| 1 |
Hello! |
| 2 |
|
| 3 |
|
| 4 |
Thank you Alex and Hinnerk for your answers. |
| 5 |
|
| 6 |
I understand and fully agree that CONFIG_PAX_MPROTECT is very important |
| 7 |
for security. However, I had to "-m" mark *a lot* of applications: |
| 8 |
|
| 9 |
Xorg, i3, i3bar, i3-nagbar and even "simple" GTK applications like |
| 10 |
claws-mail that has nothing with GLX (or maybe GTK has). |
| 11 |
|
| 12 |
I'm aware of the latest-stable ebuild issue with the pax-const.patch, |
| 13 |
but do you think it would make a difference from MPROTECT marking |
| 14 |
point of view? Is 319.49 behaving "more nicely" then 325.15? |
| 15 |
|
| 16 |
Thank you, |
| 17 |
Balint |
| 18 |
|
| 19 |
On Thu, 12 Sep 2013 00:24:59 +0300 |
| 20 |
Alex Efros <powerman@××××××××.name> wrote: |
| 21 |
|
| 22 |
> Hi! |
| 23 |
> |
| 24 |
> On Wed, Sep 11, 2013 at 11:44:07PM +0300, Balint Szente wrote: |
| 25 |
> > So I disabled CONFIG_PAX_MPROTECT for the moment. |
| 26 |
> |
| 27 |
> It's much better to `paxctl-ng -m /usr/bin/Xorg` instead. And |
| 28 |
> probably few other applications (mplayer, glxgears, etc.). |
| 29 |
> |
| 30 |
> |
| 31 |
> Also, you can install latest stable nvidia-drivers by simple removing |
| 32 |
> this line from ebuild (bug already reported): |
| 33 |
> |
| 34 |
> epatch "${FILESDIR}"/nvidia-drivers-pax-const.patch |
| 35 |
> |
| 36 |
> |
| 37 |
> Main issue with nvidia-drivers on hardened is what sometimes some race |
| 38 |
> condition happens and system just freezes. This may happens when |
| 39 |
> starting mplayer with hardware acceleration: |
| 40 |
> mplayer -vf-clr -vo vdpau -vc ffh264vdpau,ffmpeg12vdpau, … |
| 41 |
> or just in the middle of viewing video using flash in browser. |
| 42 |
> |
| 43 |
> Not sure about flash, but when this happens with mplayer I've tried to |
| 44 |
> analyse what's going on: system is working, but incredible slow, it |
| 45 |
> took about 10 minutes to switch to another virtual desktop, run top, |
| 46 |
> found mplayer process using 100% CPU, try to kill it (don't remember |
| 47 |
> is it was successful or not), but it won't fix anything - system |
| 48 |
> still was too slow. In all cases I've to press RESET because trying |
| 49 |
> to do normal shutdown procedure may took hours. |
| 50 |
> |
Archives