iptables 1.2.11 compile fails with grsecurity-2.0.3-2.6.10-2

Post by devillinux » Sun Jan 02, 2005 11:10 pm

Hey,

iptables 1.2.11 doesn't compile when grsecurity-2.0.3-2.6.10-200501011505.patch is applied to the kernel.

Heiko

cc -O2 -fno-stack-protector -Wall -Wunused -I/data/build/tmp/linux-2.6.10/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.11\" -fPIC -o extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
ld -shared -o extensions/libipt_ah.so extensions/libipt_ah_sh.o
cc -O2 -fno-stack-protector -Wall -Wunused -I/data/build/tmp/linux-2.6.10/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.11\" -fPIC -o extensions/libipt_connlimit_sh.o -c extensions/libipt_connlimit.c
In file included from /data/build/tmp/linux-2.6.10/include/asm/processor.h:18,
from /data/build/tmp/linux-2.6.10/include/asm/atomic.h:6,
from /data/build/tmp/linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h:11,
from extensions/libipt_connlimit.c:9:
/data/build/tmp/linux-2.6.10/include/asm/system.h: In function `__set_64bit_var':
/data/build/tmp/linux-2.6.10/include/asm/system.h:194: warning: dereferencing type-punned pointer will break strict-aliasing rules
/data/build/tmp/linux-2.6.10/include/asm/system.h:194: warning: dereferencing type-punned pointer will break strict-aliasing rules
In file included from /data/build/tmp/linux-2.6.10/include/asm/atomic.h:6,
from /data/build/tmp/linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h:11,
from extensions/libipt_connlimit.c:9:
/data/build/tmp/linux-2.6.10/include/asm/processor.h: In function `load_esp0':
/data/build/tmp/linux-2.6.10/include/asm/processor.h:481: warning: implicit declaration of function `unlikely'
/data/build/tmp/linux-2.6.10/include/asm/processor.h: In function `prefetch':
/data/build/tmp/linux-2.6.10/include/asm/processor.h:647: error: `__KERNEL_TEXT_OFFSET' undeclared (first use in this function)
/data/build/tmp/linux-2.6.10/include/asm/processor.h:647: error: (Each undeclared identifier is reported only once
/data/build/tmp/linux-2.6.10/include/asm/processor.h:647: error: for each function it appears in.)
/data/build/tmp/linux-2.6.10/include/asm/processor.h: In function `prefetchw':
/data/build/tmp/linux-2.6.10/include/asm/processor.h:661: error: `__KERNEL_TEXT_OFFSET' undeclared (first use in this function)
make: *** [extensions/libipt_connlimit_sh.o] Error 1
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

kernel config

Post by devillinux » Sun Jan 02, 2005 11:23 pm

Oh, I almost forgot, here are the relevant parts of the kernel config:

root:/data/build/tmp/linux-2.6.10# grep PAX .config
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_RANDEXEC=y
CONFIG_PAX_NOVSYSCALL=y

***********************************************************
root:/data/build/tmp/linux-2.6.10# grep GRKERN .config
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=10
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

Post by spender » Mon Jan 03, 2005 2:37 pm

This has been fixed in the latest patch. Thanks for reporting the problem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by devillinux » Mon Jan 03, 2005 2:51 pm

OK that was fast. :D

I started a new compile of the distribution, to see if there are any other problems.
If you don't hear from me tonight, then everything worked.

Heiko
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

Post by devillinux » Mon Jan 03, 2005 8:45 pm

So far so good.
All the base libraries and programs for DL compiled fine with the latest patch.
I'll start a full compile, but that will take until tomorrow morning.

Heiko
D:evil:-Linux
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

Post by devillinux » Tue Jan 04, 2005 11:47 am

The full compilation of the distribution ran through without any problems.
I still need to do some functional testing, but have no idea when I'll get to it.

But so far you have my blessing (except the mentioned SYSCTL_ON annoyance)

Heiko
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

Post by spender » Tue Jan 04, 2005 11:52 am

What SYSCTL_ON annoyance?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by devillinux » Tue Jan 04, 2005 11:54 am

My other post with the title CONFIG_GRKERNSEC_SYSCTL_ON

Heiko
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

