Memory Protection Affecting Boot Process
Posted: Thu Nov 10, 2011 2:49 pm
Title:
Memory Protection Affecting Boot on Xen Host
Hey guys,
I'm thinking that certain Grsecurity and/or PaX kernel config options related to memory protection are affecting the boot process on Xen hosts. Below I've linked to two "Security options" config menus. The first one results in a malfunctioning boot process, but the second one works ok. This is for latest Gentoo hardened-sources on Linode, running today.
Original (malfunctions): http://pastebin.com/TBNTNiWp
New (works ok): http://pastebin.com/rh1j9xzW
I've scanned through both myself, and posted the differences below.
Grsecurity Options - diffd
From: Security Level (Hardened Gentoo [server])
To: Security Level (Custom)
From: -*- Disable privileged I/O
To: [ ] Disable privileged I/O
From: -*- Hide kernel symbols
To: [ ] Hide kernel symbols
From: [*] Log execs within chroot
To: [ ] Log execs within chroot
From: [*] Ptrace logging
To: [ ] Ptrace logging
From: [*] Chdir logging
To: [ ] Chdir logging
From: -*- (Un)Mount logging
To: [ ] (Un)Mount logging
From: -*- Time change logging
To: [ ] Time change logging
From: -*- Sysctl support && -*- Turn on features by default
To: [ ] Sysctl support
From: (6) Number of messages in a burst (maximum)
To: (4) Number of messages in a burst (maximum)
PaX Options - diffd
From: MAC system integration (none)
To: MAC system integration (direct)
From: [*] Emulate trampolines
To: [ ] Emulate trampolines
From: [*] Sanitize kernel stack
To: [ ] Sanitize kernel stack
From: -*- Prevent various kernel object reference counter overflows
To: [ ] Prevent various kernel object reference counter overflows
When I booted with the first config, this is what happened:
Could anyone guess which config option(s) would lead to this behavior?
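The poster compared the two hardened-sources configs by hand and transcribed the differences in a "From:/To:" format. The script below is an added example, not code from the original post or from the grsecurity project: it parses two kernel `.config` files (the `CONFIG_FOO=y` / `# CONFIG_FOO is not set` format that `make menuconfig` writes) and reports every symbol whose value changed, optionally restricted to a prefix such as `CONFIG_PAX_` so the PaX and grsecurity groups can be inspected separately. The two sample configs embedded in it are constructed for illustration; the symbol names used in them (`CONFIG_GRKERNSEC_IO`, `CONFIG_PAX_EMUTRAMP` and so on) are my assumption of which Kconfig symbols correspond to the menu entries the poster listed, and the script does not claim to know what the poster's pastebins actually contained. Point it at your own before/after `.config` files to get a symbol-level diff instead of a menu-level one, which is what a bisection of boot-breaking options needs.

```python
"""Diff two Linux kernel .config files and report changed CONFIG_ symbols.

Added example (not from the original post or from grsecurity). The sample
configs at the bottom are constructed; the symbol names in them are assumed
to match the menu entries in the post and should be verified against a real
.config.
"""
import re
import sys
from typing import Dict, List, Tuple

# "CONFIG_FOO=y", "CONFIG_FOO=4", 'CONFIG_FOO="some string"'
SET_RE = re.compile(r'^(CONFIG_[A-Za-z0-9_]+)=(.*)$')
# "# CONFIG_FOO is not set"  (how Kconfig records a disabled bool/tristate)
UNSET_RE = re.compile(r'^# (CONFIG_[A-Za-z0-9_]+) is not set$')


def parse_config(text: str) -> Dict[str, str]:
    """Return {symbol: value}. Explicitly unset symbols map to 'n'."""
    symbols: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2).strip()
            continue
        m = UNSET_RE.match(line)
        if m:
            symbols[m.group(1)] = 'n'
        # Anything else (blank lines, ordinary comments, section banners) is ignored.
    return symbols


def diff_configs(old: str, new: str,
                 prefix: str = 'CONFIG_') -> List[Tuple[str, str, str]]:
    """Return sorted (symbol, old_value, new_value) for symbols that differ.

    A symbol missing from one file entirely is treated as 'n' on that side:
    Kconfig simply omits a bool/tristate whose dependencies are unmet, and
    for boot-bisection purposes "absent" and "off" are the same thing.
    """
    a, b = parse_config(old), parse_config(new)
    changes = []
    for sym in sorted(set(a) | set(b)):
        if not sym.startswith(prefix):
            continue
        va, vb = a.get(sym, 'n'), b.get(sym, 'n')
        if va != vb:
            changes.append((sym, va, vb))
    return changes


def format_diff(changes: List[Tuple[str, str, str]]) -> str:
    """Render changes in the same From:/To: style the poster used."""
    lines = []
    for sym, va, vb in changes:
        lines.append(f'From: {sym}={va}')
        lines.append(f'To:   {sym}={vb}')
    return '\n'.join(lines)


# --- constructed sample input (NOT the poster's real configs) ---------------
OLD_CONFIG = """
# Constructed sample: config that fails to boot
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_FLOODBURST=6
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_REFCOUNT=y
CONFIG_NET=y
"""

NEW_CONFIG = """
# Constructed sample: config that boots
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_PAX_EMUTRAMP is not set
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_NET=y
"""


def main(argv: List[str]) -> int:
    """Usage: diffconfig.py OLD_CONFIG NEW_CONFIG [PREFIX]; no args runs the sample."""
    if len(argv) >= 3:
        old = open(argv[1], encoding='utf-8').read()
        new = open(argv[2], encoding='utf-8').read()
        prefix = argv[3] if len(argv) > 3 else 'CONFIG_'
    else:
        old, new, prefix = OLD_CONFIG, NEW_CONFIG, 'CONFIG_'
    print(format_diff(diff_configs(old, new, prefix)))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Running it with no arguments diffs the constructed samples; note that `CONFIG_PAX_REFCOUNT`, which is simply absent from the second sample, is reported as going from `y` to `n`. To bisect a boot failure, revert the reported symbols a group at a time (all `CONFIG_PAX_*` first, then all `CONFIG_GRKERNSEC_*`) and rebuild, rather than flipping the whole security level at once.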