| 1 |
Matt Poletiek wrote: |
| 2 |
> Hello all, I just finished installing hardened gentoo on an i686 dual |
| 3 |
> p3 system and have some questions. I used the 2006.1 install CD and |
| 4 |
> the stage3-hardened-2007.0 tarball. After configuring the kernel and |
| 5 |
> recompiling the toolchain (binutils, gcc, virtual/libc) I did an |
| 6 |
> 'emerge -e world'. This is my first hardened profile install but I |
| 7 |
> have used the grsec patches on a kernel before (an amd64 system) and |
| 8 |
> after rebuilding the toolchain then userland paxtest was killed on all |
| 9 |
> but one or two types of stack execution. |
| 10 |
>=20 |
| 11 |
> However, this time (on the dual p3 system) paxtest is still able to do = |
| 12 |
a |
| 13 |
> lot.... |
| 14 |
|
| 15 |
I'm not a hardened dev, but AMD64 systems would have hardware support |
| 16 |
for non-executable pages, and thus software NX (by Pax) wouldn't be |
| 17 |
required. See http://en.wikipedia.org/wiki/NX_bit |
| 18 |
|
| 19 |
> Is this expected? Did I skip a step? Here is my kernel config. |
| 20 |
|
| 21 |
> # Non-executable pages |
| 22 |
> # |
| 23 |
> CONFIG_PAX_NOEXEC=3Dy |
| 24 |
|
| 25 |
I don't have a x86 system handy to compare this to, but don't you need |
| 26 |
to select either page or segment-based NX? |
| 27 |
|
| 28 |
Cheers |
| 29 |
|
| 30 |
Andrew |
Archives