grsecurity forums

[thatsstrange]

Hello!

Today I've compiled a 3.13.9 vanilla kernel with grsec patch set on my Debian Jessie and everything is working flawless except two very strange things I've never encountered with grsec

Code: Select all

# cat /boot/config-3.13.9-hardened-grsec | grep GRKERNSEC_PROC_GID
CONFIG_GRKERNSEC_PROC_GID=2001
# id thatsstrange
uid=1000(thatsstrange) gid=1000(thatsstrange) grupy=1000(thatsstrange),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),103(fuse),105(scanner),108(lpadmin),110(bluetooth),112(netdev),113(kvm),124(debian-tor),126(clamav),69(wheel),134(wireshark),2001(grsecex)

It's totally ignoring the fact that I'm in grsecex group, that should exclude me from /proc restrictions
[EDIT]
OK, I've probably messed something with CONFIG_GRKERNSEC_PROC_USER, I'll recompile it tomorrow and let you know


This problem remains:
And the second thing is that system do not load the contents of /etc/sysctl.conf, leaving no information in dmesg or syslog. Surprisingly it works if I do sysctl -p

Kind regards,
thatsstrange

[thatsstrange]

Hello again,

Yeah, it was my fault. I forgot to set CONFIG_GRKERNSEC_PROC_USER to "N".


And the sysctl problem seems to be Jessie-specific.

You can delete the topic if you like.


Kind regards,
thatsstrange

[spender]

How did you manage to compile such a kernel? GRKERNSEC_PROC_GID depends on GRKERNSEC_PROC_USERGROUP being enabled, but both GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP cannot be both enabled at the same time -- there will be an #error that triggers in include/linux/grsecurity.h.

-Brad