grsecurity forums


https://forums.grsecurity.net./

pax fails to compile vanilla kernel

https://forums.grsecurity.net./viewtopic.php?f=1&t=1943

Page 1 of 1

pax fails to compile vanilla kernel

PostPosted: Tue Apr 08, 2008 2:13 am
by cormander
Hey guys,

Compiling the kernel with just the PaX patch: pax-linux-2.6.24.4-test38.patch

Code: Select all
...snip...
  CC      net/sysctl_net.o
  CC      net/sunrpc/auth_gss/gss_krb5_mech.o
  CC      net/sunrpc/auth_gss/gss_krb5_seal.o
  CC      net/sunrpc/auth_gss/gss_krb5_unseal.o
  CC      net/sunrpc/auth_gss/gss_krb5_seqnum.o
  LD      net/sunrpc/xprtrdma/built-in.o
  CC      net/sunrpc/auth_gss/gss_krb5_wrap.o
  LD      net/sunrpc/sunrpc.o
  LD      net/sunrpc/auth_gss/auth_rpcgss.o
  LD      net/sunrpc/auth_gss/rpcsec_gss_krb5.o
  LD      net/sunrpc/auth_gss/built-in.o
  LD      net/sunrpc/built-in.o
  LD      net/built-in.o
  GEN     .version
  CHK     include/linux/compile.h
  UPD     include/linux/compile.h
  CC      init/version.o
  LD      init/built-in.o
  LD      .tmp_vmlinux1
fs/built-in.o: In function `load_elf_binary':
/usr/src/redhat/BUILD/kernel-pax-2.6.24.4/linux-2.6.24.4/fs/binfmt_elf.c:1028: undefined reference to `pax_set_initial_flags'
make: *** [.tmp_vmlinux1] Error 1


PaX related .config options:

Code: Select all
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y


I built the kernel with grsecurity-2.1.11-2.6.24.4-200804072155.patch (which I'm assuming uses this version of PaX?) and it compiled just fine....

Is this because of this section?

Code: Select all
+       prompt 'MAC system integration'
+       default PAX_NO_ACL_FLAGS
+       help
+         Mandatory Access Control systems have the option of controlling
+         PaX flags on a per executable basis, choose the method supported
+         by your particular system.
+
+         - "none": if your MAC system does not interact with PaX,
+         - "direct": if your MAC system defines pax_set_initial_flags() itself,
+         - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
+
+         NOTE: this option is for developers/integrators only.
+


I'm assuming that with just PaX, anything other then "none" fails... but that's just an assumption.

Any ideas?

Re: pax fails to compile vanilla kernel

PostPosted: Tue Apr 08, 2008 9:16 am
by PaX Team
cormander wrote:I built the kernel with grsecurity-2.1.11-2.6.24.4-200804072155.patch (which I'm assuming uses this version of PaX?) and it compiled just fine....
you can't take a grsec .config blindly and use it under PaX directly, the ACL hook option must be (re)set properly - just search the forum, this came up a few times already.

Re: pax fails to compile vanilla kernel

PostPosted: Tue Apr 08, 2008 12:19 pm
by cormander
Sorry about that, thanks for the clarification.

I added a line in my spec file to reset that option on a paxonly build, it finished just fine. Now I have three different kernel RPMs... kernel-grsec, kernel-pax, and kernel-grsec-nopax
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/