[Lguest] NX bit support

Philip Sanderson philip.k.sanderson at gmail.com
Sat Nov 6 23:13:26 EST 2010


Hello,

short version:

- Any plans for NX bit support?
- Patch for Documentation/lguest/lguest.c -- remove prot_exec, adds chroot.
- /dev/random is broken, even if --rng is specified.

tl;dr version:

Is there any plan to support NX bit for PAE kernels? I've tried to adapt it
myself, but I rarely do kernel stuff, so I'm not sure what I'm doing. I've
tried disabling masking out NX bit support on cpuid instruction, and tried
finding where the NX bit is being masked out, but to no luck.

As a side note, I've attached a patch which removes PROT_EXEC flag from
Documentation/lguest/lguest.c, and implements dropping to privileges and
chrooting to a directory. PROT_EXEC seems to be completely unnecessary (as
the lguest binary never executes there), and will allow it to work with
SELinux (and more importantly, PaX :-) as they can/do forbid writable and
executable mappings.

There also appears to be a bug in the /dev/random code in 2.6.35.8
regardless of --rng being specified or not. dd if=/dev/random bs=8 count=1
blocks. /dev/urandom works as expected. strace'ing lguest shows it never
reads from /dev/random. The .config has

# grep RANDOM_VIRT .config
CONFIG_HW_RANDOM_VIRTIO=y

set.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/lguest/attachments/20101106/74a17a57/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lguest.diff
Type: text/x-patch
Size: 3872 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/lguest/attachments/20101106/74a17a57/attachment.bin>


More information about the Lguest mailing list