Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Hardened
XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more
creideiki+gentoo-hardened at ferretporn
Dec 13, 2014, 3:52 PM
Post #1 of 16 (5704 views)
Permalink
Hi list,

I seem to have at least three problems related to PaX markings simultaneously,
and since it's after midnight here and I need to write down some notes anyway
so I know how to continue tomorrow, I might as well send them out to the world
and see if someone else solves my problems for me while I'm asleep.

It all started when I couldn't upgrade from my existing dev-
java/icedtea-7.2.4.5. Building dev-java/icedtea-7.2.5.3 failed, with the
following messages at the bottom of the log:


if [ -x /usr/sbin/paxmark.sh ] ; then \
if [ -w /export/portage/portage/dev-
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ] ; then \
/usr/sbin/paxmark.sh -m /export/portage/portage/dev-
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ; \
fi ; \
fi
/usr/sbin/paxmark.sh: line 82: elog: command not found
Makefile:124: recipe for target '/export/portage/portage/dev-
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-
boot/classes/javax/management/
remote/rmi/RMIConnectionImpl_Stub.class' failed


That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to
call elog and fails.

That code was introduced in 0.9.0 (actually, commit 41a91c04), but I've
obviously managed to build icedtea before, so let's downgrade to 0.8.4 and try
again. The build dies in the same location, but without the line complaining
about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about it:


# /usr/sbin/paxmark.sh -m /export/portage/portage/dev-
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java

# echo $?
1

# paxctl-ng -v /export/portage/portage/dev-
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java
/export/portage/portage/dev-
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java:
PT_PAX : -em--
XATTR_PAX : not found


So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the code,
paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails, the
entire thing returns failure. Unless PAX_MARKINGS is set, in which case that
controls which type of markings is used. It isn't set on this machine.

Problem number two: that's not what the docs say should happen. Acording to
https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart:

"If you decide on PaX marking method, you should adjust PAX_MARKINGS variable
in your /etc/portage/make.conf with either XT (for extended attributes) or PT
(for program header marking). You can set both XT PT if you wish. Default is
PT."

But why isn't XATTR_PAX working? I thought I completed that transition ages
ago.


# paxctl-ng -v /bin/ls
/bin/ls:
PT_PAX : -e---
XATTR_PAX : not found


Obviously not. Maybe I forgot this machine. Would it work?


# paxctl-ng -F /bin/ls

# paxctl-ng -v /bin/ls
/bin/ls:
PT_PAX : -e---
XATTR_PAX : -e---


Yes. So why couldn't paxmark.sh set XATTR_PAX?


# paxctl-ng -d /bin/ls

# paxctl-ng -v /bin/ls
/bin/ls:
PT_PAX : -e---
XATTR_PAX : not found

# cp /bin/ls $PORTAGE_TMPDIR

# paxctl-ng -v $PORTAGE_TMPDIR/ls
/export/portage/ls:
PT_PAX : -e---
XATTR_PAX : not found

# paxctl-ng -F $PORTAGE_TMPDIR/ls

# echo $?
1

# paxctl-ng -v $PORTAGE_TMPDIR/ls
/export/portage/ls:
PT_PAX : -e---
XATTR_PAX : not found

# strace paxctl-ng -F $PORTAGE_TMPDIR/ls 2>&1 | grep user.pax
fsetxattr(3, "user.pax.flags", "e", 1, 0) = -1 EOPNOTSUPP (Operation not
supported)


OK, so XATTR_PAX works in /bin, but gets EOPNOTSUPP in $PORTAGE_TMPDIR.
They're on different mounts, so that's not unreasonable. But where do they
differ?


# di -h /bin
Filesystem Mount Size Used Avail %Used fs Type
/dev/root / 75,0G 56,7G 14,5G 81% ext4

# di -h $PORTAGE_TMPDIR
Filesystem Mount Size Used Avail %Used fs Type
/dev/mapper/crypt- /export 2,5T 2,2T 258,8G 90% ext3

# grep -E ' (/|/export) ' /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext4 rw,relatime,data=ordered 0 0
/dev/mapper/crypt-export /export ext3
rw,noatime,errors=continue,barrier=1,data=ordered 0 0

# tune2fs -l /dev/root | grep ext_attr
Filesystem features: has_journal ext_attr resize_inode dir_index filetype
needs_recovery extent sparse_super large_file uninit_bg

# tune2fs -l /dev/mapper/crypt-export | grep ext_attr
Filesystem features: has_journal ext_attr resize_inode dir_index filetype
needs_recovery sparse_super large_file


So it works on ext4, but not ext3, even though both have the ext_attr flag on
disk. Any difference in kernel support?


