grsecurity forums

[kleenex]

Hello everyone. I have one question about kernel with grsecurity patch. How would I update the kernel? I mean with standard distribution kernel it is very simple e.g. we can use automatic update, like "Update Manager" etc, but what about "my own" kernel (downloaded e.g. from kernel.org)? I understand, that the update manager does not update that kernel with grsec patch, right? So how can I do it?

Standard way? Downloading kernel, cd to /usr/src directory, unapcking kernel and run make menuconfig etc? Or can I do it - for example - with way, which is provided by Debian: Rebuilding official Debian kernel packages

I apologize for such a question, but I preparing to implement grsecurity on ​​a large scale and I want to have absolute confidence. I must thank You all for creating such a project! It is amazing, good job.

[spender]

Hi,

We have a wiki entry on this:
https://en.wikibooks.org/wiki/Grsecurit ... grsecurity

My personal choice is to configure with make menuconfig, then using make oldconfig with the same .config for subsequent kernels. You will need to compile+install a new kernel each time you wish to update. There's no automatic process for this from us (yet).

If you can build in the functionality needed to boot and mount the root partition, you can avoid the additional hassle of having to create initrd images.

-Brad

[kleenex]

Hi Brad. Thanks for your response. It may seem strange, but it will be my first attempt to compile the Linux kernel. I hope that everything will be ok. So far, I built kernels only on the FreeBSD systems.

[timbgo]

Debian users of grsecurity: kindly give advice to non-advanced users like me!
In reply to the previously posted in this thread, I can say:
It is not going to be my first attempt at compiling the kernel, but this is a level that is much closer to me than most of other posts (which I admire bug findings and fixes of, but is beyond my full undestanding).
And I also have trouble compiling grsecurity/pax into distro:Debian like the original poster.
So I thought I better try and post here, since it is within topic.
I have been battling to compile grsecurity/pax into Debian for a few days now, and there has been no help from Debian community so far, other than a little by one developer, whom I am really thankful to, but in personal mails.
I actually have a binary debian kernel + grsecurity/pax installed, but it is sooo.... (...@!~...)I have to be nice, sorry!
Pls. have a look at my attempts you can wind down to last 2 or 3 posts if time in short supply:
http://forums.debian.net/viewtopic.php?f=5&t=103302
but pls. take notice that... I have to paste that part:

Code: Select all

    myhost:$ ls -l /boot/
    total 16825
    -rw-r--r-- 1 root root  129038 Mar 26 07:48 config-3.2.0-4-amd64
    -rw-r--r-- 1 root root  131042 Apr  3 11:21 config-3.2.0-4-grsec-amd64
    drwxr-xr-x 3 root root    5120 Apr 15 18:51 grub
    -rw-r--r-- 1 root root 3354720 Apr 13 19:29 initrd.img-3.2.0-4-amd64
    -rw-r--r-- 1 root root 3378279 Apr 15 18:51 initrd.img-3.2.0-4-grsec-amd64
    drwxr-xr-x 2 root root   12288 Apr 13 18:22 lost+found
    -rw-r--r-- 1 root root 2105340 Mar 26 07:48 System.map-3.2.0-4-amd64
    -rw-r--r-- 1 root root 2065577 Apr  3 11:21 System.map-3.2.0-4-grsec-amd64
    -rw-r--r-- 1 root root 2833216 Mar 26 07:33 vmlinuz-3.2.0-4-amd64
    -rw-r--r-- 1 root root 3134592 Apr  3 11:20 vmlinuz-3.2.0-4-grsec-amd64
    myhost:$ grep SELINUX /boot/config-3.2.0-4-grsec-amd64
    CONFIG_SECURITY_SELINUX=y
    # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
    # CONFIG_SECURITY_SELINUX_DISABLE is not set
    CONFIG_SECURITY_SELINUX_DEVELOP=y
    CONFIG_SECURITY_SELINUX_AVC_STATS=y
    CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
    # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
    # CONFIG_DEFAULT_SECURITY_SELINUX is not set
    myhost:$


See? SELINUX is fully operating. God! I have to be nice.
...And there are other issues with the binary install of grsecurity. The iceweasel, the nfs server is broken are all broken for usel....

My plea is to you Debian users who have made it to compile fine kernel with grsecurity/pax and things, to point us lesser users of Debian how to do it. Just to give us a nudge or two.

I will be very greatful if this post is allowed, and don't expect Grsecurity/Pax developers to waste any time at all with us lesser users here.
But rather you, more advanced Debian users/devs, if you will, please!

Thank you in advance!

I have just downloaded with jigdo-lite the next wheezy testing and sources, and I'll be trying all over, and be back (might take me long hours), if I am permitted, to post where I reached.

[timbgo]

Thank you, Spender and Pax people!
You and the Hungarian (and possibly other) Pax developers are people I admire the most in contrast to the bleak and mostly profiteering top computing brains of today.
I would donate if I weren't heading for broke and very slowly and as yet remotely to maybe even foreclosure.
I can only encourage those who can, to donate. I rarely click on ads, but I did this time, just to see the kind firms who support you. I thank them as well!

Upon having such bad binary grsecurity installed and in such bad way, I decided I needed my system clean and I mean from scratch, so I reinstalled it...

(And I am saying this for newbies: there are still nice people in various Linux distros, but beware what and how you install. Myself, I opted for simple lxde desktop without some Gnome mine-tracker orm track-miner stuff (I couldn't care less to go find the exact name now, sorry!) and things that rummage through your system, and while doing do, claim they don't use your data for anything but your own needs. C'mon!...
!! For newbies to take notice, is the above !! (Most of this is for newbies, actually, up until I fail again in my install.)
There are still really nice people, say in Debian various teams, but...)

...And that is loong time reinstalling!

And then it took me long time to finally figure out how to do it.

I think I understand now how I need to do it.

In my case:
https://www.kernel.org/pub/linux/kernel/v3.x/
where:
linux-3.8.7.tar.bz2
linux-3.8.7.tar.sign

Because I'm on Debian testing, that's Wheezy Release Candidate 1 now, IIUC. I like newer stuff, am not so afraid of instabilities, so newer kernels I prefer.

It is to go with:
pax-linux-3.8.7-test20.patch
and
grsecurity-2.9.1-3.8.7-201304142158.patch
and
gradm-2.9.1-201301041755.tar.gz

according to (sure different numbers there, older versions):
https://en.wikibooks.org/wiki/Grsecurit ... grsecurity

I almost got it wrong again, because I did here first go for the binary kernels, just a few hours ago... No!, no way, grsecurity/pax patches are done for the exact kernels, and strictly for the sources of the kernels. They patch the sources, not the binary image of the kernel. It took me a while to finally settle that in my mind.

And, also this, no Debian kernel sources go with the grsecurity patch from grsecurity.net download, but you got Julian Tinnes or Corsac (a lot about the latter in my thread on forums.debian.org linked above), and some more things to observe and apply, I don't know any more details on that at this time.

So, here we go:

Code: Select all

me@myhost:~$ mkdir kernel/
me@myhost:~$ cd kernel/
me@myhost:/my_downloads$ bunzip2 linux-3.8.7.tar.bz2
me@myhost:/my_downloads$ gpg --verify linux-3.8.7.tar.sign linux-3.8.7.tar
gpg: Signature made Fri 12 Apr 2013 04:57:45 PM UTC using RSA key ID 6092693E
gpg: Can't check signature: public key not found
me@myhost:/my_downloads$

But just go to, say, pgp.mit.edu and input 0x6092693E, then compare fingeprint, you'll see it's ok.

