Debian lenny xen + grsecurity

Posted: Tue Dec 14, 2010 9:22 am
by sebagred
Hello

We have a problem building a kernel for Debian lenny with Xen and grsecurity.
We use kernel version 2.6.32.5 and the patch grsecurity-2.2.1-2.6.32.27-201012121726.patch, but we have problems when we try to compile it.
Does anyone know how to build a kernel the Debian way with Xen and grsecurity?

Best regards
Sebastian Stach

Re: Debian lenny xen + grsecurity

Posted: Wed Dec 15, 2010 5:07 am
by specs
You should choose whether you want a kernel with grsecurity or a kernel with debian-patches and grsecurity.

For a kernel with grsecurity download the latest vanilla kernel available from http://www.kernel.org with the corresponding patch for grsecurity. Patch it, configure it, make it, install it, test it.
This would be the first step to get grsecurity running on any system. The latest patch is always supported in this forum (currently 2.6.32.27).

If you want the debian patches as well you could look at cormander's repository.
I started tracking grsecurity patches in git since 2.6.32.8, you can see the various patches as commits by searching my name as author. Here is a link to the gitweb search for it:

http://git.cormander.com/?p=linux-2.6.s ... +Henderson

Every new patch gets pulled down into this repo. If you want you can clone it like so:

git clone git://git.cormander.com/linux-2.6.stable-grsec.git

Then issue the "git diff" command between the linux version tag and the sha1sum of whichever patch you wanted, and it'll give you the full diff for it.

Of course this would mean you'd have to apply the grsecurity patches to the debian-kernel yourself or you would have to apply the debian-patches to the grsec-patched kernel.

Original thread where he posted the above:
viewtopic.php?f=3&t=2272&p=9754&hilit=debian#p9754

Re: Debian lenny xen + grsecurity

Posted: Wed Dec 15, 2010 6:53 am
by sebagred
Hello

We can build a kernel with grsec, but we have problems when we want to build a kernel with the xen and grsecurity patches:

linux-2.6-xen is 2.6.32

$ git clone git://git.kernel.org/pub/scm/linux/kern ... my/xen.git linux-2.6-xen
$ cd linux-2.6-xen
$ git reset --hard
$ make clean
$ git pull

GRSECURITY

$ patch -p1 < grsecurity-2.2.1-2.6.32.27-201012130740.patch

$ make menuconfig
$ ON grsecurity
$ make
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf -s arch/x86/Kconfig
CHK include/linux/version.h
UPD include/linux/version.h
CHK include/linux/utsrelease.h
UPD include/linux/utsrelease.h
SYMLINK include/asm -> include/asm-x86
CC kernel/bounds.s
GEN include/linux/bounds.h
CC arch/x86/kernel/asm-offsets.s
In file included from /usr/src/linux-2.6-xen/arch/x86/include/asm/pgtable.h:327,
from /usr/src/linux-2.6-xen/arch/x86/include/asm/uaccess_64.h:12,
from /usr/src/linux-2.6-xen/arch/x86/include/asm/uaccess.h:640,
from include/linux/uaccess.h:5,
from include/linux/crypto.h:26,
from arch/x86/kernel/asm-offsets_64.c:8,
from arch/x86/kernel/asm-offsets.c:4:
/usr/src/linux-2.6-xen/arch/x86/include/asm/pgtable_64.h: In function 'native_set_pmd':
/usr/src/linux-2.6-xen/arch/x86/include/asm/pgtable_64.h:80: error: implicit declaration of function 'pax_open_kernel'
/usr/src/linux-2.6-xen/arch/x86/include/asm/pgtable_64.h:82: error: implicit declaration of function 'pax_close_kernel'
In file included from /usr/src/linux-2.6-xen/arch/x86/include/asm/pgtable.h:680,
from /usr/src/linux-2.6-xen/arch/x86/include/asm/uaccess_64.h:12,
from /usr/src/linux-2.6-xen/arch/x86/include/asm/uaccess.h:640,
from include/linux/uaccess.h:5,
from include/linux/crypto.h:26,
from arch/x86/kernel/asm-offsets_64.c:8,
from arch/x86/kernel/asm-offsets.c:4:
include/asm-generic/pgtable.h: At top level:
include/asm-generic/pgtable.h:348: error: conflicting types for 'pax_open_kernel'
/usr/src/linux-2.6-xen/arch/x86/include/asm/pgtable_64.h:80: note: previous implicit declaration of 'pax_open_kernel' was here
include/asm-generic/pgtable.h:352: error: conflicting types for 'pax_close_kernel'
/usr/src/linux-2.6-xen/arch/x86/include/asm/pgtable_64.h:82: note: previous implicit declaration of 'pax_close_kernel' was here
make[1]: *** [arch/x86/kernel/asm-offsets.s] Error 1
make: *** [prepare0] Error 2

We also tried to build a kernel from the debian kernel with the debian-patches for xen and the grsecurity patch. Then we get this error:
CALL scripts/checksyscalls.sh
CHK include/linux/compile.h
CC mm/mmap.o
mm/mmap.c: In function 'expand_downwards':
mm/mmap.c:1912: error: 'struct vm_area_struct' has no member named 'vm_prev'
make[1]: *** [mm/mmap.o] Error 1

Best regards,
Sebastian Stach

Re: Debian lenny xen + grsecurity

Posted: Wed Dec 15, 2010 12:00 pm
by specs
You should ask brad if xenlinux is supported.

Some people had success with xen (at least xen-unstable, 2.6.32.21 and 64 bit).
viewtopic.php?f=1&t=1913&start=30

Re: Debian lenny xen + grsecurity

Posted: Thu Dec 23, 2010 1:24 pm
by PaX Team
sebagred wrote: We can build a kernel with grsec, but we have problems when we want to build a kernel with the xen and grsecurity patches:
our patches are generated against vanilla linux (the Linus tree), for everything else you'll need a proper port which may involve more or less work ;).
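
Added example, not part of any post in this thread: a pre-flight check that compares the kernel version encoded in a grsecurity patch file name with the version in the source tree's top-level Makefile, then tries the patch with GNU patch's `--dry-run` before anything is modified. The function names are hypothetical, and the file-name layout `grsecurity-<grsec version>-<kernel version>-<timestamp>.patch` is assumed from the names quoted in the thread.

```shell
#!/bin/sh
# Added example: check a grsecurity patch against a kernel tree before applying it.

# Kernel version encoded in the patch file name, e.g. 2.6.32.27
patch_kernel_version() {
    basename "$1" |
        sed -n 's/^grsecurity-[0-9.]*-\([0-9.]*\)-[0-9]*\.patch$/\1/p'
}

# Read one variable (VERSION, PATCHLEVEL, ...) from <tree>/Makefile
mk_var() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$1/Makefile" | head -n 1
}

# Version of the tree; in 2.6.x stable releases EXTRAVERSION holds ".N"
tree_kernel_version() {
    printf '%s.%s.%s%s\n' \
        "$(mk_var "$1" VERSION)" "$(mk_var "$1" PATCHLEVEL)" \
        "$(mk_var "$1" SUBLEVEL)" "$(mk_var "$1" EXTRAVERSION)"
}

# Return 0 only if the patch targets exactly the version of the tree
check_patch_matches_tree() {
    want=$(patch_kernel_version "$1")
    have=$(tree_kernel_version "$2")
    if [ -z "$want" ]; then
        echo "cannot parse kernel version from: $1" >&2
        return 2
    fi
    if [ "$want" != "$have" ]; then
        echo "patch targets $want but tree is $have" >&2
        return 1
    fi
}

# A matching version is not enough for a non-vanilla tree (Xen, Debian):
# test every hunk without touching any file.
dry_run_patch() {
    patch -d "$2" -p1 --dry-run -f -s < "$1"
}

# Usage: sh check.sh <patch file> <kernel tree>
if [ "$#" -eq 2 ]; then
    check_patch_matches_tree "$1" "$2" && dry_run_patch "$1" "$2"
fi
```

A clean dry run only shows that the hunks apply textually; a tree that carries other patches can still fail at compile time, as the build logs above show.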