
Bug#605090: linux-grsec testing



On 2015-12-20 09:51, Yves-Alexis Perez wrote:
On dim., 2015-12-20 at 00:32 +0000, bancfc@openmailbox.org wrote:
Hi. After testing the kernel, X doesn't boot because restrict mprotect is enabled.


Hi,

It's most likely because you're using an nvidia/nouveau or amd/radeon graphics card, and the userland driver uses LLVMpipe, which in turn uses JIT code. I don't have the issue with my intel graphics card.

I see. In a KVM guest there is a similar conflict situation with the QXL driver too.


Are there plans to integrate a PaX exception list so mprotect can be enabled system wide while common software can still work?

I don't have any, I'm mostly interested in the kernel part right now. Also the exceptions are really system-specific, and you don't want them if you don't really need them.


Agreed, but there are many major software packages, especially on the desktop, that need exceptions to work, for example Iceweasel and by extension Tor Browser.

For these you can just use paxd.conf that's maintained by Arch, but the list will need some tweaking for binary paths and package name differences between them and Debian. Please see:

https://wiki.archlinux.org/index.php/PaX#User_exceptions
https://github.com/thestinger/paxd/blob/master/paxd.conf

Great work. I look forward to testing more releases in the future.

Regards,

