Hey guys,
I've been using Linux for a while, but I've never really messed with the kernel. I wanted to add the grsecurity patches to the kernel. There's a package on AUR that's out of date, and a wiki that is also out of date.
I want to recompile my kernel exactly how it is, except with grsecurity enabled. I haven't ventured a look at the kernel package in ABS, but I guess I'll do that soon. Any suggestions would be appreciated!
My 5 node 9 CPU cluster: www.amenrecluster.com
OS: Arch Linux
Machines: Fujitsu T4210 and IBM eServer xSeries 335
ABS is the way to go IMO. Grab the official PKGBUILD and other build files, edit as required to apply your patch, build, install.
There are a few kernel compilation threads in the forum - check them out for more details.
I added the following in my under config in the package build. This comes from the w
#
# Security options
#
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_CAPABILITIES=m
CONFIG_SECURITY_ROOTPLUG=m
and then rebuild the package. Is that all I need to do? Is there any way to test PaX?
Also, during build, it asks me a series of questions. What are the responses used to build the Arch kernel?
Last edited by wsduvall (2009-03-06 18:36:08)
I hope that you know that:
CONFIG_PAX_NOEXEC=y
will efficiently kill X?
Also, with PaX ASLR enabled, you may consider setting
CONFIG_GRKERNSEC_PROC_MEMMAP=y
This option, when enabled, will close a hole that makes the full ASLR useless in the case of suid binaries.
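An added example, not part of any post in this thread: a shell check for the two questions raised above, namely whether the options added to the config fragment survive into the .config the build produces (kconfig drops symbols the source tree does not define, for example when the patch was not applied), and whether PaX ASLR is on without CONFIG_GRKERNSEC_PROC_MEMMAP. The sample configs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compare the options requested in a
# config fragment with the .config the build actually produced.

# Constructed sample: a few of the options posted above.
WANTED='CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDMMAP=y'

# Constructed sample: a resulting .config in which one requested option
# was dropped and GRKERNSEC_PROC_MEMMAP was never set.
FINAL='CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_SECURITY=y'

# opt_state TEXT NAME: print the value (y, m, ...), "n" for an explicit
# "is not set" line, or "missing" when the symbol does not appear at all.
opt_state() {
    printf '%s\n' "$1" | awk -v o="$2" '
        index($0, o "=") == 1      { v = substr($0, length(o) + 2) }
        $0 == "# " o " is not set" { v = "n" }
        END { print (v == "" ? "missing" : v) }'
}

# dropped_options WANTED FINAL: print each option requested with a value
# that does not carry the same value in FINAL.
dropped_options() {
    printf '%s\n' "$1" | sed -n 's/^\(CONFIG_[A-Za-z0-9_]*\)=\(.*\)$/\1 \2/p' |
    while read -r name want; do
        got=$(opt_state "$2" "$name")
        [ "$got" = "$want" ] || echo "$name wanted=$want got=$got"
    done
}

# aslr_gap FINAL: succeed (exit 0) when PaX ASLR is on but the
# GRKERNSEC_PROC_MEMMAP option named in the reply above is not.
aslr_gap() {
    [ "$(opt_state "$1" CONFIG_PAX_ASLR)" = y ] &&
    [ "$(opt_state "$1" CONFIG_GRKERNSEC_PROC_MEMMAP)" != y ]
}

dropped_options "$WANTED" "$FINAL"
if aslr_gap "$FINAL"; then
    echo "CONFIG_PAX_ASLR=y without CONFIG_GRKERNSEC_PROC_MEMMAP=y"
fi
```

To use it on real files, pass their contents instead of the samples, for example `dropped_options "$(cat config)" "$(cat .config)"` from the build directory.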
Thanks for the response. I don't use X on my server though. However for my laptop I will keep that in mind.