grsecurity forums

Skip to content

pax fails to compile vanilla kernel

Discuss and suggest new grsecurity features
Topic locked

pax fails to compile vanilla kernel

Postby cormander » Tue Apr 08, 2008 2:13 am

Hey guys,

Compiling the kernel with just the PaX patch: pax-linux-2.6.24.4-test38.patch

Code: Select all
...snip...
  CC      net/sysctl_net.o
  CC      net/sunrpc/auth_gss/gss_krb5_mech.o
  CC      net/sunrpc/auth_gss/gss_krb5_seal.o
  CC      net/sunrpc/auth_gss/gss_krb5_unseal.o
  CC      net/sunrpc/auth_gss/gss_krb5_seqnum.o
  LD      net/sunrpc/xprtrdma/built-in.o
  CC      net/sunrpc/auth_gss/gss_krb5_wrap.o
  LD      net/sunrpc/sunrpc.o
  LD      net/sunrpc/auth_gss/auth_rpcgss.o
  LD      net/sunrpc/auth_gss/rpcsec_gss_krb5.o
  LD      net/sunrpc/auth_gss/built-in.o
  LD      net/sunrpc/built-in.o
  LD      net/built-in.o
  GEN     .version
  CHK     include/linux/compile.h
  UPD     include/linux/compile.h
  CC      init/version.o
  LD      init/built-in.o
  LD      .tmp_vmlinux1
fs/built-in.o: In function `load_elf_binary':
/usr/src/redhat/BUILD/kernel-pax-2.6.24.4/linux-2.6.24.4/fs/binfmt_elf.c:1028: undefined reference to `pax_set_initial_flags'
make: *** [.tmp_vmlinux1] Error 1


PaX related .config options:

Code: Select all
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y


I built the kernel with grsecurity-2.1.11-2.6.24.4-200804072155.patch (which I'm assuming uses this version of PaX?) and it compiled just fine....

Is this because of this section?

Code: Select all
+       prompt 'MAC system integration'
+       default PAX_NO_ACL_FLAGS
+       help
+         Mandatory Access Control systems have the option of controlling
+         PaX flags on a per executable basis, choose the method supported
+         by your particular system.
+
+         - "none": if your MAC system does not interact with PaX,
+         - "direct": if your MAC system defines pax_set_initial_flags() itself,
+         - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
+
+         NOTE: this option is for developers/integrators only.
+


I'm assuming that with just PaX, anything other then "none" fails... but that's just an assumption.

Any ideas?
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
Top

Re: pax fails to compile vanilla kernel

Postby PaX Team » Tue Apr 08, 2008 9:16 am

cormander wrote:I built the kernel with grsecurity-2.1.11-2.6.24.4-200804072155.patch (which I'm assuming uses this version of PaX?) and it compiled just fine....
you can't take a grsec .config blindly and use it under PaX directly, the ACL hook option must be (re)set properly - just search the forum, this came up a few times already.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Re: pax fails to compile vanilla kernel

Postby cormander » Tue Apr 08, 2008 12:19 pm

Sorry about that, thanks for the clarification.

I added a line in my spec file to reset that option on a paxonly build, it finished just fine. Now I have three different kernel RPMs... kernel-grsec, kernel-pax, and kernel-grsec-nopax
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
Top
Topic locked

Return to grsecurity development

Powered by phpBB® Forum Software © phpBB Group