grsecurity forums

Hi,

I have just got my new server up and working, it's an old HP Compaq DL360 G3. It has Dual Xeon's which are part of the P4 family.

Reading the PaX documetation, it states to not use PAGEEXEC on this platform because it causes a huge performance impact. So I have unticked this option in the kernel builds.

Then I read this post and now I'm wondering if I've done the right thing. Does this mean MPROTECT is now disabled?

pspax seems to indicate it's enabled still, but I'm not good enough to know if I can trust the output of that, plus the PaX Team's posting seems to indicate I should have enabled it for MPROTECT to work.

Am I right to think I can enable PAGEEXEC and it won't be used by default anyway as my system doesn't seem to support NX bit.

Thanks,

Tim

tjh wrote:Does this mean MPROTECT is now disabled?

that's easy to decide, grep MPROTECT .config

plus the PaX Team's posting seems to indicate I should have enabled it for MPROTECT to work.

uhm, i don't think i said that . what you have to have for MPROTECT is at least one NOEXEC method, either PAGEEXEC (on most archs) or SEGMEXEC (on i386).

Am I right to think I can enable PAGEEXEC and it won't be used by default anyway as my system doesn't seem to support NX bit.

it depends on whether SEGMEXEC is also enabled or not. but in general PAGEEXEC on i386 always does something, whether your CPU/kernel support the NX bit or not.

PaX Team wrote:PAGEEXEC is a config time selector for more code than mere non-exec pages, it also covers special reporting code, changing default access rights, etc, it's also a prerequisite for MPROTECT

It was reading that which caused me confusion. What you were saying though was PAGEEXEC (or SEGMEXEC) are a prereq for MPROTECT, yea?

I've done some testing on my Kernel and it seems that MPROTECT is working nicely.

Thanks for clarifying and I'm sorry, I didn't mean to appear to be putting words in your mouth. I was just a bit confused but understand now.

Cheers,
Tim