LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-27-2014, 11:02 AM   #1
ls_milkyway
LQ Newbie
 
Registered: Aug 2013
Distribution: BT5R2
Posts: 28

iceweasel/firefox not opening in gre/pax 3.2.55 patched kernel


Dear Sir/Madam,

I have successfully applied the gre/pax patch 3.2.55 to the 3.2.55 kernel, then compiled it and installed the patched kernel on Debian wheezy 7.4.0.

When I boot to this new kernel, everything works normally, except that Iceweasel or Firefox is not opening,

but when I boot to the incorporated kernel 3.2.0-4-686-pae, both Iceweasel and Firefox execute normally.

I have selected:

1) DEFAULT GRE/PAX SECURITY (NOT PERFORMANCE) settings for desktop.

2) REMOVED IPv6 from the kernel

and 3) REMOVED most of the EXPERIMENTAL ENTRIES from the kernel (which were safe with proper dependencies)

Please, can anybody guess what went wrong?!

Thanks in advance.
 
Old 04-27-2014, 01:56 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote (originally posted by ls_milkyway):
    Please, can anybody guess what went wrong?!
No, I can't guess that. Maybe some of the clairvoyant forum members can ;-p
- You should list which kernel features, experimental or not, Grsecurity / PaX relies on, if any.
- You're using two different kernel versions, which makes things less easy to compare.
- You're not posting the actual profile for Firefox / Iceweasel.
- You haven't told us if the profile for Firefox / Iceweasel was obtained from running Grsecurity learning mode or not.
- You're not posting any logged errors or strace output of running Firefox / Iceweasel (may require debug mode of sorts).

*BTW, you probably didn't mean to say "GRE" but "Grsecurity", right?
**Note it's ages since I ran Grsecurity, so anyone with more recent practical experience feel free to chip in.
 
Old 04-27-2014, 04:28 PM   #3
ls_milkyway
LQ Newbie
 
Registered: Aug 2013
Distribution: BT5R2
Posts: 28

Original Poster
1) There were no experimental entries in Grsecurity/PaX; I simply selected default > desktop > security.
(Most of the experimental entries were in the drivers section and had no dependencies on Grsecurity/PaX.)

2) How do I log errors or strace output of running Firefox / Iceweasel
(that may require debug mode of sorts)?

3) I think profiles are needed in SELinux or AppArmor, but Grsecurity/PaX profiles?? How do I implement them (if any)?

4) I have downloaded firefox.tar.bz2 and unzipped it to run it (as both root and the default user), but it's not responding: there is no error message or response, even when executed from a terminal.
 
Old 04-28-2014, 01:16 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Most of these are questions fundamental to using PaX / Grsecurity, so you should IMHO start with http://en.wikibooks.org/wiki/Grsecurity .
 
Old 04-28-2014, 01:45 PM   #5
ls_milkyway
LQ Newbie
 
Registered: Aug 2013
Distribution: BT5R2
Posts: 28

Original Poster
I searched online & found it may be related to mprotect.

Here are the grsecurity & PaX settings of the compiled kernel.

Memory Protections --->
[*] Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port
[ ] Restrict VM86 mode
[ ] Disable privileged I/O
[*] Disable unprivileged PERF_EVENTS usage by default
[*] Insert random gaps between thread stacks
[*] Harden ASLR against information leaks and entropy reduction
[*] Deter exploit bruteforcing
[*] Harden module auto-loading
[*] Hide kernel symbols
[*] Randomize layout of sensitive kernel structures
[ ] Use cacheline-aware structure randomization
[*] Active kernel exploit response

Role Based Access Control Options --->
[ ] Disable RBAC system
[ ] Hide kernel processes
(3) Maximum tries before password lockout
(30) Time to wait after max password tries, in seconds

Filesystem Protections --->
[*] Proc restrictions
[ ] Restrict /proc to user only
[*] Allow special group
(1001) GID for special group
[*] Additional restrictions
[*] Linking restrictions
[ ] Kernel-enforced SymlinksIfOwnerMatch
[*] FIFO restrictions
[ ] Sysfs/debugfs restriction
[ ] Runtime read-only mount protection
[*] Eliminate stat/notify-based device sidechannels
[*] Chroot jail restrictions
[*] Deny mounts
[*] Deny double-chroots
[*] Deny pivot_root in chroot
[*] Enforce chdir("/") on all chroots
[*] Deny (f)chmod +s
[*] Deny fchdir out of chroot
[*] Deny mknod
[*] Deny shmat() out of chroot
[*] Deny access to abstract AF_UNIX sockets out of chroot
[*] Protect outside processes
[*] Restrict priority changes
[*] Deny sysctl writes
[*] Capability restrictions
[*] Exempt initrd tasks from restrictions

Kernel Auditing --->
[ ] Single group for auditing
[ ] Exec logging
[*] Resource logging
[ ] Log execs within chroot
[ ] Ptrace logging
[ ] Chdir logging
[ ] (Un)Mount logging
[*] Signal logging
[ ] Fork failure logging
[*] Time change logging
[*] /proc/<pid>/ipaddr support
[*] Denied RWX mmap/mprotect logging

Executable Protections --->
[*] Dmesg(8) restriction
[*] Deter ptrace-based process snooping
[*] Require read access to ptrace sensitive binaries
[*] Enforce consistent multithreaded privileges
[*] Disallow access to overly-permissive IPC objects
[ ] Trusted Path Execution (TPE)

Network Protections --->
[*] Larger entropy pools
[*] TCP/UDP blackhole and LAST_ACK DoS prevention
[*] Disable TCP Simultaneous Connect
[ ] Socket restrictions

Physical Protections --->
[*] Deny new USB connections after toggle
[ ] Reject all USB devices not connected at boot

Sysctl Support --->
[*] Sysctl support
[*] Turn on features by default

Logging Options --->
(10) Seconds in between log messages (minimum)
(6) Number of messages in a burst (maximum)

PaX --->

PaX Control --->
[ ] Support soft mode
[*] Use legacy ELF header marking
[*] Use ELF program header marking
[*] Use filesystem extended attributes marking
MAC system integration (direct) --->

Non-executable pages --->
[*] Enforce non-executable pages
[*] Paging based non-executable pages
[*] Segmentation based non-executable pages
[*] Emulate trampolines
[*] Restrict mprotect()
[*] Use legacy/compat protection demoting (read help)
[ ] Allow ELF text relocations (read help)
[*] Enforce non-executable kernel pages
(12) Minimum amount of memory reserved for module code

Address Space Layout Randomization --->
[*] Address Space Layout Randomization
[*] Randomize kernel stack base
[*] Randomize user stack base
[*] Randomize mmap() base

Miscellaneous hardening features --->
[*] Sanitize all freed memory
[*] Sanitize kernel stack
[*] Forcibly initialize local variables copied to userland
[*] Prevent invalid userland pointer dereference
[*] Prevent various kernel object reference counter overflows
[*] Harden heap object copies between kernel and userland
[*] Automatically constify eligible structures
[*] Prevent various integer overflows in function size parameters
[*] Generate some entropy during boot and runtime

Can anyone PLEASE deduce the problem related to the above settings (if any), or do I need to read the full guide?
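As an added example, not from the thread, from the poster's system or from the Grsecurity project: this is how a practitioner would turn unSpawn's request for "logged errors" into a concrete check against the config posted above, where "Restrict mprotect()" and "Denied RWX mmap/mprotect logging" are both enabled. The script pulls PaX/grsecurity denials out of kernel log lines, names the executable that tripped them, and emits the per-binary mark that relaxes only MPROTECT (which a JIT-using browser needs) instead of weakening PaX system-wide. The dmesg lines in SAMPLE_DMESG are constructed to follow the format of those messages; the binary paths (a tarball install lands elsewhere), PIDs and addresses are assumptions, as are the exact paxctl/setfattr invocations as remedies for this particular system.

```shell
#!/bin/sh
# Added example, not from the thread: triage PaX/grsecurity denials for a
# program that silently fails to start (here Iceweasel/Firefox), then print
# the per-binary mark that relaxes only MPROTECT.
#
# Commands a practitioner runs first on the real box (not executed here;
# "Dmesg(8) restriction" is on in the posted config, so dmesg needs root):
#   dmesg | grep -E 'PAX|grsec'                  # kernel-side denials
#   strace -f -o /tmp/ff.trace firefox           # last syscall before death
#   paxctl -v /path/to/firefox-bin               # current PaX marks, if any

# Constructed sample of dmesg output in the format produced by
# "Denied RWX mmap/mprotect logging" and a PaX kill. Paths, PIDs and
# addresses are assumptions for the example, not from the poster's system.
SAMPLE_DMESG='[  123.456789] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/iceweasel/firefox-bin[firefox-bin:4242] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4000] uid/euid:1000/1000 gid/egid:1000/1000
[  123.457001] grsec: denied RWX mprotect of <anonymous mapping> by /usr/lib/iceweasel/firefox-bin[firefox-bin:4242] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4000] uid/euid:1000/1000 gid/egid:1000/1000
[  130.000000] PAX: terminating task: /usr/lib/iceweasel/plugin-container(plugin-container):4300, uid/euid: 1000/1000, PC: 00000000b7123456, SP: 00000000bf800000
[  131.000000] usb 1-1: new high-speed USB device number 3 using ehci_hcd'

# Read kernel log lines on stdin; print each executable PaX/grsecurity
# refused, once. Unrelated lines (the USB message above) produce nothing.
pax_denied_binaries() {
    sed -n \
        -e 's/.*grsec: denied RWX m[a-z]* of .* by \(\/[^[ ]*\)\[.*/\1/p' \
        -e 's/.*PAX: terminating task: \(\/[^( ]*\)(.*/\1/p' |
        LC_ALL=C sort -u
}

# Remedy for one binary: clear only the MPROTECT flag (lowercase m = off),
# leaving PAGEEXEC/SEGMEXEC/RANDMMAP intact. The posted config enables both
# ELF program header marking (paxctl) and xattr marking (user.pax.flags),
# so either command works; pick one.
pax_fix_hint() {
    bin="$1"
    printf 'paxctl -cm %s\n' "$bin"                       # -c: add PT_PAX_FLAGS, -m: disable MPROTECT
    printf 'setfattr -n user.pax.flags -v m %s\n' "$bin"  # xattr form, needs the attr package
}

# Glue: denials in, commented fix-up commands out.
triage() {
    pax_denied_binaries | while IFS= read -r bin; do
        printf '# PaX/grsecurity denied: %s\n' "$bin"
        pax_fix_hint "$bin"
    done
}

# On a real system: dmesg | triage
printf '%s\n' "$SAMPLE_DMESG" | triage
```

Two caveats a practitioner would keep in mind. Marking with paxctl rewrites the ELF header, so the mark is lost when the package or tarball is upgraded and has to be reapplied (check with `paxctl -v`); the xattr form survives upgrades only if the file is replaced in place with attributes preserved, and needs a filesystem mounted with user xattr support. And if dmesg stays silent while the program still dies, the kernel is not the one refusing it: run the binary under strace as shown in the comments and look at the last few syscalls before exit.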
 
  

