07-10-09, 08:54 AM   #1
HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/"

Nvidia people please help with this.
I use Gentoo Hardened kernel version grsecurity ver 2.1.14

When I try to run a program that uses openGL, for example nvidia-settings, I get this:
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):10867, uid/euid: 1000/1000, PC: 000070b18cbe4410, SP: 0000726bf6bf5fa8
PAX: bytes at PC: 64 48 8b 04 25 20 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
PAX: bytes at SP-8:
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/nvidia-settings

That happens with all apps that use openGL.
Please tell me how I can use your nvidia binary drivers to run openGL apps without downgrading my security. Disabling grsecurity and PAX is not an option because that's like saying to a Windows user turn off all your antivirus and protections so you can run openGL.

So I hope you're not going to say something like "in order to use our products you have to downgrade security on your system and leave your system wide open to crackers".

Nvidia developers, whether you have a solution to this problem or not, I would like you to state your position and opinions about it so I can decide what I should do in the future. Please reply back promptly. Thank you.

One more example:
I tried paxctl -spcm on amarok but it still doesn't start.

Also I found this on the grsecurity mail list:
"The 3rd party nvidia stuff has runtime execution code in the shared
object ( & drivers ) so any program that is directly linked to it and
calls whatever function in it is going to cause the same error. So just
use the chpax or paxctl on the glx{gears,info} or use the rbac system.

Anyway the root of the problem is in the 3rd party driver & app so it's
not something trivially we can fix. The vendor has to be persuaded to
release a non runtime exec compatible versions and I don't think they
really want to do that (yet).

> I know it doesn't make much sense to be using grsec with a desktop machine,

It makes complete sense to run grsec and PaX on a desktop just the same
as a server. Think about it for a sec.. Where do you ssh from into your
servers or whatever.. Most of the time your desktop, and if your desktop
gets owned then you're going to be mega screwed."
konst
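
Added example, not part of the original post: a small Python triage script that parses PaX kill records in the format quoted above and groups the terminated executables by the region where execution was denied, which is what an administrator needs in order to scope per-binary exceptions rather than disabling PaX system-wide. The function names, the second log record and the `/usr/bin/glxgears` path are constructed for illustration.

```python
import re
from collections import defaultdict

# Record formats as they appear in the kernel log quoted in the post.
ATTEMPT_RE = re.compile(r"PAX: execution attempt in: (?P<region>.*\S)")
TASK_RE = re.compile(
    r"PAX: terminating task: (?P<path>\S+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), "
    r"PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)"
)

def parse_pax_kills(lines):
    """Return one dict per PaX kill, pairing each 'terminating task' record
    with the 'execution attempt in' line that preceded it (None if absent)."""
    kills, region = [], None
    for line in lines:
        m = ATTEMPT_RE.search(line)
        if m:
            region = m.group("region")
            continue
        m = TASK_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("pid", "uid", "euid"):
                rec[key] = int(rec[key])
            rec["region"] = region
            kills.append(rec)
            region = None  # each attempt line belongs to one kill record
    return kills

def binaries_by_region(kills):
    """Map each faulting region to the sorted list of executables killed there."""
    grouped = defaultdict(set)
    for kill in kills:
        grouped[kill["region"]].add(kill["path"])
    return {region: sorted(paths) for region, paths in grouped.items()}

# First record is the one from the post; the second is constructed.
SAMPLE_LOG = """\
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):10867, uid/euid: 1000/1000, PC: 000070b18cbe4410, SP: 0000726bf6bf5fa8
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/
PAX: terminating task: /usr/bin/glxgears(glxgears):10901, uid/euid: 1000/1000, PC: 000070b18cbe4410, SP: 0000726bf6bf5fa8
"""

if __name__ == "__main__":
    for region, paths in binaries_by_region(parse_pax_kills(SAMPLE_LOG.splitlines())).items():
        print(region, "->", ", ".join(paths))
```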