Hardened Gentoo PaX Quickstart
What is Hardened Gentoo?
Hardened Gentoo is a project interested in the hardening of a Gentoo system.
Several different solutions are supported by us and there is a fair bit of
flexibility to create your own setup. At the heart of Hardened Gentoo is
What is PaX?
PaX is a patch to the Linux kernel that provides hardening in two ways.
The first, ASLR (Address Space Layout Randomization) provides a means to
randomize the addressing scheme of all data loaded into memory. When an
application is built as a PIE (Position Independent Executable), PaX is
able to also randomize the addresses of the application base in addition.
The second protection provided by PaX is non-executable memory. This prevents a
common form of attack where executable code is inserted into memory by an
attacker. More information on PaX can be found throughout this guide, but the
homepage can be found at http://pax.grsecurity.net.
An Introduction to PIE and SSP
As mentioned above, PaX is complemented by PIE. This method of building
executables stores information needed to relocate parts of the executable in
memory, hence the name Position Independent.
SSP (Stack Smashing Protector) is a second complementary technology we
introduce at executable build time. SSP was originally introduced by IBM under
the name ProPolice. It modifies the C compiler to insert initialization
code into functions that create a buffer in memory.
In newer versions of SSP, it is possible to apply SSP to all functions,
adding protection to functions whose buffer would normally be below the size
limit for SSP. This is enabled via the CFLAG -fstack-protector-all.
At run time, when a buffer is created, SSP adds a secret random value, the
canary, to the end of the buffer. When the function returns, SSP makes sure
that the canary is still intact. If an attacker were to perform a buffer
overflow, he would overwrite this value and trigger that stack smashing
handler. Currently this kills the target process.
Further reading on
Building a PaX-enabled Kernel
Several Gentoo kernel trees are already patched with PaX.
For 2.4 based machines, the recommended kernels are hardened-sources or
grsec-sources. For 2.6 machines, hardened-dev-sources are
Grab one of the recommended source trees, or apply the appropriate patch from
http://pax.grsecurity.net to your own tree and configure it as you
normally would for the target machine.
In Security Options -> PaX, apply the options as shown below.
Code Listing 4.1: Kernel configuration
[*] Enable various PaX features
PaX Control ->
[ ] Support soft mode
[*] Use legacy ELF header marking
[*] Use ELF program header marking
MAC system integration (none) --->
Non-executable page ->
[*] Enforce non-executable pages
[*] Paging based non-executable pages
[*] Segmentation based non-executable pages
[*] Emulate trampolines
[*] Restrict mprotect()
[ ] Disallow ELF text relocations
Address Space Layout Randomization ->
[*] Address Space Layout Randomization
[*] Randomize kernel stack base
[*] Randomize user stack base
[*] Randomize mmap() base
[*] Randomize ET_EXEC base
Build this kernel as you normally would and install it to /boot.
Building a PIE/SSP Enabled Userland
Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
specfile. This means that any users upgrading an older Hardened install should
remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the
hardened-gcc package is now deprecated and should be unmerged
(version 5.0 is a dummy package). To get the current GCC, add
USE="hardened" to /etc/make.conf.
To maintain a consistant toolchain, first emerge binutils gcc glibc.
Next, rebuild the entire system with emerge -e world. All future packages
will be built with PIE/SSP.
Both PIE and SSP are known to cause issues with some packages. If you come
across a package that fails to compile, please file a bug report including a log
of the failed compile and the output of emerge info to
When Things Misbehave (PaX Control)
Some legitimate applications will attempt to generate code at run time which is
executed out of memory. Naturally, PaX does not allow this and it will promptly
kill the offending application.
The most notable of these applications are XFree, mplayer and multimedia tools
based on xine-lib. The easiest way around these problems are to disable PaX
Luckily there is a utility to toggle protections on a per-executable basis,
paxctl. As with any other package in Gentoo, install paxctl with the
command emerge paxctl. Usage is show by paxctl -h.
If you have an older version of binutils, you will need to use chpax,
which edits the old-style PaX markings. Usage of chpax is largely the same as
paxctl. This also requires legacy marking support built into your kernel.
Code Listing 6.1: paxctl -h
usage: paxctl <options> <files>
-p: disable PAGEEXEC -P: enable PAGEEXEC
-e: disable EMUTRMAP -E: enable EMUTRMAP
-m: disable MPROTECT -M: enable MPROTECT
-r: disable RANDMMAP -R: enable RANDMMAP
-x: disable RANDEXEC -X: enable RANDEXEC
-s: disable SEGMEXEC -S: enable SEGMEXEC
-v: view flags -z: restore default flags
-q: suppress error messages -Q: report flags in short format flags
The first option we will note is -v, which can display flags set on a
Code Listing 6.2: paxctl -v
y0shi brandon # paxctl -v /usr/X11R6/bin/XFree86
PaX control v0.2
Copyright 2004 PaX Team <firstname.lastname@example.org>
- PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is enabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is enabled
This shows an XFree binary with all protections disabled.
To set flags on a binary, the -z flag is useful as it restores the
To disable protections on XFree, run
paxctl -zpeMRxs /usr/X11R6/bin/XFree86.
Play around with disabling/enabling protections to see what is the least needed
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.