What are Best settings to make LLVM work for mesa/Gallium 3D

PostPosted: Tue Mar 01, 2011 11:09 am
by konst
What are the best settings to get LLVM to work? It's needed for mesa with Gallium 3D.
LLVM does JIT compilation code for the video card to accelerate OpenGL.
I'm using the latest kernel.

Re: What are Best settings to make LLVM work for mesa/Galliu

PostPosted: Tue Mar 01, 2011 4:46 pm
by specs
Do you want "the best settings" from security perspective?
You could consider not using any program using a JIT.

Using a JIT will require disabling mprotect making your security settings suboptimal.
Code:
paxctl -cm /usr/bin/<whatever>

Re: What are Best settings to make LLVM work for mesa/Galliu

PostPosted: Wed Mar 02, 2011 2:44 am
by konst
specs wrote:Do you want "the best settings" from security perspective?
You could consider not using any program using a JIT.

Using a JIT will require disabling mprotect making your security settings suboptimal.
Code:
paxctl -cm /usr/bin/<whatever>


Not using LLVM (which does JIT) is not an option since it's used for 3D acceleration now.
What I'm asking is what's the next best option?

Is the only option to -MPROTECT on every executable that uses LLVM?

Re: What are Best settings to make LLVM work for mesa/Galliu

PostPosted: Wed Mar 02, 2011 12:42 pm
by specs
konst wrote:Not using LLVM (which does JIT) is not an option since it's used for 3D acceleration now.
What I'm asking is what's the next best option?

It's your choice to decide what's your best option.
konst wrote:Is the only option to -MPROTECT on every executable that uses LLVM?

Just try every program you can think of and watch your dmesg.
If you have an error and a program does not start, you can use paxctl to get the program working again.

You should not remove all security settings a priori.
If I'm correct X will be one of the few programs affected.

Re: What are Best settings to make LLVM work for mesa/Galliu

PostPosted: Wed Mar 02, 2011 1:01 pm
by PaX Team
konst wrote:Is the only option to -MPROTECT on every executable that uses LLVM?
yes. you either allow runtime code generation or you don't, it's a binary decision.

Re: What are Best settings to make LLVM work for mesa/Galliu

PostPosted: Wed Mar 02, 2011 4:35 pm
by konst
PaX Team wrote:
konst wrote:Is the only option to -MPROTECT on every executable that uses LLVM?
yes. you either allow runtime code generation or you don't, it's a binary decision.


I thought there might have been a way to only allow it on just the part that LLVM uses like a library file or something. That way I only need to trust that library and don't have to enable it on every program thereby making the trusted computing base (TCB) smaller.

I don't suppose PAX works that way does it? For example where you have a chain of a program and libraries but only the one library that actually does the JIT is the one that needs -MPROTECT and all the others can have full protection?

Also would using the compatibility mode of RWX be better? I'm assuming not all the programs that ask for RWX actually need X so they won't automatically get denied and crash. Is that the only difference between the compatibility mode of RWX and the new mode?

P.S. On second thought maybe PAX can't do that cause the program and libraries would be/are in the same address space?

Re: What are Best settings to make LLVM work for mesa/Galliu

PostPosted: Wed Mar 02, 2011 8:16 pm
by PaX Team
konst wrote:P.S. On second thought maybe PAX can't do that cause the program and libraries would be/are in the same address space?
exactly, /proc/pid/maps is your friend ;).
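The hint above is about checking which process actually holds a writable-and-executable mapping: since a program and its libraries share one address space, the exception has to be granted per executable, so auditing /proc/<pid>/maps lets you keep the list of paxctl exceptions to the processes that really create such mappings. The script below is an added example for this thread, not code from the PaX project or the posters; the maps text it parses is a constructed sample, and the library path and addresses in it are made up.

```shell
#!/bin/sh
# Constructed sample of /proc/<pid>/maps output (not captured from a real
# process). Field 2 is the permission string; an anonymous "rwxp" region with
# no backing file is the kind of mapping a JIT allocates for generated code and
# the kind that PaX MPROTECT refuses.
SAMPLE_MAPS='00400000-004b0000 r-xp 00000000 08:01 1234 /usr/bin/example
006b0000-006b1000 rw-p 000b0000 08:01 1234 /usr/bin/example
7f2a10000000-7f2a10021000 rwxp 00000000 00:00 0
7f2a20000000-7f2a201c0000 r-xp 00000000 08:01 5678 /usr/lib/libexample-jit.so
7f2a201c0000-7f2a201d0000 rw-p 001c0000 08:01 5678 /usr/lib/libexample-jit.so
7f2a30000000-7f2a30001000 rwxp 00000000 00:00 0'

# rwx_mappings: read maps-format text from stdin and print every mapping whose
# permission field starts with "rwx" (writable and executable at once).
rwx_mappings() {
    awk '$2 ~ /^rwx/ { print }'
}

# count_rwx: number of writable+executable mappings in maps text from stdin.
count_rwx() {
    rwx_mappings | wc -l | tr -d ' '
}

# rwx_for_pid: inspect a live process by pid; needs permission to read
# /proc/<pid>/maps, which for other users' processes normally means root.
rwx_for_pid() {
    rwx_mappings < "/proc/$1/maps"
}

# Stand-alone run: show the RWX regions in the constructed sample.
printf '%s\n' "$SAMPLE_MAPS" | rwx_mappings
```

Run it against a real process with `rwx_for_pid "$(pidof X)"` (or any other pid); a process that shows no rwx mappings does not need its MPROTECT flag cleared, and one that does is the executable to pass to `paxctl -m`, since the mapping is attributed to the process as a whole rather than to the library that requested it.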

Re: What are Best settings to make LLVM work for mesa/Galliu

PostPosted: Fri Mar 04, 2011 3:11 am
by specs
konst wrote:Also would using the compatibility mode of RWX be better? I'm assuming not all the programs that ask for RWX actually need X so they won't automatically get denied and crash. Is that the only difference between the compatibility mode of RWX and the new mode?


Optimally the RWX compat option should be avoided if possible.
It is only useful if you can't use your system without programs/libraries with the problem.
The RWX-problem is a problem that should be fixed upstream.

The complete story (written before the RWX compatibility mode was introduced):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611195