Gentoo's Bugzilla – Attachment 185651 Details for Bug 263149: PaX Quickstart guide updates
Unified diff: pax-quickstart.diff (text/plain), 5.00 KB, created by Francisco Blas Izquierdo Riera on 2009-03-20 19:46:44 UTC
Marked as: patch, obsolete
>Index: pax-quickstart.xml >=================================================================== >RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v >retrieving revision 1.12 >diff -u -r1.12 pax-quickstart.xml >--- pax-quickstart.xml 11 Nov 2007 17:08:51 -0000 1.12 >+++ pax-quickstart.xml 20 Mar 2009 19:43:06 -0000 >@@ -14,6 +14,9 @@ > <author title="Editor"> > <mail link="solar@gentoo.org">solar</mail> > </author> >+<author title="Reviewer"> >+ <mail link="klondike@xiscosoft.es">klondike</mail> >+</author> > > <abstract> > A quickstart covering PaX and Hardened Gentoo. >@@ -23,8 +26,8 @@ > <!-- See http://creativecommons.org/licenses/by-sa/2.0 --> > <license/> > >-<version>1.4</version> >-<date>2007-09-11</date> >+<version>1.5</version> >+<date>2009-14-03</date> > > <chapter> > <title>What is Hardened Gentoo?</title> 
>@@ -48,20 +51,43 @@ > <body> > > <p> >-PaX is a patch to the Linux kernel that provides hardening in two ways. >+PaX is a patch to the Linux kernel that provides hardening in three ways (four on >+x86 32-bit machines). > </p> > > <p> > The first, <e>ASLR</e> (Address Space Layout Randomization) provides a means to > randomize the addressing scheme of all data loaded into memory. When an > application is built as a <e>PIE</e> (Position Independent Executable), PaX is >-able to also randomize the addresses of the application base in addition. >+able to also randomize the addresses of the application base and kernel in addition. >+ASLR prevents some exploits which rely on the knowledge of the address of the data >+to be exploited. > </p> > > <p> > The second protection provided by PaX is non-executable memory. This prevents a > common form of attack where executable code is inserted into memory by an >-attacker. More information on PaX can be found throughout this guide, but the >+attacker. >+</p> >+ >+<p> >+The third, free memory sanitization, erases RAM memory pages when they are freed in >+order to avoid sensible data to stay in memory for a long time. >+</p> >+ >+<note> >+The free memory sanitization doesn't sanitizes swap pages so if the data is on swap it >+will stay there for a long time before it is overwriten. >+</note> >+ >+<p> >+The fourth, which is only avaiable on 32 bit x86 builds, invalid userland pointer derefrence >+prevention, adds a few checks to the kernel so it doesn't dereference userland (this is non-kernel) >+addreses when it is expected to only dereference kernel addresses. >+</p> >+ >+<p> >+More information on PaX can be found throughout this guide, but the > homepage can be found at <uri>http://pax.grsecurity.net</uri>. > </p> 
> >@@ -84,7 +110,7 @@ > <e>SSP</e> (Stack Smashing Protector) is a second complementary technology we > introduce at executable build time. SSP was originally introduced by IBM under > the name <e>ProPolice</e>. It modifies the C compiler to insert initialization >-code into functions that create a buffer in memory. >+code into functions that create a buffer in memory. > </p> > > <note> >@@ -134,31 +160,36 @@ > </p> > > <pre caption="Kernel configuration"> >+PaX ---> > [*] Enable various PaX features > >-PaX Control -> >+PaX Control ---> > > [ ] Support soft mode >- [*] Use legacy ELF header marking >+ [ ] Use legacy ELF header marking > [*] Use ELF program header marking > MAC system integration (none) ---> > >-Non-executable page -> >+Non-executable page ---> > > [*] Enforce non-executable pages > [*] Paging based non-executable pages > [*] Segmentation based non-executable pages > [*] Emulate trampolines > [*] Restrict mprotect() >- [ ] Disallow ELF text relocations >+ [*] Disallow ELF text relocations >+ [*] Enforce non-executable kernel pages > >-Address Space Layout Randomization -> >+Address Space Layout Randomization ---> > > [*] Address Space Layout Randomization > [*] Randomize kernel stack base > [*] Randomize user stack base > [*] Randomize mmap() base >- [*] Randomize ET_EXEC base >+Miscellaneous hardening features ---> >+ [*] Sanitize all freed memory >+ [*] Prevent invalid userland pointer dereference >+ [*] Prevent various kernel object reference counter overflows > </pre> > > <p> 
>@@ -220,15 +251,15 @@ > </p> > > <note> >-The most notable of these applications are XFree/Xorg, mplayer and multimedia tools >-based on xine-lib. The easiest way around these problems are to disable PaX >+The most notable of these applications are XFree/Xorg, firefox, mplayer and multimedia >+tools based on xine-lib. The easiest way around these problems are to disable PaX > protections. > </note> > > <p> > Luckily there is a utility to toggle protections on a per-executable basis, > <e>paxctl</e>. As with any other package in Gentoo, install paxctl with the >-command <c>emerge paxctl</c>. Usage is show by <c>paxctl -h</c>. >+command <c>emerge paxctl</c>. Usage is shown by <c>paxctl -h</c>. > </p> > > <note> >@@ -251,6 +282,8 @@ > > -v: view flags -z: restore default flags > -q: suppress error messages -Q: report flags in short format flags >+ -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!) >+ -C: create PT_PAX_FLAGS (see manpage!) > </pre> > > <p>
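Review bot: the new `<date>2009-14-03</date>` in the version/date hunk is not a valid date, since there is no month 14; the element uses YYYY-MM-DD (the old value was `2007-09-11`), so the month and day are swapped. Use `<date>2009-03-14</date>` or, to match the diff timestamp, `<date>2009-03-20</date>`, whichever day was intended.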
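Review bot: the "three ways (four on x86 32-bit)" hunk has several spelling and grammar slips in the added lines that should be fixed before this lands: `sensible data` should be `sensitive data`, `doesn't sanitizes` should be `doesn't sanitize`, and `overwriten`, `avaiable`, `derefrence` and `addreses` are misspelt; `(this is non-kernel)` reads better as `(that is, non-kernel)`. Separately, the rewritten ASLR sentence now says that when an application is built as a PIE, PaX can randomize "the application base and kernel", which makes kernel randomization sound conditional on the application being a PIE; the kernel-side randomization is a separate option (the config hunk lists `Randomize kernel stack base`), so give it its own sentence rather than appending it to the PIE clause.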
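Review bot: the SSP hunk (`@@ -84,7 +110,7 @@`) changes no visible text, since the `-` and `+` lines read identically, so it is a whitespace-only change; either drop it from the patch or mention in the bug comment that trailing whitespace is being cleaned up, so the next reviewer does not have to diff the two lines by hand.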
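Review bot: in the kernel configuration hunk, the new `Miscellaneous hardening features --->` submenu is placed directly after `[*] Randomize mmap() base`, while every other submenu in the `<pre>` block is preceded by a blank line; add the blank line so the block stays consistent. The same hunk also turns `Use legacy ELF header marking` off, turns `Disallow ELF text relocations` on and drops `Randomize ET_EXEC base`; since these are changes to the recommended defaults rather than cosmetic fixes, check that the prose which explains ELF marking and paxctl later in the guide (the paxctl hunks in this patch only add the `-c`/`-C` options) is updated in the same change so it does not still describe the old settings.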
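Review bot: the rewritten `<note>` in the applications hunk keeps the agreement error `The easiest way around these problems are` (it should be `is`), and `firefox` is lowercase next to `XFree/Xorg`; since both lines are being touched anyway, fix them here, e.g. `The most notable of these applications are XFree/Xorg, Firefox, mplayer and multimedia` and `tools based on xine-lib. The easiest way around these problems is to disable PaX`.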