Where to get grsec for 2.6.31.1?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by devper94 » Sat Jan 23, 2010 7:28 am

I have a silly question here...

I am using Ubuntu 9.10 and trying to compile a new kernel. I tried to apply the patch (grsecurity-2.1.14-2.6.31.11-201001071931.patch, which I think is the most appropriate one), but it won't work (some hunks keep failing). My kernel source version is 2.6.31-17.54 (based on 2.6.31.1, I think)

Thanks for helping.
devper94
 
Posts: 3
Joined: Sat Jan 23, 2010 7:18 am

Re: Where to get grsec for 2.6.31.1?

Post by specs » Sat Jan 23, 2010 10:06 am

That kernel is not supported by grsecurity. If you want support for a distribution kernel, ask your distributor. But it is unlikely they will support their kernel with a grsecurity patch.

If you want to use grsecurity, start by using vanilla kernels. You can download them at http://www.kernel.org/pub/linux/kernel/v2.6/
Take the newest kernel patch in the download section of this site: http://www.grsecurity.org/test.php and use the vanilla kernel with the same version.
See more hints: http://en.wikibooks.org/wiki/Grsecurity ... nux_Kernel
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am
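
The version-matching advice in the reply above, as an added shell example that is not part of the original thread or of grsecurity. It assumes the patch naming scheme grsecurity-<grsec version>-<kernel version>-<timestamp>.patch, inferred from the two filenames in this thread, and that the tree's top-level Makefile holds the stable release in EXTRAVERSION as vanilla 2.6 trees do; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to apply a grsecurity patch to a tree of another version.

# Print the kernel version recorded in the top-level Makefile of tree $1.
# Vanilla 2.6 trees keep the stable release in EXTRAVERSION (e.g. ".3").
tree_version() {
    awk -F' *= *' '
        $1 == "VERSION"      { v = $2 }
        $1 == "PATCHLEVEL"   { p = $2 }
        $1 == "SUBLEVEL"     { s = $2 }
        $1 == "EXTRAVERSION" { e = $2 }
        END { printf "%s.%s.%s%s\n", v, p, s, e }
    ' "$1/Makefile"
}

# Print the kernel version a patch file name claims to target (third "-" field).
patch_kernel_version() {
    basename "$1" .patch | awk -F- '{ print $3 }'
}

# Return 0 only when tree $1 and patch $2 name the same kernel version.
check_match() {
    have=$(tree_version "$1")
    want=$(patch_kernel_version "$2")
    if [ "$have" = "$want" ]; then
        echo "OK: tree $have matches $2"
    else
        echo "MISMATCH: tree is $have, patch targets $want" >&2
        return 1
    fi
}

# After a match, GNU patch can rehearse the apply without touching the tree.
dry_run() {
    patch -d "$1" -p1 --dry-run < "$2"
}

# Constructed sample: a Makefile header shaped like a vanilla 2.6.32.3 tree.
demo_tree=$(mktemp -d)
printf 'VERSION = 2\nPATCHLEVEL = 6\nSUBLEVEL = 32\nEXTRAVERSION = .3\n' \
    > "$demo_tree/Makefile"
for p in grsecurity-2.1.14-2.6.31.11-201001071931.patch \
         grsecurity-2.1.14-2.6.32.3-201001071929.patch; do
    check_match "$demo_tree" "$p" || true
done
rm -rf "$demo_tree"
```

A distribution tree may record its version differently, so a mismatch reported here on such a tree means the check could not confirm the base, not that the script knows what the distributor applied.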

Re: Where to get grsec for 2.6.31.1?

Post by devper94 » Sun Jan 24, 2010 5:35 am

But I don't know which patches are applied on that kernel, so I am not likely to make a working one.
Anyway, Canonical support is out of my reach, and I have a backup kernel just in case.
devper94
 
Posts: 3
Joined: Sat Jan 23, 2010 7:18 am

Re: Where to get grsec for 2.6.31.1?

Post by specs » Sun Jan 24, 2010 6:24 am

The standard Ubuntu kernels are just the vanilla kernels with some Ubuntu patches applied. Most computers will run fine without the Ubuntu patches.

If you start with the vanilla kernel you will know exactly what patches are applied: none if you did not apply any.
Installing grsecurity is not really hard, but it is not trivial either. You need to be able to configure, compile and install your own kernels before you start with grsecurity. I suggest you install a vanilla kernel without patches first (without Ubuntu patches and without grsecurity or PaX patches). If you have that kernel working you know you will be able to install grsecurity.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: Where to get grsec for 2.6.31.1?

Post by devper94 » Mon Jan 25, 2010 1:41 am

specs wrote: Most computers will run fine without the Ubuntu patches.
Ubuntu won't. It depends on patches that manage the hard disk (I can't remember exactly). You won't be able to mount more than 1 hard disk unless you have a properly patched kernel. (I tried a vanilla one before, and I had to revert to my old kernel)
If you can, please provide me the list of patches used in Ubuntu kernel.
Thanks for helping.
devper94
 
Posts: 3
Joined: Sat Jan 23, 2010 7:18 am

Re: Where to get grsec for 2.6.31.1?

Post by specs » Tue Jan 26, 2010 6:11 pm

If you get the kernel with "apt-get source linux-source", you will see an image of linux-2.6.31 and a patch for ubuntu. Ubuntu does not state which subversion they use for their kernel.
However I don't think that is where your problems are. Ubuntu does not release completely different kernels from other distributions.

They do however offer a bootloader (grub2) and a very peculiar configuration.
To be able to see what happens during the boot process you might need the kernel option CONFIG_X86_VERBOSE_BOOTUP=y. You might need to disable the "quiet splash" option in /etc/default/grub or you might need to add a UUID rule with the information from "blkid /dev/sda1". There are a lot of ways the installation of a new kernel could fail (not least missing or broken drivers). Since these problems are specific to the Ubuntu distribution, you should ask for help compiling a vanilla kernel at the Ubuntu forums and not here.

If you know the vanilla kernel boots, you will probably also be able to configure a grsec-patched kernel.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: Where to get grsec for 2.6.31.1?

Post by specs » Wed Jan 27, 2010 4:43 pm

Ok, Ubuntu (9.10) is a bit hard to get working, but I just booted a grsecurity patched kernel with Ubuntu in a VirtualBox.

Just for the record:
linux-2.6.31.tar.gz
patch-2.6.32.bz2
patch-2.6.32.3.bz2
grsecurity-2.1.14-2.6.32.3-201001071929.patch (I started tweaking before the 2.6.32.6-patch)
(no other patches needed, VirtualBox uses the VESA-compatible mode for X.)

I do not have a maximum secure grsecurity yet ("Disable privileged I/O", see help menuconfig for grsecurity options).
I added the UUID-string to the commandline, since I'm not very experienced with grub2. Without UUID I can't mount "/".

For the rest: drivers for sata in the kernel, drivers for ext4 in the kernel, no initrd.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

