I am wondering about the feasibility of running a virtual machine on a Gentoo-Hardened kernel with grsec/pax compiled into it, and one possibility for the virtualization would be to use VirtualBox. I found on this website, https://www.virtualbox.org/manual/ch12.html#idp15732128, where it states: "Linux kernels including the grsec patch (see http://www.grsecurity.net/) and derivates have to disable PAX_MPROTECT for the VBox binaries to be able to start a VM. The reason is that VBox has to create executable code on anonymous memory." Additionally, when I run "paxtest blackhat", I see these results concerning mprotect:
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
It is not clear to me whether all of these protected points affect VirtualBox or whether I could even turn off part of them only, while leaving unaffected parts alone. Also, if I wanted to consider turning off the affected part by mprotect, would it entail recompiling the kernel or could it be toggled with a command line switch of some sort?
Finally, I would like to know whether anyone here has been able to run a virtual machine without having to turn off mprotect, possibly using a different means from VirtualBox? Any feedback would be welcome.
mprotect and vitual machines
2 posts
• Page 1 of 1
mprotect and vitual machines
by dunker » Sat Aug 31, 2013 11:52 pm
- dunker
- Posts: 14
- Joined: Sun Jul 07, 2013 3:45 pm
Re: mprotect and vitual machines
by GBit » Mon Sep 02, 2013 7:48 pm
You either get all of the mprotect restrictions or none as far as I know.
Download paxctl and run:
paxctl -c /path/to/virtualbox
paxctl -m /path/to/virtualbox
Download paxctl and run:
paxctl -c /path/to/virtualbox
paxctl -m /path/to/virtualbox
- GBit
- Posts: 81
- Joined: Mon Jun 04, 2012 3:31 pm
2 posts
• Page 1 of 1