grsecurity forums

Skip to content

grsec with kernel 2.4.21-rc7-ac1 ?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

grsec with kernel 2.4.21-rc7-ac1 ?

Postby tuxfan » Sun Jun 08, 2003 6:48 pm

Hi,

this is my 1st posting to this forum and I would like to know if it is possible to create a vanilla-kernel 2.4.20 with the 2.4.21-rc7 + 2.4.21-rc7-ac1 + grsecurity-1.9.9h-2.4.20.patch ?

If this should be possible, which patch of the 3 above mentioned do I have to install first?
tuxfan
 
Posts: 8
Joined: Sun Jun 08, 2003 6:20 pm
Top

Postby spender » Mon Jun 09, 2003 12:29 am

I don't know what the AC patches include nowadays that can conflict with grsecurity, but I have a 2.4.21 patch ready to go when 2.4.21 final is released.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby tuxfan » Mon Jun 09, 2003 2:10 pm

Is this patch available for tests?

Kernel 2.420 has a bug: [ide-cd.o] Error 1 and when I try to patch grsecurity-1.9.9h after I patched to rc7 I get errors.
tuxfan
 
Posts: 8
Joined: Sun Jun 08, 2003 6:20 pm
Top

Postby spender » Mon Jun 09, 2003 2:29 pm

http://grsecurity.net/grsecurity-1.9.10-2.4.21.patch

http://grsecurity.net/grsecurity-2.0-pre5-2.4.21.patch

You will need the current cvs of gradm or gradm2 as well.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby tuxfan » Tue Jun 10, 2003 5:21 am

A short feedback, although I didn't compile the kernel 'til now:
2.4.20 -> patch-2.4.21-rc7.gz -> grsecurity-1.9.10-2.4.21.patch worked.
tuxfan
 
Posts: 8
Joined: Sun Jun 08, 2003 6:20 pm
Top

Postby tuxfan » Tue Jun 10, 2003 8:20 am

Ok, the kernel compilation worked too with patch-2.4.21-rc7.gz and grsecurity-1.9.10-2.4.21.patch.

I configured "low" which includes CONFIG_GRKERNSEC_RANDID=y

At the moment only this option is important to me, because I don't want that somebody can find out, if a network exists, when a client connects to the Internet.

help for CONFIG_GRKERNSEC_RANDID says: "If the sysctl option is enabled, a sysctl option with name "rand_ip_ids" is created" So do I need this, that the id field on all outgoing packets will be randomized? Do I need gradm?

How can I check if "random id" works?
tuxfan
 
Posts: 8
Joined: Sun Jun 08, 2003 6:20 pm
Top

Postby tuxfan » Tue Jun 10, 2003 9:24 am

While grsecurity-1.9.10-2.4.21.patch works with patch-2.4.21-rc7.gz it doesn't when patch-2.4.21-rc7-ac1.gz is patched too.
tuxfan
 
Posts: 8
Joined: Sun Jun 08, 2003 6:20 pm
Top

Postby spender » Tue Jun 10, 2003 10:03 am

Use tcpdump -vv on your machine. Look at the ID fields on the packets you're sending out. They should look random. You can also nmap yourself, it will tell you the class of IP IDs you're sending.

As for it not applying cleanly to -ac1, that's expected. I'll have to make a separate patch for that, but it's not my top priority right now.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group
cron