authorklondike <klondike@xiscosoft.es>2010-11-12 18:32:30 +0100
committerklondike <klondike@xiscosoft.es>2010-11-12 18:32:30 +0100
commitb499b0f83177293b546cc99aaf3319d72c7add67 (patch)
treec28adcf00d43475234f06967b2db43ce2cb1fe67
parentmerging with CVS tree (diff)
updating html previews
-rw-r--r--html/capabilities.html428
-rw-r--r--html/docs/devel-chroots-intro.html465
-rw-r--r--html/docs/glossary.html166
-rw-r--r--html/docs/index.html160
-rw-r--r--html/docs/pax-howto.html273
-rw-r--r--html/etdyn.html213
-rw-r--r--html/gnu-stack.html425
-rw-r--r--html/grsecurity.html809
-rw-r--r--html/hardened-toolchain.html357
-rw-r--r--html/hardened-virtualization.html6
-rw-r--r--html/hardeneddebug.html6
-rw-r--r--html/hardenedxorg.html150
-rw-r--r--html/index.html36
-rw-r--r--html/index2.html296
-rw-r--r--html/pax-quickstart.html280
-rw-r--r--html/pax-utils.html693
-rw-r--r--html/pic-fix-guide.html877
-rw-r--r--html/pic-guide.html175
-rw-r--r--html/pic-internals.html249
-rw-r--r--html/pie-ssp.html258
-rw-r--r--html/prelude-ids.html624
-rw-r--r--html/primer.html274
-rw-r--r--html/roadmap.html304
-rw-r--r--html/rsbac/index.html164
-rw-r--r--html/rsbac/intro.html113
-rw-r--r--html/rsbac/overview.html225
-rw-r--r--html/rsbac/quickstart.html353
-rw-r--r--html/rsbac/transition.html90
-rw-r--r--html/selinux/hb-install.html76
-rw-r--r--html/selinux/hb-selinux-conv-profile.html118
-rw-r--r--html/selinux/hb-selinux-conv-reboot1.html209
-rw-r--r--html/selinux/hb-selinux-conv-reboot2.html244
-rw-r--r--html/selinux/hb-selinux-faq.html148
-rw-r--r--html/selinux/hb-selinux-howto.html287
-rw-r--r--html/selinux/hb-selinux-initpol.html72
-rw-r--r--html/selinux/hb-selinux-libsemanage.html275
-rw-r--r--html/selinux/hb-selinux-localmod.html158
-rw-r--r--html/selinux/hb-selinux-loglocal.html212
-rw-r--r--html/selinux/hb-selinux-logremote.html228
-rw-r--r--html/selinux/hb-selinux-overview.html552
-rw-r--r--html/selinux/hb-selinux-references.html117
-rw-r--r--html/selinux/index.html229
-rw-r--r--html/selinux/selinux-handbook.html171
-rw-r--r--html/toolchain-upgrade-guide.html280
44 files changed, 11821 insertions, 24 deletions
diff --git a/html/capabilities.html b/html/capabilities.html
new file mode 100644
index 0000000..4bf9719
--- /dev/null
+++ b/html/capabilities.html
@@ -0,0 +1,428 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ POSIX Capabilities</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>POSIX Capabilities</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. CAP_CHOWN</option>
+<option value="#doc_chap2">2. CAP_DAC_OVERRIDE</option>
+<option value="#doc_chap3">3. CAP_DAC_READ_SEARCH</option>
+<option value="#doc_chap4">4. CAP_FOWNER</option>
+<option value="#doc_chap5">5. CAP_FSETID</option>
+<option value="#doc_chap6">6. CAP_FS_MASK</option>
+<option value="#doc_chap7">7. CAP_KILL</option>
+<option value="#doc_chap8">8. CAP_SETGID</option>
+<option value="#doc_chap9">9. CAP_SETUID</option>
+<option value="#doc_chap10">10. CAP_SETPCAP</option>
+<option value="#doc_chap11">11. CAP_LINUX_IMMUTABLE</option>
+<option value="#doc_chap12">12. CAP_NET_BIND_SERVICE</option>
+<option value="#doc_chap13">13. CAP_NET_BROADCAST</option>
+<option value="#doc_chap14">14. CAP_NET_ADMIN</option>
+<option value="#doc_chap15">15. CAP_NET_RAW</option>
+<option value="#doc_chap16">16. CAP_IPC_LOCK</option>
+<option value="#doc_chap17">17. CAP_IPC_OWNER</option>
+<option value="#doc_chap18">18. CAP_SYS_MODULE</option>
+<option value="#doc_chap19">19. CAP_SYS_RAWIO</option>
+<option value="#doc_chap20">20. CAP_SYS_CHROOT</option>
+<option value="#doc_chap21">21. CAP_SYS_PTRACE</option>
+<option value="#doc_chap22">22. CAP_SYS_PACCT</option>
+<option value="#doc_chap23">23. CAP_SYS_ADMIN</option>
+<option value="#doc_chap24">24. CAP_SYS_BOOT</option>
+<option value="#doc_chap25">25. CAP_SYS_NICE</option>
+<option value="#doc_chap26">26. CAP_SYS_RESOURCE</option>
+<option value="#doc_chap27">27. CAP_SYS_TIME</option>
+<option value="#doc_chap28">28. CAP_SYS_TTY_CONFIG</option>
+<option value="#doc_chap29">29. CAP_MKNOD</option>
+<option value="#doc_chap30">30. CAP_LEASE</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>CAP_CHOWN</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: CAP_CHOWN</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_CHOWN</span>
+ In a system with the [_POSIX_CHOWN_RESTRICTED] option defined,
+ this overrides the restriction of changing file ownership and
+ group ownership.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>CAP_DAC_OVERRIDE</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: CAP_DAC_OVERRIDE</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_DAC_OVERRIDE</span>
+ Override all DAC access, including ACL execute access
+ if [_POSIX_ACL] is defined.
+ Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>CAP_DAC_READ_SEARCH</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: CAP_DAC_READ_SEARCH</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_DAC_READ_SEARCH</span>
+ Overrides all DAC restrictions, regarding read and search on files
+ and directories, including ACL restrictions, if [_POSIX_ACL] is
+ defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>CAP_FOWNER</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: CAP_FOWNER</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_FOWNER</span>
+ Overrides all restrictions about allowed operations on files, where
+ file owner ID must be equal to the user ID, except where CAP_FSETID
+ is applicable. It doesn't override MAC and DAC restrictions.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>CAP_FSETID</p>
+<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: CAP_FSETID</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_FSETID</span>
+ Overrides the following restrictions, that the effective user ID shall
+ match the file owner ID, when setting the S_ISUID and S_ISGID bits on
+ that file; that the effective group ID (or one of the supplementary
+ group IDs) shall match the file owner ID when setting the S_ISGID bit
+ on that file; that the S_ISUID and S_ISGID bits are cleared on
+ successful return from chown(2) (not implemented).
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>CAP_FS_MASK</p>
+<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: CAP_FS_MASK</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_FS_MASK</span>
+ Used to decide between falling back on the old suser() or fsuser().
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>CAP_KILL</p>
+<a name="doc_chap7_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.1: CAP_KILL</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_KILL</span>
+ Overrides the restriction, that the real or effective user ID of a process,
+ sending a signal, must match the real or effective user ID of the process,
+ receiving the signal.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
+ </span>CAP_SETGID</p>
+<a name="doc_chap8_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing8.1: CAP_SETGID</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SETGID</span>
+ Allows setgid(2) manipulation;
+ Allows setgroups(2);
+ Allows forged gids on socket credentials passing.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap9"></a><span class="chapnum">9.
+ </span>CAP_SETUID</p>
+<a name="doc_chap9_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing9.1: CAP_SETUID</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SETUID</span>
+ Allows set*uid(2) manipulation (including fsuid);
+ Allows forged pids on socket credentials passing.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap10"></a><span class="chapnum">10.
+ </span>CAP_SETPCAP</p>
+<a name="doc_chap10_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing10.1: CAP_SETPCAP</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SETPCAP</span>
+ Transfer any capability in your permitted set to any pid, remove any capability in your permitted set from any pid.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap11"></a><span class="chapnum">11.
+ </span>CAP_LINUX_IMMUTABLE</p>
+<a name="doc_chap11_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing11.1: CAP_LINUX_IMMUTABLE</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_LINUX_IMMUTABLE</span>
+ Allow modification of S_IMMUTABLE and S_APPEND file attributes.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap12"></a><span class="chapnum">12.
+ </span>CAP_NET_BIND_SERVICE</p>
+<a name="doc_chap12_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing12.1: CAP_NET_BIND_SERVICE</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_NET_BIND_SERVICE</span>
+ Allows binding to TCP/UDP sockets below 1024;
+ Allows binding to ATM VCIs below 32.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap13"></a><span class="chapnum">13.
+ </span>CAP_NET_BROADCAST</p>
+<a name="doc_chap13_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing13.1: CAP_NET_BROADCAST</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_NET_BROADCAST</span>
+ Allow broadcasting, listen to multicast.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap14"></a><span class="chapnum">14.
+ </span>CAP_NET_ADMIN</p>
+<a name="doc_chap14_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing14.1: CAP_NET_ADMIN</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_NET_ADMIN</span>
+ Allow interface configuration;
+ Allow administration of IP firewall, masquerading and accounting;
+ Allow setting debug option on sockets;
+ Allow modification of routing tables;
+ Allow setting arbitrary process / process group ownership on sockets;
+ Allow binding to any address for transparent proxying;
+ Allow setting TOS (type of service);
+ Allow setting promiscuous mode;
+ Allow clearing driver statistics;
+ Allow multicasting;
+ Allow read/write of devicespecific registers;
+ Allow activation of ATM control sockets.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap15"></a><span class="chapnum">15.
+ </span>CAP_NET_RAW</p>
+<a name="doc_chap15_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing15.1: CAP_NET_RAW</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_NET_RAW</span>
+ Allow use of RAW sockets;
+ Allow use of PACKET sockets.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap16"></a><span class="chapnum">16.
+ </span>CAP_IPC_LOCK</p>
+<a name="doc_chap16_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing16.1: CAP_IPC_LOCK</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_IPC_LOCK</span>
+ Allow locking of shared memory segments;
+ Allow mlock and mlockall (which doesn't really have anything to do with IPC).
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap17"></a><span class="chapnum">17.
+ </span>CAP_IPC_OWNER</p>
+<a name="doc_chap17_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing17.1: CAP_IPC_OWNER</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_IPC_OWNER</span>
+ Override IPC ownership checks.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap18"></a><span class="chapnum">18.
+ </span>CAP_SYS_MODULE</p>
+<a name="doc_chap18_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing18.1: CAP_SYS_MODULE</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_MODULE</span>
+ Insert and remove kernel modules modify kernel without limit;
+ Modify cap_bset.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap19"></a><span class="chapnum">19.
+ </span>CAP_SYS_RAWIO</p>
+<a name="doc_chap19_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing19.1: CAP_SYS_RAWIO</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_RAWIO</span>
+ Allow ioperm/iopl access;
+ Allow sending USB messages to any device via /proc/bus/usb.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap20"></a><span class="chapnum">20.
+ </span>CAP_SYS_CHROOT</p>
+<a name="doc_chap20_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing20.1: CAP_SYS_CHROOT</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_CHROOT</span>
+ Allow use of chroot().
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap21"></a><span class="chapnum">21.
+ </span>CAP_SYS_PTRACE</p>
+<a name="doc_chap21_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing21.1: CAP_SYS_PTRACE</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_PTRACE</span>
+ Allow ptrace() of any process.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap22"></a><span class="chapnum">22.
+ </span>CAP_SYS_PACCT</p>
+<a name="doc_chap22_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing22.1: CAP_SYS_PACCT</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_PACCT</span>
+ Allow configuration of process accounting.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap23"></a><span class="chapnum">23.
+ </span>CAP_SYS_ADMIN</p>
+<a name="doc_chap23_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing23.1: CAP_SYS_ADMIN</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_ADMIN</span>
+ Allow configuration of the secure attention key;
+ Allow administration of the random device;
+ Allow examination and configuration of disk quotas;
+ Allow configuring the kernel's syslog (printk behaviour);
+ Allow setting the domainname;
+ Allow setting the hostname;
+ Allow calling bdflush();
+ Allow mount() and umount(), setting up new smb connection;
+ Allow some autofs root ioctls;
+ Allow nfsservctl; Allow VM86_REQUEST_IRQ;
+ Allow to read/write pci config on alpha; Allow irix_prctl on mips (setstacksize);
+ Allow flushing all cache on m68k (sys_cacheflush);
+ Allow removing semaphores; Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory;
+ Allow locking/unlocking of shared memory segment;
+ Allow turning swap on/off;
+ Allow forged pids on socket credentials passing;
+ Allow setting readahead and flushing buffers on block devices;
+ Allow setting geometry in floppy driver;
+ Allow turning DMA on/off in xd driver;
+ Allow administration of md devices (mostly the above, but some extra ioctls);
+ Allow tuning the ide driver;
+ Allow access to the nvram device;
+ Allow administration of apm_bios, serial and bttv (TV) device;
+ Allow manufacturer commands in isdn CAPI support driver;
+ Allow reading nonstandardized portions of pci configuration space;
+ Allow DDI debug ioctl on sbpcd driver;
+ Allow setting up serial ports;
+ Allow sending raw qic117 commands;
+ Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands;
+ Allow setting encryption key on loopback filesystem.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap24"></a><span class="chapnum">24.
+ </span>CAP_SYS_BOOT</p>
+<a name="doc_chap24_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing24.1: CAP_SYS_BOOT</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_BOOT</span>
+ Allow use of reboot().
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap25"></a><span class="chapnum">25.
+ </span>CAP_SYS_NICE</p>
+<a name="doc_chap25_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing25.1: CAP_SYS_NICE</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_NICE</span>
+ Allow raising priority and setting priority on other (different UID) processes;
+ Allow use of FIFO and roundrobin (realtime) scheduling on own processes and setting
+ the scheduling algorithm used by another process.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap26"></a><span class="chapnum">26.
+ </span>CAP_SYS_RESOURCE</p>
+<a name="doc_chap26_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing26.1: CAP_SYS_RESOURCE</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_RESOURCE</span>
+ Override resource limits. Set resource limits;
+ Override quota limits;
+ Override reserved space on ext2 filesystem;
+ Modify data journaling mode on ext3 filesystem
+ (uses journaling resources); NOTE: ext2 honors fsuid when checking for
+ resource overrides, so you can override using fsuid too;
+ Override size restrictions on IPC message queues;
+ Allow more than 64hz interrupts from the realtime clock;
+ Override max number of consoles on console allocation;
+ Override max number of keymaps.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap27"></a><span class="chapnum">27.
+ </span>CAP_SYS_TIME</p>
+<a name="doc_chap27_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing27.1: CAP_SYS_TIME</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_TIME</span>
+ Allow manipulation of system clock;
+ Allow irix_stime on mips;
+ Allow setting the realtime clock.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap28"></a><span class="chapnum">28.
+ </span>CAP_SYS_TTY_CONFIG</p>
+<a name="doc_chap28_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing28.1: CAP_SYS_TTY_CONFIG</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_SYS_TTY_CONFIG</span>
+ Allow configuration of tty devices; Allow vhangup() of tty.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap29"></a><span class="chapnum">29.
+ </span>CAP_MKNOD</p>
+<a name="doc_chap29_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing29.1: CAP_MKNOD</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_MKNOD</span>
+ Allow the privileged aspects of mknod().
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap30"></a><span class="chapnum">30.
+ </span>CAP_LEASE</p>
+<a name="doc_chap30_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing30.1: CAP_LEASE</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ <span class="code-input">CAP_LEASE</span>
+ Allow taking of leases on files.
+</pre></td></tr>
+</table>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/capabilities.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated January 22, 2005</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+POSIX capabilities are a partitioning of the all powerful root privilege into a
+set of distinct privileges
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:tocharian@gentoo.org" class="altlink"><b>Adam Mondl</b></a>
+<br><i>Contributor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
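Review bot: The CAP_SETPCAP entry (the `<pre>` text "Transfer any capability in your permitted set to any pid, remove any capability in your permitted set from any pid") reproduces the pre-2.6.24 kernel header comment; once file capabilities landed in 2.6.24/2.6.25, CAP_SETPCAP stopped allowing a process to push capabilities into other processes and instead governs bounding-set drops, securebits and adding permitted capabilities to the inheritable set, so a reader sizing a privilege grant from this page would misjudge it. Two smaller accuracy points in the same listing: CAP_FS_MASK is a mask macro in the kernel header rather than a grantable capability, and the 1–30 chapter numbers do not match the kernel's capability values (CAP_CHOWN is 0), which the `Code Listing6.1` layout invites readers to confuse, while capabilities added after the "Updated January 22, 2005" date (CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN) are absent. The sidebar's link to `capabilities.xml?style=printable` suggests this HTML is generated from a GuideXML source, so the text fix belongs there and would flow into the preview on the next regeneration. A one-line caveat under the `<h1>`, e.g. `<p>Descriptions are taken from the kernel's capability.h as of 2005; CAP_SETPCAP semantics changed in Linux 2.6.24 and capabilities added since then are not listed.</p>`, would stop readers from treating the list as current. The generated template also uses an inline `OnChange` handler on the contents `<select>` and plain http:// stylesheet and sidebar-iframe sources, which rule out a strict CSP and leave the page's assets open to on-path substitution — a stylesheet-level fix rather than a per-page one.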
diff --git a/html/docs/devel-chroots-intro.html b/html/docs/devel-chroots-intro.html
new file mode 100644
index 0000000..6153d11
--- /dev/null
+++ b/html/docs/devel-chroots-intro.html
@@ -0,0 +1,465 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/../../css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/../../favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Developer Chroots Utility Guide</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Developer Chroots Utility Guide</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Installation</option>
+<option value="#doc_chap3">3. Configuration</option>
+<option value="#doc_chap4">4. Startup and maintenance</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p class="secthead"><a name="doc_chap1_sect1">What is this all about?</a></p>
+<p>
+The normal procedure for a developer setting up a chroot is
+to fetch a stage, find a directory where to unpack it, unroll the stage,
+make some modifications to basic files like <span class="code" dir="ltr">/etc/resolv.conf</span>,
+<span class="code" dir="ltr">/etc/hosts</span> and others.
+Then she or he is usually incorporating some kind of custom script
+to start the chroot again once the machine gets rebooted
+or she/he needs to reenter it for another reason.
+More advanced scripts use screen sessions for making the chroot
+command launching the chroot independent of the
+currently connected user.
+</p>
+<p>
+However, lots of these scripts exist and people are using more
+and more chroots on our development servers,
+which is a very good thing in fact because it's relieving stress
+off the main system and is making our production systems
+more stable if development is done inside contained chroots.
+</p>
+<p>
+There has been a previous version of <span class="code" dir="ltr">devel-chroots</span>,
+but the old version only had limited multiuser capabilities and
+was rather bulky compared to the code in the script and the
+configuration abilities of the different chroots.
+</p>
+<p>
+For this reason, the new version of <span class="code" dir="ltr">devel-chroots</span> has been
+completely rewritten and is using a three-layered approach
+of configuration data for setting up chroots and populating
+the config files in these.
+</p>
+<p>
+Finishing this introduction, this guide is not meant to be exclusive
+to Gentoo development machines and their maintainers and users,
+the tool has been developed to be usable on any machine
+where chroots should be set up in an automatic and configurable fashion.
+</p>
+<p>
+Your input is welcome and there is always room for improving
+this little program as it aims at easing development and promotes
+thorough regression and live testing by providing an easy way
+of setting up a testbed, which a chroot basically is.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Installation</p>
+<p class="secthead"><a name="doc_chap2_sect1">Ebuild installation</a></p>
+<p>
+The utility can be emerged with the following shell command:
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+If you want to emerge only the basic tool without the sample configuration,
+activate the <span class="code" dir="ltr">"minimal"</span> USE-flag.
+</p></td></tr></table>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Installation of devel-chroots</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">USE="-minimal" emerge -pv devel-chroots</span>
+
+These are the packages that would be merged, in order:
+
+Calculating dependencies... done!
+[ebuild R ] dev-util/devel-chroots-2.0.0 USE="-minimal*" 0 kB
+
+Total size of downloads: 0 kB
+
+# <span class="code-input">USE="-minimal" emerge -v devel-chroots</span>
+</pre></td></tr>
+</table>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Installation of devel-chroots without configuration files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">USE="minimal" emerge -pv devel-chroots</span>
+
+These are the packages that would be merged, in order:
+
+Calculating dependencies... done!
+[ebuild R ] dev-util/devel-chroots-2.0.0 USE="minimal" 0 kB
+
+Total size of downloads: 0 kB
+
+# <span class="code-input">USE="minimal" emerge -v devel-chroots</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect2">Fetching the source code</a></p>
+<p>
+The source code for the project can be found in the following
+anonymous <span class="code" dir="ltr">cvs</span> or <span class="code" dir="ltr">svn</span> location, along with viewcvs:
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: fetching the project source code with anonymous cvs</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+/tmp/dc $ <span class="code-input">cvs -d :pserver:anonymous@anoncvs.gentoo.org/var/cvsroot co gentoo-projects</span>
+</pre></td></tr>
+</table>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: fetching the project source code with anonymous svn</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+/tmp/dc $ <span class="code-input">svn co http://anonsvn.gentoo.org/repositories/gentoo-projects</span>
+</pre></td></tr>
+</table>
+<p>
+Then dive into the
+<span class="code" dir="ltr">gentoo-projects/devel-chroots/devel-chroots-2.0.0/</span>
+directory to see the source code for the project.
+</p>
+<p>
+As you can see, it's just the same as the scripts
+that are getting installed by the ebuild.
+Which positively means that you can theoretically also use
+these scripts without having an ebuild install them.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Configuration</p>
+<p class="secthead"><a name="doc_chap3_sect1">General machine configuration</a></p>
+<p>
+There is no standard location where a <span class="code" dir="ltr">stage3</span>
+file may be located on the mirrors.
+For this reason, it is highly advised to edit the
+default configuration file and explicitly set the <span class="code" dir="ltr">STAGE_URL</span> variable.
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: STAGE_URL in default configuration</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">grep STAGE_URL /etc/devel-chroots/default/config</span>
+STAGE_URL="$(echo ${GENTOO_MIRRORS} | awk '{ print $1; }')/${STAGE_PATH}/${STAGE_NAME}"
+# STAGE_URL="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/releases/x86/2006.0/stages/stage3-x86-2006.0.tar.bz2"
+</pre></td></tr>
+</table>
+<p>
+As you can see, the default mechanism is to pick the first mirror,
+add the stage path for a typical x86 stage and construct
+the name for a current profile's stage.
+However, this doesn't work for sparc for example,
+because they are differentiating between sparc32 and sparc64.
+The same holds true for hppa, where it's stages pertaining
+to the 1.1 ABI and the 2.0 ABI of different types of machines.
+</p>
+<p>
+Also remember that users and specific chroots can always
+override this variable, so it would be the best thing
+to make sure it points to a reasonable default stable stage.
+</p>
+<p>
+As said, users wishing to enable a hardened toolchain chroot,
+a linux32 chroot on an amd64 machine or a new bleeding edge stage
+from one of their private mirrors can always override
+this setting in their own <span class="code" dir="ltr">config</span>.
+</p>
+<p>
+Another important piece of the configuration is the global <span class="code" dir="ltr">make.conf</span>.
+Basically, every single chroot contains a file
+<span class="code" dir="ltr">/usr/local/chroot/conf.d/make.conf</span>
+which is constructed from three possible <span class="code" dir="ltr">make.conf</span> files
+residing in the configuration directory of <span class="code" dir="ltr">devel-chroots</span>:
+</p>
+<p>
+<span class="code" dir="ltr">/etc/devel-chroots/default/make.conf</span> is the main file for chroots.
+</p>
+<p>
+<span class="code" dir="ltr">/etc/devel-chroots/pappy/make.conf</span> is holding user specific addons.
+</p>
+<p>
+<span class="code" dir="ltr">/etc/devel-chroots/pappy/chroot001/make.conf</span> is a chroot specific file.
+</p>
+<p>
+These three files make up the final
+<span class="code" dir="ltr">/usr/local/chroot/conf.d/make.conf</span>
+which then can be sourced by the real <span class="code" dir="ltr">/etc/make.conf</span> of the chroot.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">User specific configuration</a></p>
+<p>
+As noted in the previous section, each user can define her or his
+own versions of <span class="code" dir="ltr">config</span> and <span class="code" dir="ltr">make.conf</span> in the
+configuration directory <span class="code" dir="ltr">/etc/devel-chroots/username</span>.
+This enables the highest possible versatility and flexibility.
+For example, it is possible to allow a user define her or his own
+debugging settings for
+<span class="code" dir="ltr">FEATURES</span> and <span class="code" dir="ltr">USE</span> flags in <span class="code" dir="ltr">make.conf</span>.
+</p>
+<p>
+Another example is the custom setting of the screenrc:
+</p>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: user specific screenrc for chroot screen sessions</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">cat /etc/devel-chroots/pappy/screenrc</span>
+backtick 1 5 0 /home/pappy/bin/mem.sh
+backtick 2 1 0 /home/pappy/bin/cetclock.sh 'CET' '-0200' '-0100'
+
+hardstatus string '%{= kG}[%= %{= kw}%?%-Lw%?%{r}[%{W}%n*%f %t%?{%u}%?%{r}]%{w}%?%+Lw%?%?%= %{g}]%{W} %2`:%s %{g}%{.w}%H%{.c} [%l] %1`MB ram'
+</pre></td></tr>
+</table>
+<p>
+This makes it easy for users to include their own scripts
+in screen sessions of chroots,
+for example to measure disk usage or load of the system.
+</p>
+<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: Example: user specific CET date display on chroot screen</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~ $ cat bin/cetclock.sh
+#!/bin/bash
+
+# check for daylight saving time being currently active at this time
+if [ "x$(perl -e '@timeData = localtime(time); print ${timeData}[-1];')y" == "x1y" ]
+then
+ date --utc --date="$(date --utc '+%F %T') $2" "+$1 %H:%M"
+else
+ date --utc --date="$(date --utc '+%F %T') $3" "+$1 %H:%M"
+fi
+
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap3_sect3">Chroot specific configuration</a></p>
+<p>
+Last but not least, on some arches (notably amd64),
+there is the possibility to install an x86 chroot using a special emulator
+command, called <span class="code" dir="ltr">linux32</span>.
+
+Redefining the respective variables in the chroot-specific
+<span class="code" dir="ltr">/etc/devel-chroots/pappy/chroot001/config</span> enables users to
+set up those special chroots on amd64 test machines:
+</p>
+<a name="doc_chap3_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.4: chroot specific config for linux32 chroot on amd64</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">cat /etc/devel-chroots/pappy/chroot001/config</span>
+CHROOT_BINARY="linux32 /usr/bin/chroot"
+STAGE_URL="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/releases/x86/2006.0/stages/stage3-x86-2006.0.tar.bz2"
+</pre></td></tr>
+</table>
+<p>
+These variables are learned by the script and will
+be used for setting up the chroot.
+Other chroots are not affected by this setting, however.
+This makes it very easy for users to set up and maintain
+different chroots for their needs on the same machine at a time.
+</p>
+<p>
+As you can see, in every case,
+chroot-specific data is overwriting default and user-specific data.
+Please do not change system-internal variables like
+the maximum number of chroots for a user
+and similar definitions inside a chroot-specific <span class="code" dir="ltr">config</span> file.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Startup and maintenance</p>
+<p class="secthead"><a name="doc_chap4_sect1">Automatic startup</a></p>
+<p>
+Automatic startup of the developer chroots is attained with an init script
+that is conforming to the Gentoo standards.
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: starting the devel-chroots init script</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# /etc/init.d/devel-chroots status
+ * status: stopped
+
+# /etc/init.d/devel-chroots start
+ * Starting developer chroots for all users ...
+ * pappy: starting chroot001 in (/space/devel-chroots/pappy/chroot001)
+ * pappy: mounting chroot filesystems: /space/devel-chroots/pappy/chroot001
+ * pappy: chroot001: creating conf: make.conf
+ * pappy: starting chroot002 in (/space/devel-chroots/pappy/chroot002)
+ * pappy: mounting chroot filesystems: /space/devel-chroots/pappy/chroot002
+ * pappy: chroot002: creating conf: make.conf
+ * config file [/etc/devel-chroots/pappy/chroot002/make.conf] not existing, skipping
+ * no /etc/devel-chroots/pappy/chroot003 config dir
+ * no /etc/devel-chroots/pappy/chroot004 config dir
+ * no /etc/devel-chroots/pappy/chroot005 config dir
+ * no /etc/devel-chroots/pappy/chroot006 config dir
+ * no /etc/devel-chroots/pappy/chroot007 config dir
+ * no /etc/devel-chroots/pappy/chroot008 config dir
+ * launching detached screen session for pappy's chroots
+ * remember that you have to source /usr/local/chroot/conf.d/make.conf
+ * in the make.conf of created chroots for user-specific settings
+ * for multiuser mode, you need to set /usr/bin/screen to mode 4755
+ * and also change the directory /var/run/screen to mode 0755 [ <span class="code-identifier">ok</span> ]
+</pre></td></tr>
+</table>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: restarting the chroots init script</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# /etc/init.d/devel-chroots restart
+ * Stopping developer chroots for all users ...
+ * stopping chroot001 of user pappy (/space/devel-chroots/pappy/chroot001)
+ * pappy: terminating the following screen sessions: 8638
+ * pappy: unmounting chroot filesystems: /space/devel-chroots/pappy/chroot001
+ * stopping chroot002 of user pappy (/space/devel-chroots/pappy/chroot002)
+ * pappy: unmounting chroot filesystems: /space/devel-chroots/pappy/chroot002
+ * no /etc/devel-chroots/pappy/chroot003 config dir
+ * no /etc/devel-chroots/pappy/chroot004 config dir
+ * no /etc/devel-chroots/pappy/chroot005 config dir
+ * no /etc/devel-chroots/pappy/chroot006 config dir
+ * no /etc/devel-chroots/pappy/chroot007 config dir
+ * no /etc/devel-chroots/pappy/chroot008 config dir [ <span class="code-identifier">ok</span> ]
+ * Starting developer chroots for all users ...
+ * pappy: starting chroot001 in (/space/devel-chroots/pappy/chroot001)
+ * pappy: mounting chroot filesystems: /space/devel-chroots/pappy/chroot001
+ * pappy: chroot001: creating conf: make.conf
+ * pappy: starting chroot002 in (/space/devel-chroots/pappy/chroot002)
+ * pappy: mounting chroot filesystems: /space/devel-chroots/pappy/chroot002
+ * pappy: chroot002: creating conf: make.conf
+ * config file [/etc/devel-chroots/pappy/chroot002/make.conf] not existing, skipping
+ * no /etc/devel-chroots/pappy/chroot003 config dir
+ * no /etc/devel-chroots/pappy/chroot004 config dir
+ * no /etc/devel-chroots/pappy/chroot005 config dir
+ * no /etc/devel-chroots/pappy/chroot006 config dir
+ * no /etc/devel-chroots/pappy/chroot007 config dir
+ * no /etc/devel-chroots/pappy/chroot008 config dir
+ * launching detached screen session for pappy's chroots
+ * remember that you have to source /usr/local/chroot/conf.d/make.conf
+ * in the make.conf of created chroots for user-specific settings
+ * for multiuser mode, you need to set /usr/bin/screen to mode 4755
+ * and also change the directory /var/run/screen to mode 0755 [ <span class="code-identifier">ok</span> ]
+</pre></td></tr>
+</table>
+<p>
+As you can see, the init script is maybe generating
+lots of considered unnecessary output,
+however this is important for being able
+to judge why a certain chroot has not been set up
+and adds in easy understanding what is happening and what is not.
+</p>
+<p>
+For example, as you can see, a chroot for a given user is only started
+if a configuration directory for that chroot could be found.
+It can be empty, but it has to exist for the given chroot to be started.
+</p>
+<p>
+Please note that the usage of the init script should be left
+up to the discretion of the system administrator.
+</p>
+<p class="secthead"><a name="doc_chap4_sect2">User management of chroots</a></p>
+<p>
+Users should be issuing the following script for
+starting and stopping their own chroots:
+</p>
+<a name="doc_chap4_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.3: user maintenance of chroots: stopping chroots</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ sudo /usr/sbin/devel-chroots stop pappy
+ * stopping chroot001 of user pappy (/space/devel-chroots/pappy/chroot001)
+ * pappy: terminating the following screen sessions: 9371
+ * pappy: unmounting chroot filesystems: /space/devel-chroots/pappy/chroot001
+ * stopping chroot002 of user pappy (/space/devel-chroots/pappy/chroot002)
+ * pappy: unmounting chroot filesystems: /space/devel-chroots/pappy/chroot002
+</pre></td></tr>
+</table>
+<a name="doc_chap4_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.4: user maintenance of chroots: starting chroots</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ sudo /usr/sbin/devel-chroots start pappy
+ * pappy: starting chroot001 in (/space/devel-chroots/pappy/chroot001)
+ * pappy: mounting chroot filesystems: /space/devel-chroots/pappy/chroot001
+ * pappy: chroot001: creating conf: make.conf
+ * pappy: starting chroot002 in (/space/devel-chroots/pappy/chroot002)
+ * pappy: mounting chroot filesystems: /space/devel-chroots/pappy/chroot002
+ * pappy: chroot002: creating conf: make.conf
+ * launching detached screen session for pappy's chroots
+</pre></td></tr>
+</table>
+<p>
+Please remember there is no restart command:
+</p>
+<a name="doc_chap4_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.5: illegal use of restart command for chroot</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ sudo /usr/sbin/devel-chroots restart pappy
+ * error: unknown mode: restart
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap4_sect3">Final notes</a></p>
+<p>
+As noted in the init script, for users being able to reattach
+to root screen sessions as a user and
+use the <span class="code" dir="ltr">acladd</span> command to see who is working with them,
+it is necessary to change screen and
+the working directory of the screen session sockets.
+</p>
+<p>
+However, this is a cosmetic advantage,
+because normally everybody is supposed to be root
+on a development system and there is no security restrictions.
+</p>
+<p>
+But on the other hand, having a system of voluntarily
+least priviledges used for reconnecting to screen sessions
+as an authorized user never hurts, avoids mistakes and problems
+and opens up room for cutting down the necessary priviledges
+of scripts and users for having their work done!
+</p>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/devel-chroots-intro.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated December 6, 2006</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This guide covers the installation, configuration and set up
+of chroots using a tool developed for the Gentoo dev machines.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:pappy@gentoo.org" class="altlink"><b>Alexander Gabert</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/docs/glossary.html b/html/docs/glossary.html
new file mode 100644
index 0000000..b1d56b9
--- /dev/null
+++ b/html/docs/glossary.html
@@ -0,0 +1,166 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/../css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/../favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Introduction to Gentoo Hardened</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Introduction to Gentoo Hardened</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What is Gentoo Hardened?</option>
+<option value="#doc_chap2">2. ACL's (Access Control Lists)</option>
+<option value="#doc_chap3">3. PIE/SSP</option>
+<option value="#doc_chap4">4. Instrusion Detection Systems</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>What is Gentoo Hardened?</p>
+<p>
+Gentoo Hardened is a subproject that works to bring advanced
+security features to Gentoo Linux. Hardened is not a single product
+but rather a set of complimentary pieces of software intended to cover
+many aspects of Linux security. The major components are ACL systems,
+PIE/SSP and Intrusion Detection Systems.
+</p>
+<p class="chaphead"><a name="acl"></a><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>ACL's (Access Control Lists)</p>
+<p>
+ACL's give the systems administrator a more powerful tool to control access
+to various system resources than was possible in traditional UNIX systems.
+Such systems allow you to allow/disallow access to all aspects of a system to
+users or groups of users, and to create powerful rulesets.
+</p>
+<p>
+ACL systems supported by Gentoo Hardened include Grsecurity, SELinux, RSBAC, and
+Systrace.
+</p>
+<p class="secthead"><a name="grsecurity"></a><a name="doc_chap2_sect2">Grsecurity</a></p>
+<p>
+Grsecurity may be the most common ACL system, and is found in several of
+Gentoo's patched kernel source trees. An advantage of Grsecurity is that
+it includes more than just an ACL system. It also provides PaX, a kernel
+patch that forces memory to be nonexecutable, thwarting common attacks.
+It also adds some other hardening features, including more randomness in
+memory allocation and TCP packets, and stricter enforcement of chroot.
+</p>
+<p class="secthead"><a name="selinux"></a><a name="doc_chap2_sect3">SELinux</a></p>
+<p>
+SELinux was written by the NSA and can enforce policies on all processes and
+objects on a system. Many people, including the Hardened project, are so
+confident in its ability to lock down a system that they have setup public
+machines and challenge anyone to take down the box (given a root password!)
+</p>
+<p class="secthead"><a name="rsbac"></a><a name="doc_chap2_sect4">RSBAC</a></p>
+<p>
+RSBAC is an independent project driven by Amon Ott. It supports many different
+security models which are implemented as modules. It can work together with PaX
+and while the implementation and models are a bit different, it is often
+compared to SELinux features wise.
+</p>
+<p class="secthead"><a name="systrace"></a><a name="doc_chap2_sect5">Systrace</a></p>
+<p>
+Systrace is a lightweight ACL system with an easy to use policy editor and a
+gui for on-the-fly policy management. Additionally this allows applications
+which require root capabilities to run without setuid and setgid flags.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>PIE/SSP</p>
+<p>
+These two hardening features are added to binaries at compile time by GCC.
+</p>
+<p class="secthead"><a name="et_dyn"></a><a name="doc_chap3_sect2">PIE/SSP</a></p>
+<p>
+Another compile time feature to protect a programs space in memory from
+exploitation. This feature tells the compiler to create a Position Independent
+Executable, which can be used by a PaX (see below) enabled kernel to fully
+randomize the executable's memory space. This protection method has no
+noticable performance impact, and prevents exploits that are written to
+target specific memory addresses. This can be enabled transparently via
+hardened-gcc (See Below.)
+</p>
+<p class="secthead"><a name="ssp"></a><a name="doc_chap3_sect3">SSP (Stack Smashing Protection)</a></p>
+<p>
+Known commonly as ProPolice, this GCC patch is included by default in Gentoo,
+but not enabled. This protects binaries from malicious code insertion into the
+stack. Whenever a buffer (area in memory where a program accepts user input) is
+created, ProPolice inserts a cryptographic "canary", and after each write to a
+buffer verifies that the canary has not been overwritten. This nullifies a
+common attack where a cracker inserts malicious code past the edge of a buffer
+and the program blindly executes it. This feature is enabled via the compiler
+flag "-fstack-protector" or transparently via hardened-gcc (See Below.)
+</p>
+<p class="secthead"><a name="hardened-gcc"></a><a name="doc_chap3_sect4">Hardened GCC</a></p>
+<p>
+When GCC is built with USE="hardened", modified spec files are installed that allow
+for transparent PIE/SSP compiles. Since these options are enabled by the spec file
+there is no reason to also add them to CFLAGS. In fact, in the case of PIE this can
+even cause problems.
+</p>
+<p class="chaphead"><a name="ids"></a><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Instrusion Detection Systems</p>
+<p>
+This class of programs monitor log files for suspicious activity and report
+it to the administrator.
+</p>
+<p class="secthead"><a name="prelude"></a><a name="doc_chap4_sect2">Prelude</a></p>
+<p>
+Prelude is a hybrid intrusion detection system that tracks both network
+intrusions and host intrusions with an lml (log monitoring lackey).
+Integrating this on a large scale, adding support to certain apps, and adding
+rules so that lml can monitor other projects like SELinux.
+</p>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/docs/glossary.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated August 07, 2004</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This document introduces the Gentoo Hardened project and covers
+each of its subprojects in simple terms.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:tseng@gentoo.org" class="altlink"><b>Brandon Hale</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/docs/index.html b/html/docs/index.html
new file mode 100644
index 0000000..ee625a2
--- /dev/null
+++ b/html/docs/index.html
@@ -0,0 +1,160 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>
+ Gentoo Linux -- Hardened Gentoo Documentation Resources</title>
+</head>
+<body style="margin:0px;" bgcolor="#000000"><table border="0" width="100%" cellspacing="0" cellpadding="0">
+<tr>
+<td valign="top" height="125" width="1%" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td>
+<td valign="bottom" align="left" bgcolor="#000000" colspan="2" lang="en"><p class="menu">
+<a class="menulink" href="http://www.gentoo.org/main/en/about.xml">About</a> |
+<a class="menulink" href="http://www.gentoo.org/proj/en/">Projects</a> |
+<a class="menulink" href="http://www.gentoo.org/doc/en/">Docs</a> |
+<a class="menulink" href="http://forums.gentoo.org/">Forums</a> |
+<a class="menulink" href="http://www.gentoo.org/main/en/lists.xml">Lists</a> |
+<a class="menulink" href="http://bugs.gentoo.org/">Bugs</a> |
+<a class="menulink" href="http://www.gentoo.org/main/en/where.xml">Get Gentoo!</a> |
+<a class="menulink" href="http://www.gentoo.org/main/en/support.xml">Support</a> |
+<a class="menulink" href="http://planet.gentoo.org/">Planet</a>
+</p></td>
+</tr>
+<tr>
+<td valign="top" align="right" width="1%" bgcolor="#dddaec"><table width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td height="1%" valign="top" align="right"><img src="http://www.gentoo.org/images/gridtest.gif" alt="Gentoo Spaceship"></td></tr>
+<tr><td height="99%" valign="top" align="left"><table cellspacing="0" cellpadding="5" border="0"><tr><td valign="top" class="leftmenu" lang="en">
+<p class="altmenu">Get Started<br>
+<a class="altlink" href="http://www.gentoo.org/doc/en/handbook/">Gentoo Handbook</a><br>
+<a class="altlink" href="http://www.gentoo.org/doc/en/?catid=install#doc_chap2">Installation Docs</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/where.xml">Downloads</a><br><br>
+News<br>
+<a class="altlink" href="http://www.gentoo.org/security/en/">Security Announcements</a><br>
+<a class="altlink" href="https://www.google.com/calendar/embed?src=88di0t0pl2cfau7oak48rbccfs%40group.calendar.google.com&amp;showCalendars=0&amp;color=%235229A3">Calendar</a><br><br>
+Documentation<br>
+<a class="altlink" href="http://www.gentoo.org/doc/en/handbook/">Gentoo Handbook</a><br>
+<a class="altlink" href="http://www.gentoo.org/doc/en/list.xml?desc=1">Documentation List</a><br>
+<a class="altlink" href="http://www.gentoo.org/doc/en/articles/">IBM dW/Intel article archive</a><br><br>
+Get Gentoo<br>
+<a class="altlink" href="http://www.gentoo.org/main/en/where.xml">Downloads</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/mirrors2.xml">Mirrors</a><br><br>
+
+Community<br>
+<a class="altlink" href="http://forums.gentoo.org/">Discussion Forums</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/irc.xml">IRC Channels</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/lists.xml">Mailing Lists</a><br>
+<a class="altlink" href="http://bugs.gentoo.org">Report Issues</a><br>
+<a class="altlink" href="http://planet.gentoo.org">Planet (Blogs)</a><br>
+<a class="altlink" href="http://packages.gentoo.org/">Online Package Database</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/contact.xml">Contact Us</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/sponsors.xml">Sponsors</a><br><br>
+Get Involved<br>
+<a class="altlink" href="http://bugs.gentoo.org">Report Issues</a><br>
+<a class="altlink" href="http://www.gentoo.org/proj/en/devrel/staffing-needs/">Help Wanted</a><br>
+<a class="altlink" href="http://forums.gentoo.org/">Discussion Forums</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/irc.xml">IRC Channels</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/lists.xml">Mailing Lists</a><br>
+<a class="altlink" href="http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml">Become a Developer</a><br>
+<a class="altlink" href="http://www.gentoo.org/proj/en/userrel/adopt-a-dev/">Offer Resources</a><br>
+<a class="altlink" href="http://www.gentoo.org/proj/en/glep/">Enhancement Proposals (GLEPs)</a><br>
+<a class="altlink" href="http://anoncvs.gentoo.org/">Source Repositories</a><br>
+<a class="altlink" href="http://devmanual.gentoo.org">Developer's Manual</a><br><br>
+Other<br>
+<a class="altlink" href="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml">DeveloperList</a><br>
+<a class="altlink" href="http://www.gentoo.org/proj/en/devrel/roll-call/devmap.xml">DeveloperMap</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/stores.xml">Gentoo Stores</a><br>
+<a class="altlink" href="http://www.gentoo.org/proj/en/">Projects</a><br><br>
+About<br>
+<a class="altlink" href="http://www.gentoo.org/main/en/about.xml">About Gentoo</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/philosophy.xml">Philosophy</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/contract.xml">Social Contract</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/name-logo.xml">Name and Logo Guidelines</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/graphics.xml">Logos and themes</a><br>
+<a class="altlink" href="http://www.gentoo.org/main/en/shots.xml">Screenshots</a><br><br>
+</p>
+<br><br>
+</td></tr></table></td></tr>
+</table></td>
+<td valign="top" bgcolor="#ffffff">
+<br><table border="0" class="content"><tr><td>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Hardened Gentoo Documentation Resources</p>
+<p>
+The <b><a href="glossary.xml">Hardened Gentoo Glossary</a></b> breifly
+explains the several technologies that make up Hardened Gentoo.
+</p>
+<p class="secthead"><a name="doc_chap1_sect2">SELinux</a></p>
+<p>
+SELinux is a system of mandatory access controls. SELinux can enforce the security
+policy over all processes and objects in the system. The following documents will
+help you to build a new SELinux-enabled system, or to convert an existing system,
+and get up to speed with the basics of SELinux policies.
+</p>
+<p>
+The <b><a href="../selinux/selinux-x86-install.xml">SELinux x86 Install Guide
+</a></b> provides a step-by-step explanation on how to install and configure
+a new system using SELinux.
+</p>
+<p>
+The <b><a href="../selinux/selinux-quickstart.xml">SELinux QuickStart Guide
+</a></b> includes instructions on converting your existing Gentoo install to
+SELinux.
+</p>
+<p>
+The <b><a href="../selinux/selinux-policy.xml">SELinux Policy Overview</a></b>
+covers the basics of working with SELinux policies.
+</p>
+<p>
+The <b><a href="../selinux/selinux-faq.xml">SELinux FAQ</a></b> answers many
+frequently asked questions and has solutions for common pitfalls.
+</p>
+<p class="secthead"><a name="doc_chap1_sect3">RSBAC</a></p>
+<p>
+RSBAC is Mandatory Access Control security system based on the Role Compatibility
+model. It can enforce access rules on your operating system.
+</p>
+<p>
+The <b><a href="../rsbac/overview.xml">RSBAC Overview</a></b> is a glossary
+that establishes a basic understanding of RSBAC-related concepts.
+</p>
+<p>
+The <b><a href="../rsbac/quickstart.xml">RSBAC Quickstart</a></b>
+covers converting an existing system to RSBAC.
+</p>
+<p class="secthead"><a name="doc_chap1_sect4">PaX</a></p>
+<p>
+PaX is a combination of technologies that enable comprehensive memory protection
+in Linux. The following docs cover both the PaX kernel and complementary userland
+technologies.
+</p>
+<p>
+The <b><a href="pax-howto.xml">PaX Howto</a></b> helps to get a system
+up and running with a PaX kernel and PIE/SSP userland.
+</p>
+</td></tr></table>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated August 7, 2004</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr>
+<tr lang="en"><td align="right" class="infohead" colspan="3">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/docs/pax-howto.html b/html/docs/pax-howto.html
new file mode 100644
index 0000000..3bfc2c1
--- /dev/null
+++ b/html/docs/pax-howto.html
@@ -0,0 +1,273 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/../css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/../favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Hardened Gentoo PaX Quickstart</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Hardened Gentoo PaX Quickstart</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What is Hardened Gentoo?</option>
+<option value="#doc_chap2">2. What is PaX?</option>
+<option value="#doc_chap3">3. An Introduction to PIE and SSP</option>
+<option value="#doc_chap4">4. Building a PaX-enabled Kernel</option>
+<option value="#doc_chap5">5. Building a PIE/SSP Enabled Userland</option>
+<option value="#doc_chap6">6. When Things Misbehave (PaX Control)</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>What is Hardened Gentoo?</p>
+<p>
+Hardened Gentoo is a project interested in the hardening of a Gentoo system.
+Several different solutions are supported by us and there is a fair bit of
+flexibility to create your own setup. At the heart of Hardened Gentoo is
+<span class="emphasis">PaX</span>.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>What is PaX?</p>
+<p>
+PaX is a patch to the Linux kernel that provides hardening in two ways.
+</p>
+<p>
+The first, <span class="emphasis">ASLR</span> (Address Space Layout Randomization) provides a means to
+randomize the addressing scheme of all data loaded into memory. When an
+application is built as a <span class="emphasis">PIE</span> (Position Independent Executable), PaX is
+able to also randomize the addresses of the application base in addition.
+</p>
+<p>
+The second protection provided by PaX is non-executable memory. This prevents a
+common form of attack where executable code is inserted into memory by an
+attacker. More information on PaX can be found throughout this guide, but the
+homepage can be found at <a href="http://pax.grsecurity.net">http://pax.grsecurity.net</a>.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>An Introduction to PIE and SSP</p>
+<p>
+As mentioned above, PaX is complemented by PIE. This method of building
+executables stores information needed to relocate parts of the executable in
+memory, hence the name <span class="emphasis">Position Independent</span>.
+</p>
+<p>
+<span class="emphasis">SSP</span> (Stack Smashing Protector) is a second complementary technology we
+introduce at executable build time. SSP was originally introduced by IBM under
+the name <span class="emphasis">ProPolice</span>. It modifies the C compiler to insert initialization
+code into functions that create a buffer in memory.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+In newer versions of SSP, it is possible to apply SSP to all functions,
+adding protection to functions whose buffer would normally be below the size
+limit for SSP. This is enabled via the CFLAG -fstack-protector-all.
+</p></td></tr></table>
+<p>
+At run time, when a buffer is created, SSP adds a secret random value, the
+canary, to the end of the buffer. When the function returns, SSP makes sure
+that the canary is still intact. If an attacker were to perform a buffer
+overflow, he would overwrite this value and trigger that stack smashing
+handler. Currently this kills the target process.
+</p>
+<p>
+<a href="http://www.trl.ibm.com/projects/security/ssp/">Further reading on
+SSP.</a>
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Building a PaX-enabled Kernel</p>
+<p>
+Several Gentoo kernel trees are already patched with PaX.
+</p>
+<p>
+For 2.4 based machines, the recommended kernels are <span class="code" dir="ltr">hardened-sources</span> or
+<span class="code" dir="ltr">grsec-sources</span>. For 2.6 machines, <span class="code" dir="ltr">hardened-dev-sources</span> are
+recommended.
+</p>
+<p>
+Grab one of the recommended source trees, or apply the appropriate patch from
+<a href="http://pax.grsecurity.net">http://pax.grsecurity.net</a> to your own tree and configure it as you
+normally would for the target machine.
+</p>
+<p>
+In <span class="code" dir="ltr">Security Options -&gt; PaX</span>, apply the options as shown below.
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Kernel configuration</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+[*] Enable various PaX features
+
+PaX Control -&gt;
+
+ [ ] Support soft mode
+ [*] Use legacy ELF header marking
+ [*] Use ELF program header marking
+ MAC system integration (none) ---&gt;
+
+Non-executable page -&gt;
+
+ [*] Enforce non-executable pages
+ [*] Paging based non-executable pages
+ [*] Segmentation based non-executable pages
+ [*] Emulate trampolines
+ [*] Restrict mprotect()
+ [ ] Disallow ELF text relocations
+
+Address Space Layout Randomization -&gt;
+
+ [*] Address Space Layout Randomization
+ [*] Randomize kernel stack base
+ [*] Randomize user stack base
+ [*] Randomize mmap() base
+ [*] Randomize ET_EXEC base
+</pre></td></tr>
+</table>
+<p>
+Build this kernel as you normally would and install it to <span class="path" dir="ltr">/boot</span>.
+</p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Building a PIE/SSP Enabled Userland</p>
+<p>
+Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
+specfile. This means that any users upgrading an older Hardened install should
+remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the
+<span class="code" dir="ltr">hardened-gcc</span> package is now deprecated and should be unmerged
+(version 5.0 is a dummy package). To get the current GCC, add
+<span class="code" dir="ltr">USE="hardened"</span> to <span class="path" dir="ltr">/etc/make.conf</span>.
+</p>
+<p>
+To maintain a consistant toolchain, first <span class="code" dir="ltr">emerge binutils gcc glibc</span>.
+Next, rebuild the entire system with <span class="code" dir="ltr">emerge -e world</span>. All future packages
+will be built with PIE/SSP.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
+Both PIE and SSP are known to cause issues with some packages. If you come
+across a package that fails to compile, please file a bug report including a log
+of the failed compile and the output of <span class="code" dir="ltr">emerge info</span> to
+<a href="http://bugs.gentoo.org/">http://bugs.gentoo.org/</a>.
+</p></td></tr></table>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>When Things Misbehave (PaX Control)</p>
+<p>
+Some legitimate applications will attempt to generate code at run time which is
+executed out of memory. Naturally, PaX does not allow this and it will promptly
+kill the offending application.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+The most notable of these applications are XFree, mplayer and multimedia tools
+based on xine-lib. The easiest way around these problems are to disable PaX
+protections.
+</p></td></tr></table>
+<p>
+Luckily there is a utility to toggle protections on a per-executable basis,
+<span class="emphasis">paxctl</span>. As with any other package in Gentoo, install paxctl with the
+command <span class="code" dir="ltr">emerge paxctl</span>. Usage is show by <span class="code" dir="ltr">paxctl -h</span>.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+If you have an older version of binutils, you will need to use <span class="emphasis">chpax</span>,
+which edits the old-style PaX markings. Usage of chpax is largely the same as
+paxctl. This also requires legacy marking support built into your kernel.
+</p></td></tr></table>
+<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: paxctl -h</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+usage: paxctl &lt;options&gt; &lt;files&gt;
+
+options:
+ -p: disable PAGEEXEC -P: enable PAGEEXEC
+ -e: disable EMUTRMAP -E: enable EMUTRMAP
+ -m: disable MPROTECT -M: enable MPROTECT
+ -r: disable RANDMMAP -R: enable RANDMMAP
+ -x: disable RANDEXEC -X: enable RANDEXEC
+ -s: disable SEGMEXEC -S: enable SEGMEXEC
+
+ -v: view flags -z: restore default flags
+ -q: suppress error messages -Q: report flags in short format flags
+</pre></td></tr>
+</table>
+<p>
+The first option we will note is <span class="code" dir="ltr">-v</span>, which can display flags set on a
+particular binary.
+</p>
+<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: paxctl -v</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+y0shi brandon # paxctl -v /usr/X11R6/bin/XFree86
+PaX control v0.2
+Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt;
+
+- PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86]
+ PAGEEXEC is disabled
+ SEGMEXEC is disabled
+ MPROTECT is enabled
+ RANDEXEC is disabled
+ EMUTRAMP is disabled
+ RANDMMAP is enabled
+</pre></td></tr>
+</table>
+<p>
+This shows an XFree binary with all protections disabled.
+</p>
+<p>
+To set flags on a binary, the <span class="code" dir="ltr">-z</span> flag is useful as it restores the
+default flags.
+</p>
+<p>
+To disable protections on XFree, run
+<span class="code" dir="ltr">paxctl -zpeMRxs /usr/X11R6/bin/XFree86</span>.
+</p>
+<p>
+Play around with disabling/enabling protections to see what is the least needed
+to run.
+</p>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/docs/pax-howto.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated August 07, 2004</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+A quickstart covering PaX and Hardened Gentoo.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:tseng@gentoo.org" class="altlink"><b>Brandon Hale</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:blackace@gentoo.org" class="altlink"><b>Blackace</b></a>
+<br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/etdyn.html b/html/etdyn.html
new file mode 100644
index 0000000..64c8b3c
--- /dev/null
+++ b/html/etdyn.html
@@ -0,0 +1,213 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1></h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. How to produce ET_DYN ELF executables</option>
+<option value="#doc_chap3">3. ET_DYN ELF executables (The Gentoo Way)</option>
+<option value="#doc_chap4">4. Credits</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p>One of the features of PaX is Address Space Layout Randomization (ASLR)
+ that allows the kernel to randomize the addresses of various areas in
+ the task's address space. While most of ASLR requires no changes in
+ userland, randomizing the main executable's base address presents a
+ challenge as traditionally such ELF executables of the ET_EXEC kind
+ do not contain enough relocation information. Nevertheless, PaX provides
+ two ways to solve this problem: RANDEXEC and RANDMMAP. </p>
+<p>RANDEXEC works by mapping the ET_EXEC ELF file in a special way in memory
+ and requires no changes in userland (except for actually enabling it on
+ a given file, as this feature is disabled by default). The drawback of
+ this approach is that it is slow (the kernel compilation benchmark sees
+ a 3 times slow down for example) and prone to false positive detections
+ of so-called return-to-libc style attacks (which renders it unusable on
+ such executables). </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Therefore this method mainly exists to prove a point
+ and is not intended for production use.</p></td></tr></table>
+<p>RANDMMAP on the other hand works on ELF files of the ET_DYN kind which is
+ normally used for dynamically linkable libraries. This approach has none
+ of the drawbacks that plague RANDEXEC because such ET_DYN ELF files have
+ enough relocation information and the dynamic linker has no problem with
+ relocating them (and there is no performance penalty at runtime), nor is
+ there a chance for false positive attack detections as none is done in the
+ first place. This means that protecting against the return-to-libc style
+ attack (in case the information about the randomization can leak to the
+ attacker) requires other approaches, which is not discussed here.</p>
+<p>It should be clear by now that the preferable way of randomizing the main
+ executable's base address is via RANDMMAP and not RANDEXEC. This in turn
+ means that we need a way to produce ET_DYN ELF executables instead of the
+ ET_EXEC kind. The following parts describe the process in detail and
+ hopefully provide enough information so that modifying existing packages
+ to produce ET_DYN ELF targets will not be a problem. Software authors
+ and/or package maintainers are encouraged to provide such make targets
+ themselves in the future.</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>How to produce ET_DYN ELF executables</p>
+<p>The following discussion assumes that the GNU toolchain (such as gcc and
+ ld) is used to produce the target file, other languages and tools should
+ follow the same principles however. The process has two main steps, first
+ compilation then linking, both of which need to be modified for producing
+ an ET_DYN ELF executable.</p>
+<p>Compilation has to be modified in order to produce position independent
+ code (PIC) which in turn allows the linker to not emit so-called text
+ relocations in the final ET_DYN ELF file. Although this step is not
+ strictly required (it does not affect the relocatability of the result),
+ it is useful as this allows for another security related hardening: PaX
+ normally makes it impossible to make an executable file mapping writable,
+ however for text relocations it has to make an exception. If there are
+ no such ET_DYN ELF files on a system, this exception can be removed and
+ then the only way to introduce new executable code into a task's address
+ space will be via file creation and mapping (which can be prevented by
+ other methods such as ACL systems). Producing PIC is very easy, one just
+ has to add the -fPIC switch to the compiler command line. This will not
+ get rid of all text relocations however as there are other sources of
+ (position dependent) code contributing to the final ET_DYN ELF file that
+ will lead us to the next step.</p>
+<p>Linking the main executable is governed by a special script called the
+ 'specs' file ('gcc -v' tells us what is used by default). Studying it in
+ detail is beyond our scope, but let's note the fact that there are more
+ object files linked into the result than one has specified on the linker
+ command line. These extra objects are necessary for implementing such
+ features as calling constructors/destructors or the low-level entry point
+ of the code (the main() C function is not the actual entry point of an ELF
+ executable). </p>
+<p>Linking an ET_DYN ELF file is initiated by specifying the -shared switch
+ on the gcc command line which in turn will affect what extra object files
+ go into the result. Since our actual goal is to produce the main executable
+ (vs. a shared library), we have to make sure that we link in all extra
+ objects normally expected by an ET_EXEC target and not necessarily those
+ specified by the specs file for libraries. Luckily there is only one extra
+ object we have to take care of: crt1.o (we will ignore profiling and not
+ care about gcrt1.o). It is no coincidence that crt1.o is not linked into
+ shared libraries as this object contains (among others) the low-level entry
+ point and startup code that invokes the C library startup code which in
+ turn calls main().
+ <table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Initiating the building of ET_DYN executables on Gentoo does not require us to put -shared in our CFLAGS or LDFLAGS</p></td></tr></table></p>
+<p>Making crt1.o position independent is easy, we just have to make use of the
+ GOT (in keeping with the tradition of the glibc naming convention for the
+ position independent version of the extra object files, we will call it
+ crt1S.o). There is one last issue to take care of: a dynamically linked
+ executable requires a special program header that specifies the dynamic
+ linker to be mapped into memory by the kernel on task creation. As we can
+ see it from the specs file, having the -shared switch on the linker command
+ line will omit the dynamic linker specification and would produce an
+ unusable ET_DYN ELF file. The solution is simple, we follow the approach
+ of glibc which is also an executable ET_DYN ELF file: the dynamic linker
+ is specified in an object file that contains the full path to the dynamic
+ linker in a specific ELF section that ld will recognize and convert into
+ the corresponding program header.</p>
+<p>The above method is demonstrated on a simple 'hello world' program that
+ is included with this document. The source code of the main executable
+ is in a.c, our PIC crt1 is in crt1S.S (it has to be written in assembly,
+ the code is directly derived from glibc 2.2) and finally interp.c defines
+ the dynamic linker (technically it could be put into crt1S.S as well to
+ reduce the number of extra files to a minimum). The makefile is very
+ simple as well, it compiles each source file into an object file and then
+ links them together. One important thing to note is the order of the
+ object files on the linker command line: crt1S.o must come first (that is,
+ before any object file of the application) and interp.o should follow it
+ directly as this will result in the interpreter program header getting
+ emitted before the PT_LOAD headers (which is the normal program header
+ ordering in ET_EXEC files, although it is not strictly necessary). Since
+ crt1S.o and interp.o are constant (they do not depend on the application
+ code) they can be compiled once and put into the same directory where
+ the other systemwide crt* files are.</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>ET_DYN ELF executables (The Gentoo Way)</p>
+<p>On Gentoo this is accomplished by merging <span class="code-input">hardened-gcc</span>: </p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Emerging hardened-gcc</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code" dir="ltr"># emerge hardened-gcc</span>
+</pre></td></tr>
+</table>
+<p><span class="code-input">hardened-gcc</span> is an umbrella package for non-mainstream gcc modifications
+ The <span class="code-input">hardened-gcc</span> packages was initially created by Alexander Gabert
+ for this special purpose we are serving here: rolling out the etdyn
+ specs file and interp.o together with the position independent
+ crt1S.o. But this package is not limited to that purpose.
+ It was designed to be the be used for any future changes to gentoo-hardened systems
+ regarding the improvement of gcc compiling binaries that are more secure
+ than the default product coming out when the vanilla gcc is used. And it can be used for ebuild packages to
+ "trigger" some alternative action once they "realize" that they are
+ getting built on a system equipped with a modified gcc for enforcing
+ gentoo hardened protection measures. Straight this means that when a
+ package is found to be breaking when used with the hardened-gcc changes,
+ the particular ebuild of that failing package can and will be modified
+ by our gentoo-hardened developers to put some "check" logic into it when
+ the hardened-gcc is found on the target system. </p>
+<p>As an example lets try the rebuilding our chpax binary as an ET_DYN
+ shared executable. We can use the file(1) command to determine if we
+ in fact we are building our executables as ET_EXEC or ET_DYN.</p>
+<p>The first example here we have chpax built as an ET_DYN and the second
+ one is chpax built as an ET_EXEC.</p>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: Example files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code" dir="ltr"># file /sbin/chpax</span>
+/sbin/chpax: ELF 32-bit LSB shared object, Intel 80386, version 1 \
+(GNU/Linux), stripped
+/sbin/chpax: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for \
+GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Credits</p>
+<p class="secthead"><a name="doc_chap4_sect1">Works Cited</a></p>
+<ul><li><a href="http://pax.grsecurity.net">PaX Homepage</a></li></ul>
+<ul><li><a href="http://pax.grsecurity.net/docs/index.html">PaX Documentation</a></li></ul>
+<ul><li>Collective Work. PaX - Gentoo Wiki.</li></ul>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/etdyn.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 5 Aug 2003</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This guide contains documentation and examples on how to create dynamic ELF executables.
+These guidelines are required to achieve full Address Space Layout Randomization.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:pageexec@freemail.hu" class="altlink"><b>The PaX Team</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:pappy@gentoo.org" class="altlink"><b>Alexander Gabert</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:zhen@gentoo.org" class="altlink"><b>John Davis</b></a>
+<br><i>Editor</i><br><br>
+ <a href="mailto:klasikahl@gentoo.org" class="altlink"><b>Zack Gilburd</b></a>
+<br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/gnu-stack.html b/html/gnu-stack.html
new file mode 100644
index 0000000..7f2b227
--- /dev/null
+++ b/html/gnu-stack.html
@@ -0,0 +1,425 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ The GNU Stack Quickstart</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>The GNU Stack Quickstart</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Causes of executable stack markings</option>
+<option value="#doc_chap3">3. Finding ELFs that ask for an executable stack</option>
+<option value="#doc_chap4">4. What needs to be fixed</option>
+<option value="#doc_chap5">5. How to fix the stack (in theory)</option>
+<option value="#doc_chap6">6. How to fix the stack (in practice)</option>
+<option value="#doc_chap7">7. Arch Status</option>
+<option value="#doc_chap8">8. References</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p>
+With the rise of mainstream consumer machines with hardware stack protection
+(e.g. the <a href="http://en.wikipedia.org/wiki/NX_bit">NX bit</a> on
+amd64), we developers have to be doubly sure that our packages build with the
+correct stack settings. Keep in mind that stack protection is an issue for all
+architectures, not just x86 or amd64.
+</p>
+<p>
+The purpose of this document is to help package maintainers fix their packages
+when they break. We will be focusing our attention on the GNU_STACK ELF
+marking. ELF is simply a file format which all modern linux distros use. An
+ELF can be an executable (say <span class="path" dir="ltr">/bin/ls</span>) or a library (say
+<span class="path" dir="ltr">/lib/libncurses.so</span>). GNU_STACK is just an ELF program header
+which tells the system how to control the stack when the ELF is loaded into
+memory.
+</p>
+<p>
+Before getting started, you should read through the Wikipedia entry on the
+<a href="http://en.wikipedia.org/wiki/NX_bit">NX bit</a>. You can skip it
+of course if you're already familiar with the concept of executable versus
+non-executable stacks.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Causes of executable stack markings</p>
+<p>
+ELF files end up with executable stack markings in one of three ways:
+</p>
+<ol>
+ <li>GCC generates code that uses executable stack</li>
+ <li>an object built from assembler source includes a marking indicating to
+ the linker that it needs an executable stack (the GNU-stack note set for
+ executable stack)</li>
+ <li>an object built from assembler source is missing the GNU-stack note;
+ a very common occurrence especially for code expected to work on
+ many platforms</li>
+</ol>
+<p>
+GCC generates code to be executed on the stack when it implements a
+<a href="http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html">trampoline
+for nested functions</a>. To remove the need for an executable stack in
+this case, it is necessary to rewrite the code another way. Sometimes this
+is relatively easy, other times not.
+</p>
+<p>
+If an assembler source file includes a GNU-stack note that indicates it needs
+an executable stack, presumably this is by design. Again, in order to remove
+the need for an executable stack, the code probably needs to be rewritten.
+</p>
+<p>
+If an assembler source contains no GNU-stack note, the system by default
+assumes that an executable stack may be required. However, usually if there's
+no GNU-stack note, this is simply because the author didn't include one,
+rather than the code actually needing an executable stack.
+</p>
+<p>
+In the first two cases above, the executable stack marking is correct, and
+should only be removed by rewriting the code to eliminate the executable
+stack requirement. Such rewriting has to be considered on a case-by-case
+basis and is outside the scope of this document, at least for now. Here we
+focus on the third case, where the upstream author has not indicated whether
+the assembler object needs an executable stack; fixing this means adding the
+GNU-stack note to the source to indicate an executable stack is not necessary.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Finding ELFs that ask for an executable stack</p>
+<p>
+Before you can start fixing something, you have to make sure it's broken first,
+right? For this reason, we've developed a suite of tools named <a href="http://www.gentoo.org/proj/en/hardened/pax-utils.xml">PaX Utilities</a>. If you are not
+familiar with these utilities, you should read the <a href="http://www.gentoo.org/proj/en/hardened/pax-utils.xml">PaX Utilities Guide</a> now. Gentoo users
+can simply do <span class="code" dir="ltr">emerge pax-utils</span>. Non-Gentoo users should be able to
+find a copy of the source tarball in the <span class="path" dir="ltr">distfiles</span> on a <a href="http://www.gentoo.org/main/en/mirrors.xml">Gentoo Mirror</a>. Once you have the PaX
+Utilities setup on your system, we can start playing around with
+<span class="code" dir="ltr">scanelf</span>.
+</p>
+<p>
+Let's see if your system has any ELFs that want an executable stack.
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Scan your system</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">scanelf -lpqe</span>
+RWX --- --- /usr/lib/opengl/xorg-x11/lib/libGL.so.1.2
+RWX --- --- /usr/lib/libcrypto.so.0.9.7
+RWX --- --- /usr/lib/libmp.so.3.1.7
+RWX --- --- /usr/lib/libSDL-1.2.so.0.7.2
+RWX --- --- /usr/lib/libsmpeg-0.4.so.0.1.3
+RWX --- --- /usr/lib/libImlib2.so.1.2.0
+RWX --- --- /usr/lib/libOSMesa.so.4.0
+RWX --- --- /usr/lib/libxvidcore.so.4.1
+RWX --- --- /usr/lib/libgmp.so.3.3.3
+RWX --- --- /usr/bin/mencoder
+RWX --- --- /usr/bin/Xorg
+RWX --- --- /usr/bin/mplayer
+</pre></td></tr>
+</table>
+<p>
+We really only need to look at the first column (which corresponds to the ELF
+GNU_STACK markings). Most of the time, if we fix that field, all the others
+fall into place. As we can see above, many files are marked with an
+executable stack (<span class="emphasis">RWX</span>). We want to make sure all files are marked
+with <span class="emphasis">RW-</span>. The large majority of the time this means the package was
+compiled incorrectly, so not much will have to be done with patching up the
+source code.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>What needs to be fixed</p>
+<p>
+We now know what files need to be fixed, but what source files are causing
+this breakage? The only way to find this out is to compile the package and
+analyze the object files before they are combined into the final executable or
+library.
+</p>
+<p class="secthead"><a name="doc_chap4_sect2">Fixing smpeg</a></p>
+<p>
+So we first have to compile smpeg before we can analyze it.
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Compiling smpeg</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ebuild /usr/portage/media-libs/smpeg/smpeg-0.4.4-r6.ebuild clean unpack compile</span>
+$ <span class="code-input">cd /var/tmp/portage/smpeg-0.4.4-r6/work/smpeg-0.4.4/</span>
+</pre></td></tr>
+</table>
+<p>
+Now we need to look at each object file and see if it has a
+<span class="emphasis">.note.GNU-stack</span> ELF section. Chances are, the object which is causing
+us trouble lacks this section completely. In that case, the compiler will
+assume that the ELF should not be restricted at all and mark it as <span class="emphasis">RWX</span>.
+The <span class="code" dir="ltr">scanelf</span> utility will display output slightly different when
+presented with an object that is missing the ELF section. The <b>!WX</b>
+below means that "Oh no, the GNU-stack is missing and write/execute permissions
+will be used by default!"
+</p>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Locate missing .note.GNU-stack sections</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">scanelf -qeR .</span>
+!WX --- --- ./video/mmxflags_asm.o
+!WX --- --- ./video/mmxflags_asm.lo
+!WX --- --- ./video/mmxidct_asm.o
+!WX --- --- ./video/mmxidct_asm.lo
+</pre></td></tr>
+</table>
+<p>
+Sure enough, these objects lack the <span class="emphasis">.note.GNU-stack</span> ELF section and
+they are linked into the final <span class="path" dir="ltr">libsmpeg.so</span> library. If we were
+to patch the source files <span class="path" dir="ltr">video/mmxflags_asm.S</span> and
+<span class="path" dir="ltr">video/mmxidct_asm.S</span> so that they contain <span class="emphasis">.note.GNU-stack</span>,
+everything would be peachy.
+</p>
+<p class="secthead"><a name="doc_chap4_sect3">Check objects by hand</a></p>
+<p>
+For fun, lets see how we could use the more common <span class="code" dir="ltr">readelf</span> utility
+(which is part of the <span class="emphasis">binutils</span> package).
+</p>
+<a name="doc_chap4_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.3: Using readelf</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">This is what the output should look like, notice the .note.GNU-stack line</span>
+
+$ <span class="code-input">readelf -S plaympeg.o</span>
+There are 12 section headers, starting at offset 0x256c:
+
+Section Headers:
+ [Nr] Name Type Addr Off Size ES Flg Lk Inf Al
+ [ 0] NULL 00000000 000000 000000 00 0 0 0
+ [ 1] .text PROGBITS 00000000 000040 001ede 00 AX 0 0 16
+ [ 2] .rel.text REL 00000000 0030c0 000728 08 10 1 4
+ [ 3] .data PROGBITS 00000000 001f20 000000 00 WA 0 0 4
+ [ 4] .bss NOBITS 00000000 001f20 000000 00 WA 0 0 4
+ [ 5] .rodata.str1.4 PROGBITS 00000000 001f20 0003db 01 AMS 0 0 4
+ [ 6] .rodata.str1.1 PROGBITS 00000000 0022fb 0001c9 01 AMS 0 0 1
+ <span class="code-input">[ 7] .note.GNU-stack PROGBITS 00000000 0024c4 000000 00 0 0 1</span>
+ [ 8] .comment PROGBITS 00000000 0024c4 00003e 00 0 0 1
+ [ 9] .shstrtab STRTAB 00000000 002502 000067 00 0 0 1
+ [10] .symtab SYMTAB 00000000 00274c 0005e0 10 11 9 4
+ [11] .strtab STRTAB 00000000 002d2c 000394 00 0 0 1
+Key to Flags:
+ W (write), A (alloc), X (execute), M (merge), S (strings)
+ I (info), L (link order), G (group), x (unknown)
+ O (extra OS processing required) o (OS specific), p (processor specific)
+
+
+<span class="code-comment">Notice how there is no .note.GNU-stack section here</span>
+
+$ <span class="code-input">readelf -S video/mmxidct_asm.o</span>
+There are 8 section headers, starting at offset 0x738:
+
+Section Headers:
+ [Nr] Name Type Addr Off Size ES Flg Lk Inf Al
+ [ 0] NULL 00000000 000000 000000 00 0 0 0
+ [ 1] .text PROGBITS 00000000 000034 0005ee 00 AX 0 0 4
+ [ 2] .rel.text REL 00000000 000a4c 0000f0 08 6 1 4
+ [ 3] .data PROGBITS 00000000 000630 0000d8 00 WA 0 0 16
+ [ 4] .bss NOBITS 00000000 000708 000000 00 WA 0 0 4
+ [ 5] .shstrtab STRTAB 00000000 000708 000030 00 0 0 1
+ [ 6] .symtab SYMTAB 00000000 000878 000120 10 7 17 4
+ [ 7] .strtab STRTAB 00000000 000998 0000b1 00 0 0 1
+Key to Flags:
+ W (write), A (alloc), X (execute), M (merge), S (strings)
+ I (info), L (link order), G (group), x (unknown)
+ O (extra OS processing required) o (OS specific), p (processor specific)
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>How to fix the stack (in theory)</p>
+<p>
+When you compile source code normally, gcc takes care of adding the GNU_STACK
+markings so that the final object code is not marked with an executable
+stack unless it actually needs it. However, if you compile assembly code,
+gcc will not automatically add GNU_STACK markings. So, the most common source
+of executable stacks in ELF binaries are packages which include raw assembly
+code. Note that we're not talking about inline assembly code, but rather
+files like <span class="emphasis">.S</span> which are written in pure assembler.
+</p>
+<p>
+We can either patch each source file written in assembler and send the fixes
+upstream, or we can be lazy and simply force the package build system to
+assemble the source files with the GNU as option <span class="emphasis">--noexecstack</span> (but
+this is highly discouraged).
+</p>
+<p>
+The advantage to patching the code is that it's easy to do, it's portable,
+and we can usually convince upstream to add it to their packages with little
+fuss. The disadvantage to patching is that we may have to patch many many
+files.
+</p>
+<p>
+The advantage to just using <span class="emphasis">--noexecstack</span> is that you can simply add it
+to your ebuild and be done. The disadvantage is that the option isn't very
+portable (it won't work with non-GNU systems, and it probably won't even
+work with all GNU systems), and we can't really convince upstream to make this
+change. Thus, the only people who see the benefit here is Gentoo users. You
+gotta think big baby!
+</p>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>How to fix the stack (in practice)</p>
+<p class="secthead"><a name="doc_chap6_sect1">Patching</a></p>
+<p>
+The great thing about patching is that you can copy and paste this stuff
+everywhere. Just make sure the code will be preprocessed (e.g. the source
+file is named with <span class="emphasis">.S</span> and not <span class="emphasis">.s</span>). Stick these code snippets
+at the end of the source file, recompile, and do a jig.
+</p>
+<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: Stack markings for GNU as (arch-independent)</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+#if defined(__linux__) &amp;&amp; defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
+</pre></td></tr>
+</table>
+<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: Stack markings for NASM/YASM (x86/amd64-only)</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap6_sect2">Compiling with --noexecstack</a></p>
+<p>
+Often times you only need to add the following code in your ebuild. You must
+first be sure that the code does not actually require an executable stack as
+forcing this flag will break the package otherwise.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
+Please rethink patching before using this option. Patching source code
+benefits a lot more people which is the goal of OSS.
+</p></td></tr></table>
+<a name="doc_chap6_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.3: Using --noexecstack</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># This line goes at the top of your ebuild</span>
+inherit flag-o-matic
+
+<span class="code-comment"># This line goes before CFLAGS is used (either by the ebuild or by econf/emake)</span>
+append-flags -Wa,--noexecstack
+</pre></td></tr>
+</table>
+<p>
+On the off chance that you cannot assemble the files, you can tell the linker
+to disable execstack stack.
+</p>
+<a name="doc_chap6_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.4: Using -z noexecstack</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># This line goes at the top of your ebuild</span>
+inherit flag-o-matic
+
+<span class="code-comment"># This line goes before LDFLAGS is used (either by the ebuild or by econf/emake)</span>
+append-ldflags -Wl,-z,noexecstack
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap6_sect3">If all else fails ...</a></p>
+<p>
+If all else fails, ask around on #gentoo-dev on the irc server
+irc.freenode.net. Or send an e-mail to the <a href="http://www.gentoo.org/main/en/lists.xml">gentoo-dev mailing list</a>.
+If no one can seem to answer your question, give me a poke either on irc
+(nickname SpanKY/vapier) or via <a href="mailto:vapier@gentoo.org">e-mail</a>.
+</p>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>Arch Status</p>
+<table class="ntable">
+ <tr>
+<td class="infohead"><b>Arch</b></td> <td class="infohead"><b>Status</b></td>
+</tr>
+ <tr>
+<td class="tableinfo">alpha</td> <td class="tableinfo">gcc generates proper .note.GNU-stack, but final link results in exec stack</td>
+</tr>
+ <tr>
+<td class="tableinfo">amd64</td> <td class="tableinfo">fully supported</td>
+</tr>
+ <tr>
+<td class="tableinfo">arm</td> <td class="tableinfo">fully supported (gcc-4.1.x/glibc-2.5)</td>
+</tr>
+ <tr>
+<td class="tableinfo">blackfin</td> <td class="tableinfo">fully supported (gcc-4.3+)</td>
+</tr>
+ <tr>
+<td class="tableinfo">hppa</td> <td class="tableinfo">gcc-3.4.x does not generate .note.GNU-stack</td>
+</tr>
+ <tr>
+<td class="tableinfo">ia64</td> <td class="tableinfo">fully supported (gcc-3.4.4+)</td>
+</tr>
+ <tr>
+<td class="tableinfo">m68k</td> <td class="tableinfo">fully supported (gcc-3.4.x)</td>
+</tr>
+ <tr>
+<td class="tableinfo">mips</td> <td class="tableinfo">gcc-3.4.x does not generate .note.GNU-stack</td>
+</tr>
+ <tr>
+<td class="tableinfo">ppc</td> <td class="tableinfo">gcc generates proper .note.GNU-stack, but final link results in exec stack</td>
+</tr>
+ <tr>
+<td class="tableinfo">ppc64</td> <td class="tableinfo">gcc generates proper .note.GNU-stack, but final link results in exec stack</td>
+</tr>
+ <tr>
+<td class="tableinfo">s390</td> <td class="tableinfo">fully supported</td>
+</tr>
+ <tr>
+<td class="tableinfo">s390x</td> <td class="tableinfo">fully supported</td>
+</tr>
+ <tr>
+<td class="tableinfo">sh</td> <td class="tableinfo">fully supported (gcc-3.4.x/glibc-2.5)</td>
+</tr>
+ <tr>
+<td class="tableinfo">sparc</td> <td class="tableinfo">fully supported</td>
+</tr>
+ <tr>
+<td class="tableinfo">x86</td> <td class="tableinfo">fully supported</td>
+</tr>
+</table>
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
+ </span>References</p>
+<ul>
+ <li>thanks to the <a href="http://pax.grsecurity.net/">PaX team</a> for holding my hand</li>
+ <li>Roland McGrath's <a href="http://www.redhat.com/archives/fedora-devel-list/2003-November/msg00838.html">brain dump</a>
+</li>
+ <li>
+<a href="http://en.wikipedia.org/wiki/NX_bit">NX bit</a> Wikipedia entry</li>
+</ul>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/gnu-stack.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 29, 2010</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>Handbook for proper GNU Stack management in ELF systems</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:vapier@gentoo.org" class="altlink"><b>Mike Frysinger</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:pageexec@freemail.hu" class="altlink"><b>The PaX team</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:kevquinn@gentoo.org" class="altlink"><b>Kevin F. Quinn</b></a>
+<br><i>Contributor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/grsecurity.html b/html/grsecurity.html
new file mode 100644
index 0000000..65dffff
--- /dev/null
+++ b/html/grsecurity.html
@@ -0,0 +1,809 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo Grsecurity v2 Guide</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo Grsecurity v2 Guide</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. About Grsecurity</option>
+<option value="#doc_chap2">2. PaX</option>
+<option value="#doc_chap3">3. RBAC</option>
+<option value="#doc_chap4">4. Filesystem Protection</option>
+<option value="#doc_chap5">5. Kernel Auditing</option>
+<option value="#doc_chap6">6. Process Restrictions</option>
+<option value="#doc_chap7">7. The Hardened Toolchain</option>
+<option value="#doc_chap8">8. Resources</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>About Grsecurity</p>
+<p class="secthead"><a name="doc_chap1_sect1">The Grsecurity Project</a></p>
+<p>
+The grsecurity project, hosted on <a href="http://www.grsecurity.org">http://www.grsecurity.org</a>, provides
+various patches to the Linux kernel which enhance your system's overall
+security. The various features brought by grsecurity are discussed in the next
+chapter; a comprehensive list is maintained on the <a href="http://www.grsecurity.org/features.php">grsecurity features page</a>
+itself.
+</p>
+<p>
+As grsecurity's features are mostly kernel-based, the majority of this document
+explains the various kernel features and their respective sysctl operands (if
+applicable).
+</p>
+<p class="secthead"><a name="doc_chap1_sect2">Gentoo Hardened Integration</a></p>
+<p>
+The <a href="http://hardened.gentoo.org">Gentoo Hardened Project</a>
+maintains security-enhancement features for Gentoo, including but not limited to
+grsecurity.
+</p>
+<p class="secthead"><a name="doc_chap1_sect3">Kernel Configuration</a></p>
+<p>
+Throughout this document we will talk about kernel configuration using the
+kernel variables like <span class="code" dir="ltr">CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS</span>. These are the
+variables that the kernel build process uses to determine if a certain feature
+needs to be compiled.
+</p>
+<p>
+When you configure your kernel through <span class="code" dir="ltr">make menuconfig</span> or similar, you
+receive a user interface through which you can select the various kernel
+options. If you select the <span class="emphasis">Help</span> button at a certain kernel feature you
+will see at the top that it lists such a kernel variable.
+</p>
+<p>
+You can therefore still configure your kernel as you like - with a bit of
+thinking. And if you can't find a certain option, there's always the possibility
+to edit <span class="path" dir="ltr">/usr/src/linux/.config</span> by hand :)
+</p>
+<p>
+Of course, to be able to select the various grsecurity kernel options, you must
+enable grsecurity in your kernel:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Activating grsecurity</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+CONFIG_GRKERNSEC=y
+CONFIG_GRKERNSEC_CUSTOM=y
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>PaX</p>
+<p class="secthead"><a name="doc_chap2_sect1">Fighting the Exploitation of Software Bugs</a></p>
+<p>
+PaX introduces a couple of security mechanisms that make it harder for attackers
+to exploit software bugs that involve memory corruption (so don't treat PaX as
+if it protects against all possible software bugs). The <a href="http://pax.grsecurity.net/docs/pax.txt">PaX introduction document</a>
+talks about three possible exploit techniques:
+</p>
+<ol>
+ <li>introduce/execute arbitrary code</li>
+ <li>execute existing code out of original program order</li>
+ <li>execute existing code in original program order with arbitrary data</li>
+</ol>
+<p>
+One prevention method disallows executable code to be stored in writable
+memory. When we look at a process, it requires five memory regions:
+</p>
+<ol>
+ <li>
+ a <span class="emphasis">data section</span> which contains the statically allocated and global
+ data
+ </li>
+ <li>
+ a <span class="emphasis">BSS region</span> (Block Started by Symbol) which contains information
+ about the zero-initialized data of the process
+ </li>
+ <li>
+ a <span class="emphasis">code region</span>, also called the <span class="emphasis">text segment</span>, which contains
+ the executable instructions
+ </li>
+ <li>
+ a <span class="emphasis">heap</span> which contains the dynamically allocated memory
+ </li>
+ <li>
+ a <span class="emphasis">stack</span> which contains the local variables
+ </li>
+</ol>
+<p>
+The first PaX prevention method, called <b>NOEXEC</b>, is meant to give control
+over the runtime code generation. It marks memory pages that do not contain
+executable code as non-executable. This means that the heap and the stack,
+which only contain variable data and shouldn't contain executable
+code, are marked as non-executable. Exploits that place code in these areas with
+the intention of running it will fail.
+</p>
+<p>
+NOEXEC does more than this actually, interested readers should focus their
+attention to the <a href="http://pax.grsecurity.net/docs/noexec.txt">PaX
+NOEXEC documentation</a>.
+</p>
+<p>
+The second PaX prevention method, called <b>ASLR</b> (Address Space Layout
+Randomization), randomize the addresses given to memory requests. Where
+previously memory was assigned contiguously (which means exploits know where
+the tasks' memory regions are situated) ASLR randomizes this allocation,
+rendering techniques that rely on this information useless.
+</p>
+<p>
+More information about ASLR can be found <a href="http://pax.grsecurity.net/docs/aslr.txt">online</a>.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">Enabling PaX</a></p>
+<p>
+The recommended kernel setting for PaX is:
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Recommended PaX Kernel Configuration</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">#
+# PaX Control
+#
+# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set</span>
+CONFIG_GRKERNSEC_PAX_EI_PAX=y
+CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
+CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
+<span class="code-comment"># CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS is not set
+# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Address Space Protection
+#</span>
+CONFIG_GRKERNSEC_PAX_NOEXEC=y
+<span class="code-comment"># CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set</span>
+CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
+CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
+CONFIG_GRKERNSEC_PAX_MPROTECT=y
+<span class="code-comment"># CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set</span>
+CONFIG_GRKERNSEC_PAX_ASLR=y
+CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
+CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
+CONFIG_GRKERNSEC_PAX_RANDMMAP=y
+CONFIG_GRKERNSEC_PAX_RANDEXEC=y
+<span class="code-comment"># CONFIG_GRKERNSEC_KMEM is not set
+# CONFIG_GRKERNSEC_IO is not set</span>
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_HIDESYM=y
+</pre></td></tr>
+</table>
+<p>
+If you are running a non-x86 system you will observe that there is no
+CONFIG_GRKERNSEC_PAX_NOEXEC. You should select CONFIG_GRKERNSEC_PAX_PAGEEXEC
+instead as it is the only non-exec implementation around.
+</p>
+<p class="secthead"><a name="doc_chap2_sect3">Controlling PaX</a></p>
+<p>
+Not all Linux applications are happy with the PaX security restrictions. These
+tools include xorg-x11, java, mplayer, xmms and others. If you plan on using
+them you can elevate the protections for these applications using <span class="code" dir="ltr">chpax</span>
+and <span class="code" dir="ltr">paxctl</span>.
+</p>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Installing the chpax and paxctl tools</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge sys-apps/chpax</span>
+# <span class="code-input">emerge sys-apps/paxctl</span>
+</pre></td></tr>
+</table>
+<p>
+chpax provides an init script that handles most known application settings for
+you:
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Adding the chpax init script to the default runlevel</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rc-update add chpax default</span>
+</pre></td></tr>
+</table>
+<p>
+<span class="code" dir="ltr">pax-utils</span> is a small toolbox which contains useful applications to
+administrate a PaX aware server.
+</p>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Installing pax-utils</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge pax-utils</span>
+</pre></td></tr>
+</table>
+<p>
+Interesting tools include <span class="code" dir="ltr">scanelf</span> and <span class="code" dir="ltr">pspax</span>:
+</p>
+<ul>
+ <li>
+ With <span class="code" dir="ltr">scanelf</span> you can scan over library and binary directories and
+ list the various permissions and ELF types that pertain to running an ideal
+ pax/grsec setup
+ </li>
+ <li>
+ With <span class="code" dir="ltr">pspax</span> you can display PaX flags/capabilities/xattr from the
+ kernel's perspective
+ </li>
+</ul>
+<p class="secthead"><a name="doc_chap2_sect4">Verifying the PaX Settings</a></p>
+<p>
+Peter Busser has written a regression test suite called <span class="code" dir="ltr">paxtest</span>. This
+tool will check various cases of possible attack vectors and inform you of the
+result. When you run it, it will leave a logfile called <span class="path" dir="ltr">paxtest.log</span>
+in the current working directory.
+</p>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Installing and running paxtest</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge paxtest</span>
+
+# <span class="code-input">paxtest</span>
+Executable anonymous mapping : Killed
+Executable bss : Killed
+Executable data : Killed
+Executable heap : Killed
+Executable stack : Killed
+Executable anonymous mapping (mprotect) : Killed
+Executable bss (mprotect) : Killed
+Executable data (mprotect) : Killed
+Executable heap (mprotect) : Killed
+Executable stack (mprotect) : Killed
+Executable shared library bss (mprotect) : Killed
+Executable shared library data (mprotect): Killed
+Writable text segments : Killed
+Anonymous mapping randomisation test : 16 bits (guessed)
+Heap randomisation test (ET_EXEC) : 13 bits (guessed)
+Heap randomisation test (ET_DYN) : 25 bits (guessed)
+Main executable randomisation (ET_EXEC) : 16 bits (guessed)
+Main executable randomisation (ET_DYN) : 17 bits (guessed)
+Shared library randomisation test : 16 bits (guessed)
+Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
+Stack randomisation test (PAGEEXEC) : No randomisation
+Return to function (strcpy) : Vulnerable
+Return to function (memcpy) : Vulnerable
+Return to function (strcpy, RANDEXEC) : Killed
+Return to function (memcpy, RANDEXEC) : Killed
+Executable shared library bss : Killed
+Executable shared library data : Killed
+</pre></td></tr>
+</table>
+<p>
+In the above example run you notice that:
+</p>
+<ul>
+ <li>
+ strcpy and memcpy are listed as <span class="emphasis">Vulnerable</span>. This is expected and
+ normal - it is simply showing the need for a technology such as ProPolice/SSP
+ </li>
+ <li>
+ there is no randomization for PAGEEXEC. This is normal since our recommended
+ x86 kernel configuration didn't activate the PAGEEXEC setting. However, on
+ arches that support a true NX (non-executable) bit (most of them do,
+ including x86_64), PAGEEXEC is the only method available for NOEXEC and
+ has no performance hit.
+ </li>
+</ul>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>RBAC</p>
+<p class="secthead"><a name="doc_chap3_sect1">Role Based Access Control</a></p>
+<p>
+There are two basic types of access control mechanisms used to prevent
+unauthorized access to files (or information in general): DAC (Discretionary
+Access Control) and MAC (Mandatory Access Control). By default, Linux uses a DAC
+mechanism: the creator of the file can define who has access to the file. A MAC
+system however forces everyone to follow rules set by the administrator.
+</p>
+<p>
+The MAC implementation grsecurity supports is called Role Based Access
+Control. RBAC associates <span class="emphasis">roles</span> with each user. Each role defines what
+operations can be performed on certain objects. Given a well-written collection
+of roles and operations your users will be restricted to perform only those
+tasks that you tell them they can do. The default "deny-all" ensures you that a
+user cannot perform an action you haven't thought of.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">Configuring the Kernel</a></p>
+<p>
+The recommended kernel setting for RBAC is:
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Recommended RBAC Kernel Configuration</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">#
+# Role Based Access Control Options
+#</span>
+CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap3_sect3">Working with gradm</a></p>
+<p>
+<span class="code" dir="ltr">gradm</span> is a tool which allows you to administer and maintain a policy for
+your system. With it, you can enable or disable the RBAC system, reload
+the RBAC roles, change your role, set a password for admin mode, etc.
+</p>
+<p>
+When you install <span class="code" dir="ltr">gradm</span> a default policy will be installed in
+<span class="path" dir="ltr">/etc/grsec/policy</span>:
+</p>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: Installing gradm</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge gradm</span>
+</pre></td></tr>
+</table>
+<p>
+By default, the RBAC policies are not activated. It is the sysadmin's job to
+determine when the system should have an RBAC policy enforced and not Gentoo's.
+Before activating the RBAC system you should set an admin password.
+</p>
+<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: Activating the RBAC system</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">gradm -P</span>
+Setting up grsecurity RBAC password
+Password: <span class="code-comment">(Enter a well-chosen password)</span>
+Re-enter Password: <span class="code-comment">(Enter the same password for confirmation)</span>
+Password written in /etc/grsec/pw
+# <span class="code-input">gradm -E</span>
+</pre></td></tr>
+</table>
+<p>
+To disable the RBAC system, run <span class="code" dir="ltr">gradm -D</span>. If you are not allowed to, you
+first need to switch to the admin role:
+</p>
+<a name="doc_chap3_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.4: Disabling the RBAC system</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">gradm -a admin</span>
+Password: <span class="code-comment">(Enter your admin role password)</span>
+# <span class="code-input">gradm -D</span>
+</pre></td></tr>
+</table>
+<p>
+If you want to leave the admin role, run <span class="code" dir="ltr">gradm -u admin</span>:
+</p>
+<a name="doc_chap3_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.5: Dropping the admin role</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">gradm -u admin</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap3_sect4">Generating a Policy</a></p>
+<p>
+The RBAC system comes with a great feature called "learning mode". The learning
+mode can generate an anticipatory least privilege policy for your system. This
+allows for time and money savings by being able to rapidly deploy multiple
+secure servers.
+</p>
+<p>
+To use the learning mode, activate it using <span class="code" dir="ltr">gradm</span>:
+</p>
+<a name="doc_chap3_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.6: Activating the RBAC learning mode</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">gradm -F -L /etc/grsec/learning.log</span>
+</pre></td></tr>
+</table>
+<p>
+Now use your system, do the things you would normally do. Try to avoid rsyncing,
+running locate of any other heavy file i/o operation as this can really slow
+down the processing time.
+</p>
+<p>
+When you believe you have used your system sufficiently to obtain a good policy,
+let <span class="code" dir="ltr">gradm</span> process them and propose roles under
+<span class="path" dir="ltr">/etc/grsec/learning.roles</span>:
+</p>
+<a name="doc_chap3_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.7: Processing learning mode logs</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles</span>
+</pre></td></tr>
+</table>
+<p>
+Audit the <span class="path" dir="ltr">/etc/grsec/learning.roles</span> and save it as
+<span class="path" dir="ltr">/etc/grsec/policy</span> (mode 0600) when you are finished.
+</p>
+<a name="doc_chap3_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.8: Saving the policies</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">mv /etc/grsec/learning.roles /etc/grsec/policy</span>
+# <span class="code-input">chmod 0600 /etc/grsec/policy</span>
+</pre></td></tr>
+</table>
+<p>
+You will now be able to enable the RBAC system with your new learned policy.
+</p>
+<p class="secthead"><a name="doc_chap3_sect5">Tweaking your Policy</a></p>
+<p>
+An interesting feature of grsecurity 2.x is <span class="emphasis">Set Operation Support</span> for the
+configuration file. Currently it supports unions, intersections and differences
+of sets (of objects in this case).
+</p>
+<a name="doc_chap3_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.9: Example sets</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+define objset1 {
+/root/blah rw
+/root/blah2 r
+/root/blah3 x
+}
+
+define somename2 {
+/root/test1 rw
+/root/blah2 rw
+/root/test3 h
+}
+</pre></td></tr>
+</table>
+<p>
+Here is an example of its use, and the resulting objects that will be added to
+your subject:
+</p>
+<a name="doc_chap3_pre10"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.10: &amp; Example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+subject /somebinary o
+$objset1 &amp; $somename2
+</pre></td></tr>
+</table>
+<p>
+The above would expand to:
+</p>
+<a name="doc_chap3_pre11"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.11: Resulting subject settings</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+subject /somebinary o
+/root/blah2 r
+</pre></td></tr>
+</table>
+<p>
+This is the result of the &amp; operator which takes both sets and returns the
+files that exist in both sets and the permission for those files that exist
+in both sets.
+</p>
+<a name="doc_chap3_pre12"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.12: | Example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+subject /somebinary o
+$objset1 | $somename2
+</pre></td></tr>
+</table>
+<p>
+This example would expand to:
+</p>
+<a name="doc_chap3_pre13"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.13: Resulting subject settings</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+subject /somebinary o
+/root/blah rw
+/root/blah2 rw
+/root/blah3 x
+/root/test1 rw
+/root/test3 h
+</pre></td></tr>
+</table>
+<p>
+This is the result of the | operator which takes both sets and returns the
+files that exist in either set. If a file exists in both sets, it is returned
+as well and the mode contains the flags that exist in either set.
+</p>
+<a name="doc_chap3_pre14"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.14: - Example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+subject /somebinary o
+$objset1 - $somename2
+</pre></td></tr>
+</table>
+<p>
+This example would expand to:
+</p>
+<a name="doc_chap3_pre15"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.15: Resulting subject settings</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+subject /somebinary o
+/root/blah rw
+/root/blah2 h
+/root/blah3 x
+</pre></td></tr>
+</table>
+<p>
+This is the result of the - operator which takes both sets and returns the
+files that exist in the set on the left but not in the match of the file in
+set on the right. If a file exists on the left and a match is found on the
+right (either the filenames are the same, or a parent directory exists in
+the right set), the file is returned and the mode of the second set is
+removed from the first set, and that file is returned.
+</p>
+<p>
+In some obscure pseudo-language you could see this as:
+</p>
+<a name="doc_chap3_pre16"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.16: Pseudo-language explanation</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+if ( (<span class="code-input">$objset1</span> contained <span class="code-input">/tmp/blah rw</span>) and
+ (<span class="code-input">$objset2</span> contained <span class="code-input">/tmp/blah r</span>) )
+then
+ <span class="code-input">$objset1 - $objset2</span> would contain <span class="code-input">/tmp/blah w</span>
+
+if ( (<span class="code-input">$objset1</span> contained <span class="code-input">/tmp/blah rw</span>) and
+ (<span class="code-input">$objset2</span> contained <span class="code-input">/ rwx</span>) )
+then
+ <span class="code-input">$objset1 - $objset2</span> would contain <span class="code-input">/tmp/blah h</span>
+</pre></td></tr>
+</table>
+<p>
+As for order of precedence (from highest to lowest): "-, &amp; |".
+</p>
+<p>
+If you do not want to bother remembering precedence, parenthesis support
+is also included, so you can do things like:
+</p>
+<a name="doc_chap3_pre17"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.17: Parenthesis example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+(($set1 - $set2) | $set3) &amp; $set4
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Filesystem Protection</p>
+<p class="secthead"><a name="doc_chap4_sect1">Fighting Chroot and Filesystem Abuse</a></p>
+<p>
+Grsecurity2 includes many patches that prohibits users from gaining unnecessary
+knowledge about the system. This includes restrictions on <span class="path" dir="ltr">/proc</span>
+usage, chrooting, linking, etc.
+</p>
+<p class="secthead"><a name="doc_chap4_sect2">Kernel Configuration</a></p>
+<p>
+We recommend the following grsecurity kernel configuration for filesystem
+protection:
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Activating Filesystem Protection</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">#
+# Filesystem Protections
+#</span>
+CONFIG_GRKERNSEC_PROC=y
+<span class="code-comment"># CONFIG_GRKERNSEC_PROC_USER is not set</span>
+CONFIG_GRKERNSEC_PROC_USERGROUP=y
+CONFIG_GRKERNSEC_PROC_GID=10
+CONFIG_GRKERNSEC_PROC_ADD=y
+CONFIG_GRKERNSEC_LINK=y
+CONFIG_GRKERNSEC_FIFO=y
+CONFIG_GRKERNSEC_CHROOT=y
+CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+CONFIG_GRKERNSEC_CHROOT_CAPS=y
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap4_sect3">Triggering the Security Mechanism</a></p>
+<p>
+When you're using a kernel compiled with the above (or similar) settings, you
+will get the option to enable/disable many of the options through the
+<span class="path" dir="ltr">/proc</span> filesystem or via <span class="code" dir="ltr">sysctl</span>.
+</p>
+<p>
+The example below shows an excerpt of a typical <span class="path" dir="ltr">/etc/sysctl.conf</span>:
+</p>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Example settings inside /etc/sysctl.conf</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_caps = 1
+kernel.grsecurity.chroot_execlog = 0
+kernel.grsecurity.chroot_restrict_nice = 1
+kernel.grsecurity.chroot_deny_mknod = 1
+kernel.grsecurity.chroot_deny_chmod = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_deny_pivot = 1
+kernel.grsecurity.chroot_deny_chroot = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
+kernel.grsecurity.chroot_deny_mount = 1
+kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+</pre></td></tr>
+</table>
+<p>
+You can enable or disable settings at will using the <span class="code" dir="ltr">sysctl</span> command:
+</p>
+<a name="doc_chap4_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.3: Enabling sysctl settings</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">(Toggling the exec_logging feature ON)</span>
+# <span class="code-input">sysctl -w kernel.grsecurity.exec_logging = 1</span>
+<span class="code-comment">(Toggling the exec_logging feature OFF)</span>
+# <span class="code-input">sysctl -w kernel.grsecurity.exec_logging = 0</span>
+</pre></td></tr>
+</table>
+<p>
+There is a very important sysctl setting pertaining to grsecurity, namely
+<span class="code" dir="ltr">kernel.grsecurity.grsec_lock</span>. When set, you are not able to change any
+setting anymore.
+</p>
+<a name="doc_chap4_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.4: Locking the sysctl interface</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">sysctl -w kernel.grsecurity.grsec_lock = 1</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Kernel Auditing</p>
+<p class="secthead"><a name="doc_chap5_sect1">Extend your System's Logging Facilities</a></p>
+<p>
+grsecurity adds extra functionality to the kernel pertaining the logging. With
+grsecurity's <span class="emphasis">Kernel Auditing</span> the kernel informs you when applications are
+started, devices (un)mounted, etc.
+</p>
+<p class="secthead"><a name="doc_chap5_sect2">The various Kernel Audit Settings</a></p>
+<p>
+The following kernel configuration section can be used to enable grsecurity's
+Kernel Audit Settings:
+</p>
+<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Activating Kernel Auditing</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">#
+# Kernel Auditing
+#
+# CONFIG_GRKERNSEC_AUDIT_GROUP is not set</span>
+CONFIG_GRKERNSEC_EXECLOG=y
+CONFIG_GRKERNSEC_RESLOG=y
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+CONFIG_GRKERNSEC_AUDIT_IPC=y
+CONFIG_GRKERNSEC_SIGNAL=y
+CONFIG_GRKERNSEC_FORKFAIL=y
+CONFIG_GRKERNSEC_TIME=y
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+CONFIG_GRKERNSEC_AUDIT_TEXTREL=y
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>Process Restrictions</p>
+<p class="secthead"><a name="doc_chap6_sect1">Executable Protection</a></p>
+<p>
+With grsecurity you can restrict executables. Since most exploits work through
+one or more running processes this protection can save your system's health.
+</p>
+<p class="secthead"><a name="doc_chap6_sect2">Network Protection</a></p>
+<p>
+Linux' TCP/IP stack is vulnerable to prediction-based attacks. grsecurity
+includes randomization patches to counter these attacks. Apart from these you
+can also enable socket restrictions, disallowing certain groups network access
+alltogether.
+</p>
+<p class="secthead"><a name="doc_chap6_sect3">Kernel Settings</a></p>
+<p>
+The following kernel settings enable various executable and network protections:
+</p>
+<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: Kernel setting</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">#
+# Executable Protections
+#</span>
+CONFIG_GRKERNSEC_EXECVE=y
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_RANDPID=y
+CONFIG_GRKERNSEC_TPE=y
+CONFIG_GRKERNSEC_TPE_ALL=y
+CONFIG_GRKERNSEC_TPE_GID=100
+
+<span class="code-comment">#
+# Network Protections
+#</span>
+CONFIG_GRKERNSEC_RANDNET=y
+CONFIG_GRKERNSEC_RANDISN=y
+CONFIG_GRKERNSEC_RANDID=y
+CONFIG_GRKERNSEC_RANDSRC=y
+CONFIG_GRKERNSEC_RANDRPC=y
+<span class="code-comment"># CONFIG_GRKERNSEC_SOCKET is not set</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>The Hardened Toolchain</p>
+<p>
+Although it is outside the scope of this document we mention the use of the
+hardened toolchain which completes the grsec/PaX model from userspace. As a
+quickstart you can do:
+</p>
+<a name="doc_chap7_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.1: Using the hardened toolchain</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">cd /etc</span>
+# <span class="code-input">rm make.profile</span>
+# <span class="code-input">ln -s ../usr/portage/profiles/hardened/x86 make.profile</span>
+# <span class="code-input">emerge -e world</span>
+</pre></td></tr>
+</table>
+<p>
+If you don't want to use this profile, add these <span class="code" dir="ltr">hardened pic</span> USE flags to your
+USE variable in <span class="path" dir="ltr">/etc/make.conf</span>.
+</p>
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
+ </span>Resources</p>
+<ul>
+ <li><a href="http://grsecurity.net/">Grsecurity Homepage</a></li>
+ <li><a href="http://forums.grsecurity.net/">Grsecurity Forums</a></li>
+ <li>
+ <a href="http://grsecurity.net/researchpaper.pdf">Increasing Performance
+ and Granularity in Role-Based Access Control Systems</a>
+
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/capabilities.xml">
+ Capability Names and Descriptions</a>
+ </li>
+ <li>
+ <a href="http://grsecurity.net/quickstart.pdf">Grsecurity Quick-Start
+ Guide</a> (NEW .pdf)
+ </li>
+
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">Using PaX with
+ Gentoo QuickStart</a> (NEW)
+ </li>
+ <li>
+ <a href="http://hardened.gentoo.org/grsecurity.xml">Grsecurity with
+ Gentoo 1.9.x MAC system</a> (OLD)
+ </li>
+ <li>
+ <a href="http://grsecurity.net/PaX-presentation_files/frame.htm">PaX: The
+ Guaranteed End of Arbitrary Code Execution</a>
+
+ </li>
+ <li>
+ <a href="http://pax.grsecurity.net">PaX HomePage and Documentation</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/infrastructure/tenshi">Tenshi</a>
+ </li>
+</ul>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/grsecurity.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated January 5, 2010</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This document features the grsecurity 2.x security patches, supported kernel
+configuration options and tools provided by the grsecurity project to lift your
+system's security to higher standards.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:swift@gentoo.org" class="altlink"><b>Sven Vermeulen</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/hardened-toolchain.html b/html/hardened-toolchain.html
new file mode 100644
index 0000000..2079abf
--- /dev/null
+++ b/html/hardened-toolchain.html
@@ -0,0 +1,357 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ The Gentoo Hardened Toolchain</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
+ This document is a work in progress and should not be considered official yet.
+ </p></td></tr></table>
+<br><h1>The Gentoo Hardened Toolchain</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction to the Gentoo Hardened toolchain</option>
+<option value="#doc_chap2">2. The Stack Smashing Protector (SSP)</option>
+<option value="#doc_chap3">3. Position Independent Executables (PIEs)</option>
+<option value="#doc_chap4">4. Mark Read-Only Appropriate Sections</option>
+<option value="#doc_chap5">5. Binding policy NOW</option>
+<option value="#doc_chap6">6. References</option></select>
+</form>
+<p class="chaphead"><a name="introduction"></a><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction to the Gentoo Hardened toolchain</p>
+<p class="secthead"><a name="todo"></a><a name="doc_chap1_sect1">TODO</a></p>
+<ul>
+<li>Binutils modifications for PaX</li>
+<li>Comment on relationship to SELinux</li>
+</ul>
+<p class="secthead"><a name="overview"></a><a name="doc_chap1_sect2">Overview</a></p>
+<p>
+The Gentoo Hardened project introduces a number of changes to the default behaviour of the toolchain (gcc, binutils, glibc/uclibc) intended to improve security. It supports other initiatives taken by the hardened project; most directly PaX and Grsecurity, but can also be applied to SELinux and RSBAC. This document describes each of the modifications made to the toolchain, showing what they achieve and how they relate to the Gentoo hardened strategy.
+</p>
+<p class="secthead"><a name="SSPintro"></a><a name="doc_chap1_sect3">Default addition of the Stack Smashing Protector (SSP)</a></p>
+<p>
+First developed by Dr Hiroaki Etoh at IBM for the 3.x series of GCC (originally under the name ProPolice) and re-developed in a different way for the 4.x series by RedHat, the Stack Smashing Protector attempts to protect against stack buffer overflows. It causes the compiler to insert a check for stack buffer overflows before function returns. If an attempt is made to exploit a previously unfixed (and probably undiscovered) error that exposes a buffer overflow vulnerability, the application will be killed immediately. This reduces any potential exploit to a denial-of-service.
+</p>
+<p>
+Normally the compiler must be explicitly directed to switch on the stack protection via compiler options. The Gentoo hardened GCC switches on the stack protector by default unless explicitly requested not to. The chapter "<a href="#SSP">The Stack Smashing Protector</a>" describes the toolchain modifications to make this happen, and issues that may arise.
+</p>
+<p class="secthead"><a name="PIEintro"></a><a name="doc_chap1_sect4">Automatic generation of Position Independent Executables (PIEs)</a></p>
+<p>
+Standard executables have a fixed base address, and they must be loaded to this address otherwise they will not execute correctly. Position Independent Executables can be loaded anywhere in memory much like shared libraries, allowing <a href="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">PaX</a>'s Address Space Layout Randomisation (ASLR) to take effect. This is achieved by building the code to be position-independent, and linking them as ELF shared objects.
+</p>
+<p>
+In 2003 Hardened Gentoo introduced an approach referred to as '-y etdyn' which consisted of building all code with -fPIC, and modifying the link stage to provide an ET_DYN executable using a modified PIC version of crt1.o, and setting the interp header to cause the executable to be loaded by the loader from glibc. ET_DYN versions of the crt1.o object were created for x86, parisc, ppc and sparc.
+</p>
+<p>
+Further work was undertaken by RedHat, who implemented a '-pie' switch for the linker, and '-fPIE' to be used when compiling objects for linking into a Position Independent Executable. Building an object with -fPIE is slightly different from -fPIC; in particular not all symbols are vectored through the GOT which means pre-loaded shared libraries do not override these symbols in the executable, which is also the case for ET_EXEC executables.
+</p>
+<p>
+As the support for PIEs in the upstream toolchain matured, Hardened Gentoo switched to PIE, dropping the earlier "-y et_dyn" support. PIEs have several advantages, not least of which is that upstream have taken on the burden of support in gcc, glibc and binutils.
+</p>
+<p>
+The Gentoo hardened GCC automatically builds PIEs when building application code, unless explicitly requested not to (with a few built-in exceptions for cases where it is undesirable). The chapter "<a href="#PIE">Position Independent Executables</a> describes the toolchain modifications to make this happen, and issues that may arise.
+</p>
+<p class="secthead"><a name="RELROintro"></a><a name="doc_chap1_sect5">Default to marking read-only, sections that can be so marked after the loader is finished (RELRO)</a></p>
+<p>
+There are several sections that need to be writable by the loader before the application starts, but do not need to be writable by the application itself later. Setting relro instructs the linker to record which sections this applies to, and the loader will mark them read-only before passing or returning execution control to the application. Typical sections affected include .ctors, .dtors, .jcr, .dynamic and .got, although the exact list varies according to arch. If <a href="#NOWintro">BIND_NOW</a> is also set then on some arches all of the GOT (i.e. including the PLT) can be set read-only in this way, preventing various attack methods that involve overwriting it.
+</p>
+<p>
+The Gentoo hardened GCC automatically sets the linker to set RELRO, unless explicitly requested not to. The chapter "<a href="#RELRO">Read-Only Relocation tables</a>" describes the toolchain modifications to make this happen.
+</p>
+<p class="secthead"><a name="NOWintro"></a><a name="doc_chap1_sect6">Default full binding at load-time (BIND_NOW)</a></p>
+<p>
+To reduce the time between starting an application and actually being able to use it, most software is built with "lazy binding". This means that references to functions in shared libraries are resolved when they are actually used for the first time, rather than when the application is loaded. The hardened toolchain changes this behaviour so that by default it will set the "BIND_NOW" flag, which causes the loader to sort out all of these links before starting execution. It improves the effectiveness of <a href="#RELROintro">RELRO</a>.
+</p>
+<p>
+The Gentoo hardened GCC automatically sets the linker to set the BIND_NOW flag, unless explicitly requested not to. The chapter "<a href="#NOW">Binding policy NOW</a>" describes the toolchain modifications to make this happen.
+</p>
+<p class="chaphead"><a name="SSP"></a><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>The Stack Smashing Protector (SSP)</p>
+<p class="secthead"><a name="SSPrationale"></a><a name="doc_chap2_sect1">Rationale for enabling the stack smashing protector globally</a></p>
+<p>
+The stack smashing protector arranges the code so that a stack overflow is very likely to be detected by the application, which then aborts. This means that an attacker who tries to exploit such a stack overflow error can cause the application to die, but cannot exploit the error to execute code. So the threat is reduced from a privilege elevation to at most a denial of service. Obviously, any such errors in the code should be fixed - SSP is not an excuse to avoid fixing them - however it is extremely difficult to be confident no such errors remain, even after thorough code review and testing. So SSP remains as a safety-net for unfixed stack overflow errors.
+</p>
+<p>
+This is an important part of the overall Hardened Toolchain/PaX/GRsecurity strategy. PaX prevents stack overflows from being executable by making the stack non-executable so an attacker cannot just put his shellcode into a buffer that overflows - however it does not prevent attacks that alter data that affect the program flow; in particular attacks that modify return addresses on the stack.
+</p>
+<p class="secthead"><a name="SSPtoolchain"></a><a name="doc_chap2_sect2">Toolchain modifications for default SSP</a></p>
+<p>
+At Gentoo we add stack smashing protection patches to the GCC-3.x series compilers and the C library (glibc-2.3.x and uclibc). As such this is the most invasive action taken to harden the toolchain. From gcc-4.1 and glibc-2.4 onwards a different implementation of SSP is provided by the upstream GNU toolchain; glibc-2.4 is also patched by Gentoo to support the GCC-3.x implementation of SSP so binaries built with either SSP implementation will work.
+</p>
+<p>
+The patches to GCC-3.x are not trivial, so a detailed explanation here is not suitable, even if we could write one. The modifications to the C library are simpler; they provide the canary value which is randomised separately for every process (and separately for every thread in the gcc-4.x/glibc-2.4 implementation), and the handler function called when the canary is checked and found to be corrupt. The handler function reports an error and shuts down the process; this has to be done very carefully to ensure the handler itself cannot be exploited.
+</p>
+<p class="secthead"><a name="SSPissues"></a><a name="doc_chap2_sect3">Issues arising from default SSP</a></p>
+<p>
+The SSP implementation in gcc-3.x is not perfect, and can cause problems. In particular C++ code can be built incorrectly when SSP is enabled, although the exact details are not clear at the moment.
+</p>
+<p>
+The SSP implementation in gcc-4.x is completely different, even so far as changing the semantics of the compiler switches. At the time of writing, we have little experience in the SSP implementation in gcc-4.x.
+</p>
+<p class="chaphead"><a name="PIE"></a><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Position Independent Executables (PIEs)</p>
+<p class="secthead"><a name="PIErationale"></a><a name="doc_chap3_sect1">Rationale for building Position Indepedent Executables (PIEs)</a></p>
+<p>
+The reason for building applications as position-independent is to allow the application to be loaded at a random address; normally the kernel loads all executables to the same fixed address. Randomising this address makes it harder for an attacker to exploit the executable, since it is harder to know where the code (and heap) reside.
+</p>
+<p>
+This is most effective when running a PaX kernel with Address Space Layout Randomisation (ASLR), which increases the randomness of the various parts of a process significantly. It is also necessary to enable the GRsecurity option to hide the location information in the /proc filesystem - otherwise the attacker can just look there to find the addresses needed!
+</p>
+<p>
+A note on prelink: prelinking sets hints for the address at which an ELF file will be loaded. These hints, if followed, would make ASLR ineffective. The PaX kernel causes these hints to be ignored, so prelinking does nothing useful for a Gentoo Hardened system. Since there is no point using prelink, just don't use it.
+</p>
+<p>
+Not using prelink also means you don't have to worry about knock-on effects of prelink. Since prelink modifies the ELF files whenever it prelink is run, these changes need to be propogated to other systems that depend on them. For example host-based Intrusion Detection Systems (IDS) watch for changes to executables and libraries and need to be informed of the changes prelink makes - if prelink is not used then maintenance of such systems is simplified.
+</p>
+<p>
+There are some technologies on the way which reduce the need for prelink. These include:
+</p>
+<ul>
+<li>Symbol visibility support, which when used properly, reduces dramatically the number of symbols to resolve and hence the amount of time taken to resolve them</li>
+<li>Hash tables, which will be generated by the linker and included as a extra section in the ELF file, which make looking up symbols to resolve them nearly free.</li>
+<li>Direct binding, which simplifies the search that the loader by incorporating information in each library detailing exactly where the symbol to be resolved is located.</li>
+</ul>
+<p>
+See <a href="#NOWissues">Issues arising from BIND_NOW</a> for more.
+</p>
+<p class="secthead"><a name="PIEtoolchain"></a><a name="doc_chap3_sect2">Toolchain modifications for automatic PIEs</a></p>
+<p>
+Support for position-independent executables is provided by the standard GNU toolchain. For PIEs, GCC has different versions of some of the compiler support objects so that for example instead of using crtbegin.o, crt1.o and crtend.o it uses crtbeginS.o, Scrt1.o and crtendS.o (the exact files vary according to the compiler target). It also builds code in a similar fashion to library PIC code, although in the case of executables some symbols are not referenced via the Global Offset Table (GOT). The compiler obtains the list of compiler support objects via the "specs" file - see "info gcc" section 3 (Invoking GCC) subsection 15 (Spec Files). Building code for PIEs is achieved by adding '-fPIE' when compiling and '-fPIE -pie' when linking.
+</p>
+<p>
+To change the default for building executables from absolute to position-independent, it is necessary to change the selection of support objects and to set the -fPIE and -pie options appropriately. The specs rules for this are startfile, endfile, cc1 and link_command. Exact details of the modifications vary according to the target; to illustrate here are the changes for x86:
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: standard cc1 rule for x86</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%(cc1_cpu) %{profile:-p}
+</pre></td></tr>
+</table>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: addition to cc1 rule for x86</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%{!D__KERNEL__: %{!static: %{!fno-PIC: %{!fno-pic: %{!shared:
+%{!nostdlib: %{!nostartfiles: %{!fno-PIE: %{!fno-pie: %{!nopie:
+%{!fPIC: %{!fpic:-fPIE} } } } } } } } } } } }
+</pre></td></tr>
+</table>
+<p>
+This looks a lot more scary than it really is. All it says is that unless one or more of the listed options are specified, add -fPIE to the compilation. The kernel defines __KERNEL__ on all its compilations, so the -D__KERNEL__ check ensures that -fPIE is not added when building the kernel; the kernel is a static executable but as <a href="#PIEissues">explained below</a> this is not so easy to detect. When building shared libraries, either -fPIC or -fpic should be specified, so this is used to prevent adding -fPIE when building shared libraries. The -fno-* checks are to ensure that if a build explicitly requests no position-indepedent code, -fPIE is not added.
+</p>
+<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: standard link_command rule for x86</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%{!fsyntax-only:%{!c:%{!M:%{!MM:%{!E:%{!S: %(linker) %l
+%{pie: -pie} %X %{o*} %{A} %{d} %{e*} %{m} %{N} %{n} %{r}
+%{s} %{t} %{u*} %{x} %{z} %{Z} %{!A:%{!nostdlib:%{!nostartfiles:%S}}}
+%{static:} %{L*} %(link_libgcc) %o %{fprofile-arcs|fprofile-generate:-lgcov}
+%{!symbolic:%{!shared:%{fbounds-checking:libboundscheck.a%s}}}
+%{!symbolic:%{!shared:%{fbc-strings-only:libboundscheck.a%s}}}
+%{!nostdlib:%{!nodefaultlibs:%(link_gcc_c_sequence)}}
+%{!A:%{!nostdlib:%{!nostartfiles:%E}}} %{T*} }}}}}}
+</pre></td></tr>
+</table>
+<a name="doc_chap3_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.4: replacement for %{pie: -pie} in link_command rule for x86</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%{!nopie: %{!static: %{!A: %{!shared: %{!nostdlib: %{!nostartfiles:
+%{!fno-PIE: %{!fno-pie: -pie} } } } } } } } %{pie: -pie}
+</pre></td></tr>
+</table>
+<p>
+As with the cc1 rule, the addition causes -pie to be set for link commands unless one of the listed options are specified. Note that this replaces the '%{pie: -pie}' section in the original link_command rule.
+</p>
+<p>
+In both rules, there is an additional condition '!nopie' - this provides a mechanism to stop the hardened compiler defaulting to PIE by adding '-nopie' to CFLAGS. This is what filter-flags does when asked to filter -fPIE and the compiler is hardened.
+</p>
+<p class="secthead"><a name="PIEissues"></a><a name="doc_chap3_sect3">Issues with PIEs</a></p>
+<p>
+Ideally, when building a static executable, a shared library, or building without the standard gcc system files, PIE would not be automatically enabled. Unfortunately, the options -static, -shared, -nostdlib and -nostartfiles are link options, so are usually only supplied to the link command of an executable and not to the compilation commands for individual objects. In these cases, -fPIE will be added to the compilation commands when in fact it shouldn't be. This is an unavoidable limitation, since it is impossible to know from a compilation command for an object exactly what the link command is going to be. Indeed in some cases more than one link command can happen using the same objects. Such cases have to be handled by the relevant ebuild on a case-by-case basis. The -nostdlib and -nostartfiles options occur rarely. The -shared option is usually used when the compilation commands have been performed with -fPIC, so the majority of such cases are not a problem.
+</p>
+<p>
+Where an application builds libraries without -fPIC, it is necessary to modify the build process to avoid -fPIE being added by the compiler. For packages that build only libraries, it is sufficient to do:
+</p>
+<a name="doc_chap3_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.5: switch off automatic PIE for library ebuilds</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+inherit flag-o-matic
+...
+src_compile() {
+...
+filter-flags -fPIE
+...
+}
+</pre></td></tr>
+</table>
+<p>
+However if an ebuild creates both executables and libraries then more detailed modifications need to be made, to add the -fno-PIE to the compilation of objects destined for the libraries. Where an object is used for both a shared library and an executable, it is necessary to modify the build process significantly in order to obtain two objects, one built -fPIC and one built -fPIE for linking to the library and the executable respectively. Most packages that provide both a shared library and a static archive do so by using libtool which does the right thing automatically. Both of these approaches can be taken unconditionally; i.e. it is not necessary to make such changes conditional on the presence of the hardened compiler.
+</p>
+<p>
+Occasionally application code will fail to compile with -fPIE. If this happens it is usually down to non-position-independent assembler code, and is most prevelant on X86 which has a limited general purpose register set. However this is rare in application code as normally application authors push most of their code into shared libraries, although it does happen. Most position-independent build problems occur in shared libraries which are not built position-independent - this is a problem regardless of Hardened, and is nothing to do with PIE; it is just that the issue is highlighted by the hardened compiler due to the automatic enabling of -fPIE when -fPIC is not specified as described above. See the <a href="http://www.gentoo.org/proj/en/hardened/pic-fix-guide.xml">PIC fixing guide</a> for information on how to fix this sort of problem.
+</p>
+<p>
+Some applications have been reported to segfault when built as PIEs. Exactly why this occurs is unclear, but it is likely due to a compiler bug so later compiler versions may resolve such problems.
+</p>
+<p>
+Debugging PIEs at the time of writing only works with sys-devel/gdb-6.3-r5, which includes patches by Elena Zannoni at RedHat. These patches were not included in the main trunk of gdb, so have not been maintained in later versions.
+</p>
+<p class="chaphead"><a name="RELRO"></a><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Mark Read-Only Appropriate Sections</p>
+<p class="secthead"><a name="RELROrationale"></a><a name="doc_chap4_sect1">Rationale for enabling RELRO globally</a></p>
+<p>
+Various sections in an ELF file should be written only by the loader, and not by the application. However in normal circumstances these sections remain read/write throughout the life of the process, and there are attack methods that exploit this to affect program execution flow. Enabling RELRO causes the linker to include an extra header informing the loader which sections can be marked read-only after the loader has finished with them. It also affects the layout of sections slightly, to avoid having RELRO sections and read-write sections on the same memory page. Combining RELRO with BIND_NOW allows also the PLT to be managed this way on some arches.
+</p>
+<p class="secthead"><a name="RELROauto"></a><a name="doc_chap4_sect2">Toolchain modifications for default RELRO</a></p>
+<p>
+RELRO is a link option ("-z relro") provided by the standard GNU toolchain. To switch it on by default, it is simply a matter of adding a small rule to the specs file for GCC as illustrated below:
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: standard link_command rule for x86</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%{!fsyntax-only:%{!c:%{!M:%{!MM:%{!E:%{!S: %(linker) %l
+%{pie: -pie} %X %{o*} %{A} %{d} %{e*} %{m} %{N} %{n} %{r}
+%{s} %{t} %{u*} %{x} %{z} %{Z} %{!A:%{!nostdlib:%{!nostartfiles:%S}}}
+%{static:} %{L*} %(link_libgcc) %o %{fprofile-arcs|fprofile-generate:-lgcov}
+%{!symbolic:%{!shared:%{fbounds-checking:libboundscheck.a%s}}}
+%{!symbolic:%{!shared:%{fbc-strings-only:libboundscheck.a%s}}}
+%{!nostdlib:%{!nodefaultlibs:%(link_gcc_c_sequence)}}
+%{!A:%{!nostdlib:%{!nostartfiles:%E}}} %{T*} }}}}}}
+</pre></td></tr>
+</table>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: additionl segment to follow %{pie: -pie} in link_command rule for x86</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%{!norelro: -z relro} %{relro: }
+</pre></td></tr>
+</table>
+<p>
+So a new option is introduced, "norelro", which can be used to prevent the hardened compiler from automatically switching on RELRO. However this is likely to be phased out, as newer binutils provide a "-z norelro" option which can be appended to LDFLAGS as "-Wl,z,norelro".
+</p>
+<p class="secthead"><a name="RELROissues"></a><a name="doc_chap4_sect3">Issues arising from default RELRO</a></p>
+<p>
+So far, the hardened project has found no issues with switching on RELRO by default. It can make the executable image a little bit bigger (on average by half a page i.e. 2K bytes) which may be of interest for targets with extremely limited memory.
+</p>
+<p class="chaphead"><a name="NOW"></a><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Binding policy NOW</p>
+<p class="secthead"><a name="NOWrationale"></a><a name="doc_chap5_sect1">Rationale for enabling NOW binding globally</a></p>
+<p>
+As described in the <a href="#RELRO">RELRO</a> chapter, setting BIND_NOW increases the effectiveness of setting RELRO, making attacks that involve overwriting data in the Global Offset Table (GOT) fail.
+</p>
+<p class="secthead"><a name="NOWauto"></a><a name="doc_chap5_sect2">Toolchain modifications for default NOW</a></p>
+<p>
+NOW binding is a link option ("-z now") provided by the standard GNU toolchain. To switch it on by default, it is simply a matter of adding a small rule to the specs file for GCC as illustrated below:
+</p>
+<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: standard link_command rule for x86</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%{!fsyntax-only:%{!c:%{!M:%{!MM:%{!E:%{!S: %(linker) %l
+%{pie: -pie} %X %{o*} %{A} %{d} %{e*} %{m} %{N} %{n} %{r}
+%{s} %{t} %{u*} %{x} %{z} %{Z} %{!A:%{!nostdlib:%{!nostartfiles:%S}}}
+%{static:} %{L*} %(link_libgcc) %o %{fprofile-arcs|fprofile-generate:-lgcov}
+%{!symbolic:%{!shared:%{fbounds-checking:libboundscheck.a%s}}}
+%{!symbolic:%{!shared:%{fbc-strings-only:libboundscheck.a%s}}}
+%{!nostdlib:%{!nodefaultlibs:%(link_gcc_c_sequence)}}
+%{!A:%{!nostdlib:%{!nostartfiles:%E}}} %{T*} }}}}}}
+</pre></td></tr>
+</table>
+<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: additionl segment to follow %{pie: -pie} in link_command rule for x86</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+%{!nonow: -z now} %{now: }
+</pre></td></tr>
+</table>
+<p>
+So a new option is introduced, "nonow", which can be used to prevent the hardened compiler from automatically switching on NOW binding. However this is likely to be phased out, as newer binutils provide a "-z lazy" option which can be appended to LDFLAGS as "-Wl,z,lazy".
+</p>
+<p class="secthead"><a name="NOWissues"></a><a name="doc_chap5_sect3">Issues arising from default NOW</a></p>
+<p>
+NOW binding has several noticeable effects. The first is that initial loading time for applications increases, sometimes very noticeably, as the loader resolves all the references before passing execution to the loaded process.
+</p>
+<p>
+One technology that could reduce this overhead significantly is the introduction of "Direct Binding", something that exists on Unix systems (e.g. Solaris) but does not exist in the GNU toolchain. Direct binding adds information to libraries when they are built, to tell the linker which library contains the symbol it is looking for. Normally the linker performs a search across all referenced libraries to find symbols, which adds significantly to the time taken to resolve them. However the implications of direct-binding are significant, and cannot be taken lightly. Michael Meeks at Novell is working on this; see our <a href="http://bugs.gentoo.org/114008">bug #114008</a> for our status on this.
+</p>
+<p>
+Other technologies which should help are symbol visibility and hash tables in the ELF files. Both are technologies supported upstream, so when they appear they will be supported directly. With these two together, it is likely that there will not be much further benefit from direct binding and the complications that arise from direct binding may mean it won't be supported.
+</p>
+<p>
+The second more serious effect is that applications that are not written to refer to shared libraries in the standard way can fail; the most obvious of these is X, which has modules with circular resolution dependencies amongst other unusual behaviour. Another trick occasionally performed by applications is to decide between a number of shared libraries at run time, and use lazy binding to resolve references to the chosen library. Normally this would be done with dlopen(3) and friends, including obtaining symbol addresses via dlsym(3), but it is possible to avoid using dlsym(3) and a plethora of pointers in the code by using lazy binding, although it's not pretty.
+</p>
+<p>
+The following packages have issues with BIND_NOW at the time of writing, and it has to be relaxed somewhat for them:
+</p>
+<ul>
+<li>X - some drivers consist of several libraries which are co-dependent, and the modules frequently have references to modules that they load.</li>
+<li>transcode - relies on lazy binding to be able to load its modules; the issues are similar to the X issues.</li>
+</ul>
+<p class="chaphead"><a name="references"></a><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>References</p>
+<p class="secthead"><a name="gentoorefs"></a><a name="doc_chap6_sect1">Other Gentoo Documentation</a></p>
+<ul>
+<li><a href="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">PaX QuickStart</a></li>
+<li><a href="http://www.gentoo.org/proj/en/hardened/pic-guide.xml">Introduction to Position-Independent Code (PIC)</a></li>
+<li><a href="http://www.gentoo.org/proj/en/hardened/pic-fix-guide.xml">Guide to fixing non-PIC shared libraries</a></li>
+</ul>
+<p class="secthead"><a name="externalrefs"></a><a name="doc_chap6_sect2">External Documentation</a></p>
+<ul>
+<li>
+<a href="http://people.redhat.com/drepper/dsohowto.pdf">How to Write Shared Libraries</a> by Ulrich Drepper (PDF)</li>
+</ul>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated August 31, 2006</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+Technical description of, and rationale for, the Gentoo Hardened Toolchain modifications.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+<a href="mailto:kevquinn@gentoo.org" class="altlink"><b>Kevin F. Quinn</b></a>
+<br><i>Author</i><br><br>
+<a href="mailto:solar@gentoo.org" class="altlink"><b>Ned Ludd</b></a>
+<br><i>Contributor</i><br><br>
+<a href="mailto:pageexec@freemail.hu" class="altlink"><b>The PaX Team</b></a>
+<br><i>Contributor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/hardened-virtualization.html b/html/hardened-virtualization.html
index 593115f..d99ed3e 100644
--- a/html/hardened-virtualization.html
+++ b/html/hardened-virtualization.html
@@ -14,7 +14,7 @@
Gentoo Hardened Virtualization Guide</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
@@ -120,7 +120,7 @@ KVM related resources:
--><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="/proj/en/hardened/hardened-virtualization.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/hardened-virtualization.xml?style=printable">Print</a></p></td></tr>
<tr><td class="topsep" align="center"><p class="alttext">Updated October 31, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Virtualization is a key component in current IT infrastructure. Although
@@ -142,7 +142,7 @@ insight on how to harden the host using Gentoo Hardened.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/hardeneddebug.html b/html/hardeneddebug.html
index d31f7de..555d2bb 100644
--- a/html/hardeneddebug.html
+++ b/html/hardeneddebug.html
@@ -14,7 +14,7 @@
Gentoo Hardened debugging</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Gentoo Hardened debugging</h1>
@@ -186,7 +186,7 @@ used <span class="code" dir="ltr">paxctl</span> you can reset the flags to defau
--><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="/proj/en/hardened/hardenedfaq.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml?style=printable">Print</a></p></td></tr>
<tr><td class="topsep" align="center"><p class="alttext">Updated October 26, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
In this document we study the ways to do proper binary debugging when using a
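Review bot: The rewritten Print link on the new side (`href="http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml?style=printable"`) still targets hardenedfaq.xml even though this file is hardeneddebug.html; the commit only prefixed the host and carried the apparently mismatched target across. Every other Print link in this diff points at the document's own source (hardened-virtualization.xml for hardened-virtualization.html, hardenedxorg.xml for hardenedxorg.html), so this looks like a copy-paste from the FAQ page rather than an intentional target — worth confirming against the source document. If so, the link should become `href="http://www.gentoo.org/proj/en/hardened/<this-document-source>.xml?style=printable"` (placeholder: the XML name this preview was generated from). Since these previews appear to be generated from XML, the fix probably belongs in the source document or generator rather than the HTML.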
@@ -209,7 +209,7 @@ hardened kernel and toolcahin with PaX/Grsec, PIE and SSP.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/hardenedxorg.html b/html/hardenedxorg.html
new file mode 100644
index 0000000..cea97ae
--- /dev/null
+++ b/html/hardenedxorg.html
@@ -0,0 +1,150 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Using Xorg on Hardened Gentoo</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Using Xorg on Hardened Gentoo</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Background</option>
+<option value="#doc_chap2">2. Kernel Configuration options</option>
+<option value="#doc_chap3">3. Installation</option>
+<option value="#doc_chap4">4. Configuration</option>
+<option value="#doc_chap5">5. Known Issues</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Background</p>
+<p class="secthead"><a name="doc_chap1_sect1">What is different about running Xorg with Hardened Gentoo?</a></p>
+<p>
+PaX, a patch for the Linux kernel, is a central part of the Hardened Gentoo
+project. PaX provides various functionality such as ASLR and NX memory. More
+information is available at <a href="http://www.gentoo.org/proj/en/hardened/docs/pax-howto.xml">http://www.gentoo.org/proj/en/hardened/docs/pax-howto.xml</a>
+For the purposes of this document, it will be assumed that the reader has a general
+understanding of how PaX works as well as the concept of Position Independent Executables (PIE).
+</p>
+<p>
+The specific feature of PaX of interest in this article is MPROTECT, which
+guards against executable code in a program's address space. One of the main features
+of Hardened Gentoo is the ability to run PaX effectively because of the ET_DYN/PIE base.
+The eventual goal for Xorg is to have the binary itself built as ET_DYN/PIE to remove text
+relocations from it and randomize the base address without the EX_EXEC performance hit.
+</p>
+<p>
+At this point, compiling Xorg with PIC code sounds like an obvious, logical choice. Hardened
+Gentoo offers hardened gcc for this purpose, which provides transparent PIE/SSP compiling. This
+is where you begin to run into problems with Xorg. Xorg currently uses elfloader to handle loading
+the modules it needs, however elfloader is unable to resolve various types of relocatable symbols that are
+always generated by PIC code. Most importantly, the elfloader has no support for Global Offset
+Table (GOT) or Procedure Linkage Table (PLT) type symbols which are both essential for shared libraries.
+</p>
+<p>
+So if elfloader won't work then what will? Luckily there is already a fully operational, well tested,
+mature dynamic loader installed on your system. It is ld-linux.so which is provided by glibc. The obvious idea
+that occurs at this point, is that ideally there would be a programmatic interface to the glibc loader, and the
+X loader could be modified to use that instead of home-brewing its own loader. Turns out that such an interface
+exists - dlopen(3) et. al. - and this is exactly what the dlloader uses.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Starting with Xorg 7.0, dlloader is the default module loader for X.</p></td></tr></table>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Kernel Configuration options</p>
+<p class="secthead"><a name="doc_chap2_sect1">CONFIG_PAX_KERNEXEC</a></p>
+<p>
+The option 'CONFIG_PAX_KERNEXEC' is the kernel land equivalent of PAGEEXEC and MPROTECT. By enabling this option, it will get
+harder to inject and execute 'foreign' code in kernel memory itself. This option may also give you some strange experiences on
+a hardened Xorg setup (being the Mouse pointer being stuck on the left side of the screen).
+Suggestion therefore is, to turn this option off by deselecting it in your config.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">CONFIG_GRKERNSEC_IO</a></p>
+<p>
+Enabling this option will result in all ioperm(2) and iopl(2) calls returning an error messge. ioperm(2) and iopl(2) might be
+used to modify the running kernel. As you wish to run a Xorg server on top of your hardened kernel (mostly GRsecurity), you'll
+have to disable this config option, in order to get the XServer up and running.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Installation</p>
+<p class="secthead"><a name="doc_chap3_sect1">Current Install Options</a></p>
+<p>
+Since Xorg 7.0 and up uses the dlloader instead of the elfloader by default, there is no need to do anything special to get Xorg
+compiling and working on a hardened profile.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Configuration</p>
+<p class="secthead"><a name="doc_chap4_sect1">/etc/X11/xorg.conf</a></p>
+<p>
+You can setup your Xorg configuration file using The X Server
+Configuration HOWTO found at:
+<a href="http://www.gentoo.org/doc/en/xorg-config.xml">http://www.gentoo.org/doc/en/xorg-config.xml</a>
+</p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Known Issues</p>
+<p class="secthead"><a name="doc_chap5_sect1">The dlloader Experiences</a></p>
+<p>
+Hardened Gentoo makes the default link strategy to resolve all symbols at load time, and enforces
+this on all shared libraries when they are built. Normally the loader uses "lazy" resolution if requested,
+whereby symbols are resolved as and when they are used. Unfortunately some Xorg modules have mutual
+dependencies and other issues that mean they cannot load unless lazy symbol resolution is enabled. To work
+around this issue, currently Gentoo compiles the Xorg modules and the server itself with the -nonow gcc flag.
+This fixes the "dlopen: undefined symbol" errors so previous methods of manually detecting and loading modules are
+no longer needed.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
+Please report all issues to bugs.gentoo.org with full attached
+logs and configs.
+</p></td></tr></table>
+<p class="secthead"><a name="doc_chap5_sect2">Binary Drivers</a></p>
+<p>
+Binary drivers are currently not supported on the hardened profile and you are encouraged to use the
+opensource drivers instead.
+</p>
+<p class="secthead"><a name="doc_chap5_sect3">PaX Flags</a></p>
+<p>
+The PaX flags -P (PAGEEXEC), -S (SEGMEXEC), -M (MPROTECT) as well as -R (RANDMMAP) now work with Xorg.
+</p>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="hardenedxorg.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated December 23, 2006</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+How to install and use Xorg on Hardened Gentoo
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:tocharian@gentoo.org" class="altlink"><b>Adam Mondl</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:kevquinn@gentoo.org" class="altlink"><b>Kevin Quinn</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>Ned Ludd</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:phreak@gentoo.org" class="altlink"><b>Christian Heim</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:zaid_a@users.sourceforge.net" class="altlink"><b>Zaid A.</b></a>
+<br><i>Contributor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
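Review bot: The Print link in the new file, `href="hardenedxorg.xml?style=printable"`, is left relative while the rest of this commit rewrites every comparable link to the absolute `http://www.gentoo.org/proj/en/hardened/...` form (see the hardened-virtualization.html and hardeneddebug.html hunks above); served from the html/ preview directory it would resolve to a non-existent sibling file. For consistency it should read `href="http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml?style=printable"`. Separately, the sidebar `<iframe src="http://sidebar.gentoo.org" ...>` carries no `title` and no `sandbox`, and the contents `<select>` uses an inline `OnChange=` handler, both of which would block applying a strict CSP to these pages; these appear to come from the shared page template rather than this document, so the change belongs wherever that template lives.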
diff --git a/html/index.html b/html/index.html
index 80f7056..438d0c3 100644
--- a/html/index.html
+++ b/html/index.html
@@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="/favicon.ico" TYPE="image/x-icon">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
@@ -14,7 +14,7 @@
Hardened Gentoo</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Hardened Gentoo</h1>
@@ -111,7 +111,7 @@ Gentoo once they've been tested for security and stability by the Hardened team.
</tr>
<tr>
<td class="tableinfo">
- <a href="/proj/en/hardened/selinux/index.xml">SELinux</a>
+ <a href="http://www.gentoo.org/proj/en/hardened/selinux/index.xml">SELinux</a>
</td>
<td class="tableinfo">pebenito</td>
<td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td>
@@ -161,67 +161,67 @@ Hardened Gentoo subprojects.
project are:</p>
<ul>
<li>
- <a href="/proj/en/hardened/primer.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/primer.xml">
Introduction to Hardened Gentoo
</a>
</li>
<li>
- <a href="/proj/en/hardened/hardenedfaq.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml">
Hardened Frequently Asked Questions
</a>
</li>
<li>
- <a href="/proj/en/hardened/roadmap.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/roadmap.xml">
Hardened Roadmap
</a>
</li>
<li>
- <a href="/proj/en/hardened/hardenedxorg.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml">
Using Xorg with Hardened
</a>
</li>
<li>
- <a href="/proj/en/hardened/hardened-toolchain.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml">
Hardened Toolchain Technical Description
</a>
</li>
<li>
- <a href="/proj/en/hardened/pax-quickstart.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">
A quickstart covering PaX and Hardened Gentoo
</a>
</li>
<li>
- <a href="/proj/en/hardened/pax-utils.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/pax-utils.xml">
PaX Utils
</a>
</li>
<li>
- <a href="/proj/en/hardened/grsecurity.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">
Grsecurity2 QuickStart Guide
</a>
</li>
<li>
- <a href="/proj/en/hardened/capabilities.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/capabilities.xml">
Capabilities Listing
</a>
</li>
<li>
- <a href="/proj/en/hardened/pic-guide.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/pic-guide.xml">
PIC Intro (beginner)
</a>
</li>
<li>
- <a href="/proj/en/hardened/pic-internals.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/pic-internals.xml">
PIC Internals (intermediate)
</a>
</li>
<li>
- <a href="/proj/en/hardened/pic-fix-guide.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/pic-fix-guide.xml">
PIC Fixing (advanced)
</a>
</li>
<li>
- <a href="/proj/en/hardened/gnu-stack.xml">
+ <a href="http://www.gentoo.org/proj/en/hardened/gnu-stack.xml">
GNU Stack Quickstart
</a>
</li>
@@ -231,7 +231,7 @@ GNU Stack Quickstart
</b>
<ul>
<li>
- <a href="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</a>
+ <a href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</a>
</li>
</ul>
</li>
@@ -297,7 +297,7 @@ greatly appreciated.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/index2.html b/html/index2.html
new file mode 100644
index 0000000..658e58e
--- /dev/null
+++ b/html/index2.html
@@ -0,0 +1,296 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Projects
+--
+ Hardened Gentoo</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Hardened Gentoo</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Project Description</option>
+<option value="#doc_chap2">2. Project Goals</option>
+<option value="#doc_chap3">3. Developers</option>
+<option value="#doc_chap4">4. Subprojects</option>
+<option value="#doc_chap5">5. Resources</option>
+<option value="#doc_chap6">6. Herds</option>
+<option value="#doc_chap7">7. I Want to Participate</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Project Description</p>
+<p>
+Hardened Gentoo is a project which oversees the research, implementation, and
+maintenance of security oriented projects for Gentoo Linux. We are a team of
+very competent individuals dedicated to bringing advanced security to Gentoo
+with a number of subprojects.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Project Goals</p>
+<p>
+Hardened Gentoo's purpose is to make Gentoo viable for high security, high
+stability production server environments. This project is not a standalone
+project separated from the rest of Gentoo. Instead, it is intended to be a team
+of Gentoo developers which are focused on delivering solutions to Gentoo that
+provide strong security and stability. These solutions will be available in
+Gentoo once they've been tested for security and stability by the Hardened team.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Developers</p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Developer</b></td>
+ <td class="infohead"><b>Nickname</b></td>
+ <td class="infohead"><b>Role</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">chainsaw</td>
+ <td class="tableinfo">Member ( Hardened sources )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">battousai</td>
+ <td class="tableinfo">Member ( Bastille Lead )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">blueness</td>
+ <td class="tableinfo">Member ( PaX/Grsecurity, Hardened sources )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">gengor</td>
+ <td class="tableinfo">Member ( PaX/Grsecurity, Hardened sources )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">nixnut</td>
+ <td class="tableinfo">Member ( PPC arch team liaison )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">quantumsummers</td>
+ <td class="tableinfo">Member ( Hardened sources, Doc )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">zorry</td>
+ <td class="tableinfo">Project Lead ( Hardened Toolchain, Doc )</td>
+ </tr>
+ <tr>
+ <td class="infohead"><b>Members from subproject
+ SELinux</b></td>
+ <td class="infohead"><b></b></td>
+ <td class="infohead"><b></b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">pebenito</td>
+ <td class="tableinfo">Lead ( Policy, x86, AMD64 )</td>
+ </tr>
+ </table>
+<p>
+ All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@gentoo.org</span>.
+ </p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Subprojects</p>
+<p>The hardened
+ project has the following subprojects:
+ </p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Project</b></td>
+ <td class="infohead"><b>Lead</b></td>
+ <td class="infohead"><b>Description</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">
+ <a href="http://www.gentoo.org/proj/en/hardened/selinux/index.xml">SELinux</a>
+ </td>
+ <td class="tableinfo">pebenito</td>
+ <td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">PaX/Grsecurity</td>
+ <td class="tableinfo">blueness</td>
+ <td class="tableinfo">
+Grsecurity is a complete security solution providing such features as a MAC or
+RBAC system, Chroot restrictions, address space modification protection (via
+PaX), auditing features, randomization features, linking restrictions to prevent
+file race conditions, ipc protections and much more.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Hardened Toolchain</td>
+ <td class="tableinfo">Zorry</td>
+ <td class="tableinfo">
+Transparent implementation of
+<a href="http://pax.grsecurity.net/docs/aslr.txt">PaX</a> address space
+layout randomizations and stack smashing protections using ELF shared objects as
+executables.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Hardened-Sources</td>
+ <td class="tableinfo">blueness</td>
+ <td class="tableinfo">
+A kernel which provides patches for hardened subprojects, and stability/security
+oriented patches. Includes Grsecurity and SELinux.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Bastille</td>
+ <td class="tableinfo">battousai</td>
+ <td class="tableinfo">
+Bastille is an interactive application which gives the user suggestions on
+securing their machine. It will be customized to make suggestions about other
+Hardened Gentoo subprojects.
+</td>
+ </tr>
+ </table>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Resources</p>
+<p>Resources offered by the
+ hardened
+ project are:</p>
+<ul>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/primer.xml">
+Introduction to Hardened Gentoo</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml">
+Hardened Frequently Asked Questions</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/roadmap.xml">
+Hardened Roadmap</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml">
+Using Xorg with Hardened</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml">
+Hardened Toolchain Technical Description</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">
+A quickstart covering PaX and Hardened Gentoo</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/pax-utils.xml">
+PaX Utils</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">
+Grsecurity2 QuickStart Guide</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/capabilities.xml">
+Capabilities Listing</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/pic-guide.xml">
+PIC Intro (beginner)</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/pic-internals.xml">
+PIC Internals (intermediate)</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/pic-fix-guide.xml">
+PIC Fixing (advanced)</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/gnu-stack.xml">
+GNU Stack Quickstart</a>
+ </li>
+ <li>
+ <b>SELinux
+ subproject resources
+ </b>
+ <ul>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</a>
+ </li>
+ </ul>
+ </li>
+ </ul>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>Herds</p>
+<p>The hardened
+ project maintains the following herds:
+ </p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Herd</b></td>
+ <td class="infohead"><b>Members</b></td>
+ <td class="infohead"><b>Description</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">hardened</td>
+ <td class="tableinfo">battousai, blueness, chainsaw, dragonheart, gengor, nixnut, pebenito, solar, zorry</td>
+ <td class="tableinfo">Hardened Gentoo project packages and policy</td>
+ </tr>
+ </table>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>I Want to Participate</p>
+<p>
+To participate in the Hardened Gentoo project first join the mailing list at
+<span class="code" dir="ltr"><a href="mailto:gentoo-hardened@lists.gentoo.org">
+gentoo-hardened@lists.gentoo.org</a></span>. Then ask if there are plans to
+support something that you are interested in, propose a new subproject that you
+are interested in, choose one of the planned subprojects to work on or simply
+ask if you can help with something. You can also talk to the developers and
+users in the IRC channel <span class="code" dir="ltr">#gentoo-hardened</span> on <span class="code" dir="ltr">irc.freenode.net</span> for
+more information or just to chat about the project or any subprojects.
+</p>
+<p>
+If you think you don't have the knowledge or abilities to help, then try reading
+the current documents (there are always sections that can be improved or typos
+which we miss) and when you feel brave enough then try writing those documents
+you missed. Usually this only requires some internet research on your side and
+after some documents you'll most probably be able to help with other things you
+though you weren't able before.
+</p>
+<p>
+Also, if you don't have time to actively help by contributing work we will
+always need testers to maintain the security and stability of the overall
+product. All development, testing, and productive comments and feedback will be
+greatly appreciated.
+</p>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="index.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 25, 2010</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>Hardened Gentoo brings advanced security measures to Gentoo Linux.</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">Gentoo Project<br><i>script generated</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
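Review bot: The printer-friendly link `href="index.xml?style=printable"` is the one remaining relative URL in this new file; every other link in it, and the matching Print link in pax-quickstart.html (`http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml?style=printable`), was written as an absolute `http://www.gentoo.org/...` URL, so this one will resolve relative to wherever the preview is served rather than to gentoo.org. Change it to `href="http://www.gentoo.org/proj/en/hardened/index.xml?style=printable"`. The page is otherwise a near-duplicate of index.html; if it is a script-generated preview, as the sidebar text suggests, an HTML comment at the top naming the source .xml it was rendered from would tell the next maintainer which copy to edit.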
diff --git a/html/pax-quickstart.html b/html/pax-quickstart.html
new file mode 100644
index 0000000..bf8ed4d
--- /dev/null
+++ b/html/pax-quickstart.html
@@ -0,0 +1,280 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Hardened Gentoo PaX Quickstart</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Hardened Gentoo PaX Quickstart</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What is Hardened Gentoo?</option>
+<option value="#doc_chap2">2. What is PaX?</option>
+<option value="#doc_chap3">3. An Introduction to PIE and SSP</option>
+<option value="#doc_chap4">4. Building a PaX-enabled Kernel</option>
+<option value="#doc_chap5">5. Building a PIE/SSP Enabled Userland</option>
+<option value="#doc_chap6">6. When Things Misbehave (PaX Control)</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>What is Hardened Gentoo?</p>
+<p>
+Hardened Gentoo is a project interested in the hardening of a Gentoo system.
+Several different solutions are supported by us and there is a fair bit of
+flexibility to create your own setup. At the heart of a common Hardened Gentoo
+setup is <span class="emphasis">PaX</span>.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>What is PaX?</p>
+<p>
+PaX is a patch to the Linux kernel that provides hardening in two ways.
+</p>
+<p>
+The first, <span class="emphasis">ASLR</span> (Address Space Layout Randomization) provides a means to
+randomize the addressing scheme of all data loaded into memory. When an
+application is built as a <span class="emphasis">PIE</span> (Position Independent Executable), PaX is
+able to also randomize the addresses of the application base in addition.
+</p>
+<p>
+The second protection provided by PaX is non-executable memory. This prevents a
+common form of attack where executable code is inserted into memory by an
+attacker. More information on PaX can be found throughout this guide, but the
+homepage can be found at <a href="http://pax.grsecurity.net">http://pax.grsecurity.net</a>.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>An Introduction to PIE and SSP</p>
+<p>
+As mentioned above, PaX is complemented by PIE. This method of building
+executables stores information needed to relocate parts of the executable in
+memory, hence the name <span class="emphasis">Position Independent</span>.
+</p>
+<p>
+<span class="emphasis">SSP</span> (Stack Smashing Protector) is a second complementary technology we
+introduce at executable build time. SSP was originally introduced by IBM under
+the name <span class="emphasis">ProPolice</span>. It modifies the C compiler to insert initialization
+code into functions that create a buffer in memory.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+In newer versions of SSP, it is possible to apply SSP to all functions,
+adding protection to functions whose buffer would normally be below the size
+limit for SSP. This is enabled via the CFLAG -fstack-protector-all.
+</p></td></tr></table>
+<p>
+At run time, when a buffer is created, SSP adds a secret random value, the
+canary, to the end of the buffer. When the function returns, SSP makes sure
+that the canary is still intact. If an attacker were to perform a buffer
+overflow, he would overwrite this value and trigger that stack smashing
+handler. Currently this kills the target process.
+</p>
+<p>
+<a href="http://www.trl.ibm.com/projects/security/ssp/">Further reading on
+SSP.</a>
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Building a PaX-enabled Kernel</p>
+<p>
+Several Gentoo kernel trees are already patched with PaX.
+</p>
+<p>
+For 2.4/2.6 based machines, the recommended kernels are <span class="code" dir="ltr">hardened-sources</span>
+</p>
+<p>
+Grab one of the recommended source trees, or apply the appropriate patch from
+<a href="http://pax.grsecurity.net">http://pax.grsecurity.net</a> to your own tree and configure it as you
+normally would for the target machine.
+</p>
+<p>
+In <span class="code" dir="ltr">Security Options -&gt; PaX</span>, apply the options as shown below.
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Kernel configuration</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+[*] Enable various PaX features
+
+PaX Control -&gt;
+
+ [ ] Support soft mode
+ [*] Use legacy ELF header marking
+ [*] Use ELF program header marking
+ MAC system integration (none) ---&gt;
+
+Non-executable page -&gt;
+
+ [*] Enforce non-executable pages
+ [*] Paging based non-executable pages
+ [*] Segmentation based non-executable pages
+ [*] Emulate trampolines
+ [*] Restrict mprotect()
+ [ ] Disallow ELF text relocations
+
+Address Space Layout Randomization -&gt;
+
+ [*] Address Space Layout Randomization
+ [*] Randomize kernel stack base
+ [*] Randomize user stack base
+ [*] Randomize mmap() base
+ [*] Randomize ET_EXEC base
+</pre></td></tr>
+</table>
+<p>
+Build this kernel as you normally would and install it to <span class="path" dir="ltr">/boot</span>.
+</p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Building a PIE/SSP Enabled Userland</p>
+<p>
+Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
+specfile. This means that any users upgrading an older Hardened install should
+remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the
+<span class="code" dir="ltr">hardened-gcc</span> package is now deprecated and should be unmerged
+(version 5.0 is a dummy package). To get the current GCC, add
+<span class="code" dir="ltr">USE="hardened pic"</span> to <span class="path" dir="ltr">/etc/make.conf</span> if not using the hardened
+profile.
+</p>
+<p>
+To maintain a consistant toolchain, first <span class="code" dir="ltr">emerge binutils gcc virtual/libc</span>.
+Next, rebuild the entire system with <span class="code" dir="ltr">emerge -e world</span>. All future packages
+will be built with PIE/SSP.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
+Both PIE and SSP are known to cause issues with some packages. If you come
+across a package that fails to compile, please file a detailed bug report including
+a log of the failed compile and the output of <span class="code" dir="ltr">emerge info</span> to
+<a href="http://bugs.gentoo.org/">http://bugs.gentoo.org/</a>.
+</p></td></tr></table>
+<p>
+You will probably also want to merge pax-utils.
+Often if an ELF has executable relocations in the text segment these can cause problems for us.
+scanelf -BRylptq
+</p>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>When Things Misbehave (PaX Control)</p>
+<p>
+Some legitimate applications will attempt to generate code at run time which is
+executed out of memory. Naturally, PaX does not allow this and it will promptly
+kill the offending application.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+The most notable of these applications are XFree/Xorg, mplayer and multimedia tools
+based on xine-lib. The easiest way around these problems are to disable PaX
+protections.
+</p></td></tr></table>
+<p>
+Luckily there is a utility to toggle protections on a per-executable basis,
+<span class="emphasis">paxctl</span>. As with any other package in Gentoo, install paxctl with the
+command <span class="code" dir="ltr">emerge paxctl</span>. Usage is show by <span class="code" dir="ltr">paxctl -h</span>.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+If you have an older version of binutils, you will need to use <span class="emphasis">chpax</span>,
+which edits the old-style PaX markings. Usage of chpax is largely the same as
+paxctl. This also requires legacy marking support built into your kernel.
+New versions of paxctl make chpax obsolete.
+</p></td></tr></table>
+<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: paxctl -h</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+usage: paxctl &lt;options&gt; &lt;files&gt;
+
+options:
+ -p: disable PAGEEXEC -P: enable PAGEEXEC
+ -e: disable EMUTRMAP -E: enable EMUTRMAP
+ -m: disable MPROTECT -M: enable MPROTECT
+ -r: disable RANDMMAP -R: enable RANDMMAP
+ -x: disable RANDEXEC -X: enable RANDEXEC
+ -s: disable SEGMEXEC -S: enable SEGMEXEC
+
+ -v: view flags -z: restore default flags
+ -q: suppress error messages -Q: report flags in short format flags
+</pre></td></tr>
+</table>
+<p>
+The first option we will note is <span class="code" dir="ltr">-v</span>, which can display flags set on a
+particular binary.
+</p>
+<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: paxctl -v</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+shell user # paxctl -v /usr/bin/Xorg
+PaX control v0.2
+Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt;
+
+- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
+ PAGEEXEC is disabled
+ SEGMEXEC is disabled
+ MPROTECT is enabled
+ RANDEXEC is disabled
+ EMUTRAMP is disabled
+ RANDMMAP is enabled
+</pre></td></tr>
+</table>
+<p>
+This shows an XFree binary with all protections disabled.
+</p>
+<p>
+To set flags on a binary, the <span class="code" dir="ltr">-z</span> flag is useful as it restores the
+default flags.
+</p>
+<p>
+To disable protections on Xorg, run
+<span class="code" dir="ltr">paxctl -zpeMRxs /usr/bin/Xorg</span>.
+</p>
+<p>
+Play around with disabling/enabling protections to see what is the least needed
+to run. Often we find that we need the -m -sp combos.
+</p>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2007</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+A quickstart covering PaX and Hardened Gentoo.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:tseng@gentoo.org" class="altlink"><b>Brandon Hale</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:blackace@gentoo.org" class="altlink"><b>Blackace</b></a>
+<br><i>Editor</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
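Review bot: The paxctl walkthrough contradicts its own listings: the `paxctl -v` output shows `MPROTECT is enabled` and `RANDMMAP is enabled`, yet the sentence after it says the binary has "all protections disabled", and the recommended `paxctl -zpeMRxs /usr/bin/Xorg` uses upper-case `-M` and `-R`, which the `paxctl -h` listing above defines as *enabling* MPROTECT and RANDMMAP. The prose should match the command, e.g. `This shows the Xorg binary with PAGEEXEC, SEGMEXEC, EMUTRAMP and RANDEXEC disabled; MPROTECT and RANDMMAP are still enforced.` and the "XFree binary" wording should say Xorg, since `/usr/bin/Xorg` is the path shown. Because the earlier note recommends simply disabling PaX protections for Xorg (a binary that typically runs with root privileges), the section should state explicitly what the closing paragraph only hints at: drop one flag at a time, keep every flag the program does not actually need, and do not copy the example wholesale; this also reconciles the example (MPROTECT kept on) with the later remark that `-m -sp` combinations are often needed.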
diff --git a/html/pax-utils.html b/html/pax-utils.html
new file mode 100644
index 0000000..485fb43
--- /dev/null
+++ b/html/pax-utils.html
@@ -0,0 +1,693 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo PaX Utilities</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo PaX Utilities</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What is this guide about?</option>
+<option value="#doc_chap2">2. Extracting ELF Information from Binaries</option>
+<option value="#doc_chap3">3. Listing PaX Flags and Capabilities</option>
+<option value="#doc_chap4">4. Programming with ELF files</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>What is this guide about?</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+The security of a system goes beyond setting up a decent firewall and good
+service configurations. The binaries you run, the libraries you load, might
+also be vulnerable against attacks. Although the exact vulnerabilities are not
+known until they are discovered, there are ways to prevent them from happening.
+</p>
+<p>
+One possible attack vector is to make advantage of writable <span class="emphasis">and</span>
+executable segments in a program or library, allowing malicious users to run
+their own code using the vulnerable application or library.
+</p>
+<p>
+This guide will inform you how to use the <span class="code" dir="ltr">pax-utils</span> package to find
+and identify problematic binaries. We will also cover the use of <span class="code" dir="ltr">pspax</span> (a
+tool to view PaX-specific capabilities) and <span class="code" dir="ltr">dumpelf</span> (a tool that prints
+out a C structure containing a workable copy of a given object).
+</p>
+<p>
+But before we start with that, some information on <span class="emphasis">objects</span> is in place.
+Users familiar with segments and dynamic linking will not learn anything from
+this and can immediately continue with <a href="#scanelf">Extracting ELF
+Information from Binaries</a>.
+</p>
+<p class="secthead"><a name="doc_chap1_sect2">ELF objects</a></p>
+<p>
+Every executable binary on your system is structured in a specific way,
+allowing the Linux kernel to load and execute the file. Actually, this goes
+beyond plain executable binaries: this also holds for shared objects; more
+about those later.
+</p>
+<p>
+The structure of such a binary is defined in the ELF standard. ELF stands for
+<span class="emphasis">Executable and Linkable Format</span>. If you are really interested in the gory
+details, check out the <a href="http://refspecs.linux-foundation.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/elf-generic.html">
+Generic ELF spec</a> or the <span class="code" dir="ltr">elf(5)</span> man page.
+</p>
+<p>
+An executable ELF file has the following parts:
+</p>
+<ul>
+ <li>
+ The <span class="emphasis">ELF header</span> contains information on the <span class="emphasis">type</span> of file (is it
+ an executable, a shared library, ...), the target architecture, the
+ location of the Program Header, Section Header and String Header in the
+ file and the location of the first executable instruction
+ </li>
+ <li>
+ The <span class="emphasis">Program Header</span> informs the system how to create a process from
+ the binary file. It is actually a table consisting of entries for each
+ segment in the program. Each entry contains the type, addresses (physical
+ and virtual), size, access rights, ...
+ </li>
+ <li>
+ The <span class="emphasis">Section Header</span> is a table consisting of entries for each section
+ in the program. Each entry contains the name, type, size, ... and
+ <span class="emphasis">what</span> information the section holds.
+ </li>
+ <li>
+ Data, containing the sections and segments mentioned previously.
+ </li>
+</ul>
+<p>
+A <span class="emphasis">section</span> is a small unit consisting of specific data: instructions,
+variable data, symbol table, relocation information, and so on. A <span class="emphasis">segment</span>
+is a collection of sections; segments are the units that are actually
+transferred to memory.
+</p>
+<p class="secthead"><a name="doc_chap1_sect3">Shared Objects</a></p>
+<p>
+Way back when, every application binary contained <span class="emphasis">everything</span> it needed to
+operate correctly. Such binaries are called <span class="emphasis">statically linked</span> binaries.
+They are, however, space consuming since different applications use the same
+functions over and over again.
+</p>
+<p>
+A <span class="emphasis">shared object</span> contains the definition and instructions for such
+functions. Every application that wants can <span class="emphasis">dynamically</span> link against such
+a shared object so that it can benefit from the already existing functionality.
+</p>
+<p>
+An application that is dynamically linked to a shared object contains
+<span class="emphasis">symbols</span>, references for the real functionality. When such an application
+is loaded in memory, it will first ask the runtime linker to resolve each and
+every symbol it has. The runtime linker will load the appropriate shared objects
+in memory and resolve the symbolic references between them.
+</p>
+<p class="secthead"><a name="doc_chap1_sect4">Segments and Sections</a></p>
+<p>
+How the ELF file is looked upon depends on the view we have: when we are dealing
+with a binary file in Execution View, the ELF file contains segments. When
+the file is seen in Linking View, the ELF file contains sections.
+One segment spans just one or more (continuous) sections.
+</p>
+<p class="chaphead"><a name="scanelf"></a><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Extracting ELF Information from Binaries</p>
+<p class="secthead"><a name="doc_chap2_sect1">The scanelf Application</a></p>
+<p>
+The <span class="code" dir="ltr">scanelf</span> application is part of the <span class="code" dir="ltr">app-misc/pax-utils</span> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-p</td>
+ <td class="tableinfo">--path</td>
+ <td class="tableinfo">Scan all directories in PATH environment</td>
+</tr>
+<tr>
+ <td class="tableinfo">-l</td>
+ <td class="tableinfo">--ldpath</td>
+ <td class="tableinfo">Scan all directories in /etc/ld.so.conf</td>
+</tr>
+<tr>
+ <td class="tableinfo">-R</td>
+ <td class="tableinfo">--recursive</td>
+ <td class="tableinfo">Scan directories recursively</td>
+</tr>
+<tr>
+ <td class="tableinfo">-m</td>
+ <td class="tableinfo">--mount</td>
+ <td class="tableinfo">Don't recursively cross mount points</td>
+</tr>
+<tr>
+ <td class="tableinfo">-y</td>
+ <td class="tableinfo">--symlink</td>
+ <td class="tableinfo">Don't scan symlinks</td>
+</tr>
+<tr>
+ <td class="tableinfo">-A</td>
+ <td class="tableinfo">--archives</td>
+ <td class="tableinfo">Scan archives (.a files)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-L</td>
+ <td class="tableinfo">--ldcache</td>
+ <td class="tableinfo">Utilize ld.so.cache information (use with -r/-n)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-X</td>
+ <td class="tableinfo">--fix</td>
+ <td class="tableinfo">Try and 'fix' bad things (use with -r/-e)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-z [arg]</td>
+ <td class="tableinfo">--setpax [arg]</td>
+ <td class="tableinfo">Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</td>
+</tr>
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-x</td>
+ <td class="tableinfo">--pax</td>
+ <td class="tableinfo">Print PaX markings</td>
+</tr>
+<tr>
+ <td class="tableinfo">-e</td>
+ <td class="tableinfo">--header</td>
+ <td class="tableinfo">Print GNU_STACK/PT_LOAD markings</td>
+</tr>
+<tr>
+ <td class="tableinfo">-t</td>
+ <td class="tableinfo">--textrel</td>
+ <td class="tableinfo">Print TEXTREL information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-r</td>
+ <td class="tableinfo">--rpath</td>
+ <td class="tableinfo">Print RPATH information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-n</td>
+ <td class="tableinfo">--needed</td>
+ <td class="tableinfo">Print NEEDED information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-i</td>
+ <td class="tableinfo">--interp</td>
+ <td class="tableinfo">Print INTERP information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-b</td>
+ <td class="tableinfo">--bind</td>
+ <td class="tableinfo">Print BIND information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-S</td>
+ <td class="tableinfo">--soname</td>
+ <td class="tableinfo">Print SONAME information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-s [arg]</td>
+ <td class="tableinfo">--symbol [arg]</td>
+ <td class="tableinfo">Find a specified symbol</td>
+</tr>
+<tr>
+ <td class="tableinfo">-k [arg]</td>
+ <td class="tableinfo">--section [arg]</td>
+ <td class="tableinfo">Find a specified section</td>
+</tr>
+<tr>
+ <td class="tableinfo">-N [arg]</td>
+ <td class="tableinfo">--lib [arg]</td>
+ <td class="tableinfo">Find a specified library</td>
+</tr>
+<tr>
+ <td class="tableinfo">-g</td>
+ <td class="tableinfo">--gmatch</td>
+ <td class="tableinfo">Use strncmp to match libraries. (use with -N)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-T</td>
+ <td class="tableinfo">--textrels</td>
+ <td class="tableinfo">Locate cause of TEXTREL</td>
+</tr>
+<tr>
+ <td class="tableinfo">-E [arg]</td>
+ <td class="tableinfo">--etype [arg]</td>
+ <td class="tableinfo">Print only ELF files matching etype ET_DYN,ET_EXEC ...</td>
+</tr>
+<tr>
+ <td class="tableinfo">-M [arg]</td>
+ <td class="tableinfo">--bits [arg]</td>
+ <td class="tableinfo">Print only ELF files matching numeric bits</td>
+</tr>
+<tr>
+ <td class="tableinfo">-a</td>
+ <td class="tableinfo">--all</td>
+ <td class="tableinfo">Print all scanned info (-x -e -t -r -b)</td>
+</tr>
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-q</td>
+ <td class="tableinfo">--quiet</td>
+ <td class="tableinfo">Only output 'bad' things</td>
+</tr>
+<tr>
+ <td class="tableinfo">-v</td>
+ <td class="tableinfo">--verbose</td>
+ <td class="tableinfo">Be verbose (can be specified more than once)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-F [arg]</td>
+ <td class="tableinfo">--format [arg]</td>
+ <td class="tableinfo">Use specified format for output</td>
+</tr>
+<tr>
+ <td class="tableinfo">-f [arg]</td>
+ <td class="tableinfo">--from [arg]</td>
+ <td class="tableinfo">Read input stream from a filename</td>
+</tr>
+<tr>
+ <td class="tableinfo">-o [arg]</td>
+ <td class="tableinfo">--file [arg]</td>
+ <td class="tableinfo">Write output stream to a filename</td>
+</tr>
+<tr>
+ <td class="tableinfo">-B</td>
+ <td class="tableinfo">--nobanner</td>
+ <td class="tableinfo">Don't display the header</td>
+</tr>
+<tr>
+ <td class="tableinfo">-h</td>
+ <td class="tableinfo">--help</td>
+ <td class="tableinfo">Print this help and exit</td>
+</tr>
+<tr>
+ <td class="tableinfo">-V</td>
+ <td class="tableinfo">--version</td>
+ <td class="tableinfo">Print version and exit</td>
+</tr>
+</table>
+<p>
+The format specifiers for the <span class="code" dir="ltr">-F</span> option are given in the following table.
+Prefix each specifier with <span class="code" dir="ltr">%</span> (verbose) or <span class="code" dir="ltr">#</span> (silent) accordingly.
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Specifier</b></td>
+ <td class="infohead"><b>Full Name</b></td>
+ <td class="infohead"><b>Specifier</b></td>
+ <td class="infohead"><b>Full Name</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">F</td>
+ <td class="tableinfo">Filename</td>
+ <td class="tableinfo">x</td>
+ <td class="tableinfo">PaX Flags</td>
+</tr>
+<tr>
+ <td class="tableinfo">e</td>
+ <td class="tableinfo">STACK/RELRO</td>
+ <td class="tableinfo">t</td>
+ <td class="tableinfo">TEXTREL</td>
+</tr>
+<tr>
+ <td class="tableinfo">r</td>
+ <td class="tableinfo">RPATH</td>
+ <td class="tableinfo">n</td>
+ <td class="tableinfo">NEEDED</td>
+</tr>
+<tr>
+ <td class="tableinfo">i</td>
+ <td class="tableinfo">INTERP</td>
+ <td class="tableinfo">b</td>
+ <td class="tableinfo">BIND</td>
+</tr>
+<tr>
+ <td class="tableinfo">s</td>
+ <td class="tableinfo">Symbol</td>
+ <td class="tableinfo">N</td>
+ <td class="tableinfo">Library</td>
+</tr>
+<tr>
+ <td class="tableinfo">o</td>
+ <td class="tableinfo">Type</td>
+ <td class="tableinfo">p</td>
+ <td class="tableinfo">File name</td>
+</tr>
+<tr>
+ <td class="tableinfo">f</td>
+ <td class="tableinfo">Base file name</td>
+ <td class="tableinfo">k</td>
+ <td class="tableinfo">Section</td>
+</tr>
+<tr>
+ <td class="tableinfo">a</td>
+ <td class="tableinfo">ARCH/e_machine</td>
+ <td class="tableinfo"></td>
+ <td class="tableinfo"></td>
+</tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect2">Using scanelf for Text Relocations</a></p>
+<p>
+As an example, we will use <span class="code" dir="ltr">scanelf</span> to find binaries containing text
+relocations.
+</p>
+<p>
+A relocation is an operation that rewrites an address in a loaded segment. Such
+an address rewrite can happen when a segment has references to a shared object
+and that shared object is loaded in memory. In this case, the references are
+substituted with the real address values. Similar events can occur inside the
+shared object itself.
+</p>
+<p>
+A text relocation is a relocation in the text segment. Since text segments
+contain executable code, system administrators might prefer not to have these
+segments writable. This is perfectly possible, but since text relocations
+actually write in the text segment, it is not always feasible.
+</p>
+<p>
+If you want to eliminate text relocations, you will need to make sure
+that the application and shared object is built with <span class="emphasis">Position Independent
+Code</span> (PIC), making references obsolete. This not only increases security,
+but also increases the performance in case of shared objects (allowing writes in
+the text segment requires a swap space reservation and a private copy of the
+shared object for each application that uses it).
+</p>
+<p>
+The following example will search your library paths recursively, without
+leaving the mounted file system and ignoring symbolic links, for any ELF binary
+containing a text relocation:
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Scanning the system for text relocation binaries</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -lqtmyR</span>
+</pre></td></tr>
+</table>
+<p>
+If you want to scan your entire system for <span class="emphasis">any</span> file containing text
+relocations:
+</p>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Scanning the entire system for text relocation files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -qtmyR /</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect3">Using scanelf for Specific Header</a></p>
+<p>
+The scanelf util can be used to quickly identify files that contain a
+given section header using the -k .section option.
+</p>
+<p>
+In this example we are looking for all files in /usr/lib/debug
+recursively using a format modifier with quiet mode enabled that have been
+stripped. A stripped elf will lack a .symtab entry, so we use the '!'
+to invert the matching logic.
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Scanning for stripped or non stripped executables</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect4">Using scanelf for Specific Segment Markings</a></p>
+<p>
+Each segment has specific flags assigned to it in the Program Header of the
+binary. One of those flags is the type of the segment. Interesting values are
+PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
+segment contains dynamic linking information), PT_INTERP (the segment
+contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
+for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
+(a PaX extension for the ELF format, used by the security-minded
+<a href="http://pax.grsecurity.net/">PaX Project</a>.
+</p>
+<p>
+If we want to scan all executables in the current working directory, PATH
+environment and library paths and report those who have a writable and
+executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
+</p>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -lpqe .</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect5">Using scanelf's Format Modifier Handler</a></p>
+<p>
+A useful feature of the <span class="code" dir="ltr">scanelf</span> utility is the format modifier handler.
+With this option you can control the output of <span class="code" dir="ltr">scanelf</span>, thereby
+simplifying parsing the output with scripts.
+</p>
+<p>
+As an example, we will use <span class="code" dir="ltr">scanelf</span> to print the file names that contain
+text relocations:
+</p>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Example of the scanelf format modifier handler</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -l -p -R -q -F "%F #t"</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="pspax"></a><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Listing PaX Flags and Capabilities</p>
+<p class="secthead"><a name="doc_chap3_sect1">About PaX</a></p>
+<p>
+<a href="http://pax.grsecurity.net">PaX</a> is a project hosted by the <a href="http://www.grsecurity.net">grsecurity</a> project. Quoting the <a href="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</a>, its main
+goal is "to research various defense mechanisms against the exploitation of
+software bugs that give an attacker arbitrary read/write access to the
+attacked task's address space. This class of bugs contains among others
+various forms of buffer overflow bugs (be they stack or heap based), user
+supplied format string bugs, etc."
+</p>
+<p>
+To be able to benefit from these defense mechanisms, you need to run a Linux
+kernel patched with the latest PaX code. The <a href="http://hardened.gentoo.org">Hardened Gentoo</a> project supports PaX and
+its parent project, grsecurity. The supported kernel package is
+<span class="code" dir="ltr">sys-kernel/hardened-sources</span>.
+</p>
+<p>
+The Gentoo/Hardened project has a <a href="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</a>
+for your reading pleasure.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">Flags and Capabilities</a></p>
+<p>
+If your toolchain supports it, your binaries can have additional PaX flags in
+their Program Header. The following flags are supported:
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Flag</b></td>
+ <td class="infohead"><b>Name</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">P</td>
+ <td class="tableinfo">PAGEEXEC</td>
+ <td class="tableinfo">
+ Refuse code execution on writable pages based on the NX bit
+ (or emulated NX bit)
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">S</td>
+ <td class="tableinfo">SEGMEXEC</td>
+ <td class="tableinfo">
+ Refuse code execution on writable pages based on the
+ segmentation logic of IA-32
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">E</td>
+ <td class="tableinfo">EMUTRAMP</td>
+ <td class="tableinfo">
+ Allow known code execution sequences on writable pages that
+ should not cause any harm
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">M</td>
+ <td class="tableinfo">MPROTECT</td>
+ <td class="tableinfo">
+ Prevent the creation of new executable code to the process
+ address space
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">R</td>
+ <td class="tableinfo">RANDMMAP</td>
+ <td class="tableinfo">
+ Randomize the stack base to prevent certain stack overflow
+ attacks from being successful
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">X</td>
+ <td class="tableinfo">RANDEXEC</td>
+ <td class="tableinfo">
+ Randomize the address where the application maps to to
+ prevent certain attacks from being exploitable
+ </td>
+</tr>
+</table>
+<p>
+The default Linux kernel also supports certain capabilities, grouped in the
+so-called <span class="emphasis">POSIX.1e Capabilities</span>. You can find a listing of those
+capabilities in our <a href="http://www.gentoo.org/proj/en/hardened/capabilities.xml">POSIX Capabilities</a> document.
+</p>
+<p class="secthead"><a name="doc_chap3_sect3">Using pspax</a></p>
+<p>
+The <span class="code" dir="ltr">pspax</span> application, part of the <span class="code" dir="ltr">pax-utils</span> package, displays the
+run-time capabilities of all programs you have permission for. On Linux kernels
+with additional support for extended attributes (such as SELinux) those
+attributes are shown as well.
+</p>
+<p>
+When ran, <span class="code" dir="ltr">pspax</span> shows the following information:
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Column</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">USER</td>
+ <td class="tableinfo">Owner of the process</td>
+</tr>
+<tr>
+ <td class="tableinfo">PID</td>
+ <td class="tableinfo">Process id</td>
+</tr>
+<tr>
+ <td class="tableinfo">PAX</td>
+ <td class="tableinfo">Run-time PaX flags (if applicable)</td>
+</tr>
+<tr>
+ <td class="tableinfo">MAPS</td>
+ <td class="tableinfo">Write/eXecute markings for the process map</td>
+</tr>
+<tr>
+ <td class="tableinfo">ELF_TYPE</td>
+ <td class="tableinfo">Process executable type: ET_DYN or ET_EXEC</td>
+</tr>
+<tr>
+ <td class="tableinfo">NAME</td>
+ <td class="tableinfo">Name of the process</td>
+</tr>
+<tr>
+ <td class="tableinfo">CAPS</td>
+ <td class="tableinfo">POSIX.1e capabilities (see note)</td>
+</tr>
+<tr>
+ <td class="tableinfo">ATTR</td>
+ <td class="tableinfo">Extended attributes (if applicable)</td>
+</tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+<span class="code" dir="ltr">pspax</span> only displays these capabilities when it is linked with
+the external capabilities library. This requires you to build <span class="code" dir="ltr">pax-utils</span>
+with -DWANT_SYSCAP.
+</p></td></tr></table>
+<p>
+By default, <span class="code" dir="ltr">pspax</span> does not show any kernel processes. If you want those
+to be taken as well, use the <span class="code" dir="ltr">-a</span> switch.
+</p>
+<p class="chaphead"><a name="dumpelf"></a><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Programming with ELF files</p>
+<p class="secthead"><a name="doc_chap4_sect1">The dumpelf Utility</a></p>
+<p>
+With the <span class="code" dir="ltr">dumpelf</span> utility you can convert a ELF file into human readable C
+code that defines a structure with the same image as the original ELF file.
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: dumpelf example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">dumpelf /bin/hostname</span>
+#include &lt;elf.h&gt;
+
+<span class="code-comment">/*
+ * ELF dump of '/bin/hostname'
+ * 10276 (0x2824) bytes
+ */</span>
+
+struct {
+ Elf32_Ehdr ehdr;
+ Elf32_Phdr phdrs[8];
+ Elf32_Shdr shdrs[26];
+} dumpedelf_0 = {
+
+.ehdr = {
+<span class="code-comment">(... Output stripped ...)</span>
+</pre></td></tr>
+</table>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="swift?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated August 29, 2010</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This guide provides instruction on securing your system by using the pax-utils
+package to find and identify problematic binaries.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:swift@gentoo.org" class="altlink"><b>swift</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Editor</i><br><br>
+ <a href="mailto:nightmorph@gentoo.org" class="altlink"><b>nightmorph</b></a>
+<br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/pic-fix-guide.html b/html/pic-fix-guide.html
new file mode 100644
index 0000000..179eab0
--- /dev/null
+++ b/html/pic-fix-guide.html
@@ -0,0 +1,877 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ HOWTO Locate and Fix .text Relocations (TEXTRELs)</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>HOWTO Locate and Fix .text Relocations (TEXTRELs)</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Finding broken object code</option>
+<option value="#doc_chap3">3. Dissecting broken object code</option>
+<option value="#doc_chap4">4. Finding the broken source code</option>
+<option value="#doc_chap5">5. How to write PIC (in theory)</option>
+<option value="#doc_chap6">6. Cookie cutter PIC fixes</option>
+<option value="#doc_chap7">7. How to fix broken PIC (in practice)</option>
+<option value="#doc_chap8">8. References</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p>
+You should make sure to read the <a href="pic-guide.xml">Introduction to
+Position Independent Code</a> before tackling this guide.
+</p>
+<p>
+This guide is x86-centric for now. The reason being, the majority of broken
+object files are due to poorly written x86 assembly stemming from the simple
+fact that the x86 architecture has so few registers. Other architectures have
+a large enough register set that they can reserve a register as the "PIC
+register" without incurring a performance hit. Every architecture has to be
+mindful of PIC and its implications, x86 just happens to be the dominant
+architecture at the moment in the 'desktop' world of open source.
+</p>
+<p>
+We will update for non-x86 as we aquire details and useful examples.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Finding broken object code</p>
+<p>
+Before you can start fixing something, you got to make sure it's broken first,
+right? For this reason, we've developed a suite of tools named <a href="http://www.gentoo.org/proj/en/hardened/pax-utils.xml">PaX Utilities</a>. If you are not
+familiar with these utilities, you should read the <a href="http://www.gentoo.org/proj/en/hardened/pax-utils.xml">PaX Utilities Guide</a> now. Gentoo
+users can simply do <span class="code" dir="ltr">emerge pax-utils</span>. Non-Gentoo users should be able
+to find a copy of the source tarball in the <span class="path" dir="ltr">distfiles</span> on a <a href="http://www.gentoo.org/main/en/mirrors.xml">Gentoo Mirror</a>. Once you have the PaX
+Utilities setup on your system, we can start playing around with
+<span class="code" dir="ltr">scanelf</span>.
+</p>
+<p>
+Keep in mind that although these utilities are named PaX Utilities, they
+certainly do not require PaX or anything else like that on your system.
+The name is a historical artifact and want of a better name, has stuck.
+</p>
+<p>
+Let's see if your system has any broken files.
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Scan your system</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">scanelf -lpqt</span>
+TEXTREL /usr/lib/opengl/xorg-x11/lib/libGL.so.1.2
+TEXTREL /usr/lib/libSDL-1.2.so.0.7.2
+TEXTREL /usr/lib/libdv.so.4.0.2
+TEXTREL /usr/lib/libsmpeg-0.4.so.0.1.3
+TEXTREL /usr/lib/libOSMesa.so.4.0
+TEXTREL /usr/lib/libxvidcore.so.4.1
+</pre></td></tr>
+</table>
+<p>
+Ideally, scanelf should not display anything, but on an x86 system, this is
+rarely the case. Here we can see six libraries with TEXTRELs in them.
+To quickly find out what package these files come from, Gentoo users can
+<span class="code" dir="ltr">emerge portage-utils</span> and use <span class="code" dir="ltr">qfile</span>.
+</p>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Determine the broken packages</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">qfile `scanelf -qylpF%F#t`</span>
+media-libs/libdv (/usr/lib/libdv.so.4.0.2)
+media-libs/libsdl (/usr/lib/libSDL-1.2.so.0.7.2)
+media-libs/smpeg (/usr/lib/libsmpeg-0.4.so.0.1.3)
+media-libs/xvid (/usr/lib/libxvidcore.so.4.1)
+x11-base/xorg-x11 (/usr/lib/opengl/xorg-x11/lib/libGL.so.1.2)
+x11-base/xorg-x11 (/usr/lib/libOSMesa.so.4.0)
+</pre></td></tr>
+</table>
+<p>
+Now that we know the offenders, we have a choice. We can file a bug upstream
+(who generally don't care unless you can provide a fix), file a bug in the
+<a href="http://bugs.gentoo.org/">Gentoo Bugzilla</a> (which is a nice
+lazy cop out), or we can fix it ourselves (that is why you're reading this
+guide right?). You should double check that the package version you have
+installed is the latest upstream has to offer and the latest version your
+distro has to offer. Who knows, maybe you can get lucky and someone else has
+already fixed it. If you wish to get feedback on your work, feel free to
+contact the <a href="mailto:hardened@gentoo.org">Gentoo hardened team</a>.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">"False" Positives</a></p>
+<p>
+Sometimes you may come across a package which contains a mountain of TEXTRELs
+with seemingly no relation to assembler. This may simply be because the
+objects were not properly compiled with the appropriate PIC flag. The fix is
+quite simple: make sure every object file that is linked into the final shared
+object is compiled with the appropriate PIC flag (typically -fPIC).
+</p>
+<p>
+For example, let's look at the silc-plugin package. It builds up a few
+modules, but only compiles some of the objects with -fPIC that are linked into
+the final libsilc_core.so module. The output of scanelf here is quite
+extensive!
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Run scanelf on silc-plugin</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">scanelf -qT /usr/lib/irssi/modules/libsilc_core.so | wc -l</span>
+10734
+$ <span class="code-input">scanelf -qT /usr/lib/irssi/modules/libsilc_core.so</span>
+...
+ libsilc_core.so: silc_client_ftp_ask_name [0xD542C] in silc_client_receive_new_id [0xD5380]
+ libsilc_core.so: silc_client_run_one [0xD55CA] in silc_client_receive_new_id [0xD5380]
+ libsilc_core.so: silc_id_payload_parse [0xD5842] in silc_client_packet_parse_type [0xD57B0]
+ libsilc_core.so: fgetc@@GLIBC_2.0 [0xD5857] in silc_client_packet_parse_type [0xD57B0]
+...
+</pre></td></tr>
+</table>
+<p>
+A TEXTREL on glibc's fgetc() function!? Either people are calling fgetc() from
+assembler (and should be shot), or something else is going on. A good rule of
+thumb is that if it seems like just about every function/variable reference
+causes a TEXTREL and it is all done in C code, then the file was not built as
+PIC. Just review the build output and see if the command to compile it was
+invoked with -fPIC. If not, go fix the build system as you do not need to dig
+into the source. Dodged the bullet this time!
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Dissecting broken object code</p>
+<p>
+So we have identified some broken libraries, and we want to fix them. The
+trouble is, shared library code can be huge. They can have thousands of
+functions which come from thousands of object files and thousands of source
+code files which total megabytes in size (source code and compiled objects).
+Where the hell do we start!? Once again, Mighty Mouse^W^W<span class="code" dir="ltr">scanelf</span> is
+here to save the day. Before we dive into source code, lets check out a few
+libraries.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">Dissect libsmpeg</a></p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Scan libsmpeg</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[The output has been truncated from about 35 lines]</span>
+$ <span class="code-input">scanelf -qT /usr/lib/libsmpeg-0.4.so.0.1.3</span>
+ libsmpeg-0.4.so.0.1.3: (memory/fake?) [0x2FB3C] in cpu_flags [0x2FB10]
+ libsmpeg-0.4.so.0.1.3: (memory/fake?) [0x2FB42] in cpu_flags [0x2FB10]
+ libsmpeg-0.4.so.0.1.3: (memory/fake?) [0x2FB55] in IDCT_mmx [0x2FB48]
+ libsmpeg-0.4.so.0.1.3: (memory/fake?) [0x2FB84] in IDCT_mmx [0x2FB48]
+ /usr/lib/libsmpeg-0.4.so.0.1.3
+</pre></td></tr>
+</table>
+<p>
+The output here tells us that the <span class="emphasis">cpu_flags</span> and the <span class="emphasis">IDCT_mmx</span>
+functions are to blame for our TEXTRELs. The first field indicates that this
+is poor usage of memory references. Unfortunately, the symbolic name of the
+memory being referenced has not been retained in the object code (probably
+because the code is hand written assembly), so we need to do a little more
+digging. This is where the offset addresses come in to play along with the
+<span class="code" dir="ltr">objdump</span> utility from the <span class="emphasis">binutils</span> package. The first address
+(e.g. 0x2FB3C) is the offset of the TEXTREL while the second address is the
+offset of the function (e.g. 0x2FB10). Get used to this because the behavior
+of not retaining the symbol name is quite common.
+</p>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: Dissecting libsmpeg</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">objdump -d /usr/lib/libsmpeg-0.4.so.0.1.3</span>
+...
+ 2fb0f: 90 nop
+
+<span class="code-input">0002fb10 &lt;cpu_flags&gt;:</span>
+ 2fb10: 9c pushf
+ 2fb11: 58 pop %eax
+...
+ 2fb32: 60 pusha
+ 2fb33: b8 01 00 00 00 mov $0x1,%eax
+ 2fb38: 0f a2 cpuid
+ <span class="code-input">2fb3a: 89 15 d0 d3 03 00 mov %edx,0x3d3d0</span>
+ 2fb40: 61 popa
+ <span class="code-input">2fb41: a1 d0 d3 03 00 mov 0x3d3d0,%eax</span>
+ 2fb46: c3 ret
+ 2fb47: 90 nop
+...
+</pre></td></tr>
+</table>
+<p>
+As you can see here, the two lines picked out in the body of <span class="emphasis">cpu_flags</span>
+have absolute memory references. In this case, they both refer to memory
+location <span class="emphasis">0x3d3d0</span>. Since this object code may be loaded into any
+address, using an aboslute reference obviously won't fly. That means
+everytime libsmpeg is loaded into memory, the dynamic loader has to rewrite
+the <span class="emphasis">0x3d3d0</span> to the actual calculated address on the fly.
+</p>
+<p class="secthead"><a name="doc_chap3_sect3">Dissect libdv</a></p>
+<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: Scan libdv</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[The output has been truncated from about 180 lines]</span>
+$ <span class="code-input">scanelf -qT /usr/lib/libdv.so.4.0.2</span>
+ libdv.so.4.0.2: (memory/fake?) [0x14AA9] in dv_parse_ac_coeffs_pass0 [0x14A84]
+ libdv.so.4.0.2: (memory/fake?) [0x14C28] in dv_parse_ac_coeffs_pass0 [0x14A84]
+ libdv.so.4.0.2: (memory/fake?) [0x14C8A] in dv_parse_video_segment [0x14C6F]
+ libdv.so.4.0.2: (memory/fake?) [0x14CA6] in dv_parse_video_segment [0x14C6F]
+ libdv.so.4.0.2: (memory/fake?) [0x15248] in _dv_idct_block_mmx [0x15210]
+ libdv.so.4.0.2: (memory/fake?) [0x152BE] in _dv_idct_block_mmx [0x15210]
+ libdv.so.4.0.2: (memory/fake?) [0x1583D] in _dv_dct_88_block_mmx [0x157F8]
+ libdv.so.4.0.2: (memory/fake?) [0x15847] in _dv_dct_88_block_mmx [0x157F8]
+ libdv.so.4.0.2: (memory/fake?) [0x15F91] in _dv_dct_248_block_mmx [0x15F58]
+ libdv.so.4.0.2: (memory/fake?) [0x15FE6] in _dv_dct_248_block_mmx [0x15F58]
+ libdv.so.4.0.2: (memory/fake?) [0x163D3] in _dv_rgbtoycb_mmx [0x163C8]
+ libdv.so.4.0.2: (memory/fake?) [0x163DD] in _dv_rgbtoycb_mmx [0x163C8]
+ libdv.so.4.0.2: dv_vlc_class_index_mask [0x149A7] in dv_decode_vlc [0x14998]
+ libdv.so.4.0.2: dv_vlc_class_index_rshift [0x149B0] in dv_decode_vlc [0x14998]
+ libdv.so.4.0.2: dv_vlc_classes [0x149B9] in dv_decode_vlc [0x14998]
+ libdv.so.4.0.2: dv_vlc_index_mask [0x149C4] in dv_decode_vlc [0x14998]
+ libdv.so.4.0.2: sign_mask [0x149EB] in dv_decode_vlc [0x14998]
+ libdv.so.4.0.2: sign_mask [0x14A5D] in __dv_decode_vlc [0x14A1C]
+ libdv.so.4.0.2: sign_mask [0x14B82] in dv_parse_ac_coeffs_pass0 [0x14A84]
+ libdv.so.4.0.2: dv_vlc_class_lookup5 [0x14A2F] in __dv_decode_vlc [0x14A1C]
+ libdv.so.4.0.2: dv_parse_ac_coeffs_pass0 [0x14E03] in dv_parse_video_segment [0x14C6F]
+ libdv.so.4.0.2: dv_parse_ac_coeffs [0x14E51] in dv_parse_video_segment [0x14C6F]
+ libdv.so.4.0.2: dv_quant_offset [0x14E69] in _dv_quant_88_inverse_x86 [0x14E5C]
+ libdv.so.4.0.2: dv_quant_offset [0x14FB3] in _dv_quant_x86 [0x14FA4]
+ /usr/lib/libdv.so.4.0.2
+</pre></td></tr>
+</table>
+<p>
+Again, we can see that many functions (like <span class="emphasis">dv_parse_ac_coeffs_pass0</span>
+and <span class="emphasis">_dv_idct_block_mmx</span>) have absolute memory references. What we also
+see is that a bunch of functions which refer to variables. For example,
+<span class="emphasis">dv_decode_vlc</span> misuses the variable <span class="emphasis">dv_vlc_class_index_mask</span> while
+<span class="emphasis">dv_parse_video_segment</span> misuses the variable <span class="emphasis">dv_parse_ac_coeffs</span>.
+Much easier to locate the problem in the source code when you have the symbol
+name.
+</p>
+<p class="secthead"><a name="doc_chap3_sect4">Dissect libSDL</a></p>
+<a name="doc_chap3_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.4: Scan libSDL</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[The output has been truncated from about 50 lines]</span>
+$ <span class="code-input">scanelf -qT /usr/lib/libSDL-1.2.so.0.7.2</span>
+ libSDL-1.2.so.0.7.2: (memory/fake?) [0x4E213] in _ConvertMMXpII32_24RGB888 [0x4E210]
+ libSDL-1.2.so.0.7.2: (memory/fake?) [0x4E29E] in _ConvertMMXpII32_16RGB565 [0x4E29B]
+ libSDL-1.2.so.0.7.2: (memory/fake?) [0x4E3F6] in _ConvertMMXpII32_16BGR555 [0x4E3F3]
+ libSDL-1.2.so.0.7.2: (memory/fake?) [0x4E402] in _ConvertMMXpII32_16RGB555 [0x4E3FF]
+ libSDL-1.2.so.0.7.2: (memory/fake?) [0x4E555] in _Hermes_X86_CPU [0x4E529]
+ libSDL-1.2.so.0.7.2: _copy_row [0x316A2] in SDL_SoftStretch [0x313C0]
+ libSDL-1.2.so.0.7.2: _mmxreturn [0x4E4FB] in _ConvertMMXpII32_16RGB555 [0x4E3FF]
+ libSDL-1.2.so.0.7.2: _x86return [0x4E590] in _ConvertX86p16_16BGR565 [0x4E560]
+ libSDL-1.2.so.0.7.2: _x86return [0x4EE99] in _ConvertX86p32_16BGR555 [0x4EDCA]
+ libSDL-1.2.so.0.7.2: _x86return [0x4EF4D] in _ConvertX86p32_8RGB332 [0x4EE9D]
+ /usr/lib/libSDL-1.2.so.0.7.2
+</pre></td></tr>
+</table>
+<p>
+Doesn't seem to be anything new here. Poor memory usage in functions like
+<span class="emphasis">_ConvertMMXpII32_24RGB888</span> and no symbol name which means it's probably
+pure hand written assembler. The <span class="emphasis">SDL_SoftStretch</span> function misuses the
+symbol <span class="emphasis">_copy_row</span> and since the symbol name has been retained, it's
+probably inline assembly code.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Finding the broken source code</p>
+<p>
+We've identified the functions and sometimes the variables which are causing
+us such headaches. Before we can actually fix them though, we have to narrow
+down the source code to the offending lines. Since we know the function
+names and either the symbol name or a relative position in the function, we
+should be able to focus our efforts quite easily.
+</p>
+<p class="secthead"><a name="doc_chap4_sect2">libsmpeg source dive</a></p>
+<p>
+Let's start with libsmpeg. We know that both the <span class="emphasis">cpu_flags</span> and
+<span class="emphasis">IDCT_mmx</span> functions are broken. But where are they defined?
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Searching libsmpeg source</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">tar zxf smpeg-0.4.4.tar.gz</span>
+$ <span class="code-input">cd smpeg-0.4.4.tar.gz</span>
+
+<span class="code-comment">[Find the cpu_flags function]</span>
+$ <span class="code-input">grep -Rl cpu_flags *</span>
+video/mmxflags_asm.S
+video/parseblock.cpp
+$ <span class="code-input">grep cpu_flags video/mmxflags_asm.S</span>
+.globl cpu_flags
+ .type cpu_flags,@function <span class="code-comment">&lt;-- here is what we want</span>
+cpu_flags:
+ jz cpu_flags.L1 # Processor is 386
+ je cpu_flags.L1
+cpu_flags.L1:
+ .size cpu_flags,.Lfe1-cpu_flags
+
+<span class="code-comment">[Find the IDCT_mmx function]</span>
+$ <span class="code-input">grep -Rl IDCT_mmx *</span>
+video/parseblock.cpp
+video/mmxidct_asm.S
+$ <span class="code-input">grep IDCT_mmx video/mmxidct_asm.S</span>
+.globl IDCT_mmx
+ .type IDCT_mmx,@function <span class="code-comment">&lt;-- here is what we want</span>
+IDCT_mmx:
+ .size IDCT_mmx,.Lfe1-IDCT_mmx
+</pre></td></tr>
+</table>
+<p>
+As we suspected, both the <span class="emphasis">cpu_flags</span> and the <span class="emphasis">IDCT_mmx</span> functions
+are written in pure assembly code. This makes tracking down the unamed
+memory reference easier because the source code should closely match the
+output of <span class="code" dir="ltr">objdump</span>. If we review the output from earlier, we know the
+<span class="emphasis">cpuid</span> instruction is used. Since it isn't a common instruction, we
+search for it in the source code.
+</p>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Find cpuid in cpu_flags</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">grep -A 8 cpuid video/mmxflags_asm.S</span>
+ cpuid
+
+ movl %edx,flags
+
+ popa
+
+ movl flags,%eax
+
+cpu_flags.L1:
+</pre></td></tr>
+</table>
+<p>
+In GNU assembler, registers are prefixed with a <span class="emphasis">%</span> and constants are
+prefixed with a <span class="emphasis">$</span>, that <span class="emphasis">flags</span> looks suspicious. It also lines
+up well with the <span class="code" dir="ltr">objdump</span> output from earlier. So what is <span class="emphasis">flags</span>?
+</p>
+<a name="doc_chap4_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.3: What is 'flags'?</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">grep -C 2 flags video/mmxflags_asm.S</span>
+.data
+ .align 16
+ .type flags,@object
+flags: .long 0
+
+.text
+</pre></td></tr>
+</table>
+<p>
+Seems <span class="emphasis">flags</span> is a data variable local to <span class="path" dir="ltr">mmxflags_asm.S</span>
+which functions access with absolute memory references rather than relative.
+Now we are pretty much done. That's all there is to it. We started with the
+library <span class="path" dir="ltr">libsmpeg.so</span> and tracked it back to the function
+<span class="emphasis">cpu_flags</span> and the variable <span class="emphasis">flags</span> in the
+<span class="path" dir="ltr">video/mmxflags_asm.S</span> file. That wasn't so hard now was it? :)
+</p>
+<p>
+If we analyze the <span class="emphasis">IDCT_mmx</span> function, we find a similar trend.
+</p>
+<a name="doc_chap4_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.4: IDCT_mmx snippets</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[Local variables]</span>
+.data
+ .align 8
+ .type x4546454645464546,@object
+ .size x4546454645464546,8
+<span class="code-input">x4546454645464546</span>:
+ .long 0x45464546,0x45464546
+
+ .align 8
+ .type x61f861f861f861f8,@object
+ .size x61f861f861f861f8,8
+<span class="code-input">x61f861f861f861f8</span>:
+ .long 0x61f861f8,0x61f861f8
+
+ .align 8
+ .type scratch1,@object
+ .size scratch1,8
+<span class="code-input">scratch1</span>:
+ .long 0,0
+
+<span class="code-comment">[Absolute memory references]</span>
+.text
+...
+ psraw $1, %mm5 /* t90=t93 */
+ pmulhw <span class="code-input">x4546454645464546</span>,%mm0 /* V35 */
+ psraw $1, %mm2 /* t97 */
+...
+ psubsw %mm2, %mm1 /* V32 ; free mm2 */
+ pmulhw <span class="code-input">x61f861f861f861f8</span>,%mm1 /* V36 */
+ psllw $1, %mm7 /* t107 */
+...
+ movq 8*3(%esi), %mm7
+ psraw $4, %mm4
+ movq %mm2, <span class="code-input">scratch1</span> /* out1 */
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap4_sect3">libSDL source dive</a></p>
+<p>
+Again, before we jump into how to fix these, lets analyze a few more source
+files to get a better handle on identifying problematic code.
+</p>
+<a name="doc_chap4_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.5: Broken _ConvertMMXpII32_24RGB888 in libSDL code</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[objdump of _ConvertMMXpII32_24RGB888 memory reference]</span>
+<span class="code-input">0004e210 &lt;_ConvertMMXpII32_24RGB888&gt;:</span>
+ <span class="code-input">4e210: 0f 6f 35 50 55 05 00 movq 0x55550,%mm6</span>
+ 4e217: 0f ef ff pxor %mm7,%mm7
+
+<span class="code-comment">[_ConvertMMXpII32_24RGB888 is defined in src/hermes/mmxp2_32.asm]</span>
+ SECTION .data
+ALIGN 8
+;; Constants for conversion routines
+mmx32_rgb888_mask dd 00ffffffh,00ffffffh
+...
+ SECTION .text
+_ConvertMMXpII32_24RGB888: <span class="code-comment">start of function 0x4E210</span>
+ ; set up mm6 as the mask, mm7 as zero
+ movq mm6, qword [mmx32_rgb888_mask] <span class="code-comment">memory reference 0x4E213</span>
+ pxor mm7, mm7
+</pre></td></tr>
+</table>
+<p>
+Simple enough, the <span class="emphasis">_ConvertMMXpII32_24RGB888</span> function refers to the
+<span class="emphasis">mmx32_rgb888_mask</span> variable.
+</p>
+<a name="doc_chap4_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.6: Broken SDL_SoftStretch in libSDL code</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[SDL_SoftStretch is defined in src/video/SDL_stretch.c]</span>
+int SDL_SoftStretch(SDL_Surface *src, SDL_Rect *srcrect,
+ SDL_Surface *dst, SDL_Rect *dstrect)
+{
+...
+#ifdef __GNUC__
+ __asm__ __volatile__ (
+ "call _copy_row"
+ : "=&amp;D" (u1), "=&amp;S" (u2)
+ : "0" (dstp), "1" (srcp)
+ : "memory" );
+#else
+</pre></td></tr>
+</table>
+<p>
+Another straight forward bug. An absolute reference to the <span class="emphasis">_copy_row</span>
+variable in assembly. If we were to let gcc handle the <span class="emphasis">_copy_row</span>
+reference instead though ...
+</p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>How to write PIC (in theory)</p>
+<p class="secthead"><a name="doc_chap5_sect1">Rules of thumb</a></p>
+<p>
+Now we know what broken code looks like. We can point out issues in code and
+confidently declare "that crap is broken". While this is a good thing, it
+certainly doesn't help much if no one knows how it's supposed to be written.
+Let's start with some rules of thumb.
+</p>
+<p>General rules</p>
+<ul>
+ <li>Do not mix PIC and non-PIC object code</li>
+ <li>Shared libraries contain PIC objects</li>
+ <li>Static libraries contain non-PIC objects (normal/non-PIE systems only)</li>
+ <li>Let gcc figure out the details whenever possible (e.g. inline asm)</li>
+ <li>Use the stack for loading of large masks instead of variables</li>
+ <li>Do not clobber the PIC register when generating PIC objects</li>
+</ul>
+<p>x86-specific rules</p>
+<ul>
+ <li>Use @GOT relocations when using external symbols</li>
+ <li>Use @GOTOFF relocations when using local symbols</li>
+</ul>
+<p class="secthead"><a name="doc_chap5_sect2">PIC registers by architecture</a></p>
+<table class="ntable">
+ <tr>
+<td class="infohead"><b>arch</b></td>
+<td class="infohead"><b>register</b></td>
+</tr>
+ <tr>
+<td class="tableinfo">blackfin</td>
+<td class="tableinfo">P3</td>
+</tr>
+ <tr>
+<td class="tableinfo">frv</td>
+<td class="tableinfo">GR15</td>
+</tr>
+ <tr>
+<td class="tableinfo">hppa</td>
+<td class="tableinfo">r19</td>
+</tr>
+ <tr>
+<td class="tableinfo">x86</td>
+<td class="tableinfo">ebx</td>
+</tr>
+</table>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>Cookie cutter PIC fixes</p>
+<p class="secthead"><a name="doc_chap6_sect1">Don't use the PIC register</a></p>
+<p>
+If you come across code which uses the PIC register in some inline assembly,
+one fix may be to simply use a different register. For example, the x86
+architecture has 6 general purpose registers (<span class="emphasis">eax</span>, <span class="emphasis">ebx</span>,
+<span class="emphasis">ecx</span>, <span class="emphasis">edx</span>, <span class="emphasis">esi</span>, <span class="emphasis">edi</span>). If the code uses just
+<span class="emphasis">eax</span> and <span class="emphasis">ebx</span>, just change all references to <span class="emphasis">ebx</span> to
+<span class="emphasis">ecx</span> and you're done!
+</p>
+<p>
+A cleaner fix might be to just let gcc allocate the registers accordingly. If
+the inline assembly doesn't actually care which registers it uses, change the
+references from <span class="emphasis">ebx</span> to <span class="emphasis">r</span> in the clobber list, and refer to the
+variable by number.
+</p>
+<p>
+Or, if the assembly uses an instruction which always clobbers <span class="emphasis">ebx</span> (e.g.
+<span class="emphasis">cpuid</span>), simply hide the value in another register (like <span class="emphasis">esi</span>).
+</p>
+<p>
+If all else fails, you can fall back to the slow push/pop <span class="emphasis">ebx</span> on the
+stack method.
+</p>
+<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: Just don't use the PIC register</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">/* change this code from */</span>
+asm("
+ mov %0, %%eax
+ mov %1, %%ebx
+ add %%eax, %%ebx
+ " : : "m"(input1), "m"(input2) : "eax" "ebx");
+
+<span class="code-comment">/* to this functionality equivalent version */</span>
+asm("
+ mov %0, %%eax
+ mov %1, %%ecx
+ add %%eax, %%ecx
+ " : : "m"(input1), "m"(input2) : "eax" "ecx");
+</pre></td></tr>
+</table>
+<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: Let gcc allocate registers</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">/* change this code from */</span>
+asm("
+ mov %2, %%eax
+ mov %3, %%ebx
+ add %%eax, %%ebx
+ " : "=a"(output1) "=b"(output2) : "m"(input1), "m"(input2));
+
+<span class="code-comment">/* to this functionality equivalent version */</span>
+asm("
+ mov %2, %0
+ mov %3, %1
+ add %0, %1
+ " : "=r"(output1) "=r"(output2) : "m"(input1), "m"(input2));
+</pre></td></tr>
+</table>
+<a name="doc_chap6_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.3: Hide the PIC register</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+asm("cpuid" : : : "eax", "ebx", "ecx", "edx");
+
+<span class="code-comment">/* can be written to hide ebx */</span>
+asm("
+ movl %%ebx, %%edi
+ cpuid
+ movl %%edi, %%ebx
+ " : : : "eax", "ecx", "edx", "edi");
+
+<span class="code-comment">/* or a slower version using the stack */</span>
+asm("
+ pushl %%ebx
+ cpuid
+ popl %%ebx
+ " : : : "eax", "ecx", "edx");
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap6_sect2">MMX/SSE masks</a></p>
+<p>
+A lot of x86 MMX/SSE code loads bitmasks from local variables since they need
+to fill up a register which is larger (MMX/64bits or SSE/128bits) than the
+native bitsize (x86/32bits). They do this by defining the mask in
+consecutive bytes in memory and then having the cpu load the data from the
+memory region.
+</p>
+<p>
+One way to get around this is by being creative with the stack. Rather than
+use an absolute memory reference for the mask, push a bunch of 32bit values
+onto the stack and use the address specified by the <span class="emphasis">esp</span> register.
+Once you're finished, just add a constant to <span class="emphasis">esp</span> rather than popping
+off since you don't care about the actual values once they are loaded into
+the MMX/SSE registers.
+</p>
+<a name="doc_chap6_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.4: Load masks into registers via stack</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">/* Load masks from memory (causes TEXTRELs) */</span>
+ .data
+m0X000000: .byte 0, 0, 0, 0, 0, 0, 255, 0
+ .text
+movq m0X000000, %mm5
+
+<span class="code-comment">/* Load mask from stack (no TEXTRELs)*/</span>
+pushl $0x00FF0000
+pushl $0x00000000
+movq (%esp), %mm5
+addl 8, %esp
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap6_sect3">Let gcc worry about it</a></p>
+<p>
+A lot of inline assembly is written with the symbol names placed right in the
+code. Rather than trying to write custom code to handle PIC in assembly, just
+let gcc worry about it. Pass in the symbol via the input operand list as a
+memory constraint ("m") and gcc will handle all the rest.
+</p>
+<a name="doc_chap6_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.5: How to make gcc worry about it</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+unsigned long long a_mmx_mask = 0xf8007c00ffea0059ULL;
+void somefunction()
+{
+ <span class="code-comment">/* Common (but incorrect) method for loading masks */</span>
+ asm("pmullw a_mmx_mask, %%mm0" : : );
+
+ <span class="code-comment">/* The correct way is to let gcc do it */</span>
+ asm("pmullw %0, %%mm0" : : "m"(a_mmx_mask));
+}
+</pre></td></tr>
+</table>
+<p>
+If your get a warning/error about one of the memory inputs needing to be an
+lvalue, then this usually means you're trying to pass in a pointer to an
+array/structure rather than the memory location itself. Fixing this may be as
+simple as dereferencing the variable in the constraint list rather than in the
+assembly itself.
+</p>
+<p class="secthead"><a name="doc_chap6_sect4">Thunk it in assembly</a></p>
+<p>
+Hand written assembly sometimes need to access variables (whether they be
+local or global). Since none of the previous tricks will work, you just need
+to grind your teeth and dig in to write real PIC references yourself using
+the GOT. Make sure you keep in mind the first rule of thumb: Do not mix PIC
+and non-PIC object code. This probably will require the hand written
+assembly be preprocessed before it is assembled, so an assembly source file
+with a <span class="emphasis">.s</span> suffix will not work. It needs to be <span class="emphasis">.S</span>.
+</p>
+<p>
+Also keep in mind that using @GOTOFF will return the variable while using @GOT
+will return a pointer to the variable. So accessing a variable with @GOT will
+require two steps.
+</p>
+<a name="doc_chap6_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.6: How to refer to variables via the GOT</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+#ifdef __PIC__
+
+# undef __i686 /* gcc builtin define gets in our way */
+# define MUNG_LOCAL(sym) sym ## @GOTOFF(%ebx)
+# define MUNG_EXTERN(sym) sym ## @GOT(%ebx)
+# define DEREF_EXTERN(reg) movl (reg), reg
+# define INIT_PIC() \
+ call __i686.get_pc_thunk.bx ; \
+ addl $_GLOBAL_OFFSET_TABLE_, %ebx
+
+#else
+
+# define MUNG_LOCAL(sym) sym
+# define MUNG_EXTERN(sym) sym
+# define DEREF_EXTERN(reg)
+# define INIT_PIC()
+
+#endif
+
+...
+some_function:
+...
+ <span class="code-comment">/* needs to be before first memory reference */</span>
+ INIT_PIC()
+...
+ movl MUNG_EXTERN(some_external_variable), %eax
+ DEREF_EXTERN(%eax)
+...
+ movl %eax, MUNG_LOCAL(some_local_variable)
+...
+
+#ifdef __PIC__
+ .section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits
+.globl __i686.get_pc_thunk.bx
+ .hidden __i686.get_pc_thunk.bx
+ .type __i686.get_pc_thunk.bx,@function
+__i686.get_pc_thunk.bx:
+ movl (%esp), %ebx
+ ret
+#endif
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+Usage of <span class="emphasis">ebx</span> as the register to do relative addressing is not required,
+it is just common convention. The above examples could just as easily be done
+by using <span class="emphasis">ecx</span> or <span class="emphasis">edx</span>.
+</p></td></tr></table>
+<p>
+Since we hide the PIC details behind the preprocessor define <span class="emphasis">__PIC__</span>,
+we know that the correct code will be generated for both the PIC and non-PIC
+cases.
+</p>
+<p>
+The <span class="emphasis">__i686.get_pc_thunk.bx</span> function is a standard method for acquiring
+the address of the GOT at runtime and storing the result in <span class="emphasis">ebx</span>. The
+funky name is what gcc uses by convention when generating PIC objects, so we
+too use the same name. The <span class="emphasis">@GOT</span> and <span class="emphasis">@GOTOFF</span> notation tells the
+assembler where to find the variables in memory. The <span class="emphasis">.section
+.gnu.linkonce.t</span> is useful because it tells the linker to only include one
+instance of this function in the final object code. So if you have multiple
+files which declare this same function which are compiled and linked into the
+same final library, the linker will discard all duplicate instances of the
+function thus saving space (which is always a good thing).
+</p>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>How to fix broken PIC (in practice)</p>
+<p>
+So if the previous code snippets were broken, what should they look like you
+may wonder. Well let's find out.
+</p>
+<p class="secthead"><a name="doc_chap7_sect2">Fix libsmpeg</a></p>
+<a name="doc_chap7_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.1: Fixing cpu_flags in libsmpeg by rewriting it</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[Non-PIC Version]</span>
+.type flags,@object
+flags: .long 0
+...
+ pusha
+ movl $1,%eax
+ cpuid
+ movl %edx,flags
+ popa
+ movl flags,%eax
+
+
+<span class="code-comment">[PIC Version]</span>
+ pushl %ebx
+ movl $1,%eax
+ cpuid
+ movl %edx,%eax
+ popl %ebx
+</pre></td></tr>
+</table>
+<a name="doc_chap7_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.2: Fixing IDCT_mmx in libsmpeg by using relative addressing</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[Non-PIC Version]</span>
+ pmulhw x5a825a825a825a82, %mm1
+
+
+<span class="code-comment">[PIC Version]</span>
+#ifdef __PIC__
+# undef __i686 /* gcc define gets in our way */
+ call __i686.get_pc_thunk.bx
+ addl $_GLOBAL_OFFSET_TABLE_, %ebx
+#endif
+...
+ pmulhw x5a825a825a825a82@GOTOFF(%ebx), %mm1
+...
+#ifdef __PIC__
+ .section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits
+.globl __i686.get_pc_thunk.bx
+ .hidden __i686.get_pc_thunk.bx
+ .type __i686.get_pc_thunk.bx,@function
+__i686.get_pc_thunk.bx:
+ movl (%esp), %ebx
+ ret
+#endif
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap7_sect3">Fix libSDL</a></p>
+<a name="doc_chap7_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.3: Fixing _ConvertMMXpII32_24RGB888 in libSDL</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[Non-PIC Version]</span>
+mmx32_rgb888_mask dd 00ffffffh,00ffffffh
+...
+ movq mm6, qword [mmx32_rgb888_mask]
+
+
+<span class="code-comment">[PIC Version]</span>
+%macro _push_immq_mask 1
+ push dword %1
+ push dword %1
+%endmacro
+%macro load_immq 2
+ _push_immq_mask %2
+ movq %1, [esp]
+%endmacro
+%define mmx32_rgb888_mask 00ffffffh
+...
+ load_immq mm6, mmx32_rgb888_mask
+ CLEANUP_IMMQ_LOADS(1)
+</pre></td></tr>
+</table>
+<a name="doc_chap7_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.4: Fixing SDL_SoftStretch in libSDL</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">[Non-PIC Version]</span>
+ __asm__ __volatile__ (
+ "call _copy_row"
+ : "=&amp;D" (u1), "=&amp;S" (u2)
+ : "0" (dstp), "1" (srcp)
+ : "memory" );
+
+
+<span class="code-comment">[PIC Version]</span>
+ __asm__ __volatile__ (
+ "call *%4"
+ : "=&amp;D" (u1), "=&amp;S" (u2)
+ : "0" (dstp), "1" (srcp), "r" (&amp;_copy_row)
+ : "memory" );
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
+ </span>References</p>
+<ul>
+ <li>thanks to the PaX team for holding my hand</li>
+ <li><a href="http://www.ibiblio.org/gferg/ldp/GCC-Inline-Assembly-HOWTO.html">GCC Inline Assembly HOWTO</a></li>
+ <li>
+<a href="http://nasm.sourceforge.net/">NASM</a>'s Documentation on <a href="http://nasm.sourceforge.net/doc/html/nasmdoc6.html#section-6.5.2">ELF shared libraries</a>
+</li>
+ <li>Linkers and Loaders <a href="http://www.iecc.com/linker/linker08.html">chapter 8</a> and <a href="http://www.iecc.com/linker/linker10.html">chapter 10</a>
+</li>
+</ul>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/pic-fix-guide.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated August 19, 2007</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>A guide for tracking down and fixing .text relocations (TEXTRELs)</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:vapier@gentoo.org" class="altlink"><b>Mike Frysinger</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:pageexec@freemail.hu" class="altlink"><b>The PaX team</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:kevquinn@gentoo.org" class="altlink"><b>Kevin F. Quinn</b></a>
+<br><i>Contributor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/pic-guide.html b/html/pic-guide.html
new file mode 100644
index 0000000..035b444
--- /dev/null
+++ b/html/pic-guide.html
@@ -0,0 +1,175 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Introduction to Position Independent Code</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Introduction to Position Independent Code</h1>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction to PIC - (Position Independent Code)</p>
+<p>
+PIC code radically differs from conventional code in the way it
+calls functions and operates on data variables.<br>
+
+It will access these functions and data through an indirection table,
+the "Global Offset Table" (GOT), by software convention accessible using
+the reserved name "_GLOBAL_OFFSET_TABLE_".<br>
+
+The exact mechanism used for this is hardware architecture dependent,
+but usually a special machine register is reserved for setting up
+the location of the GOT when entering a function.<br>
+
+The rationale behind this indirect addressing is to generate code
+that can be independently accessed of the actual load address.<br>
+
+In a true PIC library without relocations in the text segment,
+only the symbols exported in the "Global Offset Table" need updating
+at run-time depending on the current load address of the various
+shared libraries in the address space of the running process.
+</p>
+<p>
+Likewise, procedure calls to globally defined functions are redirected
+through the "Procedure Linkage Table" (PLT) residing in the data segment
+of the core image. Again, this is done to avoid run-time modifications
+to the text segment.
+</p>
+<p>
+The linker-editor allocates the Global Offset Table and Procedure
+Linkage Table when combining PIC object files into an image suitable for
+mapping into the process address space. It also collects all symbols
+that may be needed by the run-time link-editor and stores these along
+with the image's text and data bits. Another reserved symbol, _DYNAMIC
+is used to indicate the presence of the run-time linker structures.
+Whenever _DYNAMIC is relocated to 0, there is no need to invoke the
+run-time link- editor. If this symbol is non-zero, it points at a data
+structure from which the location of the necessary relocation- and
+symbol information can be derived. This is most notably used by the
+start-up module, crt0, crt1S and more recently Scrt1. The _DYNAMIC
+structure is conventionally located at the start of the data segment of
+the image to which it pertains.
+</p>
+<p>
+On most architectures, when you compile source code to object code, you
+need to specify whether the object code should be position independent
+or not. There are occasional architectures which don't make the
+distinction, usually because all object code is position independent by
+virtue of the Application Binary Interface (ABI), or less often because
+the load address of the object is fixed at compile time, which implies
+that shared libraries are not supported by such a platform).
+
+If an object is compiled as position independent code (PIC),
+then the operating system can load the object at any address
+in preparation for execution. This involves a time overhead,
+in replacing direct address references with relative addresses at
+compile time, and a space overhead, in maintaining information to help
+the runtime loader fill in the unresolved addresses at runtime.
+Consequently, PIC objects are usually slightly larger and slower at
+runtime than the equivalent non-PIC object. The advantage of sharing
+library code on disk and in memory outweigh these problems as soon as
+the PIC object code in shared libraries is reused.
+</p>
+<p>
+PIC compilation is exactly what is required for objects which will
+become part of a shared library. Consequently, libtool builds PIC
+objects for use in shared libraries and non-PIC objects for use in
+static libraries. Whenever libtool instructs the compiler to generate a
+PIC object, it also defines the preprocessor symbol, `PIC', so that
+assembly code can be aware of whether it will reside in a PIC object or
+not.
+</p>
+<p>
+Typically, as libtool is compiling sources, it will generate a `.lo'
+object, as PIC, and a `.o' object, as non-PIC, and then it will use the
+appropriate one of the pair when linking executables and libraries of
+various sorts. On architectures where there is no distinction, the `.lo'
+file is just a soft link to the `.o' file.
+</p>
+<p>
+In practice, you can link PIC objects into a static archive for a small
+overhead in execution and load speed, and often you can similarly link
+non-PIC objects into shared archives.
+</p>
+<p>
+When you use position-independent code, relocatable references are
+generated as an indirection that use data in the shared object's data
+segment. The text segment code remains read-only, and all relocation
+updates are applied to corresponding entries within the data segment.
+</p>
+<p>
+If a shared object is built from code that is not position-independent,
+the text segment will usually require a large number of relocations to
+be performed at runtime. Although the runtime linker is equipped to
+handle this, the system overhead this creates can cause serious
+performance degradation.
+</p>
+<p>
+You can identify a shared object that requires relocations against its
+text segment using tools such as 'readelf -d foo' and inspect the output
+for any TEXTREL entry. The value of the TEXTREL entry is irrelevant. Its
+presence in a shared object indicates that text relocations exist.
+</p>
+<p>
+References:
+</p>
+<ul>
+ <li><a href="link.5.html">NetBSD link(5) File Formats Manual</a></li>
+ <li><a href="http://sources.redhat.com/autobook/autobook/autobook_71.html#SEC71">Autobook (Position Independent Code) from Chapter 10.2.1</a></li>
+ <li><a href="http://docs.sun.com/app/docs/doc/817-1984">docs.sun.com: Linker and Libraries Guide</a></li>
+ <li>Linkers and Loaders <a href="http://www.iecc.com/linker/linker08.html">chapter 8</a> and <a href="http://www.iecc.com/linker/linker10.html">chapter 10</a>
+</li>
+</ul>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/pic-guide.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 11, 2005</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>What every developer should understand about using Position Independent Code</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:pappy@gentoo.org" class="altlink"><b>Alexander Gabert</b></a>
+<br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/pic-internals.html b/html/pic-internals.html
new file mode 100644
index 0000000..fec39e1
--- /dev/null
+++ b/html/pic-internals.html
@@ -0,0 +1,249 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Position Independent Code internals</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Position Independent Code internals</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Excerpt</option>
+<option value="#doc_chap2">2. Introduction to PIC - (Position Independent Code)</option>
+<option value="#doc_chap3">3. Using PIC for building shared libraries</option>
+<option value="#doc_chap4">4. Relocations in the TEXT segment of shared libraries used by dynamically linked executables</option>
+<option value="#doc_chap5">5. Using prelink and LD_BIND_NOW</option>
+<option value="#doc_chap6">6. More about negative side effects of text relocations in shared libraries</option>
+<option value="#doc_chap7">7. So, why not use -fPIC building as default for all applications?</option>
+<option value="#doc_chap8">8. Conclusion</option>
+<option value="#doc_chap9">9. References</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Excerpt</p>
+<p>
+This technical documentation tries to explain and evaluate the technical background and the performance benefit or likewise penalty of PIC (Position Independent Code).
+</p>
+<p>
+The goal should be achieved by illustrating an easy to follow learning path to understand text relocations and why they are imposing a security risk and a speed penalty to running applications.
+</p>
+<p>
+To enhance the reading comfort for beginners, it is not covering stack layouts, the technical details of starting functions and discussing internal toolchain processings during building and executing programs.
+
+We are aware of the fact that this document may put a smile on the face of experienced readers due to the sometimes barely justified oversimplification of technical internals.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Introduction to PIC - (Position Independent Code)</p>
+<p>
+PIC code differs from traditional code in the method it will perform access to function code and data objects/variables through an indirect accessing table.
+
+This table is called the "Global Offset Table" because it contains the addresses of code functions and data objects exported by a shared library.
+</p>
+<p>
+The dynamic loader modifies the GOT slots to resemble the current memory address for every exported symbol in the library.
+
+When the dynamic loader has completed, the GOT contains full absolute addresses for each symbol reference constructed from the load address (PT_LOAD) of the shared library that contains these symbols plus their offset inside this shared library.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Using PIC for building shared libraries</p>
+<p>
+Besides for using position independent executables (see PIE-SSP docs, PaX specs files using -shared and Jelinek binutils patches for -pie support),
+the natural reason for using "-fPIC" (position independent code) is the use in shared dynamic libraries.
+
+This makes the overall footprint of all dynamically linked ELF executables on the system as small as possible,
+while it also prevents possible code duplication and actively reduces requirements on memory and file system.
+</p>
+<p>
+A unique characteristic of a typical shared library is that it can be located anywhere in the process memory layout.
+Because of this, the contents of the shared library are not accessed directly but via clearly exported definitions in symbol tables during building.
+Today, shared libraries can be easily implemented by incorporating this key advantage of the ELF standard.
+
+Making libraries larger, smaller or moving around functions in the library is very easy as long as the symbol table to access the functions does not change.
+</p>
+<p>
+During building, The linker is only responsible for setting up exported symbols of the library in question.
+
+Telling the object code that it needs to be position independent is the task of the preprocessor and the compiler.
+Here, the role of the Makefiles and the CFLAGS/LDFLAGS feeding the compiler with instructions becomes visible.
+
+The preprocessor is adding special definitions ("__PIC__" "__pic__") and the compiler is using "-fPIC" or "-fpic" depending on the data access model.
+Hopefully, when there is no PIC unaware assembler in the source code, these flags are generating the object code needed for position independence.
+
+The object code needs to be generated PIC for successfully opening the doors to position independent relocation of the library, created from the PIC .o relocatable objects.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Relocations in the TEXT segment of shared libraries used by dynamically linked executables</p>
+<p>
+This chapter is going to explain the reasons why relocations in the TEXT segment of a library, also called "text relocations", must be avoided by designers of shared libraries.
+</p>
+<p>
+The performance penalty of text relocations is the reason that every shared library object code should be generated with -fPIC or -fpic, depending on the addressing range of the data that is used.
+
+Otherwise the library is considered not "clean".
+</p>
+<p>
+A text relocation is a memory address in the "LOAD READ-EXECUTE" text segment of a shared library where text segment means the segment that contains the program code.
+
+Such a nonPIC text segment often contains large amounts of memory addresses that need to be "patched" (manipulated, modified, corrected) with the runtime location of functions and data.
+
+This is performed by the dynamic loader (ld.so in glibc) during startup of the dynamically linked executable and invocation of these libraries in the process space.
+
+The reason that the dynamic loader needs to spend so much time "patching" memory addresses (relocations) was stated above:
+a unique characteristic of a typical shared library is that it can be located anywhere in the process memory layout.
+
+</p>
+<p>
+So the dynamic loader is the key to the "located anywhere" functionality: it recognizes and reorganizes the memory addresses that need to be refurbished and applies the change to these locations.
+
+This means that the dynamic loader will be responsible for relocating the memory address.
+
+For example, in a non-PIC compiled libmpeg3 library there are roughly 6000 memory locations left inside the shared library to point to some 200-300 functions and data referred by the instructions.
+</p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Using prelink and LD_BIND_NOW</p>
+<p>
+Using prelink somehow mitigates the performance-intensive relocation process to a one-time operation: the relocation is satisfied and prematurely resolved/patched inside the binaries and the nonPIC shared libraries.
+
+This can be reached with using a program like prelink that is working on the actual files and modifying the relocations and GOT slots in the executables and libraries directly, thus saving the dynamic loader a lot of work during actually starting and running the executable.
+
+While dealing with executables, note that prelink inserts a "hint" into the PT_LOAD segment of every shared library to make the kernel load it at the expected address.
+</p>
+<p>
+Bear in mind that not all relocations are resolved at startup time.
+When LD_BIND_NOW is not used, the lazy binding for libraries somehow tries to minimize the overhead to a more timely fashion by only relocating symbols at their first invocation during program flow.
+
+The environment variable LD_BIND_NOW (and the ld switch "-z now") tries to address this problem for slow machines by moving all needed relocations to be done at startup of a binary, invoking much much slower startup times but later making the binary run more fluently on slower machines because relocations are satisfied now :-)
+
+But you should be careful and know that using LD_BIND_NOW is not recommended on machines where responsiveness is an issue, clicking on an icon in KDE or GNOME and waiting 20 seconds for evolution to start is sometimes inacceptable by users.
+
+In doubt, use prelink!
+</p>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>More about negative side effects of text relocations in shared libraries</p>
+<p>
+There are two drawbacks of nonPIC shared libraries currently.
+</p>
+<p>
+There is a moderate security risk on nonPIC libraries containing text relocations.
+The TEXT pages for shared libraries cannot be marked READONLY by the kernel starting the binary and mapping in ELF segments and libraries.
+</p>
+<p>
+There is also a memory overhead and performance penalty: data and code cannot be shared amongst processes via COW.
+
+COW means "copy on write", this uses the same readonly memory pages for all instances of the same binary and for all processes referring to the same used libraries.
+
+Using COW, readonly memory pages for shared libraries and executables need not to be recreated for new processes in their memory until they are are about to be changed by the new process, like for patching in text relocations by the dynamic loader, this is all implemented transparently in the virtual memory management of the Linux kernel.
+</p>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>So, why not use -fPIC building as default for all applications?</p>
+<p>
+So why not compile all applications with -fPIC if it has so much advantages?
+
+The impact of "-fPIC" on certain arches like AMD64 can be tolerated due to the true PIC-oriented data and code addressing scheme and is even necessary on several (considered broken) architectures that refuse to build certain applications without -fPIC (errors with nonPIC relocation types on PARISC).
+
+There is only one official method to add flags like "-fPIC" to ebuilds: using the flag-o-matic eclass and "append-flags".
+
+However, it is not a good idea to enable "-fPIC" in global CFLAGS or create ebuilds that automatically add the "-fPIC" flag independent of the situation and architecture it is applied.
+
+There are people referring to a noticeable performance penalty when running executables containing position independent code compared to executables incorporating normally compiled object code.
+</p>
+<p>
+Normally, the setup of the PIC register takes about three assembler commands per function that is entered and additional overhead of 1-2 assembler commands per accessed symbol (code function or data object).
+
+Thus, we have the inverted situation for normal executables that the invocation of the "-fPIC" flag is doing the exact opposite like in shared libraries.
+
+Instead of giving us speed for low memory profile by saving memory via COW and making text relocations unnecessary, the additional overhead in the addressing mode is imposing a speed penalty on our executable.
+</p>
+<p>
+Why does a normal dynamically linked executable (not position independent shared executable) need no text relocations and PIC addressing?
+
+Because the kernel (in a normal world) always moves it to the same location in process memory when started, making it unnecessary for the dynamic loader to address any TEXT relocations in the normal executable: because there are none!
+
+We have learned that only shared libraries are located at a given, freely choosen, address space in the process memory of the dynamically linked executable.
+
+So, in the text segment of a "fixed load location" normal executable there are no TEXT segment relocations because all addresses are at the same location in memory during every invocation of the program.
+
+The addressing of data and functions inside the executable are provided via relative and absolute relocations in a common used set of platform-dependent, performance oriented assembler commands.
+</p>
+<p>
+While the architectures supported by Gentoo are quite differently addressing memory, they all share the same characteristic: direct non-PIC-aware addressing is always cheaper (read: faster) than PIC addressing.
+
+For example the RISC (Reduced Instruction Set) architectures sparc, ppc and hppa sometimes use more than one assembler command issuing several more opcodes to do what x86 does with a single variable length assembler command, loading a full 32-Bit address for example.
+
+Only the AMD64 seems to support some kind of "emulation" mode where it does not seem to make a difference if PIC or normal addressing is used for referring code functions and data to access.
+</p>
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
+ </span>Conclusion</p>
+<p>
+The only way that time-wasting text relocations are imposed on a process, leading to the dynamic loader having to work overtime, are with using nonPIC dynamically shared libraries.
+</p>
+<p>
+For normal executables that are dynamically linked to these shared libraries, the executables themselves need not to be using -fPIC for building the object code they consist of.
+
+These executables simply do not need the PIC addressing mode for their functions and data and will use the PLT (Process Linkage Table) and the GOT (Global Offset Table) anyway for addressing external data in shared libraries.
+</p>
+<p class="chaphead"><a name="doc_chap9"></a><span class="chapnum">9.
+ </span>References</p>
+<ul>
+ <li><a href="pic-guide.xml">Introduction to Position Independent Code</a></li>
+ <li>
+<a href="http://www.iecc.com/linker/">Linkers and Loaders</a> by Levine (the Levine book)</li>
+ <li>
+<a href="http://people.redhat.com/drepper/dsohowto.pdf">How to Write Shared Libraries</a> by Ulrich Drepper</li>
+</ul>
+<p>I would like to say personal thanks to the PaX team for supporting us with an extraordinary and outstanding commitment to our toolchain issues!</p>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/pic-internals.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated Feb 14 2004</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>Understanding the impact of text relocations and explaining the use of PIC in shared libraries</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:pappy@gentoo.org" class="altlink"><b>Alexander Gabert</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:pageexec@freemail.hu" class="altlink"><b>The PaX team</b></a>
+<br><i>Contributor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/pie-ssp.html b/html/pie-ssp.html
new file mode 100644
index 0000000..cb56c48
--- /dev/null
+++ b/html/pie-ssp.html
@@ -0,0 +1,258 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo Linux PIE-SSP Documentation</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo Linux PIE-SSP Documentation</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction to Randomization and Stack Protection</option>
+<option value="#doc_chap2">2. Kernels with PaX patches</option>
+<option value="#doc_chap3">3. GNU C Compiler and the history of PIE support</option>
+<option value="#doc_chap4">4. A proven gcc extension for linear stack overflow protection</option>
+<option value="#doc_chap5">5. Position Independent Executables with Propolice support</option>
+<option value="#doc_chap6">6. Using distcc with hgcc</option>
+<option value="#doc_chap7">7. Credits and Reference</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction to Randomization and Stack Protection</p>
+<p>
+First of all, the PaX homepage has moved to http://pax.grsecurity.net,
+please update your bookmarks.
+</p>
+<p>
+While the goal of the PaX suite has remained the same ever since,
+preventing memory related security vulnerabilities, there has been major
+advancements in the progress of getting similar and coexisting kernel
+patches into the attention of the wide public.
+</p>
+<p>
+Even though linear stack smashing attacks, formatstring overflows and
+return to libc style attacks cannot be fully prevented or suppressed by
+effective randomization of the running executable, there seems to be a
+wide consent amongst information security experts and GNU/Linux
+distributions that it does help putting up another barrier (see chapter
+3).
+</p>
+<p>
+The outstanding support and help from the Gentoo toolchain main developer
+and coordinator, Martin Schlemmer as well as Dr. Hiroaki Etoh and moid
+from the OpenBSD team with the closer integration of the SSP patch into
+the Gentoo toolchain and userland has proven the common goals and
+commitments between developers throughout the world striving for better
+support and acceptance of technology that provides a security oriented,
+high quality, automatic response to simple linear stack overflow attempts.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Kernels with PaX patches</p>
+<p>
+The positive feedback generated by users who are enhanced by the
+grsecurity patch being included as a standard security measure in the
+native gentoo-sources leads us to uphold the support for grsecurity in
+this common practice kernel.
+</p>
+<p>
+While the hardened-sources has been abolished in favour of the ongoing
+concurrent development of fully supported MAC/ACL schemes in Gentoo
+Hardened, selinux-sources and grsec-sources can benefit from the thorough
+implementation of a true PIE (position independent executables) and SSP
+(stack smashing protector) environment via the incorporated PaX patch.
+</p>
+<p>
+Chris Pebenito holds up the high quality and standard of the
+selinux-sources while keeping in touch with the PaX developments and
+introducing randomization and userland features of PIE and SSP via PaX or
+correlating patches according to the requirements of the solutions needed
+by our partners.
+</p>
+<p>
+The hardened-sources are maintained by hardened team and is the ideal
+kernel to use with a hardened toolchain.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>GNU C Compiler and the history of PIE support</p>
+<p>
+As described in the introduction, in the last year we have seen major
+advancements (and confusion) in the GNU upstream toolchain regarding the
+implementation of a system wide scenario for storing information about
+stack protection requirements and randomization of executables via PIE
+(position independent executables) support.
+</p>
+<p>
+
+When the first PaX randomization patches came out, a modification to the
+GNU C compiler specs file was needed to create so-called
+"shared executables".
+</p>
+<p>
+
+This means that these days the linker was told to explicitly link -fPIC
+(gcc function to force the creation of position independent code) compiled
+.o object files with a interp.o interpreter field pointing to "http://www.gentoo.org/lib/ld.so"
+from glibc on the intel platform, using a special custom formed crt1S.o
+which was able to set up the addresses of "_main", "_init" (recent glibc:
+"__libc_csu_init") and "_fini" (recent glibc: "__libc_csu_fini") in the
+"_start" function in a position independent manner.
+</p>
+<p>
+So basically a setup like in a shared library was used to set up the PIC
+(position independent code) addressing of the data and the code segments
+in the executable that needs to be started via the main() function.
+</p>
+<p>
+There has been a bug on nonintel arches regarding the setup of the PIC
+register (%r19 on parisc) for statically linked binaries.
+Since this bug has been fixed on all arches we can support, it is now also
+safe to create this library-like PIC setup for statically compiled
+binaries.
+</p>
+<p>
+When Ingo Molnar from Redhat started to introduce the execshield kernel
+patches, the developers at Redhat also wanted to make use of the "hot and
+new" randomization for binaries, so Jakub Jelinek invested a lot of time
+in the preparation of the toolchain (binutils, glibc, gcc) to introduce
+the -pie flag which generates these binaries with the correct interpreter
+and a glibc provided Scrt1.o.
+</p>
+<p>
+With Russell Coker involved in the Fedora distribution of Redhat, the
+future directions to an Execshield based selinux setup with -pie support
+from the toolchain are a visible example for the integration of security
+improvements in a full-scale commercial office and home user distribution.
+</p>
+<p>
+Russell Coker also seems to be interested in supporting selinux for
+Debian.
+</p>
+<p>
+However, the technical approach to support compatibility needs of
+applications (java apps, gcc heuristically sets executable stack for
+nested functions) over default security measures (as implemented in PaX
+kernels) may not suit environments with higher risk analysis and threat
+potential.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>A proven gcc extension for linear stack overflow protection</p>
+<p>
+When the OpenBSD team discovered SSP as their favourite utility to limit
+the possibility of linear stack overflows, they also evaluated the stack
+smash handler functions and found out that the best way to introduce SSP
+into their toolchain was a modification of the dynamic linker for
+executables requiring that no standard libraries were included (boot
+loaders!) and giving all other dynamically linked applications the chance
+to retrieve the guard object and the necessary related functions via their
+standard C library.
+Thus, the dynamically linked executables and shared libraries protected
+via propolice were using one exact shared copy of the __guard reference
+and the needed functions for setup and smash handling in a single
+location.
+</p>
+<p>
+Statically linked executables will have their own copy of __guard and the
+functions to work properly.
+</p>
+<p>
+On the Linux platform, Dr. Etoh decided to put the __guard, the
+__guard_setup and the __stack_smash_handler into the libgcc of the gcc
+package.
+This led to problems with big packages like apache2 and mod_php4 producing
+false positives because the wrong local __guard copies in shared libraries
+and/or the main executable were used by different __stack_smash_handlers,
+this odd momentum has been resolved and isolated in gdb sessions by pipacs
+from the PaX team.
+</p>
+<p>
+Having moid from the OpenBSD team to help us mitigating this negative side
+effect of the GNU C compiler and working close together with Dr. Etoh from
+the IBM labs in japan gave us the chance to introduce the first
+glibc-based SSP setup for userland in GNU/Linux for Gentoo-Linux at all!
+( PIE-SSP it works! )
+</p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Position Independent Executables with Propolice support</p>
+<p>On a Gentoo system this is currently accomplished by merging <span class="code" dir="ltr">gcc</span>: </p>
+<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Emerging gcc</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">USE="hardened pic" emerge sys-devel/gcc</span>
+</pre></td></tr>
+</table>
+<p>While a hardened <span class="code" dir="ltr">gcc</span> starts the transparent conversion of a system to position independence for your binaries via making use of gcc spec file handling.</p>
+<p>Once the gcc has been equipped with that new specs file, a package or a kernel building can only return to the conventional building behaviour when it feeds the correct CFLAGS and LDFLAGS to the build process.</p>
+<p>As an example lets try the rebuilding our chpax binary as a position independent
+ executable. We can use the file(1) command to determine if we
+ in fact we are building our executables as ET_EXEC or ET_DYN.</p>
+<p>The first example here we have chpax built as a ET_DYN
+ and the second one is chpax not built as a standard ET_EXEC file.</p>
+<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: Example files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">file /sbin/chpax</span>
+/sbin/chpax: ELF 32-bit LSB shared object, Intel 80386, version 1 \
+ (GNU/Linux), stripped
+
+# <span class="code-input">file /sbin/chpax</span>
+/sbin/chpax: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for \
+ GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped
+</pre></td></tr>
+</table>
+<p>The <span class="code" dir="ltr">gcc</span> package has been designed to easily revert back to a conventional building environment behaviour in case of problems.</p>
+<p>Users can restore the original gcc specs file behaviour at any time by calling the gcc-config utility on the commandline. gcc-config -l ; gcc-config</p>
+<p>Ebuilds that experience problems with the a hardened gcc automatic transparency can evaluate the existence of the hardened gcc package on the target system and use compatibility CFLAGS to restore the original gcc behaviour during the emerge.</p>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>Using distcc with hgcc</p>
+<p>
+<a href="mailto:lisa@gentoo.org">Lisa Marie Seelye</a> says you need the same hgcc and gcc versions on all distcc host volunteer machines.
+</p>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>Credits and Reference</p>
+<ul>
+ <li><a href="http://pax.grsecurity.net">PaX Homepage</a></li>
+ <li><a href="http://pax.grsecurity.net/docs/index.html">PaX Documentation</a></li>
+ <li><a href="http://www.research.ibm.com/trl/projects/security/ssp/">Propolice/SSP Homepage</a></li>
+ <li><a href="http://www.grsecurity.net">Grsecurity Homepage</a></li>
+ <li><a href="http://fedora.redhat.com">Fedora Homepage</a></li>
+ <li><a href="http://www.openbsd.com">OpenBSD Homepage</a></li>
+ <li><a href="http://www.nsa.gov/selinux">SElinux Homepage</a></li>
+ <li><a href="http://www.gentoo.org/doc/en/distcc.xml">Gentoo Distcc Documentation</a></li>
+ </ul>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pie-ssp.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 20050805</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>(This DOC is badly outdated and mostly obsolete) This introductionary guide explains the basic behaviour of the hardened toolchain.</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:pappy@gentoo.org" class="altlink"><b>Alexander Gabert</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
+<br><i>Contributor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/prelude-ids.html b/html/prelude-ids.html
new file mode 100644
index 0000000..d1ab479
--- /dev/null
+++ b/html/prelude-ids.html
@@ -0,0 +1,624 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo Linux Documentation -- Prelude Intrusion Detection System</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo Linux Documentation -- Prelude Intrusion Detection System</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. About Prelude</option>
+<option value="#doc_chap2">2. Installing Prelude</option>
+<option value="#doc_chap3">3. Configuring Prelude</option>
+<option value="#doc_chap4">4. Installing Sensors</option>
+<option value="#doc_chap5">5. Post Installation</option>
+<option value="#doc_chap6">6. Running and Managing Prelude</option>
+<option value="#doc_chap7">7. Credits</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>About Prelude</p>
+<p class="secthead"><a name="doc_chap1_sect1">Background Information</a></p>
+<p>
+ Prelude was founded and writen by Yoann Vandoorselaere in 1998. Many others have also greatly contributed to it.
+ </p>
+<p>
+ Prelude is a hybrid intrustion detection system that will detect and monitor security instrusions, whether they happen in an attack mobilized over the Internet or an attack mobilzed locally. The monitoring work that Prelude does is made possible via an LML (Log Monitoring Lackey). Prelude can also utilize the rulesets from intrusion detection systems such as Snort.
+ </p>
+<p class="secthead"><a name="doc_chap1_sect2">What Are the Components?</a></p>
+<ul><li>
+<span class="path" dir="ltr">prelude-manager</span> : The manager is the place where all the main logging is done. When the manager receives a signal from the sensors, it logs the signal so the user can investigate. Logging can either be done to a file or to a datebase such as MySQL. The latter is the recommended solution.</li></ul>
+<ul><li>
+<span class="path" dir="ltr">prelude-nids</span> : NIDS is a plugin for Prelude and stands for Network Intrusion Detection System. The prelude-nids package should definately be used along side Prelude proper, but is not mandatory. The NIDS package also provides for functionality like that of <a href="http://snort.org">Snort</a>
+</li></ul>
+<ul><li>
+<span class="path" dir="ltr">prelude-lml</span> : The LML stands for Log Monitoring Lackey. Like the NIDS, it is also a sensor. The LML watches your logfiles and looks for anything out of the ordinary. Should abnormalities be found, an alert is sent to the manager.</li></ul>
+<ul><li>
+<span class="path" dir="ltr">libprelude</span> : libprelude provides for the libraries necessary in order for the manager to be able to talk to the other plugins. It also provides the sensors with extra features.</li></ul>
+<ul><li>
+<span class="path" dir="ltr">piwi</span> : PIWI stands for Prelude Intrusion (Detection System) Web Interface. The title pretty much describes the said package; it is an interface powered by perl that can help the end user manage their rules and see when attacks are happening or have happened.</li></ul>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Installing Prelude</p>
+<p class="secthead"><a name="doc_chap2_sect1">Emerging the Packages</a></p>
+<p>
+ We will now begin by adding <span class="path" dir="ltr">ssl</span> to our <span class="path" dir="ltr">make.conf</span>, then emerging each of the packages described above.
+ </p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: /etc/make.conf</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">You do not have to delete other entries from your USE, just add ssl.</span>
+USE="ssl"
+</pre></td></tr>
+</table>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Starting the Emerges</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Emerging the libraries.</span>
+# <span class="code-input">emerge libprelude</span>
+<span class="code-comment">Now for the log lackey.</span>
+# <span class="code-input">emerge prelude-lml</span>
+<span class="code-comment">Installing the Network Intrustion Detection System</span>
+# <span class="code-input">emerge prelude-nids</span>
+<span class="code-comment">Now for the most important component: The manager.</span>
+# <span class="code-input">emerge prelude-manager</span>
+<span class="code-comment">Lastly, we will install PIWI.</span>
+# <span class="code-input">emerge piwi</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Configuring Prelude</p>
+<p class="secthead"><a name="doc_chap3_sect1">Setting up the Manager</a></p>
+<p>
+ We will now edit the Manager's main configuration file, <span class="path" dir="ltr">prelude-manager.conf</span>. Two of the most important settings are for changing where Prelude will listen. For instance, if you have two IPs but only one Prelude to listen on one of them, you would supply the said IP in the configuration.</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: /etc/prelude-manager/prelude-manager.conf</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# Sensor Server is listening on any IP
+sensors-srvr = 0.0.0.0;
+# Admin Server is listening on any IP
+admin-srvr = 0.0.0.0;
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap3_sect2">Setting up the Database</a></p>
+<p>
+ If you want to set up Prelude to work with its backend being a database like MySQL or PostgreSQL (and believe me, you do), then you will want to continue with this section. If you really and truly would rather use plaintext logging, then you can skip this section.
+ </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Your SQL server, whether it be MySQL or PostgreSQL, needs to be running before you proceed.</p></td></tr></table>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: Creating the Database</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">/usr/bin/prelude-manager-db-create.sh</span>
+
+Prelude Database Support Installation
+=====================================
+
+*** Phase 0/7 ***
+
+Warning: if you want to use database support with prelude
+ You should dedicate the database for this job only.
+
+So if you ever have a database running for another job
+ please think about taking it away, because this script
+ will install prelude as a dedicated database and you
+ could meet some troubles with your old bases.
+
+<span class="code-comment">Since we want database support, we are going to say "y" here.</span>
+Do you want to install a dedicated database for prelude ?
+ (y)es / (n)o : y
+
+
+*** Phase 1/7 ***
+
+<span class="code-comment">Here you can either chose to have your database be MySQL (mysql) or
+PostgreSQL (pgsql). I'll be choosing MySQL.</span>
+Enter the type of the database [mysql|pgsql]: mysql
+
+
+*** Phase 2/7 ***
+
+<span class="code-comment">Unless you are going to be running the MySQL server on a different
+box than Prelude, just hit ENTER here to choose "localhost".</span>
+Enter the name of the host where the database is running [localhost]:
+
+
+*** Phase 3/7 ***
+
+<span class="code-comment">3306 is the default port for MySQL, so unless you plan on running
+the MySQL daemon on a different port, then just hit ENTER here.</span>
+Enter the port where the database is running [3306]:
+
+
+*** Phase 4/7 ***
+
+<span class="code-comment">Hit ENTER here to have the database that stores all the information
+that Prelude keeps track of be named "prelude".</span>
+Enter the name of the database that should be created to stock alerts [prelude]:
+
+*** Phase 5/7 ***
+
+<span class="code-comment">You can go ahead and hit ENTER here unless you have your MySQL super-user
+set up under a different name.</span>
+This installation script has to connect to your mysql database in order to creat
+e a user dedicated to stock prelude's alerts
+What is the database administrative user ? [root]:
+
+We need the password of the admin user "root" to log on the database.
+By default under mysql, root has an empty password.
+Please enter a password:
+Please confirm entered password:
+
+*** Phase 6/7 ***
+
+We need to create a database user account that will be used by the Prelude Manag
+er in order to access the "prelude" database.
+
+Username to create [prelude] :
+
+We need to set a password for this special "prelude" account.
+This password will have to be used by prelude-manager to access the database.
+Please enter a password:
+Please confirm entered password:
+
+*** Phase 7/7 ***
+
+Please confirm those information before processing :
+
+Database name : prelude
+Database admin user: root
+Database admin password: (not shown)
+
+prelude owner user: prelude
+prelude owner password: (not shown)
+
+Is everything okay ? (yes/no) : yes
+
+Creating the database prelude...
+
+Creating user "prelude" for database "prelude",
+using "root" to connect to the database.
+
+Creating tables with /usr/share/prelude-manager/mysql/mysql.sql
+
+-------------- End of Database Support Installation -------------
+If it succeeded, you should now be able to launch prelude-manager like that :
+==&gt; prelude-manager --mysql --dbhost localhost --dbname prelude --dbuser pre
+lude --dbpass xxxxxx
+
+Or you may modify the prelude-manager configuration file (/usr/local/etc/prelude
+-manager/prelude-manager.conf by default) in order to launch prelude-manager wit
+hout database arguments:
+---------- cut here ---&gt;
+[MySQL]
+# Host the database is listening on.
+dbhost = localhost;
+# Port the database is listening on.
+dbport = 3306;
+# Name of the database.
+dbname = prelude;
+# Username to be used to connect the database.
+dbuser = prelude;
+# Password used to connect the database.
+dbpass = xxxxxx;
+&lt;--- cut here ----------
+
+Replace xxxxxx by the password you choose for the manager account
+-----------------------------------------------------------------
+
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap3_sect3">NIDS Configuration</a></p>
+<p>
+ Now we just need to set up NIDS so it knows which ethernet device to monitor.</p>
+<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: /etc/conf.d/prelude-nids</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Change eth0 to match the ethernet device to be monitored.</span>
+OPTIONS="-i eth0"
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Installing Sensors</p>
+<p class="secthead"><a name="doc_chap4_sect1">Prerequisit Configuration</a></p>
+<p>
+ We will now be setting up the default configuration for the sensors in the <span class="path" dir="ltr">/etc/prelude-sensors/sensors-default.conf</span> file. This will be used globally for the sensors. You can edit the below and then place it in the configuration file.
+ </p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: /etc/prelude-sensors/sensors-default.conf</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Replace this with the IP of the manager.</span>
+manager-addr = 192.168.0.1;
+<span class="code-comment"># Here you will want to fill in your full hostname.</span>
+node-name = yourbox.yourdomain.com;
+<span class="code-comment"># This is just a plaintext descriptor. You can put almost anything here.</span>
+node-location = Rack 2, Server 5. Monitoring Network A from an SPAN port on switch 28A;
+[Node Adress]
+<span class="code-comment"># The IP address of the box Prelude is being set up on.</span>
+address = 192.168.0.1;
+<span class="code-comment"># The netmask for the box.</span>
+netmask = 255.255.255.0;
+</pre></td></tr>
+</table>
+<p>
+ We will now be adding our sensors to the manager. There are two ways of setting up the manager to talk to the sensors: via an SSL encrypted connection and via an unencrypted connection. The only time when you will want to opt for the latter is when the manager and the sensor are on the same box.</p>
+<p class="secthead"><a name="doc_chap4_sect2">Installing the NIDS Sensor</a></p>
+<p>
+ We will now run the necessary commands to set up the SSL connection.
+ </p>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Setting Up the Encrypted Connection</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">manager-adduser</span>
+
+No Manager key exist... Building Manager private key...
+
+<span class="code-comment">How many bits should the encryption be? I would recommend just hitting
+ENTER here.</span>
+What keysize do you want [1024] ?
+
+
+Please specify how long the key should be valid.
+ 0 = key does not expire
+ &lt;n&gt; = key expires in n days
+
+<span class="code-comment">Here you can hit ENTER again to select a key that does not expire.</span>
+Key is valid for [0] :
+
+
+Key length : 1024
+Expire : Never
+<span class="code-comment">Granted everything is okay, type in "yes" and hit enter.</span>
+Is this okay [yes/no] : yes
+
+
+Generating a 1024 bit RSA private key...
+................++++++
+...........................++++++
+Writing new private key to '/etc/prelude-manager/prelude-manager.key'.
+Adding self signed Certificate to '/etc/prelude-manager/prelude-manager.key'
+
+
+<span class="code-comment">This password is VERY important. Do NOT lose it until you've completed the sensor-adduser.</span>
+Generated one-shot password is "p=7f6N7+".
+
+This password will be requested by "sensor-adduser" in order to connect.
+Please remove the first and last quote from this password before using it.
+
+waiting for install request from Prelude sensors...
+<span class="code-comment">Do not close this terminal! Leave it open an open another session to
+continue the guide.</span>
+</pre></td></tr>
+</table>
+<p>
+ Now open up another terminal if you have not already done so and proceed to add the sensor user. Right now we will be adding the user for the NIDS component to Prelude.
+ </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Remeber that if both the sensor and the manager are running on the same machine, it is important to specify the machines ethernet IP, not <span class="path" dir="ltr">127.0.0.1</span>. If you specify <span class="path" dir="ltr">127.0.0.1</span>, <span class="code" dir="ltr">sensor-adduser</span> will default to an unencrypted connection.<br><br>However, if you do not want to use SSL, specify the said IP.
+ </p></td></tr></table>
+<a name="doc_chap4_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.3: Adding the Sensor User</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"> You will want to change "192.168.1.102" if the manager is on a different IP.</span>
+# <span class="code-input">sensor-adduser -s prelude-nids -m 192.168.1.102 -u 0</span>
+
+
+Now please start "manager-adduser" on the Manager host where
+you wish to add the new user.
+
+Please remember that you should call "sensor-adduser" for each configured
+Manager entry.
+
+<span class="code-comment">We have already done this; hit ENTER.</span>
+Press enter when done.
+
+Please use the one-shot password provided by the "manager-adduser" program.
+
+<span class="code-comment">Enter that password that I talked about above. I hope you did not lose it ;).
+Also, be aware that while I am going to fill in the fields here, the password will
+not echo back to you.</span>
+Enter registration one shot password : p=7f6N7+
+Please confirm one shot password : p=7f6N7+
+<span class="code-comment">If you do not see that the connection suceeded then you closed the terminal
+that I told you not to. Remove /etc/prelude-manager/prelude-manager.key and start
+again with manager-adduser.</span>
+connecting to Manager host (127.0.0.1:5553)... Succeeded.
+
+
+What keysize do you want [1024] ? 1024
+
+
+Please specify how long the key should be valid.
+ 0 = key does not expire
+ &lt;n&gt; = key expires in n days
+
+Key is valid for [0] : 0
+
+
+Key length : 1024
+Expire : Never
+
+Is this okay [yes/no] : yes
+Generating a 1024 bit RSA private key...
+...........++++++
+........................................++++++
+Writing new private key to '/etc/prelude-sensors/ssl/prelude-nids-key.0'.
+Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-nids-key.0'
+writing Prelude Manager certificate.
+Using already allocated ident for prelude-nids@yourbox: 1057315311.
+</pre></td></tr>
+</table>
+<p>
+ Now switch back to the terminal with manager-adduser running in it. You should see output that resembles that below.
+ </p>
+<a name="doc_chap4_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.4: manager-adduser Output</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Connection from 192.168.1.102.
+sensor choose to use SSL communication method.
+Writing Prelude certificate to /etc/prelude-manager/prelude-sensors.cert
+Registration completed.
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap4_sect3">Adding the LML Sensor</a></p>
+<p>
+ We will now set up the Log Monitoring Lackey.
+ </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>You may realize that there are quite a bit of lines of output "missing" from this example. In fact, the lines of output that are not present in this example go away after the initial <span class="code" dir="ltr">manager-adduser</span></p></td></tr></table>
+<a name="doc_chap4_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.5: Setting up the Manager for the LML</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">manager-adduser</span>
+
+
+Generated one-shot password is "4;%f7%1Y".
+
+This password will be requested by "sensor-adduser" in order to connect.
+Please remove the first and last quote from this password before using it.
+
+waiting for install request from Prelude sensors...
+</pre></td></tr>
+</table>
+<p>
+ Again, switch over to another terminal and proceed with the next example.
+ </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ We will be using the same methods we used in the NIDS example, so the same comments in red from before apply here, too.
+ </p></td></tr></table>
+<a name="doc_chap4_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.6: Setting up the LML</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">sensor-adduser -s prelude-lml -m 192.168.101 -u 0</span>
+
+
+Now please start "manager-adduser" on the Manager host where
+you wish to add the new user.
+
+Please remember that you should call "sensor-adduser" for each configured
+Manager entry.
+
+<span class="code-comment">Hit enter; we have already started manager-adduser.</span>
+Press enter when done.
+
+
+
+Please use the one-shot password provided by the "manager-adduser" program.
+
+Enter registration one shot password : 4;%f7%1Y
+Please confirm one shot password : 4;%f7%1Y
+connecting to Manager host (127.0.0.1:5553)... Succeeded.
+
+What keysize do you want [1024] ? 1024
+
+
+Please specify how long the key should be valid.
+ 0 = key does not expire
+ &lt;n&gt; = key expires in n days
+
+Key is valid for [0] : 0
+
+
+Key length : 1024
+Expire : Never
+
+Is this okay [yes/no] : yes
+Generating a 1024 bit RSA private key...
+...............++++++
+.++++++
+Writing new private key to '/etc/prelude-sensors/ssl/prelude-lml-key.0'.
+Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-lml-key.0'
+writing Prelude Manager certificate.
+Using already allocated ident for prelude-lml@yourbox: 1057887742.
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Post Installation</p>
+<p class="secthead"><a name="doc_chap5_sect1">Testing the Manager</a></p>
+<p>
+ On the manager box, start the Prelude manager in the foreground.
+ </p>
+<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Starting the Manager</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">prelude-manager</span>
+- Initialized 2 reporting plugins.
+- Initialized 1 database plugins.
+- Subscribing Prelude NIDS data decoder to active decoding plugins.
+- Initialized 1 decoding plugins.
+- Initialized 0 filtering plugins.
+- Subscribing TextMod to active reporting plugins.
+- sensors server started (listening on 127.0.0.1:5554).
+</pre></td></tr>
+</table>
+<p>
+ Now go ahead and switch over to the sensor box. We will test the communication by using the NIDS sensor.
+ </p>
+<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: Starting the NIDS Sensor</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Remember to change the manager address if it differs from the example.</span>
+# <span class="code-input">prelude-nids -i eth0 --manager-addr 127.0.0.1</span>
+- Initialized 3 protocols plugins.
+- Initialized 5 detections plugins.
+
+- RpcMod subscribed for "rpc" protocol handling.
+- TelnetMod subscribed for "telnet" protocol handling.
+- HttpMod subscribed for "http" protocol handling.
+- Done loading Unicode table (663 Unichars, 0 ignored, 0 with errors)
+- ScanDetect subscribed to : "[TCP,UDP]".
+- ArpSpoof subscribed to : "[ARP]".
+/etc/prelude-nids/ruleset/web-misc.rules (7) Parse error: Unknow key regex
+/etc/prelude-nids/ruleset/web-misc.rules (65) Parse error: Unknow key regex
+- Signature engine added 890 and ignored 2 signature.
+- Connecting to Unix prelude Manager server.
+- Plaintext authentication succeed with Prelude Manager.
+
+- Initializing packet capture.
+</pre></td></tr>
+</table>
+<p>
+ Make sure that your output looks relatively the same. Let us make sure that we have the important output displaying correctly.
+ </p>
+<a name="doc_chap5_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.3: Important output from NIDS</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+- Connecting to Unix prelude Manager server.
+- Plaintext authentication succeed with Prelude Manager.
+</pre></td></tr>
+</table>
+<a name="doc_chap5_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.4: Important output from the manager after we have started NIDS</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+[unix] - accepted connection.
+[unix] - plaintext authentication succeed.
+[unix] - sensor declared ident 578232824809457160.
+</pre></td></tr>
+</table>
+<p>
+ If you do not see those two sets of output, make sure that the manager is listening on the right IP and that the manager address is supplied properly for NIDS.
+ </p>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>Running and Managing Prelude</p>
+<p class="secthead"><a name="doc_chap6_sect1">Starting up the Prelude Daemons</a></p>
+<p>
+ There are several init scripts that control the different parts to Prelude, so we will want to start those up now.
+ </p>
+<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: Starting the Prelude Daemons</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">First, we will start up the manager.</span>
+# <span class="code-input">/etc/init.d/prelude-manager start</span>
+<span class="code-comment">Next, it is time to start the NIDS</span>
+# <span class="code-input">/etc/init.d/prelude-nids start</span>
+<span class="code-comment">And finally, we will start up the LML.</span>
+# <span class="code-input">/etc/init.d/prelude-lml start</span>
+</pre></td></tr>
+</table>
+<p>
+ Most likely, you are going to want Prelude and its components to start up when you boot up the computer. In order to achieve this, we will add the necessary components to the default runlevel.
+ </p>
+<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: Adding the Daemons to the Run Level</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rc-update add prelude-manager default</span>
+# <span class="code-input">rc-update add prelude-nids default</span>
+# <span class="code-input">rc-update add prelude-lml default</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap6_sect2">Installing PIWI</a></p>
+<p>
+ The first thing we will do to get PIWI working is emerge it.
+ </p>
+<a name="doc_chap6_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.3: Emerging PIWI</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge piwi</span>
+</pre></td></tr>
+</table>
+<p>
+ We will now follow the instructions that the emerge process gives us
+ </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Depending on what version of Apache you are running, the following file names may vary. If you are using Apache2, the files will be located in <span class="path" dir="ltr">/etc/apache2/conf</span> and the files will be named differently. Usually, the file names will differ only by a present "2" that is not there in the Apache1 file names. For example, <span class="path" dir="ltr">apache.conf</span> becomes <span class="path" dir="ltr">apache2.conf</span> in Apache2.</p></td></tr></table>
+<a name="doc_chap6_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.4: /etc/apache/conf/apache.conf</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">The best place for this line is probably at the end of the file.</span>
+Include /etc/piwi/piwi-apache.conf
+</pre></td></tr>
+</table>
+<p>Now we will tell Apache to load the PIWI specific configuration directives. If we were to skip this step, when you go to the location of your website with the PIWI files, the Perl scripts will likely just show up as plain text.</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>If you are already loading other Apache modules, you merely have to add <span class="path" dir="ltr">-D PIWI</span> rather than replacing the whole <span class="path" dir="ltr">APACHE_OPTS</span> line.</p></td></tr></table>
+<a name="doc_chap6_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.5: /etc/conf.d/apache</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+APACHE_OPTS="-D PIWI"
+</pre></td></tr>
+</table>
+<p>
+ Next, we need to edit the PIWI configuration file to match our MySQL database settings that we used for Prelude.
+ </p>
+<a name="doc_chap6_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.6: /etc/piwi/config.pl</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Edit the next two lines to suit your setup.</span>
+$conf{'dblogin'}='prelude';
+$conf{'dbpasswd'}='dbpass';
+</pre></td></tr>
+</table>
+<p>
+ All that is left to do is start up Apache and check to make sure that the PIWI scripts are being processed correctly.
+ </p>
+<a name="doc_chap6_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.7: Starting Apache</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">/etc/init.d/apache start</span>
+</pre></td></tr>
+</table>
+<p>
+ Now point your browswer to <span class="path" dir="ltr">http://yoursite/piwi</span> and you should be greeted by a Web interface.
+ </p>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>Credits</p>
+<p class="secthead"><a name="doc_chap7_sect1">Works Cited</a></p>
+<ul><li>Collective Work. PreludeIntrusionDetectionSystem - Gentoo Wiki.</li></ul>
+<ul><li>
+<a href="mailto:polombo@cartel-securite.fr">Polombo, Daniel</a>. <a href="http://prelude-ids.org/article.php3?id_article=6">Prelude Hybrid IDS</a>.</li></ul>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="prelude-ids.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 17 Jul 2003</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+ This guide will assist you in setting up the Prelude Intrustion Detection System along with the rules needed to make it useful.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext"><a href="mailto:zack@tehunlose.com" class="altlink"><b>
+ Zack Gilburd</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:mboman@gentoo.org" class="altlink"><b>Michael Boman</b></a>
+<br><i>Contributors</i><br><br>
+ <a href="mailto:kzaraska@student.uci.agh.edu.pl" class="altlink"><b>Krzysztof Zaraska</b></a>
+<br><i>Contributors</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/primer.html b/html/primer.html
new file mode 100644
index 0000000..0554ca9
--- /dev/null
+++ b/html/primer.html
@@ -0,0 +1,274 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Introduction to Hardened Gentoo</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Introduction to Hardened Gentoo</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Technologies Offered</option>
+<option value="#doc_chap3">3. Resources</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p>
+ This guide is meant for anyone unsure about the offerings of the
+ Hardened Gentoo project, how to use them together, and what their
+ respective roles in the project are.
+ </p>
+<p>
+ The basic security principle that we emphasize is layers of security.
+ Layers are fundamental in ensuring a users machine is not compromised,
+ and if it is, minimizing the damages done. By combining a series of
+ dissimilar, though security related technologies, we make an attacker
+ jump through additional hoops before a compromise may occur. For this
+ reason we always recommended that you decide what your specific needs
+ are and combine those solutions to protect your system. We will try to
+ explain the options and how they can be used together in this
+ document.
+ </p>
+<p>
+ Hardened Gentoo is not a product or solution in itself, it is merely a
+ project with a group of developers all working toward the same goal of
+ very proactive security. The sub-projects contained in Hardened Gentoo
+ aren't related in any more way than they are hosted within the same
+ project. You might think of it as the same way KDE and GNOME are both
+ part of the desktop project, and both have a common goal but are
+ otherwise unrelated to each other.
+ </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ Asking for help installing or support of your 'Hardened Gentoo' machine
+ is not clear and should always be clarified by saying you have a
+ SELinux problem, PIE/SSP problem, and so on.
+ </p></td></tr></table>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Technologies Offered</p>
+<p class="secthead"><a name="doc_chap2_sect1">PaX</a></p>
+<p>
+ At the heart of the project is PaX. PaX is a kernel patch
+ that allows you to protect against buffer and heap overflows and
+ similar attacks. PaX is your first line of defense.
+ </p>
+<p>Because of badly
+ written software you are always at risk of a compromise because of
+ buffer and heap overflows. Buffer and Heap overflows are the result of
+ unchecked bounds in user input in applications. When an attacker has
+ the ability to give input to an application that is inserted into
+ memory but not checked there exists the possibility of an overflow.
+ Lower level programming languages like C and C++ do not automatically
+ protect from overruns, and the end result is that when a buffer is
+ overrun adjacent executable code can be overwritten with input from the
+ user. This would normally cause the application to crash if the users
+ input isn't understood by the machine. This generally manifests itself
+ as a page fault because the characters that overrun the buffer into the
+ executable area will be treated as an address which probably won't
+ exist. This is the most benign result of an overrun.
+ </p>
+<p>If the attacker
+ knows of an overrun, however, they will have the opportunity to add
+ shellcode to the input and rather than causing the application to crash
+ it will instead execute the instructions they give. This is done
+ because shellcode is how instructions are stored in memory for
+ execution by the processor. Basically shellcode consists of 'opcodes'
+ which translate to assembly routines. An attacker knows these opcodes
+ very well and can create shellcode which allows them to do anything
+ they desire, such as run a root shell and bind it to a port. When this
+ happens the user won't even be aware that it has because the
+ application doesn't crash, instead it starts executing the attackers
+ arbitrary code allowing them to do anything they please. PaX mitigates
+ this problem by randomly placing each function and buffer in an
+ application in memory. This is called ASLR or Address Space Layout
+ Randomization and is the cornerstone of PaX By having random offsets
+ for functions and buffers the attacker is unable to craft an input
+ which will guarantee that the shellcode will be executed (and makes it
+ very difficult since the application will probably crash and be
+ restarted with new random offsets). ASLR is most useful when used with
+ PIE (position independent executable) code but also works with standard
+ executable code, at the cost of overhead.
+ </p>
+<p>PaX also offers the ability
+ for executable segments to be executable and not writable, and likewise
+ writable segments to be writable and not executable. This is called
+ pageexec. On x86 based processors there is no ability to do this on a
+ hardware level since the x86 designers collapsed the read and execute
+ memory flags into 1 to save space. Since a page can either be writable
+ or readable and executable it is not useful to set buffers as
+ non-executable since they would no longer be readable. So on x86 PaX
+ emulates this behavior at a software level, which introduces overhead
+ but is very helpful for security.
+ </p>
+<p class="secthead"><a name="doc_chap2_sect2">PIE/SSP</a></p>
+<p>
+ In the interest of clarity, while PIE and SSP are generally grouped in
+ discussion because they are both part of the hardened toolchain, they
+ are indeed different technologies with different purposes. PIE by itself
+ provides no additional security, but when combined with PaX in the kernel
+ provides a powerful tool against overflows. SSP is entirely implemented
+ in userland and protects against stack smashing attacks without the
+ assistance of the kernel. Since these are implemented separately and do
+ different things they are indeed 2 different layers of protection, for
+ example, one attack that might get past PaX, called ret2libc, would be
+ blocked by SSP.
+ </p>
+<p>
+ We have gone through great lengths to provide users with an easy way to
+ build the entire userland with PIE code as to take advantage of ASLR
+ with very little overhead. In addition to PIE our 'hardened' toolchain
+ also provides SSP or stack smashing protection. SSP protects against
+ stack smashing by allocating an area outside of buffers and putting a
+ random, cryptographic canary (or marker) in it. This allows SSP to check
+ whether the canary was overwritten after any write to the buffer and
+ allows it to kill the app if it was overwritten. The hardened toolchain
+ gives users a PIE/SSP userland the easiest possible way. Stages marked
+ with 'hardened' are standard stages built with PIE and SSP, they do not
+ include SELinux/RSBAC/grsecurity access controls.
+ </p>
+<p class="secthead"><a name="doc_chap2_sect3">Mandatory Access Control</a></p>
+<p>
+ While PaX is the first layer of protection, perhaps even the second or
+ third if you have firewalls and/or network intrusion detection, it is
+ also recommended that you use access control to further secure your system.
+ It is very important that you realize access control as your <b>last</b>
+ layer of protection. Access control is very helpful to contain attackers
+ which already got access to your system, or local users. Currently
+ Hardened Gentoo supports 3 access control solutions: SELinux,
+ grsecurity, and RSBAC.
+ </p>
+<p>
+ If you wish to use grsecurity you need not worry about which stages to use as grsecurity
+ requires no userland changes. Simply use the hardened stages and once you are
+ ready to build a kernel use a grsecurity-enabled kernel such as
+ hardened-sources. Once your system is up and running you can use
+ grsecurity's learning mode to build ACL's for your system.
+ </p>
+<p>
+ Similar to grsecurity, RSBAC does not require any userland changes but can be
+ installed after setting up a normal Gentoo installation. RSBAC is supported by
+ the rsbac-sources kernel. Once your system is running you
+ can then choose from the different access control models offered by RSBAC
+ since they are all modules. The RSBAC Gentoo documentation lists the various models
+ offered and provides more information about each one.
+ </p>
+<p>
+ So we've talked about 2 layers that we offer, we have intentions to offer more
+ and will in the future. Examples of additional layers are intrusion
+ detection/prevention, which would be first even before PaX.
+ Encrypted disks and swap which offer protection from 'physical' security
+ breaches. Auditing, which would allow you to see and act upon risks before
+ they become a compromise. Encrypted network traffic and strong authentication
+ are also layers which are very supported in mainline Linux installations and
+ probably won't be focused upon here.
+ </p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Resources</p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>
+ Project
+ </b></td>
+ <td class="infohead"><b>
+ Project homepage
+ </b></td>
+ <td class="infohead"><b>
+ Gentoo project page
+ </b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">
+ PaX
+ </td>
+ <td class="tableinfo">
+ <a href="http://pax.grsecurity.net">http://pax.grsecurity.net</a>
+ </td>
+ <td class="tableinfo">
+ <a href="http://hardened.gentoo.org/pax-quickstart.xml">http://hardened.gentoo.org/pax-quickstart.xml</a>
+ </td>
+ </tr>
+ <tr>
+ <td class="tableinfo">
+ PIE
+ </td>
+ <td class="tableinfo">
+ Not Available
+ </td>
+ <td class="tableinfo">
+ Not Available
+ </td>
+ </tr>
+ <tr>
+ <td class="tableinfo">
+ SSP
+ </td>
+ <td class="tableinfo">
+ <a href="http://www.trl.ibm.com/projects/security/ssp/">http://www.trl.ibm.com/projects/security/ssp/</a>
+ </td>
+ <td class="tableinfo">
+ Not available
+ </td>
+ </tr>
+ <tr>
+ <td class="tableinfo">
+ SELinux
+ </td>
+ <td class="tableinfo">
+ <a href="http://www.nsa.gov/selinux">http://www.nsa.gov/selinux</a>
+ </td>
+ <td class="tableinfo">
+ <a href="http://hardened.gentoo.org/selinux">http://hardened.gentoo.org/selinux</a>
+ </td>
+ </tr>
+ <tr>
+ <td class="tableinfo">
+ grsecurity
+ </td>
+ <td class="tableinfo">
+ <a href="http://www.grsecurity.net">http://www.grsecurity.net</a>
+ </td>
+ <td class="tableinfo">
+ <a href="http://hardened.gentoo.org/grsecurity.xml">http://hardened.gentoo.org/grsecurity.xml</a>
+ </td>
+ </tr>
+ </table>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/primer.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated February 7, 2007</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>A Primer on Hardened Gentoo.</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:method@gentoo.org" class="altlink"><b>Joshua Brindle</b></a>
+ <br><i>Author</i><br><br>
+ <a href="mailto:tocharian@gentoo.org" class="altlink"><b>Adam Mondl</b></a>
+ <br><i>Contributor</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>Ned Ludd</b></a>
+ <br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
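Review bot: The ASLR paragraph in this hunk (`PaX mitigates this problem by randomly placing each function and buffer in an application in memory`) claims per-function and per-buffer randomization, but PaX randomizes the base of each mapping (the executable for PIE/ET_DYN, libraries, stack, heap and mmap area), so a single leaked pointer reveals the layout of its whole mapping; I would reword to `by randomizing the base addresses of the executable, its libraries, the stack and the heap`. The PAGEEXEC paragraph should also carry a caveat that the software emulation it describes applies to legacy x86 without an NX bit — where the CPU provides NX/XD (amd64, PAE-enabled x86) PaX uses the hardware bit and the overhead warning does not apply — worth confirming against the PaX documentation before stating it. Since this file is a rendered preview, both wordings belong in the primer.xml source rather than in this HTML. Separately, the generated chrome uses an inline `OnChange="location.href=…"` handler and an `http://` iframe without a `title`; that is template output and not fixable in this hunk, but it prevents serving these pages under a strict CSP and over HTTPS without mixed content.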
diff --git a/html/roadmap.html b/html/roadmap.html
new file mode 100644
index 0000000..7f943ab
--- /dev/null
+++ b/html/roadmap.html
@@ -0,0 +1,304 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Hardened Gentoo Roadmap</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Hardened Gentoo Roadmap</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Where the Hardened Gentoo Project Is Today</option>
+<option value="#doc_chap2">2. Short-Term Goals</option>
+<option value="#doc_chap3">3. Long-Term Goals</option>
+<option value="#doc_chap4">4. Roadmap Tracking</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Where the Hardened Gentoo Project Is Today</p>
+<p>
+Past Hardened Gentoo work has focused on developing the hardened toolchain into
+the more mature, consistent approach that it currently takes. It is
+implemented as a patchset for gcc with rules that control object code creation
+and linking scenarios. Since the spotlight of development is no longer on the
+design aspect of the toolchain, the goals of the Hardened Gentoo Project must
+shift accordingly.
+</p>
+<p>
+Similarly, the access control systems offered by the Hardened Gentoo Project
+have continued to mature, and both Grsecurity2 and the latest version of
+SELinux are now offered. Recent work by Guillaume Destuynder (kang) has also
+introduced RSBAC as another access control system available to Hardened Gentoo
+users.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Short-Term Goals</p>
+<p class="secthead"><a name="doc_chap2_sect1">Hardened Toolchain</a></p>
+<p>
+Now is the time to take a step back and examine the work that has been done so
+far. A review of the current approach that the hardened toolchain takes is
+needed. There may be ways to strengthen the current implementation or areas of
+code that can be cleaned up to allow changes to be pushed upstream easier.
+</p>
+<p>
+As a lingering effect of the previous hardened toolchain, many ebuilds
+currently filter hardened CFLAGS such as -fPIC and -fstack-protector. Work can
+now be devoted to reviewing those packages and seeking alternate solutions for
+the filters. Also, the hardened code in flag-o-matic.eclass should be reviewed
+and possibly rewritten.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">Access Control Systems</a></p>
+<p><b>Grsecurity</b></p>
+<ul>
+<li>
+Documents regarding Grsecurity are currently a major need for Gentoo. The
+existing Grsecurity2 document needs to be converted to Handbook XML. Also, a
+document describing the RBAC system in more detail is needed.
+</li>
+</ul>
+<p><b>SELinux</b></p>
+<ul>
+<li>
+Strengthen and extend current policies.
+</li>
+<li>
+Extend support to more architectures.
+</li>
+<li>
+Policy module support.
+</li>
+<li>
+Additional Daemon Policies.
+</li>
+</ul>
+<p><b>RSBAC</b></p>
+<ul>
+<li>
+Bring policy support tool to Gentoo packages.
+</li>
+<li>
+Develop default Gentoo policies with policy support tool.
+</li>
+<li>
+Enhance current documentation, and possibly add documentation about desktop
+RSBAC.
+</li> </ul>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Long-Term Goals</p>
+<p class="secthead"><a name="doc_chap3_sect1">Documentation</a></p>
+<p>
+The Hardened Gentoo Project is currently very lacking in documentation. The
+hardened toolchain needs to be documented fully, and older documents that have
+a relationship to the toolchain need to be updated, such as the SSP, PIE, and PIC
+documents. Also, comparative documents should be written to explain the choices
+that Hardened Gentoo has made in deciding which security tools to support and
+which not to support.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">Support More Architectures</a></p>
+<p>
+A long-term goal of the Hardened Gentoo Project is to support all of the
+architectures that are officially supported by Gentoo. The only strong support
+that exists at the moment is for x86.
+</p>
+<p>
+The hardened toolchain supports x86, amd64, and sparc64, and would like to extend
+support to ppc, ppc64, s390, and similar architectures. With access to different
+kinds of hardware, hardened support can slowly be extended to those architectures
+as well.
+</p>
+<p class="secthead"><a name="doc_chap3_sect3">Expand the Hardened Team</a></p>
+<p>
+There will always be unfinished tasks for the Hardened Team. Users who take a
+proactive approach to finding places for improvement and filling in the holes
+will be noticed and probably recruited. Current Hardened Team members will be
+responsible for training new developers to fill new roles. If you are
+interested in helping out, stop by the IRC channel and let someone know what
+you are interested in and what you will be doing about it. Input/peer review
+should always be welcome as it helps everyone out in the long run.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Roadmap Tracking</p>
+<p class="secthead"><a name="doc_chap4_sect1">Hardened Toolchain</a></p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Description</b></td>
+<td class="infohead"><b>Coordinator(s)</b></td>
+<td class="infohead"><b>Status</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">x86 Support</td>
+<td class="tableinfo">solar</td>
+<td class="tableinfo">Complete</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">amd64 Support</td>
+<td class="tableinfo">solar,r2d2</td>
+<td class="tableinfo">In experimental</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">sparc32 Support</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Unassigned</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">sparc64 Support</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Stalled</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">ppc Support</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">In testing</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">ppc64 Support</td>
+<td class="tableinfo">solar,dostrow</td>
+<td class="tableinfo">seed stage built</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">s390 Support</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Unassigned</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">hppa Support</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Not supported</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">arm Support</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Unassigned (uclibc only)</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">mips Support</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Unassigned (uclibc only)</td>
+ </tr>
+</table>
+<p class="secthead"><a name="doc_chap4_sect2">SELinux</a></p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Description</b></td>
+<td class="infohead"><b>Coordinator(s)</b></td>
+<td class="infohead"><b>Status</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Strengthen and extend the current policies</td>
+<td class="tableinfo">pebenito/kaiowas</td>
+<td class="tableinfo">In Progress</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Extend support to more architectures</td>
+<td class="tableinfo">pebenito</td>
+<td class="tableinfo">In Progress</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Policy module support</td>
+<td class="tableinfo">pebenito</td>
+<td class="tableinfo">In Progress</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Additional Daemon Policies</td>
+<td class="tableinfo">pebenito/kaiowas</td>
+<td class="tableinfo">In Progress</td>
+ </tr>
+</table>
+<p class="secthead"><a name="doc_chap4_sect3">RSBAC</a></p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Description</b></td>
+<td class="infohead"><b>Coordinator(s)</b></td>
+<td class="infohead"><b>Status</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Bring policy support tool to Gentoo packages.</td>
+<td class="tableinfo">kang</td>
+<td class="tableinfo">In Progress</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Enhance RSBAC Documentation</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Unassigned</td>
+ </tr>
+</table>
+<p class="secthead"><a name="doc_chap4_sect4">Documentation</a></p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Description</b></td>
+<td class="infohead"><b>Coordinator(s)</b></td>
+<td class="infohead"><b>Status</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Comparative analysis of security approaches taken by distributions.</td>
+ <td class="tableinfo">Dave Monnier</td>
+<td class="tableinfo">In Progress</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Rework Grsecurity Documentation</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Unassigned</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Update/Rewrite Propolice Documentation</td>
+<td class="tableinfo">Adam Mondl</td>
+<td class="tableinfo">In Progress</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Document the Hardened Toolchain</td>
+<td class="tableinfo"></td>
+<td class="tableinfo">Unassigned</td>
+ </tr>
+</table>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 9, 2005</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+A roadmap that plots current needs and goals of the
+Hardened Gentoo project.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:tocharian@gentoo.org" class="altlink"><b>Adam Mondl</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:tigger@gentoo.org" class="altlink"><b>Rob Holland</b></a>
+<br><i>Editor</i><br><br>
+ <a href="mailto:solar@gentoo.org" class="altlink"><b>Ned Ludd</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:method@gentoo.org" class="altlink"><b>Joshua Brindle</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:kang@gentoo.org" class="altlink"><b>Guillaume Destuynder</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:pappy@retired" class="altlink"><b>Alexander Gabert</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:tseng@retired" class="altlink"><b>Brandon Hale</b></a>
+<br><i>Contributor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/rsbac/index.html b/html/rsbac/index.html
new file mode 100644
index 0000000..b5bcada
--- /dev/null
+++ b/html/rsbac/index.html
@@ -0,0 +1,164 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Projects
+--
+ Rule Set Based Access Control</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Rule Set Based Access Control</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Project Description</option>
+<option value="#doc_chap2">2. Project Goals</option>
+<option value="#doc_chap3">3. What is RSBAC?</option>
+<option value="#doc_chap4">4. Subprojects</option>
+<option value="#doc_chap5">5. Planned subprojects</option>
+<option value="#doc_chap6">6. Resources</option>
+<option value="#doc_chap7">7. How Do I Use This?</option>
+<option value="#doc_chap8">8. I Want to Participate</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Project Description</p>
+<p>
+This project manages the RSBAC support within Gentoo. This includes providing kernels with RSBAC support (loosely based on the hardened-sources), administration utilites to manage and write strong Gentoo-specific policies. RSBAC works on many different architectures using both the 2.4 or 2.6 Linux kernels.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Project Goals</p>
+<p>
+This project aims to make RSBAC available to more users, improve it, and improve it's integration in Gentoo Linux. We are developing a policy for the base system and the common daemons, as well as other popular programs. Currently we are mostly targetting servers, but desktops will also be supported in the future.
+The required tool for the policies is still being developped.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>What is RSBAC?</p>
+<p>
+ <a href="http://www.rsbac.org/">RSBAC</a> (Rule Set Based Access Control) is free Open Source (GPL) Linux kernel security extension. RSBAC's main concept is modularity. It uses <a href="http://rsbac.org/documentation:different_models">several</a> well-known and new security models, including MAC, ACLs, PaX and RC among a few others. RSBAC has control over individual users and program network accesses using any combination of the possible security models. It is also as extensible as it is modular: you can write your own models for runtime registration. Finally, RSBAC provides an excellent support for the most newest stable and development Linux kernels.It is in production use from January 2000 and has proven to be very stable. You are also suggested to read the more detailled <a href="http://www.gentoo.org/proj/en/hardened/rsbac/overview.xml">overview</a>.
+</p>
+<p>
+ However, RSBAC itself is not a complete security solution by itself: it only gives the possibility of applying security models. Fortunately, it works well with other Hardened projects to bring you a complete solution.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Subprojects</p>
+<p>The RSBAC
+ project has the following subprojects:
+ </p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Project</b></td>
+ <td class="infohead"><b>Lead</b></td>
+ <td class="infohead"><b>Description</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">x86</td>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">
+ Support for the x86 architecture.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Documentation</td>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">
+ Full documentation for the RSBAC project.
+</td>
+ </tr>
+ </table>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Planned subprojects</p>
+<p>The RSBAC
+ project has the following subprojects planned:
+ </p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Project</b></td>
+ <td class="infohead"><b>Description</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Base Policy</td>
+ <td class="tableinfo">
+ RSBAC policy for the core system, including users, administrators, and
+ daemons in the system profile.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Desktop</td>
+ <td class="tableinfo">
+ RSBAC support on desktops.
+</td>
+ </tr>
+ </table>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>Resources</p>
+<p>Resources offered by the
+ RSBAC
+ project are:</p>
+<ul>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/rsbac/overview.xml">RSBAC Overview</a>
+ </li>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/rsbac/quickstart.xml">RSBAC Quickstart</a>
+ </li>
+ </ul>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>How Do I Use This?</p>
+<p>
+ RSBAC can be installed new on a system by following the above install guide
+ for your architecture. If there is not an install guide for your architecuture
+ yet, it is still possible to install by following the <a href="http://www.gentoo.org/doc/en/handbook/index.xml">Gentoo Handbook</a>.
+ When the system is installed, convert it to RSBAC by using the
+ Quickstart Guide.
+ It is suggested that you use the Hardened profile or use "hardened pie" as your USE flags during this installation.
+
+</p>
+<p>
+ Converting a preexisting Gentoo installation to RSBAC can be done by
+ following the Quickstart Guide.
+</p>
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
+ </span>I Want to Participate</p>
+<p>
+ To participate in the RSBAC project first join the mailing list at
+ <span class="code" dir="ltr">gentoo-hardened@gentoo.org</span>. Then ask if there are plans to support
+ something that you are interested in, propose a new subproject that you are
+ interested in or choose one of the planned subprojects to work on. You may talk
+ to the developers and users in the IRC channel <span class="code" dir="ltr">#gentoo-hardened</span> on
+ <span class="code" dir="ltr">irc.freenode.net</span> for more information or just to chat about the project
+ or any subprojects. If you don't have the ability to actively help by
+ contributing work we will always need testers to use and audit the RSBAC
+ policies. All development, testing, and productive comments and feedback will
+ be greatly appreciated.
+
+</p>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="index.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>RSBAC is Mandatory Access Control security system based on the GFAC framework logic. It includes standard models, like the Role Compatibility, Access Control Lists and Mandatory Access Control. RSBAC enforces access control rules on your operating system.</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">Gentoo Project<br><i>script generated</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/rsbac/intro.html b/html/rsbac/intro.html
new file mode 100644
index 0000000..233a911
--- /dev/null
+++ b/html/rsbac/intro.html
@@ -0,0 +1,113 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Rule Set Based Access Control (RSBAC) for Linux -
+Introduction</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Rule Set Based Access Control (RSBAC) for Linux -
+Introduction</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. References</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p class="secthead"><a name="doc_chap1_sect1">Traditional access
+control systems and RSBAC</a></p>
+<p> Traditional access control systems used to be melted into the system
+kernel. The actual security policy was deeply connected to the whole
+design of the system and hard-coded into the security part, making
+modifications to meet changed requirements a difficult task. </p>
+<p> In this work I used a new proposal by L. J. La Padula, based on the
+"Generalized Framework for Access Control", which was developed by
+a working group led by Marshall Abrams at MITRE. By division of the
+functional components they made it possible to simply configure many
+different security policies based on well-known and easily extensible
+models. </p>
+<p class="secthead"><a name="doc_chap1_sect2">Implementation</a></p>
+<p> For the implementation I choosed the Unix Linux variant of Unix,
+thanks to it's freely available source code. It is also very stable and
+near to both La Padula's example system and also common Unix standards,
+making the results easy to transfer to other systems. The package was
+named "Rule Set Based Access Control" (RSBAC). </p>
+<p> Using a Unix like system produced the major goal of extending a
+weak, discretionary access control by a new, stronger, more flexible
+and mandatory control. Instead of encoding it should make the adaption
+of security policies possible by administration of several security
+modules. Easy addition of other security modules was to be included
+as well. </p>
+<p> In this thesis La Padula's proposal is checked, extended, completed
+for a real system and at last implemented in it. </p>
+<p> As a special example for the ability of integration Dr. Simone
+Fischer-Huebner's complex Privacy Model was chosen, implementing it for
+the first time in a real system. Its adaption to my concept was done
+together with Simone Fischer-Huebner. </p>
+<p> Placing a focus on Privacy, the extensive logging is done using
+pseudonyms that can be changed and read only by security managers or
+data protection managers. </p>
+<p> In the end the gain in security and safety is checked against the
+ITSEC funtional criteria, extended by two privacy goals. </p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>References</p>
+<p> <a href="http://www.cs.kau.se/~simone/">http://www.cs.kau.se/~simone/</a>
+</p>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="intro.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 2 June 2004</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> This document should introduce you to the RSBAC
+access control system. </p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:ao@rsbac.org" class="altlink"><b>Amon Ott</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:albeiro@gentoo.pl" class="altlink"><b>Michal Purzynski</b></a>
+<br><i>Editor</i><br><br>
+ <a href="mailto:kang@gentoo.org" class="altlink"><b>Guillaume Destuynder</b></a>
+<br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/rsbac/overview.html b/html/rsbac/overview.html
new file mode 100644
index 0000000..190648b
--- /dev/null
+++ b/html/rsbac/overview.html
@@ -0,0 +1,225 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Rule Set Based Access Control (RSBAC) for Linux - Overview</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Rule Set Based Access Control (RSBAC) for Linux - Overview</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Key features</option>
+<option value="#doc_chap2">2. What is RSBAC?</option>
+<option value="#doc_chap3">3. Implemented models</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Key features</p>
+<ul>
+<li>Free Open Source (GPL) Linux kernel security extension</li>
+<li>Independent of governments and big companies</li>
+<li>Several well-known and new security models, including MAC, ACL and RC</li>
+<li>Control over individual users and program network accesses</li>
+<li>Any combination of models is possible</li>
+<li>Easily extensible: write your own model for runtime registration</li>
+<li>Supports all the current kernels</li>
+<li>Stable for production use</li>
+</ul>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>What is RSBAC?</p>
+<p>
+RSBAC is a flexible, powerful and fast open source access control
+framework for current Linux kernels, which has been in stable production
+use since January 2000 (version 1.0.9a). The full developement has been done independentely, and no existing access control code has been reused.
+</p>
+<p>
+The standard package includes a range of access control models like MAC,
+RC, ACL (see below). Furthermore, the runtime registration facility
+(REG) makes it easy to implement your own access control model as a kernel
+module and get it registered at runtime.
+</p>
+<p>
+The RSBAC framework is based on the <a href="http://www.acsac.org/secshelf/book001/09.pdf">Generalized Framework for Access Control (GFAC)</a> by Abrams and LaPadula. All security relevant system calls
+are extended by security enforcement code. This code calls the central
+decision component, which in turn calls all active decision modules and
+generates a combined decision. This decision is then enforced by the
+system call extensions.
+</p>
+<p>
+Decisions are based on the type of access (request type), the access
+target and on the values of attributes attached to the subject calling and
+to the target to be accessed. Additional independent attributes can be
+used by individual modules, e.g. the privacy module (<a href="#doc_chap3_sect4">PM</a>). All attributes
+are stored in fully protected directories, one on each mounted device.
+Thus changes to attributes require special system calls.
+</p>
+<p>
+All types of network accesses can be controlled
+individually for all users and programs. This gives you full control over
+their network behaviour and makes unintended network accesses easier to
+prevent and detect.
+</p>
+<p>
+As all types of access decisions are based on general decision requests,
+many different security policies can be implemented as a decision module.
+Apart from the builtin models shown below, the optional Module
+Registration (REG) allows for registration of additional, individual
+decision modules at runtime.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Implemented models</p>
+<p>
+In the RSBAC version 1.2.5, the following modules are included. Please
+note that all modules are optional.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">MAC</a></p>
+<p>
+Bell-LaPadula Mandatory Access Control
+</p>
+<p class="secthead"><a name="doc_chap3_sect3">UM</a></p>
+<p>
+The User Management in RSBAC is kernel based and complements or totally replace
+Linux’s subsystem.
+Administration of users is enforced with granularity and flexibility.
+</p>
+<p class="secthead"><a name="doc_chap3_sect4">PM</a></p>
+<p>
+Privacy Model. <a href="http://www.cs.kau.se/~simone/">Simone Fischer-Huebner</a>'s Privacy Model in its
+first implementation. See RSBAC <a href="http://rsbac.org/doc/media/niss98.php">paper on PM implementation</a>
+for the National Information Systems Security Conference (NISSC 98)
+</p>
+<p class="secthead"><a name="doc_chap3_sect5">Dazuko</a></p>
+<p>
+This is not really an access control model, but rather a system protection module against
+malware. Execution and reading of malware infected files can be prevented.
+</p>
+<p class="secthead"><a name="doc_chap3_sect6">FF</a></p>
+<p>
+File Flags. Provide and use flags for dirs and files, currently
+execute_only (files), read_only (files and dirs), search_only
+(dirs), secure_delete (files), no_execute (files), add_inherited
+(files and dirs), no_rename_or_delete (files and dirs, no
+inheritance) and append_only(files and dirs). Only FF security
+officers may modify these flags.
+</p>
+<p class="secthead"><a name="doc_chap3_sect7">RC</a></p>
+<p>
+Role Compatibility. Defines roles and types for each target type
+(file, dir, dev, ipc, scd, process). For each role, compatibility
+to all types and to other roles can be set individually and with
+request granularity. For administration there is a fine grained
+separation-of-duty. Granted rights can have a time limit. Please
+also refer to the <a href="http://rsbac.org/doc/media/rc-nordsec2002/index.html">Nordsec 2002 RC Paper</a> for the detailed model
+design and specification.
+</p>
+<p class="secthead"><a name="doc_chap3_sect8">AUTH</a></p>
+<p>
+Authorization enforcement. Controls all CHANGE_OWNER requests for
+process targets, only programs/processes with general setuid
+allowance and those with a capability for the target user ID may
+setuid. Capabilities can be controlled by other
+programs/processes, e.g. authentication daemons.
+</p>
+<p class="secthead"><a name="doc_chap3_sect9">ACL</a></p>
+<p>
+Access Control Lists. For every object there is an Access Control
+List, defining which subjects may access this object with which
+request types. Subjects can be of type user, RC role and ACL
+group. Objects are grouped by their target type, but have
+individual ACLs. If there is no ACL entry for a subject at an
+object, rights are inherited from parent objects, restricted by an
+inheritance mask. Direct (user) and indirect (role, group) rights
+are accumulated. For each object type there is a default ACL on
+top of the normal hierarchy. Group management has been added in
+version 1.0.9a. Granted rights and group memberships can have a
+time limit.
+</p>
+<p class="secthead"><a name="doc_chap3_sect10">CAP</a></p>
+<p>
+Linux Capabilities. For all users and programs you
+can define a minimum and a maximum Linux capability set ("set of
+root special rights"). This lets you e.g. run server programs as
+normal user, or restrict rights of root programs in the standard
+Linux way.
+</p>
+<p class="secthead"><a name="doc_chap3_sect11">JAIL</a></p>
+<p>
+Process Jails. This module adds a new system call
+rsbac_jail, which is basically a superset of the FreeBSD jail
+system call. It encapsulates the calling process and all
+subprocesses in a chroot environment with a fixed IP address and a
+lot of further restrictions.
+</p>
+<p class="secthead"><a name="doc_chap3_sect12">RES</a></p>
+<p>
+Linux Resources. For all users and programs you can
+define a minimum and a maximum Linux process resource set (e.g.
+memory size, number of open files, number of processes per user).
+Internally, these sets are applied to the standard Linux resource
+flags.
+</p>
+<p>
+All decision modules are described in detail on the module description
+page.
+</p>
+<p>
+A general goal of RSBAC design has been to some day reach the (obsolete)
+Orange Book (TCSEC) B1 level.
+</p>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="overview.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 11 October 2005</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This document should give you an overview of RSBAC access control system.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:ao@rsbac.org" class="altlink"><b>Amon Ott</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:albeiro@gentoo.pl" class="altlink"><b>Michal Purzynski</b></a>
+<br><i>Editor</i><br><br>
+ <a href="mailto:kang@gentoo.org" class="altlink"><b>Guillaume Destuynder</b></a>
+<br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/rsbac/quickstart.html b/html/rsbac/quickstart.html
new file mode 100644
index 0000000..2c1bf09
--- /dev/null
+++ b/html/rsbac/quickstart.html
@@ -0,0 +1,353 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/../css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/../favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Rule Set Based Access Control (RSBAC) for Linux - Quickstart</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Rule Set Based Access Control (RSBAC) for Linux - Quickstart</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Installation of the RSBAC enabled kernel</option>
+<option value="#doc_chap3">3. Installation of the RSBAC admin utilities</option>
+<option value="#doc_chap4">4. First boot</option>
+<option value="#doc_chap5">5. Learning mode and the AUTH module</option>
+<option value="#doc_chap6">6. Further information</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p> This guide will help you to install RSBAC on
+Gentoo Linux. It is assumed that the users have read
+the <a href="intro.xml">Introduction</a> and the <a href="overview.xml">Overview</a> already, so that they knows what is
+RSBAC and its main concepts. </p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Installation of the RSBAC enabled kernel</p>
+<p class="secthead"><a name="doc_chap2_sect1">Emerging the RSBAC kernel</a></p>
+<p> This step is pretty straight forward, thanks to the way Gentoo
+handles kernel installations. Start by emerging the rsbac-sources
+kernel from your portage. </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> There are two rsbac-sources kernel available:
+one is for the 2.4 kernel branch, the other is for the newer 2.6 kernel branch.
+</p></td></tr></table>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: RSBAC kernel installation (using the default profile and 2.6 kernel)</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge rsbac-sources</span>
+</pre></td></tr>
+</table>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: RSBAC kernel installation (using the 2.4 kernel, since Gentoo profile 2005.0)</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rm /etc/make.profile</span>
+# <span class="code-input">ln -s /usr/portage/profiles/default-linux/x86/2005.0/2.4/ /etc/make.profile</span>
+# <span class="code-input"> echo "sys-kernel/hardened-sources rsbac" &gt;&gt; /etc/portage/package.use</span>
+# <span class="code-input">emerge hardened-sources</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> It is advised to enable softmode on your first RSBAC kernel. It
+allows you to turn off the RSBAC enforcement in one reboot, for testing
+or in case something goes wrong. Only turn it off once you are sure of
+what you are doing, or of course, for a production kernel. </p></td></tr></table>
+<p class="secthead"><a name="doc_chap2_sect2">Configuring the RSBAC kernel</a></p>
+<p> We will now configure the kernel. It is recommended that you
+enable the following options, in the "Rule Set Based Access Control
+(RSBAC)" category: </p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Configuring and compiling the RSBAC kernel</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Under "General RSBAC options"</span>
+[*] RSBAC proc support
+[*] Check on init
+[*] Support transactions
+[*] Randomize transaction numbers
+[*] RSBAC debugging support
+(400) RSBAC default security officer user ID
+
+<span class="code-comment">Under "User management"</span>
+[*] User management
+<span class="code-comment">Be sure to enable SHA1 in the Crypto API
+Under "Cryptographic options" of the general kernel configuration, tick
+[*] SHA1 digest algorithm
+</span>
+[*] Use Crypto API Digest SHA1 (NEW)
+
+<span class="code-comment">Under "RSBAC networking options"</span>
+[*] RSBAC network support
+[*] Net device control
+[ ] Treat virtual devices as individuals
+[*] Individual network device logging
+[*] Net object control (sockets)
+[*] Control UNIX address family
+[*] Also intercept network object read and write
+[*] Individual network object logging
+
+<span class="code-comment">(Do not turn on "RSBAC Maintenance Kernel", use softmode instead)</span>
+
+<span class="code-comment">Under "Decision module (policy) options"</span>
+[*] Support for Registration of decision modules (REG)
+[*] Build REG sample modules
+----------------------------
+[*] RSBAC support for DAZuko policy <span class="code-comment">(For malware/antivirus scanning)</span>
+DAZ Policy Options ---&gt;
+ (604800) Scanning result lifetime in seconds
+
+<span class="code-comment">For each different policy/module you support you should check it's protection for AUTH module
+and User Management module</span>
+[*] RSBAC support for FF policy
+[*] RSBAC support for RC policy
+[*] RSBAC support for AUTH policy
+<span class="code-comment">Please turn learning option off on production kernels. It is only used while setting up your RSBAC system.</span>
+AUTH Policy Options ---&gt;
+ [*] AUTH learning mode support
+[*] RSBAC support for ACL policy
+[*] RSBAC support for Linux Caps (CAP) policy
+[*] RSBAC support for JAIL policy
+[*] RSBAC support for PAX policy
+[*] RSBAC support for System Resources (RES) policy
+
+<span class="code-comment">Under "Softmode and switching"</span>
+[ ] RSBAC policies switchable
+[*] RSBAC soft mode <span class="code-comment">(Turn that off on production kernels)</span>
+[*] Individual module softmode support
+
+<span class="code-comment">Under "Logging": all except "Log to remote UDP network socket"
+unless you want to log to remote machine</span>
+
+<span class="code-comment">Under "RSBAC symlink redirection"</span>
+[*] RSBAC symlink redirection
+[*] Add remote IP address
+[*] Add user ID number
+[*] Add RC role number
+
+<span class="code-comment">Under "Other RSBAC options"</span>
+[*] Intercept sys_read and sys_write
+[*] Intercept Semaphore IPC operations
+[*] Control DAC process owner (seteuid, setfsuid)
+[*] Hide processes in /proc
+[*] Support freezing of RSBAC configuration
+[*] RSBAC check sys_syslog
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> If you plan to run a X Window server (such as X.org or XFree86),
+please also enable <span class="code" dir="ltr">"[*] X support (normal user MODIFY_PERM access
+to ST_ioports)"</span>.
+Please also see <a href="http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml">Using Xorg on Hardened Gentoo</a></p></td></tr></table>
+<p> We will now configure PaX which is a complement of the RSBAC hardened
+kernel. It is also recommended that you enable the following options,
+in the "Security options ---&gt; PaX" section. </p>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Configuring PaX kernel options</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+[*] Enable various PaX features
+PaX Control ---&gt;
+ [*] Support soft mode <span class="code-comment">(Turn that option off on a production kernel)</span>
+ [ ] Use legacy ELF header marking
+ [ ] Use ELF program header marking
+ Use ELF program header marking MAC system integration (direct) ---&gt;
+ (X) hook
+
+Non-executable pages ---&gt;
+ [*] Enforce non-executable pages (NEW)
+ [*] Paging based non-executable pages
+<span class="code-comment">(You usually want to select the PAGEEXEC method on x86 since on newer PaXs,
+revert to SEGMEXEC if you are having issues)</span>
+ [*] Segmentation based non-executable pages (NEW)
+ [*] Restrict mprotect()
+ [ ] Disallow ELF text relocations <span class="code-comment">(This option breaks too much applications as of now)</span>
+
+Address Space Layout Randomization ---&gt;
+ [*] Address Space Layout Randomization
+ [*] Randomize user stack base
+ [*] Randomize mmap() base
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> You should refer to the <a href="http://pax.grsecurity.net">PaX</a> website for more information
+about PaX. </p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> You must use the RSBAC admin utilities
+to manage PaX, instead of chpax or paxctl with your RSBAC kernel.
+You will be able to move to the PaX item and set the usual PaX flags.
+</p></td></tr></table>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Managing PaX flags</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ # <span class="code-input">rsbac_fd_menu /path/to/the/target/item</span>
+ or
+ # <span class="code-input">attr_set_file_dir FILE /path/to/the/target/item pax_flags [pmerxs]</span>
+</pre></td></tr>
+</table>
+<p> You can now compile and install the kernel as you would do with a
+normal one concerning the other options. </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> It is strongly suggested to build a second kernel without
+the softmode options, neither the AUTH option, in order to use in
+a production environment. Only do that once you finished testing and
+setting up policies, as it'll remove the possiblity of switching off
+the access control system. </p></td></tr></table>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Installation of the RSBAC admin utilities</p>
+<p> In order to administrate your RSBAC enabled Gentoo, some userspace
+utilites are required. Those are included in the rsbac-admin package
+and it needs to be installed. </p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Installing the RSBAC admin utilities</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge rsbac-admin</span>
+</pre></td></tr>
+</table>
+<p> Once emerged, the package will have created a new user account on your
+system (secoff, with uid 400). He will become the security administrator
+during the first boot. This is the only user, who is able to change the
+RSBAC configuration. He will commonly be called the Security Officer.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> Please set-up a <span class="emphasis">secure</span> password for the secoff user.
+</p></td></tr></table>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: Setting up a password for the Security Officer</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">passwd secoff</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>First boot</p>
+<p> At the first boot, login into the system won't be possible, due to the
+AUTH module <span class="emphasis">restricting</span> the programs privileges. To overcome this
+problem please boot into softmode using the following kernel parameter
+(in your lilo or grub configuration): </p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Softmode kernel parameter</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> <span class="code-input">rsbac_softmode</span> </pre></td></tr>
+</table>
+<p> The login application is managing user logins on the system. It
+needs rights to setuid, which we will now give: </p>
+<p> Login as the
+Security Officer (secoff) and allow logins to be made by enterering the
+following command: </p>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Allowing users to login</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ # <span class="code-input">rsbac_fd_menu /bin/login</span>
+ or
+ # <span class="code-input">attr_set_fd AUTH FILE auth_may_setuid 1 /bin/login</span>
+</pre></td></tr>
+</table>
+<p> As an alternative, if softmode isn't enabled, you can also use the
+following kernel parameter in order to allow login at boot time: </p>
+<a name="doc_chap4_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.3: Allowing users to login with a kernel parameter</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-input">rsbac_auth_enable_login</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Learning mode and the AUTH module</p>
+<p class="secthead"><a name="doc_chap5_sect1">Creating a policy for OpenSSH</a></p>
+<p> Because there is almost no policy made yet (except the one generated
+during the first boot), the AUTH module does not allows uid changes.
+</p>
+<p> Thanks to the intelligent learning mode there is an easy way to
+alleviate this new problem: The AUTH module can automagically generate the
+necessary policy by watching services while they start up, and note the
+uids they are trying to switch to. For example to teach the AUTH module
+about the uids needed by sshd (OpenSSH daemon), do the following: </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Make sure that sshd or the daemon you will use the learn mode with isn't running already before enabling learn mode.</p></td></tr></table>
+<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Making a policy for sshd, using the learning mode</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Enable the learning mode for sshd</span>
+# <span class="code-input">attr_set_file_dir AUTH FILE `which sshd` auth_learn 1</span>
+
+<span class="code-comment">Start the service</span>
+# <span class="code-input">/etc/init.d/sshd start</span>
+
+<span class="code-comment">Disable the learning mode</span>
+# <span class="code-input">attr_set_file_dir AUTH FILE `which sshd` auth_learn 0</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> One should also login to the system before switching the learning
+mode off, because sshd will also attempt to change it's uids when the
+user will login in. </p></td></tr></table>
+<p> Now sshd should be working as expected again, <span class="emphasis">congratulations</span>,
+you made your first policy :) The same procedure can be used on every
+other daemon you will need. </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> As an alternative to enable the learning mode for each daemon
+of application you will need, you might want to enable the global
+learning mode (which will learn about everything running, globally,
+as it name tells). </p></td></tr></table>
+<p> You can enable the global learning mode by issuing this kernel
+parameter at boot time: </p>
+<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: Enabling the global learning mode</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-input">rsbac_auth_learn</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>Further information</p>
+<p> It is also strongly suggested that you subscribe to the <a href="http://www.gentoo.org/main/en/lists.xml">gentoo-hardened
+mailing-list</a>. It is generally a low traffic list,
+and RSBAC announcements for Gentoo will be available
+there. We also recommend you to subscribe to the <a href="http://rsbac.org/mailman/listinfo/rsbac/">RSBAC mailing-list</a>.
+Please also check the <a href="http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml">hardened FAQ</a> as your questions might already be covered in this document.
+</p>
+<table class="ntable"> <tr>
+ <td class="tableinfo">Links:</td>
+ <td class="tableinfo"><a href="http://www.rsbac.org">RSBAC Official site</a></td>
+</tr> <tr>
+ <td class="tableinfo">IRC channels:</td> <td class="tableinfo"><a href="irc://irc.freenode.org/gentoo-hardened">#gentoo-hardened</a></td>
+ <td class="tableinfo"><a href="irc://irc.freenode.org/rsbac">#rsbac</a></td>
+</tr> </table>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/rsbac/quickstart.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 15 February 2006</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>This document will guide you through the installation of the
+RSBAC on Gentoo Linux</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:albeiro@gentoo.pl" class="altlink"><b>Michal Purzynski</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:kang@gentoo.org" class="altlink"><b>Guillaume Destuynder</b></a>
+<br><i>Editor</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/rsbac/transition.html b/html/rsbac/transition.html
new file mode 100644
index 0000000..c33a09f
--- /dev/null
+++ b/html/rsbac/transition.html
@@ -0,0 +1,90 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Rule Set Based Access Control (RSBAC) for Linux -
+Transition from rsbac-sources to hardened-sources </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Rule Set Based Access Control (RSBAC) for Linux -
+Transition from rsbac-sources to hardened-sources </h1>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>RSBAC</p>
+<p class="secthead"><a name="doc_chap1_sect1">Why ?</a></p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> Currently only the 2.4 kernels are affected </p></td></tr></table>
+<p> All hardened patches are currently present in the hardened-sources
+ kernel. SELinux as well as GrSecurity MAC solutions are also present.
+ The current RSBAC kernel is simply a copy of this hardened-sources
+ kernel, with RSBAC patches added and GrSecurity patches disabled. </p>
+<p> When users are looking for the kernel to install, they install
+ this very one. Most often, they assume the RSBAC kernel is simply not
+ present because not inside of the "hardened kernel". </p>
+<p> Finally, why having two versions of the almost same kernel when
+ it can just be one ? </p>
+<p class="secthead"><a name="doc_chap1_sect2">How ?</a></p>
+<p> The transition is very simple. In short, you just have to emerge
+ the hardened-sources kernel instead of the usual rsbac-sources one.
+ Make sure to also add the rsbac local use flag so that the RSBAC
+ patches get applied. </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> Make sure you are using the 2.4 kernel. 2.6 kernels have not yet been
+ transitionned </p></td></tr></table>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Adding the rsbac local use flag</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ # <span class="code-input">echo "sys-kernel/hardened-sources rsbac" &gt;&gt; /etc/portage/packages.use</span>
+ # <span class="code-input">emerge hardened-sources</span>
+</pre></td></tr>
+</table>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="transition.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 15 February 2006</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> This document will help you transioning from
+rsbac-sources to hardened-sources </p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:kang@gentoo.org" class="altlink"><b>Guillaume Destuynder</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-install.html b/html/selinux/hb-install.html
new file mode 100644
index 0000000..167065d
--- /dev/null
+++ b/html/selinux/hb-install.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Gentoo SELinux Installation</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>SELinux is only supported on servers. Workstation support
+will happen in the future.</p></td></tr></table>
+<p>
+The installation of Gentoo SELinux is the same as regular Gentoo. The regular
+install should be followed from the
+<a href="http://www.gentoo.org/doc/en/handbook/index.xml">Gentoo Handbook</a>,
+keeping in mind the following notes. Then the
+system should converted to SELinux using the
+<span title="Link to other book part not available"><font color="#404080">(SELinux Conversion Guide)</font></span>.
+It is recommended to use the hardened stage 3 tarball if you are building a
+hardened Gentoo system (which is also recommended).
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Installation Notes</p>
+<p class="secthead"><a name="doc_chap1_sect1">Filesystems</a></p>
+<p>
+Only ext2, ext3, ext4, JFS, XFS and Btrfs are supported at this time. Reiserfs
+ does not provide the necessary XATTR support, and Reiser4 is not well tested.
+</p>
+<p>
+XFS users should use 512 byte inodes (the default is 256). SELinux keeps
+file security lables in the extended attributes, which XFS stores in
+the inode. If the inode is too small an extra block has to be used, which
+wastes a lot of space and incurs performace penalties.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example XFS filesystem creation command</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">mkfs.xfs -i size=512 /dev/hda3</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Kernel</a></p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Kernels 2.6.14 and 2.6.15 have broken SELinux XFS support.</p></td></tr></table>
+<p>
+You can save time by looking ahead to the <span title="Link to other book part not available"><font color="#404080">(kernel options)</font></span>
+required for SELinux, to save compiling the kernel multiple times.
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 15, 2010</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-conv-profile.html b/html/selinux/hb-selinux-conv-profile.html
new file mode 100644
index 0000000..fc6ff15
--- /dev/null
+++ b/html/selinux/hb-selinux-conv-profile.html
@@ -0,0 +1,118 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Change Profile</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other filesystems
+lack the complete extended attribute support.</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Users should convert from a 2006.1 or newer profile otherwise
+there may be unpredictable results.</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>As always, keep a LiveCD at hand in case things go wrong.</p></td></tr></table>
+<p>First switch your profile to the SELinux profile for your architecture:</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switch profiles</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rm -f /etc/make.profile</span>
+
+
+<span class="code-comment">x86 (server):</span>
+# <span class="code-input">ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/make.profile</span>
+<span class="code-comment">x86 (hardened):</span>
+# <span class="code-input">ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/make.profile</span>
+<span class="code-comment">AMD64:</span>
+# <span class="code-input">ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/make.profile</span>
+<span class="code-comment">AMD64 (hardened):</span>
+# <span class="code-input">ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /etc/make.profile</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>You can also switch profiles with eselect if you have the gentoolkit
+ package installed. That method is not shown here because the specific options
+ available and their numbering will vary according to your system
+ configuration.</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Do not use any profiles other than the ones listed above, even
+if they seem to be out of date. SELinux profiles are not necessarily
+created as often as default Gentoo profiles.</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>The SELinux profile has significanly fewer USE flags asserted than
+the default profile. Use <span class="code" dir="ltr">emerge info</span> to see if any use flags
+need to be reenabled in make.conf.</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>It is not necessary to add selinux to your USE flags in make.conf.
+The SELinux profile already does this for you.
+</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ You may encounter this message from portage: "!!! SELinux module not found.
+ Please verify that it was installed." This is normal, and will be fixed
+ later in the conversion process.
+</p></td></tr></table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Update Kernel Headers</p>
+<p>
+ We will start by updating essential packages. First check which version
+ of linux-headers is installed.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Check linux-headers version</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge -s linux-headers</span>
+<span class="code-comment">or if you have gentoolkit installed:</span>
+# <span class="code-input">equery list -i linux-headers</span>
+</pre></td></tr>
+</table>
+<p>
+ If the linux-headers version is older than 2.4.20, newer headers must be merged.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Merge newer headers</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge \&gt;=sys-kernel/linux-headers-2.4.20</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Update Glibc</p>
+<p>
+ If you have merged new headers, or you are unsure if your glibc was
+ compiled with newer headers, you must recompile glibc.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recompile glibc</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge glibc</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
+ This is a critical operation. Glibc must be compiled with newer linux-headers,
+ otherwise some operations will malfunction.
+</p></td></tr></table>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 15, 2010</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-conv-reboot1.html b/html/selinux/hb-selinux-conv-reboot1.html
new file mode 100644
index 0000000..3724b71
--- /dev/null
+++ b/html/selinux/hb-selinux-conv-reboot1.html
@@ -0,0 +1,209 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/../../css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/../../favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Merge a SELinux Kernel</p>
+<p>Merge an appropriate kernel. A 2.6 kernel is required. The
+ suggested kernel is hardened-sources.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>2.6.28-r9 is the current hardened release version at the time of this writing,
+ and all instructions in this document assume at least this version.</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they
+ have bugs in the SELinux XFS support.</p></td></tr></table>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Merge an appropriate kernel</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Any 2.6 kernel</span>
+# <span class="code-input">emerge hardened-sources</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Compile the Kernel with SELinux Options</p>
+<p>The kernel must be compiled with security module support, SELinux support,
+devpts, and extended attribute security labels. Refer to the main installation
+guide for futher kernel options.</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+The available options may vary slightly depending on the kernel version
+being used. In particular, Btrfs first became available with the 2.6.29
+kernel, and the /dev/pts and tmpfs Extended Attributs and Security Labels
+options were obsoleted in kernel 2.6.13 (they are now enabled by default).
+"Default Linux Capabilies" under "Security options" was obsoleted in the
+2.6.26 kernel (it is now enabled by default).
+
+XFS always enables security labeling, so there is no additional option
+to set for this file system
+
+Ext4 should work, but is NOT well tested at the time of this writing!
+
+Any extended attribute options not specifically enabled below should be turned
+off.
+</p></td></tr></table>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Location and required options under menuconfig</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Under "General setup"</span>
+[*] Prompt for development and/or incomplete code/drivers
+[*] Auditing support
+[*] Enable system-call auditing support
+
+<span class="code-comment">Under "File systems"</span>
+&lt;*&gt; Second extended fs support <span class="code-comment">(If using ext2)</span>
+[*] Ext2 extended attributes
+[ ] Ext2 POSIX Access Control Lists
+[*] Ext2 Security Labels
+[ ] Ext2 Execute in place support
+&lt;*&gt; Ext3 journalling file system support <span class="code-comment">(If using ext3)</span>
+[*] Ext3 extended attributes
+[ ] Ext3 POSIX Access Control Lists
+[*] Ext3 Security labels
+&lt;*&gt; The Extended 4 (ext4) filesystem <span class="code-comment">(If using ext4)</span>
+[ ] Enable ext4dev compatibility
+[*] Ext4 extended attrributes
+[ ] Ext4 POSIX Access Control Lists
+[*] Ext4 Security Labels
+&lt;*&gt; JFS filesystem support <span class="code-comment">(If using JFS)</span>
+[ ] JFS POSIX Access Control Lists
+[*] JFS Security Labels
+[ ] JFS debugging
+[ ] JFS statistics
+&lt;*&gt; XFS filesystem support <span class="code-comment">(If using XFS)</span>
+[ ] XFS Quota support
+[ ] XFS POSIX ACL support
+[ ] XFS Realtime subvolume support (EXPERIMENTAL)
+[ ] XFS Debugging Support
+&lt;*&gt; Btrfs filesystem (EXPERIMENTAL) Unstable disk format <span class="code-comment">(if
+using Btrfs)</span>
+[ ] Btrfs POSIX Access Control Lists (NEW)
+<span class="code-comment">Under "Pseudo filesystems (via "File systems")</span>
+[ ] /dev file system support (EXPERIMENTAL)
+[*] /dev/pts Extended Attributes
+[*] /dev/pts Security Labels
+[*] Virtual memory file system support (former shm fs)
+[*] tmpfs Extended Attributes
+[*] tmpfs Security Labels
+
+<span class="code-comment">Under "Security options"</span>
+[*] Enable different security models
+[*] Socket and Networking Security Hooks
+&lt;*&gt; Default Linux Capabilities
+[*] NSA SELinux Support
+[ ] NSA SELinux boot parameter
+[ ] NSA SELinux runtime disable
+[*] NSA SELinux Development Support
+[ ] NSA SELinux AVC Statistics
+(1) NSA SELinux checkreqprot default value
+[ ] NSA SELinux enable new secmark network controls by default
+[ ] NSA SELinux maximum supported policy format version
+ Default security module (SELinux) ---&gt;
+</pre></td></tr>
+</table>
+<p>
+ The extended attribute security labels must be turned on for devpts and
+ your filesystem(s). Devfs is not usable in SELinux, and should be
+ turned off. Not all options exist on older 2.6 kernels,
+ such as Auditing support, and runtime disable. In newer kernels,
+ the extended attributes support for proc and the virtual memory fs (tmpfs)
+ are enabled by default; thus, no options will appear in menuconfig.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>It is recommended to configure PaX if you are using harded-sources (also
+recommended). More information about Pax can be found in the <a href="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">Hardened Gentoo
+PaX Quickstart Guide</a>.
+</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
+ Do not enable the SELinux MLS policy option if its available, as it is
+ not supported, and will cause your machine to not start.
+</p></td></tr></table>
+<p>
+ Now compile and install the kernel and modules, but do not reboot.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Update fstab</p>
+<p>
+ SElinuxfs must also be enabled to mount at boot.
+ Add this to /etc/fstab:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fstab settings for selinuxfs</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+none /selinux selinuxfs defaults 0 0
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Configure Baselayout</p>
+<p>
+SELinux does not support devfs. You must configure baselayout to
+use either static device nodes or udev. If using udev, the
+device tarball must be disabled. Edit the /etc/conf.d/rc file.
+Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no.
+If you have several custom device nodes, static is suggested,
+otherwise udev is suggested (udev is the default at the time of this writing).
+For more information on udev, consult the <a href="http://www.gentoo.org/doc/en/udev-guide.xml">Gentoo UDEV Guide</a>.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Init script configuration</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# Use this variable to control the /dev management behavior.
+# auto - let the scripts figure out what's best at boot
+# devfs - use devfs (requires sys-fs/devfsd)
+# udev - use udev (requires sys-fs/udev)
+# static - let the user manage /dev
+
+RC_DEVICES="<span class="code-comment">udev</span>"
+
+# UDEV OPTION:
+# Set to "yes" if you want to save /dev to a tarball on shutdown
+# and restore it on startup. This is useful if you have a lot of
+# custom device nodes that udev does not handle/know about.
+
+RC_DEVICE_TARBALL="<span class="code-comment">no</span>"
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Reboot</p>
+<p>
+ We need to make some directories before we reboot.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Making Required Directories</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">mkdir /selinux</span>
+# <span class="code-input">mkdir /sys</span>
+</pre></td></tr>
+</table>
+<p>
+ Now reboot.
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 6, 2010</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-conv-reboot2.html b/html/selinux/hb-selinux-conv-reboot2.html
new file mode 100644
index 0000000..f26e1aa
--- /dev/null
+++ b/html/selinux/hb-selinux-conv-reboot2.html
@@ -0,0 +1,244 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="../../css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="../../favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Merge SELinux Packages</p>
+<p>Merge the libraries, utilities and base-policy. The policy version may need
+ be adjusted, refer to the SELinux Overview
+ for more information on policy versions. Then load the policy.</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Merge base SELinux packages and policy</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge -1 checkpolicy policycoreutils</span>
+# <span class="code-input">FEATURES=-selinux emerge -1 selinux-base-policy</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+The "FEATURES=-selinux" part of the emerge command should only be used on the above command.
+It is required to merge selinux-base-policy (only for the first time) as the portage SELinux features require both policycoreutils and selinux-base-policy otherwise portage will fail.
+</p></td></tr></table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Choose the policy type</p>
+<p>
+New in 2006.1, users now have the choice between the strict policy and the
+targeted policy.
+</p>
+<p>
+In the strict policy, all processes are confined.
+If you are familiar with pre 2006.1 Gentoo SELinux policy, that policy was a strict policy.
+Strict policy is suggested for servers.
+Gentoo does not support the strict policy on desktops.
+</p>
+<p>
+The targeted policy differs with strict, as only network-facing services are
+confined and local users are unconfined. Gentoo only supports desktops with
+the targeted policy. This policy can also be used on servers.
+</p>
+<p>
+Edit the /etc/selinux/config file to set the policy type.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config contents</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive <span class="code-comment">(This should be set permissive for the remainder of the install)</span>
+
+# SELINUXTYPE can take one of these two values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+SELINUXTYPE=strict <span class="code-comment">(Set this as strict or targeted)</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Merge SELinux-patched packages</p>
+<p>
+ There are several system packages that have SELinux patches. These patches
+ provide a variety of additional SELinux functionality, such as displaying
+ file contexts.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Remerge Packages</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge -1 sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ If you find that you can't use portage due to a errors like these:
+ !!! 'module' object has no attribute 'secure_rename' or
+ AttributeError: 'module' object has no attribute 'getcontext', this is
+ a portage bug, where it can't handle a missing python-selinux. Merge it
+ with "FEATURES=-selinux emerge python-selinux" to fix the problem. See
+ bug <a href="http://bugs.gentoo.org/show_bug.cgi?id=122517">#122517</a>
+ for more information.
+</p></td></tr></table>
+<p>There are other packages that have SELinux patches, but are optional. These
+should be remerged if they are already installed, so the SELinux patches are
+applied:</p>
+<ul>
+<li>app-admin/logrotate</li>
+<li>sys-apps/fcron</li>
+<li>sys-apps/vixie-cron</li>
+<li>sys-fs/device-mapper</li>
+<li>sys-fs/udev</li>
+<li>sys-libs/pwdb</li>
+</ul>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ Fcron and Vixie-cron are the only crons with SELinux support.
+</p></td></tr></table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>The above packages are NOT an exhaustive list; they are only the most
+common ones. In general, any package installed on the system which has the
+selinux USE flag should be remerged. To see which packages may need to be
+merged, you can:
+emerge -upDN world
+
+Since changing to the selinux profile has changed your USE flags, the above
+will get everything that is listening to the selinux USE flag. It will
+probably also get some other stuff as well. To actually remerge everything,
+simply remove the 'p', or manually specify the packages you want to remerge.
+</p></td></tr></table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Merge Application Policies</p>
+<p>
+ In future, when merging a package, the policy will be set as a dependency so
+ that it is merged first; however, since the system is being converted, policy
+ for currently installed packages must be merged. The selinux-base-policy
+ already covers most packages in the system profile.
+</p>
+<p>
+ Look in the <span class="code" dir="ltr">/usr/portage/sec-policy</span>, it has several entries, each which
+ represent a policy. The naming scheme is selinux-PKGNAME, where PKGNAME is
+ the name of the package that the policy is associated. For example, the
+ selinux-apache package is the SELinux policy package for net-www/apache.
+ Merge each of the needed policy packages and then load the policy.
+ If you are converting a desktop, make sure to include the selinux-desktop policy package.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example Merge of Apache and BIND policies</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">ls /usr/portage/sec-policy</span>
+<span class="code-comment">(many directories listed)</span>
+
+# <span class="code-input">emerge -1 selinux-apache selinux-bind</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Label Filesystems</p>
+<p>
+ Before you can relabel the rest of the filesystems, you need to first relabel
+ /dev. Strictly speaking, this is only necessary if you aren't using a static
+ /dev. However, as the vast majority of current and new systems are going to
+ be built with udev, this probably means you are using udev as well. There
+ are a lot of different ways to get at this problem, but the steps below are
+ easy to do and work.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-input"># mkdir /mnt/gentoo
+# mount -o bind / /mnt/gentoo
+# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev
+# umount /mnt/gentoo
+</span>
+ </pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Remember to select one of {strict,targeted} above based on your
+ enforcement mode.</p></td></tr></table>
+<p>
+ Now label the filesystems. This gives each of the files in the filesystems
+ a security label. Keeping these labels consistent is important.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Label filesystems</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg -a -r</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
+ There is a known issue with older versions of GRUB
+ not being able to read symlinks that have been labeled.
+ Please make sure you have at least GRUB 0.94 installed.
+ Also rerun GRUB and reinstall it into the MBR to ensure
+ the updated code is in use.
+ You do have a LiveCD handy, right?
+</p></td></tr></table>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reinstall GRUB on the MBR (GRUB users only)</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">grub</span>
+
+grub&gt; root (hd0,0) <span class="code-comment">(Your boot partition)</span>
+grub&gt; setup (hd0) <span class="code-comment">(Where the boot record is installed; here, it is the MBR)</span>
+</pre></td></tr>
+</table>
+<p>
+ If you've installed Gentoo using the hardened sources, then you'll need to
+ tell SELinux that you are using the hardened tool-chain with ssp. You do
+ this by setting an SELinux global boolean
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux global_ssp</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-input">setsebool -P global_ssp on</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Make sure you use the -P flag, or the setting won't survive the reboot,
+and you'll likely see a lot of errors relating to /dev/null and /dev/random
+</p></td></tr></table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Final reboot</p>
+<p>Reboot. Log in, then relabel again to ensure all files
+are labeled correctly (some files may have been created during shutdown and
+reboot)</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg -a -r</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ It is strongly suggested to <a href="http://www.gentoo.org/main/en/lists.xml">subscribe</a>
+ to the gentoo-hardened mail list. It is generally a low traffic list, and
+ SELinux announcements are made there.
+</p></td></tr></table>
+<p>
+ SELinux is now installed!
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated December 15, 2009</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-faq.html b/html/selinux/hb-selinux-faq.html
new file mode 100644
index 0000000..668610f
--- /dev/null
+++ b/html/selinux/hb-selinux-faq.html
@@ -0,0 +1,148 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux features</p>
+<p class="secthead"><a name="doc_chap1_sect1">Does SELinux enforce resource limits?</a></p>
+<p>
+ No, resource limits are outside the scope of an access control system. If you
+ are looking for this type of support, GRSecurity and RSBAC are better choices.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux and other hardened projects</p>
+<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and GRSecurity (and PaX)?</a></p>
+<p>
+ Yes, SELinux can be used with GRSecurity and/or PaX with no problems; however,
+ it is suggested that GRACL should not be used, since it would be redundant
+ to SELinux's access control.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and the hardened compiler (PIE-SSP)?</a></p>
+<p>
+ Yes. It is also suggested that PaX be used to take full advantage
+ of the PIE features of the compiler.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and RSBAC?</a></p>
+<p>
+ Unknown. Please report your results if you try this combination.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux and filesystems</p>
+<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my primary filesystems?</a></p>
+<p>
+ SELinux can be used with ext2, ext3, JFS, and XFS. Reiserfs (Reiser3) has
+ extended attributes, but the support was never complete, and has been broken
+ since 2.6.14. Reiser4 is not supported.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my ancillary filesystems?</a></p>
+<p>
+ Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660
+ filesystems, with an important caveat. All files in each filesystem will
+ have the same SELinux type, since the filesystems do not support extended
+ attributes. Tmpfs is the only ancillary filesystem with complete extended
+ attribute support, which allows it to behave like a primary filesystem.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my network filesystems?</a></p>
+<p>
+ Yes, SELinux can mount network filesystems, such as NFS and CIFS
+ filesystems, with an important caveat. All files in each filesystem will
+ have the same SELinux type, since the filesystems do not support extended
+ attributes. In the future, hopefully network filesystems will begin to
+ support extended attributes, then they will work like a primary filesystem.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Portage error messages</p>
+<p class="secthead"><a name="doc_chap1_sect1">I get a missing SELinux module error when using emerge:</a></p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Portage message</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+!!! SELinux module not found. Please verify that it was installed.
+</pre></td></tr>
+</table>
+<p>
+ This indicates that the portage SELinux module is missing or damaged.
+ Also python may have been upgraded to a new version which requires
+ python-selinux to be recompiled. Remerge dev-python/python-selinux.
+ If packages have been merged under this condition, they must be relabed
+ after fixing this condition. If the packages needing to be remerged cannot
+ be determined, a full relabel may be required.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux kernel error messages</p>
+<p class="secthead"><a name="doc_chap1_sect1">I get a register_security error message when booting:</a></p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Kernel message</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+There is already a security framework initialized, register_security failed.
+Failure registering capabilities with the kernel
+selinux_register_security: Registering secondary module capability
+Capability LSM initialized
+</pre></td></tr>
+</table>
+<p>
+ This means that the Capability LSM module couldn't register as the primary
+ module, since SELinux is the primary module. The third message means that it
+ registers with SELinux as a secondary module. This is normal.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Setfiles error messages</p>
+<p class="secthead"><a name="doc_chap1_sect1">When I try to relabel, it fails with invalid contexts:</a></p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Invalid contexts example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# make relabel
+/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
+/usr/sbin/setfiles: read 559 specifications
+/usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39
+/usr/sbin/setfiles: invalid context system_u:object_r:urandom_device_t on line number 120
+/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 377
+/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 378
+/usr/sbin/setfiles: invalid context system_u:object_r:krb5_conf_t on line number 445
+/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 478
+/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 479
+/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 492
+/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 493
+/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 494
+Exiting after 10 errors.
+make: *** [relabel] Error 1
+</pre></td></tr>
+</table>
+<p>
+ First ensure that /selinux is mounted. If selinuxfs is not mounted, setfiles
+ cannot validate any contexts, causing it to believe all contexts are
+ invalid. If /selinux is mounted, then most likely there is new policy that
+ has not yet been loaded; therefore, the contexts have not yet become valid.
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2006</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-howto.html b/html/selinux/hb-selinux-howto.html
new file mode 100644
index 0000000..83d25aa
--- /dev/null
+++ b/html/selinux/hb-selinux-howto.html
@@ -0,0 +1,287 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Load policy into a running SELinux kernel</p>
+<p>
+ This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Semodule command</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -B</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Change roles</p>
+<p>
+ This requires your user have access to the target role. This example
+ is for changing to the <span class="code" dir="ltr">sysadm_r</span> role.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Newrole</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">newrole -r sysadm_r</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Specify available roles for a user</p>
+<p>
+ There is a mapping of linux users to SELinux identities. The policy has
+ generic SELinux users for relevant configurations of roles. For example, to
+ map the user <span class="code" dir="ltr">pebenito</span> to the SELinux identity <span class="code" dir="ltr">staff_u</span>, run:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Map pebenito to staff_u</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -a -s staff_u pebenito</span>
+</pre></td></tr>
+</table>
+<p>
+ The policy does not need to be reloaded. If the user is logged in, it
+ must log out and log in again to take effect.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Relabel filesystems</p>
+<p>
+ This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg -a</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Relabel an individual package</p>
+<p>
+ In addition to relabeling entire filesystems, individual portage packages
+ can be relabeled. This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: rlpkg example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg shadow sash</span>
+</pre></td></tr>
+</table>
+<p>
+ The script rlpkg is used, and any number of packages can be specified
+ on the command line.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Scan for libraries with text relocations</p>
+<p>
+ SELinux has improved memory protections. One feature supported is
+ the permission for ELF text relocations. The libraries with text relocations
+ have a special label, and the <span class="code" dir="ltr">rlpkg</span> tool has an option to scan for
+ these libraries.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: TEXTREL Scan</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg -t</span>
+</pre></td></tr>
+</table>
+<p>
+ This will also be done by automatically after a full relabel.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Start daemons in the correct domain</p>
+<p>
+ Controlling daemons that have init scripts in /etc/init.d is slightly
+ different in SELinux. The <span class="code" dir="ltr">run_init</span> command must be used to run
+ the scripts, to ensure they are ran in the correct domain. The command
+ can be ran normally, except the command is prefixed with <span class="code" dir="ltr">run_init</span>.
+ This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: run_init examples</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">run_init /etc/init.d/ntpd start</span>
+# <span class="code-input">run_init /etc/init.d/apache2 restart</span>
+# <span class="code-input">run_init /etc/init.d/named stop</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Gentoo run_init integration</a></p>
+<p>
+ <span class="code" dir="ltr">run_init</span> has been integrated into Gentoo's init script system. With
+ SELinux installed, services can be started and stopped as usual, but will
+ now authenticate the user.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Integrated run_init example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">/etc/init.d/sshd restart</span>
+Authenticating root.
+Password:
+ * Stopping sshd... [ ok ]
+ * Starting sshd... [ ok ]
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Switch between enforcing and permissive modes</p>
+<p>
+ Switching between modes in SELinux is very simple. Write a 1 for
+ enforcing, or 0 for permissive to /selinux/enforce to set the mode.
+ The current mode can be queried by reading /selinux/enforce; 0 means
+ permissive mode, and 1 means enforcing mode. If the kernel option
+ "NSA SELinux Development Support" is turned off, the system will always
+ be in enforcing mode, and cannot be switched to permissive mode.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">Query current mode</span>
+# <span class="code-input">cat /selinux/enforce</span>
+<span class="code-comment">Switch to enforcing mode</span>
+# <span class="code-input">echo 1 &gt; /selinux/enforce</span>
+<span class="code-comment">Switch to permissive mode</span>
+# <span class="code-input">echo 0 &gt; /selinux/enforce</span>
+</pre></td></tr>
+</table>
+<p>
+ A machine with development support turned on can be started in enforcing
+ mode by adding <span class="code" dir="ltr">enforcing=1</span> to the kernel command line, in the
+ bootloader (GRUB, lilo, etc).
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Managed policy</a></p>
+<p>
+ In addition to the above kernel options, the mode at boot can be
+ set by the <span class="code" dir="ltr">/etc/selinux/config</span> file.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=<span class="code-comment">permissive</span>
+</pre></td></tr>
+</table>
+<p>
+ The setting in this file will be overridden by the kernel command line
+ options described above.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Understand sestatus output</p>
+<p>
+ The <span class="code" dir="ltr">sestatus</span> tool can be used to determine detailed SELinux-specific
+ status information about the system. The <span class="code" dir="ltr">-v</span> option provides extra
+ detail about the context of processes and files. The output will be
+ divided into four sections. Sestatus only provides complete information
+ for a user logged in as root (or su/sudo), in the <span class="code" dir="ltr">sysadm_r</span> role.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Status example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+SELinux status: enabled
+SELinuxfs mount: /selinux
+Current mode: enforcing
+Policy version: 18
+</pre></td></tr>
+</table>
+<p>
+ The main status information is provided in the first section. The first
+ line shows if SELinux kernel functions exists and are enabled. If the
+ status is disabled, either the kernel does not have SELinux support, or
+ the policy is not loaded. The second line shows the mount point for
+ the SELinux filesystem. During the normal use, the filesystem should be
+ mounted at the default location of <span class="code" dir="ltr">/selinux</span>. The third line
+ shows the current SELinux mode, either enforcing or permissive. The fourth
+ line shows the policy database version supported by the currently running
+ kernel.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Booleans example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Policy booleans:
+secure_mode inactive
+ssh_sysadm_login inactive
+user_ping inactive
+</pre></td></tr>
+</table>
+<p>
+ The second section displays the status of the conditional policy booleans. The
+ left column is the name of boolean. The right column is the status of the
+ boolean, either active, or inactive. This section will not be shown on
+ policy version 15 kernels, as they do not support conditional policy.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Process context example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Process contexts:
+Current context: pebenito:sysadm_r:sysadm_t
+Init context: system_u:system_r:init_t
+/sbin/agetty system_u:system_r:getty_t
+/usr/sbin/sshd system_u:system_r:sshd_t
+</pre></td></tr>
+</table>
+<p>
+ The third section displays the context of the current process, and of several
+ key processes. If a process is running in the incorrect context, it will not
+ function correctly.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: File context example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+File contexts:
+Controlling term: pebenito:object_r:sysadm_devpts_t
+/sbin/init system_u:object_r:init_exec_t
+/sbin/agetty system_u:object_r:getty_exec_t
+/bin/login system_u:object_r:login_exec_t
+/sbin/rc system_u:object_r:initrc_exec_t
+/sbin/runscript.sh system_u:object_r:initrc_exec_t
+/usr/sbin/sshd system_u:object_r:sshd_exec_t
+/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
+/etc/passwd system_u:object_r:etc_t
+/etc/shadow system_u:object_r:shadow_t
+/bin/sh system_u:object_r:bin_t -&gt; system_u:object_r:shell_exec_t
+/bin/bash system_u:object_r:shell_exec_t
+/bin/sash system_u:object_r:shell_exec_t
+/usr/bin/newrole system_u:object_r:newrole_exec_t
+/lib/libc.so.6 system_u:object_r:lib_t -&gt; system_u:object_r:shlib_t
+/lib/ld-linux.so.2 system_u:object_r:lib_t -&gt; system_u:object_r:shlib_t
+</pre></td></tr>
+</table>
+<p>
+ The fourth section displays the context of the current process's controlling
+ terminal, and of several key files. For symbolic links, the context of
+ the link and then the context of the link target is displayed. If a file has
+ an incorrect context, the file may be inaccessable or have incorrect
+ permissions for a particular process.
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 14, 2006</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-initpol.html b/html/selinux/hb-selinux-initpol.html
new file mode 100644
index 0000000..cd4f3d0
--- /dev/null
+++ b/html/selinux/hb-selinux-initpol.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Verify Available Policy</p>
+<p>
+ You must be in <span class="code" dir="ltr">sysadm_r</span> to perform this action.
+</p>
+<p>
+ A binary policy must be available in
+ /etc/selinux/{strict,targeted}/policy. If it is missing, then install
+ the policy.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install policy</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -n -B</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Verify Init Can Load the Policy</p>
+<p>
+ The final check is to ensure init can load the policy. Run <span class="code" dir="ltr">ldd</span> on
+ init, and if libselinux is not in the output, remerge sysvinit.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">ldd /sbin/init</span>
+ linux-gate.so.1 =&gt; (0xffffe000)
+ <span class="code-comment">libselinux.so.1 =&gt; /lib/libselinux.so.1 (0x40025000)</span>
+ libc.so.6 =&gt; /lib/libc.so.6 (0x40035000)
+ /lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)
+</pre></td></tr>
+</table>
+<p>
+ Now reboot so init gains the correct context, and loads the policy.
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 16, 2004</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-libsemanage.html b/html/selinux/hb-selinux-libsemanage.html
new file mode 100644
index 0000000..5e6c05b
--- /dev/null
+++ b/html/selinux/hb-selinux-libsemanage.html
@@ -0,0 +1,275 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux Management Infrastructure</p>
+<p>
+ The SElinux management infrastructure manages several aspects of SELinux
+ policy. These management tools are based on the core library libsemanage.
+ There are several management programs to to various tasks, including
+ <span class="code" dir="ltr">semanage</span> and <span class="code" dir="ltr">semodule</span>. They allow you to configure aspects
+ of the policy without requiring the policy sources.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux Policy Module Management</p>
+<p class="secthead"><a name="doc_chap1_sect1">What is a policy module?</a></p>
+<p>
+ SELinux supports a modular policy. This means several pieces of policy
+ are brought together to form one complete policy to be loaded in the
+ kernel. This is a similar structure as the kernel itself and kernel modules.
+ There is a main kernel image that is loaded, and various kernel modules can
+ be added (assuming their dependencies are met) and removed on a running
+ system without restarting. Similarly each policy has a base module and
+ zero or more policy modules, all used to create a policy.
+ Modules are built by compiling a piece of policy, and creating a policy
+ package (*.pp) with that compiled policy, and optionally file contexts.
+</p>
+<p>
+ The base module policy package (base.pp) contains the basic requirements of
+ the policy. All modular policies must have a base module at minimum.
+ In Gentoo we have these plus policies for all parts of the system profile.
+ This is contained in the selinux-base-policy ebuild. The other policy ebuilds
+ in portage have one or more policy modules.
+</p>
+<p>
+ For more information on writing a policy module, in particular for managing
+ your local customizations to the policy, please see the
+ <a href="selinux-handbook.xml?part=3&amp;chap=5">policy module guide</a>.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">The SELinux module store</a></p>
+<p>
+ When a policy module is inserted or removed, modules are copied into or
+ removed from the module store. This repository has a copy of the
+ modules that were used to create the current policy, in addition to several
+ auxilliary files. This repository is stored in the
+ /etc/selinux/{strict,targeted}/modules. You should never need to directly
+ access the contents of the module store. A libsemanage-based tool should be
+ used instead.
+</p>
+<p>
+ Libsemanage handles the module store transactionally. This means that if
+ a set of operations (a transaction) is performed on the store and one part
+ fails, the entire transaction is aborted. This keeps the store in a
+ consistent state.
+</p>
+<p>
+ Managing the module store is accomplished with the <span class="code" dir="ltr">semodule</span> command.
+ Listing the contents of the module store is done with the <span class="code" dir="ltr">-l</span> option.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# semodule -l
+distcc 1.1.1
+</pre></td></tr>
+</table>
+<p>
+ Since the base module is required in all cases, and is not versioned, it will
+ not be shown in the list. All other modules will be listed, along with their
+ versions.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Inserting a policy module</a></p>
+<p>
+ The module should be referenced by its file name.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -i module.pp</span>
+</pre></td></tr>
+</table>
+<p>
+ This will insert the module into module store for the currently configured
+ policy as specified in /etc/selinux/config. If the insert succeeds, the
+ policy will be loaded, unless the <span class="code" dir="ltr">-n</span> option is used. To insert the
+ module into an alternate module store, the <span class="code" dir="ltr">-s</span> option.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -s targeted -i module.pp</span>
+</pre></td></tr>
+</table>
+<p>
+ Since this refers to an alternate module store, the policy will not be loaded.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Removing a policy module</a></p>
+<p>
+ The module is referenced by its name in the module store.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -r module</span>
+</pre></td></tr>
+</table>
+<p>
+ This will remove the module into module store for the currently configured
+ policy as specified in /etc/selinux/config. If the remove succeeds, the
+ policy will be loaded, unless the <span class="code" dir="ltr">-n</span> option is used. The remove
+ command also respects the <span class="code" dir="ltr">-s</span> option.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Configuring User Login Mappings</p>
+<p>
+ The current method of assigning sets of roles to a user is by setting
+ up a mapping between linux users and SELinux identities. When a user
+ logs in, the login program will set the SELinux identity based on the
+ this map. If there is no explicit map, the <span class="code" dir="ltr">__default__</span> map is
+ used.
+</p>
+<p>
+ Managing the SELinux user login map is accomplished with the <span class="code" dir="ltr">semanage</span>
+ tool.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux login user map</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -l</span>
+Login Name SELinux User
+
+__default__ user_u
+root root
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Add a user login mapping</a></p>
+<p>
+ To map the linux user <span class="code" dir="ltr">pebenito</span> to the SELinux identity <span class="code" dir="ltr">staff_u</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -a -s staff_u pebenito</span>
+</pre></td></tr>
+</table>
+<p>
+ For descriptions on the available SELinux identities, see the
+ <a href="selinux-handbook.xml?part=3&amp;chap=1#doc_chap3">SELinux Overview</a>.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Remove a user login mapping</a></p>
+<p>
+ To remove a login map for the linux user <span class="code" dir="ltr">pebenito</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -d pebenito</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ User login maps specified by the policy (not by the management infrastructure)
+ cannot be removed.
+</p></td></tr></table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Configuring Initial Boolean States</p>
+<p>
+ The <span class="code" dir="ltr">setsebool</span> program is now a libsemanage tool. This tool's basic
+ function is to set the state of a Boolean. However, if the machine is
+ restarted, the Booelans will be set using the initial state as specified in
+ the policy. To set the Boolean state, and make that the new initial state
+ in the policy, the <span class="code" dir="ltr">-P</span> option of <span class="code" dir="ltr">setsebool</span> is used.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Set Boolean default state</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">setsebool -P fcron_crond 1</span>
+</pre></td></tr>
+</table>
+<p>
+ This will set the fcron_crond Boolean to true and also make the initial state
+ for the Boolean true.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Configuring SELinux Identities</p>
+<p>
+ Generally SELinux identities need not be added to the policy, as user
+ login mappings are sufficient. However, one reason to add them is for
+ improved auditing, since the SELinux identity is part of the scontext of a
+ denial message.
+</p>
+<p>
+ Managing the SELinux identities is accomplished with the <span class="code" dir="ltr">semanage</span> tool.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux identity list</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage user -l</span>
+SELinux User SELinux Roles
+
+root sysadm_r staff_r
+staff_u sysadm_r staff_r
+sysadm_u sysadm_r
+system_u system_r
+user_u user_r
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Add a SELinux identity</a></p>
+<p>
+ In addition to specifying the roles for an identity, a prefix must
+ also be specified. This prefix should match a role, for example
+ <span class="code" dir="ltr">staff</span> or <span class="code" dir="ltr">sysadm</span>, and it is used for home directory
+ entries. So if <span class="code" dir="ltr">staff</span> is used for the prefix, linux users that
+ are mapped to this identity will have their home directory labeled
+ <span class="code" dir="ltr">staff_home_dir_t</span>.
+</p>
+<p>
+ To add the <span class="code" dir="ltr">test_u</span> identity with the roles <span class="code" dir="ltr">staff_r</span> and
+ <span class="code" dir="ltr">sysadm_r</span> with the prefix <span class="code" dir="ltr">staff</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage user -a -R 'staff_r sysadm_r' -P staff test_u</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ To use the SELinux identity, a user login map still must be added.
+</p></td></tr></table>
+<p class="secthead"><a name="doc_chap1_sect1">Remove a SELinux user identity</a></p>
+<p>
+ To remove the test_u SELinux identity:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage user -d test_u</span>
+</pre></td></tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ SELinux identities specified by the policy (not by the management
+ infrastructure) cannot be removed.
+</p></td></tr></table>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 15, 2006</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-localmod.html b/html/selinux/hb-selinux-localmod.html
new file mode 100644
index 0000000..9246a43
--- /dev/null
+++ b/html/selinux/hb-selinux-localmod.html
@@ -0,0 +1,158 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p>
+ This guide discusses how to set up a policy module for local additions
+ of rules to the policy.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Preparation</p>
+<p>
+ Copy the example Makefile from the selinux-base-policy doc directory to the
+ directory that will be used for building the policy. It is suggested that
+ /root be used. The places that the <span class="code" dir="ltr">semodule</span> tool can read policy
+ modules includes sysadm home directories.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">zcat /usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz &gt; /root/Makefile</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Write a TE file</p>
+<p>
+ In a policy module, most policy statements are usable in modules.
+ There are a few extra statements that must be added for proper operation.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example local.te</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+policy_module(local,1.0)
+
+require {
+ type sysadm_su_t, newrole_t;
+}
+allow sysadm_su_t newrole_t:process sigchld;
+</pre></td></tr>
+</table>
+<p>
+ In addition to the basic allow rule, it has a couple statements required
+ by policy modules. The first is a policy_module() macro that has the
+ name of the module, and the module's version. It also has a require
+ block. This block specifies all types that are required for this module
+ to function. All types used in the module must either be declared in the
+ module or required by this module.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Write a FC File (optional)</p>
+<p>
+ The file contexts file is optional and has the same syntax as as always.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example local.fc</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+/opt/myprogs/mybin -- system_u:object_r:bin_t
+</pre></td></tr>
+</table>
+<p>
+ Types used in the file context file should be required or declared in
+ the TE file.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Compile Policy Modules</p>
+<p>
+ Simply run <span class="code" dir="ltr">make</span> to build all modules in the directory. The module
+ will be compiled for the current policy as specified by /etc/selinux/config.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">make</span>
+Compiling strict local module
+/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
+/usr/bin/checkmodule: policy configuration loaded
+/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
+Creating strict local.pp policy package
+</pre></td></tr>
+</table>
+<p>
+ To build the module for a policy other than the configured policy, use the
+ <span class="code" dir="ltr">NAME=</span> option.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">make NAME=targeted</span>
+Compiling targeted local module
+/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
+/usr/bin/checkmodule: policy configuration loaded
+/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
+Creating targeted local.pp policy package
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Load the Modules</p>
+<p>
+ The modules can be loaded into the currently configured policy simply
+ by using the load target of the Makefile.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">make load</span>
+</pre></td></tr>
+</table>
+<p>
+ The load target also respects the <span class="code" dir="ltr">NAME=</span> option. Alternatively,
+ the <span class="code" dir="ltr">semodule</span> command can be used to load individual modules.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -i local.pp</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Building Reference Policy Modules</p>
+<p>
+The new Gentoo policy is based on the <a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a>.
+For more information on building a complete Reference Policy module, see the
+<a href="http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted">Reference Policy Wiki</a>.
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 15, 2006</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-loglocal.html b/html/selinux/hb-selinux-loglocal.html
new file mode 100644
index 0000000..b74dc3b
--- /dev/null
+++ b/html/selinux/hb-selinux-loglocal.html
@@ -0,0 +1,212 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Begin Here</p>
+<p>
+ You must be in <span class="code" dir="ltr">sysadm_r</span> to perform these actions.
+</p>
+<p>
+ Run <span class="code" dir="ltr">sestatus -v</span>. Click the first context that doesn't match:
+</p>
+<table class="ntable">
+<tr>
+<td class="infohead"><b>Process</b></td>
+<td class="infohead"><b>Context</b></td>
+</tr>
+<tr>
+<td class="tableinfo">Init context</td>
+<td class="tableinfo"><a href="#doc_chap2">system_u:system_r:init_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/sbin/agetty</td>
+<td class="tableinfo"><a href="#doc_chap3">system_u:system_r:getty_t</a></td>
+</tr>
+<tr>
+<td class="infohead"><b>File</b></td>
+<td class="infohead"><b>Context</b></td>
+</tr>
+<tr>
+<td class="tableinfo">/bin/login</td>
+<td class="tableinfo"><a href="#doc_chap4">system_u:object_r:login_exec_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/sbin/unix_chkpwd</td>
+<td class="tableinfo"><a href="#doc_chap5">system_u:object_r:chkpwd_exec_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/etc/passwd</td>
+<td class="tableinfo"><a href="#doc_chap6">system_u:object_r:etc_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/etc/shadow</td>
+<td class="tableinfo"><a href="#doc_chap6">system_u:object_r:shadow_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/bin/bash</td>
+<td class="tableinfo"><a href="#doc_chap7">system_u:object_r:shell_exec_t</a></td>
+</tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect Init Context</p>
+<p class="secthead"><a name="doc_chap1_sect1">Verify Init Label</a></p>
+<p>
+ There are several possible reasons why init may have the wrong context.
+ First, verify that init is labeled correctly, refer to the sestatus's output
+ for /sbin/init. If it is not <span class="code" dir="ltr">system_u:object_r:init_exec_t</span>, relabel sysvinit.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix init context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg sysvinit</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Verify Available Policy</a></p>
+<p>
+ You must be in <span class="code" dir="ltr">sysadm_r</span> to perform this action.
+</p>
+<p>
+ A binary policy must be available in /etc/selinux/{strict,targeted}/policy.
+ If it is missing, then install the policy.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install binary policy</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -n -B</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Verify Init Can Load the Policy</a></p>
+<p>
+ The final check is to ensure init can load the policy. Run <span class="code" dir="ltr">ldd</span> on
+ init, and if libselinux is not in the output, remerge sysvinit.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Check init linking</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">ldd /sbin/init</span>
+ linux-gate.so.1 =&gt; (0xffffe000)
+ <span class="code-comment">libselinux.so.1 =&gt; /lib/libselinux.so.1 (0x40025000)</span>
+ libc.so.6 =&gt; /lib/libc.so.6 (0x40035000)
+ /lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)
+</pre></td></tr>
+</table>
+<p>
+ Now reboot so init gains the correct context, and loads the policy.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect agetty Context</p>
+<p>
+ Verify that agetty is labeled correctly. Refer to the sestatus's output
+ for /sbin/agetty. If it is not <span class="code" dir="ltr">system_u:object_r:getty_exec_t</span>, relabel
+ util-linux. Then restart all gettys.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix agetty context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg util-linux</span>
+# <span class="code-input">killall agetty</span> <span class="code-comment">(they will respawn)</span>
+</pre></td></tr>
+</table>
+<p>
+ All of the agettys should now be in the correct <span class="code" dir="ltr">system_u:object_r:getty_exec_t</span>
+ context. Try logging in again.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect Login Context</p>
+<p>
+ The login program (/bin/login) is not labeled correctly. Relabel shadow.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel shadow</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg shadow</span>
+</pre></td></tr>
+</table>
+<p>
+ /bin/login should now be <span class="code" dir="ltr">system_u:object_r:login_exec_t</span>.
+ Try logging in again.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect PAM Context</p>
+<p>
+ Sshd must be able to use PAM for authenticating the user. The PAM password
+ checking program (/sbin/unix_chkpwd) must be labeled correctly so
+ sshd can transition to the password checking context. Relabel PAM.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix unix_chkpwd context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg pam</span>
+</pre></td></tr>
+</table>
+<p>
+ The password checking program should now be <span class="code" dir="ltr">system_u:object_r:chkpwd_exec_t</span>.
+ Try loggin in again.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect Password File Contexts</p>
+<p>
+ The password file (/etc/passwd), and the shadow file (/etc/shadow) must
+ be labeled correctly, otherwise PAM will not be able to
+ authenticate your user. Relabel the files.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix shadow context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">restorecon /etc/passwd /etc/shadow</span>
+</pre></td></tr>
+</table>
+<p>
+ The password and shadow files should now be <span class="code" dir="ltr">system_u:object_r:etc_t</span>
+ and <span class="code" dir="ltr">system_u:object_r:shadow_t</span>, respectively. Try logging in again.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect Bash File Context</p>
+<p>
+ Bash must be labeled correctly so the user can transition into the user
+ domain when logging in. Relabel bash.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix bash context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg bash</span>
+</pre></td></tr>
+</table>
+<p>
+ Bash (/bin/bash) should now be <span class="code" dir="ltr">system_u:object_r:shell_exec_t</span>.
+ Try logging in again.
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 16, 2004</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-logremote.html b/html/selinux/hb-selinux-logremote.html
new file mode 100644
index 0000000..a99b408
--- /dev/null
+++ b/html/selinux/hb-selinux-logremote.html
@@ -0,0 +1,228 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Begin Here</p>
+<p>
+ You must be in <span class="code" dir="ltr">sysadm_r</span> to perform these actions.
+</p>
+<p>
+ Run <span class="code" dir="ltr">sestatus -v</span>. Click the first context that doesn't match:
+</p>
+<table class="ntable">
+<tr>
+<td class="infohead"><b>Process</b></td>
+<td class="infohead"><b>Context</b></td>
+</tr>
+<tr>
+<td class="tableinfo">Init context</td>
+<td class="tableinfo"><a href="#doc_chap2">system_u:system_r:init_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/usr/sbin/sshd</td>
+<td class="tableinfo"><a href="#doc_chap3">system_u:system_r:sshd_t</a></td>
+</tr>
+<tr>
+<td class="infohead"><b>File</b></td>
+<td class="infohead"><b>Context</b></td>
+</tr>
+<tr>
+<td class="tableinfo">/sbin/unix_chkpwd</td>
+<td class="tableinfo"><a href="#doc_chap4">system_u:object_r:chkpwd_exec_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/etc/passwd</td>
+<td class="tableinfo"><a href="#doc_chap5">system_u:object_r:etc_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/etc/shadow</td>
+<td class="tableinfo"><a href="#doc_chap5">system_u:object_r:shadow_t</a></td>
+</tr>
+<tr>
+<td class="tableinfo">/bin/bash</td>
+<td class="tableinfo"><a href="#doc_chap6">system_u:object_r:shell_exec_t</a></td>
+</tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect Init Context</p>
+<p class="secthead"><a name="doc_chap1_sect1">Verify Init Label</a></p>
+<p>
+ There are several possible reasons why init may have the wrong context.
+ First, verify that init is labeled correctly, refer to the sestatus's output
+ for /sbin/init. If it is not <span class="code" dir="ltr">system_u:object_r:init_exec_t</span>, relabel sysvinit.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg sysvinit</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Verify Available Policy</a></p>
+<p>
+ You must be in <span class="code" dir="ltr">sysadm_r</span> to perform this action.
+</p>
+<p>
+ A binary policy must be available in
+ /etc/selinux/{strict,targeted}/policy. If it is missing, then install
+ the policy.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install policy</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -n -B</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Verify Init Can Load the Policy</a></p>
+<p>
+ The final check is to ensure init can load the policy. Run <span class="code" dir="ltr">ldd</span> on
+ init, and if libselinux is not in the output, remerge sysvinit.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">ldd /sbin/init</span>
+ linux-gate.so.1 =&gt; (0xffffe000)
+ <span class="code-comment">libselinux.so.1 =&gt; /lib/libselinux.so.1 (0x40025000)</span>
+ libc.so.6 =&gt; /lib/libc.so.6 (0x40035000)
+ /lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)
+</pre></td></tr>
+</table>
+<p>
+ Now reboot so init gains the correct context, and loads the policy.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect sshd Context</p>
+<p>
+ Another possibility is sshd is not labeled correctly, meaning it is not running
+ in the right context. Relabel openssh, then restart sshd.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg openssh</span>
+# <span class="code-input">/etc/init.d/sshd restart</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect PAM Context</p>
+<p>
+ Sshd must be able to use PAM for authenticating the user. The PAM password
+ checking program (/sbin/unix_chkpwd) must be labeled correctly so
+ sshd can transition to the password checking context. Relabel PAM.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg pam</span>
+</pre></td></tr>
+</table>
+<p>
+ The password checking program should now be <span class="code" dir="ltr">system_u:object_r:chkpwd_exec_t</span>.
+ Try loggin in again.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect Password File Contexts</p>
+<p>
+ The password file (/etc/passwd), and the shadow file (/etc/shadow) must
+ be labeled correctly, otherwise PAM will not be able to
+ authenticate your user. Relabel the files.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">restorecon /etc/passwd /etc/shadow</span>
+</pre></td></tr>
+</table>
+<p>
+ The password and shadow files should now be <span class="code" dir="ltr">system_u:object_r:etc_t</span>
+ and <span class="code" dir="ltr">system_u:object_r:shadow_t</span>, respectively. Try logging in again.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Incorrect Bash File Context</p>
+<p>
+ Bash must be labeled correctly so the user can transition into the user
+ domain when logging in. Relabel bash.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">rlpkg bash</span>
+</pre></td></tr>
+</table>
+<p>
+ Bash (/bin/bash) should now be <span class="code" dir="ltr">system_u:object_r:shell_exec_t</span>.
+ Try logging in again.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Other sshd Issues</p>
+<p class="secthead"><a name="doc_chap1_sect1">Valid Shell</a></p>
+<p>
+ First, make sure the user has a valid shell.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">grep</span> <span class="code-comment">username</span> <span class="code-input">/etc/passwd | cut -d: -f7</span>
+/bin/bash <span class="code-comment">(or your shell of choice)</span>
+</pre></td></tr>
+</table>
+<p>
+ If the above command does not return anything, or the shell is wrong,
+ set the user's shell.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">usermod -s /bin/bash</span> <span class="code-comment">username</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">PAM enabled</a></p>
+<p>
+ PAM also must be enabled in sshd. Make sure this line
+ in <span class="code" dir="ltr">/etc/ssh/sshd_config</span> is uncommented:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+UsePAM yes
+</pre></td></tr>
+</table>
+<p>
+ SELinux currently only allows PAM and a select few programs direct access
+ to <span class="code" dir="ltr">/etc/shadow</span>; therefore, openssh must now
+ use PAM for password authentication (public key still works).
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 16, 2004</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-overview.html b/html/selinux/hb-selinux-overview.html
new file mode 100644
index 0000000..038b0ad
--- /dev/null
+++ b/html/selinux/hb-selinux-overview.html
@@ -0,0 +1,552 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux Types</p>
+<p>
+ A type is a security attribute given to objects such as files, and network
+ ports, etc. The type of a process is commonly referred to as its domain.
+ The SELinux policy is primarily composed of type enforcement rules, which
+ describe how domains are allowed to interact with objects, and how domains
+ are allowed to interact with other domains. A type is generally suffixed
+ with a '_t', such as <span class="code" dir="ltr">sysadm_t</span>. This is the most important
+ attribute for a process or object, as most policy decisions are based on
+ the source and target types.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux Roles</p>
+<p>
+ SELinux is type enforcement, so the SELinux role is not the same as those
+ in a role-based access control system. Permissions are not given to roles.
+ A role describes the set of types a user can use. For example, a system
+ administrator that is using the system for regular user tasks should be
+ in the <span class="code" dir="ltr">staff_r</span> role. If they need to administrate the system, then
+ a role change to <span class="code" dir="ltr">sysadm_r</span> is required. In SELinux terms, the
+ domains that a user can be in is determined by their role. If a role is not
+ allowed to have a certain domain, a transition to that domain will be denied,
+ even if the type enforcement rules allow the domain transition. A role is
+ generally suffixed with a '_r', such as <span class="code" dir="ltr">system_r</span>.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux Identities</p>
+<p class="secthead"><a name="doc_chap1_sect1">What is a SELinux Identity?</a></p>
+<p>
+ The SELinux identity is similar to a Linux username. The change of identity
+ should be limited to very specific cases, since the role-based access control
+ relies on the SELinux identity. Therfore, in general, a user’s SELinux
+ identity will not change during a session. The user ID in Linux can be
+ changed by set(e)uid, making it inappropriate for a SELinux identity.
+ If a user is given a SELinux identity, it must match the Linux username. Each
+ SELinux identity is allowed a set of roles.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Configure SELinux Identity Mapping</a></p>
+<p>
+ The SELinux policy has several generic SELinux identities that should
+ be sufficient for all users. This mapping only needs to be configured
+ on the strict policy. The identity mapping for the targeted policy
+ need not be configured, as the default identity (user_u) is sufficient
+ in all cases.
+</p>
+<p>
+ When a user logs in, the SELinux identity used is determined by this mapping.
+</p>
+<table class="ntable">
+<tr>
+<td class="infohead"><b>SELinux Identity</b></td>
+ <td class="infohead"><b>Roles</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+<td class="tableinfo">system_u</td>
+ <td class="tableinfo">system_r</td>
+ <td class="tableinfo">System (non-interactive) processes. Should not be used on users.</td>
+</tr>
+<tr>
+<td class="tableinfo">user_u</td>
+ <td class="tableinfo">user_r</td>
+ <td class="tableinfo">Generic unprivileged users. The default identity mapping.</td>
+</tr>
+<tr>
+<td class="tableinfo">staff_u</td>
+ <td class="tableinfo">staff_r, sysadm_r</td>
+ <td class="tableinfo">System administrators that also log in to do regular user activties.</td>
+</tr>
+<tr>
+<td class="tableinfo">sysadm_u</td>
+ <td class="tableinfo">sysadm_r</td>
+ <td class="tableinfo">System administrators that only log in to do administrative tasks. It is not suggested that this identity is used.</td>
+</tr>
+<tr>
+<td class="tableinfo">root</td>
+ <td class="tableinfo">staff_r, sysadm_r</td>
+ <td class="tableinfo">Special identity for root. Other users should use staff_u instead.</td>
+</tr>
+</table>
+<p>
+ See the <a href="selinux-handbook.xml?part=3&amp;chap=2#doc_chap3">SELinux HOWTO</a>
+ for semanage syntax for configuring SELinux identity mappings.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux Contexts</p>
+<p>
+ Using the above three security models together is called a SELinux
+ context. A context takes the form <span class="code" dir="ltr">identity</span>:<span class="code" dir="ltr">role</span>:<span class="code" dir="ltr">type</span>.
+ The SELinux context is the most important value for determining access.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Object Contexts</a></p>
+<p>
+ A typical <span class="code" dir="ltr">ls -Z</span> may have an output similar to this:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example ls -Z output</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+drwxr-xr-x root root system_u:object_r:bin_t bin
+drwxr-xr-x root root system_u:object_r:boot_t boot
+drwxr-xr-x root root system_u:object_r:device_t dev
+drwxr-xr-x root root system_u:object_r:etc_t etc
+</pre></td></tr>
+</table>
+<p>
+ The first three columns are the typical linux permissions, user and group.
+ The fourth column is the file or directory's security context. Objects
+ are given the generic <span class="code" dir="ltr">object_r</span> role. From the other two fields of
+ the context, it can be seen that the files are in the system identity,
+ and have four different types, <span class="code" dir="ltr">bin_t</span>, <span class="code" dir="ltr">boot_t</span>, <span class="code" dir="ltr">device_t</span>,
+ and <span class="code" dir="ltr">etc_t</span>.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Process Contexts</a></p>
+<p>
+ A typical <span class="code" dir="ltr">ps ax -Z</span> may have an output similar to this:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example ps ax -Z output</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+ PID CONTEXT COMMAND
+ 1 system_u:system_r:init_t [init]
+ 2 system_u:system_r:kernel_t [keventd]
+ 3 system_u:system_r:kernel_t [ksoftirqd_CPU0]
+ 4 system_u:system_r:kernel_t [kswapd]
+ 5 system_u:system_r:kernel_t [bdflush]
+ 6 system_u:system_r:kernel_t [kupdated]
+ 706 system_u:system_r:syslogd_t [syslog-ng]
+ 712 system_u:system_r:httpd_t [apache]
+ 791 system_u:system_r:sshd_t [sshd]
+ 814 system_u:system_r:crond_t [cron]
+ 826 system_u:system_r:getty_t [agetty]
+ 827 system_u:system_r:getty_t [agetty]
+ 828 system_u:system_r:getty_t [agetty]
+ 829 system_u:system_r:getty_t [agetty]
+ 830 system_u:system_r:getty_t [agetty]
+ 831 system_u:system_r:httpd_t [apache]
+ 832 system_u:system_r:httpd_t [apache]
+ 833 system_u:system_r:httpd_t [apache]
+23093 system_u:system_r:sshd_t [sshd]
+23095 user_u:user_r:user_t [bash]
+23124 system_u:system_r:sshd_t [sshd]
+23126 user_u:user_r:user_t [bash]
+23198 system_u:system_r:sshd_t [sshd]
+23204 user_u:user_r:user_t [bash]
+23274 system_u:system_r:sshd_t [sshd]
+23275 pebenito:staff_r:staff_t [bash]
+23290 pebenito:staff_r:staff_t ps ax -Z
+</pre></td></tr>
+</table>
+<p>
+ In this example, the typical process information is displayed, in addition
+ to the process's context. By inspection, all of the system's kernel
+ processes and daemons run under the <span class="code" dir="ltr">system_u</span> identity, and
+ <span class="code" dir="ltr">system_r</span> role. The individual domains depend on the program.
+ There are a few users logged in over ssh, using the generic <span class="code" dir="ltr">user_u</span>
+ identity. Finally there is a user with the identity <span class="code" dir="ltr">pebenito</span> logged in
+ with the <span class="code" dir="ltr">staff_r</span> role, running in the <span class="code" dir="ltr">staff_t</span> domain.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux Policy Files</p>
+<p>
+ The SELinux policy source files are no longer installed onto the system.
+ In the <span class="code" dir="ltr">/usr/share/selinux/{strict,targeted}</span> directory there are a
+ collection of policy packages and headers for building local modules.
+ The policy files are processed by m4, and then the policy compiler <span class="code" dir="ltr">checkmodule</span>
+ verifies that there are no syntactic errors, and a policy module is created.
+ Then a policy package is created with with the <span class="code" dir="ltr">semodule_package</span>
+ program, using the policy module and the module file contexts.
+ The policy packaged then can be loaded into a running SELinux kernel
+ by inserting it into the module store.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">*.pp</a></p>
+<p>
+ Policy packages for this policy. These must be inserted into the module
+ store so they can be loaded into the policy. Inside the package
+ there is a loadable policy module, and optionally a file context file.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">include/</a></p>
+<p>
+ Policy headers for this policy.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Binary Policy Versions</p>
+<p>
+ When compiling the policy, the resultant binary policy is versioned.
+ The first version that was merged into 2.6 was version 15.
+ The version number is only incremented generally when new features are added that require changes to the structure of the compiled policy.
+ For example, in 2.6.5, conditional policy extensions were added.
+ This required the policy version to be incremented to version 16.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">What Policy Version Does My Kernel Use?</a></p>
+<p>
+ The policy version of a running kernel can be determined by executing
+ <span class="code" dir="ltr">sestatus</span> or <span class="code" dir="ltr">policyvers</span>. Current kernels can load
+ the previous version policy for compatibility. For example a version 17
+ kernel can also load a version 16 policy. However, this compatibility
+ code may be removed in the future.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+ The policy management infrastructure (libsemanage) will automatically
+ create and use the correct version policies. No extra steps need be taken.
+</p></td></tr></table>
+<p class="secthead"><a name="doc_chap1_sect1">Policy Versions</a></p>
+<p>
+ The following table contains the policy versions in 2.6 kernels.
+</p>
+<table class="ntable">
+<tr>
+<td class="infohead"><b>Version</b></td>
+ <td class="infohead"><b>Description</b></td>
+ <td class="infohead"><b>Kernel Versions</b></td>
+</tr>
+<tr>
+<td class="tableinfo">12</td>
+ <td class="tableinfo">"Old API" SELinux (deprecated).</td>
+</tr>
+<tr>
+<td class="tableinfo">15</td>
+ <td class="tableinfo">"New API" SELinux merged into 2.6.</td>
+ <td class="tableinfo">2.6.0 - 2.6.4</td>
+</tr>
+<tr>
+<td class="tableinfo">16</td>
+ <td class="tableinfo">Conditional policy extensions added.</td>
+ <td class="tableinfo">2.6.5</td>
+</tr>
+<tr>
+<td class="tableinfo">17</td>
+ <td class="tableinfo">IPV6 support added.</td>
+ <td class="tableinfo">2.6.6 - 2.6.7</td>
+</tr>
+<tr>
+<td class="tableinfo">18</td>
+ <td class="tableinfo">Fine-grained netlink socket support added.</td>
+ <td class="tableinfo">2.6.8 - 2.6.11</td>
+</tr>
+<tr>
+<td class="tableinfo">19</td>
+ <td class="tableinfo">Enhanced multi-level security.</td>
+ <td class="tableinfo">2.6.12 - 2.6.13</td>
+</tr>
+<tr>
+<td class="tableinfo">20</td>
+ <td class="tableinfo">Access vector table size optimizations.</td>
+ <td class="tableinfo">2.6.14 - 2.6.18</td>
+</tr>
+<tr>
+<td class="tableinfo">21</td>
+ <td class="tableinfo">Object classes in range transitions.</td>
+ <td class="tableinfo">2.6.19 - 2.6.24</td>
+</tr>
+<tr>
+<td class="tableinfo">22</td>
+ <td class="tableinfo">Policy capabilities (features).</td>
+ <td class="tableinfo">2.6.25</td>
+</tr>
+<tr>
+<td class="tableinfo">23</td>
+ <td class="tableinfo">Per-domain permissive mode.</td>
+ <td class="tableinfo">2.6.26 - 2.6.27</td>
+</tr>
+<tr>
+<td class="tableinfo">24</td>
+ <td class="tableinfo">Explicit hierarchy (type bounds).</td>
+ <td class="tableinfo">2.6.28 - current</td>
+</tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Conditional Policy Extensions</p>
+<p>
+ The conditional policy extensions allow the enabling and disabling of policy
+ rules at runtime, without loading a modified policy. Using policy booleans
+ and expressions, policy rules can be conditionally applied.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Determine Boolean Values</a></p>
+<p>
+ The status of policy booleans in the current running policy can be determined
+ two ways. The first is by using <span class="code" dir="ltr">sestatus</span>.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example sestatus output</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# sestatus
+SELinux status: enabled
+SELinuxfs mount: /selinux
+Current mode: enforcing
+Policy version: 17
+
+Policy booleans:
+user_ping inactive
+</pre></td></tr>
+</table>
+<p>
+ The second is <span class="code" dir="ltr">getsebool</span> which is a simple tool that displays
+ the status of policy booleans, and if a value change is pending.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example getsebool command</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# getsebool -a
+user_ping --&gt; active: 0 pending: 0
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Changing Boolean Values</a></p>
+<p>
+ The value of a boolean can be toggled by using the <span class="code" dir="ltr">togglesebool</span>
+ command. Multiple booleans can be specified on the command line. The
+ new value of the boolean will be displayed.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example togglesebool command</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# togglesebool user_ping
+user_ping: active
+</pre></td></tr>
+</table>
+<p>
+ The value of a boolean can be set specifically by using the <span class="code" dir="ltr">setsebool</span>
+ command.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example setsebool command</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# setsebool user_ping 0
+</pre></td></tr>
+</table>
+<p>
+ To set the value of a boolean, and make it the devault value, use the <span class="code" dir="ltr">-P</span> option.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Change default value</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# setsebool -P user_ping 1
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Policy Kernel Messages</p>
+<p>
+ While a system is running, a program or user may attempt to do something
+ that violates the security policy. If the system is enforcing the policy,
+ the access will be denied, and there will be a message in the kernel log.
+ If the system is not enforcing (permissive mode), the access will be allowed,
+ but there will still be a kernel message.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">AVC Messages</a></p>
+<p>
+ Most kernel messages from SELinux come from the access vector cache (AVC).
+ Understanding denials is important to understand if an attack is happening,
+ or if the program is requiring unexpected accesses. An example denial
+ may look like this:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC Message</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+avc: denied { read write } for pid=3392 exe=/bin/mount dev=03:03 ino=65554
+scontext=pebenito:sysadm_r:mount_t tcontext=system_u:object_r:tmp_t tclass=file
+</pre></td></tr>
+</table>
+<p>
+ While most AVC messages are denials, occasionally there might be an audit
+ message for an access that was granted:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC Message 2</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+avc: granted { load_policy } for pid=3385 exe=/usr/sbin/load_policy
+scontext=pebenito:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
+</pre></td></tr>
+</table>
+<p>
+ In this case, the ability to load the policy was granted. This is a critical
+ security event, and thus is always audited. Another event that is always
+ audited is switching between enforcing and permissive modes.
+</p>
+<p>
+ SELinux will supress logging of denials if many are received in a short
+ amount of time. However, This does not always imply there is an attack
+ in progress. A program may be doing something that could cause
+ many denials in a short time, such as doing a stat() on device nodes in
+ /dev. To protect from filling up the system logs, SELinux has rate limiting
+ for its messages:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC Message 3</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+AVC: 12 messages suppressed.
+</pre></td></tr>
+</table>
+<p>
+ The policy would have to be modified to not audit these accesses if they
+ are normal program behavior, but still need to be denied.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Other kernel messages</a></p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: inode_doinit_with_dentry</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+inode_doinit_with_dentry: context_to_sid(system_u:object_r:bar_t) returned 22 for dev=hda3 ino=517610
+</pre></td></tr>
+</table>
+<p>
+ This means that the file on /dev/hda3 with inode number 517610 has the context
+ system_u:object_r:bar_t, which is invalid. Objects with an invalid context
+ are treated as if they had the system_u:object_r:unlabeled_t context.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Dissecting a Denial</p>
+<p>
+ Denials contain varying amounts of information, depending on the access type.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example Denials</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+avc: denied { lock } for pid=28341 exe=/sbin/agetty path=/var/log/wtmp dev=03:03 ino=475406
+scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file
+
+avc: denied { create } for pid=20909 exe=/bin/ls scontext=pebenito:sysadm_r:mkinitrd_t
+tcontext=pebenito:sysadm_r:mkinitrd_t tclass=unix_stream_socket
+
+avc: denied { setuid } for pid=3170 exe=/usr/bin/ntpd capability=7
+scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
+
+</pre></td></tr>
+</table>
+<p>
+ The most common denial relates to access of files. For better understanding,
+ the first denial message will be broken down:
+</p>
+<table class="ntable">
+<tr>
+<td class="infohead"><b>Component</b></td>
+<td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+<td class="tableinfo">avc: denied</td>
+ <td class="tableinfo">SELinux has denied this access.</td>
+</tr>
+<tr>
+<td class="tableinfo">{ lock }</td>
+ <td class="tableinfo">The attempted access is a lock.</td>
+</tr>
+<tr>
+<td class="tableinfo">pid=28341</td>
+ <td class="tableinfo">The process ID performing this access is 28341.</td>
+</tr>
+<tr>
+<td class="tableinfo">exec=/sbin/agetty</td>
+ <td class="tableinfo">The full path and name of the process's executable is /sbin/agetty.</td>
+</tr>
+<tr>
+<td class="tableinfo">path=/var/log/wtmp</td>
+ <td class="tableinfo">The path and name of the target object is /var/log/wtmp. Note: a complete
+ path is not always available.</td>
+</tr>
+<tr>
+<td class="tableinfo">dev=03:03</td>
+ <td class="tableinfo">The target object resides on device 03:03 (major:minor number).
+ On 2.6 kernels this may resolve to a name, hda3 in this example.</td>
+</tr>
+<tr>
+<td class="tableinfo">ino=475406</td>
+ <td class="tableinfo">The inode number of the target object is 475406.</td>
+</tr>
+<tr>
+<td class="tableinfo">scontext=system_u:system_r:getty_t</td>
+ <td class="tableinfo">The context of the program is system_u:system_r:getty_t.</td>
+</tr>
+<tr>
+<td class="tableinfo">tcontext=system_u:object_r:var_log_t</td>
+ <td class="tableinfo">The context of the target object is system_u:object_r:var_log_t.</td>
+</tr>
+<tr>
+<td class="tableinfo">tclass=file</td>
+ <td class="tableinfo">The target object is a normal file.</td>
+</tr>
+</table>
+<p>
+ Not all AVC messages will have all of these fields, as shown in the other
+ two denials. The fields vary depending on the target object's class.
+ However, the most important fields: access type, source and target contexts,
+ and the target object's class will always be in an AVC message.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Understanding the Denial</a></p>
+<p>
+ Denials can be very confusing since they can be triggered for several reasons.
+ The key to understanding what is happening is to know the behavior of the
+ program, and to correctly interpret the denial message. The target is not
+ limited to files; it could also be related to network sockets,
+ interprocess communications, or others.
+</p>
+<p>
+ In the above example, the agetty is denied locking of a file. The file's type
+ is var_log_t, therefore it is implied that the target file is in /var/log.
+ With the extra information from the path= field in the denial message, it is
+ confirmed to be the file /var/log/wtmp. If path information was unavailable,
+ this could be further confirmed by searching for the inode. Wtmp is a file that has
+ information about users currently logged in, and agetty handles logins on
+ ttys. It can be concluded that this is an expected access of agetty, for
+ updating wtmp. However, why is this access being denied? Is there a flaw
+ in the policy by not allowing agetty to update wtmp? It turns out that wtmp
+ has the incorrect context. It should be system_u:object_r:wtmp_t, rather
+ than system_u:object_r:var_log_t.
+</p>
+<p>
+ If this access was not understood, an administrator might mistakenly allow getty_t
+ read/write access to var_log_t files, which would be incorrect, since agetty
+ only needs to modify /var/log/wtmp. This underscores how critical keeping
+ file contexts consistent is.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>References</p>
+<p>
+ <a href="http://www.nsa.gov/selinux">U.S. National Security Agency</a>,
+ SELinux Policy README
+</p>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated July 13, 2009</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-selinux-references.html b/html/selinux/hb-selinux-references.html
new file mode 100644
index 0000000..f32c791
--- /dev/null
+++ b/html/selinux/hb-selinux-references.html
@@ -0,0 +1,117 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/../../../css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/../../../favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Background</p>
+<ul>
+<li>
+ <a href="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure:
+ The Flawed Assumption of Security in Modern Computing Environments</a>
+ explains the need for mandatory access controls.</li>
+<li>
+ <a href="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture:
+ System Support for Diverse Security Policies</a>
+ explains the security architecture of Flask, the architecture used by SELinux.</li>
+<li>
+ <a href="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</a>
+ has specifics about SELinux access checks in the kernel.</li>
+</ul>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Policy</p>
+<ul>
+<li>
+ <a href="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</a>
+</li>
+<li>
+ <a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a>
+</li>
+<li>
+ SELinux <a href="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</a>
+ Overview</li>
+</ul>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Books</p>
+<ul>
+<li>
+ <span class="code" dir="ltr">SELinux by Example: Using Security Enhanced Linux</span>, Frank Mayer,
+ Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694</li>
+<li>
+ <span class="code" dir="ltr">SELinux: NSA's Open Source Security Enhanced Linux</span>, Bill McCarty,
+ O'Reilly Media, 2004; ISBN 0596007167</li>
+</ul>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Meeting Notes</p>
+<ul>
+<li>
+ <a href="http://www.selinux-symposium.org/2006/summit.php">March 3rd, 2006 SELinux Developer Summit</a>
+</li>
+<li>
+ <a href="http://www.selinux-symposium.org/meeting.php">May 6th, 2004 Informal Meeting</a>
+</li>
+</ul>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Presentations</p>
+<p class="secthead"><a name="doc_chap1_sect1">2006 SELinux Symposium</a></p>
+<ul>
+<li>
+ <a href="http://www.nsa.gov/selinux/papers/selsymp2006-abs.cfm">SELinux Year in Review</a>,
+ Stephen Smalley, National Security Agency</li>
+<li>
+ <a href="http://www.selinux-symposium.org/2006/slides/03-refpolicy-slides.pdf">Reference Policy for Security Enhanced Linux</a>,
+ Karl MacMillan, Tresys Technology (<a href="http://www.selinux-symposium.org/2006/papers/05-refpol.pdf">Paper</a>)</li>
+</ul>
+<p class="secthead"><a name="doc_chap1_sect1">2005 SELinux Symposium</a></p>
+<ul>
+<li>
+ <a href="http://www.nsa.gov/research/selinux/index.shtml">SELinux Overview</a>,
+ NSA</li>
+<li>
+ <a href="http://www.selinux-symposium.org/2005/presentations/session3/3-2-macmillan.pdf">Core Policy Management Infrastructure for SELinux</a>,
+ Karl MacMillan, Tresys Technology</li>
+<li>
+ <a href="http://www.selinux-symposium.org/2005/presentations/session4/4-1-walsh.pdf">Targeted vs. Strict Policy History and Strategy</a>,
+ Dan Walsh, Red Hat</li>
+<li>
+ <a href="http://www.selinux-symposium.org/2005/presentations/session4/4-4-mayer.pdf">Tresys SETools: Tools and Libraries for Policy Analysis and Management</a>,
+ Frank Mayer, Tresys Technology</li>
+<li>
+ <a href="http://www.selinux-symposium.org/2005/presentations/session5/5-3-macmillan.pdf">Information Flow Analysis for Type Enforcement Policies</a>,
+ Karl MacMillan, Tresys Technology</li>
+<li>
+ <a href="http://www.selinux-symposium.org/2005/presentations/session6/6-2-mayer.pdf">SELinux Policy Analysis Concepts and Techniques</a>,
+ David Caplan, Frank Mayer, Tresys Technology</li>
+</ul>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 7, 2006</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/index.html b/html/selinux/index.html
new file mode 100644
index 0000000..22d6ada
--- /dev/null
+++ b/html/selinux/index.html
@@ -0,0 +1,229 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Projects
+--
+ SELinux</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>SELinux</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Project Description</option>
+<option value="#doc_chap2">2. Project Goals</option>
+<option value="#doc_chap3">3. What is SELinux?</option>
+<option value="#doc_chap4">4. Developers</option>
+<option value="#doc_chap5">5. Subprojects</option>
+<option value="#doc_chap6">6. Planned subprojects</option>
+<option value="#doc_chap7">7. Resources</option>
+<option value="#doc_chap8">8. How Do I Use This?</option>
+<option value="#doc_chap9">9. I Want to Participate</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Project Description</p>
+<p>
+ This project manages SELinux support in Gentoo. This includes providing
+ kernels with SELinux support, providing patches to userland utilities, writing
+ strong Gentoo-specific default profiles, and deploying policies from Portage.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Project Goals</p>
+<p>
+ The intention of the project is to make SELinux available to more users, and
+ improving its integration.
+ Policy should be available for common daemons, and files merged in from Portage
+ should have the correct file context. Currently we only work on servers, but
+ desktops will be supported in the future.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>What is SELinux?</p>
+<p>
+ <a href="http://www.nsa.gov/selinux">Security-Enhanced Linux</a> (SELinux)
+ is a system of mandatory access control using type enforcement and role-based
+ access control. It is implemented as a
+ <a href="http://lsm.immunix.org/">Linux Security Module</a> (LSM).
+ In addition to the kernel portion, SELinux consists of a library (libselinux)
+ and userland utilities for compiling policy (checkpolicy), and loading policy
+ (policycoreutils), in addition to other user programs.
+</p>
+<p>
+ One common misconception is that SELinux is a complete security solution,
+ however, it is not. SELinux only provides one piece of a security
+ solution. It can work well with other Hardened projects, such as PaX,
+ for a more complete solution.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Developers</p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Developer</b></td>
+ <td class="infohead"><b>Nickname</b></td>
+ <td class="infohead"><b>Role</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">pebenito</td>
+ <td class="tableinfo">Lead ( Policy, x86, AMD64 )</td>
+ </tr>
+ </table>
+<p>
+ All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@gentoo.org</span>.
+ </p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>Subprojects</p>
+<p>The SELinux
+ project has the following subprojects:
+ </p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Project</b></td>
+ <td class="infohead"><b>Lead</b></td>
+ <td class="infohead"><b>Description</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Base Policy</td>
+ <td class="tableinfo">pebenito</td>
+ <td class="tableinfo">
+ SELinux policy for the core system, including users, administrators, and
+ daemons in the system profile.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Daemon Policy</td>
+ <td class="tableinfo"></td>
+ <td class="tableinfo">
+ SELinux policies for common daemons.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">x86</td>
+ <td class="tableinfo">pebenito</td>
+ <td class="tableinfo">
+ Support for the x86 architecture.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">AMD64</td>
+ <td class="tableinfo">pebenito</td>
+ <td class="tableinfo">
+ Support for the AMD64 (x86-64) architecture.
+</td>
+ </tr>
+ </table>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+ </span>Planned subprojects</p>
+<p>The SELinux
+ project has the following subprojects planned:
+ </p>
+<table class="ntable">
+ <tr>
+ <td class="infohead"><b>Project</b></td>
+ <td class="infohead"><b>Description</b></td>
+ </tr>
+ <tr>
+ <td class="tableinfo">non-x86 Support</td>
+ <td class="tableinfo">
+ Profiles, installation guides, and support for non-x86 architectures.
+</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Desktop</td>
+ <td class="tableinfo">
+ SELinux support on destktops. This involves enhancements to XFree's
+ security, and accompanying policy.
+</td>
+ </tr>
+ </table>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+ </span>Resources</p>
+<p>Resources offered by the
+ SELinux
+ project are:</p>
+<ul>
+ <li>
+ <a href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</a>
+ </li>
+ </ul>
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
+ </span>How Do I Use This?</p>
+<p>
+ SELinux can be installed on a new system by following the above install guide.
+</p>
+<p class="chaphead"><a name="doc_chap9"></a><span class="chapnum">9.
+ </span>I Want to Participate</p>
+<p>
+ To participate in the SELinux project first join the mailing list at
+ <span class="code" dir="ltr">gentoo-hardened@gentoo.org</span>. Then ask if there are plans to support
+ something that you are interested in, propose a new subproject that you are
+ interested in or choose one of the planned subprojects to work on. You may talk
+ to the developers and users in the IRC channel <span class="code" dir="ltr">#gentoo-hardened</span> on
+ <span class="code" dir="ltr">irc.freenode.net</span> for more information or just to chat about the project
+ or any subprojects. If you don't have the ability to actively help by
+ contributing work we will always need testers to use and audit the SELinux
+ policies. All development, testing, feedback, and productive comments will
+ be greatly appreciated.
+</p>
+<p class="secthead"><a name="doc_chap9_sect2">Policy Submissions</a></p>
+<p>
+ The critical component of a SELinux system is having a strong policy. The
+ team does its best to support as many daemons as possible. However, we cannot
+ create policies for daemons with which we are unfamiliar. But we are happy
+ to receive policy submissions for consideration. There are a few requirements:
+</p>
+<ul>
+<li>
+ Make comments (in the policy and/or bug), so we can understand changes
+ from the NSA example policy.
+</li>
+<li>
+ The policy should cover common installations. Please do not submit policies
+ for odd or nonstandard daemon configurations.
+</li>
+<li>
+ We need to know if the policy is dependent on another policy (for example
+ rpcd is dependent on portmap) other than base-policy.
+</li>
+<li>
+ An ebuild for the policy can also be submitted to help the developers
+ integrate the policy into Portage more quickly, if it is accepted.
+ See current daemon policies in Portage for example uses of the
+ selinux-policy eclass.
+</li>
+</ul>
+<p>
+ The policy should be submitted on <a href="http://bugs.gentoo.org/">bugzilla</a>.
+ Please attach the .te and .fc files separately to the bug, not as a tarball.
+ The bug should be assigned to <span class="code" dir="ltr">selinux@gentoo.org</span>.
+</p>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="index.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">Gentoo Project<br><i>script generated</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html
new file mode 100644
index 0000000..db6ca21
--- /dev/null
+++ b/html/selinux/selinux-handbook.html
@@ -0,0 +1,171 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo SELinux Handbook</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<hr>
+<p>
+ [ &lt;&lt; ]
+
+ [ &lt; ]
+
+ [ <a href="selinux-handbook.xml">Home</a> ]
+
+ [ <a href="selinux-handbook.xml?part=1">&gt;</a> ]
+
+ [ <a href="selinux-handbook.xml?part=1">&gt;&gt;</a> ]
+ </p>
+<hr>
+<h1>Gentoo SELinux Handbook</h1>
+<p>Content:</p>
+<ul>
+<li>
+<b><a href="?part=1">Installing Gentoo SELinux</a></b><br>
+In this part you learn how to install Gentoo SELinux on your system.
+<ol><li>
+<b><a href="?part=1&amp;chap=1">Gentoo SELinux Installation</a></b><br>
+How to do a fresh installation of Gentoo SELinux.
+</li></ol>
+</li>
+<li>
+<b><a href="?part=2">Converting to Gentoo SELinux</a></b><br>
+SELinux alternatively can be installed on current Linux installations. This
+Chapter deals with converting a prexisting Gentoo install to SELinux.
+<ol>
+<li>
+<b><a href="?part=2&amp;chap=1">Initial preparations</a></b><br>
+A few preparations must be done before installing SELinux packages.
+</li>
+<li>
+<b><a href="?part=2&amp;chap=2">Boot SELinux Kernel</a></b><br>
+Install and boot a SELinux kernel.
+</li>
+<li>
+<b><a href="?part=2&amp;chap=3">Install SELinux Userland</a></b><br>
+Install SELinux packages and policy, and label filesystems.
+</li>
+</ol>
+</li>
+<li>
+<b><a href="?part=3">Working with SELinux</a></b><br>
+Learn how to work with SELinux
+<ol>
+<li>
+<b><a href="?part=3&amp;chap=1">SELinux Overview</a></b><br>
+SELinux has many parts to understand. This chapter discusses SELinux's
+important concepts and policy.
+</li>
+<li>
+<b><a href="?part=3&amp;chap=2">SELinux HOWTO</a></b><br>
+This chapter deals with how to common operations in SELinux.
+</li>
+<li>
+<b><a href="?part=3&amp;chap=3">SELinux FAQ</a></b><br>
+This chapter deals with frequently asked questions in SELinux.
+</li>
+<li>
+<b><a href="?part=3&amp;chap=4">SELinux Management Infrastructure</a></b><br>
+The chapter deals with managing SELinux using the management infrastructure.
+</li>
+<li>
+<b><a href="?part=3&amp;chap=5">Local Policy Modules</a></b><br>
+The chapter deals with adding rules and new modules to your policy.
+</li>
+<li>
+<b><a href="?part=3&amp;chap=6">SELinux Reference Materials</a></b><br>
+This has a list of external references on SELinux.
+</li>
+</ol>
+</li>
+<li>
+<b><a href="?part=4">Troubleshooting SELinux</a></b><br>
+When encountering problems on a machine, SELinux can add extra difficulty
+in fixing the problem. This chapter walks through fixing common problems.
+<ol>
+<li>
+<b><a href="?part=4&amp;chap=1">Policy Not Loaded on Boot</a></b><br>
+This chapter deals with the problem of the policy not being loaded on boot.
+</li>
+<li>
+<b><a href="?part=4&amp;chap=2">Trouble Logging in Locally</a></b><br>
+This chapter deals with problems logging in locally at the console.
+</li>
+<li>
+<b><a href="?part=4&amp;chap=3">Trouble Logging in Remotely</a></b><br>
+This chapter deals with problems logging in remotely by ssh.
+</li>
+</ol>
+</li>
+</ul>
+<hr>
+<p>
+ [ &lt;&lt; ]
+
+ [ &lt; ]
+
+ [ <a href="selinux-handbook.xml">Home</a> ]
+
+ [ <a href="selinux-handbook.xml?part=1">&gt;</a> ]
+
+ [ <a href="selinux-handbook.xml?part=1">&gt;&gt;</a> ]
+ </p>
+<hr>
+<p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+-->
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-handbook.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="selinux-handbook.xml?full=1">View all</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 15, 2006</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This is the Gentoo SELinux Handbook.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a>
+<br><i>Author</i><br><br>
+ Chris Richards
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/toolchain-upgrade-guide.html b/html/toolchain-upgrade-guide.html
new file mode 100644
index 0000000..8a44422
--- /dev/null
+++ b/html/toolchain-upgrade-guide.html
@@ -0,0 +1,280 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ GCC-4/GLIBC-2.5 Hardened Toolchain Overview and Upgrade Guide (EARLY DRAFT)</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
+ This document is a work in progress and should not be considered official yet.
+ </p></td></tr></table>
+<br><h1>GCC-4/GLIBC-2.5 Hardened Toolchain Overview and Upgrade Guide (EARLY DRAFT)</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Upgrade Guide</option>
+<option value="#doc_chap3">3. References</option></select>
+</form>
+<p class="chaphead"><a name="Introduction"></a><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p class="secthead"><a name="Rationale"></a><a name="doc_chap1_sect1">Rationale for re-working the hardened toolchain.</a></p>
+<p>
+The gcc-3/glibc-2.3 toolchain has been working reasonably well for
+<a href="http://www.gentoo.org/proj/en/hardened/">Hardened Gentoo</a>
+for a few years now. However while it has gained in maturity, there are a
+number of known issues that have proven unresolvable so far. Most issues are
+relatively minor and only show up in rare circumstances, however it has become
+increasingly clear that the Stack Smash Protector (SSP) implementation in gcc-3
+that was developed at IBM has some serious issues most especially with code
+constructs of C++ (and also C, where gcc permits some C++ idioms to be used also
+in C).
+</p>
+<p>
+In gcc-4, Richard Henderson and others at RedHat
+<a href="http://gcc.gnu.org/ml/gcc-patches/2005-05/msg01193.html">completely re-implemented</a>
+the stack smash protector, making a number of improvements in the process.
+Internally to GCC, the implementation is significantly different, although the
+end result and the behaviour of the generated object code is much the same.
+Unfortunately, the re-implementation did not retain binary compatibility with
+the implementation we used previously, so we could not just simply bump our
+patches to support the newer toolchain without doing some work.
+</p>
+<p>
+It was also clear that migrating to gcc-4 was not going to be trivial for the
+standard Gentoo product, let alone Hardened Gentoo. Other changes to gcc (the
+reason it gained a major version number increment) highlighted much code that
+worked on gcc-3 often for the wrong reasons, but failed with gcc-4. Thus it
+seemed like the ideal opportunity to re-examine the hardened toolchain
+modifications to see if it could be done better and more consistently, since it
+was apparent it would be some time before gcc-4 could be considered practical.
+While the overall concepts for the hardened toolchain are largely the same, a
+significant amount of work has gone into this task leading to hopefully a more
+reliable and maintainable product. Hopefully it was worth it!
+</p>
+<p class="secthead"><a name="overview"></a><a name="doc_chap1_sect2">Overview of the gcc-4/glibc-2.5/binutils-2.17 toolchain for Hardened Gentoo</a></p>
+<p>
+As mentioned above, the SSP implementation has changed substantially. Changes
+to the interfaces used by gcc to handle stack overflows, and changes to the
+semantics of the stack-protector compiler switches, have lead to modifications
+of glibc so that it can support both the old and new interfaces, and
+modifications to the way the SSP compiler switches are managed to avoid having
+to modify ebuilds.
+</p>
+<p>
+The other major plank of the hardened toolchain with respect to gcc, Position
+Independent Executables (PIEs) has not changed; the support in gcc-4 is no
+different from the support in gcc-3 which has been maintained upstram. However,
+in order to support the default-PIE some changes have been made which should
+mean that building executables will always use a consistent set of startfiles
+and libraries. Previously there were occasions where odd results were observed;
+particularly when building "-static". Static builds now result in a static/PIE
+hybrid executable that should be stable on all architectures.
+</p>
+<p>
+The other two elements of the hardened toolchain, RELRO and BIND_NOW, are
+effectively no different than they were before.
+</p>
+<p>
+In addition to the support changes necessary for SSP and the PIE cleanup, the
+way compiler "specs" are handled ("specs" are configuration text used by the
+compiler driver to control how the various components; the C compiler, C++
+compiler, linker, assembler etc are invoked) has been reworked. Previously we
+patched the compiler driver code significantly to inject our altered default
+specs, and did so repeatedly in various combinations to get us the several
+variants of the hardened compiler that are provided. The new approach still
+patches the compiler driver, but once only and much, much less intrusively,
+adding "call-outs" to "mini-specs" that are by default defined to behave as the
+vanilla compiler does, but can be easily overridden to achieve the hardened
+toolchain behaviour we desire. The altered specs are managed by appending
+re-definitions of these "mini-specs" to the standard specs, overriding the
+defaults in a much less architecture-dependent way.
+</p>
+<p>
+A detailed description of the new toolchain modifications can be found in the
+<a href="hardened-toolchain.xml">Technical Description of the Gentoo Hardened Toolchain</a>.
+</p>
+<p class="chaphead"><a name="UpgradeGuide"></a><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Upgrade Guide</p>
+<p class="secthead"><a name="Dependencies"></a><a name="doc_chap2_sect1">Dependencies</a></p>
+<p>
+There are a number of build and run-time dependencies between the various toolchain
+elements. A brief elaboration of these will make it clear why the recommended
+upgrade path is as it is.
+</p>
+<ul>
+<li>Hardened gcc-4 requires glibc-2.5 for ssp support functions</li>
+<li>The new reliable "static PIE" support means hardened glibc-2.5 must be built with hardened gcc-4</li>
+<li>"static PIE" support requires binutils-2.17</li>
+</ul>
+<p>
+Of particular note, is the circular dependency between hardened gcc-4 and hardened glibc-2.5.
+Note that these dependencies are only relevant when hardened.
+</p>
+<p class="secthead"><a name="Sequence"></a><a name="doc_chap2_sect2">Upgrade Sequence</a></p>
+<p>
+The upgrade path is quite simple really. Upgrade to binutils-2.17 if necessary,
+and ensure it is selected. Then, using the vanilla compiler, build both glibc
+and gcc non-hardened - this installs all the support necessary to build them
+hardened. Next, switch to the new compiler -hardened variant, rebuild glibc
+and gcc. Ensure the hardened compiler is selected (reselect to be sure).
+</p>
+<p>
+Switch off distcc and ccache if you're using them, to be sure you don't get mixed
+results from previous compilations (especially if you have tried earlier versions
+of the toolchain upgrade from overlays).
+</p>
+<p>
+In detail, the steps are:
+</p>
+<p>
+Ensure sys-devel/binutils-2.17 is installed:
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Check binutils version</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+binutils-config -l
+</pre></td></tr>
+</table>
+<p>
+If the version selected (highlighted with '*') is 2.17, that's enough. If 2.17 is
+installed but not selected, select it with <span class="code" dir="ltr">binutils-config</span> - otherwise merge it:
+</p>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Merge binutils-2.17</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+emerge --oneshot =sys-devel/binutils-2.17
+</pre></td></tr>
+</table>
+<p>
+and switch to it if necessary using <span class="code" dir="ltr">binutils-config</span>. Next, switch to the vanilla gcc:
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Select vanilla gcc</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+gcc-config -l
+gcc-config &lt;current gcc&gt;-vanilla
+source /etc/profile
+</pre></td></tr>
+</table>
+<p>
+replacing &lt;current gcc&gt; with the current compiler name (or just choose the right number from the list).
+</p>
+<p>
+Merge vanilla glibc-2.5 and gcc-4:
+</p>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Merging vanilla toolchain</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+USE="-hardened" emerge --oneshot =sys-libs/glibc-2.5
+USE="-hardened" emerge --oneshot =sys-devel/gcc-4.1.2
+</pre></td></tr>
+</table>
+<p>
+There are a number of known test failures with both glibc and gcc on a hardened
+system. The glibc build will stop after the test failures. Complete the glibc
+build either using ebuild (if you know what you're doing) or do the build again
+with <span class="code" dir="ltr">FEATURES="-test"</span>. The gcc build will carry on regardless, it'll
+install and merge despite the failures. Once both are installed, switch to
+the hardened gcc:
+</p>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Select hardened gcc</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+gcc-config -l
+gcc-config &lt;new gcc&gt;-hardened
+source /etc/profile
+</pre></td></tr>
+</table>
+<p>
+replacing &lt;new gcc&gt; with the new compiler name.
+</p>
+<p>
+Merge hardened glibc-2.5 and gcc-4:
+</p>
+<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: 5: Merging hardened toolchain</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+emerge --oneshot =sys-libs/glibc-2.5
+emerge --oneshot =sys-devel/gcc-4.1.2
+</pre></td></tr>
+</table>
+<p>
+Rebuild world with the new toochain:
+</p>
+<a name="doc_chap2_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.7: 6: Rebuilding world</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+emerge -e world
+</pre></td></tr>
+</table>
+<p>
+That last - rebuilding world - does not have to be done immediately; existing
+binaries should continue to run correctly against the upgraded glibc, and
+portage should have left your previous compile in place since it's a major
+revision change. It is probably a good idea to rebuild binutils with the new
+toolchain (repeat 2.2) at least. See also the standard
+<a href="http://www.gentoo.org/doc/en/gcc-upgrading.xml">Gentoo GCC Upgrade Guide</a>
+advice on common GCC upgrade pitfalls.
+</p>
+<p class="chaphead"><a name="references"></a><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>References</p>
+<p class="secthead"><a name="gentoorefs"></a><a name="doc_chap3_sect1">Other Gentoo Documentation</a></p>
+<ul>
+<li><a href="http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml">
+Technical Description of the Gentoo Hardened Toolchain</a></li>
+<li><a href="http://www.gentoo.org/doc/en/gcc-upgrading.xml">Standard Gentoo GCC Upgrade Guide</a></li>
+</ul>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated February 22, 2007</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+Guide for upgrading from hardened gcc-3/glibc-2.3/binutils-2.16 to gcc-4/glibc-2.5/binutils-2.17.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+<a href="mailto:kevquinn@gentoo.org" class="altlink"><b>Kevin F. Quinn</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>