On Sun, Mar 08, 2015 at 08:21:42AM +0200, Martijn Dekkers wrote:
> > Just to clarify... *Java will run* with a grsecurity hardened kernel,
> > with pax enabled. It just needs mprotect disabled for the specific programs
> > that need it disabled. (and also many other things need this... python,
> > kdeinit4, skype, kscreenlocker_greet, thunderbird, firefox,
> > plugin-container, gdb, utox, grub-probe, etc. also firefox needs JIT
> > disabled for optimal stability). For this you need some kernel features
> > enabled; I recommend the one using xattrs because then the binaries don't
> > need modifications (or backups, and modified binaries won't run properly in
> > a non-grsec kernel, but they run fine with xattrs).
> >
> > Set the extended file system attribute with:
> >
> > setfattr -n user.pax.flags -v m /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java
> >
> > (example path, may not be right for Debian openjdk)
> >
>
> cool, thanks! I think it would be important that packages that have an
> issue running under grsec all do what they need to do on installation to
> make sure the correct configs are in place to actually work under grsec.
> This is often left out, making proper security expensive and difficult to
> track down.

Wouldn't this hit every program that does JIT compilation?  Or is
execution from writable memory different?

-- hendrik

_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
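
Added example, not part of the original messages and not code from grsecurity/PaX: a small probe for the memory-permission change a JIT compiler depends on (write code into a buffer, then make that buffer executable), which is the transition the MPROTECT restriction discussed above refuses. The function names and the one-page buffer size are assumptions made for this illustration; nothing in the buffer is ever executed.

```c
/* Added example (constructed): does this kernel let a process turn
 * writable memory into executable memory, as a JIT compiler must? */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PROBE_LEN 4096  /* assumption: one 4 KiB page is enough to probe */

/* Map a page read+write, write to it, then ask for read+exec.
 * Returns 0 if the kernel allows the change, otherwise the errno
 * reported by the call that failed. */
int probe_rw_then_rx(void)
{
    void *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;

    memset(p, 0, PROBE_LEN);  /* stand-in for emitting generated code */

    int rc = 0;
    if (mprotect(p, PROBE_LEN, PROT_READ | PROT_EXEC) != 0)
        rc = errno;           /* the restriction shows up here */

    munmap(p, PROBE_LEN);
    return rc;
}

/* Human-readable verdict for a probe result. */
const char *verdict(int rc)
{
    return rc == 0 ? "allowed" : "denied";
}

int main(void)
{
    int rc = probe_rw_then_rx();
    printf("writable -> executable: %s", verdict(rc));
    if (rc != 0)
        printf(" (%s)", strerror(rc));
    putchar('\n');
    /* Exit status 0 = JIT-style code generation would work for this binary. */
    return rc == 0 ? 0 : 1;
}
```

Running the compiled probe before and after applying the setfattr command from the quoted message to the probe binary itself shows whether the per-binary flag is being honoured on a given filesystem and kernel.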
