Re: exec-shield (maybe ITP kernel-patch-exec-shield)
On Mon, 3 Nov 2003 13:47, Gustavo Franco wrote:
> Russell Coker wrote:
> >http://people.redhat.com/mingo/exec-shield/
> >http://kerneltrap.org/node/view/913
> >
> >It seems that exec-shield does 99% of what PaX does (PaX is the most
> > desirable feature in GRSec). Exec-shield also has support for 2.6 and
> > looks like it will be a standard feature in Red Hat.
>
> I believe that exec-shield doesn't 99% of what PaX does, do some tests
> with paxtest[1], but
> i like the idea of merge the patch with "debian kernel" in the future.
I quickly checked out paxtest, there are a number of issues listed as
"Vulnerable", but I believe that some of those are necessary for full
functionality of programs such as X servers. The aim of exec-shield is to
have no need of a "chpax" type program. Also exec-shield will do even better
when we have a tool chain supporting PIE, this is already in Fedora, and will
be in Debian by gcc 3.4 if not before.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Reply to: