
A Few Things

Posted: Sun Jul 15, 2012 5:50 am
by GBit
I'm running Ubuntu 12.04 (just switched last week) and I've compiled my kernel with grsecurity and pax. It's the 3.4.4 kernel.

Checksec returns:
http://pastebin.com/PNtk4Qhx

paxtestie86 returns:
http://pastebin.com/P4LFK01D

And this is my config for the relevant areas:
http://pastebin.com/KQRzpzNB

I've got PAX ASLR=y and all of those options checked. Checksec.sh says it's not enabled and neither is heap randomization. The entropy seems really low (64bit system btw) and areas are disabled that I've enabled in my config.

Is this just Ubuntu's weak userspace? Is there any way around this?

Thanks.

EDIT:

I'm recompiling and looking for errors. Found this:
CC kernel/module.o
make[2]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
make[2]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)

Re: A Few Things

Posted: Sun Jul 15, 2012 5:22 pm
by PaX Team
since you have CONFIG_PAX_HAVE_ACL_FLAGS=y only, did you create an RBAC policy for all your userland or at least the paxtest binaries?

Re: A Few Things

Posted: Mon Jul 16, 2012 12:53 pm
by GBit
Nope, I did neither of those things. I hadn't realized that it had been set to Y either.

Shouldn't it be set to none?

Re: A Few Things

Posted: Mon Jul 16, 2012 2:03 pm
by PaX Team
GBit wrote: Shouldn't it be set to none?
it should be set to whatever control method you want to use on your system ;). in case you don't want to work with RBAC policies initially, you should probably set at least one of the other control methods (and do read the config help).
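
A check for the situation discussed above, as an added example that is not part of the original thread or the PaX project's own tooling: it reads a kernel .config and reports whether any per-binary PaX marking method is enabled or only the RBAC (ACL) integration. Apart from CONFIG_PAX_HAVE_ACL_FLAGS, the option names are taken from the PaX Kconfig as an assumption, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: classify the PaX flag control methods in a kernel .config.
# Only CONFIG_PAX_HAVE_ACL_FLAGS appears in the thread; the other option
# names are assumed from the PaX Kconfig of that era.

pax_enabled() {            # $1 = config file, $2 = option; true if "=y"
    grep -q "^$2=y\$" "$1"
}

pax_control_methods() {    # prints the enabled per-binary marking methods
    cfg=$1; out=""
    for opt in CONFIG_PAX_EI_PAX CONFIG_PAX_PT_PAX_FLAGS \
               CONFIG_PAX_XATTR_PAX_FLAGS; do
        if pax_enabled "$cfg" "$opt"; then out="$out${out:+ }$opt"; fi
    done
    printf '%s\n' "$out"
}

pax_verdict() {            # prints: marking | mac-only | none
    cfg=$1
    if [ -n "$(pax_control_methods "$cfg")" ]; then
        echo "marking"     # binaries can carry their own PaX flags
    elif pax_enabled "$cfg" CONFIG_PAX_HAVE_ACL_FLAGS ||
         pax_enabled "$cfg" CONFIG_PAX_HOOK_ACL_FLAGS; then
        echo "mac-only"    # flags come only from an RBAC policy
    else
        echo "none"        # no control method selected at all
    fi
}

sample_config() {          # constructed sample matching the poster's setup
    cat <<'EOF'
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
EOF
}

# Classify the file given as $1, or the constructed sample if none is given.
tmp=$(mktemp)
sample_config > "$tmp"
pax_verdict "${1:-$tmp}"
rm -f "$tmp"
```

A result of mac-only is the case raised in the reply above: without an RBAC policy covering the binaries, there is no other control method to fall back on.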

Re: A Few Things

Posted: Mon Jul 16, 2012 2:40 pm
by GBit
Oh, I've read it haha just clearly not well enough.

Thank you, I will read further into this. I'd assumed that if I had pax soft mode disabled that the system would use PaX. I didn't think I had to use PaXCTL or anything.

Re: A Few Things

Posted: Mon Jul 16, 2012 6:05 pm
by PaX Team
GBit wrote: I'd assumed that if I had pax soft mode disabled that the system would use PaX. I didn't think I had to use PaXCTL or anything.
actually due to a recent change the intention was to allow this marking-less setup to work in the enable-all-by-default mode but it seems i somehow screwed it up, will be fixed in the next patch and your config should produce the expected results then (the point about enabling/using RBAC still stands though).

Re: A Few Things

Posted: Mon Jul 16, 2012 8:35 pm
by GBit
Thanks very much.