Diff of /xml/htdocs/proj/en/hardened/pax-quickstart.xml


Revision 1.6 Revision 1.7
1<?xml version='1.0' encoding="UTF-8"?> 1<?xml version='1.0' encoding="UTF-8"?>
2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.6 2005/04/18 19:39:05 solar Exp $ --> 2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.7 2005/07/12 01:02:46 solar Exp $ -->
3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4 4
5<guide link="/proj/en/hardened/pax-quickstart.xml"> 5<guide link="/proj/en/hardened/pax-quickstart.xml">
6<title>Hardened Gentoo PaX Quickstart</title> 6<title>Hardened Gentoo PaX Quickstart</title>
7 7
9 <mail link="tseng@gentoo.org">Brandon Hale</mail> 9 <mail link="tseng@gentoo.org">Brandon Hale</mail>
10</author> 10</author>
11<author title="Editor"> 11<author title="Editor">
12 <mail link="blackace@gentoo.org">Blackace</mail> 12 <mail link="blackace@gentoo.org">Blackace</mail>
13</author> 13</author>
14<author title="Editor">
15 <mail link="solar@gentoo.org">solar</mail>
16</author>
14 17
15<abstract> 18<abstract>
16A quickstart covering PaX and Hardened Gentoo. 19A quickstart covering PaX and Hardened Gentoo.
17</abstract> 20</abstract>
18 21
19<!-- The content of this document is licensed under the CC-BY-SA license --> 22<!-- The content of this document is licensed under the CC-BY-SA license -->
20<!-- See http://creativecommons.org/licenses/by-sa/2.0 --> 23<!-- See http://creativecommons.org/licenses/by-sa/2.0 -->
21<license/> 24<license/>
22 25
23<version>1.2</version> 26<version>1.3</version>
24<date>2004-08-07</date> 27<date>2005-07-11</date>
25 28
26<chapter> 29<chapter>
27<title>What is Hardened Gentoo?</title> 30<title>What is Hardened Gentoo?</title>
28<section> 31<section>
29<body> 32<body>
30 33
31<p> 34<p>
32Hardened Gentoo is a project interested in the hardening of a Gentoo system. 35Hardened Gentoo is a project interested in the hardening of a Gentoo system.
33Several different solutions are supported by us and there is a fair bit of 36Several different solutions are supported by us and there is a fair bit of
34flexibility to create your own setup. At the heart of Hardened Gentoo is 37flexibility to create your own setup. At the heart of a common Hardened Gentoo
35<e>PaX</e>. 38setup is <e>PaX</e>.
36</p> 39</p>
37 40
38</body> 41</body>
39</section> 42</section>
40</chapter> 43</chapter>
115<p> 118<p>
116Several Gentoo kernel trees are already patched with PaX. 119Several Gentoo kernel trees are already patched with PaX.
117</p> 120</p>
118 121
119<p> 122<p>
120For 2.4 based machines, the recommended kernels are <c>hardened-sources</c> or 123For 2.4/2.6 based machines, the recommended kernels are <c>hardened-sources</c>
121<c>grsec-sources</c>. For 2.6 machines, <c>hardened-dev-sources</c> are
122recommended.
123</p> 124</p>
124 125
125<p> 126<p>
126Grab one of the recommended source trees, or apply the appropriate patch from 127Grab one of the recommended source trees, or apply the appropriate patch from
127<uri>http://pax.grsecurity.net</uri> to your own tree and configure it as you 128<uri>http://pax.grsecurity.net</uri> to your own tree and configure it as you
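Review bot: new line 123 drops the sentence terminator, so the paragraph now reads "the recommended kernels are <c>hardened-sources</c>" straight into "</p>"; add the period (or the trailing clause) that the old lines 120-122 had. The change also silently removes <c>grsec-sources</c> for 2.4 and <c>hardened-dev-sources</c> for 2.6 without saying whether they are no longer supported; if the intent is that <c>hardened-sources</c> now covers both 2.4 and 2.6, a short sentence to that effect (and a note that the old trees are deprecated) would spare readers of the 1.2 revision a guess.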
177Hardened Gentoo has added support for transparent PIE/SSP building via GCC's 178Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
178specfile. This means that any users upgrading an older Hardened install should 179specfile. This means that any users upgrading an older Hardened install should
179remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the 180remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the
180<c>hardened-gcc</c> package is now deprecated and should be unmerged 181<c>hardened-gcc</c> package is now deprecated and should be unmerged
181(version 5.0 is a dummy package). To get the current GCC, add 182(version 5.0 is a dummy package). To get the current GCC, add
182<c>USE="hardened pic"</c> to <path>/etc/make.conf</path>. 183<c>USE="hardened pic"</c> to <path>/etc/make.conf</path> if not using the hardened
184profile.
183</p> 185</p>
184 186
185<p> 187<p>
186To maintain a consistant toolchain, first <c>emerge binutils gcc virtual/libc</c>. 188To maintain a consistant toolchain, first <c>emerge binutils gcc virtual/libc</c>.
187Next, rebuild the entire system with <c>emerge -e world</c>. All future packages 189Next, rebuild the entire system with <c>emerge -e world</c>. All future packages
188will be built with PIE/SSP. 190will be built with PIE/SSP.
189</p> 191</p>
190 192
191<warn> 193<warn>
192Both PIE and SSP are known to cause issues with some packages. If you come 194Both PIE and SSP are known to cause issues with some packages. If you come
193across a package that fails to compile, please file a bug report including a log 195across a package that fails to compile, please file a detailed bug report including
194of the failed compile and the output of <c>emerge info</c> to 196a log of the failed compile and the output of <c>emerge info</c> to
195<uri>http://bugs.gentoo.org/</uri>. 197<uri>http://bugs.gentoo.org/</uri>.
196</warn> 198</warn>
199
200<p>
201You will probably also want to merge pax-utils.
202Often if an ELF has executable relocations in the text segment these can cause problems for us.
203scanelf -BRylptq
204</p>
205
197 206
198</body> 207</body>
199</section> 208</section>
200</chapter> 209</chapter>
201 210
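Review bot: the new paragraph at lines 200-204 puts a bare command, "scanelf -BRylptq", inside a <p> with no markup, whereas every other command in this guide is wrapped in <c>…</c> or a <pre caption="…"> block; move it into <pre caption="scanelf -BRylptq"> and write "merge pax-utils" as <c>emerge pax-utils</c> for consistency with line 188. The explanatory sentence is also vague: "executable relocations in the text segment these can cause problems for us" should say what the check finds and why it matters, e.g. that <c>-t</c> reports ELF objects with text relocations (TEXTREL), which the dynamic linker must patch at load time by writing to the code segment, and that a PaX kernel with MPROTECT enabled refuses that write so the program is killed. While touching this section, "consistant" on line 188 (unchanged from 1.6) should read "consistent".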
209executed out of memory. Naturally, PaX does not allow this and it will promptly 218executed out of memory. Naturally, PaX does not allow this and it will promptly
210kill the offending application. 219kill the offending application.
211</p> 220</p>
212 221
213<note> 222<note>
214The most notable of these applications are XFree, mplayer and multimedia tools 223The most notable of these applications are XFree/Xorg, mplayer and multimedia tools
215based on xine-lib. The easiest way around these problems are to disable PaX 224based on xine-lib. The easiest way around these problems are to disable PaX
216protections. 225protections.
217</note> 226</note>
218 227
219<p> 228<p>
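Review bot: line 224, unchanged by this revision, still has the agreement error "The easiest way around these problems are"; it should read "is" (the subject is "way"). The rename to "XFree/Xorg" on line 223 is fine, but the rest of the revision (lines 261, 265, 284-285) switches to "Xorg" alone, so consider dropping "XFree/" here too unless XFree86 installs are still a supported target.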
247The first option we will note is <c>-v</c>, which can display flags set on a 256The first option we will note is <c>-v</c>, which can display flags set on a
248particular binary. 257particular binary.
249</p> 258</p>
250 259
251<pre caption="paxctl -v"> 260<pre caption="paxctl -v">
252y0shi brandon # paxctl -v /usr/X11R6/bin/XFree86 261shell user # paxctl -v /usr/bin/Xorg
253PaX control v0.2 262PaX control v0.2
254Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt; 263Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt;
255 264
256- PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86] 265- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
257 PAGEEXEC is disabled 266 PAGEEXEC is disabled
258 SEGMEXEC is disabled 267 SEGMEXEC is disabled
259 MPROTECT is enabled 268 MPROTECT is enabled
260 RANDEXEC is disabled 269 RANDEXEC is disabled
261 EMUTRAMP is disabled 270 EMUTRAMP is disabled
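Review bot: lines 261 and 265 change only the path in the captured <c>paxctl -v</c> output, so the flag string "-p-sM--x-eR-" and the per-flag listing are the XFree86 capture relabelled as /usr/bin/Xorg rather than fresh output from the Xorg binary. Re-run <c>paxctl -v /usr/bin/Xorg</c> on the target system and paste the real result, or state in the caption that the flags shown are an illustration, so the example stays honest about what a freshly merged Xorg reports.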
270To set flags on a binary, the <c>-z</c> flag is useful as it restores the 279To set flags on a binary, the <c>-z</c> flag is useful as it restores the
271default flags. 280default flags.
272</p> 281</p>
273 282
274<p> 283<p>
275To disable protections on XFree, run 284To disable protections on Xorg, run
276<c>paxctl -zpeMRxs /usr/X11R6/bin/XFree86</c>. 285<c>paxctl -zpeMRxs /usr/bin/Xorg</c>.
277</p> 286</p>
278 287
279<p> 288<p>
280Play around with disabling/enabling protections to see what is the least needed 289Play around with disabling/enabling protections to see what is the least needed
281to run. 290to run. Often we fine that we need the -m -sp combos.
291</p>
292
293<p>
294A default init/conf.d script gets installed when you merge the chpax package
295that setups some reasonable defaults on the well known misbehaviors.
296You may want to enable the setting of these permissions at every boot.
297Todo that you can run the following command
298<c>emerge chpax ; rc-update add chpax default ; /etc/inid.d/chpax start</c>
282</p> 299</p>
283 300
284</body> 301</body>
285</section> 302</section>
286</chapter> 303</chapter>
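Review bot: line 298 has a typo in the path, "/etc/inid.d/chpax start", which will fail as typed; it must be "/etc/init.d/chpax start". The same block needs light copy-editing: "Often we fine that" (line 290) should be "find", "that setups some reasonable defaults" (line 295) should be "that sets up", and "Todo that" (line 297) should be "To do that". The three commands on line 298 would be clearer as a <pre caption="Enabling chpax at boot"> block with one command per line, matching the <pre> convention used for <c>paxctl -v</c> above. Finally, "the -m -sp combos" is cryptic: spell out that <c>paxctl -m</c> disables MPROTECT and <c>paxctl -sp</c> disables SEGMEXEC and PAGEEXEC, which follows the lowercase-disables convention shown at lines 265-270, so readers can see why these are the usual minimal relaxations.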
