grsecurity forums

[GBit]

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages: Disabled
Prevent userspace pointer deref: Disabled
Prevent kobject refcount overflow: Enabled
Bounds check heap object copies: Enabled
Disable writing to kmem/mem/port: Enabled
Disable privileged I/O: Disabled
Harden module auto-loading: Enabled
Hide kernel symbols: Enabled

I'm on Ubuntu 12.04 and I believe I did enable both of those.

Checksec confirms I'm using PaX ASLR and other features are enabled. But those two don't seem to be despite my configuration enabling them.

edit: I'm assumign it's uderef actually - I don't see that in my PaX configuration at all. Maybe it's referring to refcount.

[spender]

Hi,

checksec.sh looks for a kernel config which it uses to determine whether a given feature is enabled or not. It's not really the most accurate way to detect the existence of various features (for instance, UDEREF can be enabled via config but disabled at boot-time, which it doesn't detect). It also hasn't been updated for the new automatic configuration methods.

It uses the first kernel config it finds from the following list:
/proc/config.gz
/boot/config-`uname -r`
/usr/src/linux/.config

Thus if you had a stale /boot/config-3.5.1-grsec file and no /proc/config.gz support, you'd be getting stale results about the running kernel.

-Brad

[GBit]

Is there a more accurate way to test these settings?