Re: PaX on Debian
Andres Salomon wrote:
| On Sun, 25 Jul 2004 12:57:29 -0400, John Richard Moser wrote:
|
| I'm interested in discussing the viability of PaX on Debian. I'd like
| to discuss the changes to the base system that would be made, the costs
| in terms of overhead and compatibility, the gains in terms of security,
| and the mutability (elimination) of the costs.
|
|> I think debian-kernel would be a better place to discuss this (at least,
|> the PAX stuff). I have used PAX/grsec for a while now, on 2.4, and have
|> been very pleased with it. I would love to be able to include it in
|> debian 2.6 kernels, but we need to make sure that:
|
|> a) it's stable (currently, we have a glibc bug that breaks PAX; #245563.
|> I've also heard reports of various grsec problems on 2.6; I don't
|> know how many of those are PAX issues)
Did some digging. pipacs said that PAGEEXEC force-enables the 'disable
vsyscall' option, so you'd be forced to use SEGMEXEC on x86 to avoid
#245563, if I'm reading this right. On amd64, it should be fine; he
said that vsyscall is force disabled because having a high page
executable area will cause PAGEEXEC performance to fall through the
ground, due to the workings of the recent speed-up (which follows the
same method Exec Shield uses as a speed boost, and falls back to the old
way when that fails). Because amd64 has hardware NX, there's no
emulation issue, thus I'm supposing no breakage due to vsyscall.
: Tags added: fixed-upstream Request was from GOTO Masanori
: <gotom@debian.or.jp> to control@bugs.debian.org. Full text available.
Fixed in upstream. Either use an updated glibc in the next debian
release (I know there's no way you're going to suddenly shift STABLE to
PaX/pie/ssp, and I'm even going to recommend AGAINST that due to
Debian's development model), or backport the changes to whatever glibc
you use.
--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
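The thread's point is that PAGEEXEC on x86 without hardware NX has to emulate non-executable pages, and an executable high-address vsyscall page defeats its speed-up, while amd64 with NX has no such problem. The following is an added example, not code from PaX, Debian or either poster, that checks the two facts on a running system: whether the CPU advertises the nx flag, and whether the process sees an executable vsyscall/vdso mapping. The /proc samples embedded below are constructed; on a live host read /proc/self/maps and /proc/cpuinfo instead.

```python
"""Check for an executable [vsyscall]/[vdso] page and for hardware NX.
Added example for the PaX-on-Debian thread; the sample inputs are constructed."""
import re

# Constructed sample of /proc/self/maps (abbreviated). The last line is a
# high-address executable page of the kind the thread discusses.
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 03:01 12345      /bin/true
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vsyscall]
"""
# Constructed sample of a /proc/cpuinfo flags line for an x86 CPU without NX.
SAMPLE_CPUINFO = "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep mtrr pge\n"

# address range, 4-char perms, offset, dev, inode, optional path/name
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")
HIGH_PAGE_NAMES = {"[vsyscall]", "[vdso]"}  # name differs across kernel versions


def parse_maps(text):
    """Return (start, end, perms, name) tuples from /proc/<pid>/maps text."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16),
                        m.group(3), m.group(4)))
    return out


def cpu_has_nx(cpuinfo_text):
    """True if the 'flags' line of /proc/cpuinfo lists the nx bit."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "nx" in line.split(":", 1)[1].split()
    return False


def vsyscall_report(maps_text, cpuinfo_text):
    """Summarise: executable high page present? hardware NX present?
    needs_nx_emulation is the combination the thread flags as costly."""
    high = [m for m in parse_maps(maps_text) if m[3] in HIGH_PAGE_NAMES]
    exec_high = any("x" in m[2] for m in high)
    nx = cpu_has_nx(cpuinfo_text)
    return {"has_nx": nx, "vsyscall_executable": exec_high,
            "needs_nx_emulation": exec_high and not nx}


if __name__ == "__main__":
    print(vsyscall_report(SAMPLE_MAPS, SAMPLE_CPUINFO))
```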