It might be helpful to add the following note about using prelink with grsecurity to the Prelink HOWTO or the Gentoo Security Guide or both:

In order to prelink on a system with grsecurity using a randomized mmap() base, it is necessary to turn randomized mmap() base OFF for /lib/ld-2.3.#.so. This can be done with the chpax utility, but it must be done when the file is not in use. I had to boot the gentoo CD in order to do it, but it makes prelink behave. One must choose between faster executables or fewer security holes. I opted for speed, because I'm not too worried about security on this computer.

Reproducible: Always

Steps to Reproduce:
1. Build a kernel with grsecurity's randomized mmap() base support
2. Try to prelink
3.

Actual Results:
You get lots of errors... I don't think prelink is able to do anything

Portage 2.0.48-r1 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1)
=================================================================
System uname: 2.4.20-gentoo-r5 i686
GENTOO_MIRRORS="http://adelie.polymtl.ca/ ftp://csociety-ftp.ecn.purdue.edu/pub/gentoo/ rsync://csociety-ftp.ecn.purdue.edu/pub/gentoo/ ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="oss ncurses slang readline guile perl python -3dnow -arts -avi -berkdb -encode -esd -imlib -kde -libg++ -libwww -motif -mikmod -nls -qt -sdl -svga x86 alsa apm atlas bonobo cdr crypt cups gdbm gif gnome gpm gtk gtk2 imap java jpeg maildir mmx mozilla mpeg oggvorbis opengl pam pcmcia pdflib png pnp quicktime spell sse ssl tcltk tcpd tetex truetype trusted X xml2 xmms xv zlib"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O3 -fomit-frame-pointer -pipe"
CXXFLAGS="-march=pentium3 -O3 -fomit-frame-pointer -pipe"
ACCEPT_KEYWORDS="x86 ~x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
FEATURES="sandbox ccache userpriv"
I'd say put this in the grsecurity guide.
Well, as far as the grsecurity guide should go... We should not encourage the use of prelink at all.
Okay, so adding a note that, if you use grsecurity on your system, the user must make a choice between security and speed, and for security, they shouldn't be using prelink, and for speed, they should turn the randomized mmap() off for those particular files. In the prelink guide, that is; we don't want to have security-related guides mention how to be less secure, do we? :)
Yes, exactly. In the prelink guide I would think we could quote Derek Dolney's comments, and in the grsecurity guide I'm thinking we should discourage the use of prelink altogether.

Note from the PaX Team:
<solar> In theory one could use a PaX enabled system and prelink together if you're not using randomized mmap() base ?
<pipacs> not only that, you can enable aslr, it's just prelink won't have any effect ;)
<pipacs> or as you said, disable aslr and then prelink will be active
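A way to check which of the two states described above a system is in, added here as an example that is not part of the original bug thread: it compares library load addresses across several process runs, and a shared object that loads at the same base every time is not being randomized. The function names, the sample maps text and its addresses are constructed for illustration.

```python
import re
import subprocess

# One /proc/<pid>/maps line: "start-end perms offset dev inode path"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s+(\S+)$")

def library_bases(maps_text):
    """Return {path: lowest start address} for file-backed mappings."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group(2).startswith("/"):
            continue  # anonymous mappings, [heap], [stack]
        start, path = int(m.group(1), 16), m.group(2)
        bases[path] = min(start, bases.get(path, start))
    return bases

def fixed_libraries(snapshots):
    """Shared objects loaded at the same base in every snapshot."""
    if len(snapshots) < 2:
        raise ValueError("need at least two runs to compare")
    runs = [library_bases(s) for s in snapshots]
    common = set.intersection(*(set(r) for r in runs))
    return sorted(p for p in common
                  if ".so" in p.rsplit("/", 1)[-1]
                  and len({r[p] for r in runs}) == 1)

def collect(runs=3):
    """Snapshot the maps of `runs` fresh `cat` processes (Linux only)."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True, check=True).stdout for _ in range(runs)]

def _sample(ld_base, libc_base):
    # Constructed maps text, not captured from a real system.
    return (
        "08048000-0804c000 r-xp 00000000 03:01 1234 /bin/cat\n"
        f"{ld_base:08x}-{ld_base + 0x15000:08x} r-xp 00000000 03:01 5678 /lib/ld-2.3.2.so\n"
        f"{libc_base:08x}-{libc_base + 0x120000:08x} r-xp 00000000 03:01 5679 /lib/libc-2.3.2.so\n"
        "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]\n")

RANDOMIZED = [_sample(0x4A7B2000, 0x4A7D0000), _sample(0x2F31C000, 0x2F33A000)]
FIXED = [_sample(0x40000000, 0x40018000)] * 2

if __name__ == "__main__":
    print("randomized sample:", fixed_libraries(RANDOMIZED))
    print("fixed sample:     ", fixed_libraries(FIXED))
    print("this host:        ", fixed_libraries(collect()))
```

An empty list for the live run means every shared object moved between runs; any path that is listed loaded at a constant address in all of them.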
Created attachment 17046: Add grsecurity information to prelink-howto
Created attachment 17047: Add note about prelinking and performance in general to the grsecurity guide
the patches look good..
committed