Re: [gentoo-hardened] vmware broken on amd64 hardened

2012-02-15 Thread pageexec
On 14 Feb 2012 at 20:36, Alex Efros wrote: > I've just converted my system from x86 to amd64 (Core i7), and one of > things which become broken because of this is vmware. When I start any > guest my host immediately reset, and after booting I didn't see anything > in logs - neither in kernel nor i

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-28 Thread pageexec
On 28 Jan 2012 at 15:23, Alex Efros wrote: > On Sat, Jan 28, 2012 at 02:12:19PM +0200, pagee...@freemail.hu wrote: > > > $ dumpcap > > > dumpcap: Can't get list of interfaces: Can't open /sys/class/net: > > > Permission denied > > > > i think it's GRKERNSEC_SYSFS_RESTRICT that could cause this, d

Re: [gentoo-hardened] Re: Please test hardened-sources 2.6.32-r88 and3.2.2

2012-01-28 Thread pageexec
On 28 Jan 2012 at 20:24, 7v5w7go9ub0o wrote: > No joy. hardened-sources-3.2.2-r1.ebuild still fails for me. what's dmesg say? and what's 'readelf -eW' say on the module that was loaded at the time?

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-28 Thread pageexec
On 28 Jan 2012 at 4:10, Alex Efros wrote: > $ dumpcap > dumpcap: Can't get list of interfaces: Can't open /sys/class/net: Permission > denied i think it's GRKERNSEC_SYSFS_RESTRICT that could cause this, do you have it enabled?

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-28 Thread pageexec
On 28 Jan 2012 at 4:28, Alex Efros wrote: > Hi! > > But... as far as I see, it was just _one_ attempt to access NULL pointer > because of very usual bug. The question is, why is that triggered > CONFIG_GRKERNSEC_BRUTE? Isn't word "brute" suppose many similar incidents > happened in short period o

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-28 Thread pageexec
On 28 Jan 2012 at 4:35, Alex Efros wrote: > > $ dumpcap > > Segmentation fault > > $ ls -l core > > ls: cannot access core: No such file or directory > > And one more question - why core wasn't dumped here? check /proc/sys/fs/suid_dumpable

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-27 Thread pageexec
On 28 Jan 2012 at 2:11, Alex Efros wrote: > Hi! > > On Sat, Jan 28, 2012 at 01:07:43AM +0200, pagee...@freemail.hu wrote: > > > Program received signal SIGSEGV, Segmentation fault. > > > 0xb75fd152 in readdir64 () from /lib/libc.so.6 > > x/16i $pc > > x/16x $sp gosh i knew i'd forgot something:

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-27 Thread pageexec
On 28 Jan 2012 at 1:15, Alex Efros wrote: > $ gdb dumpcap --batch --quiet -ex 'run' -ex 'thread apply all bt full' -ex > quit > > What's next? Recompile glibc with same CFLAGS/FEATURES and try again? having debug info for glibc won't hurt for sure ;). > Program received signal SIGSEGV, Segment

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-27 Thread pageexec
On 27 Jan 2012 at 22:19, Alex Efros wrote: > Hi! > > Two small notes related to security level defaults: > > 1) On my system vmware reboot host OS when starting guest OS if any one > (or both) of these are enabled: > > CONFIG_PAX_KERNEXEC (enabled by default on workstation security lev

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-27 Thread pageexec
On 27 Jan 2012 at 16:25, Kevin Chadwick wrote: > Thanks for the info. In a discussion about malloc flags, it was > mentioned on the OpenBSD list that clearing the memory > immediately brought little in security as it would be cleared before > re-use and if anything could increase the chances of an

Re: [gentoo-hardened] Interesting: CVE-2012-0056

2012-01-24 Thread pageexec
On 24 Jan 2012 at 2:35, Francesco R.(vivo) wrote: > BTW this in "vanilla" gentoo does not work because of the permission of the > su > file: > ls -l /usr/bin/su > -rws--x--x 1 root root 36776 18 gen 21.31 /usr/bin/su > > readelf cannot read the address, but there can be other ways to access the

[gentoo-hardened] Re: aufs3.0 fails to emerge on Gentoo hardened and kernel 3.0.4

2012-01-05 Thread pageexec
On 5 Jan 2012 at 19:13, Andrea Zuccherelli wrote: > zrouter aufs # cat kernel-aufs3-no-const-grsec.patch > --- /usr/src/linux/include/linux/fsnotify_backend.h > +++ /usr/src/linux/include/linux/fsnotify_backend.h > @@ -105,6 +105,7 @@ struct fsnotify_ops { > void (*freeing_mark)(struct fsn

[gentoo-hardened] Re: aufs3.0 fails to emerge on Gentoo hardened and kernel 3.0.4

2012-01-05 Thread pageexec
On 5 Jan 2012 at 17:21, Andrea Zuccherelli wrote: > > now if some code needs writable ops structure variables it has 3 options > > under > > the plugin approach: > > > > 1. add __no_const to the structure declaration > > > > 2. typedef a __no_const version of the constified structure type > > > >

[gentoo-hardened] Re: aufs3.0 fails to emerge on Gentoo hardened and kernel 3.0.4

