PaX patch + AppArmor - shouldn't this work?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

PaX patch + AppArmor - shouldn't this work?

Postby Lox » Sat Jul 02, 2011 8:30 pm

2.6.39.2

patches:

http://www.kernel.org/pub/linux/securit ... 2.6.39.tgz
pax-linux-2.6.39.1-test16.patch

Result: PaX doesn't work, Kernel (and AA) work fine.

# pspax
USER     PID    PAX    MAPS ETYPE      NAME             CAPS ATTR 
root     1      pemrs  w^x  ET_DYN     init             =ep cap_setpcap-e unconfined 
root     93     pemrs  w^x  ET_DYN     udevd            =ep  unconfined 


CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_PAX_REFCOUNT is not set
CONFIG_PAX_USERCOPY=y

Lox

Re: PaX patch + AppArmor - shouldn't this work?

Postby specs » Sun Jul 03, 2011 4:43 pm

Why should it work? :wink:

https://wiki.ubuntu.com/AppArmor
"AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. ..."

If you look up LSM on the GrSecurity site, you find under "Papers" a link to "Official grsecurity statement regarding LSM". Since its first introduction in the 2.6 kernels, LSM has been kicked out of the kernel, since no open source project used it. Lately it seems to have been reintroduced (2.6.38 if I'm correct). I have seen no new statement regarding LSM from GrSecurity, so I'd guess it still is incompatible.
http://grsecurity.net/lsm.php
specs

Re: PaX patch + AppArmor - shouldn't this work?

Postby PaX Team » Sun Jul 03, 2011 5:49 pm

Lox wrote:
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
Did you read the related config help and make sure your userland binaries are properly marked?
PaX Team

Re: PaX patch + AppArmor - shouldn't this work?

Postby Lox » Sun Jul 03, 2011 10:46 pm

Ha, thanks for catching that. I did the config in a hurry, sorry for wasting your time. Seems to work fine for now; switched to PAX_EI_PAX.
Lox

Re: PaX patch + AppArmor - shouldn't this work?

Postby spender » Mon Jul 04, 2011 7:51 am

BTW if you used the grsec patch instead, that wouldn't have been a problem ;) I use default-on for PT_PAX_FLAGS now that paxctl has the -C option.

-Brad
spender
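A worked check for what the PaX Team asked Lox, added here as an example (it is not code from this thread, nor from the PaX, grsecurity or paxctl projects): a Python script that reads both PaX marking methods from an ELF image, decodes them the way PaX does (a PT_PAX_FLAGS header overrides the EI_PAX bytes; all-zero EI_PAX bytes mean every feature enabled, which is why switching the kernel to PAX_EI_PAX made Lox's unmarked binaries work), and rewrites a PT_GNU_STACK header into PT_PAX_FLAGS the way paxctl -c does, the in-place alternative to the paxctl -C spender mentions. For context, the PAX column in Lox's pspax output reads "pemrs" in lowercase, which is how the kernel's PaX: line in /proc/<pid>/status reports each feature as off: exactly what a PT_PAX_FLAGS-only kernel does with binaries carrying no PT_PAX_FLAGS header. The flag constants are those of PaX's elf.h additions and of paxctl; the ELF images used below are constructed inline as test data, not real binaries, and the function names are my own.

```python
"""Inspect and set PaX markings on an ELF image (added example, not project code).

PaX recognises two marking methods: the legacy EI_PAX bytes at
e_ident[14..15] and a PT_PAX_FLAGS program header. A kernel built with
CONFIG_PAX_PT_PAX_FLAGS but not CONFIG_PAX_EI_PAX consults only the
program header, so binaries that carry no such header get no protections.
"""
import struct

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580

# PT_PAX_FLAGS p_flags bits: the first bit enables, the NO* bit disables.
PT_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}
PF_PAGEEXEC, PF_SEGMEXEC, PF_MPROTECT = 1 << 4, 1 << 6, 1 << 8
PF_EMUTRAMP, PF_RANDMMAP = 1 << 12, 1 << 14

# EI_PAX bits. Sense is inverted: a SET bit disables the feature, except
# RANDEXEC, where a set bit enables it. All-zero bytes mean "everything on".
HF_BITS = {"PAGEEXEC": 1, "EMUTRAMP": 2, "MPROTECT": 4,
           "RANDMMAP": 8, "RANDEXEC": 16, "SEGMEXEC": 32}


def _layout(data):
    """Return (endian, ehdr_fmt, phdr_fmt, phdr_field_order) for the ELF class."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = {1: "<", 2: ">"}[data[5]]
    if data[4] == 1:    # ELFCLASS32: p_flags sits after p_memsz
        return (endian, endian + "16sHHIIIIIHHHHHH", endian + "IIIIIIII",
                ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align"))
    if data[4] == 2:    # ELFCLASS64: p_flags sits right after p_type
        return (endian, endian + "16sHHIQQQIHHHHHH", endian + "IIQQQQQQ",
                ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align"))
    raise ValueError("unknown EI_CLASS")


def program_headers(data):
    """Yield (file_offset, fields) for every program header."""
    endian, ehdr_fmt, phdr_fmt, order = _layout(data)
    eh = struct.unpack_from(ehdr_fmt, data, 0)
    phoff, phentsize, phnum = eh[5], eh[9], eh[10]
    if phentsize != struct.calcsize(phdr_fmt):
        raise ValueError("unexpected e_phentsize")
    for i in range(phnum):
        off = phoff + i * phentsize
        yield off, dict(zip(order, struct.unpack_from(phdr_fmt, data, off)))


def pax_markings(data):
    """Read both marking methods; 'pt_pax_flags' is None when no header exists."""
    _layout(data)                        # validates magic and class
    ei_pax = data[14] | (data[15] << 8)  # two bytes in e_ident, low byte first
    pt = None
    for _, ph in program_headers(data):
        if ph["type"] == PT_PAX_FLAGS:
            pt = ph["flags"]
    return {"ei_pax": ei_pax, "pt_pax_flags": pt}


def decode(markings):
    """Per-feature verdict. A PT_PAX_FLAGS header, when present, overrides EI_PAX."""
    pt, ei = markings["pt_pax_flags"], markings["ei_pax"]
    verdict = {}
    for name in PT_BITS:
        if pt is not None:
            on, off = PT_BITS[name]
            # 'unset': neither bit present, i.e. not explicitly enabled
            verdict[name] = "on" if pt & on else "off" if pt & off else "unset"
        else:
            bit = HF_BITS[name]
            enabled = bool(ei & bit) if name == "RANDEXEC" else not (ei & bit)
            verdict[name] = "on" if enabled else "off"
    verdict["source"] = "EI_PAX" if pt is None else "PT_PAX_FLAGS"
    return verdict


def convert_gnu_stack(data, flags):
    """Turn the PT_GNU_STACK header into PT_PAX_FLAGS carrying `flags`.

    This mirrors the in-place conversion paxctl -c performs; paxctl -C
    instead creates a new PT_PAX_FLAGS header. Returns the modified image.
    """
    _, _, phdr_fmt, order = _layout(data)
    buf = bytearray(data)
    for off, ph in program_headers(data):
        if ph["type"] == PT_GNU_STACK:
            ph["type"], ph["flags"] = PT_PAX_FLAGS, flags
            struct.pack_into(phdr_fmt, buf, off, *(ph[k] for k in order))
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK header to convert")


def build_sample(ei_pax=0, phdrs=()):
    """Constructed minimal little-endian ELF64 image (test data, not a real
    binary): an ET_DYN x86-64 header followed by (p_type, p_flags) headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 5 + struct.pack("<H", ei_pax)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, decode(pax_markings(f.read())))
```

Run it against real binaries with `python3 paxmark.py /sbin/init /sbin/udevd` (the file name is my choice) to see which marking each carries; a result with `source: EI_PAX` and no PT_PAX_FLAGS header on a PT_PAX_FLAGS-only kernel is the situation Lox hit. The decoder treats an absent PT_PAX_FLAGS header as "fall back to EI_PAX", which is what a kernel with both options built in does; whether a PT_PAX_FLAGS-only kernel then leaves everything off or defaults everything on depends on the patch, as spender notes for the grsecurity patch.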

Re: PaX patch + AppArmor - shouldn't this work?

Postby Lox » Sun Jul 10, 2011 2:53 pm

spender wrote:
BTW if you used the grsec patch instead, that wouldn't have been a problem ;) I use default-on for PT_PAX_FLAGS now that paxctl has the -C option.

-Brad

Didn't know this worked too. Tried it out with 2.6.39.3 and it seems to work fine with AA. Disabled TPE and the RBAC, enabled a good chunk of the -gr options for testing. Are there any caveats I need to be aware of when doing this instead of going the PaX+AA only route?
Lox

Re: PaX patch + AppArmor - shouldn't this work?

Postby spender » Sun Jul 10, 2011 4:12 pm

grsecurity can be used in addition to SELinux or Apparmor or anything else. Since it doesn't use LSM it doesn't conflict with any of them.

-Brad
spender