Bug#605090: linux-grsec testing

2015-12-19 Thread bancfc
Hi. After testing the kernel X doesn't boot because restrict mprotect is 
enabled. Are there plans to integrate a PaX exception list so mprotect 
can be enabled system wide while common software can still work?




Bug#605090: linux-grsec testing

2015-12-20 Thread Yves-Alexis Perez
On dim., 2015-12-20 at 00:32 +, ban...@openmailbox.org wrote:
> Hi. After testing the kernel X doesn't boot because restrict mprotect is 
> enabled.


Hi,

it's most likely because you're using nvidia/nouveau or amd/radeon graphic
card, and the userland driver uses LLVMpipe which in turn uses JIT code. I
don't have the issue with my intel graphic card.

>  Are there plans to integrate a PaX exception list so mprotect 
> can be enabled system wide while common software can still work?

I don't have any, I'm mostly interested in the kernel part right now. Also the
exceptions are really system-specific, and you don't want them if you don't
really need them.

Regards,
-- 
Yves-Alexis



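The failure described above (LLVMpipe's JIT versus PaX MPROTECT) can be checked directly on a given kernel. The probe below is an added example, not code from this bug thread, the linux-grsec package or paxd; it performs the two mappings a JIT needs and reports whether the running kernel refuses them for this (unexcepted) binary.

```c
/* Probe whether PaX MPROTECT restricts this process. Added diagnostic, not
 * code from the bug thread or the linux-grsec package. It tries the two things
 * a JIT such as LLVMpipe's needs: (1) an RW page written then flipped to RX,
 * (2) a page mapped writable and executable at once. Under MPROTECT both fail
 * with EPERM unless the binary carries an exception (what a paxd.conf entry
 * grants); SELinux execmem denials (EACCES) are reported the same way. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return value: bit0 = RW->RX transition allowed, bit1 = RWX mapping allowed.
 * 0 means a fully MPROTECT-restricted process, 3 means no restriction,
 * -1 means the probe itself failed for an unrelated reason. */
int probe_jit_restrictions(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    int result = 0;

    /* Step 1: the classic JIT pattern, RW page sealed to RX after emission. */
    void *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0, pagesz);                 /* touch the page as a JIT would */
    if (mprotect(p, pagesz, PROT_READ | PROT_EXEC) == 0)
        result |= 1;
    else if (errno != EPERM && errno != EACCES) {
        munmap(p, pagesz);
        return -1;
    }
    munmap(p, pagesz);

    /* Step 2: a page that is writable and executable at the same time. */
    void *q = mmap(NULL, pagesz, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (q != MAP_FAILED) {
        result |= 2;
        munmap(q, pagesz);
    } else if (errno != EPERM && errno != EACCES)
        return -1;
    return result;
}

int main(void) {
    int r = probe_jit_restrictions();
    if (r < 0) { perror("probe"); return 1; }
    printf("RW->RX via mprotect: %s\n", (r & 1) ? "allowed" : "denied");
    printf("RWX anonymous map:   %s\n", (r & 2) ? "allowed" : "denied");
    return 0;
}
```

On a stock Debian kernel both lines print "allowed"; on the linux-grsec kernel they print "denied" for any binary that has not been given an MPROTECT exception, which is the condition that stops LLVMpipe and QXL-backed X from starting.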


Bug#605090: linux-grsec testing

2015-12-20 Thread Yves-Alexis Perez
On dim., 2015-12-20 at 19:28 +, ban...@openmailbox.org wrote:
> Agreed but there are many major software packages especially on the 
> desktop that need exceptions to work for example Iceweasel and by 
> extension Tor Browser.

Sure. I'm just not interested in maintaining that list myself.
> 
> For these you can just use paxd.conf that's maintained by Arch but the 
> list will need some tweaking for binary paths and package name 
> differences between them and Debian. Please see:
> 
> https://wiki.archlinux.org/index.php/PaX#User_exceptions
> https://github.com/thestinger/paxd/blob/master/paxd.conf

If you're volunteering to package paxd for Debian, feel free :)

Regards,
-- 
Yves-Alexis





Bug#605090: linux-grsec testing

2015-12-20 Thread bancfc

On 2015-12-20 09:51, Yves-Alexis Perez wrote:
> On dim., 2015-12-20 at 00:32 +, ban...@openmailbox.org wrote:
>> Hi. After testing the kernel X doesn't boot because restrict mprotect is
>> enabled.
>
> Hi,
>
> it's most likely because you're using nvidia/nouveau or amd/radeon graphic
> card, and the userland driver uses LLVMpipe which in turn uses JIT code. I
> don't have the issue with my intel graphic card.

I see. In a KVM guest there is a similar conflict situation with the QXL
driver too.

>> Are there plans to integrate a PaX exception list so mprotect
>> can be enabled system wide while common software can still work?
>
> I don't have any, I'm mostly interested in the kernel part right now.
> Also the exceptions are really system-specific, and you don't want them
> if you don't really need them.

Agreed but there are many major software packages especially on the
desktop that need exceptions to work for example Iceweasel and by
extension Tor Browser.

For these you can just use paxd.conf that's maintained by Arch but the
list will need some tweaking for binary paths and package name
differences between them and Debian. Please see:

https://wiki.archlinux.org/index.php/PaX#User_exceptions
https://github.com/thestinger/paxd/blob/master/paxd.conf

Great work. I look forward to testing more releases in the future.

Regards,