blob: 7d2d9169875a9d96c7e0bb71c109997eecfd41a6 (plain)
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
  Using Xorg on Hardened Gentoo</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Using Xorg on Hardened Gentoo</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Background</option>
<option value="#doc_chap2">2. Kernel Configuration options</option>
<option value="#doc_chap3">3. Installation</option>
<option value="#doc_chap4">4. Configuration</option>
<option value="#doc_chap5">5. Known Issues</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Background</p>
<p class="secthead"><a name="doc_chap1_sect1">What is different about running Xorg with Hardened Gentoo?</a></p>
<p>
PaX, a patch for the Linux kernel, is a central part of the Hardened Gentoo
project.  PaX provides functionality such as ASLR and non-executable (NX) memory.  More
information is available at <a href="docs/pax-howto.html">http://www.gentoo.org/proj/en/hardened/docs/pax-howto.xml</a>.
For the purposes of this document, it is assumed that the reader has a general
understanding of how PaX works, as well as of the concept of Position Independent Executables (PIE).
</p>
<p>
The PaX feature of interest in this article is MPROTECT, which prevents a program from
creating new executable memory in its own address space (for example by making a writable page executable).  One of the main features
of Hardened Gentoo is the ability to run PaX effectively because of the ET_DYN/PIE base.
The eventual goal for Xorg is to have the binary itself built as ET_DYN/PIE, to remove text
relocations from it and to randomize its base address without the ET_EXEC performance hit.
</p>
<p>
At this point, compiling Xorg as PIC code sounds like the obvious, logical choice.  Hardened
Gentoo offers a hardened gcc for this purpose, which provides transparent PIE/SSP compilation.  This
is where you begin to run into problems with Xorg.  Xorg currently uses elfloader to load
the modules it needs; however, elfloader is unable to process several of the relocation types that
PIC code always generates.  Most importantly, elfloader has no support for Global Offset
Table (GOT) or Procedure Linkage Table (PLT) relocations, which are both essential for shared libraries.
</p>
<p>
So if elfloader won't work, then what will?  Luckily there is already a fully operational, well-tested,
mature dynamic loader installed on your system: ld-linux.so, which is provided by glibc.  The obvious idea
at this point is that ideally there would be a programmatic interface to the glibc loader, and the
X loader could be modified to use that instead of home-brewing its own.  It turns out that such an interface
exists, dlopen(3) et al., and this is exactly what the dlloader uses.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Starting with Xorg 7.0, dlloader is the default module loader for X.</p></td></tr></table>
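<p>
The dlopen(3)/dlsym(3)/dlerror(3) pattern that a dlloader-style module loader builds on, as an added example (this is not Gentoo's or Xorg's code).  The runnable part resolves a symbol from the program's own global scope via <code>dlopen(NULL)</code>, so it needs no module file; the driver path and the <code>ModuleSetup</code> entry point used in the failure test are invented placeholders.  The <code>lazy</code> parameter is the RTLD_LAZY versus RTLD_NOW choice that the lazy-binding discussion under Known Issues is about.
</p>

```c
/* Added example, not Gentoo's or Xorg's code: the dlopen(3)/dlsym(3)/dlerror(3)
 * pattern a dlloader-style module loader relies on instead of a hand-written
 * ELF relocator.  The runnable part resolves a symbol from the program's own
 * global scope (dlopen(NULL)), so no module file is needed; the driver path
 * and "ModuleSetup" entry point used in the failure test are invented. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Load a module and resolve one entry point.  `lazy` selects RTLD_LAZY
 * (functions resolved on first call) over RTLD_NOW (everything resolved at
 * load time, which is what a BIND_NOW-hardened toolchain enforces).  Returns
 * the symbol, or NULL after printing the loader's own error text. */
static void *load_module_symbol(const char *path, const char *symbol,
                                int lazy, void **handle_out)
{
    void *handle, *sym;
    const char *err;

    dlerror();                                  /* clear stale error state */
    handle = dlopen(path, lazy ? RTLD_LAZY : RTLD_NOW);
    if (handle == NULL) {
        fprintf(stderr, "dlopen(%s): %s\n", path ? path : "(self)", dlerror());
        return NULL;
    }
    sym = dlsym(handle, symbol);
    err = dlerror();                            /* a NULL symbol value is legal, so check dlerror */
    if (err != NULL) {
        fprintf(stderr, "dlsym(%s): %s\n", symbol, err);
        dlclose(handle);
        return NULL;
    }
    *handle_out = handle;
    return sym;
}

/* Resolve strlen() through the loader and call it via the returned pointer.
 * Returns the string length, or -1 if the loader reported a failure. */
int resolve_strlen_and_call(const char *text)
{
    void *handle = NULL;
    void *sym = load_module_symbol(NULL, "strlen", 0, &handle);
    size_t (*fn)(const char *);
    int n;

    if (sym == NULL)
        return -1;
    memcpy(&fn, &sym, sizeof fn);               /* object-to-function pointer, portably */
    n = (int)fn(text);
    dlclose(handle);
    return n;
}

/* A missing module must fail cleanly with a dlerror() message rather than
 * crash.  Returns 1 when the failure was reported and no handle leaked. */
int missing_module_fails_cleanly(void)
{
    void *handle = NULL;
    void *sym = load_module_symbol("/nonexistent/modules/libexample_drv.so",
                                   "ModuleSetup", 1, &handle);
    return sym == NULL && handle == NULL;
}

int main(void)
{
    printf("strlen via dlsym: %d\n", resolve_strlen_and_call("hardened"));
    printf("missing module handled: %d\n", missing_module_fails_cleanly());
    return 0;
}
```

<p>
On glibc older than 2.34 link with <code>-ldl</code>; newer glibc and musl ship dlopen in libc itself.  Note that every relocation type PIC code emits, GOT and PLT entries included, is handled inside dlopen, which is the whole point of delegating to the system loader.
</p>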
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>Kernel Configuration options</p>
<p class="secthead"><a name="doc_chap2_sect1">CONFIG_PAX_KERNEXEC</a></p>
<p>
The option 'CONFIG_PAX_KERNEXEC' is the kernel-space equivalent of PAGEEXEC and MPROTECT.  Enabling it makes
it harder to inject and execute 'foreign' code in kernel memory itself.  This option may also cause strange behaviour on
a hardened Xorg setup (such as the mouse pointer being stuck on the left side of the screen).
The suggestion is therefore to turn this option off by deselecting it in your kernel config.
</p>
<p class="secthead"><a name="doc_chap2_sect2">CONFIG_GRKERNSEC_IO</a></p>
<p>
Enabling this option makes all ioperm(2) and iopl(2) calls return an error.  ioperm(2) and iopl(2) might be
used to modify the running kernel.  Since you want to run an Xorg server on top of your hardened (usually grsecurity) kernel, you will
have to disable this config option in order to get the X server up and running.
</p>
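<p>
A small check for the two options above, as an added example (not part of this document or of any Gentoo tool): it scans kernel .config text and reports which of them is still enabled.  The sample config is constructed for the demonstration; on a live system you would feed it the contents of /proc/config.gz or /boot/config-$(uname -r).
</p>

```c
/* Added example, not from the Gentoo document: check a kernel .config for the
 * two options this chapter says to disable on a hardened Xorg box.  The
 * sample config text is constructed for the demonstration; on a live system
 * you would feed it the contents of /proc/config.gz (via zcat) or
 * /boot/config-$(uname -r). */
#include <stdio.h>
#include <string.h>

enum opt_state { OPT_UNSET = 0, OPT_ENABLED = 1, OPT_ABSENT = 2 };

/* Scan the config text line by line for one option.  "NAME=y" or "NAME=m"
 * gives OPT_ENABLED, "# NAME is not set" gives OPT_UNSET, and OPT_ABSENT
 * means no line mentions the option at all (for example a kernel tree
 * without the grsecurity/PaX patch does not know CONFIG_PAX_KERNEXEC). */
enum opt_state config_state(const char *config, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = config;

    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        if (len == nlen + 2 && strncmp(line, name, nlen) == 0 && line[nlen] == '=' &&
            (line[nlen + 1] == 'y' || line[nlen + 1] == 'm'))
            return OPT_ENABLED;
        if (len == nlen + 13 && strncmp(line, "# ", 2) == 0 &&
            strncmp(line + 2, name, nlen) == 0 &&
            strncmp(line + 2 + nlen, " is not set", 11) == 0)
            return OPT_UNSET;
        if (end == NULL)
            break;
        line = end + 1;
    }
    return OPT_ABSENT;
}

/* The options this chapter recommends deselecting before starting Xorg. */
static const char *const xorg_conflicting_opts[] = {
    "CONFIG_PAX_KERNEXEC",
    "CONFIG_GRKERNSEC_IO",
};

/* Print one line per option and return how many are still enabled. */
int count_enabled_conflicts(const char *config)
{
    int enabled = 0;
    size_t i;

    for (i = 0; i < sizeof xorg_conflicting_opts / sizeof xorg_conflicting_opts[0]; i++) {
        enum opt_state s = config_state(config, xorg_conflicting_opts[i]);
        printf("%-22s %s\n", xorg_conflicting_opts[i],
               s == OPT_ENABLED ? "enabled: deselect before running Xorg" :
               s == OPT_UNSET   ? "not set" : "absent from this config");
        if (s == OPT_ENABLED)
            enabled++;
    }
    return enabled;
}

/* Constructed sample: KERNEXEC still on, GRKERNSEC_IO already off. */
const char *const sample_config =
    "CONFIG_GRKERNSEC=y\n"
    "CONFIG_PAX=y\n"
    "CONFIG_PAX_KERNEXEC=y\n"
    "# CONFIG_GRKERNSEC_IO is not set\n"
    "CONFIG_PAX_MPROTECT=y\n";

int main(void)
{
    int n = count_enabled_conflicts(sample_config);
    printf("%d conflicting option(s) still enabled\n", n);
    return n == 0 ? 0 : 1;
}
```

<p>
The exit status makes the check usable from a build or provisioning script: a non-zero result means the kernel config still carries an option that this document says will keep the X server from starting.
</p>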
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>Installation</p>
<p class="secthead"><a name="doc_chap3_sect1">Current Install Options</a></p>
<p>
Since Xorg 7.0 and later use the dlloader instead of the elfloader by default, there is no need to do anything special to get Xorg
compiling and working on a hardened profile.
</p>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
            </span>Configuration</p>
<p class="secthead"><a name="doc_chap4_sect1">/etc/X11/xorg.conf</a></p>
<p>
You can set up your Xorg configuration file using the X Server
Configuration HOWTO found at:
<a href="http://www.gentoo.org/doc/en/xorg-config.xml">http://www.gentoo.org/doc/en/xorg-config.xml</a>
</p>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
            </span>Known Issues</p>
<p class="secthead"><a name="doc_chap5_sect1">The dlloader Experiences</a></p>
<p>
Hardened Gentoo makes resolving all symbols at load time the default link strategy, and enforces
this on all shared libraries when they are built.  Normally the loader uses "lazy" resolution if requested,
whereby symbols are resolved as and when they are first used.  Unfortunately some Xorg modules have mutual
dependencies and other issues that mean they cannot load unless lazy symbol resolution is enabled.  To work
around this issue, Gentoo currently compiles the Xorg modules and the server itself with the -nonow gcc flag.
This fixes the "dlopen: undefined symbol" errors, so the previous methods of manually detecting and loading modules are
no longer needed.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
Please report all issues to bugs.gentoo.org with full logs and configs
attached.
</p></td></tr></table>
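<p>
Whether a module was linked for load-time binding (the hardened default) or can bind lazily (what -nonow permits) is recorded in its ELF dynamic section as DT_BIND_NOW or the DF_BIND_NOW bit of DT_FLAGS, and text relocations (the thing the ET_DYN/PIE goal in the Background chapter removes) show up as DT_TEXTREL or DF_TEXTREL.  The following added example (not from this document or from Xorg) parses those entries from an in-memory ELF64 image; the sample image is constructed inline, and <code>inspect_elf64()</code> gives the same answer as <code>readelf -d</code> when handed the bytes of a real module.
</p>

```c
/* Added example, not from the Gentoo document or from Xorg: parse an ELF64
 * dynamic section and report the three properties this page discusses:
 * ET_DYN (PIE/shared object), TEXTREL (text relocations) and BIND_NOW
 * ("-z now", the hardened default that "-nonow" switches off).  The sample
 * image is constructed in memory; inspect_elf64() works on real file bytes too. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct dyn_report { int is_et_dyn, bind_now, textrel, found_dynamic; };

/* Walk the program headers of a little-endian ELF64 image, find PT_DYNAMIC
 * and collect the flags.  Returns 0 on success, -1 if the image is
 * unsupported or truncated (every copy is bounds-checked first). */
int inspect_elf64(const unsigned char *img, size_t len, struct dyn_report *r)
{
    Elf64_Ehdr eh;
    uint16_t i;

    memset(r, 0, sizeof *r);
    if (len < sizeof eh)
        return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return -1;
    r->is_et_dyn = (eh.e_type == ET_DYN);

    for (i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize, k;
        if (off > len || sizeof ph > len - off)
            return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_DYNAMIC)
            continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return -1;
        r->found_dynamic = 1;
        for (k = 0; k + sizeof(Elf64_Dyn) <= ph.p_filesz; k += sizeof(Elf64_Dyn)) {
            Elf64_Dyn d;
            memcpy(&d, img + ph.p_offset + k, sizeof d);
            if (d.d_tag == DT_NULL)
                break;
            if (d.d_tag == DT_BIND_NOW) r->bind_now = 1;
            if (d.d_tag == DT_TEXTREL)  r->textrel = 1;
            if (d.d_tag == DT_FLAGS) {
                if (d.d_un.d_val & DF_BIND_NOW) r->bind_now = 1;
                if (d.d_un.d_val & DF_TEXTREL)  r->textrel = 1;
            }
        }
    }
    return 0;
}

/* Build a minimal constructed ELF64 image: header, one PT_DYNAMIC program
 * header and a two-entry dynamic array.  Returns the image size, or 0 if
 * the buffer is too small. */
size_t build_sample_image(unsigned char *buf, size_t cap, uint16_t type, uint64_t flags)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    Elf64_Dyn dyn[2];
    size_t dyn_off = sizeof eh + sizeof ph, total = dyn_off + sizeof dyn;

    if (cap < total)
        return 0;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = type;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_DYNAMIC;
    ph.p_offset = dyn_off;
    ph.p_filesz = sizeof dyn;
    dyn[0].d_tag = DT_FLAGS; dyn[0].d_un.d_val = flags;
    dyn[1].d_tag = DT_NULL;  dyn[1].d_un.d_val = 0;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    memcpy(buf + dyn_off, dyn, sizeof dyn);
    return total;
}

/* Summary bitmask for a constructed image: bit0 ET_DYN, bit1 BIND_NOW,
 * bit2 TEXTREL; -1 if it could not be parsed. */
int sample_summary(uint16_t type, uint64_t flags)
{
    unsigned char buf[256];
    struct dyn_report r;
    size_t n = build_sample_image(buf, sizeof buf, type, flags);

    if (n == 0 || inspect_elf64(buf, n, &r) != 0 || !r.found_dynamic)
        return -1;
    return r.is_et_dyn | (r.bind_now << 1) | (r.textrel << 2);
}

int main(void)
{
    /* A PIE linked "-z now" (would need -nonow to load lazily), and a
     * non-PIE object carrying text relocations. */
    printf("PIE + BIND_NOW : %d\n", sample_summary(ET_DYN, DF_BIND_NOW));
    printf("EXEC + TEXTREL : %d\n", sample_summary(ET_EXEC, DF_TEXTREL));
    return 0;
}
```

<p>
A module that reports BIND_NOW cannot take advantage of lazy resolution, so the mutual-dependency failure described above will reproduce regardless of how the server is started; a module that reports TEXTREL will trip MPROTECT on a PaX kernel because the loader has to write into its text pages.
</p>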
<p class="secthead"><a name="doc_chap5_sect2">Binary Drivers</a></p>
<p>
Binary drivers are currently not supported on the hardened profile; you are encouraged to use the
open-source drivers instead.
</p>
<p class="secthead"><a name="doc_chap5_sect3">PaX Flags</a></p>
<p>
The PaX flags -P (PAGEEXEC), -S (SEGMEXEC), -M (MPROTECT) as well as -R (RANDMMAP) now work with Xorg.
</p>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated December 23, 2006</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
How to install and use Xorg on Hardened Gentoo
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  Adam Mondl
<br><i>Author</i><br><br>
  <a href="mailto:g2@kevquinn.com" class="altlink"><b>Kevin Quinn</b></a>
<br><i>Contributor</i><br><br>
  <a href="mailto:solar@gentoo.org" class="altlink"><b>Ned Ludd</b></a>
<br><i>Contributor</i><br><br>
  <a href="mailto:christian.heim@uni-greifswald.de" class="altlink"><b>Christian Heim</b></a>
<br><i>Contributor</i><br><br>
  <a href="mailto:zaid_a@users.sourceforge.net" class="altlink"><b>Zaid A.</b></a>
<br><i>Contributor</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>