On 2015-12-20 09:51, Yves-Alexis Perez wrote:
On dim., 2015-12-20 at 00:32 +0000, ban...@openmailbox.org wrote:
Hi. After testing the kernel, X doesn't boot because restrict mprotect
is enabled.
Hi,
it's most likely because you're using an nvidia/nouveau or amd/radeon
graphics card, and the userland driver uses LLVMpipe which in turn uses
JIT code. I don't have the issue with my intel graphics card.
I see. In a KVM guest there is a similar conflict situation with the QXL
driver too.
Are there plans to integrate a PaX exception list so mprotect
can be enabled system wide while common software can still work?
I don't have any, I'm mostly interested in the kernel part right now.
Also the exceptions are really system-specific, and you don't want them
if you don't really need them.
Agreed, but there are many major software packages, especially on the
desktop, that need exceptions to work, for example Iceweasel and by
extension Tor Browser.
For these you can just use paxd.conf that's maintained by Arch, but the
list will need some tweaking for binary paths and package name
differences between them and Debian. Please see:
https://wiki.archlinux.org/index.php/PaX#User_exceptions
https://github.com/thestinger/paxd/blob/master/paxd.conf
Great work. I look forward to testing more releases in the future.
Regards,
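
Added example (not part of this thread and not code from the PaX or paxd projects): a small C probe that performs the memory-permission change a JIT engine such as LLVMpipe relies on, writable first and executable afterwards, and reports whether the running kernel allows it. The function names are hypothetical, and the probe assumes Linux with glibc; it makes no claim about which errno a hardened kernel returns.

```c
#define _GNU_SOURCE            /* for MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one anonymous page with protection `from`, then ask the kernel to
 * change it to `to`. Returns 0 if the change was allowed, otherwise the
 * errno value. (Hypothetical helper name, not part of any PaX tooling.) */
int probe_transition(int from, int to)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, from,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    if (from & PROT_WRITE)
        memset(p, 0xAA, 16);   /* dirty the page as emitted code would; never executed */
    int rc = (mprotect(p, len, to) == 0) ? 0 : errno;
    munmap(p, len);
    return rc;
}

/* 1 if the write-then-execute pattern used by JIT engines is refused. */
int jit_pattern_blocked(void)
{
    return probe_transition(PROT_READ | PROT_WRITE,
                            PROT_READ | PROT_EXEC) != 0;
}

int main(void)
{
    int rw = PROT_READ | PROT_WRITE;
    int control = probe_transition(rw, PROT_READ);          /* should always work */
    int rw_rx   = probe_transition(rw, PROT_READ | PROT_EXEC);
    int rw_rwx  = probe_transition(rw, rw | PROT_EXEC);

    printf("RW -> R   (control): %s\n", control ? strerror(control) : "allowed");
    printf("RW -> RX  (JIT)    : %s\n", rw_rx   ? strerror(rw_rx)   : "allowed");
    printf("RW -> RWX          : %s\n", rw_rwx  ? strerror(rw_rwx)  : "allowed");
    return jit_pattern_blocked();   /* exit status 1 when the JIT pattern is refused */
}
```

Running it once as-is and once from a binary that has been given an exception shows whether the exception actually took effect for that path.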