# uname -r
3.16.5-hardened

# gunzip -c /proc/config.gz | grep XATTR
CONFIG_EXT3_FS_XATTR=y
CONFIG_TMPFS_XATTR=y
CONFIG_PAX_XATTR_PAX_FLAGS=y

# gunzip -c /proc/config.gz | grep EXT[34]
CONFIG_EXT3_FS=y
CONFIG_EXT3_DEFAULTS_TO_ORDERED=y
CONFIG_EXT3_FS_XATTR=y
# CONFIG_EXT3_FS_POSIX_ACL is not set
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS=y
CONFIG_EXT4_USE_FOR_EXT23=y
# CONFIG_EXT4_FS_POSIX_ACL is not set
CONFIG_EXT4_FS_SECURITY=y
# CONFIG_EXT4_DEBUG is not set


Not that I can see, especially with CONFIG_EXT4_USE_FOR_EXT23=y. And it should
be an automatic dependency anyway, since PAX_XATTR_PAX_FLAGS is set.

Which brings us to problem number three: why aren't xattrs working in
$PORTAGE_TMPDIR on ext3 when they are in /bin on ext4?

Problems one and two are clearly bugs, one in sys-apps/elfix and two in sys-
apps/elfix or the documentation. Should I file them in Bugzilla, or is this
mail enough?

Problem three seems to be unique to this machine. Does anyone know what's
going on?

--
Karl-Johan Karlsson

Attached Files:

Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
zerochaos at gentoo
Dec 13, 2014, 6:34 PM
Post #2 of 16 (5635 views)
Permalink
On 12/13/2014 06:52 PM, Karl-Johan Karlsson wrote:
> So it works on ext4, but not ext3, even though both have the ext_attr flag on
> disk. Any difference in kernel support?
>
>
> # uname -r
> 3.16.5-hardened
>
> # gunzip -c /proc/config.gz | grep XATTR
> CONFIG_EXT3_FS_XATTR=y
> CONFIG_TMPFS_XATTR=y
> CONFIG_PAX_XATTR_PAX_FLAGS=y
>
> # gunzip -c /proc/config.gz | grep EXT[34]
> CONFIG_EXT3_FS=y
> CONFIG_EXT3_DEFAULTS_TO_ORDERED=y
> CONFIG_EXT3_FS_XATTR=y
> # CONFIG_EXT3_FS_POSIX_ACL is not set
> CONFIG_EXT3_FS_SECURITY=y
> CONFIG_EXT4_FS=y
> CONFIG_EXT4_USE_FOR_EXT23=y
> # CONFIG_EXT4_FS_POSIX_ACL is not set
> CONFIG_EXT4_FS_SECURITY=y
> # CONFIG_EXT4_DEBUG is not set
>
>

just to narrow it down, can you remove the ext3 modules (or just build
it out of the kernel) and let the ext4 driver handle it? ext4
filesystem driver handles ext2 and ext3, typically with much better results.

-Zero

> Not that I can see, especially with CONFIG_EXT4_USE_FOR_EXT23=y. And it should
> be an automatic dependency anyway, since PAX_XATTR_PAX_FLAGS is set.
>
> Which brings us to problem number three: why aren't xattrs working in
> $PORTAGE_TMPDIR on ext3 when they are in /bin on ext4?
>
> Problems one and two are clearly bugs, one in sys-apps/elfix and two in sys-
> apps/elfix or the documentation. Should I file them in Bugzilla, or is this
> mail enough?
>
> Problem three seems to be unique to this machine. Does anyone know what's
> going on?
>

Attached Files:

Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
atoth at atoth
Dec 13, 2014, 7:18 PM
Post #3 of 16 (5636 views)
Permalink
I've made an observation long before, that although PT_PAX flags are
properly handled on my systems, the installed binaries and libraries lack
XATTR_PAX markings. This has been the situation for a long time now. I've
made a script scanning the system for inconsistent markings and issuing
paxctl-ng -F for those files, where it's necessary.
I have both PT and XT present in my make.conf for markings. I was told
before, that I should rather opt for only one of the two possibilities -
kernel-option wise and make.conf-marking-selection wise. Kinda both PT and
XT are not supported at the same time using the current utilities.
Moreover: there is the question if PT marking is present and XATTR is
missing at the same time: which one takes precedence? I suspect the system
tries to interpret the missing XATTR, falling back to apply the default
flags, while paying no attention to the PT flags present. Additionally, I
haven't mentioned any policy defined PAX flags.
Elfutils, paxutils and all other relevant packages are keyworded on my
systems.
So ordinary executables are installed with an inconsistent marking by
default. The new install mechanism is working on my systems. Strangely
enough, I see how html files are processed during install. Ordinary
binaries somehow slip through the mechanism.

