grsecurity forums

Hello.

As already stated in this forum, patching a 2.6.13-4 kernel on a sparc64 - debian sarge with grsecurity-2.1.7-2.6.13.4-200510192227.patch with the Restrict mprotect() and automatically emulate ELF PLT (NEW) options set to on make the system go really slow. If I remove Restrict mprotect() everything works fine again.

For the PT_GNU_STACK "problem", chpaxing the apps works fine but execstacking -c the affected libraries is useless (tried on many different libraries).

cocobello wrote:As already stated in this forum, patching a 2.6.13-4 kernel on a sparc64 - debian sarge with grsecurity-2.1.7-2.6.13.4-200510192227.patch with the Restrict mprotect() and automatically emulate ELF PLT (NEW) options set to on make the system go really slow. If I remove Restrict mprotect() everything works fine again.

it doesn't depend on the kernel version but PaX only , and there's only so much we can do about it. there is recent development on the GNU toolchain to fix this in userland however, google for -msecure-plt, it already exists for alpha and powerpc. i don't know if there're plans for other archs as well, but you can ask the developers.

For the PT_GNU_STACK "problem", chpaxing the apps works fine but execstacking -c the affected libraries is useless (tried on many different libraries).

execstack is effective only if all libraries that an app uses (and the app itself) are properly marked, if only one of them is missing the mark then ld.so will want to make the stack executable.