grsecurity forums

[User-Name]

Hello,

I downloaded the kernel 2.36.32.41 and patched it with Grsecurity for 2.36.32.41, then I installed it (on a Debian 6 "Squeeze") then I rebooted and could't SSH my server anymore.

My host has a rescue system that allows me to mount my partitions so I can fix the conf files and such ... but for now I'm lost, I don't know what I did wrong, I don't know what's broken so I have no idea of what to fix and how.

I don't even know if GRUB is loading.

Usually what might cause such problem ? What do I have to fix etc ?

Thanks in advance, I really need some help here ...

[spender]

Not configuring the kernel properly would be the main reason (for instance, not compiling in the filesystems your root fs needs). Were you using a config that worked previously? If it's your first time compiling a kernel or first time using grsecurity, you should be using a (remote) serial console to debug these kinds of issues. Netconsole can be helpful too.

-Brad

[User-Name]

I managed to fix the server by modifying fstab ( proc wasn't mounted). I still couldn't boot the new kernel though, so I am using the old one. I gave a try at compiling the kernel the debian way by making a .deb file to see if it would work, but it seems I can't compile it :

ERROR: "usb_kill_urb" [drivers/staging/rtl8192su/r8192s_usb.ko] undefined!
ERROR: "usb_deregister" [drivers/staging/rtl8192su/r8192s_usb.ko] undefined!
ERROR: "usb_control_msg" [drivers/staging/rtl8192su/r8192s_usb.ko] undefined!
ERROR: "usb_submit_urb" [drivers/staging/rtl8192su/r8192s_usb.ko] undefined!
ERROR: "usb_register_driver" [drivers/staging/rtl8192su/r8192s_usb.ko] undefined!
ERROR: "usb_free_urb" [drivers/staging/rtl8192su/r8192s_usb.ko] undefined!
ERROR: "usb_alloc_urb" [drivers/staging/rtl8192su/r8192s_usb.ko] undefined!
WARNING: modpost: Found 19089 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
make[2]: *** [__modpost] Error 1
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/*folder*/linux-2.6.32.41'
make: *** [debian/stamp/build/kernel] Error 2

[User-Name]

Any idea on why I get this error ?

[specs]

Just to see what would happen I tried a "fakeroot make-kpkg --bzImage binary".
I started with using fresh patched sources (grsecurity-2.2.2-2.6.39.1-201106042120) and a .config that has been used before.
Since I use debian I ran into a small documented problem (viewtopic.php?f=3&t=2649)

Simply using "make oldconfig && make bzImage modules" builds a working kernel which can be copied easily. make-kpkg only adds an easy-to-install binary image. I hardly find it worth the extra time and trouble, but YMMV
Perhaps it would be worthwhile if I was using initrd, but since I don't maintain many different pc's I can customize kernels for each computer. Without initrd installation becomes much more simple: just copying the kernel image and the modules to the right place, add a line to grub/lilo and you are ready.

I haven't tried running or installing the newmade deb, but I think it will work since it's based on the same config as my running kernel.

Support for make-kpkg should be asked from the make-kpkg maintainers.
But before you ask support, perhaps you should make sure your vanilla kernel builds correctly using only the tools kernel.org provided: "make bzImage modules".

[kevinff]

I myself use make-kpkg on debian squeeze and was using my config file for quite some time.
After the release of 2.36.32.41 i modified the patch of .40 for this version and it worked perfectly.

I saw that there were some new changes in the grsec patch (a new PAX version) so i got the patch from grsecurity. But my server didn't boot with it as well.
So i think there's really something wrong with the new PAX patch, but i'm unable to check on that server..

[PaX Team]

I saw that there were some new changes in the grsec patch (a new PAX version) so i got the patch from grsecurity. But my server didn't boot with it as well.
So i think there's really something wrong with the new PAX patch, but i'm unable to check on that server..

is this an amd64 kernel? i made a change there that i reverted later in the last round of patches, so you should try the latest grsec to see if that caused you the problem, sorry about it.

[User-Name]

I tried again, I didn't change much I think, I used the last patch that was a bit newer, didn't try to deactivate USB and it worked

So now I'm struggling with my CentOS server, when compiling I remember there was 3 errors about some USB modules but it continued anyway. There was no config file created in the boot folder and a kernel panic at reboot, this is what I got :

http://img193.imageshack.us/img193/4853/yoaqa.jpg
http://img805.imageshack.us/img805/5316/8pzte.jpg

It probably has nothing to do with Grsec but I'm asking here since people might now what to do ... So what does these errors mean ? Will it be fixed if I compile the kernel again without deactivating the USB modules ? (those errors don't seem related to usb though ...)

[User-Name]

I tried again, no error during compilation, but it still didn't create a config file by itself so I had to copy it manually but it didn't boot

I see some people mentioning that the followings should be enable in the config file
CONFIG_SYSFS_DEPRECATED=y
CONFIG_SYSFS_DEPRECATED_V2=y
Why ? Will it work ?