It would be so good to see consistent markings on a system having both PT
and XT enabled. The kernel could also behave a bit differently. These
possibilities can potentially confuse some users, while I'm still fine
with my scripts and have some understanding of the background.

In the mean time I see some progress as well! Compile time markings
definitely seem to work fine on my systems for awhile. Emerging icedtea
goes flawlessly, since markings are performed in a proper fashion - even
for PT & XT combo setup. I understand that compile time marking in an
ebuild is a separate mechanism compared to normal ebuild file install, but
I still see some room for improvements. And possibly fix this scenario.
Not for me, because I think I understand the situation and I believe I
know what I'm doing (just like when trying to change the multcount value
for a hard drive in smartctl). But n00bs or newcomers might have a benefit
from.

Thanks:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

2014.December 14.(V) 00:52 időpontban Karl-Johan Karlsson ezt írta:
> Hi list,
>
> I seem to have at least three problems related to PaX markings
> simultaneously,
> and since it's after midnight here and I need to write down some notes
> anyway
> so I know how to continue tomorrow, I might as well send them out to the
> world
> and see if someone else solves my problems for me while I'm asleep.
>
> It all started when I couldn't upgrade from my existing dev-
> java/icedtea-7.2.4.5. Building dev-java/icedtea-7.2.5.3 failed, with the
> following messages at the bottom of the log:
>
>
> if [ -x /usr/sbin/paxmark.sh ] ; then \
> if [ -w /export/portage/portage/dev-
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ] ;
> then \
> /usr/sbin/paxmark.sh -m /export/portage/portage/dev-
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ; \
> fi ; \
> fi
> /usr/sbin/paxmark.sh: line 82: elog: command not found
> Makefile:124: recipe for target '/export/portage/portage/dev-
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-
> boot/classes/javax/management/
> remote/rmi/RMIConnectionImpl_Stub.class' failed
>
>
> That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to
> call elog and fails.
>
> That code was introduced in 0.9.0 (actually, commit 41a91c04), but I've
> obviously managed to build icedtea before, so let's downgrade to 0.8.4 and
> try
> again. The build dies in the same location, but without the line
> complaining
> about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about
> it:
>
>
> # /usr/sbin/paxmark.sh -m /export/portage/portage/dev-
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java
>
> # echo $?
> 1
>
> # paxctl-ng -v /export/portage/portage/dev-
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java
> /export/portage/portage/dev-
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java:
> PT_PAX : -em--
> XATTR_PAX : not found
>
>
> So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the
> code,
> paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails,
> the
> entire thing returns failure. Unless PAX_MARKINGS is set, in which case
> that
> controls which type of markings is used. It isn't set on this machine.
>
> Problem number two: that's not what the docs say should happen. Acording
> to
> https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart:
>
> "If you decide on PaX marking method, you should adjust PAX_MARKINGS
> variable
> in your /etc/portage/make.conf with either XT (for extended attributes) or
> PT
> (for program header marking). You can set both XT PT if you wish. Default
> is
> PT."
>
> But why isn't XATTR_PAX working? I thought I completed that transition
> ages
> ago.
>
>
> # paxctl-ng -v /bin/ls
> /bin/ls:
> PT_PAX : -e---
> XATTR_PAX : not found
>
>
> Obviously not. Maybe I forgot this machine. Would it work?
>
>
> # paxctl-ng -F /bin/ls
>
> # paxctl-ng -v /bin/ls
> /bin/ls:
> PT_PAX : -e---
> XATTR_PAX : -e---
>
>
> Yes. So why couldn't paxmark.sh set XATTR_PAX?
>
>
> # paxctl-ng -d /bin/ls
>
> # paxctl-ng -v /bin/ls
> /bin/ls:
> PT_PAX : -e---
> XATTR_PAX : not found
>
> # cp /bin/ls $PORTAGE_TMPDIR
>
> # paxctl-ng -v $PORTAGE_TMPDIR/ls
> /export/portage/ls:
> PT_PAX : -e---
> XATTR_PAX : not found
>
> # paxctl-ng -F $PORTAGE_TMPDIR/ls
>
> # echo $?
> 1
>
> # paxctl-ng -v $PORTAGE_TMPDIR/ls
> /export/portage/ls:
> PT_PAX : -e---
> XATTR_PAX : not found
>
> # strace paxctl-ng -F $PORTAGE_TMPDIR/ls 2>&1 | grep user.pax
> fsetxattr(3, "user.pax.flags", "e", 1, 0) = -1 EOPNOTSUPP (Operation not
> supported)
>
>
> OK, so XATTR_PAX works in /bin, but gets EOPNOTSUPP in $PORTAGE_TMPDIR.
> They're on different mounts, so that's not unreasonable. But where do they
> differ?
>
>
> # di -h /bin
> Filesystem Mount Size Used Avail %Used fs
> Type
> /dev/root / 75,0G 56,7G 14,5G 81% ext4
>
> # di -h $PORTAGE_TMPDIR
> Filesystem Mount Size Used Avail %Used fs
> Type
> /dev/mapper/crypt- /export 2,5T 2,2T 258,8G 90% ext3
>
> # grep -E ' (/|/export) ' /proc/mounts
> rootfs / rootfs rw 0 0
> /dev/root / ext4 rw,relatime,data=ordered 0 0
> /dev/mapper/crypt-export /export ext3
> rw,noatime,errors=continue,barrier=1,data=ordered 0 0
>
> # tune2fs -l /dev/root | grep ext_attr
> Filesystem features: has_journal ext_attr resize_inode dir_index
> filetype
> needs_recovery extent sparse_super large_file uninit_bg
>
> # tune2fs -l /dev/mapper/crypt-export | grep ext_attr
> Filesystem features: has_journal ext_attr resize_inode dir_index
> filetype
> needs_recovery sparse_super large_file
>
>
> So it works on ext4, but not ext3, even though both have the ext_attr flag
> on
> disk. Any difference in kernel support?
>
>
> # uname -r
> 3.16.5-hardened
>
> # gunzip -c /proc/config.gz | grep XATTR
> CONFIG_EXT3_FS_XATTR=y
> CONFIG_TMPFS_XATTR=y
> CONFIG_PAX_XATTR_PAX_FLAGS=y
>
> # gunzip -c /proc/config.gz | grep EXT[34]
> CONFIG_EXT3_FS=y
> CONFIG_EXT3_DEFAULTS_TO_ORDERED=y
> CONFIG_EXT3_FS_XATTR=y
> # CONFIG_EXT3_FS_POSIX_ACL is not set
> CONFIG_EXT3_FS_SECURITY=y
> CONFIG_EXT4_FS=y
> CONFIG_EXT4_USE_FOR_EXT23=y
> # CONFIG_EXT4_FS_POSIX_ACL is not set
> CONFIG_EXT4_FS_SECURITY=y
> # CONFIG_EXT4_DEBUG is not set
>
>
> Not that I can see, especially with CONFIG_EXT4_USE_FOR_EXT23=y. And it
> should
> be an automatic dependency anyway, since PAX_XATTR_PAX_FLAGS is set.
>
> Which brings us to problem number three: why aren't xattrs working in
> $PORTAGE_TMPDIR on ext3 when they are in /bin on ext4?
>
> Problems one and two are clearly bugs, one in sys-apps/elfix and two in
> sys-
> apps/elfix or the documentation. Should I file them in Bugzilla, or is
> this
> mail enough?
>
> Problem three seems to be unique to this machine. Does anyone know what's
> going on?
>
> --
> Karl-Johan Karlsson
Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
atoth at atoth
Dec 13, 2014, 7:20 PM
Post #4 of 16 (5631 views)
Permalink
+1 for omitting EXT3. Karl-Johan: you can safely remove that, IMHO.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

