1 |
Hi all, |
2 |
Tried to push grsec&PaX settings to the limits. Used quite all settings from quickstart-guide and got this with paxtest-0.9.5: |
3 |
...BEGIN CUT ... |
4 |
PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org> |
5 |
Released under the GNU Public Licence version 2 or later |
6 |
|
7 |
It may take a while for the tests to complete |
8 |
Test results: |
9 |
PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org> |
10 |
Released under the GNU Public Licence version 2 or later |
11 |
|
12 |
Executable anonymous mapping : Killed |
13 |
Executable bss : Killed |
14 |
Executable data : Killed |
15 |
Executable heap : Killed |
16 |
Executable stack : Killed |
17 |
Executable anonymous mapping (mprotect) : Killed |
18 |
Executable bss (mprotect) : Killed |
19 |
Executable data (mprotect) : Killed |
20 |
Executable heap (mprotect) : Killed |
21 |
Executable shared library bss (mprotect) : Killed |
22 |
Executable shared library data (mprotect): Killed |
23 |
Executable stack (mprotect) : Killed |
24 |
Anonymous mapping randomisation test : 16 bits (guessed) |
25 |
Heap randomisation test (ET_EXEC) : 25 bits (guessed) |
26 |
Heap randomisation test (ET_DYN) : 25 bits (guessed) |
27 |
Main executable randomisation (ET_EXEC) : 17 bits (guessed) |
28 |
Main executable randomisation (ET_DYN) : 17 bits (guessed) |
29 |
Shared library randomisation test : 16 bits (guessed) |
30 |
Stack randomisation test (SEGMEXEC) : 23 bits (guessed) |
31 |
Stack randomisation test (PAGEEXEC) : 23 bits (guessed) |
32 |
Return to function (strcpy) : Vulnerable |
33 |
Return to function (strcpy, RANDEXEC) : Vulnerable |
34 |
Return to function (memcpy) : Vulnerable |
35 |
Return to function (memcpy, RANDEXEC) : Vulnerable |
36 |
Executable shared library bss : Killed |
37 |
Executable shared library data : Killed |
38 |
Writable text segments : Killed |
39 |
... END CUT ... |
40 |
1.Could something be done about this 4 'Vuln.' left? |
41 |
PS: can't use ACL for now as i'm on reiserfs3, so no easy acl support still. Am i wrong? |
42 |
2.Also managed to get xorg-X11-6.7.0-r1 to work using these settings, compiled it with USE="static -hardened" so no modules loading (thanks to forums.grsecurity.net). But can't get it to work with the binary-nvidia driver 'nvidia' works only with 2-D 'nv' driver, but for now it's enough for me. Nvidia-kernel module is loaded, so maybe it's something to do with loading kernel-glx module and xorg-x11 being'static'. Suggestions? |
43 |
3.Problems with paxtest-0.9.6 (still not in portage). Took it from adamantix.org project page. Can't compile it some error there: |
44 |
..BEGIN CUT... |
45 |
make gentoo |
46 |
make -f Makefile.Gentoo |
47 |
make[1]: Entering directory `/home/gentoo/src/paxtest-0.9.6' |
48 |
gcc -specs=dumpspecs -o anonmap body.o anonmap.o |
49 |
body.o(.text+0x131): In function `main': |
50 |
: undefined reference to `pthread_create' |
51 |
body.o(.text+0x14a): In function `main': |
52 |
: undefined reference to `pthread_kill' |
53 |
collect2: ld returned 1 exit status |
54 |
make[1]: *** [anonmap] Error 1 |
55 |
make[1]: Leaving directory `/home/gentoo/src/paxtest-0.9.6' |
56 |
make: *** [gentoo] Error 2 |
57 |
...END CUT... |
58 |
i'm compiling with grsec turned ON and GCC-3.3.3-r6 (hardened i think). |
59 |
paxtest-0.9.5 compiles OK. |
60 |
TIA. |
61 |
Rumen |