grsecurity forums

I am build my kernel with Grsec, and open the softmode option,
when I boot this kernel I added "pax_softmode=1"

after system up, I found there are only 2 file in /proc/sys/kernel/pax:
aslr
softmode

I think "aslr" is abbreviation of "Address Space Layout Randomization"

but I want to control "Non-executable pages" options, there are no this in /proc/sys/kernel/pax

How to do?

thank you

Skywind wrote:but I want to control "Non-executable pages" options, there are no this in /proc/sys/kernel/pax

what do you want to control there exactly and why is softmode itself not good enough?

Sorry for my brusque

I want to disable these options temporary:

1.Paging based non-executable pages
2.Segmentation based non-executable pages
3.Restrict mprotect()

I known chpax could changs these on per file, but for some reasons I want to disable these on whole system temporary.

Thank you for your reply

Skywind wrote:I known chpax could changs these on per file, but for some reasons I want to disable these on whole system temporary.

well, that's what softmode does for all apps that have the PT_PAX_FLAGS program header or don't have any of these features explicitly enabled on them (which is the state that the PaX binutils patch creates by default). now doing this for the old EI_PAX marking is certainly feasible but as i'd like to get rid of EI_PAX, i'd rather not do this in my tree. in any case, feel free to hack yours, something like this:

Code: Select all

--- fs/binfmt_elf.c     2005-01-07 16:05:07.000000000 +0100
+++ fs/binfmt_elf.c.hacked      2005-01-21 05:14:47.000000000 +0100
@@ -587,6 +587,11 @@
 #endif

 #ifdef CONFIG_PAX_EI_PAX
+
+#ifdef CONFIG_PAX_SOFTMODE
+       if (!pax_softmode)
+#endif
+
        pax_flags = pax_parse_ei_pax(elf_ex);
 #endif