The PaX quick start is useful for getting PaX set up; however, if CONFIG_COMPAT_VDSO is set, then some of the PaX options are unavailable. So I feel it might be useful to comment on mentioning to unset this option.

Reproducible: Always

Steps to Reproduce:
1. Follow guide
2. Enable all the kernel options it informs you to
3. Discover that you cannot find all the kernel options due to VDSO being enabled.

Actual Results: Some of the PaX options are hidden.

Expected Results: To be able to follow the guide and enable all the options it suggests.

See this: http://forums.grsecurity.net/viewtopic.php?t=1647
Please attach a diff of the .xml file with your clarifications. http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml?content-type=text/plain
Created attachment 122638
Diff of XML

This is an additional paragraph and kernel example to ensure that all the PaX options show when they step onto the PaX kernel configuration.

PAX_PAGEEXEC > depends on !COMPAT_VDSO
PAX_SEGMEXEC > depends on !COMPAT_VDSO
Created attachment 122639
Unified Diff

Sorry, ignore last diff.
The docs definitely need some love, but I am not sure this particular update is needed anymore since it is now impossible to select COMPAT_VDSO. I think it would be a distraction/noise as the user would go to check and make sure they didn't have it enabled... only to look and look and no longer be able to find the option. Kerin, what do you think?
Re: Comment 4 Agreed. Not only is it impossible to enable the kconfig option in 2.6.23-r9 (which is stable), it's impossible to enable it at runtime via sysctl as of 2.6.24. In view of these recent changes, and with due respect to the reporter for raising a perfectly valid concern, I recommend closing as FIXED (or, being pedantic, INVALID).