Code: Select all

me@myhost:~/kernel$ ls -l /Cmn/deb_dLo/linux-3.8.7.tar
-rw-r--r-- 1 mr mr 505743360 Apr 17 13:19 /Cmn/deb_dLo/linux-3.8.7.tar
me@myhost:~/kernel$ ls -l
total 0
me@myhost:~/kernel$ tar xf /Cmn/deb_dLo/linux-3.8.7.tar
me@myhost:~/kernel$ ls -l
total 4
drwxr-xr-x 23 mr mr 4096 Apr 12 16:52 linux-3.8.7
me@myhost:~/kernel$ ls -l linux-3.8.7/
total 524
drwxr-xr-x  30 mr mr   4096 Apr 12 16:52 arch
drwxr-xr-x   3 mr mr   4096 Apr 12 16:52 block
-rw-r--r--   1 mr mr  18693 Apr 12 16:52 COPYING
-rw-r--r--   1 mr mr  95054 Apr 12 16:52 CREDITS
drwxr-xr-x   4 mr mr   4096 Apr 12 16:52 crypto
drwxr-xr-x  99 mr mr  12288 Apr 12 16:52 Documentation
drwxr-xr-x 108 mr mr   4096 Apr 12 16:52 drivers
drwxr-xr-x  36 mr mr   4096 Apr 12 16:52 firmware
drwxr-xr-x  72 mr mr   4096 Apr 12 16:52 fs
drwxr-xr-x  25 mr mr   4096 Apr 12 16:52 include
drwxr-xr-x   2 mr mr   4096 Apr 12 16:52 init
drwxr-xr-x   2 mr mr   4096 Apr 12 16:52 ipc
-rw-r--r--   1 mr mr   2536 Apr 12 16:52 Kbuild
-rw-r--r--   1 mr mr    252 Apr 12 16:52 Kconfig
drwxr-xr-x  10 mr mr   4096 Apr 12 16:52 kernel
drwxr-xr-x   9 mr mr   4096 Apr 12 16:52 lib
-rw-r--r--   1 mr mr 239609 Apr 12 16:52 MAINTAINERS
-rw-r--r--   1 mr mr  48024 Apr 12 16:52 Makefile
drwxr-xr-x   2 mr mr   4096 Apr 12 16:52 mm
drwxr-xr-x  55 mr mr   4096 Apr 12 16:52 net
-rw-r--r--   1 mr mr  18736 Apr 12 16:52 README
-rw-r--r--   1 mr mr   3371 Apr 12 16:52 REPORTING-BUGS
drwxr-xr-x  13 mr mr   4096 Apr 12 16:52 samples
drwxr-xr-x  13 mr mr   4096 Apr 12 16:52 scripts
drwxr-xr-x   9 mr mr   4096 Apr 12 16:52 security
drwxr-xr-x  22 mr mr   4096 Apr 12 16:52 sound
drwxr-xr-x  15 mr mr   4096 Apr 12 16:52 tools
drwxr-xr-x   2 mr mr   4096 Apr 12 16:52 usr
drwxr-xr-x   3 mr mr   4096 Apr 12 16:52 virt
me@myhost:~/kernel$

The point here is, "3.8.7" must correspond exactly to the vanilla kernel from kerne.org, I mean the sources kernel which it only ever is, on kernel.org, IIUC.

Code: Select all

me@myhost:/my_downloads$ gpg2 --verify  grsecurity-2.9.1-3.8.7-201304142158.patch.sig grsecurity-2.9.1-3.8.7-201304142158.patch
gpg: Signature made Mon 15 Apr 2013 03:59:27 CEST using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A
me@myhost:/my_downloads$

And now I apply the patch as Spender said (the complete output is very long so I cut it much shorter).

Code: Select all

me@myhost:~/kernel/linux-3.8.7$ patch -p1 < /Cmn/deb_dLo/grsec_test/grsecurity-2.9.1-3.8.7-201304142158.patch
patching file Documentation/dontdiff
patching file Documentation/kernel-parameters.txt
patching file Makefile
patching file arch/alpha/include/asm/atomic.h
patching file arch/alpha/include/asm/cache.h
patching file arch/alpha/include/asm/elf.h
patching file arch/alpha/include/asm/pgalloc.h
patching file arch/alpha/include/asm/pgtable.h
patching file arch/alpha/kernel/module.c
patching file arch/alpha/kernel/osf_sys.c
patching file arch/alpha/mm/fault.c
patching file arch/arm/Kconfig
patching file arch/arm/common/gic.c
patching file arch/arm/include/asm/atomic.h
patching file arch/arm/include/asm/cache.h

...[snip]...

patching file tools/gcc/Makefile
patching file tools/gcc/checker_plugin.c
patching file tools/gcc/colorize_plugin.c
patching file tools/gcc/constify_plugin.c
patching file tools/gcc/generate_size_overflow_hash.sh
patching file tools/gcc/kallocstat_plugin.c
patching file tools/gcc/kernexec_plugin.c
patching file tools/gcc/latent_entropy_plugin.c
patching file tools/gcc/size_overflow_hash.data
patching file tools/gcc/size_overflow_plugin.c
patching file tools/gcc/stackleak_plugin.c
patching file tools/gcc/structleak_plugin.c
patching file tools/perf/util/include/asm/alternative-asm.h
patching file tools/perf/util/include/linux/compiler.h
patching file virt/kvm/ioapic.c
patching file virt/kvm/kvm_main.c
me@myhost:~/kernel/linux-3.8.7$

That's what the patch does! All these files are changed on precise lines and in precise terms.

That's a grsecurity-patched no-more-vanilla kernel, but sooo much better kernel!

Here I am not completely sure, but I think I need to apply pax patch now.

Gradm2, according to the contained README, I understand is installed later just fine. Gradm2 is not a patch, but source of a program to compile.

So, I go:

Code: Select all

me@myhost:~/kernel/linux-3.8.7$ patch -p1 < /Cmn/deb_dLo/grsec_test/pax-linux-3.8.7-test20.patch
patching file arch/alpha/include/asm/atomic.h
Reversed (or previously applied) patch detected!  Assume -R? [n]

which is, I ran into problems. I clearly get it that the patch program figured out I patched the kernel with another patch, sure, but I don't know (yet) what that "Assume -R? [n] " wants to (not) do, because if I just hit Enter it won't do it.

But I guess it must stand, the R for reverting the previous patch. I'll go and find it in 'man patch'...

Yeah, in that man page there is "-R or --reverse"...

So I hit Enter, bracing myself for what might even go wrong, because I'm not completely sure I'm doing right...
It just gave me another:

Code: Select all

Apply anyway? [n]

And here I have to type in Y or yes, else it won't apply anything...

