
#1 2009-03-06 15:29:30

wsduvall
Member
From: Blacksburg
Registered: 2009-02-05
Posts: 54
Website

grsecurity patch

Hey guys,

I've been using Linux for a while, but I've never really messed with the kernel. I wanted to add the grsecurity patches to the kernel. There's a package on AUR that's out of date, and a wiki that is also out of date.

I want to recompile my kernel exactly how it is, except with the grsecurity enabled. I haven't ventured a look at the kernel package in ABS, but I guess I'll do that soon. Any suggestions would be appreciated!


My 5 node 9 CPU cluster: www.amenrecluster.com
OS: Arch Linux
Machines:Fujitsu T4210 and IBM eServer xSeries 335

Offline

#2 2009-03-06 16:23:53

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: grsecurity patch

ABS is the way to go IMO. Grab the official PKGBUILD and other build files, edit as required to apply your patch, build, install.

There are a few kernel compilation threads in the forum - check them out for more details.

Offline

#3 2009-03-06 18:27:05

wsduvall
Member
From: Blacksburg
Registered: 2009-02-05
Posts: 54
Website

Re: grsecurity patch

I added the following in my under config in the package build. This comes from the w

#
# Security options
#
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_CAPABILITIES=m
CONFIG_SECURITY_ROOTPLUG=m

and then rebuild the package. Is that all I need to do? Is there any way to test PaX?

Also, during build, it asks me a series of questions. What are the responses used to build the Arch kernel?

Last edited by wsduvall (2009-03-06 18:36:08)



Offline

#4 2009-03-06 20:51:38

broch
Banned
From: L.A. California
Registered: 2006-11-13
Posts: 975

Re: grsecurity patch

I hope that you know that:
CONFIG_PAX_NOEXEC=y

will efficiently kill X?

also with PAX ASLR enabled you may consider
setting
CONFIG_GRKERNSEC_PROC_MEMMAP=y

this option enabled will close a hole that makes the full ASLR useless in the case of suid binaries.

Offline
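Added example (not part of any post in this thread): a shell check of a kernel config against the points raised in posts #3 and #4, namely the PaX ASLR options and CONFIG_GRKERNSEC_PROC_MEMMAP alongside them. The function names and the sample config (a subset of the fragment in post #3) are constructed for illustration.

```shell
# Audit a kernel config for the PaX points raised in posts #3 and #4.

# enabled FILE OPTION: true if OPTION is built in (=y) or a module (=m).
# "# CONFIG_FOO is not set" lines never match, so they count as disabled.
enabled() {
    grep -Eq "^$2=[ym]\$" "$1"
}

# audit_pax FILE: print one finding per line; exit status 0 only if no WARN.
audit_pax() {
    cfg=$1 warn=0
    if ! enabled "$cfg" CONFIG_PAX; then
        echo "WARN CONFIG_PAX is off, so no other PaX option applies"
        return 1
    fi
    for opt in CONFIG_PAX_ASLR CONFIG_PAX_RANDKSTACK \
               CONFIG_PAX_RANDUSTACK CONFIG_PAX_RANDMMAP; do
        enabled "$cfg" "$opt" || { echo "WARN $opt is not enabled"; warn=1; }
    done
    # Post #4: with PaX ASLR on, also set CONFIG_GRKERNSEC_PROC_MEMMAP.
    if enabled "$cfg" CONFIG_PAX_ASLR &&
       ! enabled "$cfg" CONFIG_GRKERNSEC_PROC_MEMMAP; then
        echo "WARN CONFIG_PAX_ASLR set without CONFIG_GRKERNSEC_PROC_MEMMAP"
        warn=1
    fi
    # Post #4 reports that NOEXEC breaks X; not an issue on a headless server.
    if enabled "$cfg" CONFIG_PAX_NOEXEC; then
        echo "NOTE CONFIG_PAX_NOEXEC is on; check X before using on a desktop"
    fi
    return "$warn"
}

# write_sample FILE: constructed sample, a subset of the fragment in post #3.
write_sample() {
    cat > "$1" <<'EOF'
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_pax "$sample" || echo "config needs attention"
rm -f "$sample"
```

On a real build, run `audit_pax` against the config file that ships with the kernel PKGBUILD before starting the build.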

#5 2009-03-06 23:56:49

wsduvall
Member
From: Blacksburg
Registered: 2009-02-05
Posts: 54
Website

Re: grsecurity patch

Thanks for the response. I don't use X on my server, though. However, for my laptop I will keep that in mind.



Offline
