[arch-dev-public] providing grsecurity in [community]

[Daniel Micay]

On 16/04/14 02:46 AM, Allan McRae wrote:
>
> Which packages?  We need the details.

For just the basics (most of PaX disabled), there's no external work
required. It would be useful with just the kernel and userland tools in
[community] and no extra work done on other packages.

Enabling the PaX features requires marking a fairly long list of
binaries with exceptions to the rules via the PaX extended attributes in
the install scripts. For example, web browsers require memory that's
both executable + writable (requiring an mprotect exception) and many
programs are broken by stuff like the ASLR improvements due to depending
on all kinds of undefined behaviour.

The `paxctl` command for this is a 0.06MiB package with a single binary
and man page, so the drawback would be the work required rather than any
form of dependency bloat. It wouldn't be reasonable to report every case
via the issue tracker, someone would actually have to be interested in
systematically adding to to [core] and [extra] packages.

If you want a nearly full list of the packages, you can look in the
linux-pax-flags AUR package, which is a total hack adding the PaX xattrs
when the user runs a command. Doing it that way means any upgrades are
going to break everything until the user runs the script, so I'm just
planning on leaving the features disabled at first. Pacman hooks would
be a nicer solution than editing all the install scripts, but we don't
have those :).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20140416/457c7498/attachment.asc>