Code: Select all

Apply anyway? [n] Y
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file arch/alpha/include/asm/atomic.h.rej
patching file arch/alpha/include/asm/elf.h
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] yes
Hunk #1 succeeded at 98 with fuzz 2 (offset 7 lines).
patching file arch/alpha/include/asm/pgalloc.h
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] yes
Hunk #1 succeeded at 35 with fuzz 1 (offset 6 lines).
patching file arch/alpha/include/asm/pgtable.h
Reversed (or previously applied) patch detected!  Assume -R? [n]   
Apply anyway? [n] yes
Hunk #1 FAILED at 102.
1 out of 1 hunk FAILED -- saving rejects to file arch/alpha/include/asm/pgtable.h.rej
patching file arch/alpha/kernel/module.c
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] ye
Hunk #1 FAILED at 160.
1 out of 1 hunk FAILED -- saving rejects to file arch/alpha/kernel/module.c.rej
patching file arch/alpha/kernel/osf_sys.c
Hunk #1 FAILED at 1304.
Hunk #2 succeeded at 1344 with fuzz 2 (offset 4 lines).
Hunk #3 FAILED at 1351.
2 out of 3 hunks FAILED -- saving rejects to file arch/alpha/kernel/osf_sys.c.rej
patching file arch/alpha/mm/fault.c
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] yes
Hunk #1 succeeded at 28 with fuzz 2 (offset -25 lines).
Hunk #2 FAILED at 251.
1 out of 2 hunks FAILED -- saving rejects to file arch/alpha/mm/fault.c.rej
patching file arch/arm/common/gic.c
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] yes
Hunk #1 FAILED at 81.
Hunk #2 FAILED at 329.
2 out of 2 hunks FAILED -- saving rejects to file arch/arm/common/gic.c.rej
patching file arch/arm/include/asm/atomic.h
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] yes
Hunk #1 FAILED at 17.
Hunk #2 FAILED at 42.
Hunk #3 FAILED at 60.
Hunk #4 FAILED at 80.
Hunk #5 FAILED at 98.
Hunk #6 succeeded at 282 (offset 148 lines).
Hunk #7 FAILED at 189.
Hunk #8 FAILED at 204.
Hunk #9 succeeded at 386 with fuzz 1 (offset 167 lines).
Hunk #10 FAILED at 236.
Hunk #11 FAILED at 248.
Hunk #12 succeeded at 463 with fuzz 2 (offset 195 lines).
Hunk #13 succeeded at 499 (offset 208 lines).
Hunk #14 succeeded at 540 (offset 222 lines).
Hunk #15 succeeded at 592 with fuzz 1 (offset 252 lines).
Hunk #16 FAILED at 381.
Hunk #17 FAILED at 410.
Hunk #18 succeeded at 685 (offset 249 lines).
Hunk #19 succeeded at 856 (offset 357 lines).
Hunk #20 FAILED at 546.
Hunk #21 FAILED at 583.
Hunk #22 FAILED at 602.
14 out of 22 hunks FAILED -- saving rejects to file arch/arm/include/asm/atomic.h.rej
patching file arch/arm/include/asm/cacheflush.h
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] yes
Hunk #1 FAILED at 116.
1 out of 1 hunk FAILED -- saving rejects to file arch/arm/include/asm/cacheflush.h.rej
patching file arch/arm/include/asm/cache.h
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] yes
Hunk #1 FAILED at 4.
Hunk #2 FAILED at 24.
2 out of 2 hunks FAILED -- saving rejects to file arch/arm/include/asm/cache.h.rej
patching file arch/arm/include/asm/checksum.h
Reversed (or previously applied) patch detected!  Assume -R? [n]

Wrong, and I don't know where I went wrong this time around...

I might go for more perusing and internet searching, and I also need to post this, so I maybe get advice what to do.

[PaX Team]

grsec already contains PaX, you need only one or the other but not both.

[timbgo]

Thank you for your reply.
I did figure it out on my own, only, obviously, my mind takes its time figuring things
Much more progress I made....

Code: Select all

me@myhost:~/kernel/linux-3.8.7$ cp -iav /boot/config-3.2.0-4-amd64 .config
me@myhost:~/kernel/linux-3.8.7$ make menuconfig
me@myhost:~/kernel/linux-3.8.7$ fakeroot make deb-pkg
make KBUILD_SRC=
Makefile:630: *** Your gcc installation does not support plugins.  If the necessary headers for plugin support are missing, they should be installed.  On Debian, apt-get install gcc-<ver>-plugin-dev.  If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument..  Stop.
make[1]: *** [deb-pkg] Error 2
make: *** [deb-pkg] Error 2
me@myhost:~/kernel/linux-3.8.7$

In aptitude, I somehow figured out and installed, as can be seen from /var/log/dpkg.log:

Code: Select all

2013-04-17 23:04:52 install gcc-4.6-plugin-dev:amd64 <none> 4.6.3-14
2013-04-17 23:04:52 status half-installed gcc-4.6-plugin-dev:amd64 4.6.3-14
2013-04-17 23:04:52 status unpacked gcc-4.6-plugin-dev:amd64 4.6.3-14
2013-04-17 23:04:52 status unpacked gcc-4.6-plugin-dev:amd64 4.6.3-14

But this wasn't yet it... The warning/errors/whatever-you-call'em remained unchanged...

Code: Select all

2013-04-17 23:04:53 startup packages configure
...[snip]...
2013-04-17 23:05:53 configure gcc-4.7-plugin-dev:amd64 4.7.2-5 <none>
2013-04-17 23:05:53 status unpacked gcc-4.7-plugin-dev:amd64 4.7.2-5
2013-04-17 23:05:53 status half-configured gcc-4.7-plugin-dev:amd64 4.7.2-5
2013-04-17 23:05:53 status installed gcc-4.7-plugin-dev:amd64 4.7.2-5


That did it!

This:

Code: Select all

me@myhost:~/kernel/linux-3.8.7$ fakeroot make deb-pkg
make KBUILD_SRC=
  HOSTCXX -fPIC tools/gcc/colorize_plugin.o
  HOSTLLD -shared tools/gcc/colorize_plugin.so
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/syscalls/../include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_64.h
  HOSTCC  arch/x86/tools/relocs
  WRAP    arch/x86/include/generated/asm/clkdev.h
  CHK     include/generated/uapi/linux/version.h
  UPD     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  UPD     include/generated/utsrelease.h
  CC      kernel/bounds.s
  GEN     include/generated/bounds.h
  CC      arch/x86/kernel/asm-offsets.s
  GEN     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  HOSTCC  scripts/genksyms/genksyms.o
  SHIPPED scripts/genksyms/lex.lex.c
  SHIPPED scripts/genksyms/keywords.hash.c
  SHIPPED scripts/genksyms/parse.tab.h
  HOSTCC  scripts/genksyms/lex.lex.o
scripts/genksyms/lex.lex.c_shipped: In function ‘yy_get_next_buffer’:
scripts/genksyms/lex.lex.c_shipped:1135:3: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  SHIPPED scripts/genksyms/parse.tab.c
  HOSTCC  scripts/genksyms/parse.tab.o
  HOSTLD  scripts/genksyms/genksyms
  CC      scripts/mod/empty.o
  HOSTCC  scripts/mod/mk_elfconfig
  MKELF   scripts/mod/elfconfig.h
  HOSTCC  scripts/mod/file2alias.o
scripts/mod/file2alias.c: In function ‘do_vmbus_entry’:
scripts/mod/file2alias.c:828:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/mod/file2alias.c: In function ‘do_ipack_entry’:
scripts/mod/file2alias.c:977:2: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/mod/file2alias.c:978:2: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTCC  scripts/mod/modpost.o
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  HOSTCC  scripts/kallsyms
  HOSTCC  scripts/conmakehash
  HOSTCC  scripts/sortextable
scripts/sortextable.c: In function ‘main’:
scripts/sortextable.c:290:6: warning: variable ‘n_error’ might be clobbered by ‘longjmp’ or ‘vfork’ [-Wclobbered]
  CC      init/main.o
  CHK     include/generated/compile.h
  UPD     include/generated/compile.h
  CC      init/version.o
  CC      init/do_mounts.o
  CC      init/do_mounts_initrd.o
  LD      init/mounts.o
  CC      init/initramfs.o
  CC      init/calibrate.o
  CC      init/init_task.o
  LD      init/built-in.o
  HOSTCC  usr/gen_init_cpio
  GEN     usr/initramfs_data.cpio
  AS      usr/initramfs_data.o
  LD      usr/built-in.o
  LD      arch/x86/crypto/built-in.o
  CC [M]  arch/x86/crypto/ablk_helper.o
  CC [M]  arch/x86/crypto/glue_helper.o
  AS [M]  arch/x86/crypto/aes-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/aes_glue.o
  AS [M]  arch/x86/crypto/aesni-intel_asm.o
  CC [M]  arch/x86/crypto/aesni-intel_glue.o
  CC [M]  arch/x86/crypto/fpu.o
  AS [M]  arch/x86/crypto/blowfish-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/blowfish_glue.o
  CC [M]  arch/x86/crypto/crc32c-intel_glue.o
  AS [M]  arch/x86/crypto/crc32c-pcl-intel-asm_64.o
  AS [M]  arch/x86/crypto/ghash-clmulni-intel_asm.o
  CC [M]  arch/x86/crypto/ghash-clmulni-intel_glue.o
  AS [M]  arch/x86/crypto/salsa20-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/salsa20_glue.o
  AS [M]  arch/x86/crypto/sha1_ssse3_asm.o
  CC [M]  arch/x86/crypto/sha1_ssse3_glue.o
  AS [M]  arch/x86/crypto/twofish-x86_64-asm_64-3way.o
  CC [M]  arch/x86/crypto/twofish_glue_3way.o
  AS [M]  arch/x86/crypto/twofish-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/twofish_glue.o
  LD [M]  arch/x86/crypto/aes-x86_64.o
  LD [M]  arch/x86/crypto/blowfish-x86_64.o
  LD [M]  arch/x86/crypto/twofish-x86_64.o
  LD [M]  arch/x86/crypto/twofish-x86_64-3way.o
  LD [M]  arch/x86/crypto/salsa20-x86_64.o
  LD [M]  arch/x86/crypto/aesni-intel.o
  LD [M]  arch/x86/crypto/ghash-clmulni-intel.o
  LD [M]  arch/x86/crypto/crc32c-intel.o
  LD [M]  arch/x86/crypto/sha1-ssse3.o
  AS      arch/x86/ia32/ia32entry.o
  CC      arch/x86/ia32/sys_ia32.o
  CC      arch/x86/ia32/ia32_signal.o


