| 1 |
PaX ---> |
| 2 |
Non-executable pages ---> |
| 3 |
[*] Enforce non-executable pages |
| 4 |
|
| 5 |
is the only option I see. I hope im blind :S |
| 6 |
|
| 7 |
On 5/20/07, Andrew Ross <aross@g.o> wrote: |
| 8 |
> > Hello all, I just finished installing hardened gentoo on an i686 dual |
| 9 |
> > p3 system and have some questions. I used the 2006.1 install CD and |
| 10 |
> > the stage3-hardened-2007.0 tarball. After configuring the kernel and |
| 11 |
> > recompiling the toolchain (binutils, gcc, virtual/libc) I did an |
| 12 |
> > 'emerge -e world'. This is my first hardened profile install but I |
| 13 |
> > have used the grsec patches on a kernel before (an amd64 system) and |
| 14 |
> > after rebuilding the toolchain then userland paxtest was killed on all |
| 15 |
> > but one or two types of stack execution. |
| 16 |
> >=20 |
| 17 |
> > However, this time (on the dual p3 system) paxtest is still able to do = |
| 18 |
> a |
| 19 |
> > lot.... |
| 20 |
> |
| 21 |
> I'm not a hardened dev, but AMD64 systems would have hardware support |
| 22 |
> for non-executable pages, and thus software NX (by Pax) wouldn't be |
| 23 |
> required. See http://en.wikipedia.org/wiki/NX_bit |
| 24 |
> |
| 25 |
> > Is this expected? Did I skip a step? Here is my kernel config. |
| 26 |
> |
| 27 |
> > # Non-executable pages |
| 28 |
> > # |
| 29 |
> > CONFIG_PAX_NOEXEC=3Dy |
| 30 |
> |
| 31 |
> I don't have a x86 system handy to compare this to, but don't you need |
| 32 |
> to select either page or segment-based NX? |
| 33 |
> |
| 34 |
> Cheers |
| 35 |
> |
| 36 |
> Andrew |
| 37 |
> |
| 38 |
> |
| 39 |
> |
| 40 |
|
| 41 |
|
| 42 |
-- |
| 43 |
Matthew Poletiek |
| 44 |
www.chill-fu.net |
| 45 |
-- |
| 46 |
gentoo-hardened@g.o mailing list |
Archives