[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PaX on Debian

Hash: SHA1

Russell Coker wrote:
| On Mon, 26 Jul 2004 02:57, John Richard Moser <nigelenki@comcast.net>
|>I'm interested in discussing the viability of PaX on Debian.  I'd like
|>to discuss the changes to the base system that would be made, the costs
|>in terms of overhead and compatibility, the gains in terms of security,
|>and the mutability (elimination) of the costs.
| Before we can even start thinking about PaX on Debian we need to find a
| maintainer for the kernel patch who will package new versions of the
| which apply to the Debian kernel source tree.  We have had a few
| about this in the past which have had no positive result because
no-one has
| volunteered to do the kernel coding work.

Are you talking PaX or grsecurity?  PaX is significantly less invasive
than grsecurity.  There will still be issues, of course.

Where would I see debian's 2.6.7 source tree?  I'm not a deb user,
remember, so I'll need a tarball or something.

|>A PaX protected base system would be best compiled ET_DYN, which can be
|>done by using modified spec files or a specially patched gcc to make
|>pies-by-default binaries.  Certain things don't compile this way; and
|>thus would need this functionality disabled (modified spec, -fno-pic
|>-nopie).  This will be discussed in greater detail later.
| Debian does not use spec files, spec files are for RPM based
| It would have to be a modification to debian/rules in all the
packages, or a
| modification to gcc and/or dpkg-buildpackage.

No, gcc spec files, that tell gcc how to behave.  This was used on
gentoo to mess with gcc's default behavior for a while.

try the command:

gcc -dumpspecs

Also try looking at:


You'd need to fudge that file I believe to alter gcc's default behavior.
~ This was done by the Hardened Gentoo project, but was dropped in favor
of a gcc patch.  Either way, it's been done before.

|>A PaX protected base would also benefit from Stack Smash Protection,
|>which can be done via the gcc patch ProPolice.  This imposes minimal
|>overhead, which will be discussed in greater detail later.  It overlaps
|>and extends many of the protections PaX offers, but catches earlier on;
|>and is thus a good system to pair with PaX.
| We have recently discussed this on at least one of the lists you
posted to.
| The end result of the discussion is that GCC is getting another SSP type
| technology known as "mudflap".  Mudflap depends on some major new
features of
| GCC 3.5, so it looks like we won't be getting this until GCC 3.5 as the
| Debian GCC people don't want to merge in other patches which have no
| chance of being included upstream.

Then don't use ProPolice/SSP for now.

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitely stated.

Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


Reply to: