grsecurity forums

[b0red]

Hi All,
I'm trying to install the grsec kernel patch, I've read the quickstart guide but i'm having issues.

I'm running kernel 2.6.15-26-386,
b0red@mercury:/usr/src$ uname -r
2.6.15-26-386

I downloaded the correct kernel source
b0red@mercury:/usr/src$ ls
grsecurity-2.1.9-2.6.17.11-200609031316.patch linux-headers-2.6.15-26-386 linux-source-2.6.15 linux-source-2.6.15.tar.bz2

but when i patch using the patch underneath i get
b0red@mercury:/usr/src# patch -p0 < ./grsecurity-2.1.9-2.6.17.11-200609031316.patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -urNp linux-2.6.17.11/arch/alpha/kernel/module.c linux-2.6.17.11/arch/alpha/kernel/module.c
|--- linux-2.6.17.11/arch/alpha/kernel/module.c 2006-08-07 00:18:54.000000000 -0400
|+++ linux-2.6.17.11/arch/alpha/kernel/module.c 2006-09-01 16:20:28.000000000 -0400
--------------------------
File to patch:

I think I am using the correct patch for the kernel version I'm running
pointers please

[Thrawn]

You need linux-2.6.17.11.

[b0red]

o far....
Downloaded kernel 2.6.17 unpacked it
Applied patch applied perfectly

>>>copying in generic-config to usr/src and /usr/src/linux-2.6.17.11

root@Mercury:/usr/src# cp /home/b0red/grsec/generic-config .

root@Mercury:/usr/src# cp /home/b0red/grsec/generic-config /usr/src/linux-2.6.17.11

>>>renaming linux-2.6.17.11 linux-2.6.17.11-grsec

root@Mercury:/usr/src# mv linux-2.6.17.11 linux-2.6.17.11-grsec

>>>creating a symlink called linux with linux-2.6.17.11-grsec

root@Mercury:/usr/src# ln -s linux-2.6.17.11-grsec/ linux

>>>switch to linux symlink

root@Mercury:/usr/src# cd linux

>>>copying in my boot config

root@Mercury:/usr/src/linux# cp /boot/config-2.6.15-26-386 .config


>>>Make xconfig and dies <<<

root@Mercury:/usr/src/linux# make xconfig
HOSTCC scripts/basic/fixdep
HOSTCC scripts/basic/split-include
HOSTCC scripts/basic/docproc
CHECK qt
HOSTCC scripts/kconfig/conf.o
sed < scripts/kconfig/lkc_proto.h > scripts/kconfig/lkc_defs.h 's/P(\([^,]*\),.*/#define \1 (\*\1_p)/'
HOSTCC scripts/kconfig/kconfig_load.o
HOSTCC scripts/kconfig/kxgettext.o
HOSTCC scripts/kconfig/mconf.o
SHIPPED scripts/kconfig/zconf.tab.c
SHIPPED scripts/kconfig/lex.zconf.c
SHIPPED scripts/kconfig/zconf.hash.c
HOSTCC scripts/kconfig/zconf.tab.o
/usr/bin/moc -i scripts/kconfig/qconf.h -o scripts/kconfig/qconf.moc
HOSTCXX scripts/kconfig/qconf.o
HOSTLD scripts/kconfig/qconf
scripts/kconfig/qconf arch/i386/Kconfig
qconf: cannot connect to X server
make[1]: *** [xconfig] Error 1
make: *** [xconfig] Error 2

[fixinko]

try make menuconfig

[b0red]

