Why Grsec/PaX Kills java while exec-shield don't ?



Postby smtp » Sat Feb 19, 2005 5:43 am

I know non-exec will kill java, but exec-shield doesn't kill java.
I enabled exec-shield using:

echo 3 > /proc/sys/kernel/exec-shield

and I can still run java correctly.

why?
and how do I let Grsec/PaX do the same thing?

thanks
smtp
 
Posts: 2
Joined: Sat Feb 19, 2005 5:33 am

Re: Why Grsec/PaX Kills java while exec-shield don't ?

Postby PaX Team » Sat Feb 19, 2005 6:19 pm

smtp wrote:
> I know non-exec will kill java, but exec-shield doesn't kill java.
> I enabled exec-shield using:
>
> echo 3 > /proc/sys/kernel/exec-shield
>
> and I can still run java correctly.
>
> why?

first of all, i don't know what the '3' setting does, i thought you could have 0, 1, 2 only. in any case, Exec-Shield also has a per-file control mechanism based on the PT_GNU_STACK program header; in particular, if a file lacks it or has one with RWE rights (check readelf -l) then Exec-Shield will be automatically disabled on it, which i believe is the case for java.

> and how do I let Grsec/PaX do the same thing?

chpax -spmr, or you can use the RBAC/ACL system.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby smtp » Sun Feb 20, 2005 5:00 am

(I echoed 1 and 2 to it and got the same result before I echoed 3.)

I checked the java header using readelf, and found that java has no PT_GNU_STACK.
How to hack the PaX code to let PaX support these:

1. If a file lacks the PT_GNU_STACK header, then PaX is automatically disabled on it. (so the problem of 'PaX kills java' will be resolved)

2. Let PaX use PT_GNU_STACK instead of PT_PAX_FLAGS (this could be another choice for those PaX users that don't want to recompile the file to add the new header).

Could you help me? (The first would be the best for me :lol:)
thank you very much!!!
smtp
 
Posts: 2
Joined: Sat Feb 19, 2005 5:33 am

Postby PaX Team » Sun Feb 20, 2005 5:24 pm

smtp wrote:
> 1. If a file lacks the PT_GNU_STACK header, then PaX is automatically disabled on it. (so the problem of 'PaX kills java' will be resolved)

use chpax as i said before. if you want PaX default off, then use softmode. if you want PaX default off only when PT_PAX_FLAGS is not present, then simply don't add EI_PAX support into the kernel. see below for PT_GNU_STACK.

> 2. Let PaX use PT_GNU_STACK instead of PT_PAX_FLAGS (this could be another choice for those PaX users that don't want to recompile the file to add the new header).

it's not going to happen; my reasons are explained here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132149#c8. what is possible is to convert PT_GNU_STACK (or something equally useless) into PT_PAX_FLAGS, i just don't have the time for this right now.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
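The per-file rule the PaX Team describes above (no PT_GNU_STACK, or one with RWE rights, means Exec-Shield switches itself off for that binary) and smtp's readelf check of the java binary can both be reproduced without readelf by reading the ELF program headers directly. The script below is an added example written for this thread, not code from the thread, from PaX or from Exec-Shield. It walks the program-header table of an ELF32/ELF64 image, reports the PT_GNU_STACK permissions the way readelf -l prints them, and also notes whether a PT_PAX_FLAGS header is present (it reports only the raw p_flags value of that header; PaX's own flag bits are not decoded). The PT_GNU_STACK (0x6474e551) and PT_PAX_FLAGS (0x65041580) values are the ones defined by the GNU toolchain and by PaX; the build_elf64 helper and the two sample images it produces are constructed test input, not real binaries.

```python
import struct
import sys

# Program-header types referenced in the thread (values as defined by the
# GNU toolchain and by PaX).
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # stack permissions, emitted by the linker
PT_PAX_FLAGS = 0x65041580   # per-file PaX flags, the header PaX reads instead

# p_flags permission bits, the "RWE" column that readelf -l prints
PF_X, PF_W, PF_R = 1, 2, 4


def perms(p_flags):
    """Render p_flags the way readelf -l does, e.g. 6 -> 'RW', 7 -> 'RWE'."""
    return (("R" if p_flags & PF_R else "")
            + ("W" if p_flags & PF_W else "")
            + ("E" if p_flags & PF_X else ""))


def program_headers(data):
    """Yield (p_type, p_flags) for every program header of an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                           # ELFCLASS64: p_type, p_flags lead the Phdr
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        for i in range(phnum):
            p_type, p_flags = struct.unpack_from(end + "II", data, phoff + i * phentsize)
            yield p_type, p_flags
    elif ei_class == 1:                         # ELFCLASS32: p_flags is the 7th field
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        for i in range(phnum):
            fields = struct.unpack_from(end + "IIIIIIII", data, phoff + i * phentsize)
            yield fields[0], fields[6]
    else:
        raise ValueError("unknown ELF class %d" % ei_class)


def stack_policy(data):
    """Apply the per-file rule from the thread: a missing PT_GNU_STACK, or one
    with RWE rights, asks for an executable stack and Exec-Shield is disabled
    for that file."""
    gnu_stack = pax_flags = None
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            gnu_stack = p_flags
        elif p_type == PT_PAX_FLAGS:
            pax_flags = p_flags
    if gnu_stack is None:
        verdict = "no PT_GNU_STACK: executable stack assumed, Exec-Shield disabled for this file"
    elif gnu_stack & PF_X:
        verdict = "PT_GNU_STACK %s: executable stack requested, Exec-Shield disabled for this file" % perms(gnu_stack)
    else:
        verdict = "PT_GNU_STACK %s: non-executable stack, Exec-Shield stays on" % perms(gnu_stack)
    return {
        "gnu_stack": gnu_stack,
        "pax_flags": pax_flags,        # raw value only; PaX flag bits are not decoded here
        "executable_stack": gnu_stack is None or bool(gnu_stack & PF_X),
        "verdict": verdict,
    }


def build_elf64(phdrs):
    """Construct a minimal little-endian ELF64 image containing only the given
    (p_type, p_flags) program headers. Constructed test input, not a real binary."""
    phoff, phentsize = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                                 64, phentsize, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # Usage: python3 check_stack.py /path/to/binary   (any real ELF file, e.g. the java launcher)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(stack_policy(fh.read())["verdict"])
    else:
        # Demonstration on constructed images: one without PT_GNU_STACK (what smtp
        # saw for java) and one with the linker's usual RW stack header.
        samples = [
            ("no-gnu-stack", build_elf64([(PT_LOAD, PF_R | PF_X)])),
            ("rw-stack", build_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])),
        ]
        for name, image in samples:
            print(name, "->", stack_policy(image)["verdict"])
```

Run it against a real binary to get the same answer readelf -l gives for the GNU_STACK line, plus a note on whether a PT_PAX_FLAGS header exists; the constructed images only exercise the parser offline.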
