| 1 |
On Wed, Sep 11, 2013 at 11:44:07PM +0300, Balint Szente wrote: |
| 2 |
> On Wed, 11 Sep 2013 19:55:13 +0200 |
| 3 |
> Amadeusz Sławiński <amade@××××××.net> wrote: |
| 4 |
> |
| 5 |
> > [...] |
| 6 |
> > > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y |
| 7 |
> > > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or" |
| 8 |
> > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR: |
| 9 |
> > This method is incompatible with binary only modules but |
| 10 |
> > has a lower runtime overhead. |
| 11 |
> > |
| 12 |
> > Try using bts |
| 13 |
> |
| 14 |
> Yes, of course! Stupid me. This was it... thank you very much. |
| 15 |
> |
| 16 |
> Now there is another issue: |
| 17 |
> kernel: grsec: denied RWX mmap of /usr/lib64/opengl/nvidia/lib/libGL.so.325.15 |
| 18 |
> on pretty much everything, but it is a known issue: |
| 19 |
> <https://bugs.gentoo.org/show_bug.cgi?id=433121> |
| 20 |
> |
| 21 |
> So I disabled CONFIG_PAX_MPROTECT for the moment. |
| 22 |
|
| 23 |
I'd rather paxctl(-ng) -m the offenders and keep CONFIG_PAX_MPROTECT=y- that way you'd have mprotect for at |
| 24 |
least everything else. You can also use blueness revdep-pax to make the process |
| 25 |
easier... |
| 26 |
|
| 27 |
WKR |
| 28 |
Hinnerk |
Archives