2012-01-05 Thread pageexec
On 3 Jan 2012 at 22:10, Andrea Zuccherelli wrote: > The switch I was referring to is > '-fplugin-arg-constify_plugin-no-constify' gcc option. > This should disable the constify_plugin but it is not checked on gcc > callbacks when a 'no_const' attribute is found. it doesn't exactly disable the plu

[gentoo-hardened] Re: aufs3.0 fails to emerge on Gentoo hardened and kernel 3.0.4

2012-01-03 Thread pageexec
On 3 Jan 2012 at 20:47, Andrea Zuccherelli wrote: please don't top post, it makes your responses hard to correlate to what you're referring to. like right here: > Ok, but this does not solve the gcc switch bug... ;) what does 'this' refer to? if you meant CONFIG_PAX_CONSTIFY_PLUGIN then there s

[gentoo-hardened] Re: aufs3.0 fails to emerge on Gentoo hardened and kernel 3.0.4

2012-01-03 Thread pageexec
On 3 Jan 2012 at 18:34, Andrea Zuccherelli wrote: > hfsnotify.c:208:2: error: assignment of read-only member 'br_hfsn_ops' > > I found this to be caused by grsecurity constify_plugin. > So i tried to disable it using > '-fplugin-arg-constify_plugin-no-constify' switch. newer kernels have CONFIG_

Re: [gentoo-hardened] Changes to the predefined grsec profiles: GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}

2012-01-02 Thread pageexec
On 2 Jan 2012 at 10:56, Hinnerk van Bruinehsen wrote: > - with PAX_RANDKSTACK enabled I'm not able to successfully compile > glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I get an oops > (because of the kernelstack - I think). that's interesting, i'd need the oops message (enable kernel symb

Re: [gentoo-hardened] hardened-sources & tp_smapi, firefox-9.0 install stucks

2011-12-31 Thread pageexec
On 30 Dec 2011 at 13:28, Sven Vermeulen wrote: > Regarding the firefox issue, I don't know if a bug is already opened for > that, but the solution is to paxmark -r (disable RANDMMAP) both xpcshell > (you'll need to edit the ebuild to do so or do it before it starts in the > install phase) and the

Re: [gentoo-hardened] Meeting 2011-12-14 20:00UTC log

2011-12-20 Thread pageexec
On 18 Dec 2011 at 23:48, Magnus Granberg wrote: > [21:30:59] also, there is a new kernel feature for PaX > [21:31:12] it will be related to the gcc plugin to constify kernel > pointers it's actually for KERNEXEC/amd64, not constification ;). what the KERNEXEC gcc plugin does is simple, it ens

Re: [gentoo-hardened] apache ssl problems: PAX terminates execution attempt

2011-04-17 Thread pageexec
On 17 Apr 2011 at 12:27, "Tóth Attila" wrote: > On 17 April 2011 (Sun) at 03:49, Alex Efros wrote: > > Hi! > > > > On Sun, Apr 17, 2011 at 02:17:21AM +0200, "Tóth Attila" wrote: > >> Reverting to the old binary makes the problem go away. > > > > Any chance it's as trivial as somehow modifi

Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination

2011-03-09 Thread pageexec
On 8 Mar 2011 at 15:55, Mike Frysinger wrote: > On Tue, Mar 8, 2011 at 3:49 PM, Anthony G. Basile wrote: > > Nothing to say that Mike hasn't already said.  pipacs knows about this > > but what can he do?  Good luck with upstream glibc.  Next time I speak > > with pipacs I can bring it up, see if a

Re: [gentoo-hardened] PaX softmode needed for >=dev-lang/mono-2.8

2011-03-04 Thread pageexec
On 4 Mar 2011 at 12:49, Alex Efros wrote: > Hi! > > Please take a look at http://bugs.gentoo.org/show_bug.cgi?id=347365 > > Requiring PaX softmode while emerging mono sounds just plain wrong, > there should be way to do same using paxctl for single binary. how about CC'ing me on the bug next ti

Re: [gentoo-hardened] Re: Re: Remove the pic use flag in the hardened amd64 profile.

2011-03-02 Thread pageexec
On 2 Mar 2011 at 22:10, Peter Hjalmarsson wrote: > > > KVM is a different story, and I do see slowdown for amd64. > > > > this means that the slowdown is truly specific to some kvm/uderef > > interaction, > > not that i have an idea where to look still... > > Are you missing anything you need

Re: [gentoo-hardened] Re: Remove the pic use flag in the hardened amd64 profile.

2011-03-02 Thread pageexec
On 1 Mar 2011 at 18:28, Anthony G. Basile wrote: > > in HVM mode > > i386 should be fine, amd64 should be dead slow. > > In my experience, both are fine. I run hardened x86, hardened amd64 and > hardened amd64 nomultilib as domU. The host is OpenSuse 11.3. I have > both KERNEXEC and UDEREF on,

Re: [gentoo-hardened] Re: Remove the pic use flag in the hardened amd64 profile.

