pageexec@××××××××.hu wrote:
> On 14 Feb 2007 at 17:09, "Tino Müller" wrote:
>
>> #
>> # Non-executable pages
>> #
>> CONFIG_PAX_NOEXEC=y
>
> maybe if you actually enabled any of the non-exec implementations... ;-)
>

Unfortunately I can't, because the config options are gone.

With ACCEPT_KEYWORDS=x86 the kernel version 2.6.18 is installed. Then I find after running "make menuconfig":

Security options --->
  PaX --->
    [*] Enable various PaX features
    PaX Control --->
      [*] Use ELF program header marking
    Non-executable pages --->
      [*] Enforce non-executable pages
      [*] Paging based non-executable pages
      [*] Segmentation based non-executable pages
      Default non-executable page method (SEGMEXEC) --->
      [*] Emulate trampolines
      [*] Restrict mprotect()
      [*] Disallow ELF text relocations
      [*] Enforce non-executable kernel pages

With ACCEPT_KEYWORDS=~x86 the kernel version 2.6.19-r6 is installed. Then I find:

Security options --->
  PaX --->
    [*] Enable various PaX features
    PaX Control --->
      [*] Use ELF program header marking
    Non-executable pages --->
      [*] Enforce non-executable pages

With hardened-sources-2.6.19-r6 I can't enable any of the non-exec implementations.
I tried to enable them by adding the option in the .config file directly, but that didn't change anything.

When I enable Security Level High within the Grsecurity options, then the options are like this:

Security options --->
  PaX --->
    [*] Enable various PaX features
    PaX Control --->
      [*] Use ELF program header marking
    Non-executable pages --->
      --- Enforce non-executable pages
      [*] Emulate trampolines
      --- Restrict mprotect()
      [*] Disallow ELF text relocations
  Grsecurity --->
    [*] Grsecurity
    Security Level (High) --->

But a kernel with these settings doesn't boot, because init is prevented from starting.

I'm installing the system once again. This time with ACCEPT_KEYWORDS=x86 and hardened-sources-2.6.18. I will post the results.

Tino
--
gentoo-hardened@g.o mailing list
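
Added example, not part of the thread and not the project's own code: a shell check for the state pointed out in the quoted reply, where CONFIG_PAX_NOEXEC=y is set but no non-exec implementation is selected. It assumes CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC are the symbols behind the "Paging based" and "Segmentation based" menu entries (neither symbol is named in the message); the function names and the sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a kernel .config that sets CONFIG_PAX_NOEXEC also
# enable a non-exec implementation?

# kconfig_enabled FILE SYMBOL: succeed only on an exact "SYMBOL=y" line.
# "# SYMBOL is not set" lines and SYMBOL_SUFFIX=y lines do not match.
kconfig_enabled() {
    grep -q "^$2=y\$" "$1"
}

# check_pax_noexec FILE: print a verdict and return
#   0  NOEXEC plus at least one implementation
#   1  NOEXEC set, no implementation selected
#   2  NOEXEC itself not enabled
check_pax_noexec() {
    kconfig_enabled "$1" CONFIG_PAX_NOEXEC || { echo "noexec-off"; return 2; }
    impl=""
    # Assumed symbol names for the two implementations (not in the message).
    for sym in CONFIG_PAX_PAGEEXEC CONFIG_PAX_SEGMEXEC; do
        if kconfig_enabled "$1" "$sym"; then impl="$impl $sym"; fi
    done
    [ -n "$impl" ] || { echo "noexec-without-implementation"; return 1; }
    echo "ok:$impl"
}

# Constructed sample fragments, modelled on the two menus in the message.
sample_with_impl() {
    printf '%s\n' 'CONFIG_PAX=y' 'CONFIG_PAX_NOEXEC=y' \
        'CONFIG_PAX_PAGEEXEC=y' 'CONFIG_PAX_SEGMEXEC=y'
}
sample_without_impl() {
    printf '%s\n' 'CONFIG_PAX=y' 'CONFIG_PAX_NOEXEC=y' \
        '# CONFIG_PAX_PAGEEXEC is not set' '# CONFIG_PAX_SEGMEXEC is not set'
}

# Stand-alone use: sh check.sh path/to/.config
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    check_pax_noexec "$1"
fi
```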