Grsecurity ends up with unknown symbols

Post by SunMar » Mon Nov 15, 2004 11:51 pm

Hi,

I'm running Gentoo Linux and am using the hardened-2.6.7-r10 kernel which implements Grsecurity; unfortunately it doesn't completely work for me. Everything compiles just fine, however at the end of `make modules_install` I get:

Code:
WARNING: /lib/modules/2.6.7-hardened-r10/kernel/security/commoncap.ko needs unknown symbol gr_check_user_change
WARNING: /lib/modules/2.6.7-hardened-r10/kernel/security/commoncap.ko needs unknown symbol gr_check_group_change
WARNING: /lib/modules/2.6.7-hardened-r10/kernel/security/commoncap.ko needs unknown symbol gr_handle_chroot_caps

In my USE flags in /etc/make.conf I have "hardened" (installed my system with that), except for gcc which I have set to -hardened in /etc/portage/package.use.

I've looked a bit at the source code of Grsecurity and the missing symbols are present in linux/security/grsec_chroot.c, so my guess is the file isn't properly compiled or linked into the modules.

Because of the unknown symbols I can't load the commoncap module (and with that the capability module which requires commoncap); `modprobe capability` returns:

Code:
WARNING: Error inserting commoncap (/lib/modules/2.6.7-hardened-r10/kernel/security/commoncap.ko): Unknown symbol in module, or unknown parameter (see dmesg)
FATAL: Error inserting capability (/lib/modules/2.6.7-hardened-r10/kernel/security/capability.ko): Unknown symbol in module, or unknown parameter (see dmesg)

Dmesg returns the following (which seems to give the impression that not only commoncap but capability itself has some problems as well):

Code:
commoncap: Unknown symbol gr_check_user_change
commoncap: Unknown symbol gr_check_group_change
commoncap: Unknown symbol gr_handle_chroot_caps
capability: Unknown symbol cap_ptrace
capability: Unknown symbol cap_inode_setxattr
capability: Unknown symbol cap_syslog
capability: Unknown symbol cap_capget
capability: Unknown symbol cap_task_reparent_to_init
capability: Unknown symbol cap_task_post_setuid
capability: Unknown symbol cap_bprm_set_security
capability: Unknown symbol cap_bprm_secureexec
capability: Unknown symbol cap_capset_check
capability: Unknown symbol cap_bprm_apply_creds
capability: Unknown symbol cap_capable
capability: Unknown symbol cap_capset_set
capability: Unknown symbol cap_vm_enough_memory
capability: Unknown symbol cap_inode_removexattr


I've searched the forums here, at gentoo.org, searched the gentoo bug tracker and even googled for it but I can't find even one other person who has the same problem. Posted pretty much the exact same post yesterday on the Gentoo forums but didn't get any replies which is what brings me here now.

Anybody here got any idea what it could be or how I could fix it?

Sidenote: I have typed all the output stuff above over by hand, as far as I can tell it's typo-free but you never know ...
SunMar
 
Posts: 2
Joined: Mon Nov 15, 2004 11:47 pm

Post by Sleight of Mind » Wed Nov 17, 2004 4:56 am

I think you should disable the stuff from the security/ subdirectory in your config. It's selinux and stuff, and afaik not compatible (or needed anyway) with grsec.
You could also try a vanilla kernel with grsec patch only, so you're sure the gentoo people didn't introduce any mistakes that you're hitting.

-Rik
Sleight of Mind
 
Posts: 92
Joined: Tue Apr 08, 2003 10:41 am

Post by SunMar » Wed Nov 17, 2004 8:48 pm

Oops, I think I made a small mistake. Since the module was using grsec_ functions I assumed that they were modules of grsecurity.

Anyways I turned off the extra security features and now commoncap and capability are simply not compiled, hopefully named will stop bugging me about capset failed as well, but that's another bug. At least now I know where to look (still little to go on, but it's better than being in the dark).

Thanks for the reply!
SunMar
 
Posts: 2
Joined: Mon Nov 15, 2004 11:47 pm
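
An added diagnostic sketch for the "Unknown symbol" messages quoted in this thread (not code from any poster or from the grsecurity or Gentoo projects): it sorts each unresolved symbol by whether the running kernel's System.map defines it and whether it is exported to modules. It assumes exported symbols appear in System.map as `__ksymtab_<name>` entries; both sample inputs are constructed and the addresses are made up.

```python
import re
from collections import defaultdict

UNKNOWN_RE = re.compile(r"(\w+): Unknown symbol (\w+)")

# Constructed sample: dmesg lines in the format quoted in the first post.
SAMPLE_DMESG = """\
commoncap: Unknown symbol gr_check_user_change
commoncap: Unknown symbol gr_handle_chroot_caps
capability: Unknown symbol cap_ptrace
capability: Unknown symbol cap_capable
"""

# Constructed System.map excerpt (hypothetical addresses).
SAMPLE_SYSTEM_MAP = """\
c0123450 T gr_check_user_change
c0123460 T gr_handle_chroot_caps
c0345670 T printk
c0456780 r __ksymtab_printk
"""

def parse_unknown(dmesg_text):
    """Return {module: [symbol, ...]} from 'mod: Unknown symbol sym' lines."""
    missing = defaultdict(list)
    for line in dmesg_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m and m.group(2) not in missing[m.group(1)]:
            missing[m.group(1)].append(m.group(2))
    return dict(missing)

def parse_system_map(text):
    """Return (defined, exported) symbol-name sets from System.map text."""
    defined, exported = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name = parts[2]
        if name.startswith("__ksymtab_"):
            exported.add(name[len("__ksymtab_"):])
        else:
            defined.add(name)
    return defined, exported

def classify(missing, defined, exported):
    """Map (module, symbol) to one of three verdicts."""
    report = {}
    for module, symbols in missing.items():
        for sym in symbols:
            if sym in exported:
                report[(module, sym)] = "exported"
            elif sym in defined:
                report[(module, sym)] = "built-in, not exported"
            else:
                report[(module, sym)] = "not in kernel image"
    return report

if __name__ == "__main__":
    rep = classify(parse_unknown(SAMPLE_DMESG), *parse_system_map(SAMPLE_SYSTEM_MAP))
    for (mod, sym), verdict in rep.items():
        print(f"{mod:12} {sym:28} {verdict}")
```

A "built-in, not exported" verdict means the function is compiled into the kernel image but a loadable module cannot link against it; "not in kernel image" means the symbol would have to come from another module or from code that was not built.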