...[snip]...

  LD      drivers/scsi/pcmcia/built-in.o
  CC [M]  drivers/scsi/pcmcia/aha152x_stub.o
  CC [M]  drivers/scsi/pcmcia/aha152x_core.o
  CC [M]  drivers/scsi/pcmcia/fdomain_stub.o
  CC [M]  drivers/scsi/pcmcia/fdomain_core.o
  CC [M]  drivers/scsi/pcmcia/qlogic_stub.o
  LD [M]  drivers/scsi/pcmcia/qlogic_cs.o
  LD [M]  drivers/scsi/pcmcia/fdomain_cs.o
  LD [M]  drivers/scsi/pcmcia/aha152x_cs.o
  CC [M]  drivers/scsi/pcmcia/sym53c500_cs.o
  LD      drivers/scsi/pm8001/built-in.o
  CC [M]  drivers/scsi/pm8001/pm8001_init.o
  CC [M]  drivers/scsi/pm8001/pm8001_sas.o
  CC [M]  drivers/scsi/pm8001/pm8001_ctl.o
  CC [M]  drivers/scsi/pm8001/pm8001_hwi.o
  LD [M]  drivers/scsi/pm8001/pm8001.o
  LD      drivers/scsi/qla2xxx/built-in.o
  CC [M]  drivers/scsi/qla2xxx/qla_os.o
  CC [M]  drivers/scsi/qla2xxx/qla_init.o
  CC [M]  drivers/scsi/qla2xxx/qla_mbx.o
  CC [M]  drivers/scsi/qla2xxx/qla_iocb.o
...


has now been churning on for half or one hour on my old slow system.

I think I am heading in the right direction, and might even make it relatively soon.

[timbgo]

I would have been, had it not been for some (guess-what's-the-usual-kid-of) error... But, let's unwind the story. If I knew which to cut shorter, and keep it still clear, I'd cut that part... But I don't

Code: Select all

me@myhost:/Cmn/mr/kernel# ls -lh
total 985M
drwxr-xr-x  3 root root 4.0K Apr 18 07:13 boot.d
-rw-r--r--  1 root root 250M Apr 18 07:08 dd_D0418_sda1.dd
drwx------ 26 mr   mr   4.0K Apr 18 06:48 linux-3.8.7
-rw-r--r--  1 mr   mr   1.1M Apr 18 03:37 linux-firmware-image_3.8.7-grsec130417-1_amd64.deb
-rw-r--r--  1 mr   mr   1.1M Apr 18 06:49 linux-firmware-image_3.8.7-grsec130417-2_amd64.deb
-rw-r--r--  1 mr   mr   7.8M Apr 18 03:38 linux-headers-3.8.7-grsec130417_3.8.7-grsec130417-1_amd64.deb
-rw-r--r--  1 mr   mr   7.8M Apr 18 06:49 linux-headers-3.8.7-grsec130417_3.8.7-grsec130417-2_amd64.deb
-rw-r--r--  1 mr   mr   358M Apr 18 03:53 linux-image-3.8.7-grsec130417_3.8.7-grsec130417-1_amd64.deb
-rw-r--r--  1 mr   mr   358M Apr 18 07:04 linux-image-3.8.7-grsec130417_3.8.7-grsec130417-2_amd64.deb
-rw-r--r--  1 mr   mr   897K Apr 18 03:38 linux-libc-dev_3.8.7-grsec130417-1_amd64.deb
-rw-r--r--  1 mr   mr   897K Apr 18 06:49 linux-libc-dev_3.8.7-grsec130417-2_amd64.deb
me@myhost:/Cmn/mr/kernel# dpkg -i *.deb
dpkg: warning: downgrading linux-firmware-image from 3.8.7-grsec130417-2 to 3.8.7-grsec130417-1
(Reading database ... 113785 files and directories currently installed.)
Preparing to replace linux-firmware-image 3.8.7-grsec130417-2 (using linux-firmware-image_3.8.7-grsec130417-1_amd64.deb) ...
Unpacking replacement linux-firmware-image ...
Preparing to replace linux-firmware-image 3.8.7-grsec130417-1 (using linux-firmware-image_3.8.7-grsec130417-2_amd64.deb) ...
Unpacking replacement linux-firmware-image ...
Selecting previously unselected package linux-headers-3.8.7-grsec130417.
Unpacking linux-headers-3.8.7-grsec130417 (from linux-headers-3.8.7-grsec130417_3.8.7-grsec130417-1_amd64.deb) ...
Preparing to replace linux-headers-3.8.7-grsec130417 3.8.7-grsec130417-1 (using linux-headers-3.8.7-grsec130417_3.8.7-grsec130417-2_amd64.deb) ...
Unpacking replacement linux-headers-3.8.7-grsec130417 ...
Selecting previously unselected package linux-image-3.8.7-grsec130417.
Unpacking linux-image-3.8.7-grsec130417 (from linux-image-3.8.7-grsec130417_3.8.7-grsec130417-1_amd64.deb) ...
Preparing to replace linux-image-3.8.7-grsec130417 3.8.7-grsec130417-1 (using linux-image-3.8.7-grsec130417_3.8.7-grsec130417-2_amd64.deb) ...
Unpacking replacement linux-image-3.8.7-grsec130417 ...
dpkg: warning: downgrading linux-libc-dev from 3.8.7-grsec130417-2 to 3.8.7-grsec130417-1
Preparing to replace linux-libc-dev 3.8.7-grsec130417-2 (using linux-libc-dev_3.8.7-grsec130417-1_amd64.deb) ...
Unpacking replacement linux-libc-dev ...
Preparing to replace linux-libc-dev 3.8.7-grsec130417-1 (using linux-libc-dev_3.8.7-grsec130417-2_amd64.deb) ...
Unpacking replacement linux-libc-dev ...
More than one copy of package linux-firmware-image has been unpacked
 in this run !  Only configuring it once.
More than one copy of package linux-headers-3.8.7-grsec130417 has been unpacked
 in this run !  Only configuring it once.
More than one copy of package linux-image-3.8.7-grsec130417 has been unpacked
 in this run !  Only configuring it once.
More than one copy of package linux-libc-dev has been unpacked
 in this run !  Only configuring it once.
Setting up linux-firmware-image (3.8.7-grsec130417-2) ...
Setting up linux-headers-3.8.7-grsec130417 (3.8.7-grsec130417-2) ...
Setting up linux-image-3.8.7-grsec130417 (3.8.7-grsec130417-2) ...
update-initramfs: Generating /boot/initrd.img-3.8.7-grsec130417
Generating grub.cfg ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-3.8.7-grsec130417
Found initrd image: /boot/initrd.img-3.8.7-grsec130417
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
  /dev/dm-3: read failed after 0 of 4096 at 7516127232: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 7516184576: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 0: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 4096: Input/output error
  /dev/vg_r/var_s: read failed after 0 of 4096 at 5368643584: Input/output error
  /dev/vg_r/var_s: read failed after 0 of 4096 at 5368700928: Input/output error
  /dev/vg_r/var_s: read failed after 0 of 4096 at 0: Input/output error
  /dev/vg_r/var_s: read failed after 0 of 4096 at 4096: Input/output error
Found Windows XP Professional x64 Edition on /dev/sda4
done
Setting up linux-libc-dev (3.8.7-grsec130417-2) ...
me@myhost:/Cmn/mr/kernel#

