grsecurity forums

My setup is as follows:

XEN 4.3.0 64-bit Dom0 with Linux kernel 3.2.48-grsec #2 SMP Thu Jul 18 02:29:18 EEST 2013 x86_64 GNU/Linux (32-bit emulation enabled CONFIG_IA32_EMULATION=y)

XEN guest is Debian 7.0 32-bit and uses Linux kernel 2.6.32.61 with grsec

When I attempt to boot the guest with kernel that has PaX features enabled (specifically CONFIG_PAX_RANDMMAP), I will get the following kernel panic:

Failed to execute /sbin/init. - Kernel panic - not syncing: No init found. Try passing init= option to kernel.

I was able to reproduce the issue to PaX CONFIG_PAX_RANDMMAP. When I disable all PaX features from guest kernel, the kernel boots normally. /sbin/init happen to be dynamically linked executable and I guess that's the issue. Anyway is there a way to fix this so I could use PaX features for my 32-bit guest using a custom grsec kernel?

can you send me your kernel configs (host/guest) please?

PaX Team wrote:can you send me your kernel configs (host/guest) please?

I forgot to mention that Dom0 is running the kernel for the guest. ie. kernel="/home/servers/xen/kernels/vmlinuz-2.6.32.61-INTEL-SMP-grsec"

Dom0: Linux nix 3.2.48-grsec #2 SMP Thu Jul 18 02:29:18 EEST 2013 x86_64 GNU/Linux
Config: http://myproxylists.com/config_3.2.48-grsec

Guest: Linux gameframe.net 2.6.32.61-grsec #14 SMP Fri Jul 26 01:46:42 EEST 2013 x86_64 GNU/Linux
Config: http://myproxylists.com/config_2.6.32.61-grsec

I was able to overcome this issue by running a VM in HVM mode. However using the latest grsec on XEN PV guest, the issue described above still exists when running the kernel with grsec outside of the guest. So to debug this you're going to need root access to XEN 4.3.1 Dom0 and PV guest with a custom kernel that is run outside of the guest. I know this may sound too complicated to debug but I just wanted to let you guys know.

XEN PV config

builder="generic"
vcpus=4
memory=4096
name="127.0.0.1"

kernel="/home/servers/xen/kernels/vmlinuz-2.6.32.61-INTEL-SMP-grsec"

#ramdisk=""
extra="root=/dev/xvda1 xencons=tty1 earlyprintk=xen"

vif = ["ip=127.0.0.1,mac=00:16:3E:24:C9:B8,bridge=br0,rate=100Mb/s"]
disk = [ "raw:/xen/images/127.0.0.1.img,ioemu:xvda,w" ]
vfb = [ "type=vnc,vnclisten=127.0.0.1,vncdisplay=14,vncpasswd=pn48M6jUexwK" ]

serial="pty"
boot = "c"

sdl=0
monitor=1
localtime=0
xen_platform_pci=1
stdvga=1
videoram=16
gfx_passthru=0

on_poweroff="destroy"
on_reboot="restart"
on_crash="restart"

do you have the same problem with the 3.2/3.11 series as well? i'm just wondering if it's something we fixed already and didn't backport to 2.6.32 (that doesn't get many updates these days).

Yesterday just after I posted I realized that grsecurity-2.9.1-3.2.52-201311182331.patch has vserver patch. When configuring a kernel for XEN PV guest with the following options:

Virtualization Type (Guest)
Virtualization Hardware (First-gen/No Hardware Virtualization)
Virtualization Software (Xen)

That fixed the issue stated above. I've also verified everything works good also with XEN HVM linux guest. Good work on fixing!