Message-ID: <20110629182505.GC14873@openwall.com>
Date: Wed, 29 Jun 2011 22:25:05 +0400
From: Solar Designer <solar@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: overview of PaX features

Vasiliy,

On Sun, Jun 26, 2011 at 10:33:21PM +0400, Vasiliy Kulikov wrote:
> PaXTeam said there is almost nothing I can do with userspace NX.
> Currently it is implemented as a "stack can be X unless GNU_STACK is
> enabled" instead of a secure-by-default policy.  It's impossible to fix
> it without breaking compatibility with old apps.  So, I'm skipping NOEXEC
> options.

Please do break compatibility with a handful of old apps - but as a
non-default option (which we're likely to make the default on Owl, just
like we had non-executable stack by default with 2.4.x-ow kernels).

With OpenVZ, it needs to be configurable per-container.

This is an important security hardening feature for us to have, so
please proceed to implement it sooner rather than later.

I'm sorry that I haven't reviewed the rest of your message yet (and am
in fact a bit late with this comment as well...)

Thanks,

Alexander
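As an added example (not part of this thread, and not code from the kernel or from PaX), here is the check a defender would run over a set of binaries to see which of the two policies discussed above applies to each one: a small Python ELF program-header parser that reports whether PT_GNU_STACK is present and whether it requests an executable stack, evaluated under both the legacy default (missing header means an executable stack) and the "secure by default" alternative (missing header means non-executable). The `build_elf64` helper and the three `SAMPLE_*` images are constructed test inputs, not real binaries; `stack_policy`, `parse_phdrs` and `audit_file` are names chosen here.

```python
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # p_type of the GNU_STACK program header
PF_X = 0x1                  # execute bit in p_flags


def parse_phdrs(data):
    """Return [(p_type, p_flags), ...] for an ELF image held in memory.

    Handles ELF32 and ELF64 in either byte order; only the header fields
    needed to walk the program-header table are decoded.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                        # ELFCLASS64
        # e_phoff at 32; skip e_shoff, e_flags, e_ehsize; then e_phentsize, e_phnum
        e_phoff, e_phentsize, e_phnum = struct.unpack_from(end + "Q14xHH", data, 32)
        phdr_fmt = end + "II"                # Elf64_Phdr: p_type, p_flags first
    elif ei_class == 1:                      # ELFCLASS32
        e_phoff, e_phentsize, e_phnum = struct.unpack_from(end + "I10xHH", data, 28)
        phdr_fmt = end + "I20xI"             # Elf32_Phdr: p_type at 0, p_flags at 24
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program-header table runs past end of image")
    return [struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
            for i in range(e_phnum)]


def stack_policy(data, secure_default=False):
    """Return (header_present, stack_executable) for an ELF image.

    secure_default=False models the classic kernel behaviour the quoted
    message objects to: no PT_GNU_STACK header means a legacy binary, and
    the stack is made executable.  secure_default=True models the
    "secure by default" policy: a missing header yields a non-executable
    stack, and only an explicit PF_X request makes it executable.
    """
    gnu_stack = [flags for ptype, flags in parse_phdrs(data) if ptype == PT_GNU_STACK]
    if not gnu_stack:
        return (False, not secure_default)
    return (True, bool(gnu_stack[-1] & PF_X))


def build_elf64(phdrs):
    """Construct a minimal little-endian x86-64 ELF64 image whose only content
    is the given program headers (list of (p_type, p_flags)).  Constructed
    sample input for this example; it is not a loadable program."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = struct.pack("<HHIQQQIHHHHHH",
                         2, 0x3E, 1, 0,        # e_type ET_EXEC, e_machine x86-64, e_version, e_entry
                         64, 0, 0,             # e_phoff right after the 64-byte header, no sections
                         64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                         64, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return e_ident + header + body


# Constructed samples: a pre-GNU_STACK style binary, one marked RW, one marked RWX.
SAMPLE_LEGACY = build_elf64([(PT_LOAD, 5)])
SAMPLE_NOEXEC = build_elf64([(PT_LOAD, 5), (PT_GNU_STACK, 6)])
SAMPLE_EXECSTACK = build_elf64([(PT_LOAD, 5), (PT_GNU_STACK, 7)])


def audit_file(path, secure_default=False):
    """Read one binary from disk and describe the stack it would get."""
    with open(path, "rb") as f:
        present, executable = stack_policy(f.read(), secure_default)
    marker = "GNU_STACK present" if present else "no GNU_STACK (legacy)"
    return "%s: %s, stack %s" % (path, marker, "EXEC" if executable else "noexec")


if __name__ == "__main__":
    # Usage: python elf_stack_check.py [--secure-default] FILE...
    args = sys.argv[1:]
    secure = "--secure-default" in args
    for path in (a for a in args if a != "--secure-default"):
        print(audit_file(path, secure))
```

The same information is what `readelf -lW` prints on its GNU_STACK line; the point of decoding it here is to make the policy decision explicit: a binary with no PT_GNU_STACK header is exactly the class whose compatibility the quoted message is worried about, and the `secure_default` switch shows what the non-default option requested above would change for it.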