me@myhost:/Cmn/mr/kernel# ls -l /boot/
total 24484
-rw-r--r-- 1 root root   129038 Mar 26 07:48 config-3.2.0-4-amd64
-rw-r--r-- 1 root root   107407 Apr 18 06:47 config-3.8.7-grsec130417
drwxr-xr-x 3 root root     5120 Apr 18 07:18 grub
-rw-r--r-- 1 root root  3372771 Apr 17 00:24 initrd.img-3.2.0-4-amd64
-rw-r--r-- 1 root root 11098976 Apr 18 07:18 initrd.img-3.8.7-grsec130417
drwxr-xr-x 2 root root    12288 Apr 16 23:43 lost+found
-rw-r--r-- 1 root root  2105340 Mar 26 07:48 System.map-3.2.0-4-amd64
-rw-r--r-- 1 root root  2226443 Apr 18 06:47 System.map-3.8.7-grsec130417
-rw-r--r-- 1 root root  2833216 Mar 26 07:33 vmlinuz-3.2.0-4-amd64
-rw-r--r-- 1 root root  3071376 Apr 18 06:47 vmlinuz-3.8.7-grsec130417
me@myhost:/Cmn/mr/kernel#


And next I went:

Code: Select all

me@myhost:/home/mr# ls -l /boot/
total 8297
-rw-r--r-- 1 root root  129038 Mar 26 07:48 config-3.2.0-4-amd64
drwxr-xr-x 3 root root    5120 Apr 18 09:20 grub
-rw-r--r-- 1 root root 3372771 Apr 17 00:24 initrd.img-3.2.0-4-amd64
drwxr-xr-x 2 root root   12288 Apr 16 23:43 lost+found
-rw-r--r-- 1 root root 2105340 Mar 26 07:48 System.map-3.2.0-4-amd64
-rw-r--r-- 1 root root 2833216 Mar 26 07:33 vmlinuz-3.2.0-4-amd64
me@myhost:/home/mr# cd /Cmn/mr/kernel/
me@myhost:/Cmn/mr/kernel# ls -l
total 792628
drwxr-xr-x  3 root root      4096 Apr 18 07:13 boot.d
-rw-r--r--  1 root root 262144000 Apr 18 07:08 dd_D0418_sda1.dd
drwxr-xr-x  2 mr   mr        4096 Apr 18 09:21 DEL
drwx------ 26 mr   mr        4096 Apr 18 08:54 linux-3.8.7
-rw-r--r--  1 mr   mr     1136120 Apr 18 08:55 linux-firmware-image_3.8.7-grsec-130418-3_amd64.deb
-rw-r--r--  1 mr   mr     8213890 Apr 18 08:55 linux-headers-3.8.7-grsec-130418_3.8.7-grsec-130418-3_amd64.deb
-rw-r--r--  1 mr   mr   539211500 Apr 18 09:16 linux-image-3.8.7-grsec-130418_3.8.7-grsec-130418-3_amd64.deb
-rw-r--r--  1 mr   mr      918384 Apr 18 08:55 linux-libc-dev_3.8.7-grsec-130418-3_amd64.deb
me@myhost:/Cmn/mr/kernel# dpkg -i *.deb
Selecting previously unselected package linux-firmware-image.
(Reading database ... 113656 files and directories currently installed.)
Unpacking linux-firmware-image (from linux-firmware-image_3.8.7-grsec-130418-3_amd64.deb) ...
Selecting previously unselected package linux-headers-3.8.7-grsec-130418.
Unpacking linux-headers-3.8.7-grsec-130418 (from linux-headers-3.8.7-grsec-130418_3.8.7-grsec-130418-3_amd64.deb) ...
Selecting previously unselected package linux-image-3.8.7-grsec-130418.
Unpacking linux-image-3.8.7-grsec-130418 (from linux-image-3.8.7-grsec-130418_3.8.7-grsec-130418-3_amd64.deb) ...
Preparing to replace linux-libc-dev 3.8.7-grsec130417-2 (using linux-libc-dev_3.8.7-grsec-130418-3_amd64.deb) ...
Unpacking replacement linux-libc-dev ...
Setting up linux-firmware-image (3.8.7-grsec-130418-3) ...
Setting up linux-headers-3.8.7-grsec-130418 (3.8.7-grsec-130418-3) ...
Setting up linux-image-3.8.7-grsec-130418 (3.8.7-grsec-130418-3) ...
update-initramfs: Generating /boot/initrd.img-3.8.7-grsec-130418
Generating grub.cfg ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-3.8.7-grsec-130418
Found initrd image: /boot/initrd.img-3.8.7-grsec-130418
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
  /dev/dm-3: read failed after 0 of 4096 at 7516127232: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 7516184576: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 0: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 4096: Input/output error
  /dev/vg_r/var_s: read failed after 0 of 4096 at 5368643584: Input/output error
  /dev/vg_r/var_s: read failed after 0 of 4096 at 5368700928: Input/output error
  /dev/vg_r/var_s: read failed after 0 of 4096 at 0: Input/output error
  /dev/vg_r/var_s: read failed after 0 of 4096 at 4096: Input/output error
Found Windows XP Professional x64 Edition on /dev/sda4
done
Setting up linux-libc-dev (3.8.7-grsec-130418-3) ...
me@myhost:/Cmn/mr/kernel#  ls -l /boot/
total 24710
-rw-r--r-- 1 root root   129038 Mar 26 07:48 config-3.2.0-4-amd64
-rw-r--r-- 1 root root   125034 Apr 18 08:53 config-3.8.7-grsec-130418
drwxr-xr-x 3 root root     5120 Apr 18 09:24 grub
-rw-r--r-- 1 root root  3372771 Apr 17 00:24 initrd.img-3.2.0-4-amd64
-rw-r--r-- 1 root root 11352978 Apr 18 09:24 initrd.img-3.8.7-grsec-130418
drwxr-xr-x 2 root root    12288 Apr 16 23:43 lost+found
-rw-r--r-- 1 root root  2105340 Mar 26 07:48 System.map-3.2.0-4-amd64
-rw-r--r-- 1 root root  2209891 Apr 18 08:53 System.map-3.8.7-grsec-130418
-rw-r--r-- 1 root root  2833216 Mar 26 07:33 vmlinuz-3.2.0-4-amd64
-rw-r--r-- 1 root root  3045520 Apr 18 08:53 vmlinuz-3.8.7-grsec-130418
me@myhost:/Cmn/mr/kernel#


But this was what I got when booting the grsec kernel (and I'll reconstruct why I think it happened, because grsec which showed it was there by logging exec's, didn't mess up the booting, never even those its ante diluvium bugs touted at this time by vitrioloids in high places in Debian, apparently, pls read previous post and the link to my post on Debian forum to understand my meaning)...

