Grsecurity 1.9.11 Bugs
Posted: Wed Jun 25, 2003 7:24 am
Hi,
it seems 1.9.11 got some bugs, when i try to compile it (make bzImage):
rm -f $tmppiggy $tmppiggy.gz $tmppiggy.lnk; \
objcopy -O binary -R .note -R .comment -S /usr/src/linux-2.4.21/vmlinux $tmppiggy; \
gzip -f -9 < $tmppiggy > $tmppiggy.gz; \
echo "SECTIONS { .data : { input_len = .; LONG(input_data_end - input_data) input_data = .; *(.data) input_data_end = .; }}" > $tmppiggy.lnk; \
ld -m elf_i386 -r -o piggy.o -b binary $tmppiggy.gz -b elf32-i386 -T $tmppiggy.lnk; \
rm -f $tmppiggy $tmppiggy.gz $tmppiggy.lnk
BFD: Warning: Writing section `.text.startup' to huge (ie negative) file offset 0xc0100000.
BFD: Warning: Writing section `.data' to huge (ie negative) file offset 0xc0100080.
BFD: Warning: Writing section `.data.cacheline_aligned' to huge (ie negative) file offset 0xc0110d80.
BFD: Warning: Writing section `.data.init_task' to huge (ie negative) file offset 0xc0112000.
BFD: Warning: Writing section `.data.page_aligned' to huge (ie negative) file offset 0xc0114000.
BFD: Warning: Writing section `.bss' to huge (ie negative) file offset 0xc0119000.
BFD: Warning: Writing section `.data.init' to huge (ie negative) file offset 0xc0145000.
BFD: Warning: Writing section `.setup.init' to huge (ie negative) file offset 0xc016c740.
BFD: Warning: Writing section `.initcall.init' to huge (ie negative) file offset 0xc016c850.
BFD: Warning: Writing section `.text.init' to huge (ie negative) file offset 0xc016c8f8.
BFD: Warning: Writing section `.rodata.page_aligned' to huge (ie negative) file offset 0xc04f7000.
BFD: Warning: Writing section `.rodata' to huge (ie negative) file offset 0xc04f7800.
BFD: Warning: Writing section `__ex_table' to huge (ie negative) file offset 0xc0526960.
objcopy: _tmp_22158piggy: File truncated
gcc -D__ASSEMBLY__ -D__KERNEL__ -I/usr/src/linux-2.4.21/include -traditional -c head.S
gcc -D__KERNEL__ -I/usr/src/linux-2.4.21/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -DKBUILD_BASENAME=misc -c misc.c
ld -m elf_i386 -Ttext 0x100000 -e startup_32 -o bvmlinux head.o misc.o piggy.o
make[2]: Leaving directory `/usr/src/linux-2.4.21/arch/i386/boot/compressed'
gcc -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -o tools/build tools/build.c -I/usr/src/linux-2.4.21/include
objcopy -O binary -R .note -R .comment -S compressed/bvmlinux compressed/bvmlinux.out
tools/build -b bbootsect bsetup compressed/bvmlinux.out CURRENT > bzImage
Root device is (3, 1)
Boot sector 512 bytes.
Setup is 2524 bytes.
System is 12 kB
make[1]: Leaving directory `/usr/src/linux-2.4.21/arch/i386/boot'
As you can see, the resulting kernel is only 12kb in size and of course doesnt work.
Here's my .config:
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
# CONFIG_GRKERNSEC_PAX_SEGMEXEC is not set
# CONFIG_GRKERNSEC_PAX_MPROTECT is not set
CONFIG_GRKERNSEC_PAX_KERNEXEC=y
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
#
# ACL options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
# CONFIG_GRKERNSEC_PROC is not set
# CONFIG_GRKERNSEC_LINK is not set
# CONFIG_GRKERNSEC_FIFO is not set
# CONFIG_GRKERNSEC_CHROOT is not set
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
#
# Executable Protections
#
# CONFIG_GRKERNSEC_EXECVE is not set
# CONFIG_GRKERNSEC_DMESG is not set
# CONFIG_GRKERNSEC_RANDPID is not set
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
# CONFIG_GRKERNSEC_RANDNET is not set
# CONFIG_GRKERNSEC_RANDISN is not set
# CONFIG_GRKERNSEC_RANDID is not set
# CONFIG_GRKERNSEC_RANDSRC is not set
# CONFIG_GRKERNSEC_RANDRPC is not set
# CONFIG_GRKERNSEC_RANDPING is not set
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set
#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
Jonas
it seems 1.9.11 got some bugs, when i try to compile it (make bzImage):
rm -f $tmppiggy $tmppiggy.gz $tmppiggy.lnk; \
objcopy -O binary -R .note -R .comment -S /usr/src/linux-2.4.21/vmlinux $tmppiggy; \
gzip -f -9 < $tmppiggy > $tmppiggy.gz; \
echo "SECTIONS { .data : { input_len = .; LONG(input_data_end - input_data) input_data = .; *(.data) input_data_end = .; }}" > $tmppiggy.lnk; \
ld -m elf_i386 -r -o piggy.o -b binary $tmppiggy.gz -b elf32-i386 -T $tmppiggy.lnk; \
rm -f $tmppiggy $tmppiggy.gz $tmppiggy.lnk
BFD: Warning: Writing section `.text.startup' to huge (ie negative) file offset 0xc0100000.
