Automatically building grsec-patched kernel (grsec-slackware)
After the recent COW stuff, I decided to finally get around to looking into grsecurity. Unfortunately the releases for the stable kernel can't be obtained, so there's only the test release for the public. Anyway, I built it on my Thinkpad X200 and it works well, so I thought I would try scripting up something to automatically pull the latest version of grsec and the relevant kernel, and build it. You can find my effort here. The script doesn't actually install anything on the system, just downloads the source and builds it in /tmp (as well as creating a slackpkg).
Be advised that I basically learnt this stuff on the fly (largely out of interest), and I can't guarantee anything. That said, the script doesn't need root access, and I've tested it on a couple of systems without issue. The kernel config is based on the Slackware 14.2 one, and I've disabled RBAC by default (but you still get PaX and all that nice stuff). The script gives you the chance to change whatever settings you want, and I think it makes it easier to at least try grsec. If you want to test it:
Code:
git clone https://github.com/drgibbon/grsec-slackware.git
cd grsec-slackware
./grsec-slackware.SlackBuild
Code:
Checking kernel signature
gpg: assuming signed data in 'linux-4.7.10.tar'
gpg: Signature made Sat 22 Oct 2016 05:08:37 AM CDT using RSA key ID 6092693E
gpg: Can't check signature: No public key
Bad signature. Exiting
It's looking for the public GPG kernel signing key of Greg Kroah-Hartman (the person who signed that kernel source release). If you don't have it, then gpg has no way of verifying that the archive has not been modified since it was released (i.e., that the archive was signed with Greg's private key). The part in the script that is failing is doing this:
Code:
gpg2 --verify linux-4.7.10.tar.sign
You can try that from the command line (where the source is); you will get the same error. The signatures page on kernel.org explains the process and has the info you need. If you want to quickly fix it you can do;
I've had this quite a while and have used it to validate git tags and kernel sources many times, so if your fingerprint matches, you can be fairly sure you've got a good copy of the key (assuming you can trust that what I've written here hasn't been tampered with... but then we are really getting into tin-foil-hat land!).
It is extracting the kernel source now. I had to import the key for grsec also - it failed there as well.
That failure is a good thing. Otherwise you could be getting a tampered source archive and installing something very nasty into your system. The signing process is designed to stop that from happening. No public key = no go (as GazL pointed out though, you have to make sure you have the right public key). In theory the script could download the public keys, but I think it's better that the user handles that.
I do need to make an update incorporating the use of kernel patches where possible (instead of always downloading full source archives). If anyone has any other ideas for improvements, feel free to contribute something using git, I'd quite like to expand my knowledge with it.
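As an added example (not code from the grsec-slackware script, nor from the kernel.org signatures page), here is the verification step the two posts above discuss, written as a shell function. It streams the compressed archive through the decompressor into gpg --verify, which is how the kernel.org page describes checking a .tar.sign, and then goes one step further than the script's bare exit-code check: it compares the primary-key fingerprint gpg reports against a pinned value, so a valid signature from some other key that happens to be in your keyring is also rejected (this is exactly the "make sure you have the right public key" caveat). demo_run reproduces the thread's "No public key" failure and the import that fixes it entirely offline, using a throwaway key and a constructed tarball that stand in for Greg KH's key and the kernel source; gpg 2.1+, gzip, tar, awk and mktemp are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of grsec-slackware: verify a kernel.org-style detached
# signature and pin the signer's primary-key fingerprint.
# Assumes gpg 2.1+, gzip, tar, awk and mktemp on PATH.

# verify_kernel_tarball ARCHIVE SIGFILE EXPECTED_PRIMARY_FPR
# kernel.org signs the *uncompressed* tar, so the archive is streamed through
# the decompressor into "gpg --verify SIGFILE -". Returns 0 only when gpg
# reports VALIDSIG and the primary fingerprint equals EXPECTED_PRIMARY_FPR.
verify_kernel_tarball() {
    archive=$1 sigfile=$2 expected=$3
    case $archive in
        *.tar.xz) decomp='xz -cd' ;;
        *.tar.gz) decomp='gzip -cd' ;;
        *.tar)    decomp='cat' ;;
        *) echo "unsupported archive name: $archive" >&2; return 2 ;;
    esac
    # --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout; the
    # human text ("Can't check signature: No public key") goes to stderr.
    status=$($decomp "$archive" | gpg --batch --status-fd 1 --verify "$sigfile" - 2>/dev/null)
    gpg_rc=$?
    if [ "$gpg_rc" -ne 0 ]; then
        reason=$(printf '%s\n' "$status" | awk '$2=="NO_PUBKEY"||$2=="BADSIG"{print $2; exit}')
        echo "Bad signature. Exiting (${reason:-gpg exit $gpg_rc})" >&2
        return 1
    fi
    # The last VALIDSIG field is the primary key fingerprint, even when the
    # signature was made with a subkey (as kernel.org release signatures are).
    signer=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
    if [ "$signer" != "$expected" ]; then
        echo "Signature is valid but from $signer, not the pinned key $expected" >&2
        return 1
    fi
    echo "Good signature from pinned key $expected" >&2
}

# Offline demonstration with a throwaway key and a constructed tarball (both
# stand in for the real kernel signer and source; nothing is downloaded).
# Prints "nokey=<rc> pinned=<rc> wrongpin=<rc>" with rc 0 = accepted.
demo_run() {
    saved_home=${GNUPGHOME-__unset__}
    tmp=$(mktemp -d)
    mkdir -p "$tmp/signer" "$tmp/verifier" "$tmp/linux-demo"
    chmod 700 "$tmp/signer" "$tmp/verifier"
    # 1. Throwaway signing key (constructed; plays the role of Greg KH's key).
    export GNUPGHOME="$tmp/signer"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign never
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    # 2. Constructed "kernel source": sign the uncompressed tar (kernel.org
    #    layout), then produce the compressed download next to its .sign file.
    echo 'not a kernel, just sample data' > "$tmp/linux-demo/README"
    tar -C "$tmp" -cf "$tmp/linux-demo.tar" linux-demo
    gpg --batch --yes --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign --output "$tmp/linux-demo.tar.sign" "$tmp/linux-demo.tar"
    gzip -c "$tmp/linux-demo.tar" > "$tmp/linux-demo.tar.gz"
    gpg --batch --armor --export "$fpr" > "$tmp/signer.asc"
    gpgconf --kill gpg-agent 2>/dev/null
    # 3. Fresh keyring: the thread's "No public key" failure.
    export GNUPGHOME="$tmp/verifier"
    verify_kernel_tarball "$tmp/linux-demo.tar.gz" "$tmp/linux-demo.tar.sign" "$fpr" 2>/dev/null \
        && nokey=0 || nokey=1
    # 4. Import the public key (what the poster did) and pin its fingerprint.
    gpg --batch --quiet --import "$tmp/signer.asc" 2>/dev/null
    verify_kernel_tarball "$tmp/linux-demo.tar.gz" "$tmp/linux-demo.tar.sign" "$fpr" 2>/dev/null \
        && pinned=0 || pinned=1
    # 5. Same valid signature, wrong pinned fingerprint: gpg says GOODSIG, we refuse.
    verify_kernel_tarball "$tmp/linux-demo.tar.gz" "$tmp/linux-demo.tar.sign" \
        0000000000000000000000000000000000000000 2>/dev/null && wrongpin=0 || wrongpin=1
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$tmp"
    if [ "$saved_home" = __unset__ ]; then unset GNUPGHOME; else export GNUPGHOME="$saved_home"; fi
    echo "nokey=$nokey pinned=$pinned wrongpin=$wrongpin"
}

# Usage: . ./verify.sh && demo_run   (expected: nokey=1 pinned=0 wrongpin=1)
# Real use: verify_kernel_tarball linux-4.7.10.tar.xz linux-4.7.10.tar.sign <Greg's primary fpr>
```

The pinned fingerprint is the part the SlackBuild's `gpg2 --verify` call cannot give you on its own: gpg exits 0 for a good signature from any key in the keyring, so the fingerprint you checked out-of-band (as GazL describes) should be compared against what gpg actually reports, not just imported and forgotten.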
In case anyone is using this, I realised that there was a packaging bug where two symlinks were not set correctly (in /lib/modules, resulting in failing compilations for new kernel modules, like VirtualBox). I've fixed that, and also changed the default config to use KVM, since I've not had any luck getting VirtualBox to work with grsec. You can still find it on Github.
There are also a number of PaX flags that need to be set, so I need to get around to making a paxctld Slackware set. In the meantime, some necessary flags can be found here.
I'm wanting to install grsec-slackware kernel 4.9.11.
Is there any reason that I can't use this script with slackware64-current?
It appears I modify the slackbuild to kernel version 4.9.11 in KVERSION?
It appears the script will pull down the latest version of grsec?
Do I change GVERSION to "-201702181444"?
How do I add the RBAC so I can apply the PaX and iptable patches?
For security shouldn't fakeroot be removed after using this script?
Can the script be run from root without installing fakeroot?
Cheers, BrianA_MN
Quote:
Originally Posted by bamunds
I'm wanting to install grsec-slackware kernel 4.9.11.
Is there any reason that I can't use this script with slackware64-current?
Should be more likely to work with current than with stable.
Quote:
Originally Posted by bamunds
It appears I modify the slackbuild to kernel version 4.9.11 in KVERSION?
It appears the script will pull down the latest version of grsec?
Do I change GVERSION to "-201702181444"?
You only need to change those variables if for some reason the automatic download/version detection doesn't work. Basically once you run it, the script will grab the grsec patch and kernel source required (no script modification needed).
Quote:
Originally Posted by bamunds
How do I add the RBAC so I can apply the PaX and iptable patches?
The script will run the kernel config for you. If you want to save time, rename "config-4.8.11-grsec-3.1" to "config-4.9.11-grsec-3.1" (then the script will run make oldconfig on that). Then you should configure grsec appropriately for your system. E.g., Security Options -> Grsecurity -> Customize -> Role Based Access Control Options.
Quote:
Originally Posted by bamunds
For security shouldn't fakeroot be rempved after using this script?
No, fakeroot is not a security risk. It doesn't escalate privileges, it just fakes root permissions. Without actually being root, nothing can be done that root cannot do (in other words, fakeroot is just used to build the packages with proper privileges, but you need to actually be root to install them/modify the system).
Quote:
Originally Posted by bamunds
Can the script be run from root without installing fakeroot?
Sure. Comment out the stuff that checks for root/fakeroot (lines 29--34). Then just remove 'fakeroot' from line 298. I personally prefer running SlackBuilds as an unprivileged user.
The script works fine, but it's kind of basic. I will have the chance to improve it later on this year.