On 19 Mar 2009 at 12:46, John Eckhart wrote:

> It seems like we have a multiway catch22 as the fix for the kernel was
> correct from both a security and a "trueness to specification" standpoint
> and the fix for glibc will likely be a long time in coming. Based on that, I
> would think that the best "gentoo" fix is to put the execstack call into the
> ebuild (conditionally run on the hardened use flag). However, execstack is
> part of the prelink, which, by nature, is not compatible with hardened. Any
> suggestions how to proceed?

prelink is compatible with PaX/ASLR as the mmap address hint is simply ignored there. in any case, playing the GNU_STACK games has only one logical end that i've advocated since the beginning: ignore it for good. for glibc in this case that means moving __stack_prot out of RELRO.
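
The GNU_STACK marking discussed in this thread is a program header that execstack queries and edits. The following is an added example, not part of the original message: it reads the PT_GNU_STACK flags of an ELF image and notes whether a PT_GNU_RELRO segment is present. The function names and the sample ELF images built by `make_elf64` are constructed for illustration.

```python
import struct

PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

def stack_marking(elf: bytes) -> dict:
    """Report PT_GNU_STACK flags and PT_GNU_RELRO presence for an ELF image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = {1: False, 2: True}[elf[4]]      # EI_CLASS
    end = {1: "<", 2: ">"}[elf[5]]          # EI_DATA
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    # gnu_stack stays None when the header is absent; the loader then
    # falls back to its architecture default for stack permissions.
    result = {"gnu_stack": None, "exec_stack": None, "relro": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            result["gnu_stack"] = p_flags
            result["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result

def make_elf64(phdrs):
    """Constructed sample: minimal little-endian ELF64 header plus program headers."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)

if __name__ == "__main__":
    hardened = make_elf64([(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
    legacy = make_elf64([(PT_GNU_STACK, PF_R | PF_W | PF_X)])
    print(stack_marking(hardened))
    print(stack_marking(legacy))
```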
