Hi,
can you shed some light on this feature?
It's not working, kernel is not booting, but I think noexec pages in kernel space is definitely a DO
Dodger wrote: can you shed some light on this feature?
it's what it says, (on i386) it ensures that in kernel mode (ring-0) only the kernel's code is actually executable, and it also makes the code and read-only data, well, read-only. it is not as incircumventible as the userland equivalent, but there're some measures that at least make it not that trivial (basically a kernel bug and corresponding exploit would have to modify page table entries to circumvent the read-only feature or force somehow the reloading of the GDTR/CR3 registers with attacker supplied values). as i said, this is not that trivial, but certainly possible, and closing down this venue is what sealed kernel pages and the compiler change to verify control flow were going to fix (i just had no time for this so far).
Dodger wrote: It's not working, kernel is not booting
first of all, read http://grsecurity.net/pipermail/grsecurity/2005-November/000616.html, if you haven't yet (the only news is that spender put this into grsec already). next, if you can help debugging your problem, i'd like to see your kernel .config (email it please), the exact symptom (at which stage the kernel crashes, what's last printed, etc, if you can catch it).
Dodger wrote: but I think noexec pages in kernel space is definitely a DO
it's been available for 2.5 years, just without module support.
Steve3d wrote: I have just tried this, it runs fine on my Laptop, so I decided to go to my samba server, after I set CONFIG_PAX_KERNEXEC, my server hangs on loading some modules, so, I can not get my server up.
just as an experiment, what happens if you compile those modules into the kernel instead? if the system works, you can do a binary search to find the module that triggers the problem.
Steve3d wrote: and the stopped module is related to USB and IEEE1394. I also tried to disable the USB and IEEE1394 in BIOS, I found that these modules were killed by PAX.
do you know which exact module it is? and do you have any error messages/logs/screenshot/etc?
ralphy wrote: i patched with the latest grsecurity patch but i'm not seeing CONFIG_GRKERNSEC_PAX_KERNEXEC anywhere? am i missing something? 2.4.32 release 3
you have to set the PCI access method to 'direct', the PCI BIOS is not supported under KERNEXEC.
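
The two .config checks that come up in this thread (PCI BIOS access enabled alongside KERNEXEC, and building a range of modules into the kernel to bisect a failing one), as an added example that is not from any poster or from the PaX/grsecurity code. The function names are hypothetical, the sample .config is constructed, and CONFIG_PCI_BIOS is assumed to be the stock i386 symbol for PCI BIOS access.

```shell
#!/bin/sh
# Added example: helpers that read a kernel .config on stdin.
# Usage (after sourcing): kernexec_pci_check < .config
#                         builtin_range 1 2 < .config > .config.new
# Run "make oldconfig" on a rewritten file so Kconfig can settle
# dependencies (assumption: a naive =m to =y flip may need adjusting).

# Constructed sample .config fragment, not taken from any poster's system.
sample_config() {
cat <<'EOF'
CONFIG_PAX_KERNEXEC=y
CONFIG_PCI_GOANY=y
CONFIG_PCI_BIOS=y
CONFIG_PCI_DIRECT=y
CONFIG_USB=m
CONFIG_USB_UHCI=m
CONFIG_IEEE1394=m
CONFIG_IEEE1394_OHCI1394=m
CONFIG_EXT3_FS=y
# CONFIG_SMP is not set
EOF
}

# Print "conflict" when KERNEXEC is set together with PCI BIOS access,
# "ok" when KERNEXEC is set without it, "kernexec-off" otherwise.
kernexec_pci_check() {
    awk -F= '
        $1 ~ /^CONFIG_(GRKERNSEC_)?PAX_KERNEXEC$/ && $2 == "y" { kx = 1 }
        $1 == "CONFIG_PCI_BIOS" && $2 == "y" { bios = 1 }
        END { r = "kernexec-off"
              if (kx) r = bios ? "conflict" : "ok"
              print r }'
}

# List the options currently built as modules, in file order.
list_modules() {
    awk -F= '$2 == "m" { print $1 }'
}

# Rewrite the .config so modules number $1..$2 (1-based, file order)
# become built-in (=y); every other line passes through unchanged.
# Halving the range on each rebuild gives the binary search.
builtin_range() {
    awk -F= -v lo="$1" -v hi="$2" '
        $2 == "m" { n++; if (n >= lo && n <= hi) { print $1 "=y"; next } }
        { print }'
}
```
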