grsecurity forums

Skip to content

PAGEEXEC breaks init on centos5 4GB dual core (32bit)

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

PAGEEXEC breaks init on centos5 4GB dual core (32bit)

Postby centosuser » Sun Apr 15, 2007 9:30 am

First off, thanks a lot for PaX+grsecurity! I fully expected that the new selinux support in centos5 would meet my security needs, but I soon found that PaX and grsec are still very much must-haves for any machines with local users who are trusted to varying degrees. Thank you very much!

I've managed to get grsec working on my centos 5 box by building a 2.6.19.7-grsec kernel based off of the stock centos 5 config and the grsec-2.1.10-2.6.19.2 release, with a couple of tweaks (PCI_GODIRECT, and DEBUG_RODATA mentioned in previous posts). SEGMEXEC support works fine on the system.

However, if I try to take advantage of the NX bit of my dual core cpu by turning on PAGEEXEC, I get a silent hang during boot. No log messages, but it appears to happen right around when init would normally start. The kernel is still responsive, and control-alt-delete reboots the box, but otherwise the boot is hung. For some reason setting init=/bin/bash doesn't seem to help this either.

The major details I presume are relevant is that I have 4GB of physical ram, and of course am on a 32bit SMP system (2 cores). My kernel config is at: http://pastebin.ca/441034
centosuser
 
Posts: 1
Joined: Sun Apr 15, 2007 8:33 am
Top

Postby slimm609 » Thu Apr 19, 2007 3:43 pm

I would try changing the high mem support to 64GB cause you are right on the limit of the 4 so its just safe to configure 64GB ram support.
slimm609
 
Posts: 12
Joined: Sun Apr 01, 2007 6:36 am
Top

Re: PAGEEXEC breaks init on centos5 4GB dual core (32bit)

Postby PaX Team » Fri Apr 20, 2007 8:40 am

centosuser wrote:First off, thanks a lot for PaX+grsecurity! I fully expected that the new selinux support in centos5 would meet my security needs, but I soon found that PaX and grsec are still very much must-haves for any machines with local users who are trusted to varying degrees. Thank you very much!
not to pour cold water on your hopes, but preventing untrusted users from owning your box is an unsolved problem in general. PaX/grsec do better than other solutions but we're still far from guarantees.
However, if I try to take advantage of the NX bit of my dual core cpu by turning on PAGEEXEC, I get a silent hang during boot.
note that PAGEEXEC does *not* (yet) use the NX bit under a 32 bit (i386) kernel, only under 64 bit (not to mention that NX exists only when you configure your kernel with PAE, that is, HIGHMEM64). this in turn means you're using the supervisor bit method which has a bad behaviour under the P4 core, although on 2.6 it should behave better due to some optimization i made there. one thing you could try is to turn off HIGHPTE, it may have a bad interaction with this old PAGEEXEC logic.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group