
Re: PaX on Debian



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Russell Coker wrote:
| On Mon, 26 Jul 2004 13:48, John Richard Moser <nigelenki@comcast.net> wrote:
|
|>| Before we can even start thinking about PaX on Debian we need to find a
|>| maintainer for the kernel patch who will package new versions of the
|>| patch which apply to the Debian kernel source tree.  We have had a few
|>
|>Are you talking PaX or grsecurity?  PaX is significantly less invasive
|>than grsecurity.  There will still be issues, of course.
|
|
| PaX.  AFAIK the only PaX kernel-patch package in Debian is the Adamantix
| kernel source, which has RSBAC and a bunch of other stuff, and the GRSec
| patch.  Neither of them apply to the Debian kernel source tree.
|
|

I'm pretty much proposing that all your sources include PaX; your
binaries can have it compiled out.  I've got a working PaX patch for
2.6.7-ck* :)  It was only a 1 miss issue.  I'll see if Deb sources are
kind or if they rape my ass. . .


|>Where would I see debian's 2.6.7 source tree?  I'm not a deb user,
|>remember, so I'll need a tarball or something.
|
|
| http://ftp.debian.org/debian/pool/main/k/
|

OK how the hell does this work?  What's this supposed to apply to?
kernel-source-2.6.7_2.6.7-3_all.deb ?


ahh, 2.6.7 +  kernel-source-2.6.7_2.6.7-3.diff.gz

I'll get on this right away. . . . I don't really see anything that
stands out in my brain, so I think PaX will apply pretty cleanly to this.



icebox linux-2.6.7-deb # patch -p1 < ../kernel-source-2.6.7_2.6.7-3.diff
patching file debian/changelog
patching file debian/control
patching file debian/apply
patching file debian/patches/drivers-sb-pnp_unregister.dpatch
patching file debian/patches/fs-cramfs-constify.dpatch
patching file debian/patches/fs-jfs-compile.dpatch
patching file debian/patches/netlink-macro-fixups.dpatch
patching file debian/patches/acpi-typo.dpatch
patching file debian/patches/envp.dpatch
patching file debian/patches/include-linux-mca.h-fixups.dpatch
patching file debian/patches/x86-i486_emu.dpatch
patching file debian/patches/doc-post_halloween.dpatch
patching file debian/patches/fs-isofs-acorn.dpatch
patching file debian/patches/drivers-scsi-advansys-dma_api.dpatch
patching file debian/patches/modular-ide-pnp.dpatch
patching file debian/patches/include-missing-includes.dpatch
patching file debian/patches/include-thread_info-ifdefs.dpatch
patching file debian/patches/modular-ide.dpatch
patching file debian/patches/fs-isofs-dont-check-period.dpatch
patching file debian/patches/dont-dereference-netdev.name-before-register_netdev.dpatch
patching file debian/patches/drivers-net-tg3-readd.dpatch
patching file debian/patches/DPATCH
patching file debian/patches/drivers-usb-net-pegasus-startstop_queue.dpatch
patching file debian/patches/drivers-net-via_rhine-avoid_bitfield.dpatch
patching file debian/patches/remove-references-to-removed-drivers.dpatch
patching file debian/patches/drivers-ide-dma-blacklist-toshiba.dpatch
patching file debian/patches/alpha-epoch-comment.dpatch
patching file debian/patches/ipsec-missing_wakeup.dpatch
patching file debian/patches/00list-1
patching file debian/patches/drivers-scsi-generic_proc_info.dpatch
patching file debian/patches/drivers-isdn-io_funcs-fixup.dpatch
patching file debian/patches/drivers-scsi-sd-NO_SENSE.dpatch
patching file debian/patches/extraversion.dpatch
patching file debian/patches/alpha-tembits.dpatch
patching file debian/patches/drivers-input-psaux-hacks.dpatch
patching file debian/patches/drivers-input-hiddev-HIDIOCGUCODE.dpatch
patching file debian/patches/drivers-atkbd-quiten.dpatch
patching file debian/patches/drivers-scsi_changer.dpatch
patching file debian/patches/modular-swsusp.dpatch
patching file debian/patches/drivers-dpt_i2o-fixup.dpatch
patching file debian/patches/drivers-net-8139too-locking.dpatch
patching file debian/patches/drivers-net-irda-dma_api.dpatch
patching file debian/patches/modular-vesafb.dpatch
patching file debian/patches/chown-gid-check.dpatch
patching file debian/patches/drivers-ftape.dpatch
patching file debian/patches/fs-asfs.dpatch
patching file debian/patches/00list-2
patching file debian/patches/fs-asfs-2.dpatch
patching file debian/patches/00list-3
patching file debian/patches/chown-procfs.dpatch
patching file debian/patches/3w-9xxx.dpatch
patching file debian/patches/marvell-pegasos.dpatch
patching file debian/patches/xfs-update.dpatch
patching file debian/patches/marvell-mm.dpatch
patching file debian/patches/netfilter-signedcharbug.dpatch
patching file debian/README.NMU
patching file debian/rules
patching file debian/make-kernel-patch-pkgs
patching file debian/ChangeLog-2.6.7
patching file debian/substvars
patching file debian/prune-non-free
patching file debian/list-patches
patching file debian/unpatch
patching file debian/make-substvars
patching file debian/copyright
patching file debian/substvars.safe
patching file debian/official
patching file debian/README.Debian



So far so good, PaX next, dry run test real quick.


icebox linux-2.6.7-deb # patch -p1 --dry-run < ../pax-linux-2.6.7-200406252135.patch
patching file arch/alpha/kernel/osf_sys.c
patching file arch/alpha/mm/fault.c
patching file arch/i386/Kconfig
patching file arch/i386/kernel/apm.c
patching file arch/i386/kernel/cpu/common.c
patching file arch/i386/kernel/entry.S
patching file arch/i386/kernel/head.S
patching file arch/i386/kernel/ldt.c
patching file arch/i386/kernel/process.c
patching file arch/i386/kernel/reboot.c
patching file arch/i386/kernel/setup.c
patching file arch/i386/kernel/signal.c
patching file arch/i386/kernel/sys_i386.c
patching file arch/i386/kernel/sysenter.c
patching file arch/i386/kernel/trampoline.S
patching file arch/i386/kernel/traps.c
patching file arch/i386/kernel/vmlinux.lds.S
patching file arch/i386/mm/fault.c
patching file arch/i386/mm/init.c
patching file arch/i386/pci/pcbios.c
patching file arch/ia64/ia32/binfmt_elf32.c
patching file arch/ia64/ia32/ia32priv.h
patching file arch/ia64/ia32/sys_ia32.c
patching file arch/ia64/kernel/sys_ia64.c
patching file arch/ia64/mm/fault.c
patching file arch/mips/kernel/binfmt_elfn32.c
patching file arch/mips/kernel/binfmt_elfo32.c
patching file arch/mips/kernel/syscall.c
patching file arch/mips/mm/fault.c
patching file arch/parisc/kernel/sys_parisc.c
patching file arch/parisc/kernel/traps.c
patching file arch/parisc/mm/fault.c
patching file arch/ppc/kernel/syscalls.c
patching file arch/ppc/mm/fault.c
patching file arch/ppc64/kernel/syscalls.c
patching file arch/ppc64/mm/fault.c
patching file arch/sparc/kernel/sys_sparc.c
patching file arch/sparc/kernel/sys_sunos.c
patching file arch/sparc/mm/fault.c
patching file arch/sparc/mm/init.c
patching file arch/sparc/mm/srmmu.c
patching file arch/sparc64/kernel/itlb_base.S
patching file arch/sparc64/kernel/sys_sparc.c
patching file arch/sparc64/kernel/sys_sunos32.c
patching file arch/sparc64/mm/fault.c
patching file arch/sparc64/solaris/misc.c
patching file arch/x86_64/ia32/ia32_binfmt.c
patching file arch/x86_64/ia32/sys_ia32.c
patching file arch/x86_64/kernel/setup64.c
patching file arch/x86_64/kernel/sys_x86_64.c
patching file arch/x86_64/mm/fault.c
patching file drivers/char/mem.c
patching file drivers/char/random.c
patching file drivers/pnp/pnpbios/bioscalls.c
patching file drivers/scsi/scsi_devinfo.c
patching file drivers/video/vesafb.c
patching file fs/binfmt_aout.c
patching file fs/binfmt_elf.c
patching file fs/binfmt_flat.c
patching file fs/binfmt_misc.c
patching file fs/exec.c
patching file fs/proc/array.c
patching file fs/proc/task_mmu.c
patching file include/asm-alpha/a.out.h
patching file include/asm-alpha/elf.h
patching file include/asm-alpha/mman.h
patching file include/asm-alpha/page.h
patching file include/asm-alpha/pgtable.h
patching file include/asm-i386/a.out.h
patching file include/asm-i386/desc.h
patching file include/asm-i386/elf.h
patching file include/asm-i386/mach-default/apm.h
patching file include/asm-i386/mach-pc9800/apm.h
patching file include/asm-i386/mman.h
patching file include/asm-i386/mmu.h
patching file include/asm-i386/mmu_context.h
patching file include/asm-i386/page.h
patching file include/asm-i386/pgalloc.h
patching file include/asm-i386/pgtable.h
patching file include/asm-i386/processor.h
patching file include/asm-i386/system.h
patching file include/asm-ia64/elf.h
patching file include/asm-ia64/mman.h
patching file include/asm-ia64/page.h
patching file include/asm-ia64/pgtable.h
patching file include/asm-ia64/ustack.h
patching file include/asm-mips/a.out.h
patching file include/asm-mips/elf.h
patching file include/asm-mips/page.h
patching file include/asm-parisc/a.out.h
patching file include/asm-parisc/elf.h
patching file include/asm-parisc/mman.h
patching file include/asm-parisc/page.h
patching file include/asm-parisc/pgtable.h
patching file include/asm-ppc/a.out.h
patching file include/asm-ppc/elf.h
patching file include/asm-ppc/mman.h
patching file include/asm-ppc/page.h
patching file include/asm-ppc/pgtable.h
patching file include/asm-ppc64/a.out.h
patching file include/asm-ppc64/elf.h
patching file include/asm-ppc64/mman.h
patching file include/asm-ppc64/page.h
patching file include/asm-ppc64/pgtable.h
patching file include/asm-sparc/a.out.h
patching file include/asm-sparc/elf.h
patching file include/asm-sparc/mman.h
patching file include/asm-sparc/page.h
patching file include/asm-sparc/pgtable.h
patching file include/asm-sparc/pgtsrmmu.h
patching file include/asm-sparc/uaccess.h
patching file include/asm-sparc64/a.out.h
patching file include/asm-sparc64/elf.h
patching file include/asm-sparc64/mman.h
patching file include/asm-sparc64/page.h
patching file include/asm-sparc64/pgtable.h
patching file include/asm-x86_64/a.out.h
patching file include/asm-x86_64/elf.h
patching file include/asm-x86_64/mman.h
patching file include/asm-x86_64/page.h
patching file include/asm-x86_64/pgalloc.h
patching file include/asm-x86_64/pgtable.h
patching file include/linux/a.out.h
patching file include/linux/binfmts.h
patching file include/linux/elf.h
patching file include/linux/mm.h
patching file include/linux/mman.h
patching file include/linux/random.h
patching file include/linux/sched.h
patching file include/linux/sysctl.h
patching file kernel/fork.c
patching file kernel/sysctl.c
patching file mm/filemap.c
patching file mm/madvise.c
patching file mm/memory.c
patching file mm/mlock.c
patching file mm/mmap.c
patching file mm/mprotect.c
patching file mm/mremap.c
patching file mm/rmap.c
patching file security/Kconfig
icebox linux-2.6.7-deb #


. . . . what maintainer?  You just need a packager for now; the patch
applies cleanly to the debian sources for 2.6.7.

|
|>| We have recently discussed this on at least one of the lists you
|>| posted to.
|>
|>| The end result of the discussion is that GCC is getting another SSP type
|>| technology known as "mudflap".  Mudflap depends on some major new
|>| features of GCC 3.5, so it looks like we won't be getting this until
|>| GCC 3.5 as the Debian GCC people don't want to merge in other patches
|>| which have no apparent chance of being included upstream.
|>
|>Then don't use ProPolice/SSP for now.
|
|
| That seems to be what will happen.  I'd rather see SSP included
| sooner, but I guess it won't happen.
|
I'm glad to see somebody's sane :)


Now, read this very carefully, as it's important.

http://pax.grsecurity.net/binutils-2.14.90.0.8-pt-pax-flags-200402042140.patch
http://pax.grsecurity.net/binutils-2.15.91.0.1-pt-pax-flags-200405291420.patch

These two binutils patches are on pax.grsecurity.net.  They affect
binutils-2.14.90.0.8 and 2.15.91.0.1, respectively.

These add PT_PAX_FLAGS to the elf headers that binutils produces.  These
ELF files are compatible with non-PaX Linux systems.  It is HIGHLY
recommended that you use the corresponding patch for the version of
binutils used to build Debian's base system, rather than use the
deprecated EI_PAX field used by chpax.

Even if you're not interested in patches that won't necessarily go to
mainline, this is HIGHLY recommended.  The EI_PAX field is an unused
field, while PT_PAX_FLAGS is created specifically for PaX.  This means
you can't predict what else might use EI_PAX (including other
experimental patches end users find/create).  That field is volatile
under certain conditions; for example, in at least some versions of
strip, strip clears the EI_PAX flags.  All versions of strip I'm aware
of leave PT_PAX_FLAGS untouched.

Also, by using this and PaX, you could very well influence the mainline
for the toolchain :)

That's a strong recommendation for if you go with PaX.  You can ignore
it, but be ready to face any consequences that are incurred, if any.

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.



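As an added example (not part of this thread, and not code from the PaX project), a small Python checker that inspects an ELF image for the two marking schemes the mail contrasts: the legacy EI_PAX word in e_ident that chpax writes, and a PT_PAX_FLAGS program header. The constants (PT_PAX_FLAGS = 0x65041580, EI_PAX = 14, the enable/disable bit pairs) are taken from the PaX kernel patch's include/linux/elf.h rather than from the mail, and the sample ELF64 image is constructed inline.

```python
import struct

# Constants from the PaX kernel patch's include/linux/elf.h (not quoted in the mail).
PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580
EI_PAX = 14                 # legacy chpax marking: 16-bit word at e_ident[14:16]
# In PT_PAX_FLAGS p_flags, bit N enables a feature and bit N+1 explicitly disables it.
PAX_BITS = {4: "PAGEEXEC", 6: "SEGMEXEC", 8: "MPROTECT",
            10: "RANDEXEC", 12: "EMUTRAMP", 14: "RANDMMAP"}

def decode_pax_pflags(p_flags):
    """Map a PT_PAX_FLAGS p_flags word to {feature: on/off/default/conflict}."""
    states = {}
    for bit, name in PAX_BITS.items():
        on, off = (p_flags >> bit) & 1, (p_flags >> (bit + 1)) & 1
        states[name] = ("conflict" if on and off else "on" if on
                        else "off" if off else "default")
    return states

def inspect_pax_markings(elf):
    """Return (ei_pax_word, pt_pax_flags_or_None) for an ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    ei_pax = struct.unpack_from(end + "H", elf, EI_PAX)[0]
    if elf[4] == 2:                            # EI_CLASS: 2 = ELF64
        phoff = struct.unpack_from(end + "Q", elf, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_off = 4                          # p_flags follows p_type in Elf64_Phdr
    else:
        phoff = struct.unpack_from(end + "I", elf, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_off = 24                         # p_flags is the 7th field in Elf32_Phdr
    pax_flags = None
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", elf, base)[0] == PT_PAX_FLAGS:
            pax_flags = struct.unpack_from(end + "I", elf, base + flags_off)[0]
    return ei_pax, pax_flags

def build_sample_elf64(pax_pflags, ei_pax=0):
    """Constructed sample: ELF64 header plus PT_LOAD and PT_PAX_FLAGS headers, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1] + [0] * 7) + struct.pack("<H", ei_pax)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                               64, 56, 2, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)
    pax = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_pflags, 0, 0, 0, 0, 0, 0)
    return ehdr + load + pax
```

Running `inspect_pax_markings` on a real binary before and after `strip` is the quick way to see for yourself which of the two markings survives on a given toolchain.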