BFD: Warning: Writing section `.data' to huge (ie negative) file offset 0xc0100080.
BFD: Warning: Writing section `.data.cacheline_aligned' to huge (ie negative) file offset 0xc0110d80.
BFD: Warning: Writing section `.data.init_task' to huge (ie negative) file offset 0xc0112000.
BFD: Warning: Writing section `.data.page_aligned' to huge (ie negative) file offset 0xc0114000.
BFD: Warning: Writing section `.bss' to huge (ie negative) file offset 0xc0119000.
BFD: Warning: Writing section `.data.init' to huge (ie negative) file offset 0xc0145000.
BFD: Warning: Writing section `.setup.init' to huge (ie negative) file offset 0xc016c740.
BFD: Warning: Writing section `.initcall.init' to huge (ie negative) file offset 0xc016c850.
BFD: Warning: Writing section `.text.init' to huge (ie negative) file offset 0xc016c8f8.
BFD: Warning: Writing section `.rodata.page_aligned' to huge (ie negative) file offset 0xc04f7000.
BFD: Warning: Writing section `.rodata' to huge (ie negative) file offset 0xc04f7800.
BFD: Warning: Writing section `__ex_table' to huge (ie negative) file offset 0xc0526960.
objcopy: _tmp_22158piggy: File truncated
gcc -D__ASSEMBLY__ -D__KERNEL__ -I/usr/src/linux-2.4.21/include -traditional -c head.S
gcc -D__KERNEL__ -I/usr/src/linux-2.4.21/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -DKBUILD_BASENAME=misc -c misc.c
ld -m elf_i386 -Ttext 0x100000 -e startup_32 -o bvmlinux head.o misc.o piggy.o
make[2]: Leaving directory `/usr/src/linux-2.4.21/arch/i386/boot/compressed'
gcc -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -o tools/build tools/build.c -I/usr/src/linux-2.4.21/include
objcopy -O binary -R .note -R .comment -S compressed/bvmlinux compressed/bvmlinux.out
tools/build -b bbootsect bsetup compressed/bvmlinux.out CURRENT > bzImage
Root device is (3, 1)
Boot sector 512 bytes.
Setup is 2524 bytes.
System is 12 kB
make[1]: Leaving directory `/usr/src/linux-2.4.21/arch/i386/boot'
As you can see, the resulting kernel is only 12kb in size and of course doesnt work.
Here's my .config:
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
# CONFIG_GRKERNSEC_PAX_SEGMEXEC is not set
# CONFIG_GRKERNSEC_PAX_MPROTECT is not set
CONFIG_GRKERNSEC_PAX_KERNEXEC=y
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
#
# ACL options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
# CONFIG_GRKERNSEC_PROC is not set
# CONFIG_GRKERNSEC_LINK is not set
# CONFIG_GRKERNSEC_FIFO is not set
# CONFIG_GRKERNSEC_CHROOT is not set
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
#
# Executable Protections
#
# CONFIG_GRKERNSEC_EXECVE is not set
# CONFIG_GRKERNSEC_DMESG is not set
# CONFIG_GRKERNSEC_RANDPID is not set
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
# CONFIG_GRKERNSEC_RANDNET is not set
# CONFIG_GRKERNSEC_RANDISN is not set
# CONFIG_GRKERNSEC_RANDID is not set
# CONFIG_GRKERNSEC_RANDSRC is not set
# CONFIG_GRKERNSEC_RANDRPC is not set
# CONFIG_GRKERNSEC_RANDPING is not set
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set
#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
Jonas