Grsec & grub-probe (update-grub failing)

If you run a grsec-patched kernel with PaX enabled, update-grub fails, which is a little bit annoying:

8:45 root@sloane ~# update-grub
Searching for GRUB installation directory ... found: /boot/grub
zsh: exit 137   update-grub

Exit status 137 is 128 + 9, which conventionally means a process was killed with SIGKILL. After a closer look, the problem comes from grub-probe not having the right PaX flags.

Default flags:

8:47 root@sloane ~# chpax -v /usr/sbin/grub-probe

----[ chpax 0.7 : Current flags for /usr/sbin/grub-probe (PeMRxS) ]----

 * Paging based PAGE_EXEC       : enabled (overridden)
 * Trampolines                  : not emulated
 * mprotect()                   : restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : enabled

Both paging-based and segmentation-based PAGE_EXEC need to be disabled for this binary: chpax -ps /usr/sbin/grub-probe.

It should now work:

8:51 root@sloane ~# grub-probe --device-map=/boot/grub/device.map -t device /
/dev/md0
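
To keep track of binaries whose PAGE_EXEC has been relaxed this way, the header line printed by chpax -v can be decoded. This is an added example, not part of the original post; it assumes the convention visible in the output above (upper-case P and S mean enabled, so lower-case p and s mean disabled), and the second and third sample lines are constructed.

```shell
#!/bin/sh
# Added example: list binaries whose PaX PAGE_EXEC protection is switched off,
# based on the flag string in the "Current flags for <path> (<flags>)" header
# that `chpax -v` prints.
# Assumption (from the output shown above): P/S = paging/segmentation based
# PAGE_EXEC enabled, p/s = disabled.

# Reads chpax -v output on stdin, prints one line per binary with an exception.
page_exec_exceptions() {
    while IFS= read -r line; do
        case $line in
            *"Current flags for "*) ;;   # header line, decode it
            *) continue ;;               # per-feature detail lines are skipped
        esac
        rest=${line#*"Current flags for "}   # "<path> (<flags>) ]----"
        path=${rest%" ("*}                   # cut at the last " (" so paths with spaces survive
        flags=${rest##*" ("}
        flags=${flags%%")"*}                 # e.g. "PeMRxS"
        off=
        case $flags in *p*) off=paging ;; esac
        case $flags in *s*) off=${off:+$off+}segmentation ;; esac
        if [ -n "$off" ]; then
            printf '%s: PAGE_EXEC off (%s)\n' "$path" "$off"
        fi
    done
    return 0
}

# Sample input. Line 1 is the header from this page; lines 2 and 3 are
# constructed (flag strings assumed for a binary after `chpax -ps` and for a
# hypothetical binary with only segmentation based PAGE_EXEC disabled).
sample_headers() {
    cat <<'EOF'
----[ chpax 0.7 : Current flags for /usr/sbin/grub-probe (PeMRxS) ]----
----[ chpax 0.7 : Current flags for /usr/sbin/grub-probe.fixed (peMRxs) ]----
----[ chpax 0.7 : Current flags for /opt/example/bin/tool (PeMRxs) ]----
EOF
}

sample_headers | page_exec_exceptions
```

On a live system the function would be fed the real output, for example `chpax -v /usr/sbin/grub-probe | page_exec_exceptions`.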
  • Last modified: 2015/05/18 17:18
  • by Benjamin Collet