by siti » Sun Jan 11, 2004 3:58 am
by PaX Team » Sun Jan 11, 2004 6:52 am
can you please post your .config and the XFree86 logs (and maybe any relevant kernel logs from grsec/PaX)?mikeeusa wrote:I aquired my new laptop, installed debian, installed X 4.3, worked great, had a wholy insecure kernel, needed to be hardened... So i put 2.4.24 on tha down-low and then kicked up my server's kernel config into the machiene, disabled the diablining of privledged IO and disabled enforcing non-executable stacks....
[...]
still no go, X complains of some symbols in its files... and then tells me it cant find any screens.
by PaX Team » Sun Jan 11, 2004 8:11 pm
for a start, disable CONFIG_GRKERNSEC_KMEM and it will hopefully work. but before you do that, could you run a strace -e trace=open,close,old_mmap,mmap2,munmap,mprotect on your server binary directly? it seems that your server wants to map the video BIOS in some unexpected way, would be nice to see the exact numbers.mikeeusa wrote:https://cat2.ath.cx/cat2/kernconfig.txt
https://cat2.ath.cx/cat2/xerrors.txt
https://cat2.ath.cx/cat2/kernlog.txt
by PaX Team » Mon Jan 12, 2004 6:09 am
thanks but i really need it on the server binary itself, /etc/X11/X is normally a symlink to it or try /usr/X11/bin/XFree86 (or try strace -f on xinit). you will know you got the right one when you'll see a failed old_mmap request towards the end of the trace (that would be the video BIOS mapping attempt).mikeeusa wrote::) Here's the strace output (on xinit)
no, this is really the /dev/mem restrictions that you ran into, your X server wanted to mmap the physical memory range of the video BIOS for writing - that's a no-no at least until we know what that range is exactly and can grant an explicit exception, hence my need for the strace outputcan i chpax X to something to make it work (what would i have to chpax it to, which binaries do you think? just xinit?)
.by PaX Team » Sun Jan 18, 2004 10:36 am
is this the full trace? it doesn't look like it ever got to mapping any of the X drivers or the failed mmap() of the video BIOS...mikeeusa wrote:[...]
open("/etc/libsafe.exclude", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/X11/Xwrapper.config", O_RDONLY) = 3
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x495b2000
close(3) = 0
munmap(0x495b2000, 4096) = 0
by PaX Team » Thu Jan 22, 2004 11:32 am
chpax flags don't matter as long as X doesn't get killed which is your case i think. so just exit from X and do the strace then.mikeeusa wrote:OOo, does it need to be run withou the -pm flags?
I did it in an X term so it didnt have perm to open fully.
Should i get a trace regular, or without the protections disabled via chpax?