Gentoo Archives: gentoo-hardened

From: Balint Szente <balint@×××××××××.ro>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] nvidia.ko with Grsecurity & PaX kernel
Date: Sat, 21 Sep 2013 16:55:53
Message-Id: 20130921195540.270c8e89@inspiro
In Reply to: Re: [gentoo-hardened] nvidia.ko with Grsecurity & PaX kernel by "Anthony G. Basile"
Hello Anthony!

pypaxctl itself works, but I found the way to reproduce the issue:

1. Set the PT flags for the nvidia GL library:

# paxctl -c /usr/lib/opengl/nvidia/lib/libGL.so.325.15
# paxctl-ng -em /usr/lib/opengl/nvidia/lib/libGL.so.325.15
# paxctl-ng -v /usr/lib/opengl/nvidia/lib/libGL.so.325.15
/usr/lib/opengl/nvidia/lib/libGL.so.325.15:
PT_PAX : -em--
XATTR_PAX : -em--

2. Delete the XT_ATTR PAX flags (because I don't use XT):

# pypaxctl -d /usr/lib/opengl/nvidia/lib/libGL.so.325.15
# paxctl-ng -v /usr/lib/opengl/nvidia/lib/libGL.so.325.15
/usr/lib/opengl/nvidia/lib/libGL.so.325.15:
PT_PAX : -em--
XATTR_PAX : not found

3. Run revdep-pax:

# paxctl-ng -v /usr/bin/glxgears
/usr/bin/glxgears:
PT_PAX : -e---
XATTR_PAX : not found
# revdep-pax -m -l /usr/lib/libGL.so
libGL.so.1 /usr/lib64/opengl/nvidia/lib/libGL.so.325.15 :X86_64 (-em--)

/usr/bin/glxgears ( -e--- )
[...]

Will mark elf with -em--

Set flags for /usr/bin/glxgears (y/n): y

/usr/bin/glxgears ( ----- )
# paxctl-ng -v /usr/bin/glxgears
/usr/bin/glxgears:
PT_PAX : -----
XATTR_PAX : -----

Step 2. is the trigger for the problem. If I don't delete the XT_ATTR
PAX flags from the GL library, then the revdep-pax script works well.

So as a conclusion, I think the issue appears when the library has only
PT marks.

Regards,
Balint

On Fri, 20 Sep 2013 06:31:03 -0400
"Anthony G. Basile" <basile@××××××××××××××.edu> wrote:
>
> I wrote that script but I've never seen this before. I suspect
> there's something wrong with the pypax python module. Can you test
> using pypaxctl to set some pax flags on a non-critical elf binary and
> see if it works.
>
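
Added example, not part of the original message or of the tools it discusses: a small parser for `paxctl-ng -v` output that lists files carrying only PT_PAX marks (the state after step 2) and reports flag letters that were set before a revdep-pax run but are shown as '-' afterwards. The function names are hypothetical and the sample output is constructed from the listings quoted in the message.

```python
import re

# Constructed samples in the `paxctl-ng -v` layout quoted in the message.
SAMPLE_BEFORE = """\
/usr/lib/opengl/nvidia/lib/libGL.so.325.15:
PT_PAX : -em--
XATTR_PAX : not found

/usr/bin/glxgears:
PT_PAX : -e---
XATTR_PAX : not found
"""
SAMPLE_AFTER = """\
/usr/bin/glxgears:
PT_PAX : -----
XATTR_PAX : -----
"""

FIELD = re.compile(r"^\s*(PT_PAX|XATTR_PAX)\s*:\s*(.+?)\s*$")

def parse_paxctl_ng(text):
    """Return {path: {"PT_PAX": flags or None, "XATTR_PAX": flags or None}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and current is not None:
            value = m.group(2)
            result[current][m.group(1)] = None if value == "not found" else value
        elif line.strip().endswith(":"):
            # A line such as "/usr/bin/glxgears:" starts a new file entry.
            current = line.strip()[:-1]
            result[current] = {"PT_PAX": None, "XATTR_PAX": None}
    return result

def pt_only(entries):
    """Paths with PT_PAX marks but no XATTR_PAX marks."""
    return sorted(p for p, f in entries.items()
                  if f["PT_PAX"] and f["XATTR_PAX"] is None)

def lost_flags(before, after, field="PT_PAX"):
    """Map path -> flag letters present before that are '-' afterwards."""
    lost = {}
    for path, new in after.items():
        old, cur = before.get(path, {}).get(field), new.get(field)
        if old and cur and len(old) == len(cur):
            gone = "".join(o for o, c in zip(old, cur) if o != "-" and c == "-")
            if gone:
                lost[path] = gone
    return lost
```

Capturing `paxctl-ng -v` output before and after a revdep-pax run and passing both to lost_flags() shows which binaries came out with fewer marks than they went in with.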
