hardenedlinux / Debian-GNU-Linux-Profiles

Debian GNU/Linux based Services Profiles

[Question] grsec / paxctld #34

Open r3dlight opened 6 years ago

r3dlight commented 6 years ago

Hi all,

I'm probably missing something here, but why don't you use paxctld? https://packages.debian.org/stretch/admin/paxctld

CONFIG_PAX_XATTR_PAX_FLAGS=y

# CONFIG_PAX_PT_PAX_FLAGS is not set

No more PT_GNU_STACK overwriting; it reads flags from /etc/paxctld.conf and uses xattr... in case you might want to update your binaries.

Cheers

citypw commented 6 years ago

Hi, we've been using pax-bites on Debian and Linux Mint for a few years, since we figured that XATTR is the stuff we need:

https://github.com/hardenedlinux/hardenedlinux_profiles/tree/master/debian

paxctld is an option indeed.
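
An added example, not code from this thread, from paxctld or from pax-bites: a small audit that compares the PaX flags a configuration file asks for with the user.pax.flags xattr actually present on each binary. The "<path> <flags>" line layout, the sample paths and the "same set of flag letters" match rule are assumptions made for this example.

```python
import os

PAX_XATTR = "user.pax.flags"   # xattr consulted when CONFIG_PAX_XATTR_PAX_FLAGS=y
VALID = set("pemrsPEMRS")      # PaX flag letters: upper case enables, lower case disables

# Constructed sample, not a shipped paxctld.conf; the paths are hypothetical.
SAMPLE_CONF = """\
# binary                 flags
/usr/bin/example-jit     m
/usr/lib/example/app     em   # trailing comment
"""

def parse_conf(text):
    """Parse '<absolute path> <flags>' lines (assumed layout); '#' starts a comment."""
    wanted = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"line {n}: expected '<path> <flags>'")
        path, flags = parts
        if not set(flags) <= VALID:
            raise ValueError(f"line {n}: unknown PaX flag in {flags!r}")
        # Reject duplicates and contradictions such as 'mM'.
        if len({c.lower() for c in flags}) != len(flags):
            raise ValueError(f"line {n}: repeated or conflicting flag in {flags!r}")
        wanted[path] = flags
    return wanted

def read_flags(path):
    """Return the xattr value as text, or None if it is missing or unreadable."""
    try:
        return os.getxattr(path, PAX_XATTR).decode("ascii", "replace")
    except OSError:
        return None

def audit(wanted, getter=read_flags):
    """Return [(path, wanted, actual)] for binaries whose xattr does not match."""
    drift = []
    for path, flags in sorted(wanted.items()):
        actual = getter(path)
        if actual is None or set(actual) != set(flags):
            drift.append((path, flags, actual))
    return drift

if __name__ == "__main__":
    for path, flags, actual in audit(parse_conf(SAMPLE_CONF)):
        print(f"{path}: want {flags!r}, found {actual!r}")
```

A binary replaced by a package upgrade loses its xattr, so a None in the third column after an update is the drift this check is meant to surface.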