Author: Hendrik Boom
Date:  
To: dng
Subject: Re: [Dng] with pax flags, Java works fine - (was Hardened Devuan)
On Sun, Mar 08, 2015 at 08:21:42AM +0200, Martijn Dekkers wrote:
> > Just to clarify... *Java will run* with a grsecurity hardened kernel,
> > with pax enabled. It just needs mprotect disabled for the specific programs
> > that need it disabled. (and also many other things need this... python,
> > kdeinit4, skype, kscreenlocker_greet, thunderbird, firefox,
> > plugin-container, gdb, utox, grub-probe, etc. also firefox needs JIT
> > disabled for optimal stability). For this you need some kernel features
> > enabled; I recommend the one using xattrs because then the binaries don't
> > need modifications (or backups, and modified binaries won't run properly in
> > a non-grsec kernel, but they run fine with xattrs).
> >
> > Set the extended file system attribute with:
> >
> > setfattr -n user.pax.flags -v m /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java
> >
> > (example path, may not be right for Debian openjdk)
> >
>
> cool, thanks! I think it would be important that packages that have an
> issue running under grsec all do what they need to do on installation to
> make sure the correct configs are in place to actually work under grsec.
> This is often left out, making proper security expensive and difficult to
> track down.


Wouldn't this hit every program that does JIT compilation? Or is
execution from writable memory different?

-- hendrik
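
The `setfattr -v m` command quoted above replaces the whole `user.pax.flags` value, so any flags already set on a binary are lost, and the example glob may match nothing on a given system. The following helper is an added example, not part of the original thread: it merges the new flag into the existing value and skips paths that do not exist. It assumes the `attr` tools (`getfattr`, `setfattr`) and the usual PaX flag letters (P/p, E/e, M/m, R/r, S/s); the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes getfattr/setfattr (attr package)
# and a kernel using xattr-based PaX flags, as the quoted message recommends.

# merge_pax_flags CURRENT WANTED
# Prints CURRENT with the letters in WANTED applied. PaX letters come in case
# pairs (M enables MPROTECT, m disables it), so applying "m" drops any "M"
# and leaves unrelated letters (p, e, r, s ...) untouched.
merge_pax_flags() {
    cur=$1; want=$2; out=
    case $cur$want in
        *[!PpEeMmRrSs]*) echo "invalid PaX flag in '$cur$want'" >&2; return 2 ;;
    esac
    while [ -n "$cur" ]; do
        rest=${cur#?}; c=${cur%"$rest"}; cur=$rest      # pop first letter
        lc=$(printf %s "$c" | tr 'A-Z' 'a-z')
        uc=$(printf %s "$c" | tr 'a-z' 'A-Z')
        case $want in *"$lc"*|*"$uc"*) continue ;; esac # superseded by WANTED
        case $out in *"$c"*) ;; *) out=$out$c ;; esac   # keep, drop duplicates
    done
    printf '%s\n' "$out$want"
}

# pax_add_flags FLAGS FILE...
# Adds FLAGS to user.pax.flags on each existing regular file and leaves files
# that already carry them alone. Returns non-zero if any update failed.
pax_add_flags() {
    flags=$1; shift; rc=0
    for f in "$@"; do
        # An unmatched glob arrives as a literal pattern; skip it.
        [ -f "$f" ] || { echo "skip (not a file): $f" >&2; continue; }
        old=$(getfattr --only-values -n user.pax.flags -- "$f" 2>/dev/null) || old=
        new=$(merge_pax_flags "$old" "$flags") || { rc=1; continue; }
        [ "$new" = "$old" ] && continue
        if setfattr -n user.pax.flags -v "$new" -- "$f"; then
            echo "$f: '$old' -> '$new'"
        else
            rc=1
        fi
    done
    return $rc
}

# Usage, with the example path from the quoted message:
#   pax_add_flags m /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java
```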