2014.December 14.(V) 03:34 időpontban Rick \"Zero_Chaos\" Farina ezt írta:
> On 12/13/2014 06:52 PM, Karl-Johan Karlsson wrote:
>> So it works on ext4, but not ext3, even though both have the ext_attr
>> flag on
>> disk. Any difference in kernel support?
>>
>>
>> # uname -r
>> 3.16.5-hardened
>>
>> # gunzip -c /proc/config.gz | grep XATTR
>> CONFIG_EXT3_FS_XATTR=y
>> CONFIG_TMPFS_XATTR=y
>> CONFIG_PAX_XATTR_PAX_FLAGS=y
>>
>> # gunzip -c /proc/config.gz | grep EXT[34]
>> CONFIG_EXT3_FS=y
>> CONFIG_EXT3_DEFAULTS_TO_ORDERED=y
>> CONFIG_EXT3_FS_XATTR=y
>> # CONFIG_EXT3_FS_POSIX_ACL is not set
>> CONFIG_EXT3_FS_SECURITY=y
>> CONFIG_EXT4_FS=y
>> CONFIG_EXT4_USE_FOR_EXT23=y
>> # CONFIG_EXT4_FS_POSIX_ACL is not set
>> CONFIG_EXT4_FS_SECURITY=y
>> # CONFIG_EXT4_DEBUG is not set
>>
>>
>
> just to narrow it down, can you remove the ext3 modules (or just build
> it out of the kernel) and let the ext4 driver handle it? ext4
> filesystem driver handles ext2 and ext3, typically with much better
> results.
>
> -Zero
>
>> Not that I can see, especially with CONFIG_EXT4_USE_FOR_EXT23=y. And it
>> should
>> be an automatic dependency anyway, since PAX_XATTR_PAX_FLAGS is set.
>>
>> Which brings us to problem number three: why aren't xattrs working in
>> $PORTAGE_TMPDIR on ext3 when they are in /bin on ext4?
>>
>> Problems one and two are clearly bugs, one in sys-apps/elfix and two in
>> sys-
>> apps/elfix or the documentation. Should I file them in Bugzilla, or is
>> this
>> mail enough?
>>
>> Problem three seems to be unique to this machine. Does anyone know
>> what's
>> going on?
>>
>
>
>
Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
creideiki+gentoo-hardened at ferretporn
Dec 14, 2014, 7:09 AM
Post #5 of 16 (5645 views)
Permalink
On Sat 13 Dec 2014 21.34.58 Rick Zero_Chaos Farina wrote:
> just to narrow it down, can you remove the ext3 modules (or just build
> it out of the kernel) and let the ext4 driver handle it? ext4
> filesystem driver handles ext2 and ext3, typically with much better results.

