grsecurity in kernel? [ doc and "PaX performance impact"]
glenn.mh.dk at gmail.com
Thu Dec 30 00:24:51 CET 2010
At 23:38 +0100 29/12/10, Vinzenz Hersche wrote:
>Glenn, I like to try this for a kernel.. it should just need to be a patched
>kernel (so need to recompile) and a loaded kernel or what do you think?
>I don't know so much about cross-compile, but I like to learn it.. if also
>someone else likes to join the try or so, you're welcome :)
>Timo, you're right about X.. that's a big hole.. how is it on qtmoko, because
>of no x-server?
>Timo wrote on Wednesday 29 December 2010:
PaX performance impact:
It is my opinion that PaX is a very good patchset, being an important
step towards improved operating system and therefore services'
security. The memory protection plays an important role but the
effectiveness of the patchset is maximized in conjunction with the
other mechanisms supplied. grsecurity includes PaX and presents a
very complete approach for improved Linux security.
Some applications that were badly written, aggressively optimized or
derived from very old and thus crippled code may not work with this
kind of security patches. There is no hope for those applications
other than two solutions:
* Selectively disable PaX features with userland tool on misbehaving
binaries, thus lowering the security level (not possible on all
setups without some serious changes)
* Change or have someone change the application to run in protected
memory and randomized mapping environments