On 19 Sep 2015 at 20:24, Alex Efros wrote:

> On Sat, Sep 19, 2015 at 05:50:20PM +0200, PaX Team wrote:
> > so there're two things left to do:
> > 1. enable ELFRELOCS in your kernel config (and keep MPROTECT enforced
> > on all binaries)
>
> Done. This works. I don't really like it, but let it be, at least for now.

well, disabling MPROTECT is much worse, this way you can at least control which binaries can map libraries with textrels.

> At a glance only difference is few messages in kernel log:
>
> grsec: denied text relocation in
> /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0,

did you see only a single log per executable or two? i'm asking it because this method of runtime codegen would produce two messages (and the grsec log message is actually wrong as it's not a denial but rather the opposite, spender will fix it in the next patch ;).

> RWX mprotect of /usr/lib64/opengl/nvidia/lib/libGL.so.355.11 by
> /opt/bin/nvidia-settings

this is probably another attempt at runtime codegen by the using mmap/mprotect, if this didn't cause app failure then it means that their libGL has some fallback path to cope with this.

> > 2. perhaps ask nvidia if this textrel marking is intentional
>
> Can you do this, please? I'm afraid such a question sent to their L1
> support using default form on website by someone who don't really
> understand what he is talking about have too small chance to get
> meaningful answer from competent person.

unfortunately we have no direct contact to nvidia guys (anyone with access there feel free to speak up ;) so i can't do more than what you described above. in any case, this is not critical information, would just satisfy my own curiosity ;).

> As for /proc/pid/maps - I'm not sure what I should check there.
> Here is /proc/$(pidof xxkb)/maps:
>
> 00000000-00000000 r-xp 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0
> 00000000-00000000 ---p 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0
> 00000000-00000000 rw-p 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0

the above shows that the r-x segment isn't split up which suggests that the whole textrel dance was done properly but then you should have seen two logs per executable...
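The /proc/pid/maps check described in the reply above, as an added example that is not part of the original message: it counts executable mappings per file (more than one means the r-x segment was split) and flags any mapping that is both writable and executable. The function names and the second library in the sample are hypothetical, and the sample lines are constructed on the model of the quoted excerpt.

```python
import re
from collections import defaultdict

# Constructed sample; addresses are zeroed as in the quoted excerpt.
SAMPLE_MAPS = """\
00000000-00000000 r-xp 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0
00000000-00000000 ---p 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0
00000000-00000000 rw-p 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0
00000000-00000000 r-xp 00000000 08:05 1500001 /usr/lib64/libexample.so.1
00000000-00000000 rwxp 00001000 08:05 1500001 /usr/lib64/libexample.so.1
00000000-00000000 r-xp 00002000 08:05 1500001 /usr/lib64/libexample.so.1
00000000-00000000 rw-p 00000000 00:00 0 [heap]
"""

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)

def summarize(maps_text):
    """Per file-backed path: number of executable mappings and of W+X mappings."""
    stats = defaultdict(lambda: {"exec_maps": 0, "wx_maps": 0})
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        perms, inode, path = m.group(3), m.group(6), m.group(7)
        if inode == "0" or not path.startswith("/"):
            continue  # anonymous or pseudo mappings such as [heap], [stack]
        if "x" in perms:
            stats[path]["exec_maps"] += 1
            if "w" in perms:
                stats[path]["wx_maps"] += 1
    return dict(stats)

def findings(maps_text):
    """List (path, reason) pairs worth a closer look, sorted by path."""
    out = []
    for path, s in sorted(summarize(maps_text).items()):
        if s["wx_maps"]:
            out.append((path, "writable+executable mapping present"))
        if s["exec_maps"] > 1:
            out.append((path, "executable segment split into %d mappings" % s["exec_maps"]))
    return out

if __name__ == "__main__":
    for path, reason in findings(SAMPLE_MAPS):
        print(path, "-", reason)
```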