Gentoo Archives: gentoo-hardened

From: Hinnerk van Bruinehsen <h.v.bruinehsen@×××××××××.de>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] nvidia.ko with Grsecurity & PaX kernel
Date: Sat, 21 Sep 2013 18:02:09
Message-Id: 20130921180157.GB2556@TranscendTheRubicon.fritz.box
In Reply to: Re: [gentoo-hardened] nvidia.ko with Grsecurity & PaX kernel by Balint Szente
On Sat, Sep 21, 2013 at 07:55:40PM +0300, Balint Szente wrote:
> Hello Anthony!
>
>
> pypaxctl itself works, but I found the way to reproduce the issue:
>
> 1. Set the PT flags for the nvidia GL library:
>
> # paxctl -c /usr/lib/opengl/nvidia/lib/libGL.so.325.15
> # paxctl-ng -em /usr/lib/opengl/nvidia/lib/libGL.so.325.15
> # paxctl-ng -v /usr/lib/opengl/nvidia/lib/libGL.so.325.15
> /usr/lib/opengl/nvidia/lib/libGL.so.325.15:
> PT_PAX : -em--
> XATTR_PAX : -em--
>
> 2. Delete the XT_ATTR PAX flags (because I don't use XT):
>
> # pypaxctl -d /usr/lib/opengl/nvidia/lib/libGL.so.325.15
> # paxctl-ng -v /usr/lib/opengl/nvidia/lib/libGL.so.325.15
> /usr/lib/opengl/nvidia/lib/libGL.so.325.15:
> PT_PAX : -em--
> XATTR_PAX : not found
>
> 3. Run revdep-pax:
>
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # revdep-pax -m -l /usr/lib/libGL.so
> libGL.so.1 /usr/lib64/opengl/nvidia/lib/libGL.so.325.15 :X86_64 (-em--)
>
> /usr/bin/glxgears ( -e--- )
> [...]
>
> Will mark elf with -em--
>
> Set flags for /usr/bin/glxgears (y/n): y
>
> /usr/bin/glxgears ( ----- )
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -----
> XATTR_PAX : -----
>
> Step 2. is the trigger for the problem. If I don't delete the XT_ATTR
> PAX flags from the GL library, then the revdep-pax script works well.
>
> So as a conclusion, I think the issue appears when the library has only
> PT marks.
>
Why would you remove XT-pax flags anyways? It's just xattr (shouldn't cause
much overhead) and since PT-pax is going to be deprecated (iirc soon), you have
a backup with the XT-pax flags (so you don't have breakage when the switch
occurs).

WKR
Hinnerk
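The following is an added example, not part of the original message and not code from the Gentoo PaX tools. It compares `paxctl-ng -v` reports taken before and after a `revdep-pax` run and flags files that have PT_PAX set without XATTR_PAX, or that lost flag letters, as `/usr/bin/glxgears` did in the quoted session. It assumes report lines look like the quoted output; `parse_report`, `letters` and `audit` are hypothetical names.

```python
import re

# Report lines as quoted in the message, e.g. "PT_PAX : -em--" or "XATTR_PAX : not found"
FIELD = re.compile(r"^(PT_PAX|XATTR_PAX)\s*:\s*(.+)$")

def parse_report(text):
    """Map each path in `paxctl-ng -v` output to its PT_PAX / XATTR_PAX strings (None if absent)."""
    report, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m and current is not None:
            report[current][m.group(1)] = None if m.group(2) == "not found" else m.group(2)
        elif line.endswith(":") and not m:
            current = line[:-1]  # a "path:" header starts a new entry
            report[current] = {"PT_PAX": None, "XATTR_PAX": None}
    return report

def letters(flags):
    """Set of flag letters actually present, ignoring '-' placeholders."""
    return set(flags or "") - {"-"}

def audit(before, after):
    """Hypothetical helper: compare parsed reports from before and after a revdep-pax run."""
    findings = []
    for path, now in sorted(after.items()):
        pt, xt = now["PT_PAX"], now["XATTR_PAX"]
        if pt is not None and xt is None:
            findings.append((path, "xattr-missing"))  # the state after step 2 in the message
        elif pt is not None and xt is not None and pt != xt:
            findings.append((path, "pt-xattr-mismatch"))
        old = before.get(path, {})
        had = letters(old.get("PT_PAX")) | letters(old.get("XATTR_PAX"))
        lost = had - (letters(pt) | letters(xt))
        if lost:
            findings.append((path, "lost:" + "".join(sorted(lost))))
    return findings

# Sample reports assembled from the outputs quoted in the message (shell prompts removed).
LIB, GEARS = "/usr/lib/opengl/nvidia/lib/libGL.so.325.15", "/usr/bin/glxgears"
BEFORE = f"{LIB}:\nPT_PAX : -em--\nXATTR_PAX : not found\n{GEARS}:\nPT_PAX : -e---\nXATTR_PAX : not found\n"
AFTER = f"{LIB}:\nPT_PAX : -em--\nXATTR_PAX : not found\n{GEARS}:\nPT_PAX : -----\nXATTR_PAX : -----\n"

if __name__ == "__main__":
    for path, issue in audit(parse_report(BEFORE), parse_report(AFTER)):
        print(f"{issue:16} {path}")
```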
