grsecurity forums

I am having trouble getting PAX to work on kernel 2.6.2. I have the new stable kernel release, the original from the kernel.org sources. I grabbed the PAX patch for 2.6.2 and applied it. My system is an Athlon with standard PC components, IDE drives, NVidia graphics, etc. Here are the relevant PAX options I enabled in the kernel config:

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_RANDEXEC is not set

I'm not really sure what I've missed, everything built cleanly and the new kernel runs just fine. But none of the PAX functions seem to work. When I ran paxtest 0.9.5, it came back and reported everything as vulnerable and no randomization.

Any ideas what I've done wrong? Any suggestions (even pointing me to the doc I should have read but missed)? Thanks!

same Problem here.

pax-linux-2.6.2-200402050020.patc with vanilla 2.6.2 from kernel.org

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_RANDEXEC is not set
# CONFIG_SECURITY is not set

paxtest returns this:
Executable anonymous mapping : Vulnerable
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Vulnerable
Executable stack : Vulnerable
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : No randomisation
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 13 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : 9 bits (guessed)
Stack randomisation test (PAGEEXEC) : 9 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable

thx, cu

uberslakr wrote:# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y

Any ideas what I've done wrong? Any suggestions (even pointing me to the doc I should have read but missed)? Thanks!

yes, you should have read the help on the above two options . what happened in the last release is that i introduced a better PaX flag control system, the details are in the help, the short story is that as long as you rely on ELF header markings (vs. doing everything via ACLs) you must enable at least one of the two options above. since your system has most likely not been prepared for PT_PAX_FLAGS yet, enable EI_PAX which is what you had before and everything will be back to normal. i'll probably modify the configure system so that it will enforce this.

Yeah, I misread the help pages and chose the wrong option. Thanks for the help.