Clamav bytecode feature isn't compatible with PaX

Postby Dwokfur » Thu Jul 22, 2010 7:52 am

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092
http://bugs.gentoo.org/show_bug.cgi?id=326199

https://wwws.clamav.net/bugzilla/show_b ... d=2092#c39
It raises two questions:
1. What is the neat way of detecting PaX running on a system?
2. Edwin Török says PaX allows RWX mapping and kills the program after that.

I wonder if PaXTeam could comment on these...

Regards:
Dw.
Dwokfur
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Re: Clamav bytecode feature isn't compatible with PaX

Postby spender » Thu Jul 22, 2010 8:12 am

The latest version of the grsecurity patches will deny an RWX mapping instead of demoting it to RW. This should allow clamav to fall back to interpreter mode as it currently does with SELinux when execmem is revoked, without needing any special PaX detection.

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Clamav bytecode feature isn't compatible with PaX

Postby spender » Thu Jul 22, 2010 8:15 am

So then the choice for the user becomes:
Do I want JIT? chpax -m if so
Am I OK with the performance of interpreter mode? leave binary as-is

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Clamav bytecode feature isn't compatible with PaX

Postby edwin » Thu Jul 22, 2010 8:35 am

spender wrote:The latest version of the grsecurity patches will deny an RWX mapping instead of demoting it to RW. This should allow clamav to fall back to interpreter mode as it currently does with SELinux when execmem is revoked, without needing any special PaX detection.

-Brad


What can be done for older versions of grsecurity? There are quite a few users complaining that ClamAV crashes under PaX.

Is there a way to detect whether PaX is running, and whether it would deny execmem or demote an RWX mapping?
edwin
Posts: 2
Joined: Thu Jul 22, 2010 8:24 am

Re: Clamav bytecode feature isn't compatible with PaX

Postby spender » Thu Jul 22, 2010 9:06 am

In /proc/self/status there's a line beginning with "PaX:" that could be used to check for the existence of PaX and what options are enabled on the particular binary.

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Clamav bytecode feature isn't compatible with PaX

Postby edwin » Thu Jul 22, 2010 3:43 pm

Thanks, I wrote a patch that detects PaX and falls back to the interpreter if MPROTECT is enabled:
https://wwws.clamav.net/bugzilla/attachment.cgi?id=1391
edwin
Posts: 2
Joined: Thu Jul 22, 2010 8:24 am
