FS#33149 - [ruby] Set PaX flags after installation.
Attached to Project:
Arch Linux
Opened by henning mueller (phects) - Friday, 21 December 2012, 11:30 GMT
Last edited by Thomas Dziedzic (tomd123) - Sunday, 30 December 2012, 01:15 GMT
Opened by henning mueller (phects) - Friday, 21 December 2012, 11:30 GMT
Last edited by Thomas Dziedzic (tomd123) - Sunday, 30 December 2012, 01:15 GMT
|
Details
Description:
On kernels patched with grsecurity (which includes PaX patches), a program can not execute parts of memory as code easily, which were written by the program itself. PaX calls this MPROTECT. Some executables, however, need to do this. For this case, PaX flags are deactivatable through an alternative elf header. Binaries with this header do run seamlessly on systems without grsecurity. In gentoo, for example, the PaX flags are stored in the packages themselves and are set after a package installation on a hardened kernel. For Arch Linux I'm maintaining PaX flags for various binaries in an extra package. Currently the script which sets this flags is written in Shellscript. I did a ruby rewrite but this ends up in the chicken or the egg dilemma. The ruby script to set flags can not be run, because flags have to be set on the ruby binary. So I wondered, if the .install file of the ruby PKGBUILD could set MPROTECT off for the ruby binary, if the "paxctl" utility for setting PaX flags exists on the system. The post_install() und post_upgrade() functions for example could look like this: mprotect_off() { [ -x "$(which paxctl)" ] && paxctl -cm /usr/bin/ruby # Or simply: paxctl -cm /usr/bin/ruby 2>/dev/null } post_install() { mprotect_off print_gem_default_target } post_upgrade() { mprotect_off if [ "$(vercmp $2 1.9.3_p125-4)" -lt 0 ]; then print_gem_default_target fi } Additional info: This problem is not version specific. (In an older version of ruby, setting MPROTECT off was not neccessary unless for example a JavaScript engine (like V8) had to be used.) General information about grsecurity: http://en.wikipedia.org/wiki/Grsecurity General information about PaX: http://en.wikipedia.org/wiki/PaX More info on MPROTECT: http://en.wikipedia.org/wiki/PaX#Restricted_mprotect.28.29 |
This task depends upon
Closed by Thomas Dziedzic (tomd123)
Sunday, 30 December 2012, 01:15 GMT
Reason for closing: Won't implement
Additional comments about closing: op is happy with the current state
Sunday, 30 December 2012, 01:15 GMT
Reason for closing: Won't implement
Additional comments about closing: op is happy with the current state
Can you point out the logic where gentoo or any other distro disables this flag for ruby?
I tried but had no luck searching the official packages for fedora and gentoo.
Also, I tried googling the need to turn off the mprotect flag off on ruby and found nothing except the one link you mentioned which was needed for including v8:
https://github.com/cowboyd/therubyracer/issues/118
Essentially, I'm asking for any sort of references.
Since I don't use the grsecurity kernel I can't test any of this.
When the ruby binary has a PaX header with MPROTECT on, it does not work. If it has a PT_GNU_STACK, it works despite the fact, that MPROTECT should be turned on by default.
For V8 it still will be neccessary to turn off MPROTECT on the ruby binary but the linux-pax-flags script can take care of that.
So I'm happy with this, the issue could be closed for all I care. Thanks for looking into this!
The gentoo folks do not change PaX flags for ruby but an example for a PKGBUILD with changed PaX flags would be firefox (especially look at line 291):
http://gentoo-portage.com/AJAX/Ebuild/406725/View