2011-03-01 Thread pageexec
On 1 Mar 2011 at 16:52, Marcel Meyer wrote: > On Sunday 27 February 2011 17:20:25 Pavel Labushev wrote: > > 27.02.2011 22:32, "Tóth Attila" : > > http://grsecurity.net/pipermail/grsecurity/2010-April/001024.html - from > here: > > So if I understand pageexec's mail correctly, using a 32-bit harden

Re: [gentoo-hardened] Re: Remove the pic use flag in the hardened amd64 profile.

2011-03-01 Thread pageexec
On 28 Feb 2011 at 15:39, Daniel Reidy wrote: > On Sun, Feb 27, 2011 at 5:58 PM, wrote: > > that's actually not the intended use of the PIC USE flag, we wanted it > > originally > > to enable configuring/compiling position independent code for packages > > where one > > wanted to make a tradeof

Re: [gentoo-hardened] Re: Remove the pic use flag in the hardened amd64 profile.

2011-02-27 Thread pageexec
On 27 Feb 2011 at 9:53, Anthony G. Basile wrote: > >> Most of the asm code is in libs and on amd64 it need to be PIC friendly > >> from > >> the start. We don't need to disable asm code. We do that most times with > >> the > >> pic use flag on hardened profile. > >> > >> /Magnus that's actually n

Re: [gentoo-hardened] pidgin & libGL

2011-02-16 Thread pageexec
On 16 Feb 2011 at 18:50, Alex Efros wrote: > pidgin: error while loading shared libraries: libGL.so.1: failed to > map segment from shared object: Operation not permitted > > While this can be solved by same `paxctl -m`, I don't like to relax PaX > for pidgin. Instead, I'd like to stop pi

Re: [gentoo-hardened] hardened-sources-2.6.36-r8

2011-01-13 Thread pageexec
On 13 Jan 2011 at 20:38, "Tóth Attila" wrote: > Compiling the recent hardened-sources results in the following error > message, when irda is enabled: > > CC net/irda/af_irda.o > net/irda/af_irda.c: In function `__irda_getsockopt´: > net/irda/af_irda.c:2289:4: error: label `out´ used but not

Re: [gentoo-hardened] UDEREF vs. Apache MMAP

2011-01-10 Thread pageexec
On 8 Jan 2011 at 13:22, Anthony G. Basile wrote: > pipacs, was this the same as the python bug? > >http://bugs.gentoo.org/show_bug.cgi?id=329499 no, the python bug is due to MPROTECT having become more strict, the net related issues were due to the recent tightening of UDEREF/i386 and a small o

Re: [gentoo-hardened] UDEREF vs. Apache MMAP

2011-01-08 Thread pageexec
On 7 Jan 2011 at 23:57, Michael Orlitzky wrote: > I was able to figure out my new apache problem. It seems that > PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along > sometimes: this one should have already been fixed in one of this week's patches, but i'm not sure if it's in any

Re: [gentoo-hardened] ppp/pppoe(?) issue with hardened-source-2.6.36-r6

2011-01-06 Thread pageexec
On 6 Jan 2011 at 10:57, ungift-ed wrote: > Jan 5 21:36:57 gate kernel: PAX: suspicious general protection fault: > [#1] can you please follow http://en.wikibooks.org/wiki/Grsecurity/Reporting_Bugs ? also try the latest grsec or PaX patch directly as we've fixed some bugs since -r6 or even

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2011-01-04 Thread pageexec
On 4 Jan 2011 at 19:38, "Tóth Attila" wrote: > Would it be possible that the CPU itself is actually failing (opcode )? not in this case, always look at the first problem, everything else may very well be just collateral damage. and that's a BUG_ON so it's the kernel that detects some bad cond

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2011-01-04 Thread pageexec
On 4 Jan 2011 at 14:52, "Tóth Attila" wrote: > No errors were found after 12 hours of memtest. > > However some serious crashes still occur. > > I attach snippets of kern.log. > > Is it still suggests a hardware error? when i said memory corruption, i didn't mean a hw error but a sw one that caus

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2011-01-04 Thread pageexec
On 4 Jan 2011 at 14:52, "Tóth Attila" wrote: > Forgotten attachment ok, i think it's time to try vanilla if you can as this seems to be a problem in code we don't really touch directly...

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2010-12-30 Thread pageexec
On 30 Dec 2010 at 20:29, "Tóth Attila" wrote: > There were two screen shots attached. The older one was outdated related > to 2.6.32 kernel. > > But the other was a recent panic. unfortunately this one had the first oops scroll away already, so i can't tell much about it... > So here is another

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2010-12-29 Thread pageexec
On 27 Dec 2010 at 1:05, klondike wrote: > looking at ./Documentation/kernel-parameters.txt only found these: > pax_nouderef[X86-32] disables UDEREF. Most likely needed under > certain > virtualization environments that don't cope well with > the >

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2010-12-26 Thread pageexec
On 26 Dec 2010 at 19:59, "Tóth Attila" wrote: > I don't know if it is related or not. I don't use ext4 and have no > symptoms of disappearing root. I attach a photo taken using a recent > kernel. The latest crashes I've experienced for the past few months > prevented syncing, so didn't get logged.

