
[DEBIAN] problem patching kernel 2.4.27-10

Posted: Wed Jun 15, 2005 5:30 am
by texilee
hi all.. I get this error when I try to patch kernel src
<<<<<<<<<<
START applying grsecurity2 patch (Greater Security for Linux 2.4 and 2.6)
Testing whether "Greater Security for Linux 2.4 and 2.6" patch for 2.4.27 applies (dry run):
3 out of 12 hunks FAILED -- saving rejects to file fs/binfmt_elf.c.rej
1 out of 17 hunks FAILED -- saving rejects to file fs/exec.c.rej
1 out of 7 hunks FAILED -- saving rejects to file include/linux/mm.h.rej
"Greater Security for Linux 2.4 and 2.6" patch for 2.4.27 does not apply cleanly
>>>>>>>>>>


I cannot find .rej files.. so I cannot understand what is the problem. any idea??
thx

Posted: Wed Jun 15, 2005 5:46 am
by Zhenech
Where do you have the patch from?
Using the original grsec patch with Debian kernels isn't a good idea since Debian has a lot of patches in their kernels.

I have a Debian server with a grsec enabled kernel running, but I'm using a vanilla kernel plus the latest grsec patch from this page ;-) (I've updated to 2.4.31-grsec today)

Zhe

Posted: Wed Jun 15, 2005 8:08 am
by texilee
the patch is from debian...

kernel-patch-grsecurity2


but now i read


<<<<<<<<<<<
Furthermore, 2.4.2x versions of this patch will not apply to Debian kernels
2.4.20 and above. You will have to use vanilla kernel sources to apply this
patch. Reasons are documented in README.2.4.2x contained within the
package.
>>>>>>>>>>


sure, now I must use a vanilla kernel... but I cannot find any README.2.4.x.

Is using vanilla 2.4.31 + the grsec patch secure enough in production?

Posted: Wed Jun 15, 2005 4:26 pm
by Zhenech
afaik yes

my servers run without problems
some kiddies tried to ddos me - no chance =)

try it out, I don't think you'll find any differences

greets, zhe

Posted: Thu Jun 16, 2005 5:15 am
by texilee
ok.. I got kernel 2.4.31 from kernel.org and the latest grsecurity patch.

I have built 2 kernels.. one has security level LOW and the other one has HIGH level

finally paxtest gives me some info about grsec: with "low level" my system is easily vulnerable. With high level paxtest returns

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 23 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed

[OT] Is there a way to export a .deb kernel with the grsec patch?

thx for previous reply :)
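
Added example, not part of the original posts: a small Python parser for paxtest output in the format of the listing above, which separates the tests the kernel blocked from the ones that still need review. The function names, the `min_bits` threshold and the sample lines are assumptions made for this illustration.

```python
import re

# Constructed sample in the same "name : result" format as the listing above.
SAMPLE = """\
Executable stack                         : Killed
Executable shared library data (mprotect): Killed
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Return to function (strcpy)              : Vulnerable
Writable text segments                   : Killed
"""

BITS = re.compile(r"^(\d+) bits")

def parse_paxtest(text):
    """Parse 'name : result' lines into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        name, sep, result = line.rpartition(":")
        name, result = name.strip(), result.strip()
        if not sep or not name:
            continue  # blank line or no separator
        m = BITS.match(result)
        if m:
            status, bits = "randomised", int(m.group(1))
        elif result == "Killed":
            status, bits = "blocked", None
        elif result == "Vulnerable":
            status, bits = "vulnerable", None
        elif result == "No randomisation":
            status, bits = "not-randomised", 0
        else:
            continue  # banner text or an unknown result string
        rows.append({"test": name, "status": status, "bits": bits})
    return rows

def needs_attention(rows, min_bits=16):
    """Names of tests that were not blocked or have entropy below min_bits.
    min_bits is an illustrative threshold, not a paxtest or grsecurity value."""
    out = []
    for r in rows:
        weak = r["status"] == "randomised" and r["bits"] < min_bits
        if weak or r["status"] in ("vulnerable", "not-randomised"):
            out.append(r["test"])
    return out

if __name__ == "__main__":
    for name in needs_attention(parse_paxtest(SAMPLE)):
        print("review:", name)
```

Saving the output of each kernel build to a file and running both through the parser makes the difference between two configurations easy to compare.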

Posted: Thu Jun 16, 2005 7:52 am
by texilee
ok solved :) the previous problem with make-kpkg ...

now.. the default flags config for each binary is (PeMRxS) ... why isn't it (PEMRXS)?

Is there a way to have all flags active?