From: John Richard Moser <nigelenki@comcast.net>
To: linux-kernel@vger.kernel.org
Subject: NX: List of apps that probably break with NX
Date: Sun, 11 Jul 2004 10:15:17 -0400
Message-ID: <40F14B75.1010802@comcast.net>
Hi.
I've noticed you're pondering an NX technology in the kernel. I help
maintain a list of applications that break under PaX, an NX/ASLR patch,
used for a script which applies reduced restrictions to these binaries.
The result is that I have a handful of unprotected apps; but
everything works. You either have to trade off the security for the
usability, or the usability for the security.
PaX uses two tools to set reduced restrictions: chpax and paxctl. The
chpax tool uses a free field in the ELF header; while paxctl uses a
special field set aside by a specially patched binutils. Binaries with
this extra field are natively compatible with vanilla Linux.
The different flags are as follows:
P PageExec (NX method) to supply functionality of NX marking of pages
S SegmExec (NX method) to supply functionality of NX marking of pages
E Emulate Trampolines
M Reduced mprotect() restrictions (basically fixes things wanting +X stack)
R Random mmap() base
X Random ET_EXEC base
I supply these as shell patterns. Be familiar with bash, or try:
$ echo `exec <pattern>`
NX-Exempt (-psem)
Wine:
/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
OpenOffice.org:
/opt/OpenOffice.org*/program/soffice.bin
Misc:
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/Xorg
/usr/bin/blender
/usr/bin/gxine
/usr/bin/xine
/usr/bin/totem
/usr/bin/acme
/usr/bin/gnome-sound-recorder
/usr/games/bin/bzflag
/usr/bin/xfce4-panel
/usr/bin/{g,}xine
Randmap Exempt (-r)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
X:
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/Xorg
mprotect() restriction exempt (-m)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
Firefox:
/usr/lib/MozillaFirefox/firefox{,-bin}
xmms:
/usr/bin/xmms
RandExec Exempt (-x):
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
X:
/usr/X11R6/bin/XFree86
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*
The bug used to track changes in the scripts that supply the application
of reduced restrictions is at
http://bugs.gentoo.org/show_bug.cgi?id=40665 . This may prove
interesting, as I or someone else will need to update it as more
applications break, or as more begin to work.
--John
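An added example (not the Gentoo script the mail refers to and not part of the message): expanding the bash patterns from the lists above under a root directory and emitting the paxctl call that would apply each group's reduced restrictions. It assumes bash (brace expansion is a bash feature), that paxctl accepts the flag strings used as headings in the mail (-psem, -r, -m, -x), and that patterns which merge several listed paths (e.g. /usr/X11R6/bin/{XFree86,Xorg}) are my rewrites of the mail's entries.

```shell
#!/usr/bin/env bash
# Added example, not the Gentoo script the mail refers to. Expands the
# bash brace/glob patterns from the lists under an optional ROOT and emits
# the paxctl call for each binary found. Assumptions: bash (brace expansion
# is a bash feature), paxctl accepts the flag strings used as headings in the
# mail (-psem, -r, -m, -x), and nothing is modified unless PAX_APPLY=1.
shopt -s nullglob   # a pattern that matches nothing expands to nothing

# list_exempt ROOT FLAGS PATTERN... -> prints "FLAGS<TAB>path" for every
# regular file under ROOT that matches one of the patterns.
list_exempt() {
    local root=$1 flags=$2 pattern f
    shift 2
    local patterns=("$@")
    for pattern in "${patterns[@]}"; do
        # eval is what performs brace expansion on the literal pattern; only
        # acceptable because the patterns come from our own table below.
        eval "set -- \"\$root\"$pattern"
        for f in "$@"; do
            if [ -f "$f" ]; then
                printf '%s\t%s\n' "$flags" "$f"
            fi
        done
    done
    return 0
}

# apply_exemptions [ROOT] -> prints (or, with PAX_APPLY=1, runs) one paxctl
# command per matched binary, following the four groups in the mail.
apply_exemptions() {
    local root=${1:-} java='/opt/*-{jdk-*/{,jre/},jre-*/}bin/*' flags path
    local x11='/usr/X11R6/bin/{XFree86,Xorg}'
    {
        list_exempt "$root" -psem "$java" "$x11" '/usr/bin/{g,}xine' \
            '/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}' \
            '/opt/OpenOffice.org*/program/soffice.bin' '/usr/games/bin/bzflag' \
            '/usr/bin/{blender,totem,acme,gnome-sound-recorder,xfce4-panel}'
        list_exempt "$root" -r "$java" "$x11"
        list_exempt "$root" -m "$java" '/usr/lib/MozillaFirefox/firefox{,-bin}' '/usr/bin/xmms'
        list_exempt "$root" -x "$java" "$x11"
    } | while IFS=$'\t' read -r flags path; do
        if [ "${PAX_APPLY:-0}" = 1 ]; then
            paxctl "$flags" "$path"       # real write: needs root and paxctl
        else
            printf 'paxctl %s %s\n' "$flags" "$path"
        fi
    done
}
```

Run `apply_exemptions` with no argument to dry-run against the live filesystem; pass a staging directory as ROOT to check what a pattern matches before touching real binaries.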
Thread overview: 2+ messages
2004-07-11 14:15 John Richard Moser [this message]
2004-07-13 21:42 ` NX: List of apps that probably break with NX John Richard Moser