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2010-12-26 Thread pageexec
On 26 Dec 2010 at 14:09, Michael Orlitzky wrote: > Challenge accepted. I'm dressed, the car's cleaned off, and I'm > recompiling with UDEREF=n. passing pax_nouderef on the kernel cmdline should be enough ;)

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2010-12-26 Thread pageexec
On 26 Dec 2010 at 12:06, Michael Orlitzky wrote: > I do have UDEREF enabled: > > # grep UDEREF .config > CONFIG_PAX_MEMORY_UDEREF=y > > I can try disabling it when I'd be willing to drive to work and reboot > the thing. ok, in this case don't worry about it as i'm sure it's a known bug. if

Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade

2010-12-26 Thread pageexec
On 26 Dec 2010 at 1:59, Michael Orlitzky wrote: > I've got (at least) two servers that lose their root partition after > this upgrade. One of them has an HP cciss SCSI RAID controller; the > other has a single IDE hard drive. Assuming the problem is something > common, I'll stick to describing the

Re: [gentoo-hardened] Suggestion for kernel tree: Pax + linux-vserver

2010-11-04 Thread pageexec
On 3 Nov 2010 at 18:24, Ed W wrote: > Up until now I have also been running kernels with the grsec patches, > but merging those with linux-vserver is relatively complex since there > is some overlap. Additionally it would appear that linux-vservers offer > a large chunk of the protection that

Re: [gentoo-hardened] 2.6.28-hardened-r7 hangs before starting /sbin/init

2010-10-23 Thread pageexec
On 23 Oct 2010 at 15:21, Alex Efros wrote: > This just happens again: after upgrade from 2.6.32-hardened-r9 to > 2.6.32-hardened-r22 kernel hangs after "Freeing unused kernel memory:". > With init=/bin/bash it boots ok (bash flags: ---x-e--). > With init=/sbin/runit-init it hangs (with flags:

Re: [gentoo-hardened] app segfault after hardened upgrade

2010-09-23 Thread pageexec
On 22 Sep 2010 at 14:45, Grant wrote: > makemkv segfaults after I switched from 2.6.34-hardened-r2 to > 2.6.34-hardened-r6. paxctl -m and softmode have no effect, but > compiling all "Security" out of my kernel does. I noticed the > Grsecurity profiles changed during this kernel upgrade. Could

Re: [gentoo-hardened] Meeting 2010-09-16 log

2010-09-17 Thread pageexec
On 17 Sep 2010 at 19:56, Radoslaw Madej wrote: > Zorry - which version of gcc/glibc do you want to get to work on arm? I'd be > more than happy to help with some testing if needed! My N900 screams for > hardened...! ;)) maybe look at http://natisbad.org/N900/n900-custom-kernel.html ? ;)

Re: [gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

2010-09-07 Thread pageexec
On 3 Sep 2010 at 11:56, Daniel Kuehn wrote: > The randomisation bit was particularily interesting because as far as I > understand that is one of the better security measures we can use. actually, if you ask me, ASLR is the least useful security feature :P. it's not even really security, it's me

Re: [gentoo-hardened] VMware-related bug

2010-07-13 Thread pageexec
On 9 Jul 2010 at 2:04, Alex Efros wrote: > On Fri, Jul 09, 2010 at 12:15:36AM +0200, pagee...@freemail.hu wrote: > > so in general .32+ should work, as far as this problem is concerned. > > unfortunately > > i couldn't find a working ebuild for vmware 7 yet, so i can't tell if > > there're more

Re: [gentoo-hardened] VMware-related bug

2010-07-08 Thread pageexec
On 8 Jul 2010 at 21:36, Alex Efros wrote: > Hi! > > While discussing inability to run 64-bit VMware guests on 32-bit Gentoo > Hardened host I got reply: it's because of GrSec/Pax bug related to > > "way that vmap(..., VM_PAGE_KERNEL_EXEC) may map a page as > non-executable, despite the f

Re: [gentoo-hardened] Re: aufs2 Monday GIT release

2010-05-28 Thread pageexec
On 28 May 2010 at 14:16, Thomas Sachau wrote: > Since this is a conflict between aufs2 and pax/grsec patches, i would like to > see the view of the > pax team too. Below are the two mails from aufs2 upstream together with the > latest patch, which does > workaround the problem and contains some

Re: [gentoo-hardened] PAX bug?

2010-05-15 Thread pageexec
On 15 May 2010 at 10:46, David Sommerseth wrote: > On 15/05/10 02:15, pagee...@freemail.hu wrote: > > i'd need the vmlinux image to tell for sure but it's most likely a false > > positive > > that has been fixed since in later kernels, so please try to use something > > we actually > > support (

Re: [gentoo-hardened] PAX bug?

