From: Brandon Hale <brandon@smarterits.com>
To: John Richard Moser <nigelenki@comcast.net>
Cc: Arjan van de Ven <arjan@infradead.org>,
ubuntu-hardened@lists.ubuntu.com, linux-kernel@vger.kernel.org
Subject: Re: [ubuntu-hardened] Re: Collecting NX information
Date: Mon, 28 Mar 2005 15:54:05 -0500
Message-ID: <1112043246.10117.5.camel@localhost.localdomain>
In-Reply-To: <424857B0.4030302@comcast.net>

> > actually Linus was really against adding non-related things to this
> > flag. And I think he is right...
> >

Makes sense to me.

> I'm not interested in altering and hacking up PT_GNU_STACK; PT_PAX_FLAGS
> already supplies enough to do what I want. My goal is to have
> PT_PAX_FLAGS code in mainline and Exec Shield, so that if it exists in
> the binary it will be used; else PT_GNU_STACK will be fallen back to.
>
> > Now.. do you have any examples of when you want a binary marked for no-
> > randomisation ?? (eg something the setarch flag won't fix/won't be good
> > enough for)

I also recall a few oddball cases where PaX randomization broke things,
I'll try and dig one up and see if it fails as well on ExecShield.

> What's setarch do for one? Anyway, ASLR has been known to break some
> things. Blackdown Java used to break IIRC; also there's the poorly
> designed Oracle and the poorly designed solution of Oracle on a 32 bit
> platform; and of course there's Emacs, which I heard was broken due to
> Exec Shield's randomization. Temporary work-arounds are sometimes needed.
> Remember also that I'm not just trying to make a more robust setting for
> ES and mainline; I'm trying to find a way to make it so that
> distribution maintainers can set one set of flags and have it assure
> that the program works in Mainline, Exec Shield, and PaX. Just a little
> less work for the distribution maintainers, which I think would be a
> good thing considering that apparently Ubuntu Linux might support both
> PaX and Exec Shield in the future, if I'm reading this[1] right.
>
> [1] http://thread.gmane.org/gmane.linux.ubuntu.devel/6130

IMO you have this backwards, John. Rather than having the majority (ES,
mainline NX stuff) respect your less popular branch, it would make sense
to have PaX work as well as possible with PT_GNU_STACK, and politely
request that any missing functionality be duplicated in ES. PT_GNU_STACK
is the most widely available header, and we should leverage that
ubiquity as much as possible. Marking our binaries with PT_PAX_FLAGS
and then begging everyone else to support our way of doing things will
never work.
---
Brandon Hale
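
The fallback order proposed in the quoted text (use PT_PAX_FLAGS if the binary carries it, otherwise fall back to PT_GNU_STACK), as an added example that is not part of the original message or of any kernel code. `read_marking`, `build_sample` and the types are hypothetical names; the PT_PAX_FLAGS type value and the PF_NORANDMMAP bit come from the PaX patch rather than from this page, and the input is assumed to be a native-endian ELF64 image.

```c
#include <elf.h>
#include <string.h>

#ifndef PT_PAX_FLAGS
#define PT_PAX_FLAGS 0x65041580    /* PT_LOOS + 0x5041580 (PaX patch); not in glibc <elf.h> */
#endif
#define PAX_NORANDMMAP (1U << 15)  /* PaX PF_NORANDMMAP: mmap randomisation switched off */

enum source { SRC_BAD_ELF, SRC_NONE, SRC_GNU_STACK, SRC_PAX_FLAGS };
/* gnu_exec_stack is only reported when PT_GNU_STACK is the deciding header. */
struct marking { enum source src; int gnu_exec_stack; int no_randmmap; };

/* Hypothetical helper: report which program header would decide the policy
 * under the proposed order, PT_PAX_FLAGS first, PT_GNU_STACK as fallback. */
struct marking read_marking(const unsigned char *img, size_t len)
{
    struct marking m = { SRC_BAD_ELF, 0, 0 };
    Elf64_Ehdr eh;
    Elf64_Phdr ph;

    if (len < sizeof eh) return m;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof ph || eh.e_phoff > len ||
        (len - eh.e_phoff) / sizeof ph < eh.e_phnum)
        return m;                  /* malformed or truncated program header table */
    m.src = SRC_NONE;
    for (size_t i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_PAX_FLAGS)   /* decides regardless of header order */
            return (struct marking){ SRC_PAX_FLAGS, 0, (ph.p_flags & PAX_NORANDMMAP) != 0 };
        if (ph.p_type == PT_GNU_STACK)   /* fallback: can only express the stack's PF_X */
            m = (struct marking){ SRC_GNU_STACK, (ph.p_flags & PF_X) != 0, 0 };
    }
    return m;
}

/* Constructed sample: ELF64 header, one PT_GNU_STACK, optionally one PT_PAX_FLAGS. */
size_t build_sample(unsigned char *buf, unsigned gnu, int with_pax, unsigned pax)
{
    Elf64_Ehdr eh = { .e_phoff = sizeof eh, .e_phentsize = sizeof(Elf64_Phdr),
                      .e_phnum = with_pax ? 2 : 1 };
    Elf64_Phdr ph[2] = { { .p_type = PT_GNU_STACK, .p_flags = gnu },
                         { .p_type = PT_PAX_FLAGS, .p_flags = pax } };
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, eh.e_phnum * sizeof ph[0]);
    return sizeof eh + eh.e_phnum * sizeof ph[0];
}
```
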