Linux 2.6.13 is out

Discuss and suggest new grsecurity features

Postby bani » Mon Sep 19, 2005 7:36 pm

2.6.13.1 is broke for me :evil:
bani
 
Posts: 15
Joined: Sun Aug 28, 2005 10:56 pm

Postby nkukard » Thu Sep 22, 2005 3:05 pm

2.6.13.1 & 2 worked for me

You can try something like BootUtils, this can drop you to shell before it mounts your root device... maybe you can use it to debug your problem?

Very complex package to use to debug with.

It doesn't need ld-linux.so though, so you might be able to do some further investigations?

Just an idea.
nkukard
 
Posts: 5
Joined: Thu Sep 15, 2005 4:34 am

Postby nkukard » Thu Sep 22, 2005 3:06 pm

nkukard
 
Posts: 5
Joined: Thu Sep 15, 2005 4:34 am

Postby bani » Thu Sep 22, 2005 3:25 pm

try this PAX config and see if you get the same bug with 2.6.13.* as I do.

btw this config works perfect on 2.6.11.10 + grsec+pax. it kernel panics on 2.6.13.*

Code:
#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SECLVL=m
# CONFIG_SECURITY_SELINUX is not set
bani
 
Posts: 15
Joined: Sun Aug 28, 2005 10:56 pm

Postby Wildfire » Fri Sep 23, 2005 3:29 pm

@bani: This is probably not a PAX problem... does your 2.6.13 kernel work without grsecurity? My guess is, it doesn't... look in your other post for a more lengthy answer.
Wildfire
 
Posts: 2
Joined: Fri Sep 23, 2005 3:18 pm

Postby bani » Fri Sep 23, 2005 5:33 pm

Wildfire wrote: @bani: This is probably not a PAX problem... does your 2.6.13 kernel work without grsecurity? My guess is, it doesn't... look in your other post for a more lengthy answer.


yes, stock 2.6.13.* works perfectly for me. only with grsecurity/pax does it break.

and i'm not using devfs.
bani
 
Posts: 15
Joined: Sun Aug 28, 2005 10:56 pm

Postby Carceru » Wed Oct 05, 2005 5:04 am

And 2.6.13.3 is out, although I guess the changes don't really affect grsecurity.

Is the final version for 2.6.13 coming soon, or are there still some bugs that need to be solved first?
Carceru
 
Posts: 12
Joined: Tue Jun 21, 2005 8:24 am

Postby forsaken » Wed Oct 12, 2005 2:57 am

Hi,

the pre-patch for 2.6.13.4 has the problem with "Reversed (or previously applied) patch detected! Assume -R? [n]" as the first 2.6.13.2 had. Just thought I'd let you know.

/Andreas
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Postby didl » Wed Oct 12, 2005 6:45 am

The patch is reversed, but you can apply it via patch -p1 -R.
Furthermore, I had to make the following change to compile
the kernel

Code:
--- fs/proc/task_mmu.c  2005-10-12 10:49:43.000000000 +0000
+++ /usr/src/linux/fs/proc/task_mmu.c   2005-10-12 03:36:33.000000000 +0000
@@ -99,7 +99,7 @@
 }
 
 #ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-#define PAX_RAND_FLAGS(mm) (mm != NULL && mm != current->mm && \
+#define PAX_RAND_FLAGS(mm) (mm != NULL && \
                            (mm->pax_flags & MF_PAX_RANDMMAP || \
                             mm->pax_flags & MF_PAX_SEGMEXEC))
 #endif
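Review bot: The removed line's `mm != current->mm` clause is broken by the macro's own parameter name, not by the comparison itself, so deleting it fixes the build at the cost of changing the condition. Because the parameter is called `mm`, the preprocessor also substitutes it inside `current->mm`, so any call whose argument is not literally `mm` expands to a member access that does not exist on `current`. With the clause gone, PAX_RAND_FLAGS is now also true when the mm passed in is the calling task's own. If that exclusion was intended, rename the parameter and keep the test, for example `#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \`, and parenthesize the argument where it is used in the body.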
Last edited by didl on Wed Oct 12, 2005 2:48 pm, edited 1 time in total.
didl
 
Posts: 4
Joined: Wed Oct 12, 2005 6:38 am

Postby systray` » Wed Oct 12, 2005 2:35 pm

My compile fails at this time:

Code:
  CC      fs/proc/task_mmu.o
fs/proc/task_mmu.c: in function »show_map«:
fs/proc/task_mmu.c:126: error: structure has no member named `map'
fs/proc/task_mmu.c:127: error: structure has no member named `map'
fs/proc/task_mmu.c:138: error: structure has no member named `map'
make[2]: *** [fs/proc/task_mmu.o] error 1
make[1]: *** [fs/proc] error 2
make: *** [fs] error 2


Best regards.
systray`
 
Posts: 17
Joined: Wed Oct 12, 2005 2:33 pm

Postby didl » Wed Oct 12, 2005 2:45 pm

My previous post has a patch that fixes this for now :lol:
didl
 
Posts: 4
Joined: Wed Oct 12, 2005 6:38 am

Postby systray` » Wed Oct 12, 2005 2:51 pm

Oh, thanks..

I had not seen the difference; in other words: the patch failed, then I edited it manually, and now my box compiles. :)

Best regards.
systray`
 
Posts: 17
Joined: Wed Oct 12, 2005 2:33 pm
