LinuxQuestions.org
Old 10-29-2016, 08:32 AM   #1
drgibbon
Senior Member
Registered: Nov 2014
Distribution: Slackware64 15.0
Posts: 1,217

Automatically building grsec-patched kernel (grsec-slackware)


After the recent COW stuff, I decided to finally get around to looking into grsecurity. Unfortunately the releases for the stable kernel can't be obtained, so there's only the test release for the public. Anyway, I built it on my Thinkpad X200 and it works well, so I thought I would try scripting up something to automatically pull the latest version of grsec and the relevant kernel, and build it. You can find my effort here. The script doesn't actually install anything on the system, just downloads the source and builds it in /tmp (as well as creating a slackpkg).

Be advised that I basically learnt this stuff on the fly (largely out of interest), and I can't guarantee anything. That said, the script doesn't need root access, and I've tested it on a couple of systems without issue. The kernel config is based on the Slackware 14.2 one, and I've disabled RBAC by default (but you still get PaX and all that nice stuff). The script gives you the chance to change whatever settings you want, and I think it makes it easier to at least try grsec. If you want to test it:
Code:
git clone https://github.com/drgibbon/grsec-slackware.git
cd grsec-slackware
./grsec-slackware.SlackBuild
There's also some info in the readme.

Last edited by drgibbon; 10-29-2016 at 08:36 AM.
Old 10-31-2016, 05:38 AM   #2
mlangdn
Senior Member
Registered: Mar 2005
Location: Kentucky
Distribution: Slackware64-current
Posts: 1,844

Not sure how to recover from this:

Code:
Checking kernel signature
gpg: assuming signed data in 'linux-4.7.10.tar'
gpg: Signature made Sat 22 Oct 2016 05:08:37 AM CDT using RSA key ID 6092693E
gpg: Can't check signature: No public key
Bad signature. Exiting
Old 10-31-2016, 05:58 AM   #3
drgibbon
Senior Member
Registered: Nov 2014
Distribution: Slackware64 15.0
Posts: 1,217

Original Poster
It's looking for the public GPG kernel signing key of Greg Kroah-Hartman (the person who signed that kernel source release). If you don't have it, then gpg has no way of verifying that the archive has not been modified since it was released (i.e., that the archive was signed with Greg's private key). The part in the script that is failing is doing this:
Code:
gpg2 --verify linux-4.7.10.tar.sign
You can try that from the command line (where the source is); you will get the same error. The signatures page on kernel.org explains the process and has the info you need. If you want to quickly fix it you can do:
Code:
gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 38DBBDC86092693E
but it's really worth reading the kernel.org page on it.
Old 10-31-2016, 06:04 AM   #4
GazL
LQ Veteran
Registered: May 2008
Posts: 6,897

That's Greg K-H's kernel signing key

Run this:
Code:
gpg --recv-keys 6092693E
And then when you've got it, check the fingerprint against my copy:
Code:
src@ws1:~$ gpg --fingerprint 6092693E
pub   4096R/6092693E 2011-09-23
      Key fingerprint = 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
uid                  Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
sub   4096R/76D54749 2011-09-23
I've had this quite a while and have used it to validate git tags and kernel sources many times, so if your fingerprint matches, you can be fairly sure you've got a good copy of the key. (assuming you can trust what I've written here hasn't been tampered with... but then we are really getting into tin-foil-hat land!)

edit: apologies to drgibbon for the cross-post.

Last edited by GazL; 10-31-2016 at 06:14 AM.
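Tying posts #3 and #4 together, here is an added example (not part of drgibbon's script and not anything GazL posted) that automates the fingerprint comparison: rather than trusting the 8-hex-digit short key ID 6092693E, which is not unique, it runs gpg2 with --status-fd and accepts the signature only if the VALIDSIG status line carries the full 40-hex-digit fingerprint GazL quoted. It assumes gpg2 is installed and the key has already been imported as described above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: verify a kernel tarball signature and pin the signer's
# full fingerprint. Assumes gpg2 is installed and Greg K-H's key is imported.

# Primary-key fingerprint of the stable release signing key, exactly as
# quoted in GazL's post above, with the spaces removed.
GREGKH_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# Read gpg --status-fd output on stdin and print the fingerprint(s) from the
# VALIDSIG line: field 3 is the key that made the signature; when gpg also
# appends the primary-key fingerprint (12 fields in total), print that too.
validsig_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF >= 12) print $NF }'
}

# Succeed (exit 0) only if a VALIDSIG line on stdin names the expected
# fingerprint. A NO_PUBKEY or BADSIG status yields no VALIDSIG line, so it fails.
check_pinned() {   # usage: check_pinned EXPECTED_FPR < gpg_status_output
    expected=$1
    validsig_fprs | grep -qiFx "$expected"
}

# Real invocation: status lines go to fd 1, the human-readable output to stderr.
# usage: verify_tarball linux-4.7.10.tar.sign linux-4.7.10.tar
verify_tarball() {
    gpg2 --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_pinned "$GREGKH_FPR"
}
```

A SlackBuild can call verify_tarball in place of a bare gpg2 --verify and abort on a non-zero exit, which covers both the missing-key case from post #2 and a signature made by some other key with the same short ID.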
Old 10-31-2016, 06:26 AM   #5
drgibbon
Senior Member
Registered: Nov 2014
Distribution: Slackware64 15.0
Posts: 1,217

Original Poster
@GazL, all good, you provided some extra info and made a reference to tin-foil-hats, so that's fine by me ;P
Old 10-31-2016, 06:42 AM   #6
mlangdn
Senior Member
Registered: Mar 2005
Location: Kentucky
Distribution: Slackware64-current
Posts: 1,844

It is extracting the kernel source now. I had to import the key for grsec also - it failed there as well.
Thanks guys! It seems all is well now.
Old 10-31-2016, 05:34 PM   #7
drgibbon
Senior Member
Registered: Nov 2014
Distribution: Slackware64 15.0
Posts: 1,217

Original Poster
Quote:
Originally Posted by mlangdn View Post
It is extracting the kernel source now. I had to import the key for grsec also - it failed there as well.
That failure is a good thing. Otherwise you could be getting a tampered source archive and installing something very nasty into your system. The signing process is designed to stop that from happening. No public key = no go (as GazL pointed out though, you have to make sure you have the right public key). In theory the script could download the public keys, but I think it's better that the user handles that.

I do need to make an update incorporating the use of kernel patches where possible (instead of always downloading full source archives). If anyone has any other ideas for improvements, feel free to contribute something using git; I'd quite like to expand my knowledge with it.

Last edited by drgibbon; 10-31-2016 at 05:37 PM.
Old 11-23-2016, 06:54 AM   #8
drgibbon
Senior Member
Registered: Nov 2014
Distribution: Slackware64 15.0
Posts: 1,217

Original Poster
In case anyone is using this, I realised that there was a packaging bug where two symlinks were not set correctly (in /lib/modules, resulting in failing compilations for new kernel modules, like VirtualBox). I've fixed that, and also changed the default config to use KVM, since I've not had any luck getting VirtualBox to work with grsec. You can still find it on Github.

There are also a number of PaX flags that need to be set, so I need to get around to making a paxctld Slackware set. In the meantime, some necessary flags can be found here.
Old 02-20-2017, 11:15 AM   #9
bamunds
Member
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2-Multilib XDM/FVWM3
Posts: 780

I'm wanting to install grsec-slackware kernel 4.9.11.
Is there any reason that I can't use this script with slackware64-current?
It appears I modify the slackbuild to kernel version 4.9.11 in KVERSION?
It appears the script will pull down the latest version of grsec?
Do I change GVERSION to "-201702181444"?
How do I add the RBAC so I can apply the PaX and iptable patches?
For security shouldn't fakeroot be removed after using this script?
Can the script be run from root without installing fakeroot?
Cheers, BrianA_MN
Old 02-20-2017, 06:25 PM   #10
drgibbon
Senior Member
Registered: Nov 2014
Distribution: Slackware64 15.0
Posts: 1,217

Original Poster
Quote:
Originally Posted by bamunds View Post
I'm wanting to install grsec-slackware kernel 4.9.11.
Is there any reason that I can't use this script with slackware64-current?
Should be more likely to work with current than with stable
Quote:
Originally Posted by bamunds View Post
It appears I modify the slackbuild to kernel version 4.9.11 in KVERSION?
It appears the script will pull down the latest version of grsec?
Do I change GVERSION to "-201702181444"?
You only need to change those variables if for some reason the automatic download/version detection doesn't work. Basically once you run it, the script will grab the grsec patch and kernel source required (no script modification needed).
Quote:
Originally Posted by bamunds View Post
How do I add the RBAC so I can apply the PaX and iptable patches?
The script will run the kernel config for you. If you want to save time, rename "config-4.8.11-grsec-3.1" to "config-4.9.11-grsec-3.1" (then the script will run make oldconfig on that). Then you should configure grsec appropriately for your system. E.g., Security Options -> Grsecurity -> Customize -> Role Based Access Control Options.
Quote:
Originally Posted by bamunds View Post
For security shouldn't fakeroot be removed after using this script?
No, fakeroot is not a security risk. It doesn't escalate privileges, it just fakes root permissions. Without actually being root, nothing can be done that root cannot do (in other words, fakeroot is just used to build the packages with proper privileges, but you need to actually be root to install them/modify the system).
Quote:
Originally Posted by bamunds View Post
Can the script be run from root without installing fakeroot?
Sure. Comment out the stuff that checks for root/fakeroot (lines 29--34). Then just remove 'fakeroot' from line 298. I personally prefer running SlackBuilds as an unprivileged user.

The script works fine, but it's kind of basic. I will have the chance to improve it later on this year.