grsecurity forums

[forsaken]

grsecurity-2.1.14-2.6.30.5-200908252105 wants to do a "chmod 500 /lib/modules" this will fail if the directory doesn't exist and stop the build:

make -f scripts/Makefile.build obj=grsecurity
chmod 500 /boot 2> /dev/null
chmod 500 /lib/modules 2> /dev/null
make[1]: *** [grsecurity/grsec_hidesym.o] Error 1
make: *** [grsecurity] Error 2

[specs]

Not only does it try to chmod /boot, /lib/modules and /usr/src. It tries to chmod those files at the initial compilation process.

It fails on my pc on 3 errors:
- I compile kernels as a normal user (i.e. no rights to change settings for /boot, /usr/src or /lib/modules);
- after compiling kernels I install the kernel on a different machine ("make bzImage modules" is seperate from the actual installation);
- FYI on my pc you can't find the kernel sources under /usr/src (chmod 500 ./. would be more appropriate).

If you try to chmod anything it should be configurable.
And it should be during the "make install" or the "make modules_install".

Edit:
Actually I like the idea of changing the rights to minimal. Although I don't like the idea of someone messing with my system via a Makefile.
The settings should be checked, not changed by default. Important should be detecting change and proposing improved settings.

[spender]

I've fixed the compile erroring out if the directories don't exist or you don't have permissions to perform the chmod, and have it explicitly changing the permissions on the current kernel source directory.

I understand there's still a problem if you're copying your compiled kernel to another machine (where you should have changed the permissions on those paths already, according to the kernel configuration help no one reads ) and there's no automatic resolution for that yet.

BTW, this chmodding only happens for people with GRKERNSEC_HIDESYM enabled, so it's specifically for people who neglect to read the kernel configuration help and thus reduce/negate the effectiveness of the option by having /proc/kallsyms removed but their kernel image still visible to everyone.

-Brad

[specs]

Code: Select all

user@localhost:~/src/linux-2.6.30$ chmod 755 .
user@localhost:~/src/linux-2.6.30$ make bzImage modules
  CHK     include/linux/version.h
  CHK     include/linux/utsrelease.h
  SYMLINK include/asm -> include/asm-x86
  CALL    scripts/checksyscalls.sh
  CHK     include/linux/compile.h
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
  grsec: protected kernel image paths
  LD      vmlinux.o
ld: cannot open output file vmlinux.o: Permission denied
make: *** [vmlinux.o] Error 1
user@localhost:~/src/linux-2.6.30$ vi grsecurity/Makefile


And after I remove the line from the makefile to prevent make from "chmod 500 ./." everything compiles.
Probably some mistake in the order, a "chmod 700 ." before writing vmlinux.o and a "chmod 500 ." after fixes all.
For the record, I simply removed the "chmod 500 ." line here.

Note: this kernel is gonna be used on another pc.