Gentoo Archives: gentoo-user

From: Alexander Skwar <listen@×××××××××××××××.name>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Hardened Kernel (PaX): How to allow Text Relocations for *ONE* executable, while disallowing it for *EVERY* *OTHER* executable?
Date: Sun, 16 Apr 2006 09:23:07
Message-Id: 44420C32.3080205@mid.email-server.info

Hello!

I'm using a Hardened Kernel and set "Disallow ELF text relocations"
(CONFIG_PAX_NOELFRELOCS=y). Because of that, I'm unable to run
nxagent from nxserver-freenx package. It fails with the following
error message:

/usr/NX/bin/nxagent: error while loading shared libraries:
/usr/NX/lib/libXcompext.so.1: cannot make segment writable for relocation:
Permission denied

According to the Gentoo Hardened FAQ at
<http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxnoelf>,
that's okay - ie. the kernel setting causes the error message.

Now, how do I allow text relocations for just ONE binary, while
keeping it disallowed for every other executable (the ones which
already exist and the ones, which are to come in the future)?

I now would like to disable this error and allow my program to
be run. How do I do that? The FAQ states, that there's a
PaX feature called MPROTECT which is to be used and that
MPROTECT must be disallowed on the executable which fails to
get executed.

How do I do that?

I thought that I could do this with "chpax -m $binary" (replacing
$binary by the path to the executable, of course. In this case,
/usr/NX/bin/nxagent). But, I did this, and I still get the error
message.

How do I disallow MPROTECT on just one binary? What is "chpax
-m" doing?

Thanks,

Alexander Skwar
--
printk(KERN_DEBUG "%s: BUG... transmitter died. Kicking it.\n",...)
linux-2.6.6/drivers/net/acenic.c
--
gentoo-user@g.o mailing list