Would you look at that - that actually solved the problem. I can now set
XATTR_PAX flags markings on files in $PORTAGE_TMPDIR. Thanks!

I'll try to get around to setting up a VM with a bleeding-edge kernel to see
if this behaviour is still present, and if so report it as a bug.

One weird thing I noticed was that even though (some of) the binaries have
XATTR_PAX markings while in $PORTAGE_TMPDIR, none do after being merged to /:


# find /usr/lib64/icedtea7 -type f -name java | xargs -l paxctl-ng -v
/usr/lib64/icedtea7/bin/java:
PT_PAX : -em--
XATTR_PAX : not found

/usr/lib64/icedtea7/jre/bin/java:
PT_PAX : -em--
XATTR_PAX : not found


# cd $PORTAGE_TMPDIR && find . -type f -name java | xargs -l paxctl-ng -v
./dev-java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/j2re-
image/bin/java:
PT_PAX : -em--
XATTR_PAX : not found

./dev-java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java:
PT_PAX : -em--
XATTR_PAX : -em--

./dev-java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/j2sdk-server-
image/bin/java:
PT_PAX : -em--
XATTR_PAX : not found

./dev-java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/j2sdk-server-
image/jre/bin/java:
PT_PAX : -em--
XATTR_PAX : not found

./dev-java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/j2sdk-
image/bin/java:
open(O_RDWR) failed: cannot change PT_PAX flags
PT_PAX : -em--
XATTR_PAX : -em--

./dev-java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/j2sdk-
image/jre/bin/java:
PT_PAX : -em--
XATTR_PAX : -em--

./dev-java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build/bin/java:
PT_PAX : -em--
XATTR_PAX : -em--

--
Karl-Johan Karlsson

Attached Files:

Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
basile at opensource
Dec 18, 2014, 4:58 PM
Post #6 of 16 (5612 views)
Permalink
On 12/13/14 18:52, Karl-Johan Karlsson wrote:

>
> That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to
> call elog and fails.

I'll fix this. I missed it when I copied from the eclass where we do
want elog.

>
> about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about it:
>
>
> # /usr/sbin/paxmark.sh -m /export/portage/portage/dev-
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java
>
> # echo $?
> 1

I intentionally left off diagnostics because in the middle of a build
system you will know where it failed. make will stop on shell false.

>
>
> So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the code,
> paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails, the
> entire thing returns failure. Unless PAX_MARKINGS is set, in which case that
> controls which type of markings is used. It isn't set on this machine.

That is the correct behavior. If you want for both PT and XATTR_PAX
flags to be set and either fail (or both) you want ret=1.

>
> Problem number two: that's not what the docs say should happen. Acording to
> https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart:
>
> "If you decide on PaX marking method, you should adjust PAX_MARKINGS variable
> in your /etc/portage/make.conf with either XT (for extended attributes) or PT
> (for program header marking). You can set both XT PT if you wish. Default is
> PT."

So the real bug is that PAX_MARKINGS is not inherited in that
environment. It is set according to that logic in the eclass which is
inherited by the icedtea ebuild and should percolate down but apparently
doesn't. Thanks that would have been hard to catch except in the wild.

