Package Details: linux-pax-flags 2.0.18-4

Git Clone URL: https://aur.archlinux.org/linux-pax-flags.git (read-only)
Package Base: linux-pax-flags
Description: Deactivates PaX flags for several binaries so that they work with PaX-enabled kernels.
Upstream URL: https://github.com/nning/linux-pax-flags
Keywords: grsecurity linux pax security
Licenses: GPL3
Submitter: phects
Maintainer: phects
Last Packager: phects
Votes: 18
Popularity: 0.041356
First Submitted: 2012-01-12 18:16
Last Updated: 2015-12-15 12:27

Dependencies (3)

Required by (1)

Sources (18)

  • android.conf
  • browsers.conf
  • clamav.conf
  • games.conf
  • imagemagick.conf
  • java.conf
  • kde.conf
  • linux-pax-flags.8
  • linux-pax-flags.rb
  • linux-pax-flags.sh
  • polkit.conf
  • qemu.conf
  • ruby.conf
  • simple.conf
  • skype.conf
  • steam.conf
  • valgrind.conf
  • wine.conf

Latest Comments

thestinger commented on 2014-12-11 19:29

The new version of paxd can now apply per-user exceptions via a user service. It automatically updates them when executables are updated/created so there is no need to manually run a script when Steam updates / installs a game and so on.

tancrackers commented on 2014-09-12 02:56

PSmXER:
/usr/share/spotify/spotify-client/Data/SpotifyHelper
/usr/bin/quassel

tancrackers commented on 2014-09-12 02:56

PsmXER:
/usr/share/spotify/spotify-client/Data/SpotifyHelper
/usr/bin/quassel

tancrackers commented on 2014-09-09 09:36

PsmXER:
/usr/share/spotify/spotify-client/Data/SpotifyHelper
/usr/bin/spotify

This is how I got Spotify to work (with music too!)

tancrackers commented on 2014-09-09 09:14

Also, steamui.so cannot load, even with these flags set

tancrackers commented on 2014-09-09 08:05

Does anyone have PAX flags to get Spotify working?

tancrackers commented on 2014-09-01 16:48

Does anyone have PAX flags to get Spotify working?

thestinger commented on 2014-05-31 01:40

In order to work around the lack of Pacman hooks, I wrote a trivial daemon to watch for Pacman transactions and re-apply exceptions. I've included some more exceptions and removed many of the no longer needed RANDMMAP cases (SpiderMonkey used to require it).

https://github.com/thestinger/paxd

You'll still need linux-pax-flags for files in home directories because it wouldn't be sane for a daemon running as root to be attempting to set those.

thestinger commented on 2014-04-21 02:19

Never mind what I said earlier here. The linux-grsec package can start using a permissive default-on RBAC policy to set these exceptions. This package will still be required for linux-pax, which I don't personally have an interest in.

thestinger commented on 2014-04-18 00:04

It would be nice to have this changed to using only extended attributes rather than paxctl. The extended attributes always work and leave the binaries untouched, along with not requiring an extra tool (just setfattr/getfattr).

Of course, you'll need to remove all the existing paxctl flags as long as linux-grsec is compiled with PaX ELF support.

malet commented on 2014-01-03 16:43

tor-browser-en (From AUR): PEmRSX ~/.tor-browser-en/INSTALL/Browser/firefox

probably the same with the other language versions

test0 commented on 2014-01-02 03:14

steam: ~/.local/share/Steam/ubuntu12_32/gameoverlayui

test0 commented on 2013-12-22 19:32

steam: ~/.local/share/Steam/SteamApps/common/Monaco/Monaco.bin.x86

test0 commented on 2013-12-03 04:50

jdk7-openjdk: /usr/lib/jvm/java-7-openjdk/bin/jar

test0 commented on 2013-11-22 23:04

steam: ~/.local/share/Steam/SteamApps/common/FTL\ Faster\ Than\ Light/data/amd64/bin/FTL

test0 commented on 2013-10-24 20:12

epiphany: paxctl -cPemRSX /usr/bin/epiphany

test0 commented on 2013-10-24 19:31

epiphany: paxctl -cPemRSX /usr/lib/webkitgtk/WebKitWebProcess

phects commented on 2013-10-17 16:24

2.0.12-1:

I added many suggested flag configurations from your comments. Thanks very much! The package is now hosted on GitHub [0], so we can also use the issue tracker over there for PaX flags and other issues.

[0] https://github.com/nning/linux-pax-flags

test0 commented on 2013-10-17 14:23

imagemagick: paxctl -cPemRSX /usr/bin/import

I guess that there are quite a few more binaries affected by this.

test0 commented on 2013-10-13 21:45

emacs: paxctl -cPemRSX /usr/bin/emacs-24.3
steam: paxctl -cPemRSX /usr/lib32/ld-2.18.so

test0 commented on 2013-10-13 19:17

v8-dev (found in AUR): paxctl -cPemRSX /usr/bin/d8

Ahmad24 commented on 2013-10-09 04:31

/etc/pax-flags/custom.conf
# MPROTECT off
PSmXER:
- /usr/bin/goldendict
- /usr/lib/kde4/libexec/kwin_opengl_test
- /usr/bin/akonadi_sendlater_agent
- /usr/bin/akonadi_archivemail_agent
- /usr/bin/akonadi_mailfilter_agent
- /usr/bin/knotify4
- /usr/lib/kde4/libexec/drkonqi
- /usr/bin/gpartedbin
- /usr/bin/avidemux2_qt4
- /usr/bin/viewnior
- /usr/bin/wxHexEditor
- /usr/bin/gdk-pixbuf-query-loaders
- /usr/bin/akregator
- /usr/lib/vlc/vlc-cache-gen
- /usr/bin/dolphin
- /usr/bin/gtk-query-immodules-3.0
# All off
pemrxs:
- /usr/bin/bsdtar
- /usr/bin/virtuoso-t
- /usr/bin/wine64
- /usr/bin/wine64-preloader
- /usr/bin/winebuild
- /usr/bin/winecpp
- /usr/bin/winedump
- /usr/bin/wineserver
- /usr/lib/AntiVir/guard/savapi:
header: create

test0 commented on 2013-10-02 12:04

chromium-dev (found in AUR): paxctl -cPemRSX /usr/lib/chromium-dev/chromium
firefox-aurora (found in AUR): paxctl -cPemRSX /opt/firefox-aurora/firefox

echoblack commented on 2013-09-30 04:05

paxctl -cPEmRXS

grsec: denied RWX mmap of <anonymous mapping> by

/usr/bin/blogilo
/usr/bin/akonadiconsole
/usr/bin/knode
/usr/bin/kontact
/usr/bin/obex-data-server

echoblack commented on 2013-09-28 13:14

paxctl -cPEmrXS /usr/lib/kde4/libexec/kscreenlocker_greet

NOTE: Whenever you get some program that gets stuck in a crash loop, but there are no logs, 99% chance you just need to disable RANDMMAP

echoblack commented on 2013-09-28 13:13

paxctl -PEmrXS /usr/lib/kde4/libexec/kscreenlocker_greet

NOTE: Whenever you get some program that gets stuck in a crash loop, but there are no logs, 99% chance you just need to disable RANDMMAP

Ahmad24 commented on 2013-09-27 10:57

goldendict: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted

paxctl -cPEmRXS /usr/bin/goldendict

test0 commented on 2013-09-27 08:39

aura requires a paxctl setting as well:

paxctl -cPerMS /usr/bin/aura

test0 commented on 2013-09-27 08:28

paxctl also has the problem of not working when binaries are in use. To my knowledge, setfattr has no such problem since the binary itself remains untouched.

test0 commented on 2013-09-26 01:36

For python-powerline-git to work, MPROTECT has to be disabled for /usr/bin/python:

paxctl -cPemRSX /usr/bin/python

kernel.grsecurity.tpe_restrict_all needs to be disabled as well. orcexec might need that setting, too.

test0 commented on 2013-09-25 23:12

The Steam config should somehow go through all users' home directories and adjust the PaX flags there. I needed to use:

HOME=/home/test0 linux-pax-flags

…to get Steam to work.

test0 commented on 2013-09-25 22:22

Dropbox can be made to work like this:

paxctl -cPemRSX /opt/dropbox/dropbox

test0 commented on 2013-09-25 22:04

Using xattrs throughout would also have the advantage of not tripping off checksum-based security measures like IMA, tripwire etc.

test0 commented on 2013-09-25 22:02

Skype cannot be modified, so I had to set the appropriate xattr like this:

setfattr -n user.pax.flags -v PemRS /usr/lib*/skype/skype

(-X and -x are not honored anymore, anyway.)

Trampoline emulation (-E) is actually unnecessary! I also was able to disable it for the vim line below, which should now read:

paxctl -cPemRSX `which vim`

test0 commented on 2013-09-25 20:16

I had to use

paxctl -cPEmRXS `which vim`

to be able to use vim again, possibly because I have recompiled it with +mzscheme.

Also, if possible, setting flags via extended attributes instead of modifying the content of executables would be welcomed.

echoblack commented on 2013-09-12 03:38

paxctl -cPEmRXS /usr/bin/btsync

phects commented on 2013-05-03 11:20

s1gma:

Thanks for your help and sorry for my lag. I wanted to integrate your changes when I saw that, at least for now, go binaries come with a PT_PAX_FLAGS header and MPROTECT, RANDEXEC and EMUTRAMP off. To me it seems there are currently no changes necessary.

It is a little odd that space indentation does not work in YAML, but it is, at least in the YAML specs, desired behaviour. I did a workaround for spaces to work in another project and I will look into it. This would make config editing a little more user-friendly.

Anonymous comment on 2013-03-29 07:15

Hello,

Here is a (partial) config file for the go compiler. Some other binaries might need to be added though:

# MPROTECT off
PSmXER:
- /usr/bin/go
- /usr/lib/go/pkg/tool/linux_amd64/cgo

As a side note, the configuration parsing fails if tabs are replaced by spaces (before the '-' for example):

/usr/share/linux-pax-flags/go.conf: did not find expected key while parsing a block mapping at line 2 column 1

Not sure if it is the desired behavior, as a lot of people religiously replace tabs by spaces :-)

Cheers.
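The config layout shown in the two comments above (and in Ahmad24's custom.conf earlier on this page) is a PaX flag string as the key followed by a list of paths, and several commenters (thestinger, test0) ask for the flags to be applied as the user.pax.flags extended attribute rather than by rewriting the ELF header with paxctl. The script below is an added example, not code from linux-pax-flags or paxd: it parses that config format, accepting tab or space indentation, validates each flag string (every letter must be one of p/s/m/e/r/x in either case and must not repeat), lists which hardening features an entry switches off, and prints the equivalent setfattr commands, expanding `~` for a given home directory. The sample config is constructed from paths that appear in the comments. PaX only honours the xattr on kernels built with CONFIG_PAX_XATTR_PAX_FLAGS and on filesystems that store user xattrs; check both before relying on this instead of paxctl.

```python
"""Parse a linux-pax-flags style .conf and turn it into setfattr commands.

Added example for this page; not code from linux-pax-flags or paxd.
Assumptions: the config layout is the one shown in the comments (a PaX
flag string as the YAML key, a list of paths, an optional 'header: create'
sub-map); unlike the tool, this parser accepts tab or space indentation.
The xattr name user.pax.flags and the letter-string value follow test0's
setfattr example.
"""
import re
import shlex

# Flag letters: upper case enables the PaX feature, lower case disables it.
PAX_FLAGS = {"p": "PAGEEXEC", "s": "SEGMEXEC", "m": "MPROTECT",
             "e": "EMUTRAMP", "r": "RANDMMAP", "x": "RANDEXEC"}
CANONICAL_ORDER = "psmerx"
FLAG_KEY_RE = re.compile(r"([psmerxPSMERX]+):")

# Constructed sample in the format used by the comments above; tab and
# space indentation are mixed on purpose.
SAMPLE_CONF = """\
# MPROTECT off
PSmXER:
- /usr/bin/goldendict
\t- /usr/lib/kde4/libexec/drkonqi
    - ~/.local/share/Steam/ubuntu12_32/gameoverlayui
# All off
pemrxs:
- /usr/bin/wine64
- /usr/lib/AntiVir/guard/savapi:
\theader: create
"""


def validate_flags(flags):
    """Map a flag string to {feature: enabled}; reject unknown or repeated letters."""
    state = {}
    for ch in flags:
        key = ch.lower()
        if key not in PAX_FLAGS:
            raise ValueError(f"unknown PaX flag letter {ch!r} in {flags!r}")
        if key in state:
            raise ValueError(f"{PAX_FLAGS[key]} given twice in {flags!r}")
        state[key] = ch.isupper()
    return {PAX_FLAGS[k]: on for k, on in state.items()}


def is_valid_flags(flags):
    try:
        validate_flags(flags)
        return True
    except ValueError:
        return False


def canonical(flags):
    """Same flags with letters in PSMERX order (e.g. PSmXER -> PSmERX)."""
    state = validate_flags(flags)
    return "".join((k.upper() if state[PAX_FLAGS[k]] else k)
                   for k in CANONICAL_ORDER if PAX_FLAGS[k] in state)


def disabled_features(flags):
    """Hardening features the string switches off: the cost of the exception."""
    return [name for name, on in validate_flags(flags).items() if not on]


def parse_conf(text):
    """Return a list of {'flags', 'paths', 'header'} sections."""
    sections, current, last_path = [], None, None
    for raw in text.splitlines():
        line = raw.strip()          # tabs and spaces are treated alike
        if not line or line.startswith("#"):
            continue
        key = FLAG_KEY_RE.fullmatch(line)
        if key:
            validate_flags(key.group(1))
            current = {"flags": key.group(1), "paths": [], "header": {}}
            sections.append(current)
            last_path = None
        elif current is None:
            raise ValueError(f"entry before any flag key: {raw!r}")
        elif line.startswith("- "):
            # A trailing colon means the path carries a sub-map (header: create).
            last_path = line[2:].strip().rstrip(":")
            current["paths"].append(last_path)
        elif line.startswith("header:") and last_path is not None:
            current["header"][last_path] = line.split(":", 1)[1].strip()
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return sections


def setfattr_commands(sections, home):
    """One setfattr per path. '~' entries are expanded for the given home
    directory, which is why per-user paths need a per-user run."""
    cmds = []
    for sec in sections:
        value = canonical(sec["flags"])
        for path in sec["paths"]:
            target = home + path[1:] if path.startswith("~/") else path
            cmds.append(f"setfattr -n user.pax.flags -v {value} {shlex.quote(target)}")
    return cmds


if __name__ == "__main__":
    sections = parse_conf(SAMPLE_CONF)
    for sec in sections:
        print(f"# {sec['flags']}: disables {', '.join(disabled_features(sec['flags']))}")
    print("\n".join(setfattr_commands(sections, home="/home/test0")))
```

Run it as root for system paths and as each user for the `~` entries; `getfattr -n user.pax.flags /path` shows what was applied, and the validation step catches strings such as the `-cPEmPRXS` with a repeated P that appears in one of the polkitd comments below.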

echoblack commented on 2013-03-24 04:23

phects: Well, I used to have a CentOS server. However, I found a new VPS host that is KVM based. I now use Archlinux on my VPS, home server, and laptop. I see now though that binaries being located in different locations on different distros is where all the work would be anyway.

Yeah, I filed a bug report on bugs.freedesktop.org about polkitd. They didn't understand what I was saying and closed the bug without fixing it. It is a major problem. Polkitd has had memory exploits reported. This daemon is also responsible for security settings, argh. On the plus side, it does seem to run as the logged in user.

phects commented on 2013-03-23 18:15

You're right. I made sudo optional. The old behaviour is used if PAX_FLAGS_SUDO is set.

s4ndman commented on 2013-03-22 07:31

I agree with s1gma, I don't use sudo and had to manually modify the script to get it to work.

Anonymous comment on 2013-03-22 06:40

Hello,

Why use 'sudo' in linux-pax-flags, as it will anyway usually run as root (in the linux-grsec.install script) ?

Or, you could add 'sudo' as a dependency (as some of us do not have it installed), but it seems a little overkill.

Thanks for your package !

phects commented on 2013-03-19 10:33

echoblack:
That's good to hear! Do you use linux-pax-flags on another distribution? On Arch Linux at least polkitd needs flags set on a PaX kernel (which is not exactly ideal).

echoblack commented on 2013-03-19 10:19

The problem with Freemind "may" be a result of the disabling of JIT, "Just In Time Compiling" with Java. JIT makes Java programs run much faster but is a very dangerous thing. There is no way to verify that the code is not modified before execution. However, I thought I read that what happens is the JIT simply does not work and the Java program is run by the JVM like normal, i.e. it should not break anything. BUT maybe with that program it does? Or maybe this has nothing to do with it. In any case you could disable it. I think it is in the "Miscellaneous Hardening" options.

As for the suspend... Strange, I use KDE and I have KDE set to do nothing. Then systemd does the suspend when I close my laptop lid (by default) and it works fine.

phects: Meh, I no longer have any issue with Ruby. Ruby, as it turns out, is only 3MB. The main thing was that I didn't want to install Ruby on my servers, but it turns out that basically no server software needs any PaX flags anyway. None that I have run, at least.

Anonymous comment on 2013-03-10 02:28

Thanks for the answers, much appreciated

1) About Java, I do have jre7-openjdk. Tried re-installing pax flags but it's the same. If I open Freemind in a terminal it says:
ERROR: Your Java VM is not a complete implementation,
=======================================
FREEMIND WILL MOST PROBABLY *NOT* WORK,
=======================================
define JAVACMD, JAVA_BINDIR, JAVA_HOME or PATH in order
to point to such a VM. See the manpage of freemind(1) for details.
Error occurred during initialization of VM

Doesn't happen on default kernel (arch)

2)System Monitor does work as you said
3)Another thing, Gradm, doesn't enable, it says:
Duplicate subject found for "/sbin/shutdown" in role shutdown, on line 287 of /etc/grsec/policy.
"/sbin/shutdown" references the same object as "/sbin/halt" specified on an earlier line.
The RBAC system will not load until this error is fixed.
4)Last thing...Can't hibernate/suspend in Xfce4, going by logout>suspend it's just grayed out. And mounting USB devices it won't let me either.

phects commented on 2013-03-09 09:36

More Answer,

gnome-system-monitor works well with PaX but collides with /proc and /sys access restriction of grsec. The "Resources" tab needs access to /proc/vmstat, which is granted only for users in the proc-trusted group. After adding your user to the group and relogin, the tab should work. Network statistics won't work without root privileges.

phects commented on 2013-03-09 09:26

Answer,

it possibly does. linux-pax-flags takes care of PaX flags for java. Which VM are you using? I would recommend jdk7-openjdk. Flags for gnome-system-monitor aren't included, yet. I will look into it and include them, if necessary.

Anonymous comment on 2013-03-09 05:34

Question,

If I can't open Freemind(mindmap program, runs on java) in a grsec,pax kernel, does that mean it's because some sort of pax flag?

Can't open gnome-system-monitor too.

duncant commented on 2013-02-28 04:33

Disregard that last comment, I see that it's already in the package. I need to learn to actually check things before commenting.

duncant commented on 2013-02-27 23:02

From the package android-sdk-platform-tools, /opt/android-sdk/platform-tools/adb needs MPROTECT off

phects commented on 2013-02-22 08:29

The package is not on GitHub, because I have operated my own git server for some time and cannot really part with it. The repository's URL is "git://git.orgizm.net/linux-pax-flags.git".

Why do you want to rewrite linux-pax-flags? I started in bash and came to the conclusion that integrating advanced features (like configuration overrides, e.g.) is way too painful with shell scripting. (I thought about using Python for a rewrite, but learning the language didn't really fascinate me, so I used Ruby.)

I thought of at least separating the PKGBUILD from the code in the near future. The idea of a website for collecting flags is very good, but I do not think we need it right now, because there have not been that many flag reports yet.

A Hardened Arch Linux project or community would be a good starting point for raising our efforts, I think.

Do we maybe want to discuss this further in the bbs?

echoblack commented on 2013-02-22 02:29

Is this package on GitHub or something? I would like to rewrite the front end in Bash. However, I don't want to maintain my own list of programs and the pax-flags they need; nor would it be a good idea for me to do that.

You know what I think would be really cool? If I made a website all about hosting a repository of .conf files for PaX flags. Like, make it easy for people to upload new flags and comment on flags... maybe email upstream notifying them of improper memory usage, so someone can fix it upstream.... I need to flesh out that idea.

The end result is that anyone on any distro could write the equivalent of your linux-pax-flags program and/or modify their package manager to auto-set PaX flags.

phects commented on 2013-02-19 22:16

2.0.6-3:

MPROTECT off for Steam games:
- Anomaly: Warzone Earth
- Bastion
- Closure
- Darwinia
- Rochard
- Shank 2
- The Book Of Unwritten Tales
- Zen Bound 2

Added linux-pax-flags(8) man page.

Possibility to skip flags for certain paths via config in /etc/pax-flags.

Better config for adb.

phects commented on 2013-02-13 23:42

2.0.3: MPROTECT off for kscreenlocker_greet, own config file for KDE.

+ /usr/lib/kde4/libexec/kscreenlocker_greet

phects commented on 2013-02-13 23:42

2.0.2: Better handling of MPROTECT off for ruby.

+ ~/.rvm/rubies/ruby-1.9.3-p*/bin/ruby
+ /usr/bin/ruby

duncant commented on 2013-02-13 19:17

/usr/lib/kde4/libexec/kscreenlocker_greet needs MPROTECT off, otherwise KDE freezes when resuming from sleep.

phects commented on 2013-02-08 14:38

I uploaded the tool rewritten in Ruby as 2.0.1-1.

phects commented on 2013-01-22 09:29

1.0.31-8: MPROTECT off for Dolphin Emulator, Rochard, The Journey Down, Torchlight and VLC.

+ ~/Steam/SteamApps/common/The Journey Down/JourneyDown1
+ /opt/Rochard/Rochard
+ /opt/Torchlight/Torchlight.bin.x86*
+ /usr/bin/dolphin-emu
+ /usr/bin/vlc

phects commented on 2013-01-16 13:47

1.0.31-7: MPROTECT off for Dolphin Emulator, Rochard, The Journey Down and Torchlight.

+ /opt/Rochard/Rochard
+ ~/Steam/SteamApps/common/The Journey Down/JourneyDown1
+ /opt/Torchlight/Torchlight.bin.x86*
+ /usr/bin/dolphin-emu

phects commented on 2013-01-12 23:45

1.0.31-6: MPROTECT off for Rochard, The Journey Down and Torchlight.

+ /opt/Rochard/Rochard
+ ~/Steam/SteamApps/common/The Journey Down/JourneyDown1
+ /opt/Torchlight/Torchlight.bin.x86*

phects commented on 2013-01-11 14:27

1.0.31: MPROTECT off for dosbox, gendesk, mumble and python2.

+ /usr/bin/dosbox
+ /usr/bin/gendesk
+ /usr/bin/mumble
+ /usr/bin/python2

phects commented on 2013-01-09 14:47

1.0.31: MPROTECT off for gendesk, mumble and python2.

+ /usr/bin/gendesk
+ /usr/bin/mumble
+ /usr/bin/python2

phects commented on 2013-01-09 10:55

I have rewritten linux-pax-flags in Ruby, because it makes a cleaner configuration and funny things like stopping and starting a daemon before and after changing the flags of its binary possible.

I want to wait here for comments some time before releasing the rewritten version.

You can look at the code in "git://git.orgizm.net/linux-pax-flags.git".

phects commented on 2013-01-04 15:52

1.0.31: MPROTECT off for gendesk and python2.

+ /usr/bin/gendesk
+ /usr/bin/python2

ShadowKyogre commented on 2013-01-04 00:19

/usr/bin/python2 should also be added to the MPROTECT off section. Kupfer (which depends on python2) won't run with it on because it exits with a memory error.

ShadowKyogre commented on 2013-01-03 05:41

Please add /usr/bin/gendesk to the MPROTECT off section. It can't run when grsecurity is up.

(>< sorry to the maintainer of linux-grsec. I managed to post the comment meant for here twice in a row before coming here...)

phects commented on 2012-12-09 17:46

1.0.30-3: Several steam games.

+ Amnesia: The Dark Descent
+ Cogs
+ Osmos
+ Space Pirates and Zombies
+ Superbrothers: Sword & Sworcery
+ Trine 2
+ Uplink
+ World of Goo

phects commented on 2012-12-09 17:43

1.0.29: Yes option (-y) to override questions for non-interactive usage.

phects commented on 2012-12-03 17:31

1.0.28: MPROTECT and RANDMMAP off for gnome-shell.

+ /usr/bin/gnome-shell

phects commented on 2012-11-21 12:05

1.0.27: MPROTECT off for Team Fortress 2 from Steam (any hl2_linux executable) and wine-silverlight (for netflix-desktop). Skype removed.

+ ~/Steam/SteamApps/*/*/hl2_linux
+ /opt/wine-silverlight/bin/wine-preloader

- /usr/bin/skype

echoblack commented on 2012-11-21 05:52

Okay, netflix-desktop and wine-silverlight seems to have stabilized now, and is working very, very well.

MPROTECT off for /opt/wine-silverlight/bin/wine-preloader

echoblack commented on 2012-11-19 05:17

For netflix-desktop-bin :) !!!!
Really for wine-compholio-bin

MPROTECT off for /opt/wine-compholio/bin/wine-preloader

It seems these packages were removed from the AUR in less than 24 hours?
However, I have uploaded the compiled packages to my server
https://bbs.archlinux.org/viewtopic.php?pid=1195417#p1195417

echoblack commented on 2012-11-19 03:50

For netflix-desktop-bin :) !!!!
Really for wine-compholio-bin
However, it seems these packages were removed from the AUR? I'm glad I downloaded them while I could and put them in my package cache :)

MPROTECT off for /opt/wine-compholio/bin/wine-preloader

phects commented on 2012-11-08 20:34

1.0.26: MPROTECT off for mono and steam beta client.

+ ~/Steam/ubuntu12_32/steam
+ /usr/bin/mono

phects commented on 2012-11-03 12:19

1.0.25: MPROTECT off for kdenlive.

+ /usr/bin/kdenlive

phects commented on 2012-11-03 12:16

1.0.24: MPROTECT and RANDMMAP off for polkitd.

+ /usr/lib/polkit-1/polkitd

echoblack commented on 2012-11-03 00:15

OKAY :) boy, this took me like 20 hours of work to figure out. I guess RANDMMAP problems show no errors in my logs.

With KDE at least...,

MPROTECT & RANDMMAP off for polkitd
MPROTECT off for upowerd

paxctl -cPSmXEr /usr/lib/polkit-1/polkitd
paxctl -cPSmXER /usr/lib/upower/upowerd

phects commented on 2012-11-01 20:05

echoblack:
Thank you _very_ much for your efforts. This saved me a lot of time repairing my system after updating and finally rebooting.
MPROTECT off for /usr/lib/polkit-1/polkitd and uninstalling the consolekit package did the trick for me.

phects commented on 2012-11-01 20:02

1.0.24: MPROTECT off for polkitd.

+ /usr/lib/polkit-1/polkitd

echoblack commented on 2012-11-01 06:01

With polkit-0.107-4
paxctl -cPEmRXS /usr/lib/polkit-1/polkitd

However, grsec + pax kernel still will not work. Problems with systemd-logind being used instead of consolekit
D-Bus errors like
Failed to activate service 'org.freedesktop.ConsoleKit': timedout
Failed to activate service 'org.freedesktop.PolicyKit1': timedout

...hmm, maybe you need to make sure to remove the consolekit package; however, everything works fine with the -ARCH kernel

NOTE: The Bug report is the new requirement to disable MPROTECT on polkitd. Please confirm so we can have them fix the code.

echoblack commented on 2012-11-01 04:28

Bug report
https://bugs.freedesktop.org/show_bug.cgi?id=56628

echoblack commented on 2012-11-01 03:32

upgrading to polkit (0.105-1 -> 0.107-4) Many problems with PaX, arg...

Setting -cPEmPRXS /usr/lib/polkit-1/polkitd # Does NOT solve the problem, only fixes the RWX line

grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
systemd[1]: Failed to start Authorization Manager.

dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
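The three grsec lines echoblack posted above (an RWX mmap denial naming the binary, a segmentation fault for the same pid, and the bruteforce ban that follows) are the evidence a practitioner has to work from when deciding which binary needs which exception, and echoblack's earlier note that RANDMMAP problems leave no denial in the log is the other half of the picture. The script below is an added example, not part of linux-pax-flags, paxd or grsecurity: it matches those three line formats (the `mprotect` variant of the RWX denial is an assumption, the page only shows `mmap`), counts per binary how many denials and crashes were logged, and suggests MPROTECT off where an RWX denial exists and RANDMMAP off where a crash has no denial before it. The suggestions encode the comments' rules of thumb, so treat them as the next flag to test, not a diagnosis. The sample log is constructed: the first three lines are echoblack's, the kscreenlocker_greet crash is made up to show the silent case.

```python
"""Triage grsec log lines into per-binary PaX exception suggestions.

Added example for this page; not part of linux-pax-flags, paxd or grsecurity.
The line formats come from echoblack's posted log; the mprotect variant of
the RWX denial and the crash-without-denial heuristic are assumptions.
"""
import re

RWX_RE = re.compile(
    r"grsec: denied RWX (?:mmap|mprotect) of (?P<what>.+?) by "
    r"(?P<path>\S+?)\[(?P<comm>[^\]:]*):(?P<pid>\d+)\]")
SEGV_RE = re.compile(
    r"grsec: Segmentation fault occurred at (?P<addr>[0-9a-fA-F]+) in "
    r"(?P<path>\S+?)\[(?P<comm>[^\]:]*):(?P<pid>\d+)\]")
BAN_RE = re.compile(
    r"grsec: bruteforce prevention initiated against uid (?P<uid>\d+), "
    r"banning for (?P<minutes>\d+) minutes")

# Constructed sample: first three lines are echoblack's polkitd log, the
# kscreenlocker_greet crash is invented to show a segfault with no denial.
SAMPLE_LOG = """\
grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
grsec: Segmentation fault occurred at 0000000000000000 in /usr/lib/kde4/libexec/kscreenlocker_greet[kscreenlocker_gr:2200]
"""


def triage(log_text):
    """Return ({path: counters}, [(uid, minutes)]) for the grsec lines in log_text."""
    binaries = {}
    bans = []
    denied_pids = set()   # pids that already had an RWX denial logged

    def entry(path):
        return binaries.setdefault(
            path, {"rwx_denials": 0, "segfaults": 0, "silent_segfaults": 0})

    for line in log_text.splitlines():
        if m := RWX_RE.search(line):
            entry(m["path"])["rwx_denials"] += 1
            denied_pids.add(m["pid"])
        elif m := SEGV_RE.search(line):
            e = entry(m["path"])
            e["segfaults"] += 1
            if m["pid"] not in denied_pids:   # crashed without MPROTECT complaining
                e["silent_segfaults"] += 1
        elif m := BAN_RE.search(line):
            bans.append((m["uid"], int(m["minutes"])))
    return binaries, bans


def suggested_flags(binaries):
    """Map each binary to the flag letter worth trying first: m (MPROTECT off)
    when an RWX denial was logged, r (RANDMMAP off) for a crash with none."""
    out = {}
    for path, c in binaries.items():
        if c["rwx_denials"]:
            out[path] = "m"
        elif c["silent_segfaults"]:
            out[path] = "r"
    return out


def report(log_text):
    binaries, bans = triage(log_text)
    lines = []
    for path, flag in suggested_flags(binaries).items():
        c = binaries[path]
        lines.append(f"{path}: {c['rwx_denials']} RWX denials, {c['segfaults']} "
                     f"segfaults -> try paxctl -c{flag} (or user.pax.flags with {flag})")
    for uid, minutes in bans:
        lines.append(f"uid {uid} banned for {minutes} minutes: a crash-looping "
                     f"service looks hung until the ban expires")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it `journalctl -k` or `dmesg` output; the ban line matters because a service that keeps segfaulting is throttled for the ban period, so after relaxing a flag, restart the service or wait out the ban before judging whether the change helped.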

phects commented on 2012-10-05 12:56

1.0.23: MPROTECT off for KDE4 systemsettings, MPROTECT and RANDMMAP off for elinks.

+ /usr/bin/elinks
+ /usr/bin/systemsettings

echoblack commented on 2012-10-04 07:06

/usr/bin/systemsettings needs MPROTECT off (kde4) otherwise desktop effects don't work

echoblack commented on 2012-10-04 07:05

/usr/bin/systemsettings needs MPROTECT off

duncant commented on 2012-09-29 21:40

/usr/bin/elinks needs MPROTECT and RANDMMAP off (package elinks in community)

phects commented on 2012-09-26 10:42

1.0.22-2: MPROTECT off for mit-scheme.

+ /usr/bin/scheme

duncant commented on 2012-09-20 17:40

/usr/bin/scheme needs MPROTECT off (package mit-scheme in AUR)

phects commented on 2012-09-15 14:31

1.0.22: PAGEEXEC, MPROTECT, EMUTRAMP and RANDMMAP off for Steel Bank Common Lisp.

+ /usr/bin/sbcl

duncant commented on 2012-09-11 17:17

/usr/bin/sbcl needs PAGEEXEC, MPROTECT, EMUTRAMP, and RANDMMAP off.

duncant commented on 2012-09-06 17:17

phects:
Hmm... I'm on x86_64 as well (running linux-ck-pax). Just running `sudo paxctl -Cm /usr/lib32/skype/skype` works for me. Did you reinstall the skype package before rewriting the header?

phects commented on 2012-09-06 16:47

duncant:
Just running "paxctl -Cm /usr/lib32/skype/skype" does not work for me (on x86_64).

duncant commented on 2012-09-06 16:40

Skype does some sort of weird self-check that fails if its header is converted. You have to add a new header with the capital C flag instead of converting the existing header with small c. It just needs MPROTECT off, BTW.

phects commented on 2012-09-06 16:28

duncant:
You got skype running? It's got a PT_GNU_STACK header now, which is convertible but skype crashes on start even without any PaX flags enabled.

duncant commented on 2012-09-06 16:01

The Skype binary has moved from /usr/bin/skype to /usr/lib32/skype/skype

phects commented on 2012-09-06 09:27

1.0.21-4: MPROTECT off for vbetool, darwinia, liferea:

+ /usr/bin/liferea
+ /usr/sbin/vbetool
+ /usr/share/darwinia/darwinia.bin.x86
+ /usr/share/darwinia/darwinia.bin.x86_64

phects commented on 2012-08-21 14:22

1.0.21-3: MPROTECT off for vbetool and darwinia:

+ /usr/sbin/vbetool
+ /usr/share/darwinia/darwinia.bin.x86
+ /usr/share/darwinia/darwinia.bin.x86_64

phects commented on 2012-08-20 08:46

1.0.21-2: MPROTECT off for vbetool.

+ /usr/sbin/vbetool

phects commented on 2012-08-18 11:03

1.0.21: MPROTECT off for "Amnesia: The Dark Descent".

+ /usr/share/games/amnesia-tdd/Amnesia.bin
+ /usr/share/games/amnesia-tdd/Amnesia.bin64
+ /usr/share/games/amnesia-tdd/Launcher.bin
+ /usr/share/games/amnesia-tdd/Launcher.bin64

phects commented on 2012-08-16 10:17

1.0.20: MPROTECT off for Doom 3, Quake 4 and Bastion.

+ /opt/doom3/doom.x86
+ /opt/games/Bastion/Bastion.bin.x86
+ /opt/games/Bastion/Bastion.bin.x86_64
+ /opt/quake4/q4ded.x86
+ /opt/quake4/quake4.x86
+ /opt/quake4/quake4smp.x86

duncant commented on 2012-08-14 21:49

From the nspluginwrapper package:

MPROTECT off for /usr/lib/nspluginwrapper/i386/linux/npviewer.bin

phects commented on 2012-08-12 15:39

1.0.19: MPROTECT, RANDMMAP off for 0 A.D.

+ /usr/bin/pyrogenesis

Anonymous comment on 2012-08-07 22:03

You could also do them as pSmXEr instead of pSmXER; just tested, and whether it's r or R doesn't change anything on my end.
So I guess that the other user you were referring to didn't have PAGEEXEC or SEGEXEC (that would probably make it psmXEr, if you take SEGEXEC into account too) enabled then?

As far as I could see from bug reports on other distros, it's needed so that the grub binaries can execute their own stack.

phects commented on 2012-08-07 18:30

1.0.18: Skype, Java 7, glxspheres, okular (thanks to duncant).

+ /opt/java/bin/java
+ /opt/java/bin/javac
+ /usr/bin/okular
+ /usr/bin/glxspheres
+ /usr/bin/skype

duncant commented on 2012-08-07 01:51

And another binary...

/usr/bin/skype needs to have `paxctl -Cm` run on it. It has to be the capital C flag. (I know skype's ludicrously insecure and closed-source and whatnot, but I figured I'd mention it)

duncant commented on 2012-08-07 01:44

The AUR packages jre and jdk install java to /opt/java.

I've also discovered that the KDE application /usr/bin/okular (the PDF reader) requires MPROTECT off. Also, /usr/bin/glxspheres requires MPROTECT off

phects commented on 2012-08-06 09:54

1.0.17: MPROTECT off for KDE binaries.

+ /usr/bin/kdeinit4
+ /usr/bin/kmail
+ /usr/bin/kwin

phects commented on 2012-08-06 09:53

duncant:
Thanks very much! I added the KDE executables for now. Which Java packages install to "/opt/java"?

duncant commented on 2012-08-04 22:11

Also, java and javac can sometimes be found at /opt/java/bin/java and /opt/java/bin/javac so you might want to add those.

duncant commented on 2012-08-04 07:41

/usr/bin/kmail needs MPROTECT off (but can have RANDEXEC on)
/usr/bin/kwin needs MPROTECT off
/usr/bin/kdeinit4 needs MPROTECT off

All the other KDE programs that I've tried seem to work well.

phects commented on 2012-08-02 11:37

niki:
Thanks for your help! Unfortunately I could not test the flags for grub by myself. I'm careful, because someone reported other flags for /usr/bin/grub-script-check (RANDMMAP off) and /usr/sbin/grub-probe (MPROTECT off).

phects commented on 2012-08-02 11:34

1.0.16: MPROTECT off for ghc.

+ /usr/lib/ghc-*/ghc

Anonymous comment on 2012-07-29 17:55

I have to use these to get grub-bios to work correctly

pSmXER /usr/sbin/grub-bios-setup
pSmXER /usr/sbin/grub-probe
pSmXER /usr/bin/grub-script-check

phects commented on 2012-06-13 10:57

1.0.15: MPROTECT off for various clamav binaries.

+ /usr/bin/clamscan
+ /usr/bin/freshclam
+ /usr/sbin/clamd

phects commented on 2012-06-13 08:55

1.0.14: New Firefox and Thunderbird binary paths; MPROTECT off for Braid.

- /usr/lib/firefox/firefox-bin
- /usr/lib/thunderbird/thunderbird-bin

+ /usr/lib/firefox/firefox
+ /usr/lib/thunderbird/thunderbird
+ /opt/Braid/braid

phects commented on 2012-06-13 08:36

1.0.13: MPROTECT off for braid.

+ /opt/Braid/braid

phects commented on 2012-04-29 07:16

1.0.12: MPROTECT off for spicec.

+ /usr/bin/spicec

phects commented on 2012-04-17 21:55

1.0.11: MPROTECT off for blender and beam binaries (for erlang). Also better grub2 support.

+ /usr/bin/blender
+ /usr/bin/grub-script-check
+ /usr/lib/erlang/erts-5.8.5/bin/beam
+ /usr/lib/erlang/erts-5.8.5/bin/beam.smp

phects commented on 2012-03-27 13:18

1.0.9: MPROTECT off for ruby (necessary if V8 has to be used) :(

+ /usr/bin/ruby

phects commented on 2012-03-23 10:42

1.0.8: Added jdk7-openjdk and javac for openjdk6.

+ /usr/lib/jvm/java-6-openjdk/bin/javac
+ /usr/lib/jvm/java-7-openjdk/bin/javac
+ /usr/lib/jvm/java-7-openjdk/jre/bin/java

phects commented on 2012-02-15 01:59

1.0.7: Added flags for grub2 (grub-probe) and tcc.

+ /usr/bin/tcc
+ /usr/sbin/grub-probe

phects commented on 2012-02-14 21:29

1.0.6: Added flags for grub2 (grub-probe).

+ /usr/sbin/grub-probe

phects commented on 2012-01-30 18:00

1.0.5: Added PaX flags for qemu(-kvm) and wine.

+ /usr/bin/qemu-* (without qemu-{ga,img,io,nbd})
+ /usr/bin/qemu-system-*
+ /usr/bin/wine
+ /usr/bin/wine-preloader

phects commented on 2012-01-29 18:27

1.0.2: Added absolute paths to openjdk6 java binaries. Browser applets with icedtea-web are working now.

- /usr/bin/java

+ /usr/lib/jvm/java-6-openjdk/bin/java
+ /usr/lib/jvm/java-6-openjdk/jre/bin/java

phects commented on 2012-01-13 13:56

Supported binaries (as of 1.0.1):

/opt/android-sdk/tools/emulator-arm
/opt/android-sdk/tools/emulator-x86
/opt/Osmos/Osmos.bin32
/opt/Osmos/Osmos.bin64
/opt/quake3/ioquake3.i386
/opt/quake3/ioquake3.x86_64
/usr/bin/glxdemo
/usr/bin/glxgears
/usr/bin/glxinfo
/usr/bin/java
/usr/bin/mplayer
/usr/bin/valgrind
/usr/lib/chromium/chromium
/usr/lib/firefox/firefox-bin
/usr/lib/firefox/plugin-container
/usr/lib/thunderbird/thunderbird-bin
/usr/lib/valgrind/cachegrind-amd64-linux
/usr/lib/valgrind/cachegrind-x86-linux
/usr/lib/valgrind/callgrind-amd64-linux
/usr/lib/valgrind/callgrind-x86-linux
/usr/lib/valgrind/drd-amd64-linux
/usr/lib/valgrind/drd-x86-linux
/usr/lib/valgrind/exp-bbv-amd64-linux
/usr/lib/valgrind/exp-bbv-x86-linux
/usr/lib/valgrind/exp-dhat-amd64-linux
/usr/lib/valgrind/exp-dhat-x86-linux
/usr/lib/valgrind/exp-sgcheck-amd64-linux
/usr/lib/valgrind/exp-sgcheck-x86-linux
/usr/lib/valgrind/helgrind-amd64-linux
/usr/lib/valgrind/helgrind-x86-linux
/usr/lib/valgrind/lackey-amd64-linux
/usr/lib/valgrind/lackey-x86-linux
/usr/lib/valgrind/massif-amd64-linux
/usr/lib/valgrind/massif-x86-linux
/usr/lib/valgrind/memcheck-amd64-linux
/usr/lib/valgrind/memcheck-x86-linux
/usr/lib/valgrind/none-amd64-linux
/usr/lib/valgrind/none-x86-linux
/usr/lib/xbmc/xbmc.bin
/usr/share/worldofgoo/WorldOfGoo.bin32
/usr/share/worldofgoo/WorldOfGoo.bin64