When you try to run a program that uses OpenGL (for example glxgears or nvidia-settings) on a Linux kernel with grsecurity/PaX, you will get an error something like this:

[616429.431910] PAX: execution attempt in: /usr/lib/opengl/nvidia/lib/libGLcore.so.190.42, 50d3b000 50d81000 01019000 
[616429.431916] PAX: terminating task: /opt/googleearth/googleearth-bin(googleearth-bin):29736, uid/euid: 0/0, PC: 50d76aa0, SP: 5b9db39c

2 Answers


The problem is that the Nvidia runtime execution code in its shared libraries and drivers does not support PaX. So any program linked against it will trigger the error and get killed by PaX.

According to Nvidia (http://www.nvnews.net/vbulletin/showpost.php?p=2044701&postcount=2), it is unlikely that they will be able to provide a special driver specifically for PaX/grsec systems. The workaround for this is to disable the secure memory protection enforcement in PaX (NOMPROTECT) using chpax/paxctl for the apps:

# paxctl -m /usr/bin/nvidia-settings
# paxctl -v /usr/bin/nvidia-settings
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
- PaX flags: -----m-x-e-- [/usr/bin/nvidia-settings]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled

If the binary doesn't have a PT_PAX_FLAGS program header, you can use the -c or -C switch of paxctl to create a new PT_PAX_FLAGS program header:

# paxctl -m /opt/googleearth/googleearth-bin 
file /opt/googleearth/googleearth-bin does not have a PT_PAX_FLAGS program header, try conversion
# paxctl -Cm /opt/googleearth/googleearth-bin
file /opt/googleearth/googleearth-bin got a new PT_PAX_FLAGS program header
# paxctl -v /opt/googleearth/googleearth-bin
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/opt/googleearth/googleearth-bin]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled

The workaround for this is to disable the secure memory protection enforcement in PaX (NOMPROTECT) using chpax/paxctl for the apps

Does this mean we have to disable PaX MPROTECT for all the programs that link to the nvidia lib? It would be quite a hassle to do so :-/ Or am I missing something here?

You only need to disable MPROTECT in order to get it working, not everything. For example, on my laptop, only the MPROTECT PaX feature is disabled for googleearth:

- PaX flags: P-S--mX-E-R- [/opt/googleearth/googleearth-bin]
        PAGEEXEC is enabled
        SEGMEXEC is enabled
        MPROTECT is disabled
        RANDEXEC is enabled
        EMUTRAMP is enabled
        RANDMMAP is enabled

– RD Jan 8 at 18:53
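The script below is an added example and is not part of either answer or of the comment above. It covers the two things the thread shows: the flag string that `paxctl -v` prints (six enabled/disabled letter pairs in the order PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP, so `P-S--mX-E-R-` in the comment means everything on except MPROTECT, and `-----m-x-e--` in the first answer means three features explicitly off and the rest at the kernel default), and the `-m` then `-Cm` fallback from the first answer. The script name `pax-nomprotect.sh` and the function names are my own; only the paxctl options come from the page, and `paxctl` itself has to be installed (and you need write access to the binary) for the last function to do anything.

```shell
#!/bin/sh
# pax-nomprotect.sh (name assumed; added example, not from the original post)
#
# "paxctl -v" prints a 12-character flag string made of six (enabled, disabled)
# letter pairs, in this order:
#   positions 1-2   P/p  PAGEEXEC
#   positions 3-4   S/s  SEGMEXEC
#   positions 5-6   M/m  MPROTECT
#   positions 7-8   X/x  RANDEXEC
#   positions 9-10  E/e  EMUTRAMP
#   positions 11-12 R/r  RANDMMAP
# '-' means that bit is not set; when neither letter of a pair is set, the
# kernel default for that feature applies.

PAX_FLAG_NAMES="PAGEEXEC SEGMEXEC MPROTECT RANDEXEC EMUTRAMP RANDMMAP"

# pax_flag_state NAME FLAGSTRING -> prints enabled, disabled or default
pax_flag_state() {
    case "$1" in
        PAGEEXEC) pos=1 ;; SEGMEXEC) pos=3 ;; MPROTECT) pos=5 ;;
        RANDEXEC) pos=7 ;; EMUTRAMP) pos=9 ;; RANDMMAP) pos=11 ;;
        *) echo "unknown PaX flag: $1" >&2; return 2 ;;
    esac
    [ ${#2} -eq 12 ] || { echo "bad PaX flag string: $2" >&2; return 2; }
    on=$(printf '%s\n' "$2" | cut -c "$pos")
    off=$(printf '%s\n' "$2" | cut -c "$((pos + 1))")
    if [ "$on" != - ]; then echo enabled
    elif [ "$off" != - ]; then echo disabled
    else echo default
    fi
}

# pax_report FLAGSTRING -> one "NAME is STATE" line per feature, paxctl style
pax_report() {
    for n in $PAX_FLAG_NAMES; do
        echo "$n is $(pax_flag_state "$n" "$1")"
    done
}

# pax_flags_from_v OUTPUT -> the 12-character string from captured "paxctl -v" output
pax_flags_from_v() {
    printf '%s\n' "$1" | sed -n 's/.*PaX flags: \([^ ]*\) \[.*/\1/p'
}

# pax_mprotect_off FLAGSTRING -> exit 0 only when MPROTECT is explicitly disabled
pax_mprotect_off() {
    [ "$(pax_flag_state MPROTECT "$1")" = disabled ]
}

# pax_disable_mprotect BINARY -> the procedure from the answer: try "paxctl -m",
# fall back to "paxctl -Cm" when the file has no PT_PAX_FLAGS header, then
# read the flags back and verify. Needs paxctl on the host; not run offline.
pax_disable_mprotect() {
    bin=$1
    flags=$(pax_flags_from_v "$(paxctl -v "$bin" 2>/dev/null)")
    if [ -n "$flags" ] && pax_mprotect_off "$flags"; then
        echo "$bin: MPROTECT already disabled"
        return 0
    fi
    paxctl -m "$bin" 2>/dev/null || paxctl -Cm "$bin" || return 1
    flags=$(pax_flags_from_v "$(paxctl -v "$bin")")
    pax_report "$flags"
    pax_mprotect_off "$flags"
}

# Usage: sh pax-nomprotect.sh /opt/googleearth/googleearth-bin
if [ $# -eq 1 ]; then
    pax_disable_mprotect "$1"
fi
```

Two caveats worth keeping in mind when you do this. The flag is written into the executable's own ELF program headers, so it only relaxes MPROTECT for that one program (everything else, including the other PaX features on the same binary, stays enforced, which is what the comment above shows), and a package upgrade that replaces the binary silently undoes the marking. And `-c`/`-C` rewrite the program header table, so keep a copy of the original file before converting it.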
