~drscream

grsec pax update-grub, terminating task grub-probe

I’ve installed a Debian machine with the grsec kernel from kernelsec.cr0.org. Everything looked good and was working fine, but after some time I found out that update-grub doesn’t work anymore.

[root@grapefruit]:~ # update-grub
Searching for GRUB installation directory ... found: /boot/grub

Looking at the dmesg output, we see that the problem is grub-probe:

Nov  7 23:07:57 grapefruit kernel: [96585.754724] PAX: From 127.0.0.6: execution attempt in: <anonymous mapping>, ...
Nov  7 23:07:57 grapefruit kernel: [96585.761809] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):20649, uid/euid: 0/0, ...
Nov  7 23:07:57 grapefruit kernel: [96585.769773] PAX: bytes at PC: 41 ...
Nov  7 23:07:57 grapefruit kernel: [96585.776171] PAX: bytes at SP-8: 0000000000000006 ...

Now it’s time to check the PaX flags of grub-probe; here we see the default options:

[root@grapefruit]:~ # chpax -v /usr/sbin/grub-probe
---[ chpax 0.7 : Current flags for /usr/sbin/grub-probe (PeMRxS) ]---
 * Paging based PAGE_EXEC       : enabled (overridden)
 * Trampolines                  : not emulated
 * mprotect()                   : restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : enabled

We should disable paging-based and segmentation-based PAGE_EXEC for this binary:

[root@grapefruit]:~ # chpax -ps /usr/sbin/grub-probe

And, tadaaaaa, update-grub is working:

[root@grapefruit]:~ # update-grub
Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ...
   found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-2.6.32.15-1-grsec
Updating /boot/grub/menu.lst ... done
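
To see which binaries PaX has killed, and how often, the "PAX: terminating task" kernel log lines shown above can be summarised per executable. This is an added example, not part of the original post; the sample log lines are constructed in the format of the dmesg excerpt, and example-tool is a hypothetical binary.

```shell
#!/bin/sh
# Added example: list binaries killed by PaX, from kernel log lines on stdin.

# Constructed sample input in the format of the dmesg excerpt above.
# The "..." tails and the example-tool entry are made up for the demo.
SAMPLE_LOG='Nov  7 23:07:57 grapefruit kernel: [96585.754724] PAX: From 127.0.0.6: execution attempt in: <anonymous mapping>, ...
Nov  7 23:07:57 grapefruit kernel: [96585.761809] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):20649, uid/euid: 0/0, ...
Nov  7 23:09:12 grapefruit kernel: [96660.112233] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):20711, uid/euid: 0/0, ...
Nov  7 23:15:40 grapefruit kernel: [97048.445566] PAX: terminating task: /usr/local/bin/example-tool(example-tool):20890, uid/euid: 1000/1000, ...
Nov  7 23:16:01 grapefruit kernel: [97069.000001] usb 1-1: new high speed USB device'

# Print "pid uid euid path" for every "PAX: terminating task" line.
pax_killed_tasks() {
    sed -n 's|.*PAX: terminating task: \(/[^(]*\)(\([^)]*\)):\([0-9][0-9]*\), uid/euid: \([0-9][0-9]*\)/\([0-9][0-9]*\).*|\3 \4 \5 \1|p'
}

# Print "count path", one line per distinct binary, most frequent first.
pax_kill_summary() {
    pax_killed_tasks | cut -d' ' -f4- | sort | uniq -c | sort -rn |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n " " $0 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | pax_kill_summary
```

On a real system, pipe `dmesg` or the kernel log file into `pax_kill_summary` instead of the sample, then review each listed binary with `chpax -v` before relaxing any flag.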
