
grsecurity and PAX

PostPosted: Sat Feb 21, 2004 5:45 am
by conflict
Hi all, I know it's a trivial question; I read, but my English is not so good, so I'll ask it simply :)

What's the difference between PaX and grsecurity? I mean, there is a kernel patch to 2.4.25 for PaX and I wish to install it, though I'm not sure of the difference between PaX and grsecurity.

Thank you {;-)

Re: grsecurity and PAX

PostPosted: Sat Feb 21, 2004 7:07 am
by PaX Team
conflict wrote: What's the difference between PaX and grsecurity? I mean, there is a kernel patch to 2.4.25 for PaX and I wish to install it, though I'm not sure of the difference between PaX and grsecurity.
PaX provides protection against memory corruption bugs; grsecurity as a whole is a complete security system incorporating PaX (see the features page on the grsec site for details). That is, in real-life deployments you want grsec, not PaX alone. There are also other systems now incorporating PaX, such as Adamantix (it provides RSBAC for access control) and Hardened Gentoo (comes with either grsec or, very recently, SELinux).

PostPosted: Sat Feb 21, 2004 6:24 pm
by letrout
I applied grsecurity-1.9.13 to the 2.4.24 kernel and built it, but haven't configured much yet. Now I see some downloads on pax.grsecurity.net and I have some questions:

1) Do I need the PaX kernel patch or is this code included in the grsecurity patch?

2) For PaX, do I use the chpax-0.6 package or paxctl-0.2?

PostPosted: Sun Feb 22, 2004 4:15 am
by PaX Team
letrout wrote: 1) Do I need the PaX kernel patch or is this code included in the grsecurity patch?
It's included.
2) For PaX, do I use the chpax-0.6 package or paxctl-0.2?
Depends on what your userland supports. I take it you're not using the patched binutils, therefore you'll need to enable the old CONFIG_PAX_EI_PAX marking support (which was the default for the past year) and use chpax.

PostPosted: Sun Feb 22, 2004 1:13 pm
by letrout
OK, that's what I thought. I'm currently running the 2.13 binutils (binary from my distro). I've downloaded the 2.14 source from GNU and the 2.14.90.0.8 patch, but clearly this is the wrong combo. Finally found the 2.14.90.0.8 source with some googling. I'm a bit surprised at how much hunting it took to find that.

Anyhoo, thanks for the clarifications.

PostPosted: Sun Feb 22, 2004 2:05 pm
by PaX Team
letrout wrote: I've downloaded the 2.14 source from GNU and the 2.14.90.0.8 patch, but clearly this is the wrong combo. Finally found the 2.14.90.0.8 source with some googling. I'm a bit surprised at how much hunting it took to find that.
Your one-stop shop for binutils should be http://www.kernel.org/pub/linux/devel/binutils/

PostPosted: Wed Feb 25, 2004 2:20 pm
by thomasko
I have a question just to ensure that I don't get it all wrong:

If I only compile the kernel with PT_PAX_FLAGS, all programs that haven't been built with the patched binutils won't be protected by default? And actually they cannot be protected under such a kernel at all?

Is there any chance that upstream developers will accept binutils patch?

PostPosted: Wed Feb 25, 2004 5:24 pm
by PaX Team
thomasko wrote: If I only compile the kernel with PT_PAX_FLAGS, all programs that haven't been built with the patched binutils won't be protected by default?
Correct.
And actually they cannot be protected under such a kernel at all?
Not until they get a PT_PAX_FLAGS marking or you also enable the old EI_PAX marking support. For the former, your current option is to recreate the apps with the patched binutils, but work is in progress to directly inject this new program header into an ELF file so you can more easily migrate your userland. In my opinion the best migration plan (when you want to switch to PT_PAX_FLAGS at all, that is) is to enable both marking supports and use the patched binutils for future compilations (that is, when you're building your userland yourself; it's much easier when a distribution does the work for you, like Hardened Gentoo and maybe Adamantix in the future).
Is there any chance that upstream developers will accept the binutils patch?
I never asked, but my bet is that it's out of the question; this marking is highly specific to PaX. What distributions do is another question of course; I know that Gentoo has incorporated it already.
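The two marking schemes discussed in this thread (the EI_PAX bytes in the ELF identification field that chpax writes, and the PT_PAX_FLAGS program header that the patched binutils emits and paxctl edits) are both just bits in the ELF file. The following is an added example, not code from the PaX Team, chpax or paxctl, that reads and rewrites a PT_PAX_FLAGS header in an in-memory ELF image and reads the raw EI_PAX word, with bounds checks so a crafted binary cannot make the parser read out of the buffer. It uses ELF64 for brevity (the ELF32 case of a 2.4-era x86 userland is identical with the Elf32_ types); the PT_PAX_FLAGS and PF_*/HF_PAX_* constants are taken from PaX's elf.h as I remember them, the sample image is constructed here rather than taken from a real binary, the six-letter summary format and all function names are this example's own, and it does not implement the header injection the post says is in progress (it can only rewrite a PT_PAX_FLAGS entry that already exists).

```c
/* pax_flags.c - added example: inspect and rewrite PaX markings in an ELF64 image.
 * Not PaX's, chpax's or paxctl's code. Build: cc -std=c99 -Wall pax_flags.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <elf.h>            /* Elf64_Ehdr/Elf64_Phdr, ELFMAG, PT_LOAD, EI_NIDENT ... */

#ifndef PT_PAX_FLAGS        /* constants as in PaX's elf.h (assumption: verify against yours) */
#define PT_PAX_FLAGS   0x65041580U          /* PT_LOOS + 0x5041580 */
#define PF_PAGEEXEC    (1U << 4)            /* enable bit n, disable bit n+1 */
#define PF_NOPAGEEXEC  (1U << 5)
#define PF_SEGMEXEC    (1U << 6)
#define PF_NOSEGMEXEC  (1U << 7)
#define PF_MPROTECT    (1U << 8)
#define PF_NOMPROTECT  (1U << 9)
#define PF_RANDEXEC    (1U << 10)
#define PF_NORANDEXEC  (1U << 11)
#define PF_EMUTRAMP    (1U << 12)
#define PF_NOEMUTRAMP  (1U << 13)
#define PF_RANDMMAP    (1U << 14)
#define PF_NORANDMMAP  (1U << 15)
#endif
#define PAX_ENABLE_MASK  0x5550U            /* bits 4,6,8,10,12,14 */
#define PAX_DISABLE_MASK 0xAAA0U            /* bits 5,7,9,11,13,15 */

/* Byte offset of the PT_PAX_FLAGS entry; 0 if absent (no phdr can sit at 0),
 * (size_t)-1 if the image is malformed. Every offset is checked against len. */
static size_t pax_phdr_offset(const uint8_t *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return (size_t)-1;
    memcpy(&eh, img, sizeof eh);                         /* memcpy: no alignment assumptions */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB || eh.e_phentsize != sizeof(Elf64_Phdr))
        return (size_t)-1;
    if (eh.e_phoff > len || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr))
        return (size_t)-1;                               /* phdr table would run past the file */
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = eh.e_phoff + i * sizeof ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_PAX_FLAGS) return off;
    }
    return 0;
}

/* 1 and *flags set when a PT_PAX_FLAGS marking exists, 0 when the binary carries
 * none (kernel then falls back to EI_PAX, if enabled, or its defaults), -1 if malformed. */
int pax_get_flags(const uint8_t *img, size_t len, uint32_t *flags)
{
    Elf64_Phdr ph;
    size_t off = pax_phdr_offset(img, len);
    if (off == (size_t)-1) return -1;
    if (off == 0) return 0;
    memcpy(&ph, img + off, sizeof ph);
    *flags = ph.p_flags;
    return 1;
}

/* Rewrite the marking in place: drop 'clear', then apply 'set'. Setting an enable
 * bit drops the matching disable bit and vice versa, so a feature is never marked
 * both on and off. Same return convention as pax_get_flags. */
int pax_set_flags(uint8_t *img, size_t len, uint32_t set, uint32_t clear)
{
    Elf64_Phdr ph;
    size_t off = pax_phdr_offset(img, len);
    if (off == (size_t)-1) return -1;
    if (off == 0) return 0;
    memcpy(&ph, img + off, sizeof ph);
    ph.p_flags &= ~clear;
    ph.p_flags &= ~((set & PAX_ENABLE_MASK) << 1) & ~((set & PAX_DISABLE_MASK) >> 1);
    ph.p_flags |= set;
    memcpy(img + off, &ph, sizeof ph);
    return 1;
}

/* Six letters in the order P S M X E R (PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC,
 * EMUTRAMP, RANDMMAP): upper case = forced on, lower case = forced off, '-' = kernel
 * default. Layout is this example's own. buf needs 7 bytes. */
char *pax_describe(uint32_t flags, char *buf)
{
    static const char letters[] = "PSMXER";
    for (int i = 0; i < 6; i++) {
        uint32_t en = 1U << (4 + 2 * i), dis = en << 1;
        buf[i] = (flags & en) ? letters[i] : (flags & dis) ? (char)(letters[i] + 32) : '-';
    }
    buf[6] = '\0';
    return buf;
}

/* Legacy EI_PAX marking written by chpax: a little-endian 16-bit word in
 * e_ident[14..15]. In PaX's elf.h a SET HF_PAX_* bit turns the feature OFF, except
 * HF_PAX_RANDEXEC (16) where set means ON (assumption: check your kernel's elf.h). */
int eipax_word(const uint8_t *img, size_t len)
{
    if (len < EI_NIDENT) return -1;
    return img[14] | (img[15] << 8);
}

/* Constructed sample image (not a real binary): ELF header, one PT_LOAD and, if
 * with_pax, a PT_PAX_FLAGS entry carrying pax_flags. Returns bytes written, 0 if
 * the buffer is too small. */
size_t build_sample_elf(uint8_t *buf, size_t cap, int with_pax, uint32_t pax_flags)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    size_t n = with_pax ? 2 : 1, total = sizeof eh + n * sizeof ph[0];
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph[0]; eh.e_phnum = (uint16_t)n;
    ph[0].p_type = PT_LOAD; ph[0].p_flags = PF_R | PF_X; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_PAX_FLAGS; ph[1].p_flags = pax_flags;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, n * sizeof ph[0]);
    return total;
}

/* Round trip: mark PAGEEXEC+MPROTECT on, RANDEXEC off, then relax MPROTECT (as one
 * would for a JIT such as a Java VM) and force RANDMMAP on. Returns the final word. */
uint32_t demo_roundtrip(void)
{
    uint8_t img[256]; char d[7]; uint32_t f = 0;
    size_t n = build_sample_elf(img, sizeof img, 1, PF_PAGEEXEC | PF_MPROTECT | PF_NORANDEXEC);
    pax_get_flags(img, n, &f);
    printf("before: %s (0x%x)\n", pax_describe(f, d), f);
    pax_set_flags(img, n, PF_NOMPROTECT | PF_RANDMMAP, 0);
    pax_get_flags(img, n, &f);
    printf("after:  %s (0x%x), EI_PAX word %d\n", pax_describe(f, d), f, eipax_word(img, n));
    return f;
}

int main(void) { demo_roundtrip(); return 0; }
```

Running it prints "before: P-Mx--" and "after: P-mx-R": the MPROTECT enable bit is dropped when its disable bit is set, which is the invariant a marking tool must keep, since a header with both bits set is ambiguous to the kernel. Reading a real binary means loading the file into a buffer and calling pax_get_flags on it; a return of 0 on a PT_PAX_FLAGS-only kernel is exactly the "not protected by default" case the post describes.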

PostPosted: Wed Feb 25, 2004 7:29 pm
by thomasko
Thanks for the explanation!

PaX Team wrote: Is there any chance that upstream developers will accept the binutils patch?
I never asked, but my bet is that it's out of the question; this marking is highly specific to PaX. What distributions do is another question of course; I know that Gentoo has incorporated it already.

So I guess we don't have to be afraid that EI_PAX support will disappear soon, if it will ever disappear...

PostPosted: Thu Feb 26, 2004 7:47 am
by PaX Team
thomasko wrote: So I guess we don't have to be afraid that EI_PAX support will disappear soon, if it will ever disappear...
Indeed, EI_PAX will stay; however, future PaX features will be usable with PT_PAX_FLAGS only.

PostPosted: Fri Mar 05, 2004 6:26 am
by cmouse
Do you plan to provide a migration tool that will allow injection of PT_PAX_FLAGS headers into software? I'd hate to start compiling my 'java' binaries, for example.

PostPosted: Fri Mar 05, 2004 3:55 pm
by PaX Team
cmouse wrote: Do you plan to provide a migration tool that will allow injection of PT_PAX_FLAGS headers into software? I'd hate to start compiling my 'java' binaries, for example.
Yes, someone's working on it, but I don't know how far he's got.