1 |
On Wed, Sep 11, 2013 at 11:44:07PM +0300, Balint Szente wrote: |
2 |
> On Wed, 11 Sep 2013 19:55:13 +0200 |
3 |
> Amadeusz Sławiński <amade@××××××.net> wrote: |
4 |
> |
5 |
> > [...] |
6 |
> > > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y |
7 |
> > > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or" |
8 |
> > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR: |
9 |
> > This method is incompatible with binary only modules but |
10 |
> > has a lower runtime overhead. |
11 |
> > |
12 |
> > Try using bts |
13 |
> |
14 |
> Yes, of course! Stupid me. This was it... thank you very much. |
15 |
> |
16 |
> Now there is another issue: |
17 |
> kernel: grsec: denied RWX mmap of /usr/lib64/opengl/nvidia/lib/libGL.so.325.15 |
18 |
> on pretty much everything, but it is a known issue: |
19 |
> <https://bugs.gentoo.org/show_bug.cgi?id=433121> |
20 |
> |
21 |
> So I disabled CONFIG_PAX_MPROTECT for the moment. |
22 |
|
23 |
I'd rather paxctl(-ng) -m the offenders and keep CONFIG_PAX_MPROTECT=y- that way you'd have mprotect for at |
24 |
least everything else. You can also use blueness revdep-pax to make the process |
25 |
easier... |
26 |
|
27 |
WKR |
28 |
Hinnerk |