Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/xml/revdep-pax.xml
blob: cbf318158e3daa49d7f3fe757f9b9510d2d205b4 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: $ -->

<guide>
<title>Gentoo revdep-pax introduction</title>

<author title="Author">
  <mail link="klondike"/>
</author>

<abstract>
This guide provides an introduction to revdep-pax and how to use it to propagate
the PaC markings caused by libraries requiring them, for example, libraries
requiring RWX memory in order to process JIT code.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>1</version>
<date>2012-02-19</date>

<chapter>
<title>What's revdep-pax about?</title>

<section>
<body>

<p by="Geroge Orwell">
Since the early days of PaX it was known that all programs were equal although
some were more equal than others and needed an environment with less
restrictions in order to be able to run. Thus, in order to have a secure way of
allowing system administrators and users telling the system which binaries
needed this lessened environment the PaX marks were created.
</p>

</body>
</section>

<section>
<title>A quick introduction to PaX markings.</title>
<body>

<p>
There are some programs which won't be able to run in an environment with all
the PaX features enabled, for example you may have a program which has so called
<e>text relocations</e> or you may have a language interpreter doing JIT code
compilation and requiring <e>RWX</e> mappings you may also have a program that
saves data including internal pointers into an mmaped file and which needs to be
restored in the same place no matter what. You could also be holding a security
competition and need to disable the execution restrictions and force it to
use fixed addresses on a particular program so it can be exploited doing a
simple nop sled based stack overflow to get to the next level. For taking into
account these issues binaries can be marked to force on or off some of the PaX
features.
</p>

<p>
Currently, the PaX features that can be lessened or enforced to allow programs
to run are:
</p>

<dl>
  <dt><b>PAGEEXEC</b></dt>
  <dd>Paging based execution restrictions. This is what other OSes know as
  <e>NX</e>.</dd>
  <dt><b>EMUTRAMP</b></dt>
  <dd>Trampoline emulation. Required by for amongst other things code with
  nested functions.</dd>
  <dt><b>MPROTECT</b></dt>
  <dd>Prevents the introduction of new executable code in the task. This is the
  one you are more likely to need disabling with libraries generating JIT code.
  </dd>
  <dt><b>RANDMMAP</b></dt>
  <dd>Randomizes the addresses where mappings are made unless the program
  explicitly requests one (using the MAP_FIXED flag).</dd>
  <dt><b>RANDEXEC</b></dt>
  <dd>This flag is currently deprecated and was used to enforce random placement
  of the executable part of the binary.</dd>
  <dt><b>SEGMEXEC</b></dt>
  <dd>This flag enables segmentation based execution protection. This feature is
  not available on the amd64 architecture so in that architecture is disables by
  default.</dd>
</dl>

<p>
There are various ways in which this advice to lessen the environment can be
provided to the system, amongst others Mandatory Access Control rules, extended
attributes and two kinds of markings on the binaries themselves, the legacy ones
which abuse an unused field in the ELF headers and the new ones which add a new
specific section to the ELF file with the markings.
</p>

<p>
All this markings though are only read in the executable and not in the
libraries linked by it to prevent some possible attacks (like libraries being
injected via LD_PRELOAD) and because it eases a lot the implementation since the
kernel shouldn't be aware of linking details.
</p>

<p>
This system has a problem: if we have a binary linking to a library which
requires, for example, trampoline emulation because it uses nested functions how
can we make sure the binary gets the propper markings? Yeah we could add PaX
marks to the library to state it needs trampoline emulation but still we haven't
fixed the issue since the kernel will only read the marks on the binary being
called. In order to solve this issue we have created <c>revdep-pax</c>.
</p>

</body>
</section>
<section>
<title>What's revdep-pax?</title>
<body>

<p>
<c>revdep-pax</c> is a tool that allows to check for differences in PaX markings
between elf objects linking to libraries (for example <path>/bin/bash</path>)
and the libraries themselves (for example <path>/lib64/libc.so.6</path>).
</p>

<p>
<c>revdep-pax</c> is able to do this in various ways, it can check for
differences <e>forward</e> from one binary to all the libraries it links and it
can also check for PaX marking differences <e>backwards</e> from one library to
all the binaries linking to it (which may include other libraries too). In a
similar way it is possible to have all the forward and reverse mappings in the
system checked to try finding issues.
</p>

<p>
<c>revdep-pax</c> is also able to propagate these markings both forward to the
libraries linked by an object and backwards to the objects linked by a library.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Using revdep-pax</title>

<section>
<body>

<p by="The Emperor">
In order to witness the firepower of this fully ARMED and OPERATIONAL tool
you'll first need to learn how to use it, once you are done, you'll be
able to fire at will.
</p>

</body>
</section>
    
<section>
<title>Propagating PaX marks backwards from a library to objects that link at it
</title>
<body>

<p>
This is going to be probably the main way in which you are going to use this
utility. What it does is check all the libraries linked statically by the
binaries using <c>ldd</c> and then smartly add the paxmarks of those libraries
to generate the new set. As a result if <path>/usr/games/bin/armagetronad</path>
links with <path>/usr/lib64/libGL.so.1</path> which has the <e>-m</e> PaX mark
(allow RWX mappings) because you are using a llvm requiring graphics driver
you'll get that binary marked with the <e>-m</e> PaX mark too since it needs it.
Below you can see how to run it.
</p>

<pre caption="Propagating the PaX marks from the libraries">
# <i>mv /etc/grsec/learning.roles /etc/grsec/policy</i>
# <i>chmod 0600 /etc/grsec/policy</i>
</pre>


<note>
Due to the way in which <c>ldd</c> works you'll get all the libraries required
at runtime, even those required by libraries you link to (and so on recursively)
as a result <c>revdep-pax</c> will detect all dependencies in a single pass. If
the behaviour of <c>ldd</c> changes so may change the behaviour of
<c>revdep-pax</c>
</note>

<p>
The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
With this application you can print out information specific to the ELF
structure of a binary. The following table sums up the various options.
</p>

</body>
</section>
</chapter>
</guide>