On Apr 28, 2011, at 10:34 AM, Vincent wrote: > Le 26 avr. 2011 à 16:15, Jeff Johnson a écrit : > >> And I'm still patiently waiting to see Lion "sandboxing" on my lappie ... > > In the man page of ld, I see this: > > -pie This makes a special kind of main executable that is position > independent (PIE). On Mac OS X 10.5 and later, the OS the OS will load a PIE > at a random address each time it is executed. You cannot create a PIE from > .o files compiled with -mdynamic-no-pic. That means the codegen is less > optimal, but the address randomization adds some security. When targeting Mac > OS X 10.7 or later PIE is the default for x86_64 main executables. >
Yes ... but ... In ELF, recent (4 or more years ago) changes for PIE executable have made certain voo-doo rearrangements of loader sections so that hardware enforced PROT_READ memory mappings can prevent some very subtle buffer overrun exploits across executable sections. I haven't a clue whether mach-o != elf has any benefit from PIE executables though. Meanwhile sandboxing -- the latest Newer! Better! Bestest! BUZZ! BUZZ! BUZZ! -- is usually a different and more complex implementation. PIE per-se provides no isolation whatsoever, merely stirs the bit soup so that additional data becomes read-only. > I don't know if it helps… > > 73 from Vince (was f5rcs) ;-) 73 de Jeff
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ macports-dev mailing list [email protected] http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
