
Binary compatibility

Posted: Sun Jun 15, 2008 3:29 pm
by evilangel
Hi all,

A very n00b question: when getting a grsecurity patched kernel, are the distro precompiled binaries (Debian in this case) able to run on my kernel?
Or do I have to grab the source and recompile every package in order to be compatible with the patched kernel?

Thanks

Re: Binary compatibility

Posted: Sun Jun 15, 2008 6:16 pm
by cormander
evilangel wrote:
> are the distro precompiled binaries (Debian in this case) able to run on my kernel ?


Yes.

The only time you might have to recompile something is if you were using a Debian system with an old 2.4.x kernel and wanted to use a 2.6.x grsecurity kernel, or vice-versa.

Re: Binary compatibility

Posted: Mon Jun 16, 2008 3:41 am
by evilangel
OK

Thanks

Re: Binary compatibility

Posted: Mon Jun 16, 2008 1:56 pm
by evilangel
Just to be sure:
On a blank HDD, I can install my system as usual, and when it is over, I can substitute the distro kernel package with mine and reboot?
Thanks

Re: Binary compatibility

Posted: Mon Jun 16, 2008 2:29 pm
by cormander
Yep.

Re: Binary compatibility

Posted: Mon Jun 16, 2008 2:45 pm
by evilangel
OK
Thanks a lot :D

Re: Binary compatibility

Posted: Wed Jun 18, 2008 6:56 am
by PaX Team
evilangel wrote:
> A very n00b question: when getting a grsecurity patched kernel, are the distro precompiled binaries (Debian in this case) able to run on my kernel ?

depending on which PaX features you enable, you can run into troubles with text relocations in libraries and GNU_STACK markings. check the forum, it was discussed a few times.

> Or do i have to grab the source and recompile every package in order to be compatible with the patched kernel ?

recompiling won't help text relocations but it may help the lack of GNU_STACK markings, depends on the toolchain.

Re: Binary compatibility

Posted: Wed Jul 23, 2008 5:07 am
by evilangel
So GCC hardening (PIE, StackGuard, read-only of parts of ELF...) comes in addition to the kernel patch?
I read that you need to compile with the GCC PIE flag to fully enable ASLR.

Thanks

Re: Binary compatibility

Posted: Wed Jul 23, 2008 8:30 am
by PaX Team
evilangel wrote:
> So GCC hardening (PIE, StackGuard, read-only of parts of ELF...) comes in addition to the kernel patch ?

yes, except for PIE, they're all independent changes in userland.

> I read that you need to compile with GCC PIE flag to fully enable ASLR.

ASLR is always enabled once you configure it in the kernel, however the main executable randomization feature doesn't actually kick in until your userland binaries are recompiled/linked as a PIE (ET_DYN ELF files).
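
Added example, not part of the original thread and not PaX or grsecurity code: a Python reader for the three ELF properties the PaX Team replies mention (text relocations, the PT_GNU_STACK marking, and ET_EXEC versus ET_DYN), which is how a distro binary can be audited before moving to a PaX kernel. The sample images are constructed inline, and `inspect_elf`, `make_sample`, `LEGACY` and `HARDENED` are names chosen for this illustration.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 4
ET_NAMES = {2: "ET_EXEC", 3: "ET_DYN"}  # a PIE main executable is ET_DYN

def inspect_elf(data):
    """Return e_type, PT_GNU_STACK state and text-relocation flag of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    stack, textrel = "missing", False
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_flags, p_offset, p_filesz = struct.unpack_from(end + "IIQ16xQ", data, off)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags
            p_type, p_offset, p_filesz, p_flags = struct.unpack_from(end + "II8xI4xI", data, off)
        if p_type == PT_GNU_STACK:
            stack = "executable" if p_flags & PF_X else "non-executable"
        elif p_type == PT_DYNAMIC:
            fmt = struct.Struct(end + ("qQ" if is64 else "iI"))
            for pos in range(p_offset, p_offset + p_filesz - fmt.size + 1, fmt.size):
                tag, val = fmt.unpack_from(data, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True
    return {"type": ET_NAMES.get(e_type, hex(e_type)), "gnu_stack": stack, "textrel": textrel}

def make_sample(e_type, phdrs, dyn=()):
    """Constructed minimal ELF64 little-endian image (headers only) for the demo."""
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    dyn_off = 64 + 56 * len(phdrs)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off, 0, 0, len(dyn_bytes), 0, 0)
                    for t, f in phdrs)
    return ehdr + body + dyn_bytes

LEGACY = make_sample(2, [(PT_DYNAMIC, 6)], [(DT_TEXTREL, 0), (DT_NULL, 0)])
HARDENED = make_sample(3, [(PT_DYNAMIC, 6), (PT_GNU_STACK, 6)], [(DT_FLAGS, 8), (DT_NULL, 0)])

if __name__ == "__main__":
    print(inspect_elf(LEGACY), inspect_elf(HARDENED), sep="\n")
```

To check a real file, pass its contents: `inspect_elf(open(path, "rb").read())`.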

Re: Binary compatibility

Posted: Wed Jul 23, 2008 9:41 am
by evilangel
OK.

Thanks !