When trying to use the AdminCD to rescue another Linux installation, I was unable to run the necessary grub commands due to the grsecurity PaX hardening of the AdminCD kernel. When running grub in the chrooted environment, I simply received the error message "grub: asmstub.c:170: grub_stage2: Assertion `ret == 0' failed." And using strace I can clearly see the mprotect: "permission denied" message. There is seemingly no way around this because you can't disable PaX at boot because CONFIG_PAX_SOFTMODE isn't enabled. In my opinion, it would make the AdminCD image even more useful when using it to rescue systems.
Reproducible: Always
I don't use the AdminCD so I need you to test. Can you try adding pax_softmode=1 to the kernel command line parameters and see if that fixes things?
I tried exactly that, but unfortunately it didn't work. Having read the kernel docs, my understanding is that you need to enable the CONFIG_PAX_SOFTMODE option before that works, hence this bug/request. For reference, here is the kernel option description: CONFIG_PAX_SOFTMODE: Enabling this option will allow you to run PaX in soft mode, that is, PaX features will not be enforced by default, only on executables marked explicitly. You must also enable PT_PAX_FLAGS or XATTR_PAX_FLAGS support as they are the only way to mark executables for soft mode use. Soft mode can be activated by using the "pax_softmode=1" kernel command line option on boot. Furthermore you can control various PaX features at runtime via the entries in /proc/sys/kernel/pax.
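The dependency described in the comment above, as an added example that is not part of the original bug thread or the Gentoo releng code: a shell check that reports whether `pax_softmode=1` can take effect for a given kernel config and command line. The function names, the status words and the full symbol names `CONFIG_PAX_PT_PAX_FLAGS` and `CONFIG_PAX_XATTR_PAX_FLAGS` are assumptions of this example.

```shell
#!/bin/sh
# Added example: explain why pax_softmode=1 did or did not take effect.
# Inputs are file paths so the check also works on saved copies; on a
# live system pass /proc/config.gz (if the kernel exposes it) and /proc/cmdline.

# Print the kernel config as text, decompressing when the name ends in .gz.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# pax_softmode_status CONFIG_FILE CMDLINE_FILE
# Prints one status word:
#   unsupported    CONFIG_PAX_SOFTMODE is not built in; the boot option is ignored
#   no-marking     soft mode is built in, but neither flag-marking option is
#   not-requested  soft mode is usable, but pax_softmode=1 was not passed
#   requested      soft mode is usable and was requested at boot
pax_softmode_status() {
    cfg=$(read_config "$1") || return 2
    cmdline=$(cat "$2") || return 2

    if ! printf '%s\n' "$cfg" | grep -q '^CONFIG_PAX_SOFTMODE=y$'; then
        echo unsupported
        return 0
    fi
    # Assumed symbol names for the PT_PAX_FLAGS / XATTR_PAX_FLAGS options.
    if ! printf '%s\n' "$cfg" |
            grep -Eq '^CONFIG_PAX_(PT_PAX|XATTR_PAX)_FLAGS=y$'; then
        echo no-marking
        return 0
    fi
    # Match the parameter as a whole word, not as a substring of another one.
    case " $cmdline " in
        *" pax_softmode=1 "*) echo requested ;;
        *)                    echo not-requested ;;
    esac
}

# Stand-alone use: sh script.sh /proc/config.gz /proc/cmdline
if [ "$#" -eq 2 ]; then
    pax_softmode_status "$1" "$2"
fi
```

A result of `unsupported` matches the situation reported here: the parameter is on the command line but the kernel was built without the option.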
https://gitweb.gentoo.org/proj/releng.git/commit/?id=cd39c541be8a039bc2f561364a7eedcee90e3285 This should be fixed in the next build.
Closing as we've built a few CDs since.
Seems I forgot to actually "close" the bug.