
Re: Paxtest results with default Grsec2 aren't impressive



On Tue, 2011-09-13 at 22:47 +0200, Kees de Jong wrote:
> I've been running my Debian machines with Grsec2 (package:
> "linux-patch-grsecurity2") for a long time.
> I thought that would keep me rather safe, but I've run Paxtest today
> (which is in the Debian repository only available for i386...)
> and I wonder now if it could be better. 
> 
> Follow these steps if you want to test it too and don't have the i386
> architecture like me: 
> 
> 1) Download the source.
> # wget http://www.grsecurity.net/~paxguy1/paxtest-0.9.7-pre5.tar.gz
> 
> 2) Extract it:
> # tar xzvf paxtest-0.9.7-pre5.tar.gz 
> # cd paxtest-0.9.7-pre5
> 
> 3) Compile it:
> # make generic
> If generic doesn't work try this:
> # make adamantix
> 
> 4) Run these two tests:
> ./paxtest kiddie
> ./paxtest blackhat
> 
> 
> Below are my results, they are quite disappointing, I was expecting full
> protection. Why is that not enabled?
> Would that interfere with other applications and functionality? I guess
> a custom compiled kernel would be better with the Grsecurity settings at
> high.
> [... snip ...]

Is there a reason why you're using the Debian package instead of the
official grsecurity releases from grsecurity.net?

As far as whether "full" protection would interfere with things, the
answer is yes.  Both PaX and grsecurity have a number of settings that
absolutely can and will break a number of applications if simply
switched on.  They're not minor packages either: things like Java and
Iceweasel can have issues with various PaX settings.  I'm not familiar
with what defaults/settings the Debian package defaults to, but if it
doesn't pre-select all of the protections available, I suspect that's
why.

-Rob
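
A small helper for reading results like the ones discussed in this thread. It is an added example, not part of either message or of paxtest, and it assumes result lines in the form `test name : result`. The sample log is constructed (not the results snipped above) and the file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: summarise a saved paxtest log (not part of paxtest itself).
# Assumption: result lines look like "test name   : result".

# Constructed sample input, not the results snipped from the thread.
sample_log() {
cat <<'EOF'
Mode: kiddie
Executable anonymous mapping             : Killed
Executable bss                           : Vulnerable
Executable stack (mprotect)              : Vulnerable
Main executable randomisation (PIE)      : No randomisation
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Writable text segments                   : Killed
EOF
}

# Reads a log on stdin, lists every test that was not blocked, then prints totals.
summarise() {
    awk '
    {
        i = index($0, " : ")
        if (i == 0) next                      # banner and mode lines
        name = substr($0, 1, i - 1); sub(/ +$/, "", name)
        res  = substr($0, i + 3);    sub(/ +$/, "", res)
        if (res == "Killed")                { killed++ }
        else if (res == "Vulnerable")       { vuln++;  print "VULNERABLE  " name }
        else if (res == "No randomisation") { flat++;  print "NO-RANDOM   " name }
        else if (res ~ /^[0-9]+ bits/)      { aslr++;  split(res, b, " ")
                                              print "RANDOMISED  " name " (" b[1] " bits)" }
        else                                { other++; print "UNPARSED    " name ": " res }
    }
    END {
        printf "killed=%d vulnerable=%d no_randomisation=%d randomised=%d other=%d\n",
               killed, vuln, flat, aslr, other
    }'
}

# Usage: sh summarise.sh saved-output.txt   (hypothetical file name)
if [ -n "${1:-}" ]; then summarise < "$1"; else sample_log | summarise; fi
```

Running it against the output of the same test mode before and after changing a kernel option shows which protections that option actually turned on.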

