mprotect and virtual machines
Posted: Sat Aug 31, 2013 11:52 pm
I am wondering about the feasibility of running a virtual machine on a Gentoo-Hardened kernel with grsec/pax compiled into it, and one possibility for the virtualization would be to use VirtualBox. I found on this website, https://www.virtualbox.org/manual/ch12.html#idp15732128, where it states: "Linux kernels including the grsec patch (see http://www.grsecurity.net/) and derivates have to disable PAX_MPROTECT for the VBox binaries to be able to start a VM. The reason is that VBox has to create executable code on anonymous memory." Additionally, when I run "paxtest blackhat", I see these results concerning mprotect:
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
It is not clear to me whether all of these protected points affect VirtualBox or whether I could even turn off only part of them, while leaving the unaffected parts alone. Also, if I wanted to consider turning off the part affected by mprotect, would it entail recompiling the kernel or could it be toggled with a command line switch of some sort?
Finally, I would like to know whether anyone here has been able to run a virtual machine without having to turn off mprotect, possibly using a different means from VirtualBox? Any feedback would be welcome.
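To make concrete what the "Executable anonymous mapping (mprotect)" line in the paxtest output above is actually measuring, and what a VM or JIT has to do differently to stay within PaX MPROTECT, here is a small added example. It is not code from the post, from paxtest, from VirtualBox or from PaX; it is written for this page. probe_anon_rwx() performs the same mprotect() request paxtest makes (RW anonymous memory asked to become RWX) but only inspects the return value instead of jumping into the page, which is why paxtest reports "Killed" and this probe merely reports refused. run_via_dual_mapping() shows the workaround that MPROTECT does permit: one file-backed buffer mapped twice, written through a read-write view and executed through a read-execute view, so no mapping is ever writable and executable at once. Assumptions: an x86-64 or AArch64 Linux host (the embedded "return 42" machine code is constructed for those two targets only), and, when memfd_create is unavailable, a /tmp that is not mounted noexec. The function names and the "jit-code" label are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

/* Constructed sample payload: a position-independent "return 42".
 * Only x86-64 and AArch64 are covered here; other CPUs get no code and
 * run_via_dual_mapping() returns -1 without executing anything. */
#if defined(__x86_64__)
static const unsigned char kCode[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kCode[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
static const unsigned char kCode[] = { 0 };
#define NO_CODE 1
#endif

typedef int (*fn42_t)(void);

/* The request behind paxtest's "Executable anonymous mapping (mprotect)":
 * anonymous RW memory, then mprotect() to RWX. Unlike paxtest we never jump
 * into the page, so under MPROTECT this reports 0 instead of being killed.
 * Returns 1 = allowed (stock kernel), 0 = refused (PaX MPROTECT), -1 = error. */
int probe_anon_rwx(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = mprotect(p, pg, PROT_READ | PROT_WRITE | PROT_EXEC);
    int allowed = (rc == 0) ? 1 : (errno == EPERM || errno == EACCES) ? 0 : -1;
    munmap(p, pg);
    return allowed;
}

/* Backing file for generated code: a memfd when the kernel has it, otherwise
 * an unlinked temp file. Assumption: /tmp is not mounted noexec, or the RX
 * mapping in run_via_dual_mapping() is refused as well. */
static int open_code_fd(void)
{
    int fd = -1;
#ifdef SYS_memfd_create
    fd = (int)syscall(SYS_memfd_create, "jit-code", 0);
    if (fd >= 0)
        return fd;
#endif
    char path[] = "/tmp/jit-code-XXXXXX";
    fd = mkstemp(path);
    if (fd >= 0)
        unlink(path);                  /* the open fd keeps the inode alive */
    return fd;
}

/* MPROTECT-compatible code generation: map the same file twice, write the
 * code through the RW view, run it through the RX view. Neither view is ever
 * W+X, and the executable view is a read-only file mapping, which PaX allows.
 * Returns what the generated code returns (42) or -1 on failure. */
int run_via_dual_mapping(void)
{
#ifdef NO_CODE
    return -1;
#else
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int fd = open_code_fd();
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)pg) != 0) { close(fd); return -1; }

    unsigned char *rw = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void *rx = mmap(NULL, pg, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);                         /* the two mappings keep the file alive */
    if (rw == MAP_FAILED || rx == MAP_FAILED) {
        if (rw != MAP_FAILED) munmap(rw, pg);
        if (rx != MAP_FAILED) munmap(rx, pg);
        return -1;
    }

    memcpy(rw, kCode, sizeof kCode);                                /* write via RW view */
    __builtin___clear_cache((char *)rx, (char *)rx + sizeof kCode); /* required on AArch64, no-op on x86 */

    fn42_t fn;
    memcpy(&fn, &rx, sizeof fn);       /* object pointer -> function pointer without a cast warning */
    int result = fn();                 /* execute via RX view */

    munmap(rw, pg);
    munmap(rx, pg);
    return result;
#endif
}

int main(void)
{
    int anon = probe_anon_rwx();
    printf("anonymous RW->RWX mprotect: %s\n",
           anon == 1 ? "allowed (no MPROTECT)" : anon == 0 ? "refused (MPROTECT active)" : "error");
    printf("dual-mapped code returned: %d\n", run_via_dual_mapping());
    return 0;
}
```

On a stock kernel the probe reports "allowed" and the dual mapping returns 42; on a grsec/PaX kernel with MPROTECT the probe reports "refused" while the dual mapping still returns 42, which is the whole point of the technique. It only helps for code you control, though: VirtualBox, as the manual passage quoted in the post says, generates its code in anonymous memory, so the per-binary alternative to a kernel-wide rebuild is clearing the MPROTECT flag on just the VBox executables with paxctl -m (or the equivalent xattr marking on kernels built for it), leaving every other process on the system protected.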