
Posted: Sun Jan 11, 2004 3:58 am
by siti
You want to grab "chpax" from pax.grsecurity.net (or if debian includes a package for it?).

Then on the programs that have problems you can do a "chpax -s PROGRAM" to stop enforcing no exec pages on it so then the offending program will work but not have the protection unfortunately. Also to see all the options with chpax you can run "chpax -h". Although there is no point disabling options that are not included in your kernel :)

Re: Grsecurity for 2.4.23 vs i855 centrino laptop

Posted: Sun Jan 11, 2004 6:52 am
by PaX Team
mikeeusa wrote:I acquired my new laptop, installed debian, installed X 4.3, worked great, had a wholly insecure kernel, needed to be hardened... So i put 2.4.24 on tha down-low and then kicked up my server's kernel config into the machine, disabled the disabling of privileged IO and disabled enforcing non-executable stacks....
[...]
still no go, X complains of some symbols in its files... and then tells me it can't find any screens.
can you please post your .config and the XFree86 logs (and maybe any relevant kernel logs from grsec/PaX)?

Re: Kern Config and X log files:

Posted: Sun Jan 11, 2004 8:11 pm
by PaX Team
mikeeusa wrote:https://cat2.ath.cx/cat2/kernconfig.txt
https://cat2.ath.cx/cat2/xerrors.txt
https://cat2.ath.cx/cat2/kernlog.txt
for a start, disable CONFIG_GRKERNSEC_KMEM and it will hopefully work. but before you do that, could you run a strace -e trace=open,close,old_mmap,mmap2,munmap,mprotect on your server binary directly? it seems that your server wants to map the video BIOS in some unexpected way, would be nice to see the exact numbers.

Posted: Mon Jan 12, 2004 6:09 am
by PaX Team
mikeeusa wrote::) Here's the strace output (on xinit)
thanks but i really need it on the server binary itself, /etc/X11/X is normally a symlink to it or try /usr/X11/bin/XFree86 (or try strace -f on xinit). you will know you got the right one when you'll see a failed old_mmap request towards the end of the trace (that would be the video BIOS mapping attempt).
can i chpax X to something to make it work (what would i have to chpax it to, which binaries do you think? just xinit?)
no, this is really the /dev/mem restrictions that you ran into, your X server wanted to mmap the physical memory range of the video BIOS for writing - that's a no-no at least until we know what that range is exactly and can grant an explicit exception, hence my need for the strace output ;-).
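
As an added illustration (not part of the thread, and not grsecurity or PaX code), this Python sketch scans strace output for the pattern described in the post above: a failed old_mmap/mmap2 on a descriptor that was opened from /dev/mem. The sample trace with its fd, offset and errno is constructed, and the function name is hypothetical.

```python
import re

# Constructed sample (not the poster's trace); fd, offset and errno are invented.
SAMPLE_TRACE = """\
open("/etc/X11/XF86Config-4", O_RDONLY) = 3
close(3) = 0
open("/dev/mem", O_RDWR) = 5
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
old_mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_SHARED, 5, 0xc0000) = -1 EPERM (Operation not permitted)
close(5) = 0
"""

# Optional pid prefix ("[pid 123] " or "123 " as written by strace -f),
# then name(args) = ret [ERRNO ...].
LINE_RE = re.compile(
    r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(\w+)\((.*)\)\s+=\s+(\S+)(?:\s+([A-Z]+))?')
MMAP_CALLS = ("old_mmap", "mmap2", "mmap")


def failed_dev_mem_maps(trace, device="/dev/mem"):
    """Return the failed mmap-family calls whose fd was opened from `device`."""
    fds = {}   # (pid, fd) -> path, so descriptors of different processes stay apart
    hits = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # signals, unfinished/resumed lines, etc.
        pid = m.group(1) or m.group(2) or ""
        name, args, ret, errno = m.group(3, 4, 5, 6)
        if name == "open" and '"' in args and not ret.startswith("-"):
            fds[(pid, ret)] = args.split('"')[1]
        elif name == "close" and ret == "0":
            fds.pop((pid, args.strip()), None)
        elif name in MMAP_CALLS and ret == "-1":
            parts = [a.strip() for a in args.split(",")]
            if len(parts) == 6 and fds.get((pid, parts[4])) == device:
                hits.append({"call": name, "length": int(parts[1], 0),
                             "prot": parts[2], "flags": parts[3],
                             "offset": int(parts[5], 0),  # as printed by strace
                             "errno": errno})
    return hits


if __name__ == "__main__":
    for hit in failed_dev_mem_maps(SAMPLE_TRACE):
        print("%(call)s on /dev/mem failed with %(errno)s: offset %(offset)#x, "
              "length %(length)d, %(prot)s" % hit)
```

An empty result on a trace of the server binary means the trace stopped before the mapping attempt or was taken on a different process.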

Re: Strace Output on /etc/X11/X as requested

Posted: Sun Jan 18, 2004 10:36 am
by PaX Team
mikeeusa wrote:[...]
open("/etc/libsafe.exclude", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/X11/Xwrapper.config", O_RDONLY) = 3
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x495b2000
close(3) = 0
munmap(0x495b2000, 4096) = 0
is this the full trace? it doesn't look like it ever got to mapping any of the X drivers or the failed mmap() of the video BIOS...

Posted: Thu Jan 22, 2004 11:32 am
by PaX Team
mikeeusa wrote:OOo, does it need to be run without the -pm flags?
I did it in an X term so it didn't have perm to open fully.
Should i get a trace regular, or without the protections disabled via chpax?
chpax flags don't matter as long as X doesn't get killed which is your case i think. so just exit from X and do the strace then.