aTan wrote:[...]Will it work (grsec+VServer) in one kernel? [...]
My general experience is that Yes it will work, but not without some effort - you do have to apply parts of the patch by hand.
http://www.linux-vserver.org has links to several sites that provide patches already merged, but last I checked none of them are up-to-date. The two patches sometimes modify the same function, thus the need to hand-apply some patches. Most of the patch rejects are fairly trivial to resolve (lots of rejects surrounding #includes at the top, etc.), but a few require you to be somewhat familiar with the kernel.
Of course there is always some degree of risk of subtle or not-so-subtle interactions between the patches. Do familiarize yourself with the areas of the system that are modified esp. by the linux-vserver patch.
The process I follow to merge these:
1. plan on having five copies of the kernel tree.
2. extract one copy of the kernel tree, and plan on not touching it.
3. apply grsec
first, to a second copy of the tree.
4. in a third copy of the tree, apply linux-vserver.
5. do a diff with much more context (I use 16 lines) between the pristine copy and the linux-vserver copy.
6. make a copy of the grsec tree, call it grsec+vserver or whatnot.
7. apply the diff from step 5 to the tree from step 6.
8. there will be dozens of .rej's. Carefully hand-apply each one.
9. make a copy of the tree from step 8
10. do your configs and builds in the tree from step 9.
Be particularly careful where function arguments have been changed, the changes are directly adjacent, or control flow and error handling have been changed by one or both patches. You will have to occasionally tweak #include's in some files.
Note that grsec has some functionality overlap with linux-vserver now, with regard to hiding processes in chroot's from each other. Also note that double-chroot is handled differently by the two patches.
Posted: Sat Dec 24, 2005 6:50 am