Even worse

root@Mercury:/usr/src# cd linux-2.6.17.11-grsec/
root@Mercury:/usr/src/linux-2.6.17.11-grsec# make menuconfig
HOSTCC scripts/kconfig/lxdialog/checklist.o
In file included from scripts/kconfig/lxdialog/checklist.c:24:
scripts/kconfig/lxdialog/dialog.h:31:20: error: curses.h: No such file or directory
In file included from scripts/kconfig/lxdialog/checklist.c:24:
scripts/kconfig/lxdialog/dialog.h:128: error: syntax error before 'use_colors'
scripts/kconfig/lxdialog/dialog.h:128: warning: type defaults to 'int' in declaration of 'use_colors'
scripts/kconfig/lxdialog/dialog.h:128: warning: data definition has no type or storage class
scripts/kconfig/lxdialog/dialog.h:129: error: syntax error before 'use_shadow'
scripts/kconfig/lxdialog/dialog.h:129: warning: type defaults to 'int' in declaration of 'use_shadow'
scripts/kconfig/lxdialog/dialog.h:129: warning: data definition has no type or storage class
scripts/kconfig/lxdialog/dialog.h:131: error: syntax error before 'attributes'
scripts/kconfig/lxdialog/dialog.h:131: warning: type defaults to 'int' in declaration of 'attributes'
scripts/kconfig/lxdialog/dialog.h:131: warning: data definition has no type or storage class
scripts/kconfig/lxdialog/dialog.h:143: error: syntax error before '*' token
scripts/kconfig/lxdialog/dialog.h:143: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/dialog.h:146: error: syntax error before '*' token
scripts/kconfig/lxdialog/dialog.h:146: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/dialog.h:147: error: syntax error before '*' token
scripts/kconfig/lxdialog/dialog.h:147: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/dialog.h:148: error: syntax error before '*' token
scripts/kconfig/lxdialog/dialog.h:148: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/dialog.h:149: error: syntax error before '*' token
scripts/kconfig/lxdialog/dialog.h:150: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/dialog.h:151: error: syntax error before '*' token
scripts/kconfig/lxdialog/dialog.h:151: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/checklist.c:31: error: syntax error before '*' token
scripts/kconfig/lxdialog/checklist.c:33: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/checklist.c: In function 'print_item':
scripts/kconfig/lxdialog/checklist.c:37: warning: implicit declaration of function 'wattrset'
scripts/kconfig/lxdialog/checklist.c:37: error: 'win' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:37: error: (Each undeclared identifier is reported only once
scripts/kconfig/lxdialog/checklist.c:37: error: for each function it appears in.)
scripts/kconfig/lxdialog/checklist.c:38: warning: implicit declaration of function 'wmove'
scripts/kconfig/lxdialog/checklist.c:38: error: 'choice' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:40: warning: implicit declaration of function 'waddch'
scripts/kconfig/lxdialog/checklist.c:43: error: 'selected' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:44: warning: implicit declaration of function 'wprintw'
scripts/kconfig/lxdialog/checklist.c:44: error: 'status' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:47: warning: implicit declaration of function 'mvwaddch'
scripts/kconfig/lxdialog/checklist.c:47: error: 'item' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:49: warning: implicit declaration of function 'waddstr'
scripts/kconfig/lxdialog/checklist.c:52: warning: implicit declaration of function 'wrefresh'
scripts/kconfig/lxdialog/checklist.c: At top level:
scripts/kconfig/lxdialog/checklist.c:59: error: syntax error before '*' token
scripts/kconfig/lxdialog/checklist.c:61: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/checklist.c: In function 'print_arrows':
scripts/kconfig/lxdialog/checklist.c:62: error: 'win' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:62: error: 'y' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:62: error: 'x' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:64: error: 'scroll' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:76: error: 'height' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:79: error: 'item_no' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:79: error: 'choice' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c: At top level:
scripts/kconfig/lxdialog/checklist.c:95: error: syntax error before '*' token
scripts/kconfig/lxdialog/checklist.c:96: warning: function declaration isn't a prototype
scripts/kconfig/lxdialog/checklist.c: In function 'print_buttons':
scripts/kconfig/lxdialog/checklist.c:97: error: 'width' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:98: error: 'height' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:100: error: 'dialog' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:100: error: 'selected' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c: In function 'dialog_checklist':
scripts/kconfig/lxdialog/checklist.c:117: error: 'WINDOW' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:117: error: 'dialog' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:117: error: 'list' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:117: warning: left-hand operand of comma expression has no effect
scripts/kconfig/lxdialog/checklist.c:117: warning: statement with no effect
scripts/kconfig/lxdialog/checklist.c:121: warning: implicit declaration of function 'endwin'
scripts/kconfig/lxdialog/checklist.c:122: warning: implicit declaration of function 'fprintf'
scripts/kconfig/lxdialog/checklist.c:122: warning: incompatible implicit declaration of built-in function 'fprintf'
scripts/kconfig/lxdialog/checklist.c:122: error: 'stderr' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:140: error: 'COLS' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:141: error: 'LINES' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:143: error: 'stdscr' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:145: warning: implicit declaration of function 'newwin'
scripts/kconfig/lxdialog/checklist.c:146: warning: implicit declaration of function 'keypad'
scripts/kconfig/lxdialog/checklist.c:146: error: 'TRUE' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:166: warning: implicit declaration of function 'subwin'
scripts/kconfig/lxdialog/checklist.c:199: warning: implicit declaration of function 'wnoutrefresh'
scripts/kconfig/lxdialog/checklist.c:201: warning: implicit declaration of function 'doupdate'
scripts/kconfig/lxdialog/checklist.c:204: warning: implicit declaration of function 'wgetch'
scripts/kconfig/lxdialog/checklist.c:211: error: 'KEY_UP' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:211: error: 'KEY_DOWN' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:221: error: 'FALSE' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:222: warning: implicit declaration of function 'scrollok'
scripts/kconfig/lxdialog/checklist.c:223: warning: implicit declaration of function 'wscrl'
scripts/kconfig/lxdialog/checklist.c:282: warning: incompatible implicit declaration of built-in function 'fprintf'
scripts/kconfig/lxdialog/checklist.c:283: warning: implicit declaration of function 'delwin'
scripts/kconfig/lxdialog/checklist.c:287: error: 'KEY_LEFT' undeclared (first use in this function)
scripts/kconfig/lxdialog/checklist.c:288: error: 'KEY_RIGHT' undeclared (first use in this function)
make[2]: *** [scripts/kconfig/lxdialog/checklist.o] Error 1
make[1]: *** [menuconfig] Error 2
make: *** [menuconfig] Error 2