>
> But why isn't XATTR_PAX working? I thought I completed that transition ages
> ago.
>

> So it works on ext4, but not ext3, even though both have the ext_attr flag on
> disk. Any difference in kernel support?
>

Because on ext3 you need to add user_xattr to the mount options. Either
`mount -o user_xattr` or in fstab in column 4 like this

/dev/sdb5 /tmp ext3 user_xattr 0 1

Its automatic on ext4. `man mount` for more info. Please let me know
if this works for you. Is that in the Pax_Quickstart? If not we should
add it.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
creideiki+gentoo-hardened at ferretporn
Dec 18, 2014, 10:08 PM
Post #7 of 16 (5617 views)
Permalink
On Thu 18 Dec 2014 19.58.11 Anthony G. Basile wrote:
> On 12/13/14 18:52, Karl-Johan Karlsson wrote:
> > So it works on ext4, but not ext3, even though both have the ext_attr flag
> > on disk. Any difference in kernel support?
>
> Because on ext3 you need to add user_xattr to the mount options. Either
> `mount -o user_xattr` or in fstab in column 4 like this
>
> /dev/sdb5 /tmp ext3 user_xattr 0 1
>
> Its automatic on ext4. `man mount` for more info. Please let me know
> if this works for you.

Aha! I was unaware of that mount option. mount(8) documents it, but is unclear
on what the default value is. attr(5) says it's needed on ext2, ext3 and
reiserfs, but says nothing about ext4.

Unfortunately, the machine is in production, and since it works without that
option when using the ext4 code to read ext3, I would prefer to leave it alone
for now.

> Is that in the Pax_Quickstart? If not we should
> add it.

It is not in PaX_Quickstart. It is mentioned in passing in
<https://wiki.gentoo.org/wiki/Netflix/Pipelight>, which is not the first place
I would have thought to look :)

--
Karl-Johan Karlsson

Attached Files:

Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
james at jtaylor
Dec 18, 2014, 10:51 PM
Post #8 of 16 (5621 views)
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 2014/12/19 17:08, Karl-Johan Karlsson wrote:
> On Thu 18 Dec 2014 19.58.11 Anthony G. Basile wrote:
>> On 12/13/14 18:52, Karl-Johan Karlsson wrote:
>>> So it works on ext4, but not ext3, even though both have the
ext_attr flag
>>> on disk. Any difference in kernel support?
>>
>> Because on ext3 you need to add user_xattr to the mount options. Either
>> `mount -o user_xattr` or in fstab in column 4 like this
>>
>> /dev/sdb5 /tmp ext3 user_xattr 0 1
>>
>> Its automatic on ext4. `man mount` for more info. Please let me know
>> if this works for you.
>
> Aha! I was unaware of that mount option. mount(8) documents it, but is
unclear
> on what the default value is. attr(5) says it's needed on ext2, ext3 and
> reiserfs, but says nothing about ext4.
>
> Unfortunately, the machine is in production, and since it works
without that
> option when using the ext4 code to read ext3, I would prefer to leave
it alone
> for now.
>
Would mount -oremount,user_xattr be an option? Or am I missing the point :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJUk8sJAAoJEHLy9B54fW4wGi8H/2eifOOUy8kkJAiUMALvOcUH
aPloeW0ck52Zh0ZZ9qiuXYHJm30E1tNR6ymIihNYY1P8Uiimghv5IbvroMiraTzo
bfjQEMXV/hcwNMsSTFLLNZWs2KDpIn36m/uJNjyUszZ5yUnrJVi4XrC7sMoiCcQb
DrK24IFLrSmgM5+w0IPe35olHFXlJwQrJT/F+IjrMZkfHuWfl/eWVBPPqYsohv48
OaxWWYO33S5M3Vqr1rtCTeWQ2A/+saThewX5aZTtjaA4n8ZIW2khQuidXeUz/2kU
/b8C9BN3ExtwUGHzmWV4W3dQVMdyGkfS/M0doF1TNo8IamfX2QPtKWc02siQ52k=
=7vr7
-----END PGP SIGNATURE-----
Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
james at jtaylor
Dec 18, 2014, 11:00 PM
Post #9 of 16 (5605 views)
Permalink
On 2014/12/19 17:08, Karl-Johan Karlsson wrote:
> On Thu 18 Dec 2014 19.58.11 Anthony G. Basile wrote:
>> On 12/13/14 18:52, Karl-Johan Karlsson wrote:
>>> So it works on ext4, but not ext3, even though both have the ext_attr flag
>>> on disk. Any difference in kernel support?
>>
>> Because on ext3 you need to add user_xattr to the mount options. Either
>> `mount -o user_xattr` or in fstab in column 4 like this
>>
>> /dev/sdb5 /tmp ext3 user_xattr 0 1
>>
>> Its automatic on ext4. `man mount` for more info. Please let me know
>> if this works for you.
>
> Aha! I was unaware of that mount option. mount(8) documents it, but is unclear
> on what the default value is. attr(5) says it's needed on ext2, ext3 and
> reiserfs, but says nothing about ext4.
>
> Unfortunately, the machine is in production, and since it works without that
> option when using the ext4 code to read ext3, I would prefer to leave it alone
> for now.