Code: Select all

Booting the kernel.
Loading, please wait...
  Volume group "vg_r" not found
  Skipping volume group vg_r
Unable to find LVM volume vg_r/root
  Volume group "vg_C" not found
  Skipping volume group vg_C
Unable to find LVM volume vg_C/swap
Gave up waiting for root device.  Common problems:
 - Boot args (cat /proc/cmdline)
   - Check rootdelay= (did the system wait long enough?)
   - Check root= (did the system wait for the right device?)
 - Missing modules (cat /proc/modules; ls /dev)
ALERT!  /dev/mapper/vg_r-root does not exist.  Dropping to a shell!
modprobe: module ehci-hcd not found in modules.dep
modprobe: module uhci-hcd not found in modules.dep
modprobe: module ohci-hcd not found in modules.dep
modprobe: module usbhid not found in modules.dep


Busybox v1.20.2 (Debian 1:1.20.-7) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
(initramfs) _

       ^
and that    | char is blinking.


Trying to boot with my grsec kernel in recovery mode has the only difference that a lot of grsec lines are printed, such as:

Code: Select all

[  33.382033] grsec: exec of /bin/busybox (/bin/sh -i ) by /bin/busybox[init:492] uid/euid:0/0 gid:0/0, partnt /init[init:1] uid/euid:0/0 gid/egid:0/0


But wait a minute, I got similar error booting, subsequently, on the binary 3.2.0.4 kernel...

Code: Select all

a few lines are missing (I'm manually copying the screen, typing by hand, after pressed Scroll Lock on keyboard).
...
[   3.41153] Buffer I/O error on device dm-3, logical block 1835007
 /dev/vg_r/root_s: read failed after 0 of 4096 at 756127232: Input/output error
 /dev/vg_r/root_s: read failed after 0 of 4096 at 756104576: Input/output error
 /dev/vg_r/root_s: read failed after 0 of 4096 at 0: Input/output error
 /dev/vg_r/root_s: read failed after 0 of 4096 at 4096: Input/output error
INIT: version 2:88 booting
Using makefile-style cuncurrent boot in runlevel S.
Starting the hotplug events dispatcher: udevd.
Synthesizing the initial hotplug events...done.
Waiting for /dev to be fully populated...[   4.930015] ACPI: Invalid PBLX length [7]
[   9.448515] ali15x3_smbus 0000:00:1e.1: ALI15X3_smb region uninitialized - upgrade BIOS or use force_addr=0xaddr
[   9.448571] ali15x3_smbus 0000:00:1e.1: ALI15X3 not detected, module not inserted.
[   9.729048] platform radeon_cp.0: firmware: agent aborted loading radeon/R300_cp.bin (not found?)
[   9.729464] [drm:r100_cp_init] *ERROR* Failed to load firmware!
[   9.729518] radeon 0000:01:00.0 failed initializing CP (-2).
[   9.729567] radeon 0000:01:00.0 Disabling GPU acceleration
done.
Setting preliminary keymap..done.
Setting parameters of disc: (none).
Checking root file system..fsck from util-linux 2.20.1
/dev/ampper/vg_r-root: clean, 55737/458752 files, 1281836/1835008 blocks
done.
Loading kernel module loop.
Setting up LVM Volume Groups... /dev/dm-3: read failed after 0 of 4096 at 7516127232: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 7516184576: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 0: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 4096: Input/output error
[ 11.658695] Buffer I/O error on device dm-10, logical block 1310704
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 1310xxx
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 1310xxx
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 1310xxx
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 0
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 0
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 1
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 1310xxx
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 1310xxx
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 1310xxx
[ 11.658xxx] Buffer I/O error on device dm-10, logical block 1310xxx
  /dev/dm-3: read failed after 0 of 4096 at 75xxxxxx: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 75xxxxxx: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 0: Input/output error
  /dev/dm-3: read failed after 0 of 4096 at 4096: Input/output error


('x's introduces instead real numbers here and there, surely, those real are not double checked, where only represent time IIUC or other triviality).
And I'm relinquishing Scroll Lock now.

And pressing it again.

Code: Select all

done.
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux 2.20.1
/dev/sda1: clean, 244/128000 files, 42922/256000 blocks
/dev/mapper/vg_r-tmp: clean xxxx/xxxxx files xxxxx/xxxxxxx blocks
/dev/mapper/vg_r-usr: clean xxxx/xxxxx files xxxxx/xxxxxxx blocks
/dev/mapper/vg_r-var: clean xxxx/xxxxx files xxxxx/xxxxxxx blocks
done
Mounting local filesystem...done.
Activating swapfile swap...done.
[ ok ] Cleaning up temporary files.. /tmp.
[ ok ] Setting kernel variables ..done.
[ ok ] Configuring network interfaces...done.
[ ok ] Starting rpcbind angel....
Why do people call them daemons? ;-) Angels are beautiful and truly mighty. Daemons are not!


Surely, the last is genuine non-machine input by me (and I'm here under psydonim, because a dissenter in a neighboring to Hungary country, my regime hates me (I wish my rightwingers came to power along with someone great like Victor Orban, but we don't have anyone like him at this time...)...

And I tink I know why these recoverable by the Debian own binary kernel have been introduced...

It's nothing to do with grsecurity, let alone grsecurity's ante diluvium bugs like those presented in Debian packages grsecurity

In the next post. Have to keep the audience in suspense.

(The system booted fine on the binary Debian kernel.)

[timbgo]

But we, the tolerant rightwingers in Croatia (I am Miroslav Rovis), do not torture people. So I'm pronto telling you the rest of the story.
Here's what must have introduced the error.
Unfortunately, I was too tired, and relaxed my concentration.
I issued, this is from memory:

Code: Select all

umount /dev/sda1/

That is I unmounted /boot.
I really hope that it was then that I also did:

Code: Select all

dd if=/dev/sda1 of=dd_D0418_sda1.dd

the file that's listed somewhere in pasted terminal output above.
If I did that prior to messing up, than I'll be able to restore it and those errors in booting won't reappear...
Because, while the /boot was not mounted, I issued:

Code: Select all

dkpg -i *.deb

and that is what introduced the error.
More follows hopefully soon. Have other things that will take hours for me now of my time.

[timbgo]

The issue is solve as grsecuriy install goes.
Upon longer thinking I figured out what it is.
I checked in parallel on another same arch, same hardware machine, and the failing initramfs issue, because that where i am now stuck with is *not* related to my mistake.
It's probably rather simple.
The initramfs in my wheezy doesn't support that kernle. End of story for now.
See here and the links therefrom:
http://forums.debian.net/viewtopic.php? ... fs#p494039

EDIT, 7 weeks later, start
This, above, is not the link that open the page that contains the text below. It is not (probably) anymore. I mean, the above and the below corresponded just fine, back then, very very probably.
Even if I don't find my notes of the time, it is extremely unlikely that it didn't correspond, because, since oftentimes a good number of people read my posts, I very carefully double check the links that I give, first thing upon publishing.
My suspicion is completely of the NSA's aficionados club.
One clear indication of the cahoots of the zombies of the world against freedom is the payout Google gives to the faithful Debian nice people keeping their page first thing in iceweasel...
One clear indication of the cahoots of the zombies of the world with the any-and-all secret services of the world best profiteering information provider Google...
That, at any newbies Internet access via iceweasel, how faithful to the monopoly scum!
One clear indication of the above cahoots is that the text below is nowhere in (probably) no search engines anymore, to be found, other than if you read this or have sometime in the past dwelled a little on this here page!
I mean, for the newbies, if you paste, but quoted, pls. take note, " and " and start and end, into http://www.startpage.com (which is advised, they don't keep user info, and give Google's findings) or, say ddg.gg which is duckduckgo.com I think... If you give:
"the 3.8-trunk series is in the experimental repo"
literally in those serach engines, unless things change, you find only this here page on
https://forums.grsecurity.net/
that you arre reading...
You'lll (probably or maybe) be able to verify that it is so only soon after I post this, or maybe the text below has vanished forever and can be found only here for the rest of... the life of me and the Debian which IMO should relinquish on its name, because the subterfuges against users is not worth the shiny tradition in which it was founded and spread.
But how can I tell it'll be or not be found anymore?
How can I be faster than Google who hides, plenty of proofs to that to anyone savvy enough and honest enough, who often hides information from users!
Who often hides information from users!
Who is allowed to know on Microsoft having basically stolen grsecurity's code and used it in newly acquired Skype, back a few years ago?
But I am not a journalist, not a programmer, just a user, and my time will be limited to what it necessary to make a complete topic that I'm in these days on this forum, just as this 7 weeks old topic here was complete back then, but is now, very very probably (how could I possibly prove that?, no resources of time and knowledge for actual proofs here!)...
...But is (this topic), deliberately, through deleting, worse!, worse!, putting completely non-related stuff under (some of these) links, which are referenced from here, made incomplete!
What's free in free Debian vitrioloids who do so?
EDIT end.

