For a while I’ve had to keep the Restrict mprotect() option in PaX disabled because it wasn’t compatible with certain programs. It was kind of a huge pain to deal with for that reason. But I’ve finally taken the 30 seconds to just deal with it and I’ll post how.
The program that has the biggest issue with the restrictions is Unity, the program that handles your user interface on Ubuntu. So, we need to kill Unity so that we can use the paxctl program to disable mprotect restrictions.
Keep in mind that you need to enable CONFIG_PAX_PT_PAX_FLAGS in your kernel config for this.
1) Download paxctl
A simple ‘apt-get install paxctl’ is enough here.
2) Kill Unity and Xorg
This is the annoying part. Xorg just restarts every time it’s killed. So you have to run the following command:
service lightdm stop
And then hit ctrl + alt + F4.
You should now have a terminal.
3) Apply flags
paxctl -c /usr/bin/unity
paxctl -m /usr/bin/unity
Now you can reboot and your UI should work. You’ll have to do this for a few programs (like Chrome) as well.
From the Grsecurity wiki on mprotect() restrictions:
Enabling this option will prevent programs from
– changing the executable status of memory pages that were
not originally created as executable,
– making read-only executable pages writable again,
– creating executable pages from anonymous memory,
– making read-only-after-relocations (RELRO) data pages writable again.
You should say Y here to complete the protection provided by
the enforcement of non-executable pages.