
Re: PaX on Debian (Kernel Settings)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This post is also being forwarded to debian-kernel, as it contains the
appropriate kernel settings.  This is a continuation of the message from
the debian-security and debian-devel lists, archived at

http://lists.debian.org/debian-security/2004/07/msg00159.html

There is a recapitulation of the data from this thread at

http://lists.debian.org/debian-security/2004/07/msg00201.html

As noted, kernel settings have not yet been discussed.  Here, I will
discuss the settings I recommend for best compatibility, and what issues
PaX raises in kernel packaging.

It still hasn't been decided if Debian will actually supply a
PaX-enabled base, with ET_DYN binaries or even with PT_PAX_FLAGS in the
ELF headers (PaX binutils patch makes these) and appropriate markings to
prevent breakage under a PaX kernel.

If Debian is indeed going to support a PaX protected base, it will have
to supply a PaX kernel to make any use of it; however, it is possible to
supply a PaX kernel without the special base.  Things will break under
the PaX kernel without the support of the distribution to find and mark
these ahead of time; but it would still make an easy first step.  Users
should NOT by default use a PaX kernel image without a PaX base!

In either case, the below settings can be used most safely with PaX on
x86.  Notes about breakage and other architectures appear below; read
them if you intend to make any use of this.

|Security options  --->
|    PaX  --->
|[*] Enable various PaX features
|       PaX Control  --->
|         [*] Support soft mode
|         [*] Use legacy ELF header marking
|         [*] Use ELF program header marking
|         MAC system integration (none)  --->
|       Non-executable pages  --->
|         [*] Enforce non-executable pages
|         [*]   Paging based non-executable pages
|         [*]   Segmentation based non-executable pages
|               Default non-executable page method (SEGMEXEC)  --->
|         [*] Emulate trampolines
|         [*] Restrict mprotect()
|         [ ]   Disallow ELF text relocations
|       Address Space Layout Randomization  --->
|         [*] Address Space Layout Randomization
|         [*]   Randomize kernel stack base
|         [*]   Randomize user stack base
|         [*]   Randomize mmap() base
|         [*]     Randomize ET_EXEC base
|         ---   Disable the vsyscall page

The "[ ]   Disallow ELF text relocations" option must be disabled, else
certain programs won't work.  There is no way to disable this at runtime
that I am aware of.

"MAC system integration (none)  --->" can be set to "Hook" (I believe)
for certain SELinux patches or for other ACL systems; but this is beyond
the scope.  ACL systems are appropriate for Adamantix, but I do not
believe they are appropriate for Debian's standard distribution.

"[*]   Paging based non-executable pages" will FORCE "Disable the
vsyscall page" on, on x86.  This breaks Debian's current glibc as per
Debian Bug #245563; however, this issue is fixed in upstream glibc (as
noted on the bug).  Patches should be ported back so that PAGEEXEC can
be used; and/or a newer glibc should be used on whatever Debian release
starts off with PaX.  This should not affect amd64 or other archs.

Archs with a hardware NX bit should use PAGEEXEC.  This includes AMD64
and PowerPC I believe, as well as many others (sparc, etc).

"[*]   Segmentation based non-executable pages" (SEGMEXEC), when used,
will halve the virtual address space available to a task.  Be wary.

A patch can be supplied that will make the "Default non-executable page
method" selectable at boot via a kernel command line option.

A big one here: it was found that PaX patches onto Debian's 2.6.7
patched kernel cleanly.  You may or may not supply PaX in your base
kernel patch set; however, it is encouraged that you supply *BOTH* a
PaX-enabled and PaX-disabled kernel.  Just putting "N" on 'enable
various PaX features' up there for the PaXless one should be sufficient.

There are various other patches that go well with PaX, such as the
obscurity patch (which NULLs out /proc/<PID>/maps to prevent basic
information leaking) and the pax_default_nx= patch.  It's up to you to
decide what you want if you're going to supply a more secure kernel image.

- --
All content of all messages exchanged herein is left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBBsDuhDd4aOud5P8RAiKJAJ92Zam6Xho/nCYt0AEOAVVhm7j/0QCbBSRA
plOEaYP3i3KEhx2h2mgCt1o=
=8h/m
-----END PGP SIGNATURE-----
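Editorial addition, not part of the message above and not Debian's, PaX's or paxctl's own code: the message leans on two things a PaX base needs, PT_PAX_FLAGS program headers and the older legacy marking in the ELF identification bytes, without showing what either looks like on disk. The script below decodes both schemes from an ELF32 or ELF64 image, reports ET_EXEC versus ET_DYN, and flags a contradictory marking (a feature both enabled and disabled), which PaX treats as invalid. The bit values and the e_ident[14] layout are taken from the PaX patch's elf.h and paxctl; the sample images are constructed in memory so the script runs offline, and parse_pax, build_sample_elf and describe are names chosen here.

```python
"""Decode PaX markings on an ELF image: the legacy e_ident[EI_PAX] byte and the
PT_PAX_FLAGS program header. Constants follow the PaX patch's elf.h and paxctl;
the sample images built below are constructed in memory, not real binaries."""
import struct

PT_PAX_FLAGS = 0x65041580          # p_type of the PaX flags program header
EI_PAX = 14                        # e_ident index of the legacy marking byte
ELFCLASS32, ELFCLASS64 = 1, 2
E_TYPES = {2: "ET_EXEC", 3: "ET_DYN"}

# PT_PAX_FLAGS p_flags bits per feature: (enable bit, disable bit). Neither set
# means "kernel default", which is on without soft mode and off with it.
PT_FLAGS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}
# Legacy e_ident[EI_PAX] bits: (bit, feature is ON when the bit is set?). The
# legacy scheme has no "default": a clear bit means ON for all but RANDEXEC.
LEGACY_FLAGS = {
    "PAGEEXEC": (1, False),
    "EMUTRAMP": (2, False),
    "MPROTECT": (4, False),
    "RANDMMAP": (8, False),
    "RANDEXEC": (16, True),
    "SEGMEXEC": (32, False),
}


def parse_pax(data: bytes) -> dict:
    """Return the ELF type, decoded legacy flags, decoded PT_PAX_FLAGS (None if
    the header is absent) and the features marked both on and off."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"
    if data[4] == ELFCLASS64:
        hdr = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        phdr_fmt, flags_at = end + "IIQQQQQQ", 1   # p_flags follows p_type
    elif data[4] == ELFCLASS32:
        hdr = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
        phdr_fmt, flags_at = end + "IIIIIIII", 6   # p_flags is the 7th field
    else:
        raise ValueError("unknown ELF class")
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]

    legacy_byte = data[EI_PAX]
    legacy = {name: bool(legacy_byte & bit) == on_when_set
              for name, (bit, on_when_set) in LEGACY_FLAGS.items()}

    pt_pax, conflicts = None, []
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] != PT_PAX_FLAGS:
            continue
        p_flags, pt_pax = ph[flags_at], {}
        for name, (on_bit, off_bit) in PT_FLAGS.items():
            on, off = bool(p_flags & on_bit), bool(p_flags & off_bit)
            if on and off:
                conflicts.append(name)
            pt_pax[name] = "on" if on else ("off" if off else "default")
        break   # a binary carries at most one PT_PAX_FLAGS header

    return {"type": E_TYPES.get(e_type, "e_type=%d" % e_type),
            "legacy": legacy, "pt_pax": pt_pax, "conflicts": conflicts}


def build_sample_elf(legacy_byte: int, pax_p_flags: int, elf64: bool = True,
                     e_type: int = 3, with_pt_pax: bool = True) -> bytes:
    """Constructed test image: a bare little-endian ELF header plus, optionally,
    one PT_PAX_FLAGS program header right after it. Marking only, not loadable."""
    phnum = 1 if with_pt_pax else 0
    ident = bytearray(b"\x7fELF" + bytes([ELFCLASS64 if elf64 else ELFCLASS32, 1, 1, 0])
                      + bytes(8))
    ident[EI_PAX] = legacy_byte
    if elf64:   # EM_X86_64 = 62, e_phoff = e_ehsize = 64, e_phentsize = 56
        ehdr = bytes(ident) + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                          64, 56, phnum, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_p_flags, 0, 0, 0, 0, 0, 8)
    else:       # EM_386 = 3, e_phoff = e_ehsize = 52, e_phentsize = 32
        ehdr = bytes(ident) + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0,
                                          52, 32, phnum, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_PAX_FLAGS, 0, 0, 0, 0, 0, pax_p_flags, 4)
    return ehdr + (phdr if with_pt_pax else b"")


def describe(result: dict) -> str:
    """Summary in the spirit of `paxctl -v`, one line per marking scheme."""
    out = ["%s, legacy byte: %s" % (result["type"], " ".join(
        "%s=%s" % (n, "on" if v else "off") for n, v in result["legacy"].items()))]
    if result["pt_pax"] is None:
        out.append("no PT_PAX_FLAGS header: only the legacy marking applies")
    else:
        out.append("PT_PAX_FLAGS: " + " ".join("%s=%s" % kv for kv in result["pt_pax"].items()))
    for name in result["conflicts"]:
        out.append("CONFLICT: %s both enabled and disabled; PaX treats this as invalid" % name)
    return "\n".join(out)


if __name__ == "__main__":
    # A JIT-style marking: MPROTECT off, EMUTRAMP on, everything else default,
    # with the equivalent legacy byte (bit 4 set = MPROTECT off).
    print(describe(parse_pax(build_sample_elf(4, (1 << 9) | (1 << 12)))))
    print(describe(parse_pax(build_sample_elf(0, (1 << 4) | (1 << 5)))))
```

To inspect a real binary, read it with `open(path, "rb").read()` and pass the bytes to parse_pax; when both schemes are present PaX honours the program-header marking, so a base that carries PT_PAX_FLAGS does not need the legacy byte at all.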


