grsecurity forums


https://forums.grsecurity.net./

open CONFIG_PAX_MPROTECT run java failed(openjdk)

https://forums.grsecurity.net./viewtopic.php?f=3&t=4190

Page 1 of 1

open CONFIG_PAX_MPROTECT run java failed(openjdk)

PostPosted: Mon Apr 13, 2015 11:27 pm
by lynliuyan
when I open pax mprotect, run java -version failed

root@debian7:~/java-pax-test# java -version
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00003fff7c000000, 2097152, 1) failed; error='Operation not permitted' (errno=1)




Analysis code found in the function do_mmap_pgoff(mm/mmap.c),

#ifdef CONFIG_PAX_MPROTECT
if (mm->pax_flags & MF_PAX_MPROTECT) {
if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))

#ifdef CONFIG_PAX_EMUPLT
vm_flags &= ~VM_EXEC;
#else
return -EPERM;
#endif

EMUPLT undefined, so return an error value,but I did not fount the definition CONFIG_PAX_EMUPLT?

Re: open CONFIG_PAX_MPROTECT run java failed(openjdk)

PostPosted: Tue Apr 14, 2015 3:34 am
by PaX Team
you should read the config help about MPROTECT as it describes what restrictions it adds on top of the non-exec page feature. in your case it prevents one of the first steps of runtime code generation, the allocation of rwx memory. as for EMUPLT, it's in the usual place (security/Kconfig) and it doesn't apply to your architecture, that's why it doesn't show up in menuconfig.
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/