PAX protection

deadlinx · 06-01-2007, 11:01 AM

hi,

I've built the vanilla with the GRSecurity patch many times in the past,
nowadays the last stable and testing patch,
with the same "custom" configuration I'm used to choose,
seem not to really apply PAX protections: OpenOffice starts,
this means the stack is executable as also paxtest output put in evidence!

Please, i don't know what to do, internet is not really helpful about this
problem.

deadlinx

slimm609 · 06-01-2007, 01:36 PM

can you post your .config from the build? if you can post it as a link and not in the code box. Its a big file to code box

deadlinx · 06-02-2007, 05:04 AM

Hi,

The .config, the part inherent to PAX and GRSecurity is
avalilable in this post:
http://forums.grsecurity.net/viewtopic.php?t=1745

It's not my post but it includes the same .config I have
and the "writer" has the same PAX problem I have with the
same 2.6.19.2 patch.

I'm used to apply, successfully, this patch
so I know how to configure it, I used the official documentation,
so it's probably a bug and not a kernel misconfiguration;
in the past PAX has always been working as paxtest reveals,
in fact all programs needing an executable stack needed tuning
for working.

I found the problem also in the last "test patch".
Testing code is not stable, so it's normal it could be buggy,
but a soo big bug in a "security kernel patch",
released since months it's surely a serious problem.

It's paradoxical: you want to increase security,
you use a security stable patch and you rebuild the kernel
and all external driver (boring work on a desktop)
then you get a no-protected kernel,
quite frustrating, don't you?

Changing configuration increasing GRsecurity level to custom
and tuning manually, gives me a kernel oops on reboot :-/

There's also SElinux, but it's not well supported in Feisty and
if you choose tuning like removing upstart and so on you'll get
problem anyway as I read.

Apparmor is not secure as GRSecurity and it gives some installing problems yet.

The only serious alternative is RSBAC, but it's too hard for
a desktop and it takes me too much time in configuring, at this
moment I only have basic protection :-/

deadlinx

unSpawn · 06-08-2007, 03:02 AM

Just to note http://forums.grsecurity.net/viewtopic.php?t=1745 got an immediate response from the PAX team which tells you to look at http://forums.grsecurity.net/viewtopic.php?t=1647.

Quote:

so I know how to configure it, I used the official documentation,
so it's probably a bug and not a kernel misconfiguration;

If you correctly determined it's a bug then you should have the GRSecurity developer confirm it.

slimm609 · 06-08-2007, 03:51 AM

Also have you verifed that every line of your pax and grsecurity kernel config is exact with the one on the page. The reason people ask for the stuff is so we can see if you might have missed something and saying "This is the same as mine" is not the same as saying "This is mine".

I am running the 2.6.19.2 on one of my machines and the 2.6.21.3 on 2 other machines of mine and pax is working fine.

Please post the pax and grsecurity section of the .config file so we can see it.