when come 2.6.21.1?

Discuss and suggest new grsecurity features

Postby viktor » Sat May 05, 2007 2:06 pm

Ironwalker wrote:Any fix in near future for the failed build or should I change the file above previously mentioned?


change this line like previously mentioned.
after the "Enable various PaX features" string change

+   depends on GRSECURITY && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)


to

+   depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
viktor
 
Posts: 12
Joined: Sun Feb 11, 2007 6:20 am

Postby Ironwalker » Sat May 05, 2007 2:29 pm

Thank you, I will do that now and try again.



These are the end lines, everything compiled fine except for the last part.
The no hostname thing I fixed;



Finished prerequisites of target file `modules_install'.
Must remake target `modules_install'.
Successfully remade target file `modules_install'.
hostname: Unknown host
Reaping losing child 0x080a71d8 PID 4116
make[1]: *** [deb-pkg] Error 1
Removing child 0x080a71d8 PID 4116 from chain.
Reaping losing child 0x080dd078 PID 29488
make: *** [deb-pkg] Error 2
Removing child 0x080dd078 PID 29488 from chain.


Thanks again! :)
Ironwalker
 
Posts: 6
Joined: Sat May 05, 2007 12:14 pm

Postby Ironwalker » Sat May 05, 2007 2:40 pm

Just realised I don't have the same problem.
I should have read the thread more clearly.
I have that line and indeed have all the pax options there.



Sorry, if I need to start another thread please let me know mods... thanks.

By the way, this is my first grsecurity kernel compile. I have been long interested in this project and have been visiting here for a long time. I am just trying this today.
Ironwalker
 
Posts: 6
Joined: Sat May 05, 2007 12:14 pm

Postby PaX Team » Sat May 05, 2007 4:43 pm

Ironwalker wrote:Sorry, if I need to start another thread please let me know mods... thanks.
i must be missing something, but if you fixed the hostname problem, what else is failing? from the look of it, you managed to compile a kernel, at which point it's probably a more generic kernel install issue... maybe if you stated your distro/what you did, people on similar setups could offer help. and yes, a new thread would be a better place ;-).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby linkfanel » Sat May 05, 2007 5:59 pm

ld fails with the last grsecurity-2.1.10-2.6.21-200705041939.patch:

  LD      vmlinux
ld: vmlinux: section `.init.text' can't be allocated in segment 0
ld: final link failed: Bad value
make[1]: *** [vmlinux] Erreur 1


This happens only with PaX enabled.
linkfanel
 
Posts: 39
Joined: Fri Jul 14, 2006 8:26 pm

Postby PaX Team » Sat May 05, 2007 7:59 pm

linkfanel wrote:ld fails with the last grsecurity-2.1.10-2.6.21-200705041939.patch:

  LD      vmlinux
ld: vmlinux: section `.init.text' can't be allocated in segment 0
ld: final link failed: Bad value
make[1]: *** [vmlinux] Erreur 1


This happens only with PaX enabled.
what's the ld version? if you're not at 2.17 already, you should try that at least.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby linkfanel » Sat May 05, 2007 8:47 pm

PaX Team wrote:what's the ld version? if you're not at 2.17 already, you should try that at least.

It is debian sid's ld: GNU ld (GNU Binutils for Debian) 2.17.50.20070426
linkfanel
 
Posts: 39
Joined: Fri Jul 14, 2006 8:26 pm

Postby PaX Team » Sun May 06, 2007 4:48 am

linkfanel wrote:It is debian sid's ld: GNU ld (GNU Binutils for Debian) 2.17.50.20070426
can you try to flip KERNEXEC in your .config and see if it works then?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby linkfanel » Sun May 06, 2007 5:44 am

Well spotted, it works fine when KERNEXEC is disabled.
linkfanel
 
Posts: 39
Joined: Fri Jul 14, 2006 8:26 pm

Postby Ironwalker » Mon May 14, 2007 12:18 pm

Sorry to be a nuisance, but, where exactly is the "KERNEXEC" option in config?
Which config exactly?

I searched .config for kernel (/usr/src/linux) and nothing.... I searched /usr/src/grsecurity/kconfig and found a pax entry for KERNEXEC;

select PAX_KERNEXEC if (!X86_64 && !MODULES && !HOTPLUG_PCI_COMPAQ_NVRAM && !PCI_BIOS)

So am I being spectacularly naive here or is this the option, in which case how do I turn it off? Sometimes, I think so much and figure out the hard and intricate but totally miss the obvious right in front of my eyes.


By the way, previously I fixed the hostname thing and then the error saying grsec has no version numbers? Fixed this too and am installed.


The test kernel I am building gives me the error above but do not see where to change or turn off select KERNEXEC,

Thanks in advance
Ironwalker
 
Posts: 6
Joined: Sat May 05, 2007 12:14 pm

Postby PaX Team » Wed May 16, 2007 5:19 pm

Ironwalker wrote:Sorry to be a nuisance, but, where exactly is the "KERNEXEC" option in config?
Which config exactly?

it's under PaX options/Non-executable pages/Enforce non-executable kernel pages

Ironwalker wrote:select PAX_KERNEXEC if (!X86_64 && !MODULES && !HOTPLUG_PCI_COMPAQ_NVRAM && !PCI_BIOS)

So am I being spectacularly naive here or is this the option, in which case how do I turn it off? Sometimes, I think so much and figure out the hard and intricate but totally miss the obvious right in front of my eyes.

all those !options mean that you must disable them if you want to use KERNEXEC. i'm guessing that it's a 2.4 kernel so you have to disable modules and choose direct PCI access at least.

Ironwalker wrote:The test kernel I am building gives me the error above but do not see where to change or turn off select KERNEXEC

which error? the linker failure? i don't know what causes it yet, but i know that ld 2.17 links any kernel fine, with or without KERNEXEC. also, if you can't even select KERNEXEC in your config, how can it cause any problem?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
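
The condition quoted in the exchange above can be checked mechanically against a .config. This Python sketch is an added example, not code from the thread or from the grsecurity/PaX project: it evaluates such a condition and lists the enabled options that it negates. It goes slightly beyond the quoted line by also accepting `||`, so it works on the `depends on` expression earlier in the thread; the sample config is constructed and the function names are hypothetical.

```python
import re

# Condition quoted in the thread; SAMPLE is a constructed .config fragment.
KERNEXEC_COND = "(!X86_64 && !MODULES && !HOTPLUG_PCI_COMPAQ_NVRAM && !PCI_BIOS)"
SAMPLE = ("CONFIG_MODULES=y\n# CONFIG_X86_64 is not set\n"
          "CONFIG_PCI_BIOS=y\n# CONFIG_HOTPLUG_PCI_COMPAQ_NVRAM is not set\n")

def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' lines are skipped."""
    return dict(re.findall(r"^CONFIG_(\w+)=(.*)$", text, flags=re.M))

def is_on(config, symbol):
    return config.get(symbol) in ("y", "m")

def evaluate(expr, config):
    """Evaluate a condition built from symbols, !, &&, || and parentheses."""
    tokens = re.findall(r"&&|\|\||[!()]|\w+", expr) + ["<end>"]
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            value = chain("||")
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if not re.fullmatch(r"\w+", tok):
            raise ValueError(f"unexpected token {tok!r}")
        return is_on(config, tok)
    def chain(op):
        # '&&' binds tighter than '||': an '||' chain is made of '&&' chains.
        operand = atom if op == "&&" else (lambda: chain("&&"))
        values = [operand()]
        while tokens[pos] == op:
            take()
            values.append(operand())
        return all(values) if op == "&&" else any(values)
    result = chain("||")
    if tokens[pos] != "<end>":
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return result

def blockers(expr, config):
    """Symbols the condition negates that the config currently enables."""
    return [s for s in re.findall(r"!\s*(\w+)", expr) if is_on(config, s)]
```

With the constructed sample, `evaluate(KERNEXEC_COND, parse_config(SAMPLE))` is false and `blockers` names MODULES and PCI_BIOS as the options to disable.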

Postby linkfanel » Wed May 23, 2007 3:19 am

For your information, I rebuilt my binutils, roughly reverting this, and now it links and runs fine.
linkfanel
 
Posts: 39
Joined: Fri Jul 14, 2006 8:26 pm

Postby Ironwalker » Fri May 25, 2007 9:13 pm

Thanks guys, all good.
Ironwalker
 
Posts: 6
Joined: Sat May 05, 2007 12:14 pm

Postby Ironwalker » Fri May 25, 2007 9:25 pm

Thanks guys, all good.
Ironwalker
 
Posts: 6
Joined: Sat May 05, 2007 12:14 pm

Postby specs » Tue Jul 31, 2007 1:46 am

Sorry to bother, but...
I got a "section `.init.text' can't be allocated in segment 0" error during compilation. As mentioned in the thread I turned off KERNEXEC and ran "make oldconfig". The resulting config was something like:
#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
# CONFIG_PAX_KERNEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set

It resulted in a compiling kernel. On boot init got killed recursively.
No screendump since the kernel won't boot far enough.

But for some problems with one binary with /dev/ports access I might have tightened the whole grsec and pax setting, but right now I want the program to work with as much of the protection of grsecurity as possible. I do realize it is only a weak protection without the major features turned on.

Right now I'm trying to get a kernel to compile which will boot.
Perhaps I should try to patch pax to the latest test-patch after patching in the grsec-patch.

Kernel version 2.6.21.6 with grsecurity-2.1.10-2.6.21.5-200706182032.patch.
GNU ld (GNU Binutils for Debian) 2.17.50.20070718
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am
