:: Re: [Dng] with pax flags, Java work…
Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Gravis
Fecha:  
A: dng@lists.dyne.org
Asunto: Re: [Dng] with pax flags, Java works fine - (was Hardened Devuan)
> Wouldn't this hit every program that does JIT compilation?

yes. the good news is that not a lot of programs use it because it's
a temperamental and architecture dependant technology.


> Or is execution from writable memory different?


JIT is one use of executing writable memory. the basic problem is
that programs that do this can obscure their true intent from our dumb
static program analyzers. therefore, you either have to true the
program or use an interpretation engine rather than a JIT
compiler/dynamic recompiler. since it's a speed hack, you will find
it in performant programs and since it obfuscates, you will find it in
malware.

- Gravis


On Sun, Mar 8, 2015 at 6:56 AM, Hendrik Boom <hendrik@???> wrote:
> On Sun, Mar 08, 2015 at 08:21:42AM +0200, Martijn Dekkers wrote:
>> > Just to clarify... *Java will run* with a grsecurity hardened kernel,
>> > with pax enabled. It just needs mprotect disabled for the specific programs
>> > that need it disabled. (and also many other things need this... python,
>> > kdeinit4, skype, kscreenlocker_greet, thunderbird, firefox,
>> > plugin-container, gdb, utox, grub-probe, etc. also firefox needs JIT
>> > disabled for optimal stability). For this you need some kernel features
>> > enabled; I recommend the one using xattrs because then the binaries don't
>> > need modifications (or backups, and modified binaries won't run properly in
>> > a non-grsec kernel, but they run fine with xattrs).
>> >
>> > Set the extended file system attribute with:
>> >
>> > setfattr -n user.pax.flags -v m /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java
>> >
>> > (example path, may not be right for Debian openjdk)
>> >
>>
>> cool, thanks! I think it would be important that packages that have an
>> issue running under grsec all do what they need to do on installation to
>> make sure the correct configs are in place to actually work under grsec.
>> This is often left out, making proper security expensive and difficult to
>> track down.
>
> Wouldn't this hit every program that does JIT compilation? Or is
> execution from writable memory different?
>
> -- hendrik
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng