public inbox for linux-kernel@vger.kernel.org
* NX: List of apps that probably break with NX
@ 2004-07-11 14:15 John Richard Moser
From: John Richard Moser @ 2004-07-11 14:15 UTC (permalink / raw)
  To: linux-kernel


Hi.

I've noticed you're pondering an NX technology in the kernel.  I help
maintain a list of applications that break under PaX, an NX/ASLR patch,
used for a script which applies reduced restrictions to these binaries.
The result is that I have a handful of unprotected apps; but
everything works.  You either have to trade off the security for the
usability, or the usability for the security.

PaX uses two tools to set reduced restrictions: chpax and paxctl.  The
chpax tool uses a free field in the ELF header, while paxctl uses a
special field set aside by a specially patched binutils.  Binaries with
this extra field are natively compatible with vanilla Linux.

The different flags are as follows:

P  PageExec (NX method) to supply functionality of NX marking of pages
S  SegmExec (NX method) to supply functionality of NX marking of pages
E  Emulate Trampolines
M  Reduced mprotect() restrictions (basically fixes things wanting +X stack)
R  Random mmap() base
X  Random ET_EXEC base


I supply these as shell patterns.  Be familiar with bash, or try:

$ echo <pattern>


NX-Exempt (-psem)
Wine:
/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}

Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

OpenOffice.org:
/opt/OpenOffice.org*/program/soffice.bin

Misc:
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/Xorg
/usr/bin/blender
/usr/bin/gxine
/usr/bin/xine
/usr/bin/totem
/usr/bin/acme
/usr/bin/gnome-sound-recorder
/usr/games/bin/bzflag
/usr/bin/xfce4-panel
/usr/bin/{g,}xine

Randmap Exempt (-r)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

X:
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/Xorg

mprotect() restriction exempt (-m)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

Firefox:
/usr/lib/MozillaFirefox/firefox{,-bin}

xmms:
/usr/bin/xmms

RandExec Exempt (-x)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

X:
/usr/X11R6/bin/XFree86
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*



The bug used to track changes in the scripts that supply the application
of reduced restrictions is at
http://bugs.gentoo.org/show_bug.cgi?id=40665 .  This may prove
interesting, as I or someone else will need to update it as more
applications break, or as more begin to work.

--John

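As an added example (not the author's code and not the Gentoo script the post refers to), the following Python resolves the shell brace patterns above the way bash would, matches them against a constructed list of installed paths, and merges the four exemption lists into the single paxctl flag string each binary would receive. The flag letters and their meaning (lowercase disables a PaX feature) come from the post; SAMPLE_PATHS, the function names and the subset of patterns kept are assumptions made here.

```python
"""Expand the post's brace patterns and merge the per-binary paxctl flags (added example)."""
import re

# Exemption lists from the post (a subset): paxctl flag string -> brace patterns.
# A lowercase paxctl letter disables that PaX feature for the binary.
EXEMPTIONS = {
    "-psem": ["/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}",
              "/opt/*-{jdk-*/{,jre/},jre-*/}bin/*", "/opt/OpenOffice.org*/program/soffice.bin",
              "/usr/X11R6/bin/{XFree86,Xorg}", "/usr/bin/{blender,{g,}xine,totem,xfce4-panel}"],
    "-r": ["/opt/*-{jdk-*/{,jre/},jre-*/}bin/*", "/usr/X11R6/bin/{XFree86,Xorg}"],
    "-m": ["/opt/*-{jdk-*/{,jre/},jre-*/}bin/*", "/usr/lib/MozillaFirefox/firefox{,-bin}", "/usr/bin/xmms"],
    "-x": ["/opt/*-{jdk-*/{,jre/},jre-*/}bin/*", "/usr/X11R6/bin/XFree86"],
}

# Constructed sample of installed paths (not from the post) to run the lists against.
SAMPLE_PATHS = ["/opt/sun-jdk-1.4.2/bin/java", "/opt/sun-jdk-1.4.2/jre/bin/java",
                "/usr/X11R6/bin/Xorg", "/usr/lib/wine/bin/wine-pthread",
                "/usr/lib/MozillaFirefox/firefox-bin", "/usr/bin/gxine", "/bin/ls"]

def brace_expand(pattern):
    """Bash-style brace expansion: expand the leftmost innermost {a,b,...} group,
    recurse on each result (this resolves nested groups), and drop duplicates."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(brace_expand(head + alt + tail))
    return list(dict.fromkeys(out))

def glob_to_regex(glob):
    """Shell-style glob where '*' never crosses '/' (the only wildcard these patterns use)."""
    return "".join("[^/]*" if c == "*" else re.escape(c) for c in glob)

def merged_flags(paths, exemptions=EXEMPTIONS):
    """Return {path: flag string}, merging every list whose patterns match the path;
    letters are deduplicated, so a Java binary gets one combined '-psemrx'."""
    result = {}
    for flags, patterns in exemptions.items():
        regexes = [re.compile(glob_to_regex(g)) for p in patterns for g in brace_expand(p)]
        for path in paths:
            if any(r.fullmatch(path) for r in regexes):
                have = result.get(path, "")
                result[path] = have + "".join(c for c in flags[1:] if c not in have)
    return {p: "-" + letters for p, letters in result.items()}

if __name__ == "__main__":
    for path, flags in merged_flags(SAMPLE_PATHS).items():
        print(f"paxctl {flags} {path}")  # dry run: print the commands, do not modify binaries
```

Feeding the real filesystem in place of SAMPLE_PATHS shows exactly which binaries lose which protections, which is the trade-off the post describes.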