Implementing GRsecurity

int0x80 · 09-23-2002, 08:53 PM

After seeing the kernel patch thread, and the offer made in there, I felt I couldn't pass up on asking a few questions. Previously, I have downloaded the recent grsecurity patch and its compatible kernel (grsecurity-1.9.6-2.4.19.patch.gz and linux-2.4.19.tar.gz, respectively). I followed the installation instructions found in the documentation at http://grsecurity.net/gracldoc.htm and everything looked ok. When I ran make xconfig, the following occurred:

Code:

root@slack:/usr/src/linux# make xconfig
rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
make -C scripts kconfig.tk
make[1]: Entering directory `/usr/src/linux-2.4.18/scripts'
cat header.tk >> ./kconfig.tk
./tkparse < ../arch/i386/config.in >> kconfig.tk
echo "set defaults \"arch/i386/defconfig\"" >> kconfig.tk
echo "set ARCH \"i386\"" >> kconfig.tk
cat tail.tk >> kconfig.tk
chmod 755 kconfig.tk
make[1]: Leaving directory `/usr/src/linux-2.4.18/scripts'
wish -f scripts/kconfig.tk
Application initialization failed: no display name and no $DISPLAY environment variable
Error in startup script: invalid command name "button"
    while executing
"button .ref"
    (file "scripts/kconfig.tk" line 51)
make: *** [xconfig] Error 1

I searched google for this and eventually found something about applying some extra code somewhere, but I don't feel that comfortable working with the kernel yet. So I ran make menuconfig and that loaded up fine. I didn't see any extra options implemented by grsecurity so I exited the kernel configuration without changing anything but saved the configuration. I proceeded to execute the remaining commands (make dep bzImage modules modules_install install) and change my boot loader information:

Code:

cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.19
cp System.map /boot/System.map-2.4.19

[/etc/lilo.conf]
image = /boot/vmlinuz-2.4.19
label = 2.4.19

I then ran /sbin/lilo and successfully rebooted. Everything was ok until I went to ssh into the machine. It would not let me even put in a user name. Just kept denying access. I checked to make sure sshd was running, and it was. Flushed all the firewall rules (only running iptables). So what it comes down to is:

1. Was the grsecurity patch applied, and if so, where do I access it's configuration options for the kernel?

2. How do I resolve the errors I received from executing make xconfig?

3. Why am I now locked out even though I didn't make any changes to the kernel configuration when I was in make menuconfig?

By the way, I am running Slackware 8.1

jeremy · 09-23-2002, 08:57 PM

The patch contained in -lq3 fixes the problem with make xconfig.

--jeremy

int0x80 · 09-23-2002, 09:46 PM

After not finding any documentation on installation, I am sorry to ask another question. Do I apply the 2.4.19-lq3 patch the same way that grsecurity is supposed to be applied? E.g.

Code:

tar –zxvf linux-2.4.19.tar.gz
patch –p0 < 2.4.19-lq3.patch
cd linux-2.4.19
make xconfig
make dep bzImage modules modules_install install

unSpawn · 09-24-2002, 04:08 AM

To start with your most recent question, I applied the gzipped version as "gunzip -cd lq3.gz | patch -p0 -d /usr/src/linux" over a pristine kernel, if you want to verify that this works try using patch with "--dry-run" would show any errors. The rest of the kernel config/compile remains the same ofcourse.

1. Grsecurity's features are the last ones in the config. Applying the kernel patch doesn't automagically enable them unless you copy over a .config which already has been used to enable Grsecurity-1.9.6. If you did enable it's sysctl option you will find them options under /proc/sys/kernel/grsecurity. Everything there *except* acl is tweakable.
Sysctl options can be set automated by using sysctl or echoing a set of variables. Using "sysctl -e -p /etc/grsec.conf", the grsec.conf entries would look like
"kernel.grsecurity.restrict_ksyms =0" (w/o quotes).

3. If you didn't make any changes to the kernel options you already had plus you didn't post the relevant Grsecurity options you enabled in the first place, I cannot determine why the error would lie with Grsecurity.
If you have sysctl turned on for it, have a look at if any socket_.* options are enabled.
These are available to help restrict creation of (any|client|server) sockets for local users.

int0x80 · 09-24-2002, 09:38 AM

I tried applying the patch as recommended, and ran into this:

Code:

root@slack:/usr/src# gunzip -cd 2.4.19-lq3.gz | patch -p0 -d /usr/src/linux --dry-run
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nru linux-2.4.19/Documentation/Configure.help linux-2.4.19-lq/Documentation/Configure.help
|--- linux-2.4.19/Documentation/Configure.help  Fri Aug  2 18:39:42 2002
|+++ linux-2.4.19-lq/Documentation/Configure.help       Mon Sep 23 06:58:06 2002
--------------------------
File to patch:

This has happened to me once before (the first time I tried applying GRsecurity), but every time after that it had gone through a whole process and reported no errors. So I'm pretty uncertain about what needs to be done here.

jeremy · 09-24-2002, 10:36 AM

Take out the -d option from patch and make sure you have a linux-2.4.19 directory.

--jeremy

int0x80 · 09-24-2002, 11:33 PM

This is some crazy stuff. Here is the listing of how it went down:
[list=1][*]Downloaded linux-2.4.19.tar.gz kernel[*]Downloaded 2.4.19-lq3.gz from Linux Questions[*]Checked md5sums[*]Executed the following commands:[/list=1]

Code:

root@slack:/usr/src/$ gunzip -cd 2.4.19-lq3.gz | patch -p0
root@slack:/usr/src/$ cd linux-2.4.19
root@slack:/usr/src/linux-2.4.19$ make xconfig

At this point make xconfig failed again as it had before.

Code:

root@slack:/usr/src/linux-2.4.19$ make menuconfig

The only section I edited was 'Grsecurity', and all I did was enable stack overflow protection. Nothing else.

Code:

root@slack:/usr/src/linux-2.4.19$ make dep bzImage modules module_install install
root@slack:/usr/src/linux-2.4.19$ cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.19
root@slack:/usr/src/linux-2.4.19$ cp System.map /boot/System.map-2.4.19
root@slack:/usr/src/linux-2.4.19$ vi /etc/lilo.conf

<made following changes>
    image = /boot/vmlinuz-2.4.19
    label = 2.4.19

root@slack:/usr/src/linux-2.4.19$ /sbin/lilo
root@slack:/usr/src/linux-2.4.19$ shutdown -r now

Everything looked normal in the reboot process. Everything loaded back up. I saw it successfully start the sshd again. One note is the frame buffer was now gone. It prompted me for login so I logged in as my regular user name, and this is what happened:

Code:

No directory, logging in with HOME=/
Linux-2.4.19-lq3
Last login ... on pts/0 from clax.
No mail.
david@slack:/$

My /home directory is empty, and I am again remotely locked out (thank goodness for kvm). Now my status qualifies for completely lost + confused + frustrated. At this point I'm currently looking through google trying to find someone with similar experiences that solved the problem; but any advice, information, and resources you have would be appreciated.

RijilV · 09-25-2002, 01:54 AM

Quote:

Originally posted by GNUbie

The only section I edited was 'Grsecurity', and all I did was enable stack overflow protection. Nothing else.

welp,. you didn't change ANYTHING else on the default kernel .config ?

if you have /home on a seperate partition, it might be of an unsupported filesystem. this explains your lack of a framebuffer...

I could be like, missing something or misunderstanding stuff..

RijilV · 09-25-2002, 01:55 AM

Quote:

Originally posted by GNUbie

The only section I edited was 'Grsecurity', and all I did was enable stack overflow protection. Nothing else.

welp,. you didn't change ANYTHING else on the default kernel .config ?

if you have /home on a seperate partition, it might be of an unsupported filesystem for the default .config

if you didn't change anything, framebuffer is not part of the default .config

I could be like, missing something or misunderstanding stuff..

int0x80 · 09-25-2002, 08:57 AM

Quote:

Originally posted by RijilV

welp,. you didn't change ANYTHING else on the default kernel .config ?

Correct.

Quote:

if you have /home on a seperate partition, it might be of an unsupported filesystem. this explains your lack of a framebuffer...

/ is mounted on /dev/hda2 while /home was mounted on /dev/hda7. I didn't think to check before my previous post, but the only partition that exists now is /dev/hda2, everything else is gone. /home was ext3 by the way, and I'm assuming that the data regarding the framebuffer was stored somewhere in there.

Quote:

I could be like, missing something or misunderstanding stuff..

Nope, you seem to be correct in what you posted. I am the one who is misunderstanding and missing things

jeremy · 09-25-2002, 09:04 AM

GNUbie,
You will need to configure your new kernel to support what your old kernel did. Do you have an old .config you can use as a baseline? If not you will have to go through the options and make sure you add support for everything you use (such as ext3).

--jeremy

int0x80 · 09-25-2002, 11:30 AM

Looks like some long nights ahead.

Any resources you recommend regarding learning more about working with the kernel in Linux? I am quite interested in this stuff.

unSpawn · 09-25-2002, 03:54 PM

Naw, you could prolly get it right in under half an hour :-]
Try The Linux Kernel HOWTO for some help.

markus1982 · 09-30-2002, 03:31 PM

As a side note as I've started messing around with kernel stuff I used the website www.kernelnewbies.org ... might be worth a look although I think the older site was quite more useful