automatically adding -grsec to kernel version is evil :(

Post by Zhenech » Mon Aug 14, 2006 3:16 am

hey guys,

just updated my box from an old 2.6.11 to 2.6.17.8, both with grsec and found a very strange behavior.
I'm using Debian Sarge. Got latest kernel from kernel.org, applied your nice patch and did as usual 'fakeroot make-kpkg --append-to-version -grsec-mykernel kernel-image modules-image' (modules-image is for the out-of-tree loop-aes modules).
That produced me two nice debs, which I installed and rebooted. Works fine so far, but now comes the big but:
$ uname -r
2.6.17.8-grsec-mykernel-grsec

-grsec is double :(
That would not hurt if I didn't use oot modules. Guess where they are installed - yeah: /lib/modules/2.6.17.8-grsec-mykernel. Whereas the kernel looks for modules in /lib/modules/`uname -r`, so /lib/modules/2.6.17.8-grsec-mykernel-grsec

The old kernel/grsec did not do that, both - the normal and the oot modules were in /lib/modules/2.6.11.12-grsec-mykernel

How could I handle this best with kernel-package?

Regards
Zhenech
Zhenech
 
Posts: 10
Joined: Wed Jun 15, 2005 5:44 am

Post by PaX Team » Mon Aug 14, 2006 5:18 am

Zhenech wrote: How could I handle this best with kernel-package?
maybe by using --append-to-version -mykernel instead?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Post by Zhenech » Mon Aug 14, 2006 10:00 am

PaX Team wrote: maybe by using --append-to-version -mykernel instead?

nope.
this throws the modules to /lib/modules/2.6.17.8-mykernel-grsec/ and the oot modules to /lib/modules/2.6.17.8-mykernel/ - same shit, different dirs ;-)
Zhenech
 
Posts: 10
Joined: Wed Jun 15, 2005 5:44 am

Post by spender » Mon Aug 14, 2006 1:34 pm

I think debian just removes the -grsec change from the Makefile.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by tosh » Tue Sep 12, 2006 1:56 pm

This is a workaround but may work for you.

After patching kernel run:
$ echo "" > localversion-grsec

now append to mykernel the -grsec suffix so mykernel now will be mykernel-grsec.
tosh
 
Posts: 19
Joined: Mon Apr 10, 2006 9:13 pm

Post by aldee » Sun Oct 08, 2006 2:47 pm

Facing the same problem. I'm running Debian sarge and

# uname -r
2.6.17.11-grsec

(finally decided to migrate to 2.6 :-).

I simply built the kernel with `make-kpkg kernel_image`. No --append-to-version or any additional parameters. My /etc/kernel-pkg.conf is pretty much default (except that I set 'debian := r1'):

Despite the uname output the kernel is looking for its modules in /lib/modules/2.6.17.11 instead of /lib/modules/2.6.17.11-grsec where they get installed. Consequently, the kernel binary / config files are named *2.6.17.11 without the -grsec suffix as well.

I did symlink /lib/modules/2.6.17.11-grsec to /lib/modules/2.6.17.11 to work around the problem. Will try the localversion-grsec workaround on the next recompile.

With 2.4 everything worked as it should (also using make-kpkg).
aldee
 
Posts: 25
Joined: Tue Aug 15, 2006 11:41 am

Post by aldee » Fri Oct 27, 2006 12:42 pm

Just an update: Purging localversion-grsec does not have any effect. Compiling with --append-to-version -grsec afterwards ends up with a kernel that reports as
# uname -r
2.6.17.11-grsec-grsec
as well.
aldee
 
Posts: 25
Joined: Tue Aug 15, 2006 11:41 am

Post by Zhenech » Tue Oct 31, 2006 8:49 am

cannot confirm that, for me it worked (kernel-package from etch):
patch ...
make menuconfig
echo "" > localversion-grsec
make-kpkg --append-to-version -atuin-grsec ...

reboot:
atuin:~# uname -r
2.6.18.1-atuin-grsec
atuin:~# ls /lib/modules/
2.6.17-2-amd64 2.6.18.1-atuin-grsec

so seems to work as it should
Zhenech
 
Posts: 10
Joined: Wed Jun 15, 2005 5:44 am
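
Added example (not part of any post in this thread, and not grsecurity or kernel-package code): a shell check for the split reported above, where the kernel's own modules and the out-of-tree modules end up in directories whose names differ only by a "-grsec" component. The function name find_stray_module_dirs and the rule "names are equal once every -grsec is removed" are assumptions of this example.

```shell
#!/bin/sh
# find_stray_module_dirs RELEASE [MODROOT]
#
# RELEASE is the string the kernel reports (uname -r); MODROOT defaults to
# /lib/modules. Prints:
#   missing: <dir>   if MODROOT/RELEASE does not exist
#   stray: <dir>     for each sibling directory that matches RELEASE once
#                    every "-grsec" component is removed from both names
# Returns 0 only when the release directory exists and no stray was found.
find_stray_module_dirs() {
    release=$1
    modroot=${2:-/lib/modules}
    status=0

    if [ ! -d "$modroot/$release" ]; then
        echo "missing: $modroot/$release"
        status=1
    fi

    # Assumption: the only difference between the two trees is "-grsec".
    want=$(printf '%s\n' "$release" | sed 's/-grsec//g')

    for dir in "$modroot"/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        name=$(basename "$dir")
        [ "$name" = "$release" ] && continue # the directory the kernel uses
        have=$(printf '%s\n' "$name" | sed 's/-grsec//g')
        if [ "$have" = "$want" ]; then
            echo "stray: $modroot/$name"
            status=1
        fi
    done
    return $status
}
```

Run it as find_stray_module_dirs "$(uname -r)" after installing the kernel and modules packages; a "stray" line names a tree the running kernel will not search.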