splinter linux

Submitted by biscuitman
on April 7, 2004 - 8:59pm

After reading and rereading the papers on pax.grsecurity.net, I'm going to put PaX back. I'm going to use OpenPaX too. It seems that PaX is needed for complete security. It complements SELinux very nicely, actually. The only problem is noexec and ObjC and GNUstep. It is not friendly to noexec. I wonder if somebody is working on fixing it. It can wait until I can run enforcing mode.

SELinux is working nicely. I have ported BusyBox to the new API. Just a quick and dirty hack. ps lists security contexts by default when SELinux is enabled. I can run shell scripts in the proper contexts too. I need to add proper error handling, though. Still not finished with the ramfs xattr stuff. When that's finished I can start customizing the policy so I can go to enforcing mode.

I'm not sure if I want to port the SSP patches to the GCC version I'm using. Everybody else seems to be working on that first. It's a trade-off for me. I think I will rely on an audit to catch overflows.

Hint on selinux

Jan-Simon Möller (not verified)
on October 11, 2005 - 6:28am

Would you please give me some "howto-like" hints on how to set up BusyBox with SELinux (especially the booting / ramfs / xattr)?
I'm stuck in the bootup of my BusyBox ...

Thanks a lot!

Jan-Simon
