NetBSD Problem Report #37992

From aw-netbsd@instandbesetzt.net  Sun Feb 10 12:00:09 2008
Return-Path: <aw-netbsd@instandbesetzt.net>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 474C563B101
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 10 Feb 2008 12:00:09 +0000 (UTC)
Message-Id: <4936a74862ee6b3485911074f09e60ad@localhost>
Date: Sun, 10 Feb 2008 13:00:04 +0100
From: Andreas Wiese <aw-netbsd@instandbesetzt.net>
To: gnats-bugs@gnats.NetBSD.org
Subject: PaX flags on non-NetBSD binaries

>Number:         37992
>Category:       kern
>Synopsis:       There's no way to save PaX flags on non-native binaries
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 10 12:05:00 +0000 2008
>Last-Modified:  Mon Feb 11 12:00:04 +0000 2008
>Originator:     Andreas Wiese
>Release:        NetBSD 4.99.49
>Organization:
        BSD-Crew Dresden, Germany
>Environment:
System: NetBSD schroeder.lan.instandbesetzt.net 4.99.49 NetBSD 4.99.49
(SCHROEDER) #0: Tue Jan 22 18:18:53 CET 2008
root@schroeder.lan.instandbesetzt.net:/usr/obj/sys/arch/i386/compile/SCHROEDER
i386
Architecture: i386
Machine: i386
>Description:
Hey, folks.

I played around with PaX and its several sysctl variables a while and
was happy to see that setting security.pax.*.global to 1 seems to work
for most programs.  The only native program not running was mplayer, but
for this I set the according flags via paxctl(8) and everything is fine.

Then I needed to use OpenOffice (I only have the Linux version
installed) and Linux glibc complained about being unable to write-enable
certain ELF sections.  paxctl(8) (naturally) doesn't solve the problem
here, so I have to disable mprotect globally to get OpenOffice to work.

Is there any solution for this problem, or has anybody had an idea for
this yet?  If not:  Why not save the PaX flags via the extattr(9) framework?
If I understood this right, its purpose is associating meta-data with
files for which there is no room any other way.  Why not create a
paxflags=0x?? key-value pair for each binary you want to set PaX flags
on?  I see several advantages in this approach:

  1) It's transparent for different ELF formats.
  2) You don't touch the binary itself, therefore not messing around with
     checksums and veriexec(9), for example.
  3) You could easily transfer your binaries to another system (for
     whatever reason) without taking the PaX flags with you.
  4) We would have another use for extattr(9) to present the other guys ;)

Just a quick idea I wanted to share.  Could be nonsense, too =]

HAND & LG -- aw
np: nothing
>How-To-Repeat:
paxctl /path/to/linuxbinary
>Fix:
see above
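A user-space model of the out-of-band store the report proposes (an added example, not code from this PR or from NetBSD): flags are keyed by file identity rather than written into the binary, an explicit per-file flag overrides the security.pax.mprotect.global default, and the file's digest (what veriexec(9) would check) is left untouched. The flag bit values and the dict standing in for an extattr(9) key/value pair are assumptions of this model.

```python
import hashlib
import os
import tempfile
# Constructed flag bits for the proposed "paxflags=0x??" value; the PR does not
# show NetBSD's real encoding, so these values are an assumption of this model.
PAX_MPROTECT = 0x01     # force mprotect restrictions on for this binary
PAX_NOMPROTECT = 0x02   # exempt this binary (what the Linux OpenOffice would need)

def file_key(path):
    """Key the metadata by file identity so a rename keeps the flags."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def set_pax_flags(store, path, flags):
    """Out-of-band store: a dict stands in for an extattr key/value pair."""
    if flags & PAX_MPROTECT and flags & PAX_NOMPROTECT:
        raise ValueError("mprotect and nomprotect are mutually exclusive")
    store[file_key(path)] = flags

def mprotect_enforced(store, path, global_on):
    """Explicit per-file flag wins; otherwise security.pax.mprotect.global applies."""
    flags = store.get(file_key(path), 0)
    if flags & PAX_NOMPROTECT:
        return False
    return True if flags & PAX_MPROTECT else global_on

def digest(path):
    """Stand-in for the file digest veriexec(9) checks at exec time."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def demo():
    """Exempt one constructed 'foreign' binary and leave a second one alone."""
    paths = []
    for _ in range(2):
        fd, path = tempfile.mkstemp()
        os.write(fd, b"\x7fELF" + b"\x00" * 60)   # constructed, not a real ELF
        os.close(fd)
        paths.append(path)
    foreign, native = paths
    try:
        before = digest(foreign)
        store = {}
        set_pax_flags(store, foreign, PAX_NOMPROTECT)
        return {"checksum_unchanged": before == digest(foreign),
                "foreign_enforced": mprotect_enforced(store, foreign, True),
                "native_enforced": mprotect_enforced(store, native, True)}
    finally:
        for p in paths:
            os.unlink(p)
```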

>Audit-Trail:
From: Elad Efrat <elad@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
Date: Sun, 10 Feb 2008 14:54:49 +0200

 Andreas Wiese wrote:
 >> Number:         37992
 >> Category:       kern
 >> Synopsis:       There's no way to save PaX flags on non-native binaries
 >> Confidential:   no
 >> Severity:       non-critical
 >> Priority:       medium
 >> Responsible:    kern-bug-people
 >> State:          open
 >> Class:          sw-bug
 >> Submitter-Id:   net
 >> Arrival-Date:   Sun Feb 10 12:05:00 +0000 2008
 >> Originator:     Andreas Wiese
 >> Release:        NetBSD 4.99.49
 >> Organization:
 >         BSD-Crew Dresden, Germany
 >> Environment:
 > System: NetBSD schroeder.lan.instandbesetzt.net 4.99.49 NetBSD 4.99.49
 > (SCHROEDER) #0: Tue Jan 22 18:18:53 CET 2008
 > root@schroeder.lan.instandbesetzt.net:/usr/obj/sys/arch/i386/compile/SCHROEDER
 > i386
 > Architecture: i386
 > Machine: i386
 >> Description:
 > Hey, folks.
 > 
 > I played around with PaX and its several sysctl variables a while and
 > was happy to see that setting security.pax.*.global to 1 seems to work
 > for most programs.  The only native program not running was mplayer, but
 > for this I set the according flags via paxctl(8) and everything is fine.
 > 
 > Then I needed to use OpenOffice (I only have the Linux version
 > installed) and Linux glibc complained about being unable to write-enable
 > certain ELF sections.  paxctl(8) (naturally) doesn't solve the problem
 > here, so I have to disable mprotect globally to get OpenOffice to work.
 > 
 > Is there any solution for this problem, or has anybody had an idea for
 > this yet?  If not:  Why not save the PaX flags via the extattr(9) framework?
 > If I understood this right, its purpose is associating meta-data with
 > files for which there is no room any other way.  Why not create a
 > paxflags=0x?? key-value pair for each binary you want to set PaX flags
 > on?  I see several advantages in this approach:
 > 
 >   1) It's transparent for different ELF formats.
 >   2) You don't touch the binary itself, therefore not messing around with
 >      checksums and veriexec(9), for example.
 >   3) You could easily transfer your binaries to another system (for
 >      whatever reason) without taking the PaX flags with you.
 >   4) We would have another use for extattr(9) to present the other guys ;)
 > 
 > Just a quick idea I wanted to share.  Could be nonsense, too =]
 > 
 > HAND & LG -- aw
 > np: nothing
 >> How-To-Repeat:
 > paxctl /path/to/linuxbinary
 >> Fix:
 > see above
 > 
 > 

 You are correct. I'm not sure what's the state of extended attributes,
 but we can use fileassoc(9). See:

 http://mail-index.netbsd.org/source-changes/2007/06/24/0054.html

 I'm pretty sure this was discussed before, but I can't seem to find the
 thread...

 -e.

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org, 
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
Date: Sun, 10 Feb 2008 09:47:08 -0500

 On Feb 10, 12:05pm, aw-netbsd@instandbesetzt.net (Andreas Wiese) wrote:
 -- Subject: kern/37992: PaX flags on non-NetBSD binaries

 | >Number:         37992
 | >Category:       kern
 | >Synopsis:       There's no way to save PaX flags on non-native binaries
 | >Confidential:   no
 | >Severity:       non-critical
 | >Priority:       medium
 | >Responsible:    kern-bug-people
 | >State:          open
 | >Class:          sw-bug
 | >Submitter-Id:   net
 | >Arrival-Date:   Sun Feb 10 12:05:00 +0000 2008
 | >Originator:     Andreas Wiese
 | >Release:        NetBSD 4.99.49
 | >Organization:
 |         BSD-Crew Dresden, Germany
 | >Environment:
 | System: NetBSD schroeder.lan.instandbesetzt.net 4.99.49 NetBSD 4.99.49
 | (SCHROEDER) #0: Tue Jan 22 18:18:53 CET 2008
 | root@schroeder.lan.instandbesetzt.net:/usr/obj/sys/arch/i386/compile/SCHROEDER
 | i386
 | Architecture: i386
 | Machine: i386
 | >Description:
 | Hey, folks.
 | 
 | I played around with PaX and its several sysctl variables a while and
 | was happy to see that setting security.pax.*.global to 1 seems to work
 | for most programs.  The only native program not running was mplayer, but
 | for this I set the according flags via paxctl(8) and everything is fine.
 | 
 | Then I needed to use OpenOffice (I only have the Linux version
 | installed) and Linux glibc complained about being unable to write-enable
 | certain ELF sections.  paxctl(8) (naturally) doesn't solve the problem
 | here, so I have to disable mprotect globally to get OpenOffice to work.
 | 
 | Is there any solution for this problem, or has anybody had an idea for
 | this yet?  If not:  Why not save the PaX flags via the extattr(9) framework?
 | If I understood this right, its purpose is associating meta-data with
 | files for which there is no room any other way.  Why not create a
 | paxflags=0x?? key-value pair for each binary you want to set PaX flags
 | on?  I see several advantages in this approach:
 | 
 |   1) It's transparent for different ELF formats.
 |   2) You don't touch the binary itself, therefore not messing around with
 |      checksums and veriexec(9), for example.
 |   3) You could easily transfer your binaries to another system (for
 |      whatever reason) without taking the PaX flags with you.
 |   4) We would have another use for extattr(9) to present the other guys ;)
 | 
 | Just a quick idea I wanted to share.  Could be nonsense, too =]

 Yes, it is noted in the bugs section of paxctl :-)

 christos

From: Jason Thorpe <thorpej@shagadelic.org>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org,
 gnats-admin@netbsd.org,
 netbsd-bugs@netbsd.org
Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
Date: Sun, 10 Feb 2008 09:51:30 -0800

 On Feb 10, 2008, at 4:05 AM, Andreas Wiese wrote:

 > yet?  If not:  Why not save the PaX flags via the extattr(9)  
 > framework?


 That would require all file systems that support exec support extattr.

 -- thorpej

From: Andreas Wiese <aw-netbsd@instandbesetzt.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
Date: Sun, 10 Feb 2008 19:22:37 +0100

 On Sun, Feb 10, 2008 at 05:55:02PM +0000, Jason Thorpe wrote:
 > The following reply was made to PR kern/37992; it has been noted by GNATS.
 > 
 > From: Jason Thorpe <thorpej@shagadelic.org>
 > To: gnats-bugs@NetBSD.org
 > Cc: kern-bug-people@netbsd.org,
 >  gnats-admin@netbsd.org,
 >  netbsd-bugs@netbsd.org
 > Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
 > Date: Sun, 10 Feb 2008 09:51:30 -0800
 > 
 >  On Feb 10, 2008, at 4:05 AM, Andreas Wiese wrote:
 > 
 >  > yet?  If not:  Why not save the PaX flags via the extattr(9)
 >  > framework?
 > 
 > 
 >  That would require all file systems that support exec support extattr.
 > 

 Okay, thanks.  I kept wondering where exactly is the benefit of
 fileassoc(9) over extattr(9), so I think that is the point I missed.

 [snip...]

 Sorry for missing the paxctl(8) BUGS section, though.  Is there anyone
 working on this right now?

 HAND & LG -- aw
 np: Elias Schwerdtfeger (Tote Vögel haben Spaß) -- 03. Zeitgemäße Romanze
 -- 
 Useless knowledge (»neon«, 01/05):
  17. The Titanic was doing 22.5 knots when it rammed the iceberg.

From: Elad Efrat <elad@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: Andreas Wiese <aw-netbsd@instandbesetzt.net>
Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
Date: Mon, 11 Feb 2008 13:56:30 +0200

 Andreas Wiese wrote:

 >  Okay, thanks.  I kept wondering where exactly is the benefit of
 >  fileassoc(9) over extattr(9), so I think that is the point I missed.
 >  
 >  [snip...]
 >  
 >  Sorry for missing the paxctl(8) BUGS section, though.  Is there anyone
 >  working on this right now?

 It's in my to-do list. :)

 -e.
