Bug 31793 - For when grsecurity is installed programs that don't work with it should get chpaxed
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: High minor
Assignee: solar (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-10-22 21:43 UTC by Stephen Cook
Modified: 2003-11-25 00:18 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Stephen Cook 2003-10-22 21:43:41 UTC
It would be easier to use Grsecurity if, when you emerge a program that does not
work with PaX (page / segmentation protection), the ebuild automatically ran
"chpax -sp FILE" so no problems occur.

Here is a list of the programs I found that needed to be "chpax -sp" (although
there are probably more):
Xfree
Open Office
Gxine
alsamixer
acme
blackdown-java
wine
mplayer
Totem

Reproducible: Always
Comment 1 solar (RETIRED) gentoo-dev 2003-10-24 03:50:21 UTC
Some would say that would be a potential security risk to have portage taking
care of pax flags directly. 
Under an ideal grsecurity setup these flags are supposed to be handled directly
via the acl system vs chpax. 

So I think perhaps the solution here would be to add the path/filenames to
the /etc/init.d/chpax init script and call a restart after a merge of one
of those files.

What you could do to help build that list would be to merge pax-utils then
run and paste the output from 
scanexec -x -p | grep -v ^PeMRxS
Comment 2 Stephen Cook 2003-10-24 12:13:00 UTC
I could not emerge scanexec, but located it in hardened-gcc.  But your bit
of code did absolutely nothing :(


"Under an ideal grsecurity setup these flags are supposed to be handled directly
via the acl system vs chpax. 

So I think perhaps the solution here would be to add the path/filenames to
the /etc/init.d/chpax init script and call a restart after a merge of one
of those files."

I agree that ACLs are a better solution, but the ACLs take so much to set up.
I did make some a while ago (remember me) but I looked and version 2, which
looks a lot easier, is coming out soon, so I am waiting for that and then I will
make lots of ACLs :)  It would be nice if grsecurity did not force the use
of strict default ACLs; then you could just use it for pax flags and for
programs that need protection such as Apache, Samba, FTP server etc.

I think /etc/init.d/chpax is a good idea so people don't have to have acls
Comment 3 Stephen Cook 2003-10-24 12:41:56 UTC
I emerge synced and found pax-utils.  It only scans paths, not the whole system,
so it is not a complete list:

PeMRxs /usr/bin/xmms
PeMRxs /usr/bin/gxine
PeMRxs /usr/bin/totem
PeMRxs /opt/blackdown-jdk-1.4.1/jre/bin/java
PeMRxs /opt/blackdown-jdk-1.4.1/bin/java
PeMRxs /usr/X11R6/bin/xinit
PeMRxs /usr/X11R6/bin/XFree86
PeMRxs /usr/bin/xmms
PeMRxs /usr/bin/gxine
PeMRxs /usr/bin/totem
Comment 4 solar (RETIRED) gentoo-dev 2003-10-24 14:17:46 UTC
You're right, it does not catch all.. But it gives me a good enough start to
make some sensible suggestions in the /etc/init.d/chpax file.

Note: the functionality of the grsecurity init script is nearly the same.

If you were using hardened-gcc, which it sounds like you are, you might also
notice the scanexec utils do not catch the ET_DYN files either..

I'll try to put another util (scanelf/scanpax) together to look at all ELFs
in the next day or two.
As for scanning outside of path this can already be done..
example; scanexec /home/solar/bin/
Comment 5 solar (RETIRED) gentoo-dev 2003-11-08 22:53:00 UTC
pax-utils-0.0.2 is in portage as ~x86

scanelf --help
Usage: scanelf [options] dir1 dir2 dirN..
  -p, --path	: Scan all directories in PATH environment.
  -l, --ldpath	: Scan all directories in /etc/ld.so.conf
  -h, --help	: Print this help and exit.
  -v, --version	: Print version and exit.
Comment 6 Stephen Cook 2003-11-09 01:43:31 UTC
PeMRxs ET_DYN /usr/bin/acme
PeMRxs ET_EXEC /usr/bin/xmms
PeMRxs ET_EXEC /usr/bin/gxine
PeMRxs ET_EXEC /usr/bin/totem
PeMRxs ET_EXEC /usr/bin/mplayer
PeMRxs ET_EXEC /usr/bin/gmplayer
PeMRxs ET_DYN /usr/bin/blender
PeMRxs ET_EXEC /opt/blackdown-jdk-1.4.1/jre/bin/java
PeMRxs ET_EXEC /opt/blackdown-jdk-1.4.1/bin/java
PeMRxs ET_EXEC /usr/X11R6/bin/xinit
peMRxs ET_EXEC /usr/X11R6/bin/XFree86
PeMRxs ET_DYN /usr/bin/acme
PeMRxs ET_EXEC /usr/bin/xmms
PeMRxs ET_EXEC /usr/bin/gxine
PeMRxs ET_EXEC /usr/bin/totem
PeMRxs ET_EXEC /usr/bin/mplayer
PeMRxs ET_EXEC /usr/bin/gmplayer
PeMRxs ET_DYN /usr/bin/blender
PeMRxs ET_EXEC /opt/enemy-territory/et.x86
PeMRxs ET_EXEC /opt/enemy-territory/etded.x86
PeMRxs ET_EXEC /opt/teamspeak2-server/server_linux
PeMRxs ET_EXEC /usr/share/teamspeak2-client/TeamSpeak.bin
PeMRxs ET_EXEC /opt/epsxe/epsxe (although does not work because it executes
a random name in the tmp folder that gets killed by pax, would need ACL system
to fix it!)

Maybe more!!!

BTW when Grsecurity 2.0 comes out I will start making ACLs and submit them
to you if you want :) to help Gentoo have a full ACL set to make Grsecurity
easy to set up :)
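An added example, not code from this bug or from pax-utils: a Python audit script that parses scanelf/scanexec-style lines like those pasted above, decodes the six-letter flag string (position order PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, RANDEXEC, SEGMEXEC as printed by pax-utils, upper case meaning enabled), compares each binary against the PeMRxS baseline that solar filters out with grep -v in comment 1, and deduplicates the paths that PATH scanning reports twice. SAMPLE is constructed from lines in the paste plus one default-flag entry.

```python
import re
from collections import OrderedDict

# Flag letter positions in pax-utils output: upper = enabled, lower = disabled, '-' = unset.
FLAG_NAMES = ("PAGEEXEC", "EMUTRAMP", "MPROTECT", "RANDMMAP", "RANDEXEC", "SEGMEXEC")
DEFAULT_FLAGS = "PeMRxS"  # the baseline solar filters out with grep -v in comment 1
# "FLAGS [ET_TYPE] PATH"; trailing prose after the path is ignored.
LINE_RE = re.compile(r"^([PpEeMmRrXxSs-]{6})\s+(?:(ET_\w+)\s+)?(\S+)")

# Constructed sample: lines from the paste above plus one default-flag entry (/bin/ls).
SAMPLE = """\
PeMRxs ET_DYN /usr/bin/acme
PeMRxs ET_EXEC /usr/bin/xmms
peMRxs ET_EXEC /usr/X11R6/bin/XFree86
PeMRxS ET_EXEC /bin/ls
PeMRxs ET_DYN /usr/bin/acme
PeMRxs ET_EXEC /opt/epsxe/epsxe (although does not work, needs the ACL system)
"""

def decode_flags(flags):
    """Map each PaX flag name to True (on), False (off) or None ('-')."""
    if len(flags) != 6:
        raise ValueError("PaX flag string must be 6 characters: %r" % flags)
    return {name: None if ch == "-" else ch.isupper()
            for name, ch in zip(FLAG_NAMES, flags)}

def weakened(flags, default=DEFAULT_FLAGS):
    """Protections on in `default` but off or unset in `flags`."""
    want, have = decode_flags(default), decode_flags(flags)
    return [n for n in FLAG_NAMES if want[n] and not have[n]]

def parse_scan(text):
    """Parse scan output into path -> (flags, elf_type); first occurrence wins."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # non-matching lines are the reporter's prose, not scan records
            flags, etype, path = m.groups()
            seen.setdefault(path, (flags, etype))
    return seen

def exempt_report(text):
    """Deduplicated paths that have at least one default protection disabled."""
    return {path: weakened(flags)
            for path, (flags, _etype) in parse_scan(text).items()
            if weakened(flags)}

if __name__ == "__main__":
    for path, lost in exempt_report(SAMPLE).items():
        print("%-40s %s" % (path, ", ".join(lost)))
```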
Comment 7 solar (RETIRED) gentoo-dev 2003-11-25 00:00:14 UTC
Some hopefully sane defaults added to chpax's init file. No -r1 version bump was
needed, so you will want to perform the following commands.

emerge sync
rm /etc/{init,conf}.d/chpax
emerge chpax

The key thing is to get those old init/conf files out of there.
I also talked with the PaX author about how he felt about me adding auto-chpax 
support to bins. After talking for a while it was decided that sometime in the 
future pax will be moving most of its flag settings into the linking stage.
Comment 8 solar (RETIRED) gentoo-dev 2003-11-25 00:01:07 UTC
changing resolution to FIXED
Comment 9 Stephen Cook 2003-11-25 00:18:32 UTC
Ok, I saw you had updated chpax.  One problem though is that you want PAGEEXEC_EXEMPT to automatically equal SEGMEXEC_EXEMPT or the other way around.  I think it used to be done like this.  This just makes it easier not to have duplicates, because SEGMEXEC_EXEMPT & PAGEEXEC_EXEMPT do exactly the same thing, just with different methods.  Apart from that it's looking good :)!