Package Details: linux-pax 4.1.6-1

Git Clone URL: https://aur.archlinux.org/linux-pax.git (read-only)
Package Base: linux-pax
Description: The Linux Kernel and modules with PaX patches
Upstream URL: http://grsecurity.net/~paxguy1/
Keywords: linux pax security
Licenses: GPL2
Groups: base
Conflicts: kernel26-pax
Provides: kernel26-pax
Replaces: kernel26-pax
Submitter: phects
Maintainer: phects
Last Packager: phects
Votes: 8
Popularity: 0.000000
First Submitted: 2012-01-02 14:23
Last Updated: 2015-08-19 06:34

Latest Comments

gim commented on 2014-11-24 14:00

By the way, you may want to add signatures to the 'source' so makepkg could check them automatically before build.

http://www.kernel.org/pub/linux/kernel/v3.x/linux-3.17.tar.xz.sign
http://www.kernel.org/pub/linux/kernel/v3.x/patch-3.17.4.xz.sign
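
A check related to the suggestion above, added here as an example (it is not part of the package or of the comment): it lists which entries of a PKGBUILD-style `source` list have no detached signature next to them, so makepkg would have nothing to verify for those. The function names and the sample list are constructed; the `.sig`/`.sign`/`.asc` suffixes and the match against the decompressed file name follow makepkg's signature handling.

```shell
#!/bin/sh
# Added example: report sources that lack a detached signature entry.
# Limitation: file names containing whitespace are not supported.

# File name makepkg would use for a source entry:
# the part before "::" if the entry is renamed, else the URL basename.
src_name() {
    entry=${1%%::*}
    [ "$entry" = "$1" ] && entry=${1##*/}
    printf '%s\n' "$entry"
}

# Print every non-signature source that has no matching signature file.
unsigned_sources() {
    names=""
    for s in "$@"; do
        names="$names $(src_name "$s")"
    done
    for n in $names; do
        # Signature files themselves are not checked.
        case $n in *.sig|*.sign|*.asc) continue ;; esac
        # A signature may cover the file or its decompressed form.
        stem=$n
        case $n in *.gz|*.bz2|*.xz) stem=${n%.*} ;; esac
        found=no
        for sig in $names; do
            case $sig in
                "$n".sig|"$n".sign|"$n".asc) found=yes ;;
                "$stem".sig|"$stem".sign|"$stem".asc) found=yes ;;
            esac
        done
        [ "$found" = yes ] || printf '%s\n' "$n"
    done
}

# Constructed sample list (versions mixed on purpose, for illustration only).
sample_sources() {
    base="http://www.kernel.org/pub/linux/kernel/v3.x"
    unsigned_sources \
        "$base/linux-3.17.tar.xz" \
        "$base/linux-3.17.tar.xz.sign" \
        "$base/patch-3.17.4.xz" \
        "$base/patch-3.17.4.sign" \
        "pax.patch::https://grsecurity.net/~paxguy1/pax-linux-3.16.1-test2.patch" \
        "config.x86_64"
}

sample_sources
```

Entries it reports are covered only by the PKGBUILD's checksum arrays, which pin a file but do not authenticate who produced it.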

phects commented on 2014-08-29 06:36

Yes, it builds; I forgot to upload the AURball.

clfarron4 commented on 2014-08-28 21:34

https://grsecurity.net/~paxguy1/pax-linux-3.16.1-test2.patch

This should hopefully fix the compilation problems.

clfarron4 commented on 2014-08-17 18:46

Hi, is anyone able to build this? Whenever I try, it stops at:

CC arch/x86/kernel/probe_roms.o
CC arch/x86/kernel/sys_x86_64.o
CC arch/x86/kernel/x8664_ksyms_64.o
AS arch/x86/kernel/mcount_64.o
arch/x86/kernel/mcount_64.S: Assembler messages:
arch/x86/kernel/mcount_64.S:27: Error: no such instruction: `pax_force_retaddr'
arch/x86/kernel/mcount_64.S:70: Error: no such instruction: `pax_force_retaddr'
arch/x86/kernel/mcount_64.S:203: Error: no such instruction: `pax_force_retaddr'
arch/x86/kernel/mcount_64.S:221: Error: no such instruction: `pax_force_fptr %rdi'
scripts/Makefile.build:293: recipe for target 'arch/x86/kernel/mcount_64.o' failed
make[2]: *** [arch/x86/kernel/mcount_64.o] Error 1
scripts/Makefile.build:404: recipe for target 'arch/x86/kernel' failed
make[1]: *** [arch/x86/kernel] Error 2
Makefile:961: recipe for target 'arch/x86' failed
make: *** [arch/x86] Error 2
==> ERROR: A failure occurred in build().
Aborting...

I also have this with my linux-ck-pax package at the same point.

phects commented on 2013-11-17 21:12

Nice tip, thanks very much.

Det commented on 2013-11-17 21:04

For when that happens it'd be better to preserve the latest working patch and just put that in the $srcdir instead of simply breaking the whole thing - even if it's not your fault.

E: Actually it seems at least some of these are stockpiled in http://grsecurity.net/~paxguy1/. Might also be a better place to get the patch from because I don't know where you are getting the current link from in the new site.

Det commented on 2013-11-17 20:56

For when that happens it'd be better to preserve the latest working patch and just put that in the $srcdir instead of simply breaking the whole thing - even if it's not your fault.

phects commented on 2013-09-17 15:09

3.11-test7 is still not booting; do not upgrade yet.

phects commented on 2013-09-06 10:58

3.11-test2 did not boot at all; 3.11-test3 did, but on both x86_64 and i686 hardware and VMs very many errors showed up at boot. I uploaded the current PKGBUILD, but be warned.

phects commented on 2013-09-06 08:43

3.11-test2 did not boot at all; 3.11-test3 did, but on my hardware very many 'refcount overflow' errors showed up at boot. I upload the current PKGBUILD, but be warned.

Anonymous comment on 2013-03-11 22:39

SOLVED - Binary kernel from arsch for the Kontact Portion.
Note Kile is still seg faulting. Notes at bottom.

[daipengg@gurka ~]$ valgrind kontact
==761== Memcheck, a memory error detector
==761== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==761== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==761== Command: kontact
==761==
QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.
QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.
==762== Warning: set address range perms: large range [0x3d20f000, 0x7d211000) (defined)
kontact(762)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
==761==
==761== HEAP SUMMARY:
==761== in use at exit: 77,827 bytes in 171 blocks
==761== total heap usage: 4,501 allocs, 4,330 frees, 330,021 bytes allocated
==761==
==761== LEAK SUMMARY:
==761== definitely lost: 0 bytes in 0 blocks
==761== indirectly lost: 0 bytes in 0 blocks
==761== possibly lost: 0 bytes in 0 blocks
==761== still reachable: 77,827 bytes in 171 blocks
==761== suppressed: 0 bytes in 0 blocks
==761== Rerun with --leak-check=full to see details of leaked memory
==761==
==761== For counts of detected and suppressed errors, rerun with: -v
==761== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)



Application: Kile (kile), signal: Segmentation fault
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[Current thread is 1 (Thread 0x742390c06780 (LWP 877))]

Thread 3 (Thread 0x74237aaf6700 (LWP 878)):
#0 0x000074238e0ab810 in pthread_getspecific () from /usr/lib/libpthread.so.0
#1 0x0000742387d82880 in g_thread_self () from /usr/lib/libglib-2.0.so.0
#2 0x0000742387d5ec25 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#3 0x000074238e461b86 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#4 0x000074238e4323ff in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#5 0x000074238e432688 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#6 0x000074238e3338a0 in QThread::exec() () from /usr/lib/libQtCore.so.4
#7 0x000074238e412bbf in ?? () from /usr/lib/libQtCore.so.4
#8 0x000074238e33687c in ?? () from /usr/lib/libQtCore.so.4
#9 0x000074238e0a6e0f in start_thread () from /usr/lib/libpthread.so.0
#10 0x000074238c9a4efd in clone () from /usr/lib/libc.so.6

Thread 2 (Thread 0x742378857700 (LWP 885)):
#0 0x000074238e0aa954 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1 0x000074238ac137a7 in ?? () from /usr/lib/libQtScript.so.4
#2 0x000074238ac137d9 in ?? () from /usr/lib/libQtScript.so.4
#3 0x000074238e0a6e0f in start_thread () from /usr/lib/libpthread.so.0
#4 0x000074238c9a4efd in clone () from /usr/lib/libc.so.6

Thread 1 (Thread 0x742390c06780 (LWP 877)):
[KCrash Handler]
#5 0x000074238ab3008e in ?? () from /usr/lib/libQtScript.so.4
#6 0x000074238abb4d99 in ?? () from /usr/lib/libQtScript.so.4
#7 0x000074238abb555c in ?? () from /usr/lib/libQtScript.so.4
#8 0x000074238ac55ce0 in ?? () from /usr/lib/libQtScript.so.4
#9 0x000074238ac56cd6 in QScriptEngine::QScriptEngine() () from /usr/lib/libQtScript.so.4
#10 0x000074237b7bf44a in ?? () from /usr/lib/libkatepartinterfaces.so.4
#11 0x000074237b7bfd99 in ?? () from /usr/lib/libkatepartinterfaces.so.4
#12 0x000074237b7c0fec in ?? () from /usr/lib/libkatepartinterfaces.so.4
#13 0x000074237b7c7213 in ?? () from /usr/lib/libkatepartinterfaces.so.4
#14 0x000074237b7c793c in ?? () from /usr/lib/libkatepartinterfaces.so.4
#15 0x000074237b828689 in KateView::setupActions() () from /usr/lib/libkatepartinterfaces.so.4
#16 0x000074237b82cce2 in KateView::KateView(KateDocument*, QWidget*) () from /usr/lib/libkatepartinterfaces.so.4
#17 0x000074237b79d8b9 in KateDocument::createView(QWidget*) () from /usr/lib/libkatepartinterfaces.so.4
#18 0x0000000000501f4e in ?? ()
#19 0x000000000059bd90 in ?? ()
#20 0x000000000059027a in ?? ()
#21 0x00000000004c8826 in _start ()

Anonymous comment on 2013-03-11 13:50

This problem started right after installing the current pax kernel.

System: Host: gurka Kernel: 3.8.2-5-pax x86_64 (64 bit, gcc: 4.7.2)
Desktop: KDE 4.10.1 (Qt 4.8.4) info: plasma-desktop dm: kdm Distro: Arch Linux
Machine: Mobo: Gigabyte model: GA-880GM-D2H version: x.x Bios: Award version: F6 date: 08/31/2010
CPU: Quad core AMD Phenom II X4 840 (-MCP-) cache: 2048 KB flags: (lm nx sse sse2 sse3 sse4a svm) bmips: 25727
Clock Speeds: 1: 800.00 MHz 2: 3200.00 MHz 3: 3200.00 MHz 4: 800.00 MHz
Graphics: Card: Advanced Micro Devices [AMD] nee ATI RS880 [Radeon HD 4250] bus-ID: 01:05.0 chip-ID: 1002:9715
X.Org: 1.13.3 drivers: ati,radeon (unloaded: fbdev) Resolution: 1440x900@59.9hz
GLX Renderer: Gallium 0.4 on AMD RS880 GLX Version: 3.0 Mesa 9.1 Direct Rendering: Yes
Audio: Card-1: Advanced Micro Devices [AMD] nee ATI RS880 HDMI Audio [Radeon HD 4200 Series]
driver: snd_hda_intel bus-ID: 01:05.1 chip-ID: 1002:970f
Card-2: Advanced Micro Devices [AMD] nee ATI SBx00 Azalia (Intel HDA)
driver: snd_hda_intel bus-ID: 00:14.2 chip-ID: 1002:4383
Sound: Advanced Linux Sound Architecture ver: k3.8.2-5-pax

Kontact by Command Line

[daipengg@gurka ~]$ kontact
QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.
QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.
*** Error in `kontact': malloc(): memory corruption: 0x0000000003370970 ***
KCrash: Application '' crashing...
unnamed app(44478): Communication problem with "kontact" , it probably crashed.
Error message was: "org.freedesktop.DBus.Error.NoReply" : " "Message did not receive a reply (timeout by message bus)" "

Valgrind for Kontact

[daipengg@gurka ~]$ valgrind kontact
==46753==
==46753== Valgrind's memory management: out of memory:
==46753== newSuperblock's request for 4194304 bytes failed.
==46753== 69898240 bytes have already been allocated.
==46753== Valgrind cannot continue. Sorry.
==46753==
==46753== There are several possible reasons for this.
==46753== - You have some kind of memory limit in place. Look at the
==46753== output of 'ulimit -a'. Is there a limit on the size of
==46753== virtual memory or address space?
==46753== - You have run out of swap space.
==46753== - Valgrind has a bug. If you think this is the case or you are
==46753== not sure, please let us know and we'll try to fix it.
==46753== Please note that programs can take substantially more memory than
==46753== normal when running under Valgrind tools, eg. up to twice or
==46753== more, depending on the tool. On a 64-bit machine, Valgrind
==46753== should be able to make use of up 32GB memory. On a 32-bit
==46753== machine, Valgrind should be able to use all the memory available
==46753== to a single process, up to 4GB if that's how you have your
==46753== kernel configured. Most 32-bit Linux setups allow a maximum of
==46753== 3GB per process.
==46753==
==46753== Whatever the reason, Valgrind cannot continue. Sorry.



tail /etc/sysctl.conf

net.core.wmem_max=12582912
net.core.rmem_max=12582912

net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912

net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1

net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 5000

fs.file-max = 10000

tected_hardlinks = 1
fs.protected_symlinks = 1

# reuse/recycle time-wait sockets
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1


This may be related. Kate opens up fine for editing.

Application: Kile (kile), signal: Segmentation fault
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[Current thread is 1 (Thread 0x724b9cd1b780 (LWP 44641))]

Thread 3 (Thread 0x724b86c0b700 (LWP 44644)):
#0 0x0000724b98ab0fad in poll () from /usr/lib/libc.so.6
#1 0x0000724b93e73b14 in ?? () from /usr/lib/libglib-2.0.so.0
#2 0x0000724b93e73c34 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#3 0x0000724b9a576b86 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#4 0x0000724b9a5473ff in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#5 0x0000724b9a547688 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#6 0x0000724b9a4488a0 in QThread::exec() () from /usr/lib/libQtCore.so.4
#7 0x0000724b9a527bbf in ?? () from /usr/lib/libQtCore.so.4
#8 0x0000724b9a44b87c in ?? () from /usr/lib/libQtCore.so.4
#9 0x0000724b9a1bbe0f in start_thread () from /usr/lib/libpthread.so.0
#10 0x0000724b98ab9efd in clone () from /usr/lib/libc.so.6

Thread 2 (Thread 0x724b8496c700 (LWP 44662)):
#0 0x0000724b9a1bf954 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1 0x0000724b96d287a7 in ?? () from /usr/lib/libQtScript.so.4
#2 0x0000724b96d287d9 in ?? () from /usr/lib/libQtScript.so.4
#3 0x0000724b9a1bbe0f in start_thread () from /usr/lib/libpthread.so.0
#4 0x0000724b98ab9efd in clone () from /usr/lib/libc.so.6

Thread 1 (Thread 0x724b9cd1b780 (LWP 44641)):
[KCrash Handler]
#5 0x0000724b96c4508e in ?? () from /usr/lib/libQtScript.so.4
#6 0x0000724b96cc9d99 in ?? () from /usr/lib/libQtScript.so.4
#7 0x0000724b96cca55c in ?? () from /usr/lib/libQtScript.so.4
#8 0x0000724b96d6ace0 in ?? () from /usr/lib/libQtScript.so.4
#9 0x0000724b96d6bcd6 in QScriptEngine::QScriptEngine() () from /usr/lib/libQtScript.so.4
#10 0x0000724b878d444a in ?? () from /usr/lib/libkatepartinterfaces.so.4
#11 0x0000724b878d4d99 in ?? () from /usr/lib/libkatepartinterfaces.so.4
#12 0x0000724b878d5fec in ?? () from /usr/lib/libkatepartinterfaces.so.4
#13 0x0000724b878dc213 in ?? () from /usr/lib/libkatepartinterfaces.so.4
#14 0x0000724b878dc93c in ?? () from /usr/lib/libkatepartinterfaces.so.4
#15 0x0000724b8793d689 in KateView::setupActions() () from /usr/lib/libkatepartinterfaces.so.4
#16 0x0000724b87941ce2 in KateView::KateView(KateDocument*, QWidget*) () from /usr/lib/libkatepartinterfaces.so.4
#17 0x0000724b878b28b9 in KateDocument::createView(QWidget*) () from /usr/lib/libkatepartinterfaces.so.4
#18 0x0000000000501f4e in ?? ()
#19 0x000000000059bd90 in ?? ()
#20 0x000000000059027a in ?? ()
#21 0x00000000004c8826 in _start ()


vm.dirty_background_bytes = 4194304
vm.dirty_bytes = 4194304

net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800

net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5

net.ipv4.tcp_moderate_rcvbuf = 1
sys.net.ipv4.route.flush = 1

kernel.shmmax = 0x7fffffff



gkey

phects commented on 2013-03-09 11:18

I uploaded the new PKGBUILD a little hastily. The 3.8.2-test5 patch has problems with sysfs. The latest working patch is 3.8-test3 (linux-pax-3.8-3). It is current in arsch.orgizm.net and 619af646faa69e2a79c7982c0dd426cf56b9de80 in "git://git.orgizm.net/collective.git".

ShadowKyogre commented on 2013-01-04 00:17

@niki

I'm not sure what issue you're mentioning about the gcc plugin *.so files, but I have encountered problems loading those plugins when trying to build a virtualbox kernel module using linux-grsecurity (which I think has those pax additions).

Anonymous comment on 2012-08-30 17:34

Hi Phects.

The "issue" about the gcc plugin *.so files also applies to linux-pax :-)

duncant commented on 2012-08-22 22:37

pax -test19 for 3.5.2 is out

phects commented on 2012-08-09 10:39

Before blindly flagging this out of date, try compiling with current versions for yourself, please.

Binary packages could be obtained from the "arsch" Arch repository (at http://arsch.orgizm.net).

Please report new PaX flags here:
https://aur.archlinux.org/packages.php?ID=55760

phects commented on 2012-08-02 13:59

Finally, linux-pax compiles and boots again on x86_64 and i686 with current patches!

phects commented on 2012-06-19 16:08

linux-pax currently does not work on i686 for me. The last version which booted on my notebook and in a VM was 3.3.7-test15. Be warned. Feedback would be very much appreciated.

phects commented on 2012-01-13 14:19

Before blindly flagging this out of date, try compiling with current versions for yourself, please.

If you do not want to compile the kernel, add the "arsch" Arch repository to your pacman.conf (it also includes linux-pax-headers (and some other nice packages)):

[arsch]
Server = http://arsch.orgizm.net/$arch

You can retrieve the original (split, non-AUR) version of this PKGBUILD which contains a package() function for the kernel headers from git://git.orgizm.net/collective.git (in "pkgbuilds/phects/linux-pax").

Please report new PaX flags here:
https://aur.archlinux.org/packages.php?ID=55760

phects commented on 2012-01-12 18:21

Please report new PaX flags here:
https://aur.archlinux.org/packages.php?ID=55760

phects commented on 2012-01-11 17:42

If you do not want to compile the kernel for yourself, add the "arsch" Arch repository to your pacman.conf (it also includes linux-pax-headers):

[arsch]
Server = http://arsch.orgizm.net/$arch

phects commented on 2012-01-04 00:53

Before blindly flagging this out of date, try compiling with current versions for yourself, please.

phects commented on 2012-01-02 14:36

You can retrieve the original (split, non-AUR) version of this PKGBUILD which contains a package() function for the kernel headers from git://git.orgizm.net/collective.git (in "pkgbuilds/phects/linux-pax").

phects commented on 2012-01-02 14:29

The .install file deactivates certain PaX features for a list of binaries (because otherwise they do not work). If this is not desired, Ctrl+c has to be pressed when prompted (for deactivation of these PaX features). Unfortunately these features have to be disabled just for much endangered programs like firefox, chromium, mplayer and others.

If you want to manually change PaX features or review, please refer to _fix_permissions() in "linux-pax.install".