NX: List of apps that probably break with NX

From: John Richard Moser
Date: Sun Jul 11 2004 - 09:16:26 EST

Next message: Alberto Bertogli: "Re: Syncing a file's metadata in a portable way"
Previous message: Alan Stern: "Re: [Linux-usb-users] Genesys Logic and Kernel 2.4"
Next in thread: John Richard Moser: "Re: NX: List of apps that probably break with NX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi.

I've noticed you're pondering an NX technology in the kernel. I help
maintain a list of applications that break under PaX, an NX/ASLR patch,
used for a script which applies reduced restrictions to these binaries.
~ The result is that I have a handfull of unprotected apps; but
everything works. You either have to trade off the security for the
usability, or the usability for the security.

PaX uses two tools to set reduced restrictions: chpax and paxctl. The
chpax tool uses a free field in the ELF header; while paxctl uses a
special field set aside by a specially patched binutils. Binaries with
this extra field are natively compatible with vanilla Linux.

The different flags are as follows:

P PageExec (NX method) to supply functionality of NX marking of pages
S SegmExec (NX method) to supply functionality of NX marking of pages
E Emulate Trampolines
M Reduced mprotect() restrictions (basically fixes things wanting +X
stack)
R Random mmap() base
X Random ET_EXEC base

I supply these as shell patterns. Be familiar with bash, or try:

$ echo `exec <pattern>`

NX-Exempt (-psem)
~ Wine:
/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}

~ Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

OpenOffice.org:
/opt/OpenOffice.org*/program/soffice.bin

Misc:
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/Xorg
/usr/bin/blender
/usr/bin/gxine
/usr/bin/xine
/usr/bin/totem
/usr/bin/acme
/usr/bin/gnome-sound-recorder
/usr/games/bin/bzflag
/usr/bin/xfce4-panel
/usr/bin/{g,}xine

Randmap Exempt (-r)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

X:
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/Xorg

mprotect() restriction exempt (-m)
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

Firefox:
/usr/lib/MozillaFirefox/firefox{,-bin}

xmms:
/usr/bin/xmms

RandExec Exempt (-x):
Java:
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

X:
/usr/X11R6/bin/XFree86
/opt/*-{jdk-*/{,jre/},jre-*/}bin/*

The bug used to track changes in the scripts that supply the application
of reduced restrictions is at
http://bugs.gentoo.org/show_bug.cgi?id=40665 . This may prove
interesting, as I or someone else will need to update it as more
applications break, or as more begin to work.

- --John
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA8Ut0hDd4aOud5P8RAmPyAJ0abHDHZAvb+nyl5Fs0CDXYwX7ZDACgibwV
Ls2RB3CjkY8VHKUS1GAAcmE=
=ASsQ
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alberto Bertogli: "Re: Syncing a file's metadata in a portable way"
Previous message: Alan Stern: "Re: [Linux-usb-users] Genesys Logic and Kernel 2.4"
Next in thread: John Richard Moser: "Re: NX: List of apps that probably break with NX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]