grsecurity forums

The PaX Team and I are discussing making PAX_NOELFRELOCS a default-on feature of PAX_MPROTECT in combination with the new PAX_MPROTECT behavior that denies RWX mappings instead of silently demoting them to RW (so that apps like clamav can know that RWX mappings aren't allowed and implement a fallback mechanism, instead of requiring a chpax -m). We'll then combine the old PAX_MPROTECT behavior and perhaps !PAX_NOELFRELOCS and turn this into a PAX_COMPAT option, disabled by default.

So I'd like to do a little survey of those who are currently using PAX_NOELFRELOCS or have attempted to use it. If you're currently using it, could you report the distro and version it's worked for? If you've tried it and found some application incompatibilities, can you report the distro, version, and application? If there exist any current incompatibilities we can work together to resolve these upstream. If you want, you can also submit your responses to me privately at spender@grsecurity.net.

I'll start: Debian Lenny running X and sshd all works fine with PAX_NOELFRELOCS enabled.

-Brad

In developing Tin Hat, which is really just Hardened Gentoo plus some extra crypto on a Gnome Desktop, I have always selected PAX_NOELFRELOCS. I have never had problems. Here's a list of the packages included on amd64 and i686 systems:

http://opensource.dyc.edu/sites/default ... .amd64.txt

http://opensource.dyc.edu/sites/default ... a.i686.txt

Gentoo Linux x86_64

postgres
lighttpd
asterisk
dovecot
postfix
munin
openldap
puppet (testing, dunno if it can run bash code right now)

All of these work fine
Here are my use flags
caps acpi mmx sse sse2 sse3 sse4 alsa gnutls ncurses bashlogger lvm network parted pam tcpd sni ssl bash-completion clamav crypt cracklib ipv6 syslog php xml posix zip unicode gd truetype spell calendar curl curlwrappers hash hashlib imap ldap ldap-sasl mhash snmp soap threads xmlreader xmlrpc xpm fastcgi cgi sasl svg symlink vim-syntax uuid postgres postfix encode faac faad mp3 vorbis ogg aac wma flac lame xvid dbi -ssmtp -cups -X -mesa -opengl -xscreensaver -xv

I tried using PAX_NOELFRELOCS long ago on Debian unstable, but I ran into weird quirks (some vlc modules not working, sshd breaking on upgrade...) so I gave up on it.

I'm using it on hardened Gentoo X86/X86_64 and have never seen a problem I could attribute to this feature being enabled.

edit: Sorry, this statement is capable of being misunderstood: CONFIG_PAX_EMUTRAMP is not set and CONFIG_PAX_NOELFRELOCS is enabled in kernel config. So emulation of trampolin code is disabled while elf relocations are forbidden, and I never saw a problem I could relate to these conditions, for both ~x86 and ~amd64.

it's worrying that most replies here are for Gentoo, where this kind of support is easy to arrange. It would be really nice to hear if there are debian/redhat/centos/ubuntu etc. users that run NOELFRELOCS as well. I can try it on one ubuntu host but that is hardly conclusive. Defaulting this feature can break lots of things for people that do not spend days to compile their operating system and it's binaries. =)

When this discussion started I looked what my settings were.
I started disabling the ELFRELOCS somewhere during the old 2.6.32-patches (desktop, Debian i386, unstable).
I never saw problems from that configuration change.

On another pc NOELFRELOCS have been enabled for more than a year (Debian i386, stable).

However when I look at it I think the security settings in Debian are not nearly as complete as the settings in Gentoo (relro and such).

I am, potentially, going insane here:

micro:/tmp# grep -i PAX_NOELFRELOC grsecurity-2.2.0-2.6.35.6-201009262116.patch

Returns nothing. The option doesn't exist.

Are we talking about having PAX_ELFRELOC unselected?

If so, I have it unselected on a Debian5 system with no ill effects, but I don't run X on this machine, it's a server only.

Or am I missing something?

The survey isn't needed anymore. We inverted the NOELFRELOCS logic so everyone has it by default. Judging from the lack of angry posts, it seems to have been the right decision

-Brad

There were so many things written in this topic that I don't understand anything apart from first post. I've just built 2.6.36-grsec and I would like to know if NVIDIA driver and kdeinit will work with MPROTECT enabled or will not work because I'm not stupid village idiot to still run new kernels, build new NVIDIA modules and then revert to 2.6.32.11-grsec. Thanks!

After turning off MPROTECT for kdeinit I managed to run KDE on 2.6.32.25-grsec but it turned out that kdeinit is not the only piece of software that needs turning off MPROTECT, another example is Polish IM called Kadu. To be honest I no longer see any reason for using GrSecurity patch.

FFmpeg libraries on Debian i386 still contain text relocations. So that sucks for multimedia.

The latest patches have a compat mode for MPROTECT.

-Brad