Can't compile any modules with grsec


Postby harrygittens » Sat Feb 17, 2007 5:03 pm

Using 2.6.19.2 and latest grsecurity. Compiled kernel with instructions in grsecurity docs.

However, compiling kernel modules for most things fails. I've tried compiling madwifi modules, VMware kernel modules and TrueCrypt. Everything I've tried so far has failed. They all work on the same kernel but without grsec.

My config is the generic config with grsecurity set to high, nothing else changed apart from PC Card support was enabled.

http://madwifi.org/ticket/1086

Somebody else is getting the exact same error I'm getting with madwifi, and they are concluding it is grsecurity's fault because it compiles fine on 2.6.19.2 without grsec but will NOT compile once grsecurity has been applied to 2.6.19.2.

What's happening?
harrygittens
 
Posts: 21
Joined: Fri Feb 16, 2007 2:20 pm

Postby tosh » Sat Feb 17, 2007 8:08 pm

Are you compiling the modules for 2.6.19.2 while running that kernel? If so please look into kernel log messages in /var/log and check if gcc hasn't been killed by PaX (probably text relocations).

I compile truecrypt on kernels with grsecurity with no problems, including 2.6.19.2.
tosh
 
Posts: 19
Joined: Mon Apr 10, 2006 9:13 pm

Postby harrygittens » Sun Feb 18, 2007 6:59 am

Hi

dmesg doesn't show any PaX messages for gcc or make I'm afraid, so I'm at a loss as to why I can't seem to compile anything on 2.6.19.2 with grsec, but it works fine without grsec.

Perhaps it is not PaX but one of the protections offered by grsec? Would you be so kind as to post your 2.6.19.2 config so I can see if that works?

I'm hoping the Madwifi guys will look into this a little further, but for me it isn't specific for madwifi either (as truecrypt and various other things won't compile with grsec either).

I hope I can get this resolved as I would really like to use grsecurity.

EDIT: okay, maybe not. The madwifi guys aren't concerned with it:

Right, moving this to a lower priority. I suggest you ask on the gr-security list.
harrygittens
 
Posts: 21
Joined: Fri Feb 16, 2007 2:20 pm

Re: Can't compile any modules with grsec

Postby Alexei.Sheplyakov » Sun Feb 18, 2007 11:49 am

harrygittens wrote: Using 2.6.19.2 and latest grsecurity. Compiled kernel
with instructions in grsecurity docs.

However, compiling kernel modules for most things fails. I've tried
compiling madwifi modules, VMware kernel modules and TrueCrypt.
Everything I've tried so far has failed. They all work on the same
kernel but without grsec.

My config is the generic config with grsecurity set to high, nothing
else changed apart from PC Card support was enabled.

http://madwifi.org/ticket/1086

Somebody else is getting the exact same error I'm getting with madwifi,
and they are concluding it is grsecurity's fault because it compiles fine
on 2.6.19.2 without grsec but will NOT compile once grsecurity has been
applied to 2.6.19.2.

What's happening?


First of all, disclaimer: I'm not a kernel hacker!

I don't think this issue has anything to do with grsecurity patch. madwifi
#include's obsolete <linux/config.h> here and there, so I wonder how you
managed to build it with vanilla 2.6.19 (<linux/config.h> does not exist
there). Anyway, try replacing <linux/config.h> with <linux/autoconf.h>.
Alexei.Sheplyakov
 
Posts: 53
Joined: Sun Feb 19, 2006 11:48 am

Postby harrygittens » Sun Feb 18, 2007 12:25 pm

Apologies. Madwifi doesn't actually compile for me on vanilla 2.6.19.2 either. I thought it did, but I had forgotten to boot that kernel and was using 2.6.17.something, which it does compile on. That bugrep led me up the garden path and made me think grsec was at fault.

I have no idea why I can't compile truecrypt under grsec though when it works for tosh.

Edit: I tried the latest CVS snapshot of madwifi and it compiles just fine even under grsec. Oops :roll:

Another edit: Double oops. Looks like there's a problem with truecrypt (see bottom of here). Don't worry, I'll learn how to use google before posting next time ;)
harrygittens
 
Posts: 21
Joined: Fri Feb 16, 2007 2:20 pm

Postby tosh » Sun Feb 18, 2007 3:29 pm

Forgot to point it out, but yes, you need to patch truecrypt to compile on newer kernels.
tosh
 
Posts: 19
Joined: Mon Apr 10, 2006 9:13 pm

Re: Can't compile any modules with grsec

Postby PaX Team » Mon Feb 19, 2007 11:42 am

harrygittens wrote: http://madwifi.org/ticket/1086

Somebody else is getting the exact same error I'm getting with madwifi, and they are concluding it is grsecurity's fault because it compiles fine on 2.6.19.2 without grsec but will NOT compile once grsecurity has been applied to 2.6.19.2.

What's happening?

besides what you discovered so far, what can get unsuspecting external modules is the extra compiler warnings that PaX enables and will abort compilation if the module uses -Werror itself. it's normally a good idea to look at these warnings and fix them if reasonable.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Can't compile any modules with grsec

Postby harrygittens » Tue Feb 20, 2007 1:12 pm

PaX Team wrote: is the extra compiler warnings that PaX enables and will abort compilation if the module uses -Werror itself

Okay, being a noob I didn't really understand what you meant by that but now I do.

On vanilla 2.6.18 some modules compile fine, but with grsec applied some won't compile unless I remove -Werror.

I'd like to understand this better: so PaX makes the compiler more "picky"? (because I don't get those warnings on the vanilla kernel). Is it normal to have to remove -Werror to get things to compile on grsec/PaX?

Is there an option in the .config that disables this feature PaX adds? Or do I really need it?

thank you
harrygittens
 
Posts: 21
Joined: Fri Feb 16, 2007 2:20 pm

Re: Can't compile any modules with grsec

Postby PaX Team » Wed Feb 21, 2007 7:05 pm

harrygittens wrote: I'd like to understand this better: so PaX makes the compiler more "picky"? (because I don't get those warnings on the vanilla kernel).

if you want to put it that way, yes. what goes on behind the scenes (try make V=1 one day too) is that i added extra switches to CFLAGS which turn on some more gcc warnings (the vanilla kernel itself enables quite a few already).

harrygittens wrote: Is it normal to have to remove -Werror to get things to compile on grsec/PaX?

well, that's one way for fixing the symptoms, and should be the last resort, the proper way is to look at what triggered the warning and fix the underlying problem if there's one.

harrygittens wrote: Is there an option in the .config that disables this feature PaX adds?

it's unconditionally patched into the main Makefile, you can remove it if you want.

harrygittens wrote: Or do I really need it?

only if you're interested in tracking down (or just knowing about) the potential problems exposed by the extra warnings.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
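
The two causes identified in this thread (the obsolete <linux/config.h> include, and a module's own -Werror meeting the extra warning switches that make V=1 reveals) can be checked for before building. This is an added example, not code from any poster or from grsecurity/PaX; the helper names, sample logs and module tree are constructed, and the extra switches in the sample are placeholders because the thread does not list them.

```shell
#!/bin/sh
# Added example, not from the thread. Sample logs and tree below are constructed.

# Unique gcc -W switches in a saved `make V=1` log read from stdin.
# -Wp, / -Wl, / -Wa, are pass-through options, not warnings, so skip them.
warning_flags() {
    tr -s ' \t' '\n' | grep -E '^-W[A-Za-z]' | grep -Ev '^-W[pla],' | LC_ALL=C sort -u
}

# Switches present in log $2 (patched tree) but absent from log $1 (vanilla tree).
extra_warnings() (
    a=$(mktemp); b=$(mktemp)
    warning_flags < "$1" > "$a"
    warning_flags < "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
)

# Build files under $1 that pass a bare -Werror (any warning becomes fatal).
werror_users() {
    find "$1" -type f \( -name 'Makefile*' -o -name 'Kbuild*' \) \
        -exec grep -lE -e '-Werror([[:space:]]|$)' {} + | LC_ALL=C sort
}

# Sources under $1 that still include the obsolete <linux/config.h>.
config_h_users() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -lE '^[[:space:]]*#[[:space:]]*include[[:space:]]*<linux/config\.h>' {} + \
        | LC_ALL=C sort
}

# Constructed sample: two one-line build logs and a tiny module tree in $1.
make_sample() {
    mkdir -p "$1/mod"
    echo 'gcc -Wp,-MD,.a.o.d -Wall -Wundef -O2 -c -o a.o a.c' > "$1/vanilla.log"
    # -Wextra and -Wno-unused-parameter are placeholder additions.
    echo 'gcc -Wp,-MD,.a.o.d -Wall -Wundef -Wextra -Wno-unused-parameter -O2 -c -o a.o a.c' \
        > "$1/patched.log"
    printf 'EXTRA_CFLAGS += -Werror\nobj-m := a.o\n' > "$1/mod/Makefile"
    printf '#include <linux/config.h>\n#include <linux/module.h>\n' > "$1/mod/a.c"
    printf '#include <linux/autoconf.h>\n' > "$1/mod/b.c"
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "extra warning switches:"; extra_warnings "$tmp/vanilla.log" "$tmp/patched.log"
echo "bare -Werror in:";        werror_users "$tmp/mod"
echo "obsolete config.h in:";   config_h_users "$tmp/mod"
rm -rf "$tmp"
```

To use it on a real build, save the output of make V=1 from the vanilla and the patched tree and pass the two files to extra_warnings.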

