grsecurity forums

When I try to configure PAX in my kernel 2.6.11.12 I can see the following options:

Code: Select all

|       Non-executable pages  --->
|         [*] Enforce non-executable pages
|         [*]   Segmentation based non-executable pages
|         [ ] Emulate trampolines
|         [*] Restrict mprotect()
|         [ ]   Disallow ELF text relocations

However, from other screenshots I have seen I am missing an entry called "Paging based non-executable pages". Any idea why?

Carceru wrote:However, from other screenshots I have seen I am missing an entry called "Paging based non-executable pages". Any idea why?

what's your CPU type?

It's a VIA C3 Eden 600 MHz ("Processor family (CyrixIII/VIA-C3)" in the kernel configuration)

Carceru wrote:It's a VIA C3 Eden 600 MHz ("Processor family (CyrixIII/VIA-C3)" in the kernel configuration)

ok, that explains it. PAGEEXEC requires a certain TLB configuration that didn't use to hold for VIA (and others), so it's disabled in the config system. if you want to verify that PAGEEXEC does work on your CPU, then modify the PAGEEXEC 'depends' line in security/Kconfig and then enable PAGEEXEC (but not SEGMEXEC) and see if your system still works (if the TLB is not good enough you'll notice it right on boot as init will most likely hang). in the meantime i looked at some docs and it seems that at least in theory your CPU and a few later models from VIA/Centaur should support PAGEEXEC, so if anyone out there with such chips can check them, i'd appreciate feedback.

Okay thanks. When grsecurity for 2.6.12.2 is released I will try to recompile with PAGEEXEC and see if it works.