subgraph / paxrat

paxrat is a utility to set PaX flags on a set of binaries.
GNU General Public License v3.0

Two different pax flags on /usr/sbin/grub-probe #17

Closed psivesely closed 7 years ago

psivesely commented 7 years ago

In paxrat.conf you currently have two entries for /usr/sbin/grub-probe. Firstly, this should be both caught by paxrat -t paxrat.conf, and logged as an error when applied at runtime.

Since you have PAX_EMUTRAMP=y set in your latest kernel config, I believe you'll want to go with just the E flag (see https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Grub).

The other weird thing I noticed is that the flags that actually result from applying this config are me instead of mE as one might expect.
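The duplicate-entry check requested in the comment above, as an added example that is not part of the issue thread or of paxrat's own code. It assumes paxrat.conf is a JSON object keyed by binary path; the helper name `duplicatePaths`, the field names and the sample entries are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// duplicatePaths (hypothetical helper) returns every top-level key that occurs
// more than once in a JSON object. json.Unmarshal into a map keeps only the
// last occurrence and reports nothing, so the token stream is walked instead.
func duplicatePaths(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	if tok, err := dec.Token(); err != nil {
		return nil, err
	} else if d, ok := tok.(json.Delim); !ok || d != '{' {
		return nil, fmt.Errorf("expected a JSON object, got %v", tok)
	}
	seen := map[string]int{}
	var dups []string
	for dec.More() {
		tok, err := dec.Token() // next top-level key (the binary path)
		if err != nil {
			return nil, err
		}
		key, _ := tok.(string)
		var value json.RawMessage // consume the entry's settings unparsed
		if err := dec.Decode(&value); err != nil {
			return nil, err
		}
		if seen[key]++; seen[key] == 2 {
			dups = append(dups, key) // report each duplicated path once
		}
	}
	_, err := dec.Token() // closing brace; fails on truncated input
	return dups, err
}

// Constructed sample input (assumed layout), not the project's real config.
const sampleConf = `{
  "/usr/sbin/grub-probe": {"flags": "E", "nonroot": false},
  "/usr/bin/example":     {"flags": "m", "nonroot": false},
  "/usr/sbin/grub-probe": {"flags": "m", "nonroot": false}
}`

func main() {
	dups, err := duplicatePaths(strings.NewReader(sampleConf))
	fmt.Println(dups, err)
}
```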

psivesely commented 7 years ago

Resolved via 121745eee6bccf2359ee0da6272553e92865eec2.