grsec with kernel 2.4.21-rc7-ac1 ?
Posted:
Sun Jun 08, 2003 6:48 pm
by tuxfan
Hi,
this is my first posting to this forum and I would like to know if it is possible to create a vanilla kernel 2.4.20 with the 2.4.21-rc7 + 2.4.21-rc7-ac1 + grsecurity-1.9.9h-2.4.20.patch?
If this should be possible, which patch of the 3 above mentioned do I have to install first?
Posted:
Mon Jun 09, 2003 12:29 am
by spender
I don't know what the AC patches include nowadays that can conflict with grsecurity, but I have a 2.4.21 patch ready to go when 2.4.21 final is released.
-Brad
Posted:
Mon Jun 09, 2003 2:10 pm
by tuxfan
Is this patch available for tests?
Kernel 2.4.20 has a bug: [ide-cd.o] Error 1, and when I try to patch grsecurity-1.9.9h after I patched to rc7 I get errors.
Posted:
Mon Jun 09, 2003 2:29 pm
by spender
Posted:
Tue Jun 10, 2003 5:21 am
by tuxfan
Some short feedback, although I haven't compiled the kernel yet:
2.4.20 -> patch-2.4.21-rc7.gz -> grsecurity-1.9.10-2.4.21.patch worked.
Posted:
Tue Jun 10, 2003 8:20 am
by tuxfan
Ok, the kernel compilation worked too with patch-2.4.21-rc7.gz and grsecurity-1.9.10-2.4.21.patch.
I configured "low", which includes CONFIG_GRKERNSEC_RANDID=y.
At the moment only this option is important to me, because I don't want somebody to be able to find out whether a network exists when a client connects to the Internet.
The help for CONFIG_GRKERNSEC_RANDID says: "If the sysctl option is enabled, a sysctl option with name "rand_ip_ids" is created". So do I need this so that the id field on all outgoing packets will be randomized? Do I need gradm?
How can I check if "random id" works?
Posted:
Tue Jun 10, 2003 9:24 am
by tuxfan
While grsecurity-1.9.10-2.4.21.patch works with patch-2.4.21-rc7.gz it doesn't when patch-2.4.21-rc7-ac1.gz is patched too.
Posted:
Tue Jun 10, 2003 10:03 am
by spender
Use tcpdump -vv on your machine. Look at the ID fields on the packets you're sending out. They should look random. You can also nmap yourself; it will tell you the class of IP IDs you're sending.
As for it not applying cleanly to -ac1, that's expected. I'll have to make a separate patch for that, but it's not my top priority right now.
-Brad
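The check Brad describes (watch the IP ID field in tcpdump -vv output and see whether it increments or looks random) can be scripted. The following is an added example, not code from the thread or from grsecurity; it assumes the `id N` field format that tcpdump -vv prints in the IP header summary, and the sample capture lines are constructed, not a real capture.

```python
import re
from typing import List

# tcpdump -vv prints the IP header as "(tos 0x0, ttl 64, id 40001, offset 0, ...)";
# this pulls out the "id N" field from each line.
_ID_RE = re.compile(r"\bid (\d+)\b")

# Constructed sample lines in tcpdump -vv style (not a real capture).
SEQUENTIAL_CAPTURE = [
    "10:00:00.000001 IP (tos 0x0, ttl 64, id 40001, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.10.40000 > 198.51.100.5.80: Flags [S]",
    "10:00:00.000210 IP (tos 0x0, ttl 64, id 40002, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.10.40000 > 198.51.100.5.80: Flags [.]",
    "10:00:00.000420 IP (tos 0x0, ttl 64, id 40003, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.10.40000 > 198.51.100.5.80: Flags [P.]",
    "10:00:00.000630 IP (tos 0x0, ttl 64, id 40004, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.10.40000 > 198.51.100.5.80: Flags [F.]",
]
RANDOM_CAPTURE = [
    "10:00:01.000001 IP (tos 0x0, ttl 64, id 51873, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.10.40001 > 198.51.100.5.80: Flags [S]",
    "10:00:01.000210 IP (tos 0x0, ttl 64, id 3904, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.10.40001 > 198.51.100.5.80: Flags [.]",
    "10:00:01.000420 IP (tos 0x0, ttl 64, id 22110, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.10.40001 > 198.51.100.5.80: Flags [P.]",
    "10:00:01.000630 IP (tos 0x0, ttl 64, id 61005, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.10.40001 > 198.51.100.5.80: Flags [F.]",
]


def extract_ip_ids(lines: List[str]) -> List[int]:
    """Return the IP ID of every packet line that carries an "id N" field."""
    return [int(m.group(1)) for m in map(_ID_RE.search, lines) if m]


def classify_ip_ids(ids: List[int]) -> str:
    """Rough classification of an IP ID sequence, in the spirit of nmap's IP ID test.

    'incremental': every step between consecutive IDs is a small positive value
                   (the stock 2.4 counter, which lets a remote host count packets);
    'zero':        every ID is 0;
    'random':      anything else, which is what CONFIG_GRKERNSEC_RANDID should give.
    """
    if len(ids) < 2:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"
    # Modular step so a counter wrapping past 65535 still looks incremental.
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(0 < s <= 16 for s in steps):
        return "incremental"
    return "random"


if __name__ == "__main__":
    for name, capture in (("sequential", SEQUENTIAL_CAPTURE), ("random", RANDOM_CAPTURE)):
        print(name, classify_ip_ids(extract_ip_ids(capture)))
```

In practice, pipe a short capture of your own outbound traffic through `extract_ip_ids` and look for anything other than "random"; a handful of packets is enough to tell a counter from a randomized field.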