grsecurity forums

Hi,

I have the following situation: I run a mostly out-of-the-box debian woody
with the usual standard packages installed. I have installed the patched
binutils to add the PT_PAX_FLAGS-header to programs compiled by myself.
Now i want to run GRSecurity in safe mode, only enabling the PAX features
for testet binaries. However, I can not do this for the standard debian
binaries, because PT_PAX_FLAGS is missing.
Is there an easy way to add the PT_PAX_FLAGS-header to ELF-binaries
without having to recompile/relink them (eg. via ELFsh or a similar tool)?
This is something I would really like to perform a seamless transition to
a grsecurity-hardened system...
Thanks for your attention,
Pkunk

pkunk wrote:Now i want to run GRSecurity in safe mode, only enabling the PAX features for testet binaries. However, I can not do this for the standard debian binaries, because PT_PAX_FLAGS is missing.
Is there an easy way to add the PT_PAX_FLAGS-header to ELF-binaries
without having to recompile/relink them (eg. via ELFsh or a similar tool)?

unfortunately adding a new program header is not easy, even with helper tools like ELFsh. it would be easy however to convert an existing program header to PT_PAX_FLAGS, provided your binaries have something that you can 'recycle' this way (e.g., PT_GNU_STACK or maybe PT_NOTE). i think execstack from the prelink package does it for its own purposes, take a look at that code.