
PAX Question with v2.6 Kernel

Posted: Thu Jan 26, 2006 8:52 pm
by tjh
I'm just wondering why ET_EXEC doesn't seem to be enabled on any of my binaries by default with kernel version 2.6.

Code:
Linux rowlf 2.6.14.6-grsec #8 PREEMPT Mon Jan 23 14:39:05 NZDT 2006 i686 GNU/Linux


This is what I'm seeing:
Code:
rowlf:/proc# chpax -v /bin/bash

----[ chpax 0.7 : Current flags for /bin/bash (PeMRxS) ]----

 * Paging based PAGE_EXEC       : enabled (overridden)
 * Trampolines                  : not emulated
 * mprotect()                   : restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : enabled


It seems that ET_EXEC is disabled on my two v2.6 kernels. I can easily turn this option on with chpax, but I'm wondering if it's disabled by default under v2.6?

Here's the relevant PAX Config:
Code:
#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
# CONFIG_PAX_PT_PAX_FLAGS is not set
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y


Thanks,
Tim

Posted: Thu Jan 26, 2006 9:55 pm
by spender
RANDEXEC has been removed from grsecurity for several releases now since it was originally written as a POC, was incompatible with certain applications, and made PaX more complex, increasing the time it took for the PaX team to port to newer versions of Linux. If you are able to, you should use PIE binaries.

-Brad
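
A way to audit which binaries are still fixed-base ET_EXEC images and which are already PIE, as an added example that is not part of the original thread or of grsecurity/PaX. The function names, the result strings and the sample headers are constructed for illustration, and the PT_INTERP test is a heuristic.

```python
import struct
import sys

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data: bytes) -> str:
    """Say whether an ELF image has a fixed base (ET_EXEC) or is relocatable (ET_DYN)."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = {1: False, 2: True}.get(data[4])   # EI_CLASS: ELFCLASS32 / ELFCLASS64
    endian = {1: "<", 2: ">"}.get(data[5])    # EI_DATA: little / big endian
    if is64 is None or endian is None:
        raise ValueError("unknown EI_CLASS or EI_DATA")
    # e_type .. e_phnum; only e_entry, e_phoff and e_shoff change width with the class
    fmt = endian + ("HHIQQQIHHH" if is64 else "HHIIIIIHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(fmt, data, 16)
    if e_type == ET_EXEC:
        return "ET_EXEC: fixed load address"
    if e_type != ET_DYN:
        return "other e_type %d" % e_type
    # Heuristic: an ET_DYN image that requests a program interpreter is a PIE
    # program; one without PT_INTERP is normally a shared library.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(endian + "I", data, off)[0] == PT_INTERP:
            return "ET_DYN: PIE, relocatable"
    return "ET_DYN: shared object"

def sample_elf32(e_type: int, interp: bool) -> bytes:
    """Constructed input: minimal little-endian ELF32 header plus one program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_INTERP if interp else 1, 0, 0, 0, 0, 0, 0, 0)
    return ident + ehdr + phdr

if __name__ == "__main__":
    for path in sys.argv[1:]:           # e.g. /bin/bash
        with open(path, "rb") as fh:
            print(path, "->", classify_elf(fh.read()))
    if len(sys.argv) == 1:              # no arguments: run on the constructed samples
        for t, interp in ((ET_EXEC, True), (ET_DYN, True), (ET_DYN, False)):
            print(classify_elf(sample_elf32(t, interp)))
```

Binaries reported as ET_EXEC are the ones that need rebuilding as PIE before their main image can be loaded at a varying address.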

Posted: Thu Jan 26, 2006 10:42 pm
by tjh
Thanks for the prompt reply Brad.