Would mount -oremount,user_xattr be an option? Or am I missing the point :)

P.S. Sorry for my garbled reply earlier, seems I'd forgotten to set
Enigmail up properly.

Attached Files:

Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
basile at opensource
Dec 19, 2014, 3:12 AM
Post #10 of 16 (5625 views)
Permalink
On 12/19/14 01:51, James Taylor wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 2014/12/19 17:08, Karl-Johan Karlsson wrote:
>> On Thu 18 Dec 2014 19.58.11 Anthony G. Basile wrote:
>>> On 12/13/14 18:52, Karl-Johan Karlsson wrote:
>>>> So it works on ext4, but not ext3, even though both have the
> ext_attr flag
>>>> on disk. Any difference in kernel support?
>>>
>>> Because on ext3 you need to add user_xattr to the mount options. Either
>>> `mount -o user_xattr` or in fstab in column 4 like this
>>>
>>> /dev/sdb5 /tmp ext3 user_xattr 0 1
>>>
>>> Its automatic on ext4. `man mount` for more info. Please let me know
>>> if this works for you.
>>
>> Aha! I was unaware of that mount option. mount(8) documents it, but is
> unclear
>> on what the default value is. attr(5) says it's needed on ext2, ext3 and
>> reiserfs, but says nothing about ext4.
>>
>> Unfortunately, the machine is in production, and since it works
> without that
>> option when using the ext4 code to read ext3, I would prefer to leave
> it alone
>> for now.
>>

> Would mount -oremount,user_xattr be an option? Or am I missing the point :)'


This would probably work.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
creideiki+gentoo-hardened at ferretporn
Dec 19, 2014, 7:53 AM
Post #11 of 16 (5610 views)
Permalink
On Fri 19 Dec 2014 18.00.16 James Taylor wrote:
> On 2014/12/19 17:08, Karl-Johan Karlsson wrote:
> > Unfortunately, the machine is in production, and since it works without
> > that option when using the ext4 code to read ext3, I would prefer to
> > leave it alone for now.
>
> Would mount -oremount,user_xattr be an option? Or am I missing the point :)

The point you are missing is that, as I wrote upthread, I rebooted a week ago
to a kernel that runs ext3 mounts through the ext4 code, which does not
require this mount option. So since it's now working, and this is a rather
critical machine, I'd rather not reboot it again just to check.

--
Karl-Johan Karlsson

Attached Files:

Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
basile at opensource
Dec 21, 2014, 7:39 AM
Post #12 of 16 (5609 views)
Permalink
On 12/19/14 10:53, Karl-Johan Karlsson wrote:
> On Fri 19 Dec 2014 18.00.16 James Taylor wrote:
>> On 2014/12/19 17:08, Karl-Johan Karlsson wrote:
>>> Unfortunately, the machine is in production, and since it works without
>>> that option when using the ext4 code to read ext3, I would prefer to
>>> leave it alone for now.
>>
>> Would mount -oremount,user_xattr be an option? Or am I missing the point :)
>
> The point you are missing is that, as I wrote upthread, I rebooted a week ago
> to a kernel that runs ext3 mounts through the ext4 code, which does not
> require this mount option. So since it's now working, and this is a rather
> critical machine, I'd rather not reboot it again just to check.
>

Can you please test paxmark.sh from commit 84ca1170 and let me know.

Thanks for the report but if its not too much of a bother, can you open
a bug at bugs.gentoo.org next time because it makes it so much easier to
properly track bugs that way. You can always discuss bugs on the list
(or anywhere you can catch me like IRC) but having the report in
bugs.g.o leave behind a historical memory of what we did.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
creideiki+gentoo-hardened at ferretporn
Dec 21, 2014, 9:43 AM
Post #13 of 16 (5610 views)
Permalink
On Sun 21 Dec 2014 10.39.54 Anthony G. Basile wrote:
> Can you please test paxmark.sh from commit 84ca1170 and let me know.

Right now I'm away for Christmas vacation, but I'll take a look at it in
January when I'm back.

> Thanks for the report but if its not too much of a bother, can you open
> a bug at bugs.gentoo.org next time because it makes it so much easier to
> properly track bugs that way. You can always discuss bugs on the list
> (or anywhere you can catch me like IRC) but having the report in
> bugs.g.o leave behind a historical memory of what we did.

Right, sorry. I'm too used to certain other projects, where bug reports like
what I started this thread with would have been immediately rejected for
vagueness.