[ralphy]

missing ncurses
apt-get install ncurses-dev

or alteratively just 'make oldconfig'

[b0red]

thanks ralphy that did it . make xconfig still does'nt work...but make menuconfig now does.

So for everyone else out there you need to apt-get the following before patching and compiling.

build-essential
bin86
kernel-package
libqt3-headers
libqt3-mt-dev
ncurses-dev

[Kp]

I'm pretty sure you don't need Qt just to configure the kernel with menuconfig. Your xconfig problem was probably environmental and/or authorization related. Check that $DISPLAY points to your X server and that $XAUTHORITY points to your .Xauthority (usually in ~).

It's ok to have $XAUTHORITY unset if you use the default location for your .Xauthority file and run the configurator under the same account as the user who logged in to the X server. Since you are running the configurator as root, you would need to be logged in as root on the X server for the Xauthority guessing to work. Logging in as root is an extremely bad idea. Instead, you should set $XAUTHORITY to point to your .Xauthority file.

[b0red]

Thanks kp i'll check that later today .

I'm not out of the woods yet though

I ran make-kpkg clean make-kpkg -initrd --revision=gr2 kernel_image
and got the following error

make-kpkg clean make-kpkg -initrd --revision=gr2 kernel_image
Error: Unknown target make-kpkg
use --targets to display help on valid targets.

