[SOLVED] newest grsecurity and kernel 2.6.24.4

Post by sauruspl » Wed Apr 16, 2008 8:46 am

Heya,
I have some problems with the newest grsecurity (grsecurity-2.1.11-2.6.24.4-200804142048.patch.gz). It compiles without any errors, but my kernel doesn't want to boot. When I compile and install the kernel without the grsecurity patch it's all OK, but when I patch the kernel and compile and install the new kernel, it doesn't want to boot.
Any hints?
It's really weird.
Last edited by sauruspl on Thu May 08, 2008 4:44 am, edited 1 time in total.
sauruspl
 
Posts: 7
Joined: Wed Apr 16, 2008 8:06 am

Re: newest grsecurity and kernel 2.6.24.4

Post by cormander » Wed Apr 16, 2008 10:40 am

When you say "doesn't want to boot", what exactly happens? What's the last message given to your terminal? Also, what kind of machine are you running?

I keep the latest grsecurity kernels compiled as RPMs; my machines are booting just fine with the grsecurity-2.1.11-2.6.24.4-200804142048.patch.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: newest grsecurity and kernel 2.6.24.4

Post by sauruspl » Wed Apr 16, 2008 11:09 am

My machine is a Sempron 64 2800+, and I'm doing this on Trustix Linux 3.0.5. The last message is when the initrd image is trying to load. I can't even paste it here because after this the computer reboots; I can't even pause to see it, but the last message is when the initrd image is trying to load.
My grub config is:
root (hd0,0)
kernel /2.6.24.4 ro root=/dev/hda2
initrd /2.6.24.4.initrd.img

When I compile my kernel without the grsecurity patch it all works OK, but when the patch is enabled it reboots after reading the initrd image.

What should I do?
Last edited by sauruspl on Wed Apr 16, 2008 11:40 am, edited 1 time in total.
sauruspl
 
Posts: 7
Joined: Wed Apr 16, 2008 8:06 am

Re: newest grsecurity and kernel 2.6.24.4

Post by cormander » Wed Apr 16, 2008 11:37 am

sauruspl wrote: my grub config is:
root (hd0,0)
kernel /2.6.24.4 ro root=/dev/hda2
initrd /2.6.24.4.inird.img

Your initrd is trying to load... is it possible you misspelled the path to your initrd image? Looks like you're missing a t.

Check the spelling, verify that it does in fact exist, and try again.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: newest grsecurity and kernel 2.6.24.4

Post by sauruspl » Wed Apr 16, 2008 11:40 am

Oh sorry, I only mistyped it here; I have it right here. Anyway, it would tell me that the file doesn't exist, but it starts loading it but then reboots.... :(
sauruspl
 
Posts: 7
Joined: Wed Apr 16, 2008 8:06 am

Re: newest grsecurity and kernel 2.6.24.4

Post by djGrrr » Wed Apr 16, 2008 9:57 pm

I think I'm having this same issue with a new server I'm setting up, but I can't see any messages even over KVM because it reboots so quickly. I did some testing: configured the kernel the way I wanted, without grsec, and it worked fine; then I simply applied the patch and didn't enable any of the options, and the server reboots after grub exits. I can't really give any details because I can't see what's going on. I am running x64 architecture.

I have checked to make sure DEBUG_RODATA and COMPAT_VDSO were disabled and it didn't make any difference.
I wish there was some way to get more info.
djGrrr
 
Posts: 13
Joined: Fri Dec 29, 2006 11:16 am

Re: newest grsecurity and kernel 2.6.24.4

Post by cormander » Wed Apr 16, 2008 10:35 pm

You can debug the kernel with gdb. I've never used gdb with a kernel myself, but using strings like gdb, vmlinux, kernel, etc. on Google will return some interesting results. Here is one:

http://stackframe.blogspot.com/2007/04/ ... -with.html

Step to the point where it loads the initrd image and see what happens. Oh, and it would be useful to compile the kernel with CONFIG_DEBUG set.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: newest grsecurity and kernel 2.6.24.4

Post by PaX Team » Thu Apr 17, 2008 5:24 am

Can you guys send me your bzImage, vmlinux, .config and System.map files please? Also, can you try the PaX patch alone to see if the problem still occurs?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: newest grsecurity and kernel 2.6.24.4

Post by sauruspl » Thu Apr 17, 2008 12:10 pm

Sure I can. How can I send them to you? By email?
sauruspl
 
Posts: 7
Joined: Wed Apr 16, 2008 8:06 am

Re: newest grsecurity and kernel 2.6.24.4

Post by djGrrr » Thu Apr 17, 2008 5:15 pm

I can't compile the kernel with just the PaX patch pax-linux-2.6.24.4-test42.patch:
arch/x86/ia32/built-in.o: In function `load_elf32_binary':
/home/dev/kernel/linux-2.6.24.4/arch/x86/ia32/../../../fs/binfmt_elf.c:1028: undefined reference to `pax_set_initial_flags'
fs/built-in.o: In function `load_elf_binary':
/home/dev/kernel/linux-2.6.24.4/fs/binfmt_elf.c:1028: undefined reference to `pax_set_initial_flags'
make: *** [.tmp_vmlinux1] Error 1
djGrrr
 
Posts: 13
Joined: Fri Dec 29, 2006 11:16 am

Re: newest grsecurity and kernel 2.6.24.4

Post by cormander » Thu Apr 17, 2008 5:41 pm

I ran into this earlier: viewtopic.php?f=1&t=1943

you can't take a grsec .config blindly and use it under PaX directly, the ACL hook option must be (re)set properly - just search the forum, this came up a few times already.

If you're using an x86 machine (not 64-bit, I don't have one to build on yet), I've got RPMs on my site that you can install.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: newest grsecurity and kernel 2.6.24.4

Post by djGrrr » Thu Apr 17, 2008 6:05 pm

Actually, I've figured out that you just need to set the integration mode to hook instead of direct. I am about to test if this kernel will boot; I will post my results in a few minutes.
djGrrr
 
Posts: 13
Joined: Fri Dec 29, 2006 11:16 am
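
The link error and the "hook instead of direct" fix from the posts above, turned into a pre-build check on a kernel .config (an added example, not part of any post in this thread and not grsecurity or PaX project code). The CONFIG_PAX_*_ACL_FLAGS and CONFIG_GRKERNSEC option names are assumptions taken from the PaX and grsecurity Kconfig, not from this page, and the demo config is constructed sample data.

```shell
#!/bin/sh
# Assumed option names for the PaX "MAC system integration" choice:
#   CONFIG_PAX_NO_ACL_FLAGS   = none
#   CONFIG_PAX_HAVE_ACL_FLAGS = direct (calls pax_set_initial_flags(), supplied by grsecurity)
#   CONFIG_PAX_HOOK_ACL_FLAGS = hook   (calls through a function pointer, if one is registered)
#   CONFIG_GRKERNSEC          = grsecurity itself is enabled

# is_set FILE OPTION: succeeds when FILE contains the exact line "OPTION=y".
is_set() {
    grep -q "^$2=y\$" "$1"
}

# pax_acl_mode FILE: prints direct, hook, none or unset.
pax_acl_mode() {
    if is_set "$1" CONFIG_PAX_HAVE_ACL_FLAGS; then echo direct
    elif is_set "$1" CONFIG_PAX_HOOK_ACL_FLAGS; then echo hook
    elif is_set "$1" CONFIG_PAX_NO_ACL_FLAGS; then echo none
    else echo unset
    fi
}

# check_pax_config FILE: prints a verdict. Returns 1 when the final link is
# expected to fail as in the thread, 2 when FILE is unreadable, 0 otherwise.
check_pax_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "error: cannot read $cfg"; return 2; }
    mode=$(pax_acl_mode "$cfg")
    if [ "$mode" = direct ] && ! is_set "$cfg" CONFIG_GRKERNSEC; then
        echo "FAIL: direct integration without grsecurity;" \
             "expect 'undefined reference to pax_set_initial_flags'"
        return 1
    fi
    echo "OK: integration mode is $mode"
}

# demo: run the check on a constructed PaX-only config carried over from a grsec build.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'CONFIG_PAX=y' 'CONFIG_PAX_HAVE_ACL_FLAGS=y' > "$tmp"
    check_pax_config "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Check the .config named on the command line, or show the demo verdict.
if [ -n "${1:-}" ]; then check_pax_config "$1"; else demo || true; fi
```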

Re: newest grsecurity and kernel 2.6.24.4

Post by djGrrr » Thu Apr 17, 2008 6:13 pm

It seems the same thing happens with just the PaX patch, and not the grsec, so I guess it's an issue with the PaX side of the patch. If I knew where I should send the .config, System.map, etc., I would gladly do it if it will help.
djGrrr
 
Posts: 13
Joined: Fri Dec 29, 2006 11:16 am

Re: newest grsecurity and kernel 2.6.24.4

Post by cormander » Thu Apr 17, 2008 6:27 pm

You can get the correct email address by finding the "The PaX Team" hyperlink on the PaX homepage: http://pax.grsecurity.net/
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: newest grsecurity and kernel 2.6.24.4

Post by sauruspl » Fri Apr 18, 2008 10:41 am

Yeah, I did send them my image and config; we will see.
sauruspl
 
Posts: 7
Joined: Wed Apr 16, 2008 8:06 am