And I'm pasting over this section:

the 3.8-trunk series is in the experimental repo, ATM, but it also needs the new initramfs-tools package to be upgraded to version 0.110 also from experimental for both wheezy and sid systems

In my wheezy it's 0.109 if I remember well.
I might be back just to give the resume once I finally start using my grsecurity kernel on Debian, for completeness sake.
Regards to readers, and thumbs up for Spender and Pax people!

[timbgo]

I finaly made it.
But with the stable grsecurity.
The procedure is the same as the one above that I attempted with the experimental kernel, only here there weren't any issues with installing initramfs.

I hope I'll be back, I can't promise, but I have something in mind.
God bless all the readers!

[timbgo]

Surely, firefox, (called, actually repackaged as) iceweasel, wouldn't really run upon my booting into my long awaited grsecurity/pax enhanced vanilla kernel on Debian:

Code: Select all

me@myhost:~$ uname -r
3.2.43-grsec130418-21
me@myhost:~$

Note: '130418-21' is my own local version, it was last night at 21 that I named it so when I configured the kernel.

Code: Select all

me@myhost:~$iceweasel &
[1] 3709
me@myhost:~$ top
...
top - 06:33:07 up  7:44,  2 users,  load average: 0.87, 0.37, 0.20
Tasks: 172 total,   2 running, 169 sleeping,   0 stopped,   1 zombie
%Cpu(s):  8.2 us, 91.8 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   4056312 total,   554760 used,  3501552 free,    38700 buffers
KiB Swap: 13631484 total,        0 used, 13631484 free,   287324 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND           
 3709 mr        20   0  354m  20m  12m R  96.4  0.5   0:49.42 firefox-bin       
 2822 root      20   0  134m  29m 9436 S   1.3  0.7   2:31.79 Xorg             
 3570 mr        20   0  316m  13m 9864 S   1.3  0.3   0:01.25 lxterminal   
...


And it would keep spending resources like that to no avail: no window appearing whatsoever.
That's icewasel, the firefox-bin running, but it's a real mess with names, that I won't dedicate much time to.
Sp:

Code: Select all

me@myhost:~$ killall firefox-bin
[1]+  Terminated              iceweasel
me@myhost:~$

It is not working what it's programmed for because the grsecurity/pax installation isn't in iceweasel (firefox), on Debian, accounted for, reckoned with, yet, and still, to the hardening that you get with grsecurity/pax no other security feature available in todays kernel, is a match anywhere nearly.
The solution to that issue isn't difficult.
Upon looking under the hood for who is the binary there running the iceweasel program.

Code: Select all

root@myhost:/usr/lib/xulrunner-10.0# file xulrunner-bin
xulrunner-bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x8bfcf695b8f24d2417324b978570d42374de1861, stripped
root@myhost:/usr/lib/xulrunner-10.0# file xulrunner-stub
xulrunner-stub: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x20aeeadbaa9b25009877ae9e5703309907e59863, stripped
root@myhost:/usr/lib/xulrunner-10.0# file plugin-container
plugin-container: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x6d919de16419e388df0844e9718a84ad7cfed507, stripped
root@myhost:/usr/lib/xulrunner-10.0#

I believe these guys need to be:
1) converted with paxctl program, available from http://pax.grsecurity.net
2) have their pax flags modified (POST SCRIPTUM: only one exact same flag each one of them, as I finally figured out!)

Looking into them won't yet change them:

Code: Select all

root@myhost:/usr/lib/xulrunner-10.0# paxctl -v xulrunner-bin xulrunner-stub plugin-container
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file xulrunner-bin does not have a PT_PAX_FLAGS program header, try conversion
file xulrunner-stub does not have a PT_PAX_FLAGS program header, try conversion
file plugin-container does not have a PT_PAX_FLAGS program header, try conversion
root@myhost:/usr/lib/xulrunner-10.0#

But before changing them let's back them up somewhere.

Code: Select all

root@myhost:/usr/lib/xulrunner-10.0# cp -iav xulrunner-bin xulrunner-stub plugin-container  /somewhere/backup/
`xulrunner-bin' -> `/somewhere/backup/xulrunner-bin'
`xulrunner-stub' -> `/somewhere/backup/xulrunner-stub'
`plugin-container' -> `/somewhere/backup/plugin-container'
root@myhost:/usr/lib/xulrunner-10.0#

Code: Select all

root@myhost:/usr/lib/xulrunner-10.0# paxctl -c xulrunner-bin xulrunner-stub plugin-container 
file xulrunner-bin had a PT_GNU_STACK program header, converted
file xulrunner-stub had a PT_GNU_STACK program header, converted
file plugin-container had a PT_GNU_STACK program header, converted
root@myhost:/usr/lib/xulrunner-10.0#

Now we can see what paxctl can tell us about them, which is the way to find out why that program wouldn't (really) run for us.

Code: Select all

root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -v xulrunner-bin xulrunner-stub plugin-container 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [xulrunner-bin]
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -------x-e-- [xulrunner-stub]
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -------x-e-- [plugin-container]
   RANDEXEC is disabled
   EMUTRAMP is disabled
root@dmyhost:/usr/lib/xulrunner-10.0#

I am no expert, and can only give you first aid explanation, so you can find the best flags from among these:

Code: Select all

 root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -h
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

usage: paxctl <options> <files>

options:
   -p: disable PAGEEXEC      -P: enable PAGEEXEC
   -e: disable EMUTRAMP      -E: enable EMUTRAMP
   -m: disable MPROTECT      -M: enable MPROTECT
   -r: disable RANDMMAP      -R: enable RANDMMAP
   -x: disable RANDEXEC      -X: enable RANDEXEC
   -s: disable SEGMEXEC      -S: enable SEGMEXEC

   -v: view flags         -z: restore default flags
   -q: suppress error messages   -Q: report flags in short format
   -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
   -C: create PT_PAX_FLAGS (see manpage!)
root@dmyhost:/usr/lib/xulrunner-10.0#

to modify to get the iceweasel (really) working.

The help tells you all.
So, I'll try for myself, because it'll be the first time that iceweasel will be running on my grsecurity/pax enhanced Debian...
But I know I usually needed to (don't know it that's finally improved there) to do some of either -p or -m or -r or -s even something other applied to some or even all of the three binaries above in plain Tor browser ( from http://www.torproject.org , but know that there are http://tails.boum.org and http://dee.su there too) which there are called their Mozilla names: firefox, firefox-bin and plugin-container... POST SCRIPTUM: probably only needed only -r there too!
Soo... Since, I'm a little tired, this has really taken me long and steep learning curve to get my Debian in right shape, I'll just try and quickly draw to an end here with...

POST SCRIPTUM: Not needed! Feel free to skip to the exact words: "HERE. This only is needed!"