2010-05-14 Thread pageexec
On 13 May 2010 at 0:55, Alex Efros wrote: > Server was rebooted, now everything is fine. Server software is nearly > up-to-date x86 Gentoo (last update was 2-3 weeks ago), kernel is > sys-kernel/hardened-sources-2.6.28-r9. i'd need the vmlinux image to tell for sure but it's most likely a false

Re: [gentoo-hardened] Bought an "entropy-key" - very happy

2010-03-25 Thread pageexec
On 25 Mar 2010 at 20:12, Rob Kendrick wrote: > On Thu, 25 Mar 2010 19:50:23 +0200 > pagee...@freemail.hu wrote: > > > > it goes to extraordinary lengths to make sure the entropy that is > > > injected into your pool can't be sniffed before it gets there, > > > > out of curiosity, what's that

Re: [gentoo-hardened] Bought an "entropy-key" - very happy

2010-03-25 Thread pageexec
On 25 Mar 2010 at 13:10, Rob Kendrick wrote: > it goes to extraordinary lengths to make sure the entropy that is > injected into your pool can't be sniffed before it gets there, out of curiosity, what's that mean exactly?

Re: [gentoo-hardened] Revdep-rebuild doesn't finish

2010-01-29 Thread pageexec
On 29 Jan 2010 at 11:21, Shinkan wrote: > I tried to "revdep-rebuild" (after emerge -uDNa world && emerge --depclean), > but it locks at 74% with no information. when it stops, find the process id of the script and look at /proc//fd/, you'll probably see which file it was accessing last and that

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

2010-01-27 Thread pageexec
On 27 Jan 2010 at 13:56, Dariem Pérez Herrera wrote: > Thanks for your reply. I haven't looked for PaX issues yet (I suppose > it'd be at runtime), I'd like to achieve firstly a successful > compilation using PIC. I've played a little with the inline asm code and > I think it can be done. Did you

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

2010-01-27 Thread pageexec
On 27 Jan 2010 at 1:58, Dariem Pérez Herrera wrote: > Hello, > I'm new in this list. Let me introduce myself: my name is Dariem, and > I'm part of a team that is trying to create a distro based on project > Gentoo Hardened. We want to collaborate with you in everything we can. > My first email wi

Re: [gentoo-hardened] Cannot build OpenOffice with PaX enabled...

2010-01-22 Thread pageexec
On 22 Jan 2010 at 19:43, Michael Edenfield wrote: > dmake: Error code 1, while making '../../unxlngx6.pro/lib/libofficebean.so' > > and a corresponding kernel error: > > checkdll[6600]: segfault at 2c02baf83d80 ip 2c02bad6ce79 sp > 72408b6dbe90 error 7 in ld-2.11.so[2c02bad66000+1e000]

Re: [gentoo-hardened] Tin Hat 20091218 is out!

2009-12-25 Thread pageexec
On 21 Dec 2009 at 9:38, basile wrote: > Tobias Klein from trapkit.de was kind enough to allow us to bundle his > checksec.sh script which tests system binaries or running processes for > relro, ssp, nx, pie and aslr. Every binary shows these hardening > features enabled except X and evolution whi

Re: [gentoo-hardened] Glibc detected invalid pointer

2009-10-17 Thread pageexec
On 16 Oct 2009 at 15:50, Jeff Rooney wrote: > Whenever I run tripwire in a check mode I get the following output: > > *** glibc detected *** tripwire: free(): invalid pointer: 0x7fffd5d8 > *** that looks like a stack pointer, i.e., tripwire somewhere stored a local variable address (of

Re: [gentoo-hardened] Tin Hat 20090519 is out!

2009-05-25 Thread pageexec
On 22 May 2009 at 13:32, basile wrote: > Paxtest doesn't cover everything, but it covers important checks and if > any fail there is definitely reason for concern. just a sidenote, the ssp tests in paxtest were written to FAIL, not to succeed, since pax doesn't prevent overflows per se. if you wa

Re: [gentoo-hardened] Softmode required for a particular wine app

2009-05-08 Thread pageexec
On 8 May 2009 at 9:30, Grant wrote: > I've been able to run Windows apps via wine since executing 'paxctl -m > /usr/bin/wine-preloader', but there is one app which won't run unless > I enable softmode. The error I get in dmesg is: > > grsec: signal 11 sent to /usr/bin/wine-preloader[DVDAExplorer

Re: [gentoo-hardened] Re: Re: foldingathome and PAX

2009-04-21 Thread pageexec
On 21 Apr 2009 at 6:46, Peter Hjalmarsson wrote: > Thanks for the information. > This time I ran > strace -ff -o ~/fah6-strace ./fah6 > > The part I ran previously was just the core which is run by fah6 after > ensuring there is a workunit and all that. fah6-strace.795 seems to be > the log for t

Re: [gentoo-hardened] Re: foldingathome and PAX

2009-04-20 Thread pageexec
On 20 Apr 2009 at 22:38, Peter Hjalmarsson wrote: > strace ./FahCore_a0.exe -dir work/ -suffix 01 -checkpoint 15 -verbose > -version 602 > ~/fah6-stdout 2> ~/fah6-stderr try strace -f, it seems the app is forking and that's probably where something goes wrong. -ff -o are also useful switches for

Re: [gentoo-hardened] Re: foldingathome and PAX

2009-04-20 Thread pageexec
On 20 Apr 2009 at 21:53, Peter Hjalmarsson wrote: > I find nothing in any logs from pax whatever I try, the reason I tried > with PAX-permissions was a hunch. > Only disable mprotect does not change anything. ok, can you try to strace one of the failing processes and send me the logs? > I cann

