Security
如何使用 paxd 在 grsec-hardend Arch Linux 核心上執行 Java?
我有帶有最新 grsec-hardened 4.9.x Linux 核心的 Arch Linux,並安裝了 paxd。但正因為如此,當我嘗試執行 Java 時,出現以下錯誤:
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x0000035ea1000000, 2555904, 1) failed; error='Operation not permitted' (errno=1) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (mmap) failed to map 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /home/[username]/hs_err_pid2813.log現在,我過去遇到了這個錯誤,我設法告訴它允許 Java 執行此操作,但是我不記得也找不到如何執行此操作的資源。我已經查看了這個 SO 答案
paxctl,但是唉,我的系統告訴我,即使我安裝了 Arch wiki 上提到的所有與 grsec 相關的實用程序,也找不到該命令。那麼如何讓它允許Java呢?
paxctl應該為你工作,root #paxctl -h PaX control v0.7 Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu> usage: paxctl <options> <files> options: -p: disable PAGEEXEC -P: enable PAGEEXEC -e: disable EMUTRAMP -E: enable EMUTRAMP -m: disable MPROTECT -M: enable MPROTECT -r: disable RANDMMAP -R: enable RANDMMAP -x: disable RANDEXEC -X: enable RANDEXEC -s: disable SEGMEXEC -S: enable SEGMEXEC -v: view flags -z: restore default flags -q: suppress error messages -Q: report flags in short format -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!) -C: create PT_PAX_FLAGS (see manpage!)通常我會禁用所有這樣的限制,
paxctl -pemrxs `which java`雖然您也可以更直接地設置標誌而不需要
paxctl. 因此,例如,如果你想禁用mr你會做的那些:sudo setfattr -n user.pax.flags -v "mr" `which java`