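####################################################################
# Copyright 1999-2004 Gentoo Foundation                            #
# Distributed under the terms of the GNU General Public License v2 #
####################################################################
# This is the configuration file for /etc/init.d/pax               #
#                                                                  #
# These settings mark files in the base system that break under    #
# PaX so that the restrictions are relaxed for them only. The      #
# markings are mainly chpax/paxctl flags, but also include         #
# turning off the executable stack on some libraries.              #
####################################################################
#
# chpax  prefix  description
#   p    PE      do not enforce paging based non-executable pages
#   E    ET      emulate trampolines
#   r    RE      do not randomize mmap() base [ELF only]
#   m    ME      do not restrict mprotect()
#   s    SE      do not enforce segmentation based non-executable pages
#   x    XE      do not randomize ET_EXEC base [ELF only]
#   psem PSE     same as PE + SE + ME, or -psem
#
# NOTE: PS_EXEC_EXEMPT is {PAGE,SEGM}_EXEC_EXEMPT. For executables that
# need BOTH, use it rather than the two lists separately: it also enables
# -e and -m, so that pax does not complain about odd flag settings in
# softmode.
#
# Every entry in the lists below removes a PaX protection from the files
# it matches. Keep the lists as narrow as possible and re-check them when
# a listed package is upgraded or removed.

# chpax command. If using multiple tools, separate them by spaces.
# This one hits BOTH chpax and paxctl.
CHPAX="/sbin/chpax /sbin/paxctl"

# Set to "yes" for (very) chatty output from the init script.
#VERBOSE="yes"

#######################################################################
# Here are some basic apps we use that need a number of flags applied #
#######################################################################
# I'm debating whether the eval should happen here or in the actual
# script; currently it is done in the init.d script.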
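#
# To do it here instead, set things like:
#   var="`eval echo /path/to/{some,binaries}`"
#
# The patterns below contain brace and glob expansions that are only
# resolved when the init script evals them, so every file that matches a
# pattern at that moment is exempted. Keep the patterns as specific as
# the installed layout allows.
#java=/opt/blackdown-{jdk-*/{,jre/},jre-*/}bin/{java{,_vm,c},keytool,kinit,klist,ktab,orbd,policytool,rmi{d,registry},servertool,tnameserv,*}
java="/opt/*-{jdk-*/{,jre/},jre-*/}bin/*"
wine="/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}"
x11="/usr/X11R6/bin/{XFree86,Xorg}"
xine="/usr/bin/{g,}xine"
openoffice="/opt/OpenOffice.org*/program/soffice.bin"
#mozilla="/usr/lib/MozillaFirefox/firefox-bin /usr/lib/mozilla/mozilla-bin"
xmms="/usr/bin/xmms"
mplayer="/usr/bin/{g,}mplayer"
mono="/usr/bin/mono"
xscreensaver="/usr/lib/xscreensaver/*"

######################################################
# Miscellaneous things that need each of these tags #
######################################################
# PSE: paging + segmentation exec exempt and mprotect exempt
PSE_misc="/usr/bin/totem /usr/bin/acme \
	/usr/bin/gnome-sound-recorder /usr/bin/xfce4-panel"

# ME: mprotect exempt
ME_misc="/usr/bin/blender{,-bin} \
	/usr/games/bin/bzflag"

####################################
# Settings are really applied here #
####################################
PS_EXEC_EXEMPT="${PSE_misc} ${x11} ${xine} ${wine} ${java} ${openoffice} \
	${mplayer} ${mono}"
PAGEEXEC_EXEMPT=""
# Note: once execstack is ignored by glibc, we can take mozilla and xmms out
# of MPROTECT_EXEMPT, saving us the hassle of a fully exploitable browser.
TRAMPOLINE_EXEMPT="${xmms}"
MPROTECT_EXEMPT="${java} ${xscreensaver} ${xmms} ${ME_misc}"
RANDMMAP_EXEMPT="${java} ${x11}"
SEGMEXEC_EXEMPT=""
RANDEXEC_EXEMPT="${java} ${x11} ${wine}"

# NO_EXECSTACK
# Turn off the executable stack on libraries that don't need it.
# Without this the mozilla plug-ins demand a browser with an executable
# stack, which previously left us with a fully exploitable browser.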
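# Libraries whose executable-stack marking is cleared when
# SET_NO_EXECSTACK is "yes" (see below).
NO_EXECSTACK="/usr/lib/nsbrowser/plugins/libflashplayer.so \
	/usr/lib/nsbrowser/plugins/{lib,}javaplugin_oji.so \
	/usr/lib/xmms/Input/libmpg123.so \
	/usr/lib/xmms/Visualization/libbscope.so \
	/usr/lib/opengl/xorg-x11/lib/libGL.so* \
	/usr/lib/libGL.so*"

# When the zero flag mask is set to "yes", all pax flags are removed from
# all files on reboot/stop.
#ZERO_FLAG_MASK="yes"

# Leave this one on; it zeros the flags before starting, which is the only
# way to lower privileges (drop exemptions) that are no longer needed.
ZERO_ON_START="yes"

# This one tells us to actually follow the NO_EXECSTACK list above and
# apply those settings; requires prelink to be merged.
SET_NO_EXECSTACK="yes"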