<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation -- Gentoo Hardened Frequently Asked Questions</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Gentoo Hardened Frequently Asked Questions</h1>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Questions</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
The following is a collection of questions gathered from the #gentoo-hardened IRC
channel and the gentoo-hardened mailing list. As such, it is geared towards
answering quickly and concisely rather than providing a full insight into the
technologies behind Gentoo Hardened. It is advisable to read the rest of the
documentation on the Gentoo Hardened Project page and on the projects' own home
pages in order to get a better insight.
</p>
<p class="secthead">General Questions</p>
<ul>
<li><a href="#toolchain">What exactly is the "toolchain"?</a></li>
<li><a href="#whichisbetter">What should I use: Grsecurity's RBAC or SELinux?</a></li>
<li><a href="#aclall">Is it possible to use Grsecurity, SELinux and PaX all at the same
time?</a></li>
<li><a href="#hardenedcflags">Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on
hardened building?</a></li>
<li><a href="#hardenedcflagsoff">How do I turn off hardened building?</a></li>
<li><a href="#hardenedproject">I just found out about the hardened project; do I have to install
everything on the project page in order to install Hardened Gentoo?</a></li>
<li><a href="#Othreessp">Why don't my programs work when I use CFLAGS="-O3" and hardened
gcc?</a></li>
<li><a href="#hardenedprofile">How do I switch to the hardened profile?</a></li>
<li><a href="#hardeneddebug">How do I debug with gdb?</a></li>
<li><a href="#jitflag">Why is the jit flag disabled in the hardened profile?</a></li>
<li><a href="#enablejit">How do I enable the jit flag?</a></li>
</ul>
<p class="secthead">PaX Questions</p>
<ul>
<li><a href="#paxinformation">Where is the homepage for PaX?</a></li>
<li><a href="#paxgentoodoc">What Gentoo documentation exists about PaX?</a></li>
<li><a href="#paxmarkings">How do PaX markings work?</a></li>
<li><a href="#paxnoelf">I keep getting the message: "error while loading shared libraries: cannot
make segment writable for relocation: Permission denied."  What does this
mean?</a></li>
<li><a href="#paxjavajit">Ever since I started using PaX I can't get Java/JIT code working,
why?</a></li>
<li><a href="#paxbootparams">Can I disable PaX features at boot?</a></li>
</ul>
<p class="secthead">Grsecurity Questions</p>
<ul>
<li><a href="#grsecinformation">Where is the homepage for Grsecurity?</a></li>
<li><a href="#grsecgentoodoc">What Gentoo documentation exists about Grsecurity?</a></li>
<li><a href="#grsectpe">How does TPE work?</a></li>
<li><a href="#grsecnew">Can I use Grsecurity with a recent kernel not on the Gentoo main tree?
</a></li>
</ul>
<p class="secthead">SELinux Questions</p>
<ul><li><a href="#selinuxfaq">Where can I find SELinux related frequently asked questions?</a></li></ul>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>General Questions</p>
<p class="secthead"><a name="toolchain"></a><a name="doc_chap2_sect1">What exactly is the "toolchain"?</a></p>
<p>
The term "toolchain" refers to the combination of software packages commonly
used to build and develop for a particular architecture.  The toolchain you may
hear referred to in the gentoo-hardened IRC channel consists of the GNU Compiler
Collection (GCC), binutils, and the GNU C library (glibc).
</p>
<p class="secthead"><a name="whichisbetter"></a><a name="doc_chap2_sect2">What should I use: Grsecurity's RBAC or SELinux?</a></p>
<p>
The answer to this question is highly subjective and very dependent on your
requirements, so the Hardened Gentoo project simply tries to lay out each
technology and leave the choice up to the user. This decision requires a lot of
research, which we have hopefully provided clearly in the hardened documentation.
However, if you have any specific questions about the security model that each
provides, feel free to ask the relevant developer in our IRC channel or on
the mailing list.
</p>
<p class="secthead"><a name="aclall"></a><a name="doc_chap2_sect3">Is it possible to use Grsecurity, SELinux and PaX all at the same
time?</a></p>
<p>
Yes, this combination is quite possible, as PaX and some of Grsecurity's features
work alongside both Grsecurity's RBAC and SELinux. The only conflict is that you
can use only one access control system (either RBAC or SELinux).
</p>
<p class="secthead"><a name="hardenedcflags"></a><a name="doc_chap2_sect4">Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on
hardened building?</a></p>
<p>
No. The current toolchain applies the equivalent of <span class="code" dir="ltr">CFLAGS="-fPIE
-fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</span>
automatically through GCC's built-in specs, and the proper way to disable them is
through the specfiles. For users of the older hardened-gcc the best approach is
to switch to the hardened profile and then upgrade, following the steps in the
<a href="#hardenedprofile">How do I switch to the hardened profile question</a>.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Manually enabling the hardening flags is not recommended at all.
</p></td></tr></table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Passing a -fno-... flag disables the corresponding feature; also,
-fstack-protector-all and -fstack-protector may interfere with the defaults when
passed directly.
</p></td></tr></table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Gentoo patches its GCCs to allow specfiles to be passed through an environment
variable. Currently several sets of specfiles are installed on Gentoo systems
that allow users on supported architectures to easily switch the toolchain's
hardening functionality on and off. To access the specs as the end user you can
use the <span class="code" dir="ltr">gcc-config</span> utility.
</p></td></tr></table>
<p class="secthead"><a name="hardenedcflagsoff"></a><a name="doc_chap2_sect5">How do I turn off hardened building?</a></p>
<p>
You can use <span class="code" dir="ltr">gcc-config</span> to accomplish this:
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.1: Example gcc-config output</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">gcc-config -l</span>
 [1] x86_64-pc-linux-gnu-4.4.4 *
 [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
 [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp
 [5] x86_64-pc-linux-gnu-4.4.4-vanilla
 
<span class="code-comment">To turn off PIE building switch to the hardenednopie profile:</span>
# <span class="code-input">gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopie</span>
<span class="code-comment">To turn off SSP building switch to the hardenednossp profile:</span>
# <span class="code-input">gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednossp</span>
<span class="code-comment">To turn off SSP and PIE building switch to the hardenednopiessp profile:</span>
# <span class="code-input">gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopiessp</span>
<span class="code-comment">To turn off all hardened building switch to the vanilla profile:</span>
# <span class="code-input">gcc-config x86_64-pc-linux-gnu-4.4.4-vanilla</span>
<span class="code-comment">Run this in each active session so the change takes effect:</span>
# <span class="code-input">source /etc/profile</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
The output above will vary with the gcc version and architecture you use, and
the commands required to disable features will vary accordingly, depending on
the output of the first command.
</p></td></tr></table>
<p>
Alternatively you can achieve the same by changing your CFLAGS:
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
Disabling flags manually is not recommended by the team and is therefore
unsupported; do this at your own risk.
</p></td></tr></table>
<p>
To turn off default SSP building when using the hardened toolchain, append
<span class="code" dir="ltr">-fno-stack-protector</span> to your CFLAGS.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
On gcc 3.4 releases you need to use <span class="code" dir="ltr">-fno-stack-protector-all
-fno-stack-protector</span>
</p></td></tr></table>
<p>
If you want to turn off default PIE building then append <span class="code" dir="ltr">-nopie</span> to your
<span class="code" dir="ltr">CFLAGS</span> and your <span class="code" dir="ltr">LDFLAGS</span> (as LDFLAGS is used without CFLAGS when
gcc is used to link the object files).
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
The flag <span class="code" dir="ltr">-fno-pic</span> should not be used as it will specifically enable
non-PIC code.  Using <span class="code" dir="ltr">-nopie</span> instead will revert back to vanilla GCC
behavior which should be the intended result.
</p></td></tr></table>
<p>
If you want to turn off default now binding append <span class="code" dir="ltr">-z,lazy</span> to your
<span class="code" dir="ltr">LDFLAGS</span>.
</p>
<p>
If you want to turn off default relro binding append <span class="code" dir="ltr">-z,norelro</span> to your
<span class="code" dir="ltr">LDFLAGS</span>.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Relro is the default in binutils, so be sure you really want to disable it
before doing so.
</p></td></tr></table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
If you are interested in using per-package CFLAGS with Portage, you may want to
read about <a href="http://article.gmane.org/gmane.linux.gentoo.hardened/1204">the script
solar has developed to deal with this</a>.
</p></td></tr></table>
<p class="secthead"><a name="hardenedproject"></a><a name="doc_chap2_sect6">I just found out about the hardened project; do I have to install
everything on the project page in order to install Hardened Gentoo?</a></p>
<p>
No, the Hardened Gentoo Project is a collection of subprojects that all have
common security-minded goals. While many of these projects can be installed
alongside one another, some conflict with each other, such as the several access
control implementations that Hardened Gentoo offers.
</p>
<p class="secthead"><a name="Othreessp"></a><a name="doc_chap2_sect7">Why don't my programs work when I use CFLAGS="-O3" and hardened
gcc?</a></p>
<p>
Using the gcc optimization flag <span class="code" dir="ltr">-O3</span> has been known to be problematic with
stack-smashing protector (SSP) and on vanilla builds in some situations. This
optimization flag is not officially supported and is, therefore, discouraged by
the hardened team. Compile issues where a user uses <span class="code" dir="ltr">CFLAGS="-O3"</span> may be
closed as INVALID/CANTFIX and/or ignored.
</p>
<p class="secthead"><a name="hardenedprofile"></a><a name="doc_chap2_sect8">How do I switch to the hardened profile?</a></p>
<p>
To change your profile use eselect to choose it.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Reading part 1 chapter 6 "Installing the Gentoo Base System" of the
<a href="http://www.gentoo.org/doc/en/handbook/">Gentoo Handbook</a> is recommended for more
detailed instructions on how to change your profile.
</p></td></tr></table>
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.2: Set make.profile</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">eselect profile list</span>
[1]   default/linux/amd64/10.0
[2]   default/linux/amd64/10.0/desktop
[3]   default/linux/amd64/10.0/desktop/gnome *
[4]   default/linux/amd64/10.0/desktop/kde
[5]   default/linux/amd64/10.0/developer
[6]   default/linux/amd64/10.0/no-multilib
[7]   default/linux/amd64/10.0/server
[8]   hardened/linux/amd64
[9]   hardened/linux/amd64/no-multilib
[10]  selinux/2007.0/amd64
[11]  selinux/2007.0/amd64/hardened
[12]  selinux/v2refpolicy/amd64
[13]  selinux/v2refpolicy/amd64/desktop
[14]  selinux/v2refpolicy/amd64/developer
[15]  selinux/v2refpolicy/amd64/hardened
[16]  selinux/v2refpolicy/amd64/server
# <span class="code-input">eselect profile set 8</span> <span class="code-comment">(replace 8 with the desired hardened profile)</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
The output above will vary with the architecture you use, and the command
required to choose the profile will vary accordingly, depending on the output of
the first command.
</p></td></tr></table>
<p>
After setting up your profile, you should recompile your system using a hardened
toolchain so that you have a consistent base:
</p>
<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.3: Switch to hardened toolchain</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">emerge --oneshot binutils gcc virtual/libc</span>
<span class="code-comment">Make sure the hardened toolchain is being used (gcc version may vary):</span>
# <span class="code-input">gcc-config -l</span>
 [1] x86_64-pc-linux-gnu-4.4.4 *
 [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
 [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp
 [5] x86_64-pc-linux-gnu-4.4.4-vanilla
<span class="code-comment">If the hardened version isn't selected, select it:</span>
# <span class="code-input">gcc-config x86_64-pc-linux-gnu-4.4.4</span>
# <span class="code-input">source /etc/profile</span>
<span class="code-comment">Then rebuild the system with the hardened toolchain:</span>
# <span class="code-input">emerge -e --keep-going system</span>
# <span class="code-input">emerge -e --keep-going world</span>
</pre></td></tr>
</table>
<p>
The <span class="code" dir="ltr">--keep-going</span> option is added so that emerge does not stop if a
package fails to build.
</p>
<p class="secthead"><a name="hardeneddebug"></a><a name="doc_chap2_sect9">How do I debug with gdb?</a></p>
<p>
We have written a <a href="hardened-debugging.html">document
on how to debug with Gentoo Hardened</a>, so following the recommendations
there should fix your problem.
</p>
<p class="secthead"><a name="jitflag"></a><a name="doc_chap2_sect10">Why is the jit flag disabled in the hardened profile?</a></p>
<p>
JIT means Just In Time compilation and consists of taking code meant to be
interpreted (like Java bytecode or JavaScript code), compiling it into native
binary code in memory and then executing the compiled code. This means that the
program needs a section of memory with both write and execute permissions, so
that it can write and then execute the code; PaX denies this unless the mprotect
flag is unset for the executable. As a result, we disabled the jit USE flag by
default to avoid complaints and security problems.
</p>
<p>
You should bear in mind that having a section which is written and then executed
can be a serious security problem: an attacker only needs to exploit a bug
between the write and execute stages to write into that section in order to
execute any code they want.
</p>
<p class="secthead"><a name="enablejit"></a><a name="doc_chap2_sect11">How do I enable the jit flag?</a></p>
<p>
If you need it, we recommend enabling the flag on a per-package basis using
<span class="code" dir="ltr">/etc/portage/package.use</span>:
</p>
<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.4: Example /etc/portage/package.use enabling JIT in some libraries</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
x11-libs/qt-core jit
x11-libs/qt-script jit
x11-libs/qt-webkit jit
</pre></td></tr>
</table>
<p>
Alternatively, you can enable the USE flag globally using <span class="code" dir="ltr">/etc/make.conf</span>:
</p>
<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.5: Example /etc/make.conf with JIT enabled</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native"
CXXFLAGS="${CFLAGS}"
# WARNING: Changing your CHOST is not something that should be done lightly.
# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing.
CHOST="x86_64-pc-linux-gnu"
# These are the USE flags that were used in addition to what is provided by the
# profile used for building.
<span class="code-comment"># If you have more USE flags, adding jit to the end should suffice</span>
USE="jit"

MAKEOPTS="-j2"

GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/"

SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
Remember that if you enable JIT code on PaX you may need to disable mprotect on
the binaries using such code, either directly or through libraries. Check
the <a href="#paxjavajit">PaX question on Java and JIT</a> to see how to do this.
</p></td></tr></table>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>PaX Questions</p>
<p class="secthead"><a name="paxinformation"></a><a name="doc_chap3_sect1">Where is the homepage for PaX?</a></p>
<p>
That is <a href="http://pax.grsecurity.net">the homepage for PaX</a>.
</p>
<p class="secthead"><a name="paxgentoodoc"></a><a name="doc_chap3_sect2">What Gentoo documentation exists about PaX?</a></p>
<p>
Currently the only Gentoo documentation that exists about PaX is a <a href="pax-quickstart.html"> PaX quickstart guide</a>.
</p>
<p class="secthead"><a name="paxmarkings"></a><a name="doc_chap3_sect3">How do PaX markings work?</a></p>
<p>
PaX markings are a way to tell PaX which features it should enable (or disable)
for a certain binary.
</p>
<p>
Features can either be enabled, disabled or not set. Enabling or disabling them
supersedes the kernel's choice, so a binary with a feature enabled will always
use the feature and one with a feature disabled will never use it.
</p>
<p>
When the feature status is not set the kernel chooses whether to enable or
disable it. By default the hardened kernel enables those features, with only
two exceptions: when the feature is not supported by the architecture/kernel, or
when PaX is running in Soft Mode. In those two cases it will be disabled.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
To use Soft Mode, your kernel must have that feature enabled, and you turn it on
either by passing <span class="code" dir="ltr">pax_softmode=1</span> on the kernel command line
or by setting <span class="code" dir="ltr">/proc/sys/kernel/pax/softmode</span> to 1.
</p></td></tr></table>
<p class="secthead"><a name="paxnoelf"></a><a name="doc_chap3_sect4">I keep getting the message: "error while loading shared libraries: cannot
make segment writable for relocation: Permission denied."  What does this
mean?</a></p>
<p>
Text relocations are the way references in executable code to addresses not
known at link time are resolved. Basically, the loader writes the appropriate
address at runtime, marking the code segment writable in order to patch the
address and then marking it read-only again. This can be a problem, as an
attacker could try to exploit a bug while the text relocation happens in order
to write arbitrary code into the text segment, where it would be executed. As
this also means that the code is loaded at fixed addresses (it is not position
independent), it can also be exploited to bypass the randomization features
provided by PaX.</p>
<p>
As this can be triggered, for example, by adding a library with text
relocations to those loaded by the executable, PaX offers the option
CONFIG_PAX_NOELFRELOCS in order to avoid them. This option is enabled like this:
</p>
<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.1: Menuconfig Options</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-&gt; Security options
  -&gt; PaX
    -&gt; Enable various PaX features
      -&gt; Non-executable pages
        [*] Restrict mprotect()
        [*]   Allow ELF text relocations
</pre></td></tr>
</table>
<p>
If you are using the Gentoo hardened toolchain, compiling your programs will
typically create PIC ELF libraries that do not contain text relocations.
However, certain libraries still contain text relocations for various reasons
(often ones containing assembly that is handled incorrectly). This can be a
security vulnerability, as an attacker can abuse non-PIC libraries to execute
shellcode. Non-PIC libraries are also bad for memory consumption, as they defeat
the code-sharing purpose of shared libraries.
</p>
<p>
To get rid of this error and allow your program to run, you must sacrifice
security and allow runtime code generation for that program. The PaX feature
that prevents runtime code generation is called MPROTECT, so you must disable
MPROTECT on whichever executable uses the non-PIC library.
</p>
<p>
To check your system for textrels, you can use the program <span class="code" dir="ltr">scanelf</span> from
<span class="code" dir="ltr">app-misc/pax-utils</span>. For information on how to use the <span class="code" dir="ltr">pax-utils</span>
package please consult the <a href="pax-utils.html">Gentoo 
PaX Utilities Guide</a>.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Recent versions of <span class="code" dir="ltr">sys-apps/portage</span> (&gt;=2.0.53) scan for text relocations
and print a warning or even abort the merge process, depending on the
<span class="code" dir="ltr">FEATURES</span> you have set in your <span class="path" dir="ltr">/etc/make.conf</span>.
</p></td></tr></table>
<p class="secthead"><a name="paxjavajit"></a><a name="doc_chap3_sect5">Ever since I started using PaX I can't get Java/JIT code working,
why?</a></p>
<p>
As part of its design, the Java virtual machine generates a considerable amount
of code at runtime, which PaX does not like. Although with current versions of
portage and java, portage marks the binaries automatically, you still need to
enable PaX marking in the kernel so PaX can make an exception for them, and
have paxctl installed so the markings can be applied to the binaries (and
re-emerge them so they are applied).
</p>
<p>
This of course is not done for every package that links against libraries with
JIT code, so if it is not, there are two ways to correct the problem:
</p>
<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.2: Enable the marking on your kernel</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-&gt; Security options
  -&gt; PaX
    -&gt; Enable various PaX features
      -&gt; PaX Control
        [*] Use ELF program header marking
</pre></td></tr>
</table>
<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.3: Install paxctl</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">emerge paxctl</span>
</pre></td></tr>
</table>
<p>
When you already have <span class="code" dir="ltr">paxctl</span> emerged you can do:
</p>
<a name="doc_chap3_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.4: Disable PaX for the binary</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">paxctl -pemrxs /path/to/binary</span>
</pre></td></tr>
</table>
<p>
This command slightly modifies the ELF header of the binary in order to set the
PaX flags on it correctly.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
If you are running PaX in conjunction with an additional security implementation
such as Grsecurity's RBAC or SELinux, you should manage PaX using the kernel
hooks provided by that implementation.
</p></td></tr></table>
<p>
The other way is to use your security implementation to do this through its
kernel hooks.
</p>
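<p>
To make the marking rules from the "How do PaX markings work?" question and the <span class="code" dir="ltr">paxctl -pemrxs</span> listing above concrete, the script below (an added example, not from the FAQ or from paxctl itself) models how paxctl's option letters set the enable/disable bit pair of each feature in the PT_PAX_FLAGS program header, and how the kernel resolves a feature that is left unmarked. The bit positions are assumed from PaX's ELF definitions.
</p>

```shell
#!/bin/sh
# Added example, not from the Gentoo FAQ or the PaX project. It models the
# tri-state markings described in the FAQ: each PaX feature has an "enable" bit
# and a "disable" bit in the PT_PAX_FLAGS program header (assumed layout,
# taken from PaX's ELF definitions: PAGEEXEC 1<<4/1<<5, SEGMEXEC 1<<6/1<<7,
# MPROTECT 1<<8/1<<9, RANDEXEC 1<<10/1<<11, EMUTRAMP 1<<12/1<<13,
# RANDMMAP 1<<14/1<<15). Neither bit set means "not set": the kernel decides.

# paxctl option letters: lowercase disables a feature, uppercase enables it,
# which is why "paxctl -pemrxs" turns all six features off for a binary.
pax_feature_of() {
    case "$1" in
        p|P) echo PAGEEXEC ;;  s|S) echo SEGMEXEC ;;  m|M) echo MPROTECT ;;
        x|X) echo RANDEXEC ;;  e|E) echo EMUTRAMP ;;  r|R) echo RANDMMAP ;;
        *) return 1 ;;
    esac
}

# Bit position of a feature's "enable" flag; the "disable" flag is one higher.
pax_on_bit() {
    case "$1" in
        PAGEEXEC) echo 4 ;;  SEGMEXEC) echo 6 ;;   MPROTECT) echo 8 ;;
        RANDEXEC) echo 10 ;; EMUTRAMP) echo 12 ;;  RANDMMAP) echo 14 ;;
        *) return 1 ;;
    esac
}

# Compute the p_flags value that a paxctl option string (e.g. "-pemrxs")
# would leave in the header, starting from "nothing set". Prints it in hex.
pax_flags_from_opts() {
    opts=${1#-}; flags=0
    while [ -n "$opts" ]; do
        rest=${opts#?}; c=${opts%"$rest"}; opts=$rest
        feat=$(pax_feature_of "$c") || return 1
        bit=$(pax_on_bit "$feat")
        case "$c" in
            p|s|m|x|e|r) flags=$(( (flags & ~(1 << bit)) | (1 << (bit + 1)) )) ;;  # disable
            *)           flags=$(( (flags & ~(1 << (bit + 1))) | (1 << bit) )) ;;  # enable
        esac
    done
    printf '0x%x\n' "$flags"
}

# Read one feature's marking out of a p_flags value: $1 feature, $2 p_flags.
pax_marking() {
    bit=$(pax_on_bit "$1") || return 1
    f=$(( $2 ))
    on=$(( (f >> bit) & 1 )); no=$(( (f >> (bit + 1)) & 1 ))
    if [ "$on" -eq 1 ] && [ "$no" -eq 1 ]; then echo conflict
    elif [ "$on" -eq 1 ]; then echo enabled
    elif [ "$no" -eq 1 ]; then echo disabled
    else echo notset
    fi
}

# Resolve the effective state the FAQ describes: an explicit marking always
# wins; "not set" is on by default, except when the architecture/kernel
# lacks the feature or PaX runs in soft mode.
#   $1 marking  $2 softmode (0/1)  $3 feature supported by arch/kernel (0/1)
pax_effective() {
    case "$1" in
        enabled)  echo on ;;
        disabled) echo off ;;
        *) if [ "$2" -eq 0 ] && [ "$3" -eq 1 ]; then echo on; else echo off; fi ;;
    esac
}

# One line per feature: marking and effective state for the given p_flags.
#   $1 p_flags  $2 softmode  $3 supported
pax_report() {
    for feat in PAGEEXEC SEGMEXEC MPROTECT RANDEXEC EMUTRAMP RANDMMAP; do
        m=$(pax_marking "$feat" "$1")
        printf '%-9s marking=%-8s effective=%s\n' "$feat" "$m" "$(pax_effective "$m" "$2" "$3")"
    done
}

# Demo: an unmarked binary on a normal hardened kernel, the same binary after
# "paxctl -m" (MPROTECT disabled so JIT code can run), then in soft mode.
echo "unmarked, softmode=0:";         pax_report 0x0 0 1
echo "after paxctl -m, softmode=0:";  pax_report "$(pax_flags_from_opts -m)" 0 1
echo "unmarked, softmode=1:";         pax_report 0x0 1 1
```

Note that only MPROTECT changes in the second report: disabling one feature for a JIT binary does not give up PAGEEXEC or RANDMMAP, which is why the per-feature form of paxctl is preferable to the blanket <span class="code" dir="ltr">-pemrxs</span>.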
<p class="secthead"><a name="paxbootparams"></a><a name="doc_chap3_sect6">Can I disable PaX features at boot?</a></p>
<p>
Although this is not advised except to rescue the system or for debugging
purposes, it is possible to change a few of PaX's behaviours at boot via the
kernel command line.
</p>
<p>
Passing <span class="code" dir="ltr">pax_nouderef</span> on the kernel command line disables UDEREF,
which can cause problems in certain virtualization environments and occasionally
trigger bugs, at the expense of leaving the kernel unprotected against unwanted
userspace dereferences.
</p>
<p>
Passing <span class="code" dir="ltr">pax_softmode=1</span> on the kernel command line enables soft mode,
which can be useful when booting an unprepared system with a PaX kernel. In
soft mode PaX disables most features by default unless told otherwise via
the markings. In the same way, <span class="code" dir="ltr">pax_softmode=0</span> disables soft mode
if it was enabled in the kernel config.
</p>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
            </span>Grsecurity Questions</p>
<p class="secthead"><a name="grsecinformation"></a><a name="doc_chap4_sect1">Where is the homepage for Grsecurity?</a></p>
<p>
That is the <a href="http://www.grsecurity.net">homepage for Grsecurity</a>.
</p>
<p class="secthead"><a name="grsecgentoodoc"></a><a name="doc_chap4_sect2">What Gentoo documentation exists about Grsecurity?</a></p>
<p>
The most current documentation for Grsecurity is a <a href="grsecurity.html">Grsecurity2 quickstart guide</a>.
</p>
<p class="secthead"><a name="grsectpe"></a><a name="doc_chap4_sect3">How does TPE work?</a></p>
<p>
We have written a <a href="grsec-tpe.html">document with some
information on how TPE works in the different settings</a>.
</p>
<p class="secthead"><a name="grsecnew"></a><a name="doc_chap4_sect4">Can I use Grsecurity with a recent kernel not on the Gentoo main tree?
</a></p>
<p>
Usually we release a new version of hardened-sources not long after a new
PaX/Grsecurity patch is released, so the best option is just to wait a bit for
the kernel team to adapt the patches and then to test them. Remember that we
won't support kernel sources not coming from the portage tree.
</p>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
            </span>SELinux Questions</p>
<p class="secthead"><a name="selinuxfaq"></a><a name="doc_chap5_sect1">Where can I find SELinux related frequently asked questions?</a></p>
<p>
There is an <a href="selinux-faq.html">SELinux-specific FAQ</a>.
</p>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-3-27</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
the gentoo-hardened mailing list.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  Adam Mondl
<br><i>Author</i><br><br>
  <a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
<br><i>Contributor</i><br><br>
  <a href="mailto:kang@insecure.ws" class="altlink"><b>Guillaume Destuynder</b></a>
<br><i>Contributor</i><br><br>
  <a href="mailto:pageexec@freemail.hu" class="altlink"><b>The PaX Team</b></a>
<br><i>Contributor</i><br><br>
  <a href="mailto:klondike@xiscosoft.es" class="altlink"><b>klondike</b></a>
<br><i>Contributor</i><br><br>
  <a href="mailto:zorry@gentoo.org" class="altlink"><b>Magnus Granberg</b></a>
<br><i>Contributor</i><br><br>
  <a href="mailto:blueness@gentoo.org" class="altlink"><b>Anthony G. Basile</b></a>
<br><i>Contributor</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>