author: klondike <klondike@xiscosoft.es> 2012-04-28 21:22:04 +0200
committer: klondike <klondike@xiscosoft.es> 2012-04-28 21:22:04 +0200
commit: f756acec0e3a45939cc506f996bb2bfd71c0bfa4
tree: ab63ddff64069af63e53cfdba54448c94c3795c6
parent: Update previews
Fix bug #413289
-rw-r--r-- xml/hardened-debugging.xml   12
-rw-r--r-- xml/revdep-pax.xml          616
2 files changed, 43 insertions, 585 deletions
diff --git a/xml/hardened-debugging.xml b/xml/hardened-debugging.xml
index 21a0fc9..0a648a9 100644
--- a/xml/hardened-debugging.xml
+++ b/xml/hardened-debugging.xml
@@ -5,7 +5,7 @@
<guide link="/proj/en/hardened/hardenedfaq.xml" lang="en">
<title>Gentoo Hardened debugging</title>
<author title="Author">
- <mail link="klondike@xiscosoft.es">klondike</mail>
+ <mail link="klondike"/>
</author>
<author title="Contributor">
<!-- Via bugs #341889 and 265693 -->
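Review bot: the replacement `<mail link="klondike"/>` drops the explicit address `klondike@xiscosoft.es` and relies on the GuideXML stylesheet expanding the bare nick `klondike` into a name and address; since the address being removed is not a gentoo.org one, confirm that the expanded form resolves to the intended contact, or keep the explicit `<mail link="klondike@xiscosoft.es">klondike</mail>`.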
@@ -21,8 +21,8 @@ hardened kernel and toolcahin with PaX/Grsec, PIE and SSP.
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>
-<version>1.0</version>
-<date>2010-10-26</date>
+<version>2</version>
+<date>2012-04-28</date>
<chapter>
<title>Solving the '??' issue.</title>
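Review bot: the hunk header context `hardened kernel and toolcahin with PaX/Grsec, PIE and SSP.` carries a typo (`toolcahin` for `toolchain`) in the guide's abstract; since this change already bumps `<version>` and `<date>`, fix it in the same commit. Also, the version moves from the dotted `1.0` to a bare `2`; if the other hardened guides keep dotted versions, `2.0` would be the consistent choice.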
@@ -214,10 +214,12 @@ available breakpoints.
<p>
After debugging you may want to restore the system to its normal state, if you
used <c>paxctl</c> you can reset the flags to default using the <c>-z</c> flag.
+Since the -z flags will zero all the flags also want to keep trampoline
+emulation disabled. This is done with the <c>-e</c> flag.
</p>
-<pre caption="Reseting the flags back to its defaults.">
-# <i>paxctl -z binary</i>
+<pre caption="Reseting the flags back to its defaults. Keep trampoline emulation disabled">
+# <i>paxctl -ze binary</i>
</pre>
</body>
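Review bot: the added sentence `Since the -z flags will zero all the flags also want to keep trampoline emulation disabled.` has no subject and reads as a fragment; suggest `Since the <c>-z</c> flag zeroes all the flags, you will also want to keep trampoline emulation disabled.`, which also wraps `-z` in `<c>` the way `-e` is wrapped on the next line. The caption misspells `Reseting` (`Resetting`) in both the removed and the added line, and the new caption would be clearer if it stated the point the paragraph makes, namely that `paxctl -ze` resets the marks while explicitly leaving trampoline emulation off.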
diff --git a/xml/revdep-pax.xml b/xml/revdep-pax.xml
index ba9f822..cbf3181 100644
--- a/xml/revdep-pax.xml
+++ b/xml/revdep-pax.xml
@@ -23,7 +23,10 @@ requiring RWX memory in order to process JIT code.
<date>2012-02-19</date>
<chapter>
-<title>What's <c>revdep-pax</c> about?</title>
+<title>What's revdep-pax about?</title>
+
+<section>
+<body>
<p by="Geroge Orwell">
Since the early days of PaX it was known that all programs were equal although
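Review bot: the context line `<p by="Geroge Orwell">` misspells the name (`George Orwell`); as this hunk already inserts the `<section>` and `<body>` directly above it, fix the attribute in the same change. The new section has no `<title>`; if an untitled lead-in section is intentional it matches the same construction added later in the `Using revdep-pax` chapter, otherwise give it one.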
@@ -33,6 +36,9 @@ allowing system administrators and users telling the system which binaries
needed this lessened environment the PaX marks were created.
</p>
+</body>
+</section>
+
<section>
<title>A quick introduction to PaX markings.</title>
<body>
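Review bot: the context line `allowing system administrators and users telling the system which binaries` is ungrammatical (`telling` should be `to tell`); since this hunk closes the same paragraph with the new `</body>` and `</section>`, the wording fix belongs here too.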
@@ -106,7 +112,7 @@ called. In order to solve this issue we have created <c>revdep-pax</c>.
</body>
</section>
<section>
-<title>What's <c>revdep-pax</c>?</title>
+<title>What's revdep-pax?</title>
<body>
<p>
@@ -134,7 +140,10 @@ libraries linked by an object and backwards to the objects linked by a library.
</chapter>
<chapter>
-<title>Using <c>revdep-pax</c></title>
+<title>Using revdep-pax</title>
+
+<section>
+<body>
<p by="The Emperor">
In order to witness the firepower of this fully ARMED and OPERATIONAL tool
@@ -142,6 +151,9 @@ you'll first need to learn how to use it, once you are done, you'll be
able to fire at will.
</p>
+</body>
+</section>
+
<section>
<title>Propagating PaX marks backwards from a library to objects that link at it
</title>
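Review bot: the context title `Propagating PaX marks backwards from a library to objects that link at it` would read better as `objects that link to it`; this hunk inserts the closing `</body>` and `</section>` immediately above that title, so the fix fits in the same change.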
@@ -149,592 +161,36 @@ able to fire at will.
<p>
This is going to be probably the main way in which you are going to use this
-utility. What it does is check all the libraries linked statically
-The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
-With this application you can print out information specific to the ELF
-structure of a binary. The following table sums up the various options.
-</p>
-
-<table>
-<tr>
- <th>Option</th>
- <th>Long Option</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>-p</ti>
- <ti>--path</ti>
- <ti>Scan all directories in PATH environment</ti>
-</tr>
-<tr>
- <ti>-l</ti>
- <ti>--ldpath</ti>
- <ti>Scan all directories in /etc/ld.so.conf</ti>
-</tr>
-<tr>
- <ti>-R</ti>
- <ti>--recursive</ti>
- <ti>Scan directories recursively</ti>
-</tr>
-<tr>
- <ti>-m</ti>
- <ti>--mount</ti>
- <ti>Don't recursively cross mount points</ti>
-</tr>
-<tr>
- <ti>-y</ti>
- <ti>--symlink</ti>
- <ti>Don't scan symlinks</ti>
-</tr>
-<tr>
- <ti>-A</ti>
- <ti>--archives</ti>
- <ti>Scan archives (.a files)</ti>
-</tr>
-<tr>
- <ti>-L</ti>
- <ti>--ldcache</ti>
- <ti>Utilize ld.so.cache information (use with -r/-n)</ti>
-</tr>
-<tr>
- <ti>-X</ti>
- <ti>--fix</ti>
- <ti>Try and 'fix' bad things (use with -r/-e)</ti>
-</tr>
-<tr>
- <ti>-z [arg]</ti>
- <ti>--setpax [arg]</ti>
- <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti>
-</tr>
-<tr>
- <th>Option</th>
- <th>Long Option</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>-x</ti>
- <ti>--pax</ti>
- <ti>Print PaX markings</ti>
-</tr>
-<tr>
- <ti>-e</ti>
- <ti>--header</ti>
- <ti>Print GNU_STACK/PT_LOAD markings</ti>
-</tr>
-<tr>
- <ti>-t</ti>
- <ti>--textrel</ti>
- <ti>Print TEXTREL information</ti>
-</tr>
-<tr>
- <ti>-r</ti>
- <ti>--rpath</ti>
- <ti>Print RPATH information</ti>
-</tr>
-<tr>
- <ti>-n</ti>
- <ti>--needed</ti>
- <ti>Print NEEDED information</ti>
-</tr>
-<tr>
- <ti>-i</ti>
- <ti>--interp</ti>
- <ti>Print INTERP information</ti>
-</tr>
-<tr>
- <ti>-b</ti>
- <ti>--bind</ti>
- <ti>Print BIND information</ti>
-</tr>
-<tr>
- <ti>-S</ti>
- <ti>--soname</ti>
- <ti>Print SONAME information</ti>
-</tr>
-<tr>
- <ti>-s [arg]</ti>
- <ti>--symbol [arg]</ti>
- <ti>Find a specified symbol</ti>
-</tr>
-<tr>
- <ti>-k [arg]</ti>
- <ti>--section [arg]</ti>
- <ti>Find a specified section</ti>
-</tr>
-<tr>
- <ti>-N [arg]</ti>
- <ti>--lib [arg]</ti>
- <ti>Find a specified library</ti>
-</tr>
-<tr>
- <ti>-g</ti>
- <ti>--gmatch</ti>
- <ti>Use strncmp to match libraries. (use with -N)</ti>
-</tr>
-<tr>
- <ti>-T</ti>
- <ti>--textrels</ti>
- <ti>Locate cause of TEXTREL</ti>
-</tr>
-<tr>
- <ti>-E [arg]</ti>
- <ti>--etype [arg]</ti>
- <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti>
-</tr>
-<tr>
- <ti>-M [arg]</ti>
- <ti>--bits [arg]</ti>
- <ti>Print only ELF files matching numeric bits</ti>
-</tr>
-<tr>
- <ti>-a</ti>
- <ti>--all</ti>
- <ti>Print all scanned info (-x -e -t -r -b)</ti>
-</tr>
-<tr>
- <th>Option</th>
- <th>Long Option</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>-q</ti>
- <ti>--quiet</ti>
- <ti>Only output 'bad' things</ti>
-</tr>
-<tr>
- <ti>-v</ti>
- <ti>--verbose</ti>
- <ti>Be verbose (can be specified more than once)</ti>
-</tr>
-<tr>
- <ti>-F [arg]</ti>
- <ti>--format [arg]</ti>
- <ti>Use specified format for output</ti>
-</tr>
-<tr>
- <ti>-f [arg]</ti>
- <ti>--from [arg]</ti>
- <ti>Read input stream from a filename</ti>
-</tr>
-<tr>
- <ti>-o [arg]</ti>
- <ti>--file [arg]</ti>
- <ti>Write output stream to a filename</ti>
-</tr>
-<tr>
- <ti>-B</ti>
- <ti>--nobanner</ti>
- <ti>Don't display the header</ti>
-</tr>
-<tr>
- <ti>-h</ti>
- <ti>--help</ti>
- <ti>Print this help and exit</ti>
-</tr>
-<tr>
- <ti>-V</ti>
- <ti>--version</ti>
- <ti>Print version and exit</ti>
-</tr>
-</table>
-
-<p>
-The format specifiers for the <c>-F</c> option are given in the following table.
-Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accordingly.
-</p>
-
-<table>
-<tr>
- <th>Specifier</th>
- <th>Full Name</th>
- <th>Specifier</th>
- <th>Full Name</th>
-</tr>
-<tr>
- <ti>F</ti>
- <ti>Filename</ti>
- <ti>x</ti>
- <ti>PaX Flags</ti>
-</tr>
-<tr>
- <ti>e</ti>
- <ti>STACK/RELRO</ti>
- <ti>t</ti>
- <ti>TEXTREL</ti>
-</tr>
-<tr>
- <ti>r</ti>
- <ti>RPATH</ti>
- <ti>n</ti>
- <ti>NEEDED</ti>
-</tr>
-<tr>
- <ti>i</ti>
- <ti>INTERP</ti>
- <ti>b</ti>
- <ti>BIND</ti>
-</tr>
-<tr>
- <ti>s</ti>
- <ti>Symbol</ti>
- <ti>N</ti>
- <ti>Library</ti>
-</tr>
-<tr>
- <ti>o</ti>
- <ti>Type</ti>
- <ti>p</ti>
- <ti>File name</ti>
-</tr>
-<tr>
- <ti>f</ti>
- <ti>Base file name</ti>
- <ti>k</ti>
- <ti>Section</ti>
-</tr>
-<tr>
- <ti>a</ti>
- <ti>ARCH/e_machine</ti>
- <ti>&nbsp;</ti>
- <ti>&nbsp;</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Using scanelf for Text Relocations</title>
-<body>
-
-<p>
-As an example, we will use <c>scanelf</c> to find binaries containing text
-relocations.
-</p>
-
-<p>
-A relocation is an operation that rewrites an address in a loaded segment. Such
-an address rewrite can happen when a segment has references to a shared object
-and that shared object is loaded in memory. In this case, the references are
-substituted with the real address values. Similar events can occur inside the
-shared object itself.
-</p>
-
-<p>
-A text relocation is a relocation in the text segment. Since text segments
-contain executable code, system administrators might prefer not to have these
-segments writable. This is perfectly possible, but since text relocations
-actually write in the text segment, it is not always feasible.
-</p>
-
-<p>
-If you want to eliminate text relocations, you will need to make sure
-that the application and shared object is built with <e>Position Independent
-Code</e> (PIC), making references obsolete. This not only increases security,
-but also increases the performance in case of shared objects (allowing writes in
-the text segment requires a swap space reservation and a private copy of the
-shared object for each application that uses it).
-</p>
-
-<p>
-The following example will search your library paths recursively, without
-leaving the mounted file system and ignoring symbolic links, for any ELF binary
-containing a text relocation:
-</p>
-
-<pre caption="Scanning the system for text relocation binaries">
-# <i>scanelf -lqtmyR</i>
-</pre>
-
-<p>
-If you want to scan your entire system for <e>any</e> file containing text
-relocations:
-</p>
-
-<pre caption="Scanning the entire system for text relocation files">
-# <i>scanelf -qtmyR /</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Using scanelf for Specific Header</title>
-<body>
-
-<p>
-The scanelf util can be used to quickly identify files that contain a
-given section header using the -k .section option.
-</p>
-
-<p>
-In this example we are looking for all files in /usr/lib/debug
-recursively using a format modifier with quiet mode enabled that have been
-stripped. A stripped elf will lack a .symtab entry, so we use the '!'
-to invert the matching logic.
-</p>
-
-<pre caption="Scanning for stripped or non stripped executables">
-# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Using scanelf for Specific Segment Markings</title>
-<body>
-
-<p>
-Each segment has specific flags assigned to it in the Program Header of the
-binary. One of those flags is the type of the segment. Interesting values are
-PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
-segment contains dynamic linking information), PT_INTERP (the segment
-contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
-for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
-(a PaX extension for the ELF format, used by the security-minded
-<uri link="http://pax.grsecurity.net/">PaX Project</uri>.
-</p>
-
-<p>
-If we want to scan all executables in the current working directory, PATH
-environment and library paths and report those who have a writable and
-executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
-</p>
-
-<pre caption="Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK">
-# <i>scanelf -lpqe .</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Using scanelf's Format Modifier Handler</title>
-<body>
-
-<p>
-A useful feature of the <c>scanelf</c> utility is the format modifier handler.
-With this option you can control the output of <c>scanelf</c>, thereby
-simplifying parsing the output with scripts.
-</p>
-
-<p>
-As an example, we will use <c>scanelf</c> to print the file names that contain
-text relocations:
-</p>
-
-<pre caption="Example of the scanelf format modifier handler">
-# <i>scanelf -l -p -R -q -F "%F #t"</i>
+utility. What it does is check all the libraries linked statically by the
+binaries using <c>ldd</c> and then smartly add the paxmarks of those libraries
+to generate the new set. As a result if <path>/usr/games/bin/armagetronad</path>
+links with <path>/usr/lib64/libGL.so.1</path> which has the <e>-m</e> PaX mark
+(allow RWX mappings) because you are using a llvm requiring graphics driver
+you'll get that binary marked with the <e>-m</e> PaX mark too since it needs it.
+Below you can see how to run it.
+</p>
+
+<pre caption="Propagating the PaX marks from the libraries">
+# <i>mv /etc/grsec/learning.roles /etc/grsec/policy</i>
+# <i>chmod 0600 /etc/grsec/policy</i>
</pre>
-</body>
-</section>
-</chapter>
-
-<chapter id="pspax">
-<title>Listing PaX Flags and Capabilities</title>
-<section>
-<title>About PaX</title>
-<body>
-
-<p>
-<uri link="http://pax.grsecurity.net">PaX</uri> is a project hosted by the <uri
-link="http://www.grsecurity.net">grsecurity</uri> project. Quoting the <uri
-link="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>, its main
-goal is "to research various defense mechanisms against the exploitation of
-software bugs that give an attacker arbitrary read/write access to the
-attacked task's address space. This class of bugs contains among others
-various forms of buffer overflow bugs (be they stack or heap based), user
-supplied format string bugs, etc."
-</p>
-
-<p>
-To be able to benefit from these defense mechanisms, you need to run a Linux
-kernel patched with the latest PaX code. The <uri
-link="http://hardened.gentoo.org">Hardened Gentoo</uri> project supports PaX and
-its parent project, grsecurity. The supported kernel package is
-<c>sys-kernel/hardened-sources</c>.
-</p>
-
-<p>
-The Gentoo/Hardened project has a <uri
-link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri>
-for your reading pleasure.
-</p>
-
-</body>
-</section>
-<section>
-<title>Flags and Capabilities</title>
-<body>
-
-<p>
-If your toolchain supports it, your binaries can have additional PaX flags in
-their Program Header. The following flags are supported:
-</p>
-
-<table>
-<tr>
- <th>Flag</th>
- <th>Name</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>P</ti>
- <ti>PAGEEXEC</ti>
- <ti>
- Refuse code execution on writable pages based on the NX bit
- (or emulated NX bit)
- </ti>
-</tr>
-<tr>
- <ti>S</ti>
- <ti>SEGMEXEC</ti>
- <ti>
- Refuse code execution on writable pages based on the
- segmentation logic of IA-32
- </ti>
-</tr>
-<tr>
- <ti>E</ti>
- <ti>EMUTRAMP</ti>
- <ti>
- Allow known code execution sequences on writable pages that
- should not cause any harm
- </ti>
-</tr>
-<tr>
- <ti>M</ti>
- <ti>MPROTECT</ti>
- <ti>
- Prevent the creation of new executable code to the process
- address space
- </ti>
-</tr>
-<tr>
- <ti>R</ti>
- <ti>RANDMMAP</ti>
- <ti>
- Randomize the stack base to prevent certain stack overflow
- attacks from being successful
- </ti>
-</tr>
-<tr>
- <ti>X</ti>
- <ti>RANDEXEC</ti>
- <ti>
- Randomize the address where the application maps to prevent
- certain attacks from being exploitable
- </ti>
-</tr>
-</table>
-
-<p>
-The default Linux kernel also supports certain capabilities, grouped in the
-so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those
-capabilities in our <uri
-link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document.
-</p>
-
-</body>
-</section>
-<section>
-<title>Using pspax</title>
-<body>
-
-<p>
-The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays the
-run-time capabilities of all programs you have permission for. On Linux kernels
-with additional support for extended attributes (such as SELinux) those
-attributes are shown as well.
-</p>
-
-<p>
-When ran, <c>pspax</c> shows the following information:
-</p>
-
-<table>
-<tr>
- <th>Column</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>USER</ti>
- <ti>Owner of the process</ti>
-</tr>
-<tr>
- <ti>PID</ti>
- <ti>Process id</ti>
-</tr>
-<tr>
- <ti>PAX</ti>
- <ti>Run-time PaX flags (if applicable)</ti>
-</tr>
-<tr>
- <ti>MAPS</ti>
- <ti>Write/eXecute markings for the process map</ti>
-</tr>
-<tr>
- <ti>ELF_TYPE</ti>
- <ti>Process executable type: ET_DYN or ET_EXEC</ti>
-</tr>
-<tr>
- <ti>NAME</ti>
- <ti>Name of the process</ti>
-</tr>
-<tr>
- <ti>CAPS</ti>
- <ti>POSIX.1e capabilities (see note)</ti>
-</tr>
-<tr>
- <ti>ATTR</ti>
- <ti>Extended attributes (if applicable)</ti>
-</tr>
-</table>
<note>
-<c>pspax</c> only displays these capabilities when it is linked with
-the external capabilities library. This requires you to build <c>pax-utils</c>
-with -DWANT_SYSCAP.
+Due to the way in which <c>ldd</c> works you'll get all the libraries required
+at runtime, even those required by libraries you link to (and so on recursively)
+as a result <c>revdep-pax</c> will detect all dependencies in a single pass. If
+the behaviour of <c>ldd</c> changes so may change the behaviour of
+<c>revdep-pax</c>
</note>
<p>
-By default, <c>pspax</c> does not show any kernel processes. If you want those
-to be taken as well, use the <c>-a</c> switch.
-</p>
-
-</body>
-</section>
-</chapter>
-
-<chapter id="dumpelf">
-<title>Programming with ELF files</title>
-<section>
-<title>The dumpelf Utility</title>
-<body>
-
-<p>
-With the <c>dumpelf</c> utility you can convert a ELF file into human readable C
-code that defines a structure with the same image as the original ELF file.
+The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
</p>
-<pre caption="dumpelf example">
-$ <i>dumpelf /bin/hostname</i>
-#include &lt;elf.h&gt;
-
-<comment>/*
- * ELF dump of '/bin/hostname'
- * 10276 (0x2824) bytes
- */</comment>
-
-struct {
- Elf32_Ehdr ehdr;
- Elf32_Phdr phdrs[8];
- Elf32_Shdr shdrs[26];
-} dumpedelf_0 = {
-
-.ehdr = {
-<comment>(... Output stripped ...)</comment>
-</pre>
-
</body>
</section>
</chapter>
-</guide>
+</guide> \ No newline at end of file
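Review bot: the `<pre caption="Propagating the PaX marks from the libraries">` block added in this hunk does not show revdep-pax at all: `mv /etc/grsec/learning.roles /etc/grsec/policy` and `chmod 0600 /etc/grsec/policy` are grsecurity RBAC policy steps that look copy-pasted from another guide, so a reader following the section would move files under /etc/grsec instead of propagating PaX marks; replace them with the actual revdep-pax invocation the preceding paragraph promises (`Below you can see how to run it.`). Second, the added text `check all the libraries linked statically by the binaries using <c>ldd</c>` contradicts itself and the note below it: ldd resolves libraries linked dynamically and the note itself says `you'll get all the libraries required at runtime`, so `statically` should be `dynamically`. Third, the retained paragraph `The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package` ending in `The following table sums up the various options.` now closes the revdep-pax section with no table after it, because this hunk deletes the scanelf tables together with the pspax and dumpelf chapters; either drop that paragraph or move it with the material it introduces, and confirm that removing those 585 lines is the intended fix for bug #413289 rather than collateral damage. Minor: `a llvm requiring graphics driver` should be `an llvm-requiring graphics driver`, the `<note>` ends without a period, and the last line now lacks a trailing newline (`\ No newline at end of file`).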