PIC libraries
4 posts
• Page 1 of 1
PIC libraries
by torne » Mon Oct 27, 2003 8:36 pm
Is it possible to tell whether a library is PIC or not? Debian policy dictates that all shared libraries be PIC and all static libraries be non-PIC, which should be sufficient to allow setting NOELFRELOCS; however, it would be nice if there was some way to check.
- torne
- Posts: 54
- Joined: Mon Aug 12, 2002 12:52 pm
Re: PIC libraries
by PaX Team » Tue Oct 28, 2003 4:57 am
a readelf -d /path/to/library | grep TEXTREL will show you whether a given library (or any ELF file for that matter) needs text relocations (which is what matters for NOELFRELOCS and also implies that the library in question has been compiled with -fPIC). note that we have already run into weird things on non-i386 archs, like some normal executables having text relocations on alpha and others.torne wrote:Is it possible to tell whether a library is PIC or not? Debian policy dictates that all shared libraries be PIC and all static libraries be non-PIC, which should be sufficient to allow setting NOELFRELOCS; however, it would be nice if there was some way to check.
also check the http://adamantix.org and http://www.gentoo.org/proj/en/hardened/index.xml projects which have already converted their distro (more or less) to an ET_DYN userland and the grsecurity mailing list archives for more info on this topic.
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
by torne » Tue Oct 28, 2003 6:49 am
Aha! That's exactly what I was looking for, thanks. I've looked at Adamantix but am not sure it's suitable for me; I'm mostly happy with Debian atm. =)
I have only built my daemons (and the processes they invoke) as ET_DYN because that seems sufficient for my purposes. All local users are both moderately trusted and moderately restricted (with ACLs..etc) already, so I'm not too bothered =)
Has any work been done using the newish ld feature that allows you to request that relocation information be left in ET_EXEC binaries?
I have only built my daemons (and the processes they invoke) as ET_DYN because that seems sufficient for my purposes. All local users are both moderately trusted and moderately restricted (with ACLs..etc) already, so I'm not too bothered =)
Has any work been done using the newish ld feature that allows you to request that relocation information be left in ET_EXEC binaries?
- torne
- Posts: 54
- Joined: Mon Aug 12, 2002 12:52 pm
by PaX Team » Tue Oct 28, 2003 3:07 pm
even better, a few months ago RedHat began work on a new feature called Position Independent Executable (-pie is the ld command line switch) which does what my earlier attempts at ET_DYN executables did, only in a cleaner/explicit form that will be supported throughout the toolchain (including -fpie/-fPIE switches in gcc eventually). i think the above mentioned Hardened Gentoo project already makes use of it when available (right now only the very latest binutils test versions have it in a usable form).torne wrote:Has any work been done using the newish ld feature that allows you to request that relocation information be left in ET_EXEC binaries?
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
4 posts
• Page 1 of 1