Re: [gentoo-hardened] foldingathome and PAX

2009-04-20 Thread pageexec
On 20 Apr 2009 at 21:03, Peter Hjalmarsson wrote: > I realised earlier today that foldingathome (installed with the help of > portage) had not started a new WU since 5 of april, and when I started > to investigate I found out that the "cores" had problem running. > > cd /opt/foldingathome && > p

Re: [gentoo-hardened] miro segfaults when PAX is not in softmode

2009-04-06 Thread pageexec
On 5 Apr 2009 at 8:54, Grant wrote: > > in that case you have to use paxctl on the python interpreter, not > > the script. but before that it's better to find out why it crashes, > > so you should produce a coredump and analyze it. > > Thank you, I ran 'paxctl -m /usr/bin/python' and now miro sta

Re: [gentoo-hardened] miro segfaults when PAX is not in softmode

2009-04-03 Thread pageexec
On 3 Apr 2009 at 13:08, Grant wrote: > I use a program called miro a lot, but since upgrading to gcc-4.3.3, > it segfaults if I don't issue: what's the package name? or what ebuild do you use? > grsec: signal 11 sent to /usr/bin/miro.real[miro.real:19177] > uid/euid:1000/1000 gid/egid:100/100, p

Re: [gentoo-hardened] 2.6.28-hardened-r7 hangs before starting /sbin/init

2009-04-02 Thread pageexec
On 3 Apr 2009 at 2:04, Alex Efros wrote: > I think best way to find out what happens - add debug prints into PaX code > which executes while starting process N1. ok, can you add a printk into mm/mmap.c:mmap_region and print out all the arguments? that will show us at least what the kernel intende

Re: [gentoo-hardened] 2.6.28-hardened-r7 hangs before starting /sbin/init

2009-04-02 Thread pageexec
ted? i've never seen such a failure mode ;). > > btw, why are you using SEGMEXEC on your core2? > > Hmm. You think I should use PAGEEXEC instead? According to help in linux > kernel SEGMEXEC looks more suitable for Core2Duo and Xeon E5310... > > In help for PAGEEXE

Re: [gentoo-hardened] 2.6.28-hardened-r7 hangs before starting /sbin/init

2009-04-02 Thread pageexec
On 2 Apr 2009 at 18:29, Alex Efros wrote: > Hi! > > switching off CONFIG_PAX_MPROTECT solve this issue > > Now I'll try to paxctl -m for /bin/bash and /sbin/runit-init (with > switched on CONFIG_PAX_MPROTECT, of course)... yeah, that solves this > issue too. can you strace bash/etc to see what

Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination

2009-03-20 Thread pageexec
On 19 Mar 2009 at 12:46, John Eckhart wrote: > It seems like we have a multiway catch22 as the fix for the kernel was > correct from both a security and a "trueness to specification" standpoint > and the fix for glibc will likely be a long time in coming. Based on that, I > would think that the be

Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination

2009-03-19 Thread pageexec
On 7 Mar 2009 at 1:46, Alex Efros wrote: > Hi! > > On Fri, Mar 06, 2009 at 03:25:16PM -0800, Ned Ludd wrote: > > FYI.. PaX Team maintains the PaX kernel and has little control over what > > fixes go into the "next" hardened-sources. Also seems to me a little > > strange that the PaX Team would ha

Re: [gentoo-hardened] stack fault in kernel mode with i686 with 2.6.26-r9 and 2.6.27-r8

2009-03-10 Thread pageexec
On 8 Mar 2009 at 22:42, basile wrote: > > hmm, that used to be ok, can you try 2.19.x just in case? > > > > > Okay tested vanilla binutils-2.19.1 Same behaviour. > > I'll test hardened 2.6.28 tomorrow. Too tired tonight. no worries, i already reproduced it with latest PaX and everything an

Re: [gentoo-hardened] stack fault in kernel mode with i686 with 2.6.26-r9 and 2.6.27-r8

2009-03-08 Thread pageexec
On 8 Mar 2009 at 20:47, basile wrote: > pagee...@freemail.hu wrote: > > On 8 Mar 2009 at 20:10, basile wrote: > > > > > >> I built a grub ISO with two kernels, identical in every respect except > >> CONFIG_PAX_KERNEXEC is set for the first kernel which gives the triple > >> fault, and not set f

Re: [gentoo-hardened] stack fault in kernel mode with i686 with 2.6.26-r9 and 2.6.27-r8

2009-03-08 Thread pageexec
On 8 Mar 2009 at 20:10, basile wrote: > I built a grub ISO with two kernels, identical in every respect except > CONFIG_PAX_KERNEXEC is set for the first kernel which gives the triple > fault, and not set for the second which boots fine. Here's the ISO and > qemu.log: > > http://opensource.dyc.e

Re: [gentoo-hardened] stack fault in kernel mode with i686 with 2.6.26-r9 and 2.6.27-r8

