Re: PaX on Debian

Andres Salomon wrote:
| On Sun, 25 Jul 2004 12:57:29 -0400, John Richard Moser wrote:
|> I'm interested in discussing the viability of PaX on Debian.  I'd like
|> to discuss the changes to the base system that would be made, the costs
|> in terms of overhead and compatibility, the gains in terms of security,
|> and the mutability (elimination) of the costs.
| I think debian-kernel would be a better place to discuss this (at least,
| the PAX stuff). I have used PAX/grsec for a while now, on 2.4, and have
| been very pleased with it.  I would love to be able to include it in
| debian 2.6 kernels, but we need to make sure that:
| a) it's stable (currently, we have a glibc bug that breaks PAX; #245563.
| I've also heard reports of various grsec problems on 2.6; I don't know how
| many of those are PAX issues)

Did some digging.  pipacs said that PAGEEXEC force-enables the 'disable
vsyscall' option, so you'd be forced to use SEGMEXEC on x86 to avoid
#245563, if I'm reading this right.  On amd64, it should be fine; he
said that vsyscall is force disabled because having a high page
executable area will cause PAGEEXEC performance to fall through the
ground, due to the workings of the recent speed-up (which follows the
same method Exec Shield uses as a speed boost, and falls back to the old
way when that fails).  Because amd64 has hardware NX, there's no
emulation issue, thus I'm supposing no breakage due to vsyscall.

:  Tags added: fixed-upstream Request was from GOTO Masanori
:  <gotom@debian.or.jp> to control@bugs.debian.org. Full text available.

Fixed in upstream.  Either use an updated glibc in the next debian
release (I know there's no way you're going to suddenly shift STABLE to
PaX/pie/ssp, and I'm even going to recommend AGAINST that due to
Debian's development model), or backport the changes to whatever glibc
you use.

All content of all messages exchanged herein is left in the
Public Domain, unless otherwise explicitly stated.