libGL.so

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by inflextau » Fri Aug 14, 2015 8:44 am

Hi, I'm new to grsecurity so this may seem dumb. My distro is Arch Linux and I've installed linux-grsec and installed paxd to enable PaX, but I'm continually needing to add em exceptions to pax.conf to deal with breakages due to executables that link to /usr/lib/mesa/libGL.so.1.2.0. The grsecurity log messages are in the form of:
 grsec: denied RWX mmap of /usr/lib/mesa/libGL.so.1.2.0 by /usr/lib/xfce4/notifyd/xfce4-notifyd[xfce4-notifyd:644] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/dbus-daemon[dbus-daemon:643] uid/euid:1000/1000 gid/egid:1000/1000


Adding an exception to pax.conf of the form "em <path to executable>" fixes the problem for just that executable, but there always seems to be another breakage that involves another executable. At this rate I'll need to create "em" exceptions for all graphical programs installed or disable MPROTECT, which in my mind kinda negates much of the use of PaX. Is there a better way of going about this?

Is there any way to create an exception for libGL.so.1.2.0?

Thanks
inflextau
 
Posts: 1
Joined: Fri Aug 14, 2015 8:19 am

Re: libGL.so

Post by PaX Team » Fri Aug 14, 2015 4:27 pm

PaX flags are enforced on a per-process (address space) basis and there's no practical way to enforce separate rules for parts of the address space. The best solution would be to modify mesa and other JIT compilers to do safe runtime codegen, but that's a big undertaking.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
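
An added example, not part of either post: a Python script that parses log lines in the format quoted in the first post and groups the RWX mmap denials by mapped file and requesting executable, flagging any that ran with euid 0, so the set of per-process exceptions one library is driving can be reviewed in one place. Only the first sample line comes from the thread; the remaining lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Format of the "denied RWX mmap" message quoted in the first post.
DENIED_RWX = re.compile(
    r"grsec: denied RWX mmap of (?P<mapped>.+?) by (?P<exe>\S+?)"
    r"\[(?P<comm>[^\]]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

# First line is the one from the thread; the others are constructed samples.
SAMPLE_LOG = [
    "grsec: denied RWX mmap of /usr/lib/mesa/libGL.so.1.2.0 by /usr/lib/xfce4/notifyd/xfce4-notifyd[xfce4-notifyd:644] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/dbus-daemon[dbus-daemon:643] uid/euid:1000/1000 gid/egid:1000/1000",
    "grsec: denied RWX mmap of /usr/lib/mesa/libGL.so.1.2.0 by /usr/bin/xfwm4[xfwm4:702] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xfce4-session[xfce4-session:660] uid/euid:1000/1000 gid/egid:1000/1000",
    "grsec: denied RWX mmap of /usr/lib/mesa/libGL.so.1.2.0 by /usr/lib/xfce4/notifyd/xfce4-notifyd[xfce4-notifyd:911] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/dbus-daemon[dbus-daemon:643] uid/euid:1000/1000 gid/egid:1000/1000",
    "grsec: denied RWX mmap of /usr/lib/mesa/libGL.so.1.2.0 by /usr/bin/glxinfo[glxinfo:1200] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/bash[bash:1100] uid/euid:0/0 gid/egid:0/0",
    "kernel: unrelated message (constructed), ignored by the parser",
]


def parse_denials(lines):
    """Yield (mapped_file, executable, euid) for each RWX mmap denial."""
    for line in lines:
        m = DENIED_RWX.search(line)
        if m:
            yield m["mapped"], m["exe"], int(m["euid"])


def summarize(lines):
    """Map each denied file to {executable: {"count": n, "root": bool}}."""
    report = defaultdict(dict)
    for mapped, exe, euid in parse_denials(lines):
        entry = report[mapped].setdefault(exe, {"count": 0, "root": False})
        entry["count"] += 1
        # An exception for something that runs as root deserves a closer look.
        entry["root"] |= (euid == 0)
    return dict(report)


if __name__ == "__main__":
    for mapped, exes in summarize(SAMPLE_LOG).items():
        print(f"{mapped}: {len(exes)} executable(s) requested RWX")
        for exe, info in sorted(exes.items()):
            note = "  <- ran with euid 0" if info["root"] else ""
            print(f"  {exe} x{info['count']}{note}")
```

Because PaX flags apply per process, each executable listed under a library is a separate decision about running that whole address space without MPROTECT.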

