| 1 |
René Rhéaume wrote: |
| 2 |
> On Fri, Jan 23, 2009 at 11:45 AM, Grant <emailgrant@×××××.com> wrote: |
| 3 |
>> Very close. PAGEEXEC is enabled, but so is SEGMEXEC. My CPU is a |
| 4 |
>> P4-2.8, and I'm not sure about NX support but these are the flags: |
| 5 |
>> |
| 6 |
>> fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 |
| 7 |
>> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts |
| 8 |
>> pni monitor ds_cpl cid xtpr |
| 9 |
> |
| 10 |
> There is no "nx" in your cpuinfo flags. Therefore, your P4 does not |
| 11 |
> have the hardware NX bit (or XD bit in Intel wording) |
| 12 |
|
| 13 |
Hi all! |
| 14 |
|
| 15 |
I've been following this discussion a little bit. I do have a Pentium D |
| 16 |
processor which do have the "nx" flag available. |
| 17 |
|
| 18 |
I see I do have CONFIG_PAX_PAGEEXEC=y in the kernel config, but I do also |
| 19 |
see that all non-kernel processes do have peMRS in the PAX flags when |
| 20 |
checking with the pspax command. |
| 21 |
|
| 22 |
Should I strive to get the PAGEEXEC flag set on all processes, or should I |
| 23 |
not? |
| 24 |
|
| 25 |
Another thing ... I do not quite understand why processes are listed with |
| 26 |
peMRS when paxctl says something a little bit different. An example: |
| 27 |
|
| 28 |
pspax: |
| 29 |
root 11864 peMRS w^x ET_EXEC openvpn =ep cap_setpcap-ep |
| 30 |
|
| 31 |
paxctl -v /usr/sbin/openvpn: |
| 32 |
- PaX flags: -------x-e-- [/usr/sbin/openvpn] |
| 33 |
RANDEXEC is disabled |
| 34 |
EMUTRAMP is disabled |
| 35 |
|
| 36 |
I've scanned through the whole system with "qlist -ao|scanelf -f - -q -x" |
| 37 |
and can't say I find anything here which is of concern, it only finds |
| 38 |
those paxtest files in /usr/lib/paxtest ... so everything should be |
| 39 |
default on the file level. |
| 40 |
|
| 41 |
I was of that understanding that my current setup would give PAGEEXEC as |
| 42 |
default. |
| 43 |
|
| 44 |
|
| 45 |
kind regards, |
| 46 |
|
| 47 |
David Sommerseth |
Archives