Code: Select all

root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -p xulrunner-bin xulrunner-stub plugin-container 
root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -v xulrunner-bin xulrunner-stub plugin-container 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-----x-e-- [xulrunner-bin]
   PAGEEXEC is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -p-----x-e-- [xulrunner-stub]
   PAGEEXEC is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -p-----x-e-- [plugin-container]
   PAGEEXEC is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
root@dmyhost:/usr/lib/xulrunner-10.0#


and fire up iceweasel from eithe menu or command line as above. No work. Kill it as above.

Code: Select all

 root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -m xulrunner-bin xulrunner-stub plugin-container 
root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -v xulrunner-bin xulrunner-stub plugin-container 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p---m-x-e-- [xulrunner-bin]
   PAGEEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -p---m-x-e-- [xulrunner-stub]
   PAGEEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -p---m-x-e-- [plugin-container]
   PAGEEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
root@dmyhost:/usr/lib/xulrunner-10.0#

And iterate the attempts, till I get it working.

Code: Select all

root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -m xulrunner-bin xulrunner-stub plugin-container 
root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -v xulrunner-bin xulrunner-stub plugin-container 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p---m-x-e-- [xulrunner-bin]
   PAGEEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -p---m-x-e-- [xulrunner-stub]
   PAGEEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -p---m-x-e-- [plugin-container]
   PAGEEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -h
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

usage: paxctl <options> <files>

options:
   -p: disable PAGEEXEC      -P: enable PAGEEXEC
   -e: disable EMUTRAMP      -E: enable EMUTRAMP
   -m: disable MPROTECT      -M: enable MPROTECT
   -r: disable RANDMMAP      -R: enable RANDMMAP
   -x: disable RANDEXEC      -X: enable RANDEXEC
   -s: disable SEGMEXEC      -S: enable SEGMEXEC

   -v: view flags         -z: restore default flags
   -q: suppress error messages   -Q: report flags in short format
   -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
   -C: create PT_PAX_FLAGS (see manpage!)
root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -s xulrunner-bin xulrunner-stub plugin-container 
root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -v xulrunner-bin xulrunner-stub plugin-container 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-- [xulrunner-bin]
   PAGEEXEC is disabled
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -p-s-m-x-e-- [xulrunner-stub]
   PAGEEXEC is disabled
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -p-s-m-x-e-- [plugin-container]
   PAGEEXEC is disabled
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -r xulrunner-bin xulrunner-stub plugin-container 
root@dmyhost:/usr/lib/xulrunner-10.0#
root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -v xulrunner-bin xulrunner-stub plugin-container 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [xulrunner-bin]
   PAGEEXEC is disabled
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
- PaX flags: -p-s-m-x-e-r [xulrunner-stub]
   PAGEEXEC is disabled
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
- PaX flags: -p-s-m-x-e-r [plugin-container]
   PAGEEXEC is disabled
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
root@dmyhost:/usr/lib/xulrunner-10.0# 

Now this surely defeats the purpose, because Pax is now completely disabled on Iceweasel!
I can't leave it like that. I must get a little more protection than nada, nill, none, zero, from Pax on Iceweasel!

HERE. This only is needed!

It's good to have backup.

Code: Select all

 root@dmyhost:/usr/lib/xulrunner-10.0# cp -iav   /somewhere/backup/xulrunner-* /somewhere/backup/plugin-container .
cp: overwrite `./xulrunner-bin'? y
`/somewhere/backup/xulrunner-bin' -> `./xulrunner-bin'
cp: overwrite `./xulrunner-stub'? y
`/somewhere/backup/xulrunner-stub' -> `./xulrunner-stub'
cp: overwrite `./plugin-container'? y
`/somewhere/backup/plugin-container' -> `./plugin-container'
root@dmyhost:/usr/lib/xulrunner-10.0#


Right!

Code: Select all

root@dmyhost:/usr/lib/xulrunner-10.0# paxctl -r xulrunner-bin xulrunner-stub plugin-container 
root@myhost:/usr/lib/xulrunner-10.0# paxctl -v xulrunner-bin xulrunner-stub plugin-container 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-r [xulrunner-bin]
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
- PaX flags: -------x-e-r [xulrunner-stub]
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
- PaX flags: -------x-e-r [plugin-container]
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
root@myhost:/usr/lib/xulrunner-10.0#

And upon fireing Iceweasel from the menu, it works fine now!
Again, for clarity (I'm writing for newbies here) upon converting those files, only:

Code: Select all

paxctl -r xulrunner-bin xulrunner-stub plugin-container

is needed to modify.
And it's great to have backup, isn't it?

[timbgo]

I don't want to push no agenda of mine, but I believe that my own rights as human being, and just a mention of them, won't be frowned upon by honest users of grsecurity/pax and I also hope that it won't be such burden to the developers of grsecurity/pax who provide such fine service which is a little light left in linuxing in this orwellian world we find ourself ever deeper quagmired in.
I lost another of my email account.
Here's the quote that I just read upon trying to sign into my recent hushmail account (the one that I psydonimed in here, and on Debian forums, pls. see links above and see that only here I revealed my real name... Else, I browse with Tails and use macchanger...):

We're sorry...

The computer you are using has been blocked from our website, possibly due to abuse or spam. Computers are blocked using an automatic process that will sometimes make mistakes, resulting in people who were not abusing the system being unable to access our website. If you believe that you are seeing this message in error, please contact us at https://www.hushmail.com/contact/abuse/ and we will unblock your computer as soon as possible

Please try again..

Literal quote, and taken over here only that time after I read it as much as signing in and typing these lines takes my.

And it is my final effort that I will now try to make:

9650ffd30f4886eb81118e1aad04500b I_will_do_this.txt

[timbgo]

This existed:
9650ffd30f4886eb81118e1aad04500b I_will_do_this.txt
But I lost it.
I tried and couldn't get a mail account anywhere now.
Luckily, I can see that there is freedom in Debian, because I can log into there.
Only I must not forget my passwords neither here nor there.
And what I said in that file was, sure I can only paraphrase myself now:

I will now try and introduce a Wiki topic on Grsecurity/Pax in Debian Wiki...

Forgive my messed up writing, had a minor breakdown just a while ago...

I can't promise, but I will invest a few hours or more to explain to newbies what Grsecuriy is, and how to install it...

To that effect was the text in the file I_will_do_this.txt, only much finer worded.
And I went and prepared, for hours, a tutorial, but being on Tails, because, if they hunt me like this, and for mere hate (Gosh, I love my country Croatia, and there is in the Constitution that all citizens are guarrantied privacy and secrecy in their communication!)...

But I was saying... being on Tails, because if they hunt me like this, does anyone think that they wouldn't make a pie of my system in anything longer than 10 to 15 minutes on-line...
I first have to learn... And stuff like Tripwire and Wireshark and things, apart from the top of my likes Grsecurity...
And only than can I try longer times on-line.

But I was also saying (a nested saying programmers will understand).. And I went and prepared, for hours, a tutorial, and I liked it, but I lost it, because it got me, their hunt on me! And I really lost my nerves!

And forgot to copy over from my RAM, and rebooted the comp running Tails...
Because neither persistency in Tails work really, but only DVD booting.. No USB. The kernel is too hollow for anyhing....

Hey Linus Thorvalds, what have you done with you NIH policy? You're not my hero anymore!

But, as I said, I am only without a mail accout at this time, I seem to be free.
There seem to be still fine people also at Debian, just they should really allow for Grsecurity full and free use in Debian for newbies as well! Please!

Thank you Spender and the Hungarian Pax people (judging by your mail adress that has .hu at the end, are you friend of Arpi who made mplayer, the program that I also like very much?), for allowing me to post here!

[timbgo]

I have written:
Grsecurity patched vanilla kernel (the missing part)
which can be found at:
http://forums.debian.net/viewtopic.php?f=16&t=103425
and this will now wrap up my thread on forums.grsecurity.net as well as http://forums.debian.net because I'm now terribly overdue in other fields of my life.
I greet everyone with lots of wishes for peace and esp. for all our developers, lots of good programming!