I then tried
make dep bzImage modules modules_install install

and the kernel compiled..and i got this message at the end

GRUB is installed. To automatically switch to new kernels, point your
default entry in menu.lst to /boot/vmlinuz-2.6.17.11-grsec

I edited menu.lst to
title Ubuntu, kernel 2.6.17.11-grsec
root (hd0,1)
kernel /boot/vmlinuz-2.6.17.11-grsec root=/dev/hda2 ro quiet splash
initrd /boot/initrd.img-2.6.15-26-386
savedefault
boot

title Ubuntu, kernel 2.6.15-26-386
root (hd0,1)
kernel /boot/vmlinuz-2.6.15-26-386 root=/dev/hda2 ro quiet splash
initrd /boot/initrd.img-2.6.15-26-386
savedefault
boot

but on boot I get the error cannot find /dev/hda2 (where my O/S is) I think it's to do with the /boot/initrd.img-2.6.15-26-386 as the grsec kernel did not produce it's own initrd.img file i used the last existing one.

as a last point when i try to boot with the new kernel I get an error saying cannot find /lib/modules/vmlinuz-2.6.17.11-grsec.something.temp
alert cannot open /dev/hda2

it then drops to a shell when i do uname -aI get vmlinuz-2.6.17.11-grsec
so I think I'm getitng there.

Thanks for bearing with me on this guys.

[ralphy]

if you're sure its the missing initrd, try
man mkinitrd
to see how you'd make a initrd for the new kernel. if you're missing that try apt-get'ing
initrd-tools
from the repositories

[Kp]

I ran make-kpkg clean make-kpkg -initrd --revision=gr2 kernel_image
and got the following error

make-kpkg clean make-kpkg -initrd --revision=gr2 kernel_image
Error: Unknown target make-kpkg
use --targets to display help on valid targets.

I don't know where you got that command line from, but I suspect you lost some semi-colons. It was probably meant to be: make-kpkg clean ; make-kpkg -init --revision=gr2 kernel_image.

but on boot I get the error cannot find /dev/hda2 (where my O/S is) I think it's to do with the /boot/initrd.img-2.6.15-26-386 as the grsec kernel did not produce it's own initrd.img file i used the last existing one.

as a last point when i try to boot with the new kernel I get an error saying cannot find /lib/modules/vmlinuz-2.6.17.11-grsec.something.temp
alert cannot open /dev/hda2

Please post the exact text of the error message. New users commonly assume that getting it close is good enough. I would guess that you built some critical disk-related driver as a module, so the kernel cannot open your hard disk until the module is loaded. The module would normally be placed on the RAM disk to avoid the obvious chicken-and-egg problem.

For safety, modules are locked to a particular kernel version and compiler version. Thus, the modules in your 2.6.15 RAM disk are not acceptable to your 2.6.17.11-grsec kernel. It rejects them on the chance they might have a different ABI, which would make loading them a very bad idea. A kernel panic is likely in short order if you mismatch module ABIs. If you're lucky, the kernel panics before it corrupts your filesystem.

[b0red]

Cheers kp

Tried it again and it compiled with the extra ;
Here's the end output..
guess this is the problem and probably what i saw previously

WARNING: Couldn't open directory debian/tmp-image/lib/modules/2.6.17.11: No such file or directory
FATAL: Could not open debian/tmp-image/lib/modules/2.6.17.11/modules.dep.temp for writing: No such file or directory