It's annoying when every project has its own rules and customs for
collaboration and tool use. Why can't everyone standardise? On my preferred
options, naturally :)

--
Karl-Johan Karlsson

Attached Files:

Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
pageexec at freemail
Dec 24, 2014, 1:28 AM
Post #14 of 16 (5591 views)
Permalink
On 18 Dec 2014 at 19:58, Anthony G. Basile wrote:

> > So it works on ext4, but not ext3, even though both have the ext_attr flag on
> > disk. Any difference in kernel support?
> >
>
> Because on ext3 you need to add user_xattr to the mount options. Either
> `mount -o user_xattr` or in fstab in column 4 like this
>
> /dev/sdb5 /tmp ext3 user_xattr 0 1
>
> Its automatic on ext4. `man mount` for more info. Please let me know
> if this works for you. Is that in the Pax_Quickstart? If not we should
> add it.

FYI, we now enable user xattr support on those filesystems where it wasn't
the default before (ext2/ext3/reiser), nouser_xattr still works of course.
Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
pageexec at freemail
Dec 24, 2014, 2:38 AM
Post #15 of 16 (5589 views)
Permalink
On 14 Dec 2014 at 4:18, "Tóth Attila" wrote:

> I've made an observation long before, that although PT_PAX flags are
> properly handled on my systems, the installed binaries and libraries lack
> XATTR_PAX markings.

first, PaX flags don't matter on libraries at all as only the executable
is used to determine the runtime flags. second, lack of xattrs means that
the secure defaults will be used (modulo what other control methods are
in play of course, see below).

> I have both PT and XT present in my make.conf for markings. I was told
> before, that I should rather opt for only one of the two possibilities -
> kernel-option wise and make.conf-marking-selection wise. Kinda both PT and
> XT are not supported at the same time using the current utilities.

what particular issues do you still have?

> Moreover: there is the question if PT marking is present and XATTR is
> missing at the same time: which one takes precedence? I suspect the system
> tries to interpret the missing XATTR, falling back to apply the default
> flags, while paying no attention to the PT flags present. Additionally, I
> haven't mentioned any policy defined PAX flags.

the general rule is that if a marking is missing (either from the kernel
config or the executable) then it won't participate in the decision making
process.

if both marks are present then they must be the same, otherwise the existing
mark will be used as is.

if neither mark exists then defaults will be used whose value depends on
softmode. in practice you'll get secure defaults in !softmode (this hierarchy
was introduced earlier this year, the defaults used to be not secure before
due to compatibility concerns for unmarked binaries, but i finally made the
switch).

for this reason these days you should really only set marks when you actually
want to deviate from the (now) secure defaults.

note that PT_PAX_FLAGS is special in that it's easier to create it at link
time than afterwards, so its presence is ok even if you don't change its
default value (which has always been secure for !softmode).
Re: XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more [ In reply to ]
atoth at atoth
Dec 24, 2014, 11:31 PM
Post #16 of 16 (5585 views)
Permalink
2014.December 24.(Sze) 11:38 időpontban PaX Team ezt írta:
>> I have both PT and XT present in my make.conf for markings. I was told
>> before, that I should rather opt for only one of the two possibilities -
>> kernel-option wise and make.conf-marking-selection wise. Kinda both PT
>> and
>> XT are not supported at the same time using the current utilities.
>
> what particular issues do you still have?

Things evolved, so I should test some combinations again. I missed as the
problems of the past have passed by.

>> Moreover: there is the question if PT marking is present and XATTR is
>> missing at the same time: which one takes precedence? I suspect the
>> system
>> tries to interpret the missing XATTR, falling back to apply the default
>> flags, while paying no attention to the PT flags present. Additionally,
>> I
>> haven't mentioned any policy defined PAX flags.
>
> the general rule is that if a marking is missing (either from the kernel
> config or the executable) then it won't participate in the decision making
> process.
>
> if both marks are present then they must be the same, otherwise the
> existing
> mark will be used as is.
>
> if neither mark exists then defaults will be used whose value depends on
> softmode. in practice you'll get secure defaults in !softmode (this
> hierarchy
> was introduced earlier this year, the defaults used to be not secure
> before
> due to compatibility concerns for unmarked binaries, but i finally made
> the
> switch).
>
> for this reason these days you should really only set marks when you
> actually
> want to deviate from the (now) secure defaults.
>
> note that PT_PAX_FLAGS is special in that it's easier to create it at link
> time than afterwards, so its presence is ok even if you don't change its
> default value (which has always been secure for !softmode).

As of 3.9.2 hardened applies a patch to make EMUTRAMP enabled by default.
I know that it's needed for python to work. The comments of the patch also
talks about the libffi library as a reason.

Thanks for clarifying the situation.

Boldog Karácsonyt:
Dw.

--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal