Easiest way to get Grsecurity and Pax on Linux

Discussion in 'all things UNIX' started by kinder2, Sep 18, 2015.

  1. Michael371

    Michael371 Registered Member

    Joined:
    Oct 20, 2015
    Posts:
    7
    When you start compiling your kernel with menuconfig, or xconfig you can find the Grsecurity / Pax settings under security -> grsecurity.
    It's advised to use the Arch build system (ABS) for compilation as it will produce packages which can be managed with pacman. Pacman is a really nice package manager, if you learn how to use it you won't regret it :).

    This is the wiki page for pacman:

    https://wiki.archlinux.org/index.php/Pacman

    This is the Arch wiki page for ABS:

    https://wiki.archlinux.org/index.php/Arch_Build_System

    And this one is for compiling kernels with ABS:

    https://wiki.archlinux.org/index.php/Kernels/Arch_Build_System

    The documentation of Arch is really the best you can find within the Linux world, it's mostly up to date, and all the things you need are stated out very clearly. Good luck, and use DuckDuckGo or Google to find your answers.
     
  2. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    I presume you compiled the kernel without enabling PAX soft mode. With soft mode enabled, you will at least have a running X.
     
  3. Michael371

    Michael371 Registered Member

    Joined:
    Oct 20, 2015
    Posts:
    7
    That's correct, I took a note not to disable it on Arch unless I know what the consequences are. Thanks again.
     
  4. Michael371

    Michael371 Registered Member

    Joined:
    Oct 20, 2015
    Posts:
    7
    The problem with not being able to save documents in LibreOffice in Arch was related to the gtk3 engine, used by default. I switched it to gtk2, and the problems are gone now. However I'm not exactly sure what the relation to Pax or grsecurity is.
    You can switch LibreOffice to gtk2 by editing /etc/profile.d/libreoffice-fresh.sh (just uncomment the gtk2 line)
     
    Last edited: Oct 22, 2015
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Softmode isn't required to have functioning X :thumb: Unless you compiled your own Kernel with "Restrict mprotect()" enabled (which you shouldn't anyway).
     
    Last edited: Oct 24, 2015
  6. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    By soft mode I meant PAGEEXEC, EMULTRAP, MPROTECT, RANDMMAP and SEGMEXEC turned off by default and enforced on a per ELF object basis. Of course all of these are not required to have a functioning X, only disabling MPROTECT will do; I was just talking in a broader context.
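
Added example, not part of the thread and not any poster's code: on a PaX-patched kernel the flags in effect for a process are reported as a `PaX:` line in `/proc/<pid>/status`, one letter per feature (upper case when enforced, lower case when not), so the per-ELF enforcement described in the post above can be checked per process. This Python sketch parses that line and lists processes running without MPROTECT; the function names and the sample status excerpts are constructed for illustration.

```python
import re

# Letter order of the "PaX:" line in /proc/<pid>/status on a PaX kernel.
# Upper case = feature enforced for the process, lower case = not enforced.
PAX_FLAGS = ["PAGEEXEC", "EMUTRAMP", "MPROTECT", "RANDMMAP", "SEGMEXEC"]
PAX_LINE = re.compile(r"^PaX:\s*([PpEeMmRrSs-]{5})\s*$", re.MULTILINE)


def parse_pax_status(status_text):
    """Return {flag: bool} from the text of a /proc/<pid>/status file.

    Returns None when there is no PaX line (kernel without PaX) or the
    line is "-----" (a kernel thread with no address space).
    """
    m = PAX_LINE.search(status_text)
    if m is None or m.group(1) == "-----":
        return None
    return {name: ch.isupper() for name, ch in zip(PAX_FLAGS, m.group(1))}


def without_mprotect(statuses):
    """Sorted names of processes whose MPROTECT restriction is off."""
    found = []
    for name, text in statuses.items():
        flags = parse_pax_status(text)
        if flags is not None and not flags["MPROTECT"]:
            found.append(name)
    return sorted(found)


# Constructed sample status excerpts (not captured from a real system).
SAMPLE = {
    "Xorg": "Name:\tXorg\nState:\tS (sleeping)\nPaX:\tPemRs\n",
    "sshd": "Name:\tsshd\nState:\tS (sleeping)\nPaX:\tPeMRs\n",
    "kthreadd": "Name:\tkthreadd\nState:\tS (sleeping)\nPaX:\t-----\n",
}

if __name__ == "__main__":
    for proc_name, status in SAMPLE.items():
        print(proc_name, parse_pax_status(status))
    print("MPROTECT off:", without_mprotect(SAMPLE))
```

On a live system the same functions can be fed the contents of each `/proc/<pid>/status` file to review which binaries have been given MPROTECT exceptions.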
     
  7. Michael371

    Michael371 Registered Member

    Joined:
    Oct 20, 2015
    Posts:
    7
    Thanks for the clarification!

    Can somebody tell me how the sandboxing works with Grsecurity?
    Do you need to use chroot for that?
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Thank you very much for this. I'm actually considering using this repo on Jessie, though I'm not sure who this guy really is. Does anyone have info on him?

    I'll wait to see if the MX community (which includes some Debian developers) can backport the entire grsec base to Jessie. Otherwise I'll use this Corsac repo.
     