INTRODUCTION

Currently there are two ways to perform pax markings, one is by EI_PAX and
the other by PT_PAX.  The former is a legacy marking which uses bytes 14
and 15 of the ehdr.e_ident[] field of an ELF binary.  These are in a reserved
area of the ELF header and could be allocated to a different official use by some
future standard [1].   As of glibc commit 04f2902d9fadb2b8221162247412fb2c4667d95e
on Mar 18 2010, this way of marking  is broken [2] and needs to be deprecated.

The second method introduces a new program header called PAX_FLAGS which hosts
the markings.  While this avoids hijacking a reserved area of an ELF binary,
it introduces the problem of pre-compiled binaries which do not have a PT_PAX
program header.  Binaries compiled on a Gentoo system automatically have a
PT_PAX header because of patched binutils [3].  However binaries compiled on
other systems do not necessarily have such a section.  This can be remedied by
either adding a PT_PAX header or converting a GNU_STACK header.  However both
of these are problematic.  In the case of self-checking elf binaries, adding
a PT_PAX header will cause a failure of the check.  Alternatively, converting
a GNU_STACK header can cause the binary to fail to execute correctly.

Here, we propose a third possibility is being proposed.  The pax markings can
be put in the Extended File Attributes, much like selinux labels.  This is not
without its difficulties because not all filesystems are capable of supporting
xattrs.  However, work on making filesystems, like tmpfs, and archiving tools,
like tar, aware of xattrs is maturing and migrating pax markings to xattrs is
now a design possibility [4].  We will call these markings XATTR_PAX.


PURPOSAL

To avoid ambiguity in Hardened Gentoo and to smooth the transition to a
future, we propose the following standards to how pax markings are treated:

1) The kernel.  All legacy EI_PAX refrences will be removed from the kernel,
and ehdr.e_ident[] bytes 14 and 15 will not be considered for any PaX decisions.
The kernel will be patched to force respect of XATTR_PAX markings first, and only
if these are missing, revert to PT_PAX.  If both markings are missing, then the
kernel will revert to enforcing maximum protection, meaning

	PAGEEXEC enabled
	SEGMEXEC enabled
	MPROTECT enabled
	EMUTRAMP disabled
	RANDMMAP enabled

Setting the kernel options for PaX will automatically set XATTR support
on whatever filesystems are configured and support them.

2) Userland utility.  A new userland utility will be required to ensure
consistency between the two types of pax markings.  It will return the
XATTR_PAX markings if found, and only if these are missing, revert to PT_PAX.

This utility will not attempt to convert or add any program header to the
ELF binary.



REFERENCE

[1] http://refspecs.freestandards.org/elf/
[2] https://bugs.gentoo.org/show_bug.cgi?id=387459
[3] As of this writing, PT_PAX support is provided by 
    patch 63_all_binutils-2.21.1-pt-pax-flags-20110918.patch
    which can be obtained from the patch bundles found at
    http://dev.gentoo.org/~vapier/dist/
[4] https://bugs.gentoo.org/show_bug.cgi?id=382067