grsecurity forums

Hi,
I'm having some problems trying to install kernel 2.6.11 patched with grsec on my Fedora Core 3 box.
This is what I get when I try to "make"

fs/binfmt_elf.c: In function `pax_parse_elf_flags':
fs/binfmt_elf.c:736: error: structure has no member named `flags'
make[1]: *** [fs/binfmt_elf.o] Error 1
make: *** [fs] Error 2

Anyone that knows howto fix this prob?
Thanks in advance,

Genghis

I have the same problem as you with RSBAC and PaX, so I guess it's something with PaX.
Since no one else reported this problem, I guess it's something with our config.

Genghis wrote:fs/binfmt_elf.c: In function `pax_parse_elf_flags':
fs/binfmt_elf.c:736: error: structure has no member named `flags'
make[1]: *** [fs/binfmt_elf.o] Error 1
make: *** [fs] Error 2

you must have enabled one of the ELF header marking support features but nothing of NOEXEC/ASLR. if you don't want to use PaX at all, don't enable any marking support.

From the PAX_NOEXEC help:

This will also break programs that rely on the old behaviour and
expect that dynamically allocated memory via the malloc() family
of functions is executable (which it is not). Notable examples
are the XFree86 4.x server, the java runtime and wine.

I use all three of the cited programs on some machines, does this mean I need to disable header marking altogether on those?

I decided to give a kernel a spin with NOEXEC enabled just to see what happens, and I can't even login. I guess that renders my question about X et al rather moot

letrout wrote:From the PAX_NOEXEC help:

This will also break programs that rely on the old behaviour and
expect that dynamically allocated memory via the malloc() family
of functions is executable (which it is not). Notable examples
are the XFree86 4.x server, the java runtime and wine.

I use all three of the cited programs on some machines, does this mean I need to disable header marking altogether on those?

you can't disable header marking support on a per app basis, it's a kernel config option rather. what you can disable per app is the PaX flags, that's what you have to do on the above mentioned (and not mentioned) apps. chpax/paxctl is your friend. specifically for XFree86, the xorg server can these days be compiled with (working) dlloader support (or alternatively as a static server), that will work with all PaX enforcements.