grsecurity forums

Hej grsecurity folks,

I'm having some difficulties getting grsecurity to work.
Right now I am trying to implement grsecurity-2.9.1-3.2.44-201304271916.patch on Ubuntu Server 12 32bit Virtualbox guest within a Windows 7 host.
I followed the tutorial on Wikibooks and created the .deb files issuing the following commands:

make-kpkg clean
fakeroot make-kpkg --initrd --append-to-version=-custom kernel_image kernel_headers

Now, when I try to boot the grsec option in Grub, I get the following message:

Loading Linux 3.2.44grsec-grsec ...
Loading initial ramdisk ...

And then the boot hangs.
Also, when I try to boot in recovery mode, I am unable to select any options.
How can I get around this?

I know my way around Linux, but I don't consider myself an advanced user.
If you need more information, don't hestitate to ask and I will provide you with it.

Thanks in advance!

With some help I was finally able to install the kernel and get one step forward.
The kernel is Linux 3.2.44 and grsecurity is of the corresponding version.
However, now I am running into this error message:



I googled around a lot to find an answer, but so far without any results.
Can you give me some advice or tips on how to fix this error?

virtualbox is not compatible with several kernel self-protection features in PaX, disable KERNEXEC and UDEREF at least.

Thanks for you reply!
I disabled those options, but I'm still getting the same error.
This is my config file at the moment: http://pastebin.com/0PaBMdY6
Do you see any other options that are not compatible with virtualization?
Or do you see any other anomalies?

something's wrong with your config, it has CONFIG_PAX_KERNEXEC=m and CONFIG_PAX_MEMORY_UDEREF=m which are impossible (these features can't be modular at all). how did you end up with this config?

Well, I edited those options because I thought the 'y' meant to include the option during kernel boot and 'm' meant to exclude.
But obviously I was wrong in that, since it means modular.
If I want to exclude those options like you said, should I then delete them from the config file?
Is it fundamentally a wrong idea to use grsecurity in a virtualized environment?

RinkeB wrote:Well, I edited those options because I thought the 'y' meant to include the option during kernel boot and 'm' meant to exclude.
But obviously I was wrong in that, since it means modular.
If I want to exclude those options like you said, should I then delete them from the config file?

i think you should read up on how to configure linux , you never ever hand-edit the config file, that's what menuconfig/nconfig/etc are for.

Is it fundamentally a wrong idea to use grsecurity in a virtualized environment?

depends on your expectations .

Thanks for your answer.
I decided to install grsecurity with ubuntu on a standalone system to avoid virtualization issues.
Maybe you have the answer to the following questions.
When I choose to install grsecurity with a minimum of options first, do I have to recompile the complete kernel if I want to add more options?
Because I would like to run a working patched kernel first and then slowly add more options to see where and when problems appear.