From: John Richard Moser <nigelenki@comcast.net>
To: linux-kernel@vger.kernel.org
Subject: NX: List of apps that probably break with NX
Date: Sun, 11 Jul 2004 10:15:17 -0400
Message-ID: <40F14B75.1010802@comcast.net>
Hi.
I've noticed you're pondering an NX technology in the kernel. I help
maintain a list of applications that break under PaX, an NX/ASLR patch,
used for a script which applies reduced restrictions to these binaries.
The result is that I have a handful of unprotected apps; but
everything works. You either have to trade off the security for the
usability, or the usability for the security.
PaX uses two tools to set reduced restrictions: chpax and paxctl. The
chpax tool uses a free field in the ELF header; while paxctl uses a
special field set aside by a specially patched binutils. Binaries with
this extra field are natively compatible with vanilla Linux.
The different flags are as follows:
P PageExec (NX method) to supply functionality of NX marking of pages
S SegmExec (NX method) to supply functionality of NX marking of pages
E Emulate Trampolines
M Reduced mprotect() restrictions (basically fixes things wanting +X stack)
R Random mmap() base
X Random ET_EXEC base
I supply these as shell patterns. Be familiar with bash, or try:
$ echo <pattern>
NX-Exempt (-psem)
Wine:
/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
OpenOffice.org:
/opt/OpenOffice.org*/program/soffice.bin
Misc:
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/Xorg
/usr/bin/blender
/usr/bin/gxine
/usr/bin/xine
/usr/bin/totem
/usr/bin/acme
/usr/bin/gnome-sound-recorder
/usr/games/bin/bzflag
/usr/bin/xfce4-panel
/usr/bin/{g,}xine
Randmap Exempt (-r)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
X:
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/Xorg
mprotect() restriction exempt (-m)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
Firefox:
/usr/lib/MozillaFirefox/firefox{,-bin}
xmms:
/usr/bin/xmms
RandExec Exempt (-x)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
X:
/usr/X11R6/bin/XFree86
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
The bug used to track changes in the scripts that supply the application
of reduced restrictions is at
http://bugs.gentoo.org/show_bug.cgi?id=40665 . This may prove
interesting, as I or someone else will need to update it as more
applications break, or as more begin to work.
--John
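An added example, not code from the mail or from the PaX project: it reads the PT_PAX_FLAGS program header that paxctl's patched binutils emits and renders the marking in paxctl-style letters (upper case = enforced, lower case = exempt, "-" = kernel default), so an administrator can audit which installed binaries have been exempted. The PT_PAX_FLAGS type and the per-feature bit values are assumed from the PaX headers, and make_elf64() builds a constructed test input rather than a real binary.

```python
import struct

# PaX constants used by paxctl's PT_PAX_FLAGS header (assumed values; verify against your paxctl source).
PT_PAX_FLAGS = 0x65041580
PAX_FLAG_BITS = [  # (letter, "enforce" bit, "exempt" bit), in the mail's order
    ("P", 1 << 4, 1 << 5),    # PAGEEXEC
    ("S", 1 << 6, 1 << 7),    # SEGMEXEC
    ("E", 1 << 12, 1 << 13),  # EMUTRAMP
    ("M", 1 << 8, 1 << 9),    # MPROTECT
    ("R", 1 << 14, 1 << 15),  # RANDMMAP
    ("X", 1 << 10, 1 << 11),  # RANDEXEC
]

def pax_flags_word(data):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the ELF has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:  # e_phoff, e_phentsize, e_phnum sit at class-specific offsets
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1c)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2a)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, off)[0] == PT_PAX_FLAGS:
            # p_flags sits at +4 in Elf64_Phdr but at +24 in Elf32_Phdr
            return struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
    return None

def describe(p_flags):
    """paxctl-style letters: upper = enforced, lower = exempt, '-' = kernel default."""
    return "".join(l if p_flags & on else (l.lower() if p_flags & off else "-")
                   for l, on, off in PAX_FLAG_BITS)

def audit(path):
    """Marking of one binary on disk; None means it has no PT_PAX_FLAGS header."""
    with open(path, "rb") as f:
        word = pax_flags_word(f.read())
    return None if word is None else describe(word)

def make_elf64(pax_p_flags):
    """Constructed x86-64 ELF (test input only): one PT_LOAD plus one PT_PAX_FLAGS header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0,
                               64, 56, 2, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)
    pax = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_p_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + load + pax
```

Run audit() over the paths the mail's shell patterns expand to; the mail's Wine marking "-psem" (P, S, E and M exempt) comes out as "psem--" in this letter order.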
Thread overview:
2004-07-11 14:15 John Richard Moser (this message)
2004-07-13 21:42 John Richard Moser, NX: List of apps that probably break with NX