
Linux 2.6.13 is out

Posted: Sun Aug 28, 2005 10:58 pm
by bani

Posted: Mon Aug 29, 2005 9:36 am
by Hannibal
grsecurity-2.1.7-2.6.13-rc6-200508232047.patch

You can try this for the time being...

Posted: Mon Aug 29, 2005 1:12 pm
by Hal9000
niiiiice

Posted: Mon Aug 29, 2005 7:47 pm
by Blueroot
Oh yes, we love you mr "spender" :P
I hope grsec finds a way into the kernel tree and will be updated for a long time, because I can't live without it 8)

Posted: Mon Aug 29, 2005 11:09 pm
by tuxq
Blueroot wrote: Oh yes, we love you mr "spender" :P
I hope grsec finds a way into the kernel tree and will be updated for a long time, because I can't live without it 8)


I'll second that. Though the Linux kernel is free, I'd probably pay for GRSec patch if need be.

Posted: Tue Aug 30, 2005 12:13 pm
by Platyna
Any ETA for a stable release? Because I don't know if I should use that RC or wait, I am in a little hurry to upgrade, because 2.6.11 has issues with my SCSI controller. :evil:

Regards.

Posted: Thu Sep 01, 2005 9:45 am
by Sylvain
I also have outstanding issues related to IPSec with 2.6.11

I'm looking forward to seeing grsec patches for more recent kernel releases.

Although IMHO the 2.6.13 (odd) should not be considered that stable...

Thanks to the grsec team for their great job!

Posted: Sat Sep 03, 2005 3:36 am
by GCS

It fails on x86 with 2.6.13/gcc 4.0.1:
CC fs/binfmt_elf.o
fs/binfmt_elf.c: In function 'pax_parse_elf_flags':
fs/binfmt_elf.c:680: error: 'struct mm_struct' has no member named 'pax_flags'
make[1]: *** [fs/binfmt_elf.o] Error 1
make: *** [fs] Error 2

Posted: Tue Sep 06, 2005 8:12 pm
by spender
Don't enable the PaX control options unless you enable other PaX options (like randomization or PAGEEXEC/SEGMEXEC). That should fix the problem.

-Brad

Posted: Wed Sep 07, 2005 5:12 am
by Fab
Hey spender.

When will the "final" be available?

Posted: Wed Sep 07, 2005 8:37 am
by tuxq
2.1.7 Tests for 2.6.13 and 2.4.31 have been released :)

http://www.grsecurity.net/~spender/grse ... 2221.patch

http://www.grsecurity.net/~spender/grse ... 2019.patch

Update: 2.6.13 patched flawlessly, compiled and running. No problems as of yet!...not that I really expect any.

Posted: Wed Sep 07, 2005 10:08 am
by onyx
Hi!

I get the following error:

Code:
  AR      arch/i386/lib/lib.a
  GEN     .version
  CHK     include/linux/compile.h
  UPD     include/linux/compile.h
  CC      init/version.o
  LD      init/built-in.o
  LD      vmlinux
arch/i386/mm/built-in.o(.text+0xeb4): In function `do_page_fault':
: undefined reference to `pax_handle_fetch_fault'
make: *** [vmlinux] Error 1


I have the following in my .config regarding pax and grsecurity:

Code:
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
# CONFIG_GRKERNSEC_KMEM is not set
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
# CONFIG_GRKERNSEC_SHM is not set
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=418
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=417
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=416
# CONFIG_GRKERNSEC_SYSCTL is not set
CONFIG_GRKERNSEC_FLOODTIME=8
CONFIG_GRKERNSEC_FLOODBURST=12
# PaX
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y


Thanks for the help in advance, and sorry for the long post.

Posted: Wed Sep 07, 2005 4:28 pm
by PaX Team
onyx wrote: I get the following error:

Code:
  AR      arch/i386/lib/lib.a
  GEN     .version
  CHK     include/linux/compile.h
  UPD     include/linux/compile.h
  CC      init/version.o
  LD      init/built-in.o
  LD      vmlinux
arch/i386/mm/built-in.o(.text+0xeb4): In function `do_page_fault':
: undefined reference to `pax_handle_fetch_fault'
make: *** [vmlinux] Error 1

thanks, i fixed it in PaX (hopefully ;-), you can either apply the interdiff or wait for spender to update grsec.

Code:
--- linux-2.6.13-pax/arch/i386/mm/fault.c       2005-08-30 23:30:12.000000000 +0100
+++ linux-2.6.13-pax/arch/i386/mm/fault.c       2005-09-07 18:54:41.000000000 +0100
@@ -204,7 +204,7 @@

 fastcall void do_invalid_op(struct pt_regs *, unsigned long);

-#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_EMUTRAMP)
+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
 static int pax_handle_fetch_fault(struct pt_regs *regs);
 #endif

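Review bot: The new guard on the `pax_handle_fetch_fault` prototype drops `CONFIG_PAX_EMUTRAMP` at the same time as it adds `CONFIG_PAX_SEGMEXEC`. If EMUTRAMP can be selected without PAGEEXEC or SEGMEXEC, any caller guarded on EMUTRAMP would hit the same undefined reference this patch is meant to fix; either keep it in the condition (`PAGEEXEC || SEGMEXEC || EMUTRAMP`) or state in the changelog that EMUTRAMP cannot be enabled without one of the other two.
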
@@ -717,7 +717,7 @@
        }
 }

-#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_EMUTRAMP)
+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
 /*
  * PaX: decide what to do with offenders (regs->eip = fault address)
  *
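
Review bot: The guard on the definition is a hand-copied duplicate of the prototype guard near line 207, and the call in `do_page_fault` that produced the link error is not touched by this diff, so its condition is a third place that has to agree with these two. Consider defining one helper symbol for "fetch-fault handling is needed" and using it at the prototype, the definition and the call site, so the conditions cannot drift apart again.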

Posted: Wed Sep 07, 2005 4:40 pm
by forsaken
Hello,

I'm getting this when I try to compile 2.6.13 with grsecurity-2.1.7-2.6.13-200509062221.patch:

arch/i386/kernel/vmlinux.lds:951: undefined symbol `PMD_SHIFT' referenced in expression

Posted: Wed Sep 07, 2005 9:32 pm
by PaX Team
forsaken wrote: arch/i386/kernel/vmlinux.lds:951: undefined symbol `PMD_SHIFT' referenced in expression

let me guess, you have KERNEXEC enabled but PAE disabled, right? i'll fix it up tomorrow.
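
The three build failures reported on this page each come down to a combination of `.config` options. The script below is an added example, not code from any poster or from the grsecurity/PaX projects; it checks a `.config` for those combinations before a build. The function names, the finding labels and the spellings `CONFIG_PAX_KERNEXEC` and `CONFIG_X86_PAE` are assumptions (the thread only says "KERNEXEC" and "PAE"), and the sample config is constructed from the PaX lines in onyx's post.

```shell
#!/bin/sh
# Added example (not from the thread): flag the .config combinations that
# posters here hit with the grsecurity 2.1.7 test patch on 2.6.13.

# on FILE SYMBOL: true when SYMBOL is built in (=y) in FILE.
on() { grep -q "^$2=y\$" "$1"; }

# check_pax_config FILE: print one finding per line; print nothing if clean.
check_pax_config() {
    cfg=$1
    # spender: PaX control options need another PaX feature enabled,
    # otherwise mm_struct has no pax_flags member (binfmt_elf.c error).
    if { on "$cfg" CONFIG_PAX_EI_PAX || on "$cfg" CONFIG_PAX_PT_PAX_FLAGS; } &&
       ! on "$cfg" CONFIG_PAX_PAGEEXEC &&
       ! on "$cfg" CONFIG_PAX_SEGMEXEC &&
       ! on "$cfg" CONFIG_PAX_ASLR; then
        echo "CONTROL_ONLY: PaX control flags set but no PAGEEXEC/SEGMEXEC/ASLR"
    fi
    # onyx: SEGMEXEC without PAGEEXEC or EMUTRAMP leaves
    # pax_handle_fetch_fault undefined until the interdiff is applied.
    if on "$cfg" CONFIG_PAX_SEGMEXEC &&
       ! on "$cfg" CONFIG_PAX_PAGEEXEC &&
       ! on "$cfg" CONFIG_PAX_EMUTRAMP; then
        echo "SEGMEXEC_ONLY: needs the fault.c interdiff (or an updated patch)"
    fi
    # PaX Team's guess for the PMD_SHIFT linker-script error.
    # The CONFIG_PAX_KERNEXEC / CONFIG_X86_PAE spellings are assumed here.
    if on "$cfg" CONFIG_PAX_KERNEXEC && ! on "$cfg" CONFIG_X86_PAE; then
        echo "KERNEXEC_NO_PAE: KERNEXEC enabled with PAE disabled"
    fi
    return 0
}

# Constructed sample: the PaX lines relevant to onyx's report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_PAX=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_ASLR=y
EOF
check_pax_config "$sample"
rm -f "$sample"
```

An empty result only means none of these three combinations is present; it says nothing about other options.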