Page 1 of 1

mprotect and vitual machines

PostPosted: Sat Aug 31, 2013 11:52 pm
by dunker
I am wondering about the feasibility of running a virtual machine on a Gentoo-Hardened kernel with grsec/pax compiled into it, and one possibility for the virtualization would be to use VirtualBox. I found on this website, https://www.virtualbox.org/manual/ch12.html#idp15732128, where it states: "Linux kernels including the grsec patch (see http://www.grsecurity.net/) and derivates have to disable PAX_MPROTECT for the VBox binaries to be able to start a VM. The reason is that VBox has to create executable code on anonymous memory." Additionally, when I run "paxtest blackhat", I see these results concerning mprotect:

Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed

It is not clear to me whether all of these protected points affect VirtualBox or whether I could even turn off part of them only, while leaving unaffected parts alone. Also, if I wanted to consider turning off the affected part by mprotect, would it entail recompiling the kernel or could it be toggled with a command line switch of some sort?

Finally, I would like to know whether anyone here has been able to run a virtual machine without having to turn off mprotect, possibly using a different means from VirtualBox? Any feedback would be welcome.

Re: mprotect and vitual machines

PostPosted: Mon Sep 02, 2013 7:48 pm
by GBit
You either get all of the mprotect restrictions or none as far as I know.

Download paxctl and run:

paxctl -c /path/to/virtualbox
paxctl -m /path/to/virtualbox