grsecurity forums

I've been using grsec for quite a long time now. Recently I've began upgrading all of my servers from 2.4.20, grsec-1.9.9e to 2.4.21, grsec-1.9.11. The upgrade was fine for most computers except for a few. Grsecurity is set to 'medium'.

Minor issue was that 'ide' modules would fail during modprobe, although if i were to compile ide modules within kernel then they work.

The major issue is highmem support. When I enable 'highmem' support in kernel and when computer starts up all the modules fail during modprobe. The same thing happens when I enable SMP support in kernel. I am pretty sure this is a grsec issue because when I compile unpatched kernel then it works. With grsec kernel even if i disable everything, the 'highmem' and SMP support just break all the modules.

This is a new issue, and I never had anything like this with previous kernels/grsec versions.

I would appreciate if any of the developers respond to this, because of this issue I am unable to upgrade my most critical servers.

Thank You,
Walter.

Modules don't work when you compile your system with SMP and not highmem?

I'm sure there are hundreds if not thousands of people with that kind of configuration using grsecurity right now with no problems.

Did you remember to make modules modules_install ?

-Brad

Yes, I remembered compiling modules and installing them.
I've compiled hundreds of kernels before this one, so this is not my first time.

Is there anyone else having a problem with the new kernel/grsec?

Thanks,
Walter.

Can you answer my first question as well?

-Brad

Yes, modules do compile after selecting highmem or SMP. But after installing/rebooting and when modprobe starts up I see a whole list of module errors.

I test out the modules with modprobe and I get errors that either mention highmem or SMP support. I guess I could just select things that I need and not use modules at all, but this looks like a definite error/bug.

I have tried this on more than 10 servers and I am able to reproduce the same errors on each of them.

Also, on servers where do not require highmem or SMP support they start up fine and modules work except for ide modules. modprobe spits out some errors when probing ide modules. In those cases where ide were actually used I compiled them within the kernel. In any case, I'm not sure if this is related but I thought I'd mention it anyways.

Thank You,
Walter.

So, with ONLY SMP support, and not HIGHMEM support, you can reproduce the problems? Can you paste the module errors?

-Brad

I can reproduce the problems with highmem and/or with smp. Here's the errors I get when I compile with highmem:
--------------------------------------------------------------------
[root@euler root]# depmod -a
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/fs/nfs/nfs.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/fs/smbfs/smbfs.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/net/sunrpc/sunrpc.o

[root@euler root]# modprobe nfs
sunrpc.o: unresolved symbol kunmap_high
sunrpc.o: unresolved symbol highmem_start_page
sunrpc.o: unresolved symbol kmap_prot
sunrpc.o: unresolved symbol kmap_high
sunrpc.o: unresolved symbol kmap_pte
sunrpc.o: insmod /lib/modules/2.4.21-grsec/kernel/net/sunrpc/sunrpc.o failed
sunrpc.o: insmod nfs failed
--------------------------------------------------------------------
Here are the errors I get if I turn off highmem and turn on SMP support:
[root@euler root]# depmod -a
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/block/floppy.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/char/serial.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/net/3c59x.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/net/8139too.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/net/acenic.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/net/e100/e100.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/net/eepro100.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/pnp/isa-pnp.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/drivers/scsi/sg.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/fs/autofs4/autofs4.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/fs/lockd/lockd.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/fs/nfs/nfs.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/fs/nfsd/nfsd.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/fs/smbfs/smbfs.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/net/ipv4/netfilter/arp_tables.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/net/ipv4/netfilter/ip_conntrack.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/net/ipv4/netfilter/ip_tables.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/net/ipv4/netfilter/iptable_nat.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-grsec/kernel/net/sunrpc/sunrpc.o

[root@euler root]# modprobe nfs
sunrpc.o: unresolved symbol del_timer_sync
sunrpc.o: unresolved symbol kernel_flag_cacheline
sunrpc.o: unresolved symbol atomic_dec_and_lock
sunrpcc.o: insmod /lib/modules/2.4.21-grsec/kernel/net/sunrpc/sunrpc.o failed
sunrpc.o: insmod nfs failed
--------------------------------------------------------------------

Notice that SMP support breaks alot more modules. While highmem only breaks some fs modules.

Also, all of these errors go away if I just compile unpatched(grsec) kernel.

Thank You,
Walter.
[/quote][/code]

can you mail your config to spender@grsecurity.net? I'll try it out on a few machines here.

-Brad

Have you tried copying the new System.map into your /boot directory after you compile the new kernel with SMP/highmem & grsecurity? Unresolved Symbol errors usually mean the system doesn't know about system calls you are trying to make - System.map is a map for all of the system calls that the kernel understands.

Yes, I always copy the updated System.map file.

You sure you've called a make mrproper after patching? Or even between builds... looks like bad linking.

I forgot to post here that I tried out your config a couple weeks ago on an SMP box at work. The kernel compiled and booted fine with the modules. There were no dependency errors.

-Brad