[DEBIAN] problem patching kernel 2.4.27-10

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby texilee » Wed Jun 15, 2005 5:30 am

hi all.. I get this error when I try to patch kernel src
<<<<<<<<<<
START applying grsecurity2 patch (Greater Security for Linux 2.4 and 2.6)
Testing whether "Greater Security for Linux 2.4 and 2.6" patch for 2.4.27 applies (dry run):
3 out of 12 hunks FAILED -- saving rejects to file fs/binfmt_elf.c.rej
1 out of 17 hunks FAILED -- saving rejects to file fs/exec.c.rej
1 out of 7 hunks FAILED -- saving rejects to file include/linux/mm.h.rej
"Greater Security for Linux 2.4 and 2.6" patch for 2.4.27 does not apply cleanly
>>>>>>>>>>


I cannot find .rej files.. so I cannot understand what is the problem. any idea??
thx
texilee
 
Posts: 6
Joined: Wed Jun 15, 2005 3:26 am

Postby Zhenech » Wed Jun 15, 2005 5:46 am

Where do you have the patch from?
Using the original grsec patch with Debian kernels isn't a good idea since Debian has a lot of patches in their kernels.

I have a Debian server with a grsec enabled kernel running, but I'm using a vanilla kernel plus the latest grsec patch from this page ;-) (I've updated to 2.4.31-grsec today)

Zhe
Zhenech
 
Posts: 10
Joined: Wed Jun 15, 2005 5:44 am

Postby texilee » Wed Jun 15, 2005 8:08 am

the patch is from debian...

kernel-patch-grsecurity2


but now I read


<<<<<<<<<<<
Furthermore, 2.4.2x versions of this patch will not apply to Debian kernels
2.4.20 and above. You will have to use vanilla kernel sources to apply this
patch. Reasons are documented in README.2.4.2x contained within the
package.
>>>>>>>>>>


sure, now I must use a vanilla kernel... but I cannot find any README.2.4.x .

In production, is it secure enough to use vanilla 2.4.31 + the grsec patch?
texilee
 
Posts: 6
Joined: Wed Jun 15, 2005 3:26 am

Postby Zhenech » Wed Jun 15, 2005 4:26 pm

afaik yes

my servers run without problems
some kiddies tried to ddos me - no chance =)

try it out, I don't think you'll find any differences

greets, zhe
Zhenech
 
Posts: 10
Joined: Wed Jun 15, 2005 5:44 am

Postby texilee » Thu Jun 16, 2005 5:15 am

ok.. I got kernel 2.4.31 from kernel.org and the latest grsecurity patch.

I have built 2 kernels.. one has security level LOW and the other one has HIGH level

Finally, paxtest gives me some info about grsec: with "low level" my system is easily vulnerable. With high level, paxtest returns




Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 23 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed






[OT] Is there a way to export a .deb kernel with the grsec patch?

thx for previous reply :)
texilee
 
Posts: 6
Joined: Wed Jun 15, 2005 3:26 am
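
Added example (not part of the thread or of paxtest itself): a small Python parser for the paxtest report format shown in the post above, listing the tests that were not blocked and the weakest randomisation result. The function names are illustrative, and the sample input is an excerpt of the lines quoted in that post.

```python
import re

# Excerpt of the paxtest report quoted in the post above.
SAMPLE = """\
Executable stack                         : Killed
Executable shared library data (mprotect): Killed
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Writable text segments                   : Killed
"""

# "<test name, space padded> : <result>"
LINE = re.compile(r"^(?P<test>.+?)\s*:\s*(?P<result>.+?)\s*$")
BITS = re.compile(r"^(\d+) bits")
EXPOSED_RESULTS = {"Vulnerable", "No randomisation"}


def parse_paxtest(text):
    """Return a list of (test name, status, entropy bits or None)."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and anything without a "name : result" shape
        name, result = m.group("test"), m.group("result")
        bits = BITS.match(result)
        if bits:
            rows.append((name, "randomised", int(bits.group(1))))
        elif result == "Killed":
            rows.append((name, "blocked", None))
        elif result in EXPOSED_RESULTS:
            rows.append((name, "exposed", None))
        # lines with any other result are ignored rather than guessed at
    return rows


def exposed(rows):
    """Names of tests the kernel did not stop or randomise."""
    return [name for name, status, _ in rows if status == "exposed"]


def weakest_randomisation(rows):
    """(bits, test name) for the lowest reported entropy, or None."""
    rand = [(bits, name) for name, status, bits in rows if status == "randomised"]
    return min(rand) if rand else None


if __name__ == "__main__":
    report = parse_paxtest(SAMPLE)
    print("Not blocked:", exposed(report))
    print("Weakest randomisation:", weakest_randomisation(report))
```
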

Postby texilee » Thu Jun 16, 2005 7:52 am

ok solved :) the previous problem with make-kpkg ...

now.. the default flags config for each binary is (PeMRxS) ... why isn't it (PEMRXS) ?

is there a way to have all flags active?
texilee
 
Posts: 6
Joined: Wed Jun 15, 2005 3:26 am