2009-03-08 Thread pageexec
On 8 Mar 2009 at 18:51, basile wrote: > >> # qemu -cdrom th-i686-20090307-RC3.iso > >> qemu: fatal: triple fault > >> EAX=00ff EBX=0153cac0 ECX=0013a2d1 EDX=0013a2d1 > >> ESI=0024c000 EDI=0140 EBP=01541a20 ESP=01541a10 > >> EIP=0153a2d0 EFL=0002 [---] CPL=0 II=0 A20=1 SMM=0 HLT=0 >

Re: [gentoo-hardened] stack fault in kernel mode with i686 with 2.6.26-r9 and 2.6.27-r8

2009-03-07 Thread pageexec
On 7 Mar 2009 at 18:39, basile wrote: > Hi guys, > > I'm encountering a reproduceable problem with hardened 2.6.26-r9 and > 2.6.27-r8 that wasn't there with 2.6.25-r13 on i686, and isn't there > with amd64 using approximately the same kernel configuration in every > case. I've been able to repro

Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination

2009-03-06 Thread pageexec
On 6 Mar 2009 at 23:51, Alex Efros wrote: > When I run apache for the first time after reboot - without strace/core, > just to see is it crash - I got this in kernel log: > > 2009-03-06_20:48:56.60108 kern.info: apache2[4621]: segfault at > 4d554ed0 ip 4d541399 sp 594130d0 error 7 in ld-2

Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination

2009-03-06 Thread pageexec
On 6 Mar 2009 at 17:13, Alex Efros wrote: > Two questions: > 1) Is "2.6.28.7 and PaX alone" mean hardened-sources-2.6.28 with > everything except PaX switched off, or vanilla-sources-2.6.28.7 manually > patched with latests PaX? it's always the latter ;), i need to make sure it's a PaX problem.

Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination

2009-03-06 Thread pageexec
On 6 Mar 2009 at 5:57, Alex Efros wrote: > First issue: many perl scripts (including FastCGI servers) failed to start > with segmentation fault. See http://bugs.gentoo.org/show_bug.cgi?id=261357 > for details and ugly workarounds. > > Second issue: apache failed to start with segmentation fault.

Re: [gentoo-hardened] New Pax feature in 2.6.26 regarding ref. counter overflows

2009-02-10 Thread pageexec
On 10 Feb 2009 at 13:17, basile wrote: > Hi everyone, > > I noticed a new option in configuring PaX in the kernel with version > 2.6.26. It says: > > Prevent various kernel object reference counter overflows > > The description says that it "prevents overflowing various (but not all) > ki

Re: [gentoo-hardened] Grsecurity slows down a web server?

2009-01-26 Thread pageexec
On 24 Jan 2009 at 10:48, Grant wrote: > >> Nope, you guys are absolutely right. It falls back to peMRS whether > >> or not I enable PAGEEXEC since I don't have the nx flag. > > > > ok, so coming back to your original problem, are you saying that you > > h

Re: [gentoo-hardened] Re: Tin Hat 20090119 released

2009-01-25 Thread pageexec
On 22 Jan 2009 at 19:28, basile wrote: > Thanks Gordon. On another note, I am wondering if you and the other > team members > have any thoughts about PaX/Grsecurity possibly being dropped > upstream. I hate > to see hardened gentoo without it, but there may be no choice. http://grsecurity.net/

Re: [gentoo-hardened] RLIMIT_MEMLOCK but can't paxctl -m

2009-01-25 Thread pageexec
On 25 Jan 2009 at 7:12, Grant wrote: > I'm getting: > > grsec: denied resource overstep by requesting 135168 for > RLIMIT_MEMLOCK against limit 32768 for > /usr/bin/miro.real[miro.real:12965] uid/euid:1000/1000 > gid/egid:100/100, parent /usr/bin/miro[miro:12964] uid/euid:1000/1000 > gid/egid:100

Re: [gentoo-hardened] Grsecurity slows down a web server?

2009-01-24 Thread pageexec
On 24 Jan 2009 at 8:51, Grant wrote: > Nope, you guys are absolutely right. It falls back to peMRS whether > or not I enable PAGEEXEC since I don't have the nx flag. ok, so coming back to your original problem, are you saying that you had an observable slowdown due to SEGMEXEC? if s

Re: [gentoo-hardened] Grsecurity slows down a web server?

2009-01-24 Thread pageexec
If so, I suppose the best thing to do would be to > upgrade the CPU? if both PAGEEXEC and SEGMEXEC are enabled, PaX uses one of them by default, depending on whether your CPU and kernel config supports the NX bit or not (yes, you need to enable PAE support in the kernel in order to actually be abl

Re: [gentoo-hardened] Grsecurity slows down a web server?

2009-01-23 Thread pageexec
features did you enable? > > I enabled the grsecurity "Gentoo (server)" profile in the hardened > kernel. ok, is PAGEEXEC enabled (and SEGMEXEC isn't) and is your cpu some P4 variant without NX support? that's about the only situation where you should see an observable

Re: [gentoo-hardened] Grsecurity slows down a web server?

2009-01-23 Thread pageexec
On 22 Jan 2009 at 20:37, Grant wrote: > My website seems a bit slower since I enabled grsecurity on that > system. Is that typical? Is it most likely due to MPROTECT, or > something else? can you quantify this slowdown? and what grsec/pax features did you enable?

