Building a kernel with CONFIG_GRKERNSEC_PAX_NOEXEC=y CONFIG_GRKERNSEC_PAX_SEGMEXEC=y (not sure about CONFIG_GRKERNSEC_PAX_PAGEEXEC) (PAX enabled) results in busybox being unable to complete the pivot_root stage:

[...]
STEP 5c: redirect console
STEP 6: pivot_root and exec/chroot real init
PAX: terminating task: /bin/[([):<random pid>, uid/euid: 0/0 EIP: [...] EID: [...]
PAX: bytes at EIP: [...]
grsec: attempted resource overstep by reqeusting 4096 for RLIMIT_CORE against limit 0 by ([:<random pid>) UID(0) EUID(0), parent:(linuxrc:1) UID(0) EUID(0)
Killed
PAX: terminating task: /bin/[([):<random pid>, uid/euid: 0/0 EIP: [...] EID: [...]
PAX: bytes at EIP: [...]
grsec: attempted resource overstep by reqeusting 4096 for RLIMIT_CORE against limit 0 by ([:<random pid>) UID(0) EUID(0), parent:(linuxrc:1) UID(0) EUID(0)
Killed
PAX: terminating task: /bin/chroot(chroot):1, uid/euid: 0/0 EIP: [...] EID: [...]
PAX: bytes at EIP: [...]
grsec: attempted resource overstep by reqeusting 4096 for RLIMIT_CORE against limit 0 by (chroot:1) UID(0) EUID(0), parent:(swapper:0) UID(0) EUID(0)
Kernel panic: Atemmpted to kill init!

The solution is to chpax -ps the necessary binaries in busybox so that PAX does not shut them down; however, I couldn't figure out how to do this.
Where does this 'chpax' information get stored? Is chpax going to need to be in the initrd, or can this be done when the initrd is created? Also, most executables are hardlinks to the busybox binary, so does only the busybox executable need to be chpax'd, or all hardlinks too?
-Brad
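Added example (not from the reporter or from busybox): the legacy PaX marking that chpax writes lives in the ELF identification padding, so a short parser can show what `chpax -ps` changes and let you verify a binary in the initrd image before booting. The byte offset (EI_PAX = 14) and bit values are assumed from the legacy chpax/PaX format; a set bit means that feature is disabled for the binary, which is what lowercase `-p`/`-s` request.

```python
import struct

# Legacy PaX marking as written by chpax: a 16-bit little-endian word stored
# in the otherwise unused ELF identification padding at e_ident[14..15].
# ASSUMPTION: offset and bit layout taken from the legacy PaX/chpax format;
# check them against the chpax source for the version you actually run.
EI_PAX = 14
HF_PAX_FLAGS = {
    "PAGEEXEC": 1 << 0,   # chpax -p sets this (disables PAGEEXEC)
    "EMUTRAMP": 1 << 1,   # chpax -e
    "MPROTECT": 1 << 2,   # chpax -m
    "RANDMMAP": 1 << 3,   # chpax -r
    "RANDEXEC": 1 << 4,   # chpax -x
    "SEGMEXEC": 1 << 5,   # chpax -s sets this (disables SEGMEXEC)
}


def read_pax_flags(header: bytes) -> dict:
    """Decode the legacy marking; returns {feature: True if DISABLED}."""
    if len(header) < 16 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    (raw,) = struct.unpack_from("<H", header, EI_PAX)
    return {name: bool(raw & bit) for name, bit in HF_PAX_FLAGS.items()}


def set_pax_flags(header: bytes, disable: set) -> bytes:
    """Return a copy of the header marked the way `chpax -<flags>` would."""
    if len(header) < 16 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    raw = 0
    for name in disable:
        raw |= HF_PAX_FLAGS[name]   # KeyError on an unknown feature name
    out = bytearray(header)
    struct.pack_into("<H", out, EI_PAX, raw)
    return bytes(out)


def pax_flags_of_file(path: str) -> dict:
    """Inspect a real binary (e.g. busybox inside an unpacked initrd)."""
    with open(path, "rb") as fh:
        return read_pax_flags(fh.read(16))


# Constructed sample: the e_ident of an ELF32 little-endian x86 binary with
# no PaX marking yet (bytes 9..15 are padding, all zero).
UNMARKED_IDENT = b"\x7fELF\x01\x01\x01" + b"\x00" * 9

if __name__ == "__main__":
    marked = set_pax_flags(UNMARKED_IDENT, {"PAGEEXEC", "SEGMEXEC"})
    print("after chpax -ps:", read_pax_flags(marked))
```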
Closing this as need info; it's been a few days with no response.