INSTALL sound/usb/usx2y/snd-usb-usx2y.ko
if [ -r System.map -a -x /sbin/depmod ]; then /sbin/depmod -ae -F System.map -b /usr/src/linux/debian/tmp-image -r 2.6.17.11-grsec; fi
make[2]: Leaving directory `/usr/src/linux-2.6.17.11-grsec'
test ! -e debian/tmp-image/lib/modules/2.6.17.11/source || \
mv debian/tmp-image/lib/modules/2.6.17.11/source ./debian/source-link
test ! -e debian/tmp-image/lib/modules/2.6.17.11/build || \
mv debian/tmp-image/lib/modules/2.6.17.11/build ./debian/build-link
depmod -q -FSystem.map -b debian/tmp-image 2.6.17.11;
WARNING: Couldn't open directory debian/tmp-image/lib/modules/2.6.17.11: No such file or directory
FATAL: Could not open debian/tmp-image/lib/modules/2.6.17.11/modules.dep.temp for writing: No such file or directory
make[1]: [real_stamp_image] Error 1 (ignored)
test ! -e ./debian/source-link || \
mv ./debian/source-link debian/tmp-image/lib/modules/2.6.17.11/source
test ! -e ./debian/build-link || \
mv ./debian/build-link debian/tmp-image/lib/modules/2.6.17.11/build
cp arch/i386/boot/bzImage debian/tmp-image/boot/vmlinuz-2.6.17.11
chmod 644 debian/tmp-image/boot/vmlinuz-2.6.17.11;
if test -d /usr/src/linux/debian/image.d ; then \
IMAGE_TOP=debian/tmp-image version=2.6.17.11 \
run-parts --verbose /usr/src/linux/debian/image.d ; \
fi
if [ -x debian/post-install ]; then \
IMAGE_TOP=debian/tmp-image STEM=kernel version=2.6.17.11 \
debian/post-install; \
fi
test ! -s applied_patches || cp applied_patches \
debian/tmp-image/boot/patches-2.6.17.11
test ! -s applied_patches || chmod 644 \
debian/tmp-image/boot/patches-2.6.17.11
test ! -f System.map || cp System.map \
debian/tmp-image/boot/System.map-2.6.17.11;
test ! -f System.map || chmod 644 \
debian/tmp-image/boot/System.map-2.6.17.11;
# For LKCD enabled kernels
test ! -f Kerntypes || cp Kerntypes \
debian/tmp-image/boot/Kerntypes-2.6.17.11
test ! -f Kerntypes || chmod 644 \
debian/tmp-image/boot/Kerntypes-2.6.17.11
dpkg-gencontrol -DArchitecture=i386 -isp \
-pkernel-image-2.6.17.11 -Pdebian/tmp-image/
chmod -R og=rX debian/tmp-image
chown -R root:root debian/tmp-image
dpkg --build debian/tmp-image ..
dpkg-deb: building package `kernel-image-2.6.17.11' in `../kernel-image-2.6.17.11_gr2_i386.deb'.

also got this

root@Mercury:/usr/src# dpkg -i kernel-image-2.6.17.11_gr2_i386.deb
Selecting previously deselected package kernel-image-2.6.17.11.
(Reading database ... 96926 files and directories currently installed.)
Unpacking kernel-image-2.6.17.11 (from kernel-image-2.6.17.11_gr2_i386.deb) ...
Setting up kernel-image-2.6.17.11 (gr2) ...
Cannot find /lib/modules/2.6.17.11
Failed to create initrd image.
dpkg: error processing kernel-image-2.6.17.11 (--install):
subprocess post-installation script returned error exit status 2
Errors were encountered while processing:
kernel-image-2.6.17.11

[Kp]

What do you get if you run find /usr/src/linux/debian/tmp-image -type f -ls (cheap way to get a recursive listing that looks nicer than ls -R)? My guess is that the installation phase installed your kernel modules in /usr/src/linux/debian/tmp-image/lib/modules/2.6.17.11-grsec, but the Debian script is not expecting that -grsec suffix. I am not very confident in that since the other files appear not to have a -grsec suffix, but I don't see anything else wrong. If I'm right, you might be able to work around it by cd'ing to /usr/src/linux/debian/tmp-image/lib/modules and running ln -s 2.6.17.11-grsec 2.6.17.11, then re-running the command that produced the first error.

This may turn out to be a generic issue with installing any patched non-Debian kernel, in which case the Debian forums / mailing lists might offer clues to why their packager is choking on this.

[b0red]

Thank you for the time you are spending on this and your patience

root@Mercury:~# find /usr/src/linux/debian/tmp-image -type f -ls
find: /usr/src/linux/debian/tmp-image: No such file or directory

root@Mercury:/usr/src/linux/debian# ls
buildinfo changelog control files rules

[Kp]

The Debian build process must be cleaning up after itself and deleting that directory. Run the failed build command again and suspend it partway through (hit control-Z), then run the find command. That will hopefully get a listing of what is being put into the tmp-image directory.