grsecurity forums

Hi, when come a Patch for the stable 2.6.20 kernel?

Thanks

A-N wrote:Hi, when come a Patch for the stable 2.6.20 kernel?

Thanks

hi,

i think it will be released for the first bugfix release, 2.6.20.1

Strange

2.6.20 support Core2Duo Processors

A-N wrote:Strange

2.6.20 support Core2Duo Processors

i think 2.6.20.1 will be released pretty soon

for grsec, i donno, but till then you might use the kernel without it

A-N wrote:Hi, when come a Patch for the stable 2.6.20 kernel?

it's out, let me know how it works, especially under non-i386 archs and also paravirtualization (i tried to support it but i don't actually have a real hypervisor to test under, at least the native ops work).

PaX Team wrote:

A-N wrote:Hi, when come a Patch for the stable 2.6.20 kernel?

it's out,

Where?

Sorry for noob question, but what are PaX Patch and grsecurity Patch now? What is different?!

viktor wrote:i think it will be released for the first bugfix release, 2.6.20.1

2.6.20.1 is now out. I'm holding my breath for the grsecurity patch!

A-N wrote:Sorry for noob question, but what are PaX Patch and grsecurity Patch now? What is different?!

grsecurity patch usually already includes pax patch and grsecurity itself. PaX patch has not much sense for me at last.

A-N wrote:Sorry for noob question, but what are PaX Patch

check out http://pax.grsecurity.net/ and especially the docs

and grsecurity Patch now? What is different?!

PaX is a building block for a HIPS such as grsecurity, it's included in grsec for your convenience and also easier integration (such as PaX flags control).

dweekly wrote:

viktor wrote:i think it will be released for the first bugfix release, 2.6.20.1

2.6.20.1 is now out. I'm holding my breath for the grsecurity patch!

Breath continuing to be held. Who can I bribe to get this out the door now that it looks like the PaX 2.6.20.1 patch is shipping?

-D

dweekly wrote:

dweekly wrote:

viktor wrote:i think it will be released for the first bugfix release, 2.6.20.1

2.6.20.1 is now out. I'm holding my breath for the grsecurity patch!

Breath continuing to be held. Who can I bribe to get this out the door now that it looks like the PaX 2.6.20.1 patch is shipping?

-D

man i suppose you really love grsec

How does the test-patch work? Are there any problems or issues know about it or does it work smoothly?

Not tested yet but tried to build the 2.6.10.1 with the pax-linux-2.6.20.1-test5.patch on i686 and x86_64 archs with config options:

Code: Select all

$ grep PAX .config
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
CONFIG_PAX_HOOK_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_UDEREF is not set

Note that I havn't got the CONFIG_PAX_KERNEXEC set for i686. The result x86_64 arch builded fine (with sightly modified config btw). On the i686 it fails with

Code: Select all

  GEN     .version
  CHK     include/linux/compile.h
  UPD     include/linux/compile.h
  CC      init/main.o
  CC      init/version.o
  LD      init/built-in.o
  LD      .tmp_vmlinux1
arch/i386/mm/built-in.o: In function `free_initmem':
(.text+0x241): undefined reference to `__init_end'
arch/i386/mm/built-in.o: In function `mem_init':
(.init.text+0x6b0): undefined reference to `__init_end'
arch/i386/mm/built-in.o: In function `mem_init':
(.init.text+0x740): undefined reference to `__init_end'
make: *** [.tmp_vmlinux1] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.92244 (%build)

I suspect that the problem could be related to changes to arch/i386/kernel/vmlinux.lds.S file in which the patch unconditionally removes __init_end = .; from .bss section and adds __init_end = . + __KERNEL_TEXT_OFFSET; to the .text.align section but only when we have CONFIG_PAX_KERNEXEC set.