grsecurity forums

When I compile kernel 2.6.24.2 with grsecurity with flag CONFIG_COMPAT_VDSO=y (kernel is compiled ok) after enable RBAC, set policy for paxtest programs in gradm policy file or by use paxctl - paxtest show that system is vulnerable for attacks.
When I disable CONFIG_COMPAT_VDSO kernel is compiled and when make start compile modules, I have got error:

Code: Select all

Setup is 11012 bytes (padded to 11264 bytes).
System is 1557 kB
Kernel: arch/x86/boot/bzImage is ready  (#1)
  Building modules, stage 2.
  MODPOST 1933 modules
ERROR: "KERNEL_TEXT_OFFSET" [arch/x86/oprofile/oprofile.ko] undefined!
make[1]: *** [__modpost] Error 1
make: *** [modules] Error 2


My config is:
http://bstec.fm.interia.pl/config.htm

bsxx wrote:When I compile kernel 2.6.24.2 with grsecurity with flag CONFIG_COMPAT_VDSO=y (kernel is compiled ok) after enable RBAC, set policy for paxtest programs in gradm policy file or by use paxctl - paxtest show that system is vulnerable for attacks.

that's normal, COMPAT_VDSO isn't compatible with the non-exec methods of PaX. fortunately you're unlikely to need this option these days.

When I disable CONFIG_COMPAT_VDSO kernel is compiled and when make start compile modules, I have got error:

try a new patch, it's been fixed already.

Thank you for new Patch. It allow to kernel compile, but when system start I have got error:
VSF cannot open root device or unknown block(0,0).
I have SATA disc on P4p8X motheboard.
I tried both bios settings for ide "Compatible" or "enhanced" . Error is shown in both cases.
When I jused old patch with CONFIG_COMPAt_VDSO kernel loaded root partition.
Another kernel without grsecurity loads root partition, because a use multi config.
Thanks for help
bs

When I disable CONFIG_PAX_KERNELEXEC it is work fine.
Thanks

bsxx wrote:When I disable CONFIG_PAX_KERNELEXEC it is work fine.
Thanks

well, that's only half good news because then it means that something goes wrong under KERNEXEC whereas nothing really should. can you email me a dmesg of a successful boot? and if you can capture a bootlog via serial or netconsole, i'd need the log of a failing boot as well.

I have only one computer. I cannot conect by RS or net to my computer. If I can help, I can send that nothing is saved to system log.
Sorry
How I can send to console more debug informations? I can check it.

bsxx wrote:I have only one computer. I cannot conect by RS or net to my computer. If I can help, I can send that nothing is saved to system log.

when your system boots, dmesg is normally saved into /var/log/messages or /var/log/kern.log or something similar, that'd be one piece of the puzzle i'd need.

How I can send to console more debug informations? I can check it.

what you can do is use the framebuffer console (say, vesafb) and also pass fbcon=scrollback:1024k or something big enough on the kernel command line, then you can scroll back with shift-pageup once the kernel boot stops/fails and maybe take a few screenshots for me (the goal of the whole exercise is to find the difference in the boot messages, that'd probably help me find out what works differently with KERNEXEC enabled).

I tried start kernel with additional debug info, but I have only this informations

Code: Select all

md: Autodetecting RAID Arrays.
md:Scanned 0 and added 0 devices.
md:autorun ...
md:... autorun DONE.
VFS: Cannot open root device "807" or unknown block(8,7)
Please append a correct "root=" boot option; here are the available partitions:
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,7)


Nothing is saved into /var/log files. dmesg has info from old good boot messages too, kern.log is not created.
When I start computer from ata drive everthing goes OK. I can connect partitions from SATA disc.