Re: [gentoo-hardened] Tin Hat 20090119 released

2009-01-21 Thread pageexec
On 21 Jan 2009 at 0:21, Joseph Raymond wrote: > not to crap on your parade, but what does tinhat have to do with gentoo > hardened? yes i know you based it off it. that's more than enough reason to keep us informed.

Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK

2009-01-17 Thread pageexec
On 18 Jan 2009 at 1:20, Manuel Leithner wrote: > No, he's correct. He wanted to undo paxctl -m. ah, undoing. it's still not correct for the reason i told you. -zex is the base state, as the manpage says as well... > > Regards, > Manuel Leithner > > On Sat, 17 Jan 2009 23:27:51 +0100, pagee...@

Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK

2009-01-17 Thread pageexec
On 17 Jan 2009 at 11:06, Grant wrote: > >> Does anyone know how to > >> fix this? How can I undo what I did with the above paxctl command > >> since it doesn't seem to be helping? > > > > man paxctl would tell you if you looked ;). > > Thanks, it's 'paxctl -M /usr/bin/mplayer'. you mean -m, -M

Re: [gentoo-hardened] Re: denied resource overstep... for RLIMIT_MEMLOCK

2009-01-15 Thread pageexec
On 15 Jan 2009 at 18:05, Grant wrote: > I also noticed this in dmesg on a different system and I'm wondering about it: > > PAX: execution attempt in: > /usr/lib64/opengl/nvidia/lib/libGLcore.so.177.82, > 6b8d6f99-6b8d6fd2 00c1b000 > PAX: terminating task: /usr/bin/Xorg(X):14958, uid/euid:

Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK

2009-01-15 Thread pageexec
On 15 Jan 2009 at 17:55, Grant wrote: > One of my Blu-Ray rips won't play and there is a steady stream of > "Error while decoding frame!" messages in mplayer's output when I try. > I just noticed that each time I try to play the movie, I get another > one of these in dmesg: > > grsec: denied res

Re: [gentoo-hardened] Which hardened kernel feature disables wine?

2009-01-14 Thread pageexec
On 14 Jan 2009 at 9:49, Grant wrote: > >> Thanks Ned. I get the following but I've only ever issued paxctl > >> referencing /usr/bin/wine-preloader. Can you tell me why the other > >> files might be listed? > >> > >> # qlist -ao | scanelf -f - -q -x > >> --mxe- /opt/emul-linux-x86-java-1.6.0.11

Re: [gentoo-hardened] hardened workstation - is that worth it?

2008-12-05 Thread pageexec
On 5 Dec 2008 at 18:21, Javier Martínez wrote: > Have you said me that I'm obsoleted?, ok, I agreed with you... o:), > but since I don't use xorg in servers... no problem. You still having > the other problems I commented. if you mean the /dev/mem issue, it's been solved to an extent in grsec for

Re: [gentoo-hardened] hardened workstation - is that worth it?

2008-12-05 Thread pageexec
On 5 Dec 2008 at 9:48, Ned Ludd wrote: > On Fri, 2008-12-05 at 17:29 +0200, [EMAIL PROTECTED] wrote: > > On 25 Nov 2008 at 21:36, Javier Martínez wrote: > > > > > In my opinion getting X-window running is bad in security concerns, by > > > this reasons: > > > - First: PaX should be disable in mpro

Re: [gentoo-hardened] hardened workstation - is that worth it?

2008-12-05 Thread pageexec
On 25 Nov 2008 at 21:36, Javier Martínez wrote: > In my opinion getting X-window running is bad in security concerns, by > this reasons: > - First: PaX should be disable in mprotect terms since Xorg needs it > (with it refuse to run) . - PaX flags: ---x-e-- [/usr/bin/Xorg] and it works for m

Re: [gentoo-hardened] what RLIMIT_STACK mean?

2008-11-11 Thread pageexec
On 12 Nov 2008 at 0:00, Kerin Millar wrote: > This has been going on for a long time now. I had assumed that postfix > was to blame and was intending to investigate further at some point > (but, of course, I never did). If there is anything that I can do that > may help to shed light on the matter

Re: [gentoo-hardened] what RLIMIT_STACK mean?

2008-11-10 Thread pageexec
On 10 Nov 2008 at 7:24, Brian Kroth wrote: > [EMAIL PROTECTED] <[EMAIL PROTECTED]> 2008-11-10 12:31: > > I usually have some of these while I'm listening to music: > > grsec: (atoth:U:/usr/bin/audacious) denied resource overstep by requesting > > 135168 for RLIMIT_MEMLOCK against limit 32768 for >

Re: [gentoo-hardened] what RLIMIT_STACK mean?

2008-11-09 Thread pageexec
On 9 Nov 2008 at 0:06, [EMAIL PROTECTED] wrote: > Some error messages like this shows up from time to time every twice months: > " > grsec: (root:U:/bin/rm) denied resource overstep by requesting 115310592 > for RLIMIT_STACK against limit 8388608 for /[rm:32461] uid/euid:0/0 > gid/egid:0/0, parent
