| Summary: | exec stacks in app-emulation/xen | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Charlie Shepherd (RETIRED) <masterdriverz> |
| Component: | New packages | Assignee: | Gentoo Xen Devs <xen> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bplant, dennis.petschull, qa |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Fixes exec stacks in xen | | |
| | a more complete patch (including makefile) | | |
Description
Charlie Shepherd (RETIRED)
2006-08-15 12:13:37 UTC
Created attachment 94343 [details, diff]
Fixes exec stacks in xen
Created attachment 97368 [details, diff]
a more complete patch (including makefile)
In the former patch the Makefile is still to be edited by hand. This patch includes a single line change in the Makefile to fix the file permissions for the symbol file.
I used the second patch (although I had to modify it first as it wouldn't apply). It has removed most of the exec stacks, but the following still remains.

--- --- RWX boot/xen-syms-3.0.2

I tested the HVM capabilities using an XP install CD and it still appeared to work.

No need for the Makefile patch, as xen-syms-3.0.2 isn't meant to be executed - it's used only in conjunction with gdb and a xen core dump. It also doesn't fix anything - scanelf still complains about exec-stacks in xen-syms.

(In reply to comment #5)
> It also doesn't fix anything - scanelf still complains about exec-stacks in
> xen-syms.

Yep. Same here. It would be great if someone knows a fix to this problem.

I spoke to spb in #gentoo-hardened and apparently there's no point addressing exec stacks in anything which is loaded prior to the kernel (e.g. the xen hypervisor), since non-executable stacks won't be enforced anyway. Even with the GNU stack markings applied, there's still a writable/executable segment triggering a QA warning (or failure, if FEATURES=stricter), which I'd like to address by adding QA_WX_LOAD="boot/xen-syms-${XEN_VERSION/_/-}" to the ebuild. Since the GNU stack markings are apparently useless in this situation, I'd rather avoid them and keep things as close to vanilla upstream as possible. However, I need the agreement of QA before proceeding with the addition of QA_WX_LOAD.

As per man 5 ebuild this is correct ... if the code's role does not involve actually running under the Linux kernel, then exec stack markings are meaningless.

The solution proposed in comment #7 should be applied when this package is next bumped - it's not big enough to warrant a bump on its own.

In addition to boot/xen-syms I am setting QA_WX_LOAD for usr/lib/xen/boot/hvmloader in the xen-tools ebuild. hvmloader is used to emulate the PC BIOS and bootstrap fully virtualized kernels.

I should have closed this bug ages ago, resolving.
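The two conditions argued about above are both properties of the ELF program headers: the STK column of scanelf's output is the p_flags of the PT_GNU_STACK header ("---" when the header is absent), and the RWX in the PTL column is a PT_LOAD segment that is writable and executable at once, which is what Portage's QA_WX_LOAD check keys on. The following added example (not from the bug, not Gentoo's scanelf or Portage code) parses the program headers of ELF32/ELF64 images in either byte order and reports those two columns. The two sample images are constructed in memory and stand in for a hypervisor-style image and a conventionally marked binary; they are not real xen-syms or hvmloader files.

```python
import struct
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Program-header types and permission flags from the ELF specification.
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


@dataclass
class Findings:
    # p_flags of PT_GNU_STACK, or None when the header is absent (scanelf prints "---").
    gnu_stack: Optional[int] = None
    # (p_vaddr, p_memsz) of every PT_LOAD segment that is both writable and executable.
    wx_load: List[Tuple[int, int]] = field(default_factory=list)


def iter_phdrs(image: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (p_type, p_flags, p_vaddr, p_memsz) for each program header."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = image[4], image[5]          # 1 = ELF32, 2 = ELF64; 1 = LE, 2 = BE
    end = "<" if ei_data == 1 else ">"
    # Elf_Ehdr after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr_fmt = "HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH"
    hdr = struct.unpack_from(end + ehdr_fmt, image, 16)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if ei_class == 2:
            p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = struct.unpack_from(end + "IIQQQQQQ", image, off)
        else:
            p_type, _, p_vaddr, _, _, p_memsz, p_flags, _ = struct.unpack_from(end + "IIIIIIII", image, off)
        yield p_type, p_flags, p_vaddr, p_memsz


def scan(image: bytes) -> Findings:
    """Collect the GNU_STACK marking and any W+X PT_LOAD segments."""
    f = Findings()
    for p_type, p_flags, p_vaddr, p_memsz in iter_phdrs(image):
        if p_type == PT_GNU_STACK:
            f.gnu_stack = p_flags
        elif p_type == PT_LOAD and (p_flags & (PF_W | PF_X)) == (PF_W | PF_X):
            f.wx_load.append((p_vaddr, p_memsz))
    return f


def perms(flags: int) -> str:
    """Render p_flags as RWX letters, e.g. 6 -> 'RW-'."""
    return "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("X", PF_X)))


def report(image: bytes) -> str:
    """Two columns in the spirit of scanelf -e: STK (GNU_STACK flags) and PTL (RWX if any W+X load)."""
    f = scan(image)
    stk = "---" if f.gnu_stack is None else perms(f.gnu_stack)
    ptl = "RWX" if f.wx_load else "---"
    return f"{stk} {ptl}"


def build_elf64(phdrs: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a header-only little-endian x86-64 ET_EXEC image from (p_type, p_flags, vaddr, memsz)."""
    ehdr_size, phent = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehdr_size, 0, 0,
                                 ehdr_size, phent, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, fl, 0, va, va, sz, sz, 0x1000) for t, fl, va, sz in phdrs)
    return ehdr + body


# Constructed sample images (not real Xen files): one RWX load segment with no
# PT_GNU_STACK, as scanelf showed for xen-syms, and a conventionally marked binary.
SAMPLE_WX = build_elf64([(PT_LOAD, PF_R | PF_W | PF_X, 0x100000, 0x2000)])
SAMPLE_OK = build_elf64([
    (PT_LOAD, PF_R | PF_X, 0x400000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x600000, 0x1000),
    (PT_GNU_STACK, PF_R | PF_W, 0, 0),
])

if __name__ == "__main__":
    import sys
    for name, img in (("sample-wx", SAMPLE_WX), ("sample-ok", SAMPLE_OK)):
        print(f"{report(img)} {name}")
    for path in sys.argv[1:]:                      # optionally scan real files given on the command line
        with open(path, "rb") as fh:
            print(f"{report(fh.read())} {path}")
```

Run with a path such as a built xen-syms or hvmloader to see the two columns for a real file. An image that prints "--- RWX" is one where adding PT_GNU_STACK markings changes only the first column; the second column, the W+X load segment, is what still trips the Portage QA check and is why the thread settles on QA_WX_LOAD rather than stack markings for code that never runs under the Linux kernel.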