Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-10-29 20:21

EDIT START 2014-09-30
I have studied the issues related with the latest very questionable changes in FOSS Linux very dedicatedly in recent weeks, and am linking the latest article of mine here because the systemd and other poetteringware changes by design can/could only have adverse if not threatening influence on grsecurity, which is the way to go for anyone aware of privacy issues in our big-brotherly time.

Therefore this Tips page on installing a grsecurity-hardened kernel in Debian could start to be put in question as well.

These new links I tried and they worked fine just hours ago, and they have been consistent as I posted them and edited them in the couple of days ever since my initial posting of them:

Why is Gentoo not switching to systemd?
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624042
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624044

(the second of the above, #7624044, is the main read)

Somewhat long that read is; however, you should find it revealing, and the facts and deductions there strike hard where due.

Why do I go on about the consistency of the article, which should open for you buried in the 13th page of a huge discussion on Gentoo Forums?

I'll try and explain that in today's post of this very topic you are reading:

viewtopic.php?f=16&t=108616&p=554940#p554940

Only vis major (Latin) can prevent me from explaining, such as "problems" with my internet connection.

EDIT END 2014-09-30
--
EDIT START Tue Apr 15 18:58:29 BST 2014
This is currently the latest edit, meaning the latest few lines, these at the very top currently, of the entire topic, on Tue Apr 15.
I am running out of space on the server hosting CroatiaFidelis.hr,
where for that reason I'll delete old Debian Grsec-patched kernel packages.
That means deleting those packages that wouldn't be the best option for installing anyway, since better, newer packages have replaced them.
This note will apply, in the adequate way, in all later cases. Users lose nothing really.
Thanks.
EDIT END

WARNING: Advanced users, pls allow for some verbosity in pastes. I know I needed a little spoonfeeding back when I was a GNU/Linux newbie. Pls. suffer newbies to more easily reach the information that I am offering here.

EDIT START
Thu Oct 31 17:27:01 UTC 2013
This article is another attempt of mine to point other users, esp. newbies, in the right direction. Out of plain gratitude towards Spender and the Pax Team, without whose two packs of programs my Debian machines would have been hacked with irreparable damage (data stolen and such). The last defence by Grsecurity/Pax against a bruteforce attack on my machine can be read about here:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3841
EDIT END

Lots of the following is simply pastes: today's actual command-line input and output of mine.
For the amd64 arch it may really be possible that you reuse my lines often with little or no modification, today and a few more days ahead, but of course versions will soon be replaced.

Newbies, pls. distinguish commands from the output. Simple: all the commands are on the one line after the prompt (unless the end of the line is a '\', but I don't think we have any of those here). All is left here so you can compare what you are trying to do with these successful (or not, but it's indicated when it wasn't) download/patch/installation etc. commands.

Still: pls. first read all you can find of explanation/documentation starting from:

http://www.grsecurity.net

and then come back and follow this guide (but make sure you replace the versions for the current ones, if you are reading this days/months ahead from now).

You have been warned!

Code: Select all
me@mybox:/some-dir/download-dir$ wget -nc https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch
--2013-10-29 13:06:08--  https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch
Resolving grsecurity.net (grsecurity.net)... 173.10.160.233
Connecting to grsecurity.net (grsecurity.net)|173.10.160.233|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3738234 (3.6M) [text/plain]
Saving to: ‘grsecurity-2.9.1-3.11.6-201310271552.patch’

100%[=======================================================>] 3,738,234    626KB/s   in 6.3s   

2013-10-29 13:06:16 (580 KB/s) - ‘grsecurity-2.9.1-3.11.6-201310271552.patch’ saved [3738234/3738234]

me@mybox:/some-dir/download-dir$ wget -nc https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch.sig
--2013-10-29 13:08:09--  https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch.sig
Resolving grsecurity.net (grsecurity.net)... 173.10.160.233
Connecting to grsecurity.net (grsecurity.net)|173.10.160.233|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [text/plain]
Saving to: ‘grsecurity-2.9.1-3.11.6-201310271552.patch.sig’

100%[=======================================================>] 72          --.-K/s   in 0s     

2013-10-29 13:08:19 (823 KB/s) - ‘grsecurity-2.9.1-3.11.6-201310271552.patch.sig’ saved [72/72]

me@mybox:/some-dir/download-dir$ wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.xz
--2013-10-29 13:06:53--  https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.xz
Resolving www.kernel.org (www.kernel.org)... 198.145.20.140, 149.20.4.69
Connecting to www.kernel.org (www.kernel.org)|198.145.20.140|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 75095360 (72M) [application/x-xz]
Saving to: ‘linux-3.11.6.tar.xz’

100%[=======================================================>] 75,095,360   608KB/s   in 2m 0s 

2013-10-29 13:08:56 (612 KB/s) - ‘linux-3.11.6.tar.xz’ saved [75095360/75095360]

me@mybox:/some-dir/download-dir$ wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.sign
--2013-10-29 13:07:18--  https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.sign
Resolving www.kernel.org (www.kernel.org)... 198.145.20.140, 149.20.4.69
Connecting to www.kernel.org (www.kernel.org)|198.145.20.140|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 836 [application/pgp-signature]
Saving to: ‘linux-3.11.6.tar.sign’

100%[=======================================================>] 836         --.-K/s   in 0s     

2013-10-29 13:07:30 (13.9 MB/s) - ‘linux-3.11.6.tar.sign’ saved [836/836]

me@mybox:/some-dir/download-dir$ ls -l *3.11.6*
-rw-r--r-- 1 mr mr  3738234 Oct 27 19:53 grsecurity-2.9.1-3.11.6-201310271552.patch
-rw-r--r-- 1 mr mr       72 Oct 27 19:54 grsecurity-2.9.1-3.11.6-201310271552.patch.sig
-rw-r--r-- 1 mr mr      836 Oct 18 18:27 linux-3.11.6.tar.sign
-rw-r--r-- 1 mr mr 73928040 Oct 29 13:08 linux-3.11.6.tar.xz
me@mybox:/some-dir/download-dir$ gpg --verify grsecurity-2.9.1-3.11.6-201310271552.patch.sig
gpg: Signature made Sun 27 Oct 2013 07:54:01 PM UTC using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A
me@mybox:/some-dir/download-dir$ gpg --verify gradm-2.9.1-201309161709.tar.gz.sig
gpg: Signature made Mon 16 Sep 2013 09:10:02 PM UTC using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A
me@mybox:/some-dir/download-dir$ xz
xz       xzcat    xzcmp    xzdiff   xzegrep  xzfgrep  xzgrep   xzless   xzmore   


# The following is not a command, but a tab that I pressed, to see what options I have for
# the filename after 'linux-3.11.'
Code: Select all
me@mybox:/some-dir/download-dir$ xz linux-3.11.
linux-3.11.3.tar       linux-3.11.3.tar.sign  linux-3.11.6.tar.sign


# This is the actual command
Code: Select all
me@mybox:/some-dir/download-dir$ unxz linux-3.11.6.tar.xz
me@mybox:/some-dir/download-dir$ gpg --verify linux-3.11.6.tar.sign
gpg: Signature made Fri 18 Oct 2013 06:24:39 PM UTC using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E



Code: Select all
me@mybox:/some-dir/src$ tar tvf ../download-dir/linux-3.11.6.tar
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/
-rw-rw-r-- root/root      1097 2013-10-18 18:24 linux-3.11.6/.gitignore
-rw-rw-r-- root/root      4465 2013-10-18 18:24 linux-3.11.6/.mailmap
-rw-rw-r-- root/root     18693 2013-10-18 18:24 linux-3.11.6/COPYING
-rw-rw-r-- root/root     95317 2013-10-18 18:24 linux-3.11.6/CREDITS
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/Documentation/
-rw-rw-r-- root/root       107 2013-10-18 18:24 linux-3.11.6/Documentation/.gitignore
-rw-rw-r-- root/root     16957 2013-10-18 18:24 linux-3.11.6/Documentation/00-INDEX
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/
-rw-rw-r-- root/root      3284 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/README
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/
-rw-rw-r-- root/root       248 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/proc-sys-vm-nr_pdflush_threads
-rw-rw-r-- root/root      1296 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-bus-usb
-rw-rw-r-- root/root      1063 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-class-rfkill
-rw-rw-r-- root/root      2820 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-koneplus
-rw-rw-r-- root/root      3657 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-kovaplus
-rw-rw-r-- root/root      3767 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-pyra
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/removed/
-rw-rw-r-- root
...[snip]...


Code: Select all
me@mybox:/some-dir/src$ tar xvf ../download-dir/linux-3.11.6.tar
linux-3.11.6/
linux-3.11.6/.gitignore
linux-3.11.6/.mailmap
linux-3.11.6/COPYING
linux-3.11.6/CREDITS
linux-3.11.6/Documentation/
linux-3.11.6/Documentation/.gitignore
linux-3.11.6/Documentation/00-INDEX
linux-3.11.6/Documentation/ABI/
linux-3.11.6/Documentation/ABI/README
linux-3.11.6/Documentation/ABI/obsolete/
linux-3.11.6/Documentation/ABI/obsolete/proc-sys-vm-nr_pdflush_threads
linux-3.11.6/Documentation/ABI/obsolete/sysfs-bus-usb
linux-3.11.6/Documentation/ABI/obsolete/sysfs-class-rfkill
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-koneplus
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-kovaplus
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-pyra
linux-3.11.6/Documentation/ABI/removed/
linux-3.11.6/Doc
...[snip]...


Code: Select all
me@mybox:/some-dir/src$ ls -l
total 4
drwxr-xr-x 23 mr mr 4096 Oct 18 18:24 linux-3.11.6
me@mybox:/some-dir/src$ ls -l linux-3.11.6/
total 548
drwxr-xr-x  32 mr mr   4096 Oct 18 18:24 arch
drwxr-xr-x   3 mr mr   4096 Oct 18 18:24 block
-rw-r--r--   1 mr mr  18693 Oct 18 18:24 COPYING
-rw-r--r--   1 mr mr  95317 Oct 18 18:24 CREDITS
drwxr-xr-x   4 mr mr   4096 Oct 18 18:24 crypto
drwxr-xr-x 101 mr mr  12288 Oct 18 18:24 Documentation
drwxr-xr-x 112 mr mr   4096 Oct 18 18:24 drivers
drwxr-xr-x  36 mr mr   4096 Oct 18 18:24 firmware
drwxr-xr-x  73 mr mr   4096 Oct 18 18:24 fs
drwxr-xr-x  27 mr mr   4096 Oct 18 18:24 include
drwxr-xr-x   2 mr mr   4096 Oct 18 18:24 init
drwxr-xr-x   2 mr mr   4096 Oct 18 18:24 ipc
-rw-r--r--   1 mr mr   2536 Oct 18 18:24 Kbuild
-rw-r--r--   1 mr mr    252 Oct 18 18:24 Kconfig
drwxr-xr-x  12 mr mr   4096 Oct 18 18:24 kernel
drwxr-xr-x  11 mr mr   4096 Oct 18 18:24 lib
-rw-r--r--   1 mr mr 260046 Oct 18 18:24 MAINTAINERS
-rw-r--r--   1 mr mr  48517 Oct 18 18:24 Makefile
drwxr-xr-x   2 mr mr   4096 Oct 18 18:24 mm
drwxr-xr-x  56 mr mr   4096 Oct 18 18:24 net
-rw-r--r--   1 mr mr  18736 Oct 18 18:24 README
-rw-r--r--   1 mr mr   7485 Oct 18 18:24 REPORTING-BUGS
drwxr-xr-x  12 mr mr   4096 Oct 18 18:24 samples
drwxr-xr-x  13 mr mr   4096 Oct 18 18:24 scripts
drwxr-xr-x   9 mr mr   4096 Oct 18 18:24 security
drwxr-xr-x  22 mr mr   4096 Oct 18 18:24 sound
drwxr-xr-x  17 mr mr   4096 Oct 18 18:24 tools
drwxr-xr-x   2 mr mr   4096 Oct 18 18:24 usr
drwxr-xr-x   3 mr mr   4096 Oct 18 18:24 virt

Code: Select all
me@mybox:/some-dir/src$ cp -aiv ../download-dir/grsecurity-2.9.1-3.11.6-201310271552.patch .
‘../download-dir/grsecurity-2.9.1-3.11.6-201310271552.patch’ -> ‘./grsecurity-2.9.1-3.11.6-201310271552.patch’
me@mybox:/some-dir/src$ ls -l
total 3656
-rw-r--r--  1 mr mr 3738234 Oct 27 19:53 grsecurity-2.9.1-3.11.6-201310271552.patch
drwxr-xr-x 23 mr mr    4096 Oct 18 18:24 linux-3.11.6
me@mybox:/some-dir/src$ cd linux-3.11.6/
me@mybox:/some-dir/src/linux-3.11.6$ patch  -p1 < ../grsecurity-2.9.1-3.11.6-201310271552.patch
patching file Documentation/dontdiff
patching file Documentation/kernel-parameters.txt
patching file Makefile
patching file arch/alpha/include/asm/atomic.h
patching file arch/alpha/include/asm/cache.h
patching file arch/alpha/include/asm/elf.h
patching file arch/alpha/include/asm/pgalloc.h
patching file arch/alpha/include/asm/pgtable.h
patching file arch/alpha/kernel/module.c
patching file arch/alpha/kernel/osf_sys.c
patching file arch/alpha/mm/fault.c
patching file arch/arm/Kconfig
patching file arch/arm/include/asm/atomic.h
patching file arch/arm/include/asm/cache.h
patching file arch/arm/include/asm/cacheflush.h
patching file arch/arm/include/asm/checksum.h
patching file arch/arm/include/asm/cmpxchg.h
patching file arch/arm/include/asm/domain.h
patching file arch/arm/include/asm/elf.h
patching file arch/arm/include/asm/fncpy.h
patching file arch/arm/include/asm/futex.h
patching file arch/arm/include/asm/kmap_types.h
patching file arch/arm/include/asm/mach/dma.h
patching file arch/arm/include/asm/mach/map.h
patching file arch/arm/include/asm/outercache.h
patching file arch/arm/include/asm/page.h
...[snip]...
patching file tools/gcc/constify_plugin.c
patching file tools/gcc/generate_size_overflow_hash.sh
patching file tools/gcc/kallocstat_plugin.c
patching file tools/gcc/kernexec_plugin.c
patching file tools/gcc/latent_entropy_plugin.c
patching file tools/gcc/size_overflow_hash.data
patching file tools/gcc/size_overflow_plugin.c
patching file tools/gcc/stackleak_plugin.c
patching file tools/gcc/structleak_plugin.c
patching file tools/lib/lk/Makefile
patching file tools/perf/util/include/asm/alternative-asm.h
patching file tools/perf/util/include/linux/compiler.h
patching file virt/kvm/kvm_main.c
me@mybox:/some-dir/src/linux-3.11.6$


##################################################
## We now have a Grsec/Pax patched kernel       ##
##################################################

Part 2 is to follow.
Last edited by timbgo on 2014-09-30 10:37, edited 8 times in total.

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-10-29 20:29

Part 2

Code: Select all
me@mybox:/some-dir/src/linux-3.11.6$ fakeroot make deb-pkg
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  SHIPPED scripts/kconfig/zconf.tab.c
  SHIPPED scripts/kconfig/zconf.lex.c
  SHIPPED scripts/kconfig/zconf.hash.c
  HOSTCC  scripts/kconfig/zconf.tab.o
In file included from scripts/kconfig/zconf.tab.c:2501:0:
scripts/kconfig/expr.c: In function ‘expr_print_gstr_helper’:
scripts/kconfig/expr.c:1156:41: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
In file included from scripts/kconfig/zconf.tab.c:2502:0:
scripts/kconfig/symbol.c: In function ‘sym_rel_comp’:
scripts/kconfig/symbol.c:983:9: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/symbol.c:983:40: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/symbol.c:985:9: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/symbol.c:985:40: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
In file included from scripts/kconfig/zconf.tab.c:2503:0:
scripts/kconfig/menu.c: In function ‘menu_set_type’:
scripts/kconfig/menu.c:116:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf --silentoldconfig Kconfig
***
*** Configuration file ".config" not found!
***
*** Please run some configurator (e.g. "make oldconfig" or
*** "make menuconfig" or "make xconfig").
***
make[2]: *** [silentoldconfig] Error 1
make[1]: *** [silentoldconfig] Error 2
make: *** No rule to make target `include/config/auto.conf', needed by `include/config/kernel.release'.  Stop.
me@mybox:/some-dir/src/linux-3.11.6$


Sure enough. No .config in there... No big deal, *that* is no big deal...

For amd64, try fiddling with mine, which I'll attach or post complete... No warranties, pls! At your own risk. It works for me, it just defended me from a bruteforce attack, that's what I can tell...

EDIT START
Thu Oct 31 17:35:20 UTC 2013
Here is the actual config that I used yesterday when I posted this tip.
http://forums.debian.net/viewtopic.php?f=16&t=108616&p=516981#p517006
EDIT END

This is what my /boot looks like:

Code: Select all
root@mybox:/some-dir/mr# ls -l /boot/
total 57471
-rw-r--r-- 1 root root   126974 Aug  7 04:37 config-3.10.5-grsec-130807
-rw-r--r-- 1 root root   126725 Aug 28 01:47 config-3.10.9-grsec-130827
-rw-r--r-- 1 root root   128663 Oct  9 06:37 config-3.11.3-grsec-131009
-rw-r--r-- 1 root root   129038 Mar 26  2013 config-3.2.0-4-amd64
drwxr-xr-x 3 root root     5120 Oct 28 15:58 grub
-rw-r--r-- 1 root root 11189354 Aug  7 05:05 initrd.img-3.10.5-grsec-130807
-rw-r--r-- 1 root root 11309328 Oct 11 02:06 initrd.img-3.10.9-grsec-130827
-rw-r--r-- 1 root root 11371623 Oct 11 02:07 initrd.img-3.11.3-grsec-131009
-rw-r--r-- 1 root root  3372771 Apr 17  2013 initrd.img-3.2.0-4-amd64
drwx------ 2 root root     1024 Sep 18 15:22 lost+found
-rw-r--r-- 1 root root  2171130 Aug  7 04:37 System.map-3.10.5-grsec-130807
-rw-r--r-- 1 root root  2180693 Aug 28 01:47 System.map-3.10.9-grsec-130827
-rw-r--r-- 1 root root  2220919 Oct  9 06:37 System.map-3.11.3-grsec-131009
-rw-r--r-- 1 root root  2105340 Mar 26  2013 System.map-3.2.0-4-amd64
-rw-r--r-- 1 root root  2972112 Aug  7 04:37 vmlinuz-3.10.5-grsec-130807
-rw-r--r-- 1 root root  3167504 Aug 28 01:47 vmlinuz-3.10.9-grsec-130827
-rw-r--r-- 1 root root  3181136 Oct  9 06:37 vmlinuz-3.11.3-grsec-131009
-rw-r--r-- 1 root root  2833216 Mar 26  2013 vmlinuz-3.2.0-4-amd64
root@mybox:/some-dir/mr#


The old vmlinuz-3.2.0-4-amd64 is the stock Debian kernel. I haven't used it in months. Actually, it's the whole *-3.2.0-4-amd64 pack we are talking about.

And the three other packs are some of the more recent grsec kernels that I've compiled.

We'll take the latest config, sure.

Code: Select all
me@mybox:/some-dir/src/linux-3.11.6$ cp /boot/config-3.11.3-grsec-131009 .config


However, if you use some other config file, pls. take good care to get rid of any SELinux configuration options. Basically, or in simplified terms, and trying hard not to get into gory political (and worse) details, SELinux and Grsecurity are not compatible, at least in some of the possible semantics/meanings/senses.

If you do use some other config-XYZ-whatever, I advise you to look up here:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3712
and grep it for selin:
Code: Select all
# cat /boot/config-3.10.9-grsec-130821 | grep -i selin
#
Pls. read there for more.
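
The gpg checks in Part 1 and the "grep it for selin" check here can be scripted. The following is an added example, not code from timbgo's post: a POSIX shell script whose functions (1) accept a gpg --verify result only when its "Primary key fingerprint:" line matches the fingerprint pinned from the pastes above, not merely because gpg says "Good signature", (2) confirm the grsecurity patch and the linux tarball name the same kernel version, and (3) flag SELinux options in a .config. The gpg output and .config fragments it runs on are constructed samples; the fingerprints are the ones gpg printed in the pastes above.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the
# download/verify/patch steps pasted above. Three things the pastes rely on
# but do not check automatically:
#   1. the "Good signature" came from the key we expect (gpg prints "Good
#      signature" for any key in the keyring, hence its own WARNING line);
#   2. the grsecurity patch and the kernel tarball are for the same version;
#   3. a reused .config carries no SELinux options.
# Note: kernel.org's .tar.sign covers the uncompressed .tar, so the tarball
# must be unxz'ed before "gpg --verify", exactly as the post does.

# Fingerprints as printed by gpg in the pastes above.
SPENDER_FPR="9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A"
GREGKH_FPR="647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E"

# norm_fpr FPR: drop whitespace and upper-case, so both spellings compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# fingerprint_ok EXPECTED_FPR GPG_OUTPUT
# 0 only if GPG_OUTPUT reports a good signature AND its "Primary key
# fingerprint:" line equals EXPECTED_FPR.
fingerprint_ok() {
    expected=$(norm_fpr "$1")
    printf '%s\n' "$2" | grep -q '^gpg: Good signature from ' || return 1
    got=$(printf '%s\n' "$2" | sed -n 's/^Primary key fingerprint: //p' | head -n 1)
    [ -n "$got" ] || return 1
    [ "$(norm_fpr "$got")" = "$expected" ]
}

# kver_from_patch grsecurity-2.9.1-3.11.6-201310271552.patch -> 3.11.6
kver_from_patch() {
    printf '%s\n' "$1" | sed -n 's/^grsecurity-[0-9.]*-\([0-9][0-9.]*\)-[0-9]*\.patch$/\1/p'
}

# kver_from_tarball linux-3.11.6.tar.xz -> 3.11.6 (also accepts linux-X.tar)
kver_from_tarball() {
    printf '%s\n' "$1" | sed -n 's/^linux-\([0-9][0-9.]*\)\.tar\(\.xz\)\{0,1\}$/\1/p'
}

# versions_match PATCH TARBALL: 0 if both file names carry the same kernel version.
versions_match() {
    p=$(kver_from_patch "$1")
    t=$(kver_from_tarball "$2")
    [ -n "$p" ] && [ "$p" = "$t" ]
}

# selinux_in_config < .config : 0 if any SELinux option is built in (=y) or
# modular (=m). This is the post's "grep it for selin", made strict: a
# "# CONFIG_SECURITY_SELINUX is not set" line does not trigger it.
selinux_in_config() {
    grep -q '^CONFIG_[A-Z0-9_]*SELINUX[A-Z0-9_]*=[ym]'
}

# --- constructed sample inputs, shaped like the pastes above ----------------
SAMPLE_GOOD='gpg: Signature made Sun 27 Oct 2013 07:54:01 PM UTC using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A'

# Same "Good signature" wording, different (made-up) key: must be rejected.
SAMPLE_WRONG_KEY='gpg: Good signature from "Someone Else <someone@example.invalid>"
Primary key fingerprint: 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999'

SAMPLE_CFG_CLEAN='CONFIG_64BIT=y
# CONFIG_SECURITY_SELINUX is not set'

SAMPLE_CFG_SELINUX='CONFIG_64BIT=y
CONFIG_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY_SELINUX=y'

# Stand-alone demonstration; in real use feed it "$(gpg --verify FILE.sig 2>&1)",
# the downloaded file names, and "< /boot/config-..." instead of the samples.
demo() {
    if fingerprint_ok "$SPENDER_FPR" "$SAMPLE_GOOD"; then
        echo "patch signature: good, and fingerprint is spender's"
    fi
    if ! fingerprint_ok "$SPENDER_FPR" "$SAMPLE_WRONG_KEY"; then
        echo "rejected: 'Good signature' from an unexpected key"
    fi
    if versions_match grsecurity-2.9.1-3.11.6-201310271552.patch linux-3.11.6.tar.xz; then
        echo "patch and tarball both target 3.11.6"
    fi
    if printf '%s\n' "$SAMPLE_CFG_SELINUX" | selinux_in_config; then
        echo "SELinux options enabled in sample config: clean them out first"
    fi
}

demo
```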

Code: Select all
me@mybox:/some-dir/src/linux-3.11.6$ make menuconfig
  HOSTCC  scripts/kconfig/lxdialog/checklist.o
scripts/kconfig/lxdialog/checklist.c: In function ‘dialog_checklist’:
scripts/kconfig/lxdialog/checklist.c:182:13: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/checklist.c:182:13: warning: signed and unsigned type in conditional expression [-Wsign-compare]
  HOSTCC  scripts/kconfig/lxdialog/inputbox.o
  HOSTCC  scripts/kconfig/lxdialog/menubox.o
  HOSTCC  scripts/kconfig/lxdialog/textbox.o
scripts/kconfig/lxdialog/textbox.c: In function ‘print_line’:
scripts/kconfig/lxdialog/textbox.c:346:10: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/textbox.c:346:10: warning: signed and unsigned type in conditional expression [-Wsign-compare]
scripts/kconfig/lxdialog/textbox.c:349:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/textbox.c:349:22: warning: signed and unsigned type in conditional expression [-Wsign-compare]
  HOSTCC  scripts/kconfig/lxdialog/util.o
scripts/kconfig/lxdialog/util.c: In function ‘dialog_clear’:
scripts/kconfig/lxdialog/util.c:294:13: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/util.c: In function ‘print_title’:
scripts/kconfig/lxdialog/util.c:368:14: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/util.c:368:14: warning: signed and unsigned type in conditional expression [-Wsign-compare]
scripts/kconfig/lxdialog/util.c: In function ‘print_autowrap’:
scripts/kconfig/lxdialog/util.c:415:34: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/util.c: In function ‘first_alpha’:
scripts/kconfig/lxdialog/util.c:536:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTCC  scripts/kconfig/lxdialog/yesno.o
  HOSTCC  scripts/kconfig/mconf.o
scripts/kconfig/mconf.c: In function ‘set_config_filename’:
scripts/kconfig/mconf.c:305:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/mconf.c:310:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTLD  scripts/kconfig/mconf
scripts/kconfig/mconf Kconfig


And at this point the terminal is taken over by menuconfig.

I'll mark what you need to select (using arrow keys) with "---->" on the left of the column of selectable entries.

In the first paste below you can see there is "---->" on the left of General setup. Select it and click Enter.


Code: Select all
.config - Linux/x86 3.11.6 Kernel Configuration
 ───────────────────────────────────────────────────────────────────────────────────────────────
  ┌───────────────────────── Linux/x86 3.11.6 Kernel Configuration ──────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] 64-bit kernel                                                             │ │ 
  │ │ ---->      General setup  --->                                                       │ │ 
  │ │        [*] Enable loadable module support  --->                                      │ │ 
  │ │        -*- Enable the block layer  --->                                              │ │ 
  │ │            Processor type and features  --->                                         │ │ 
  │ │            Power management and ACPI options  --->                                   │ │ 
  │ │            Bus options (PCI etc.)  --->                                              │ │ 
  │ │            Executable file formats / Emulations  --->                                │ │ 
  │ │        -*- Networking support  --->                                                  │ │ 
  │ │            Device Drivers  --->                                                      │ │ 
  │ │            Firmware Drivers  --->                                                    │ │ 
  │ │            File systems  --->                                                        │ │ 
  │ │            Kernel hacking  --->                                                      │ │ 
  │ │            Security options  --->                                                    │ │ 
  │ │        -*- Cryptographic API  --->                                                   │ │ 
  │ │        [*] Virtualization  --->                                                      │ │ 
  │ │            Library routines  --->                                                    │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 
   



Code: Select all
.config - Linux/x86 3.11.6 Kernel Configuration
 > General setup ───────────────────────────────────────────────────────────────────────────────
  ┌───────────────────────────────────── General setup ──────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        ()  Cross-compiler tool prefix                                                │ │ 
  │ │        [ ] Compile also drivers which will not load                                  │ │ 
  │ │  ----> (-131009) Local version - append to kernel release                            │ │ 
  │ │        [ ] Automatically append version information to the version string            │ │ 
  │ │            Kernel compression mode (Gzip)  --->                                      │ │ 
  │ │        ((none)) Default hostname                                                     │ │ 
  │ │        [*] Support for paging of anonymous memory (swap)                             │ │ 
  │ │        [*] System V IPC                                                              │ │ 
  │ │        [*] POSIX Message Queues                                                      │ │ 
  │ │        [*] open by fhandle syscalls                                                  │ │ 
  │ │        [*] Auditing support                                                          │ │ 
  │ │        [*]   Enable system-call auditing support                                     │ │ 
  │ │        [ ]   Make audit loginuid immutable                                           │ │ 
  │ │            IRQ subsystem  --->                                                       │ │ 
  │ │            Timers subsystem  --->                                                    │ │ 
  │ │            CPU/Task time and stats accounting  --->                                  │ │ 
  │ │            RCU Subsystem  --->                                                       │ │ 
  │ │        < > Kernel .config support                                                    │ │ 
  │ │        (17) Kernel log buffer size (16 => 64KB, 17 => 128KB)                         │ │ 
  │ └────────┴(+)──────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 

Of course the following is an optional change. But I like my kernels with local versions.

Code: Select all
.config - Linux/x86 3.11.6 Kernel Configuration
 > General setup ───────────────────────────────────────────────────────────────────────────────

           ┌─────────────── Local version - append to kernel release ────────────────┐
           │  Please enter a string value. Use the <TAB> key to move from the input  │ 
           │  field to the buttons below it.                                         │ 
           │ ┌─────────────────────────────────────────────────────────────────────┐ │ 
           │ │-131009                                                              │ │ 
           │ └─────────────────────────────────────────────────────────────────────┘ │ 
           │                                                                         │ 
           ├─────────────────────────────────────────────────────────────────────────┤ 
           │                         <  Ok  >      < Help >                          │ 
           └─────────────────────────────────────────────────────────────────────────┘ 


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > General setup ───────────────────────────────────────────────────────────────────────────────

           ┌─────────────── Local version - append to kernel release ────────────────┐
           │  Please enter a string value. Use the <TAB> key to move from the input  │ 
           │  field to the buttons below it.                                         │ 
           │ ┌─────────────────────────────────────────────────────────────────────┐ │ 
           │ │-131029                                                              │ │ 
           │ └─────────────────────────────────────────────────────────────────────┘ │ 
           │                                                                         │ 
           ├─────────────────────────────────────────────────────────────────────────┤ 
           │                         <  Ok  >      < Help >                          │ 
           └─────────────────────────────────────────────────────────────────────────┘ 

That above I did using backspace two times and typing 29.
Back we go now.

Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 ───────────────────────────────────────────────────────────────────────────────────────────────
  ┌───────────────────────── Linux/x86 3.11.6 Kernel Configuration ──────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] 64-bit kernel                                                             │ │ 
  │ │            General setup  --->                                                       │ │ 
  │ │        [*] Enable loadable module support  --->                                      │ │ 
  │ │        -*- Enable the block layer  --->                                              │ │ 
  │ │            Processor type and features  --->                                         │ │ 
  │ │            Power management and ACPI options  --->                                   │ │ 
  │ │            Bus options (PCI etc.)  --->                                              │ │ 
  │ │            Executable file formats / Emulations  --->                                │ │ 
  │ │        -*- Networking support  --->                                                  │ │ 
  │ │            Device Drivers  --->                                                      │ │ 
  │ │            Firmware Drivers  --->                                                    │ │ 
  │ │            File systems  --->                                                        │ │ 
  │ │            Kernel hacking  --->                                                      │ │ 
  │ │  ---->     Security options  --->                                                    │ │ 
  │ │        -*- Cryptographic API  --->                                                   │ │ 
  │ │        [*] Virtualization  --->                                                      │ │ 
  │ │            Library routines  --->                                                    │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 



Code: Select all
.config - Linux/x86 3.11.6 Kernel Configuration
 > Security options ────────────────────────────────────────────────────────────────────────────
  ┌──────────────────────────────────── Security options ────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │  ---->     Grsecurity  --->                                                          │ │ 
  │ │        -*- Enable access key retention support                                       │ │ 
  │ │        < >   TRUSTED KEYS                                                            │ │ 
  │ │        < >   ENCRYPTED KEYS                                                          │ │ 
  │ │        [ ]   Enable the /proc/keys file by which keys may be viewed                  │ │ 
  │ │        [ ] Restrict unprivileged access to the kernel syslog                         │ │ 
  │ │        [ ] Enable different security models                                          │ │ 
  │ │        -*- Enable the securityfs filesystem                                          │ │ 
  │ │        [ ] Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)               │ │ 
  │ │            Default security module (Unix Discretionary Access Controls)  --->        │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity ───────────────────────────────────────────────────────────────
  ┌─────────────────────────────────────── Grsecurity ───────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Grsecurity                                                                │ │ 
  │ │              Configuration Method (Custom)  --->                                     │ │ 
  │ │              Customize Configuration  --->                                           │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity ───────────────────────────────────────────────────────────────







                ┌──────────────────── Configuration Method ─────────────────────┐
                │  Use the arrow keys to navigate this window or press the      │ 
                │  hotkey of the item you wish to select followed by the <SPACE │ 
                │  BAR>. Press <?> for additional information about this        │ 
                │ ┌───────────────────────────────────────────────────────────┐ │ 
                │ │                       ( ) Automatic                       │ │ 
                │ │                       (X) Custom                          │ │ 
                │ │                                                           │ │ 
                │ │                                                           │ │ 
                │ │                                                           │ │ 
                │ │                                                           │ │ 
                │ └───────────────────────────────────────────────────────────┘ │ 
                ├───────────────────────────────────────────────────────────────┤ 
                │                    <Select>      < Help >                     │ 
                └───────────────────────────────────────────────────────────────┘ 
     

Back we go now.
And you can see where we are by the line underneath
".config - Linux/x86 3.11.6 Kernel Configuration", which I leave intact in all the pastes.
So if from now on I leave out marking what to select with "---->", you can still know how to get there.

Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration ─────────────────────────────────────
  ┌──────────────────────────────── Customize Configuration ─────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │            PaX  --->                                                                 │ │ 
  │ │            Memory Protections  --->                                                  │ │ 
  │ │            Role Based Access Control Options  --->                                   │ │ 
  │ │            Filesystem Protections  --->                                              │ │ 
  │ │            Kernel Auditing  --->                                                     │ │ 
  │ │            Executable Protections  --->                                              │ │ 
  │ │            Network Protections  --->                                                 │ │ 
  │ │            Physical Protections  --->                                                │ │ 
  │ │            Sysctl Support  --->                                                      │ │ 
  │ │            Logging Options  --->                                                     │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX ───────────────────────────────
  ┌────────────────────────────────────────── PaX ───────────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Enable various PaX features                                               │ │ 
  │ │              PaX Control  --->                                                       │ │ 
  │ │              Non-executable pages  --->                                              │ │ 
  │ │              Address Space Layout Randomization  --->                                │ │ 
  │ │            Miscellaneous hardening features  --->                                    │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > PaX Control ─────────────────
  ┌────────────────────────────────────── PaX Control ───────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [ ] Support soft mode                                                         │ │ 
  │ │        [ ] Use legacy ELF header marking                                             │ │ 
  │ │        [*] Use ELF program header marking                                            │ │ 
  │ │        [ ] Use filesystem extended attributes marking                                │ │ 
  │ │            MAC system integration (none)  --->                                       │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


I am not an expert at all. I don't understand even some of the explanations in the help, occasionally... I am open to learning from people who know more than me.

I don't claim that my choices are the best, esp. because I don't always have enough time to dig deep enough to weigh the pros and cons of the many options that Grsec/Pax presents us with.

But I am trying to make a user-to-user tips-and-tricks page here on the Debian forums because I believe in freedom and privacy, and I believe that there is hardly good privacy for a beginner's Debian machine without a Grsec/Pax kernel. And I believe privacy is essential for freedom.

I'll make a digression to paste some of the help, precisely because e.g. users of Skype (I am not one of those currently) will see how their .config will probably need to differ from mine here.


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > PaX Control ─────────────────
  ┌─────────────────────── Use filesystem extended attributes marking ───────────────────────┐
  │ CONFIG_PAX_XATTR_PAX_FLAGS:                                                              │ 
  │                                                                                          │ 
  │ Enabling this option will allow you to control PaX features on                           │ 
  │ a per executable basis via the 'setfattr' utility.  The control                          │ 
  │ flags will be read from the user.pax.flags extended attribute of                         │ 
  │ the file.  This marking has the benefit of supporting binary-only                        │ 
  │ applications that self-check themselves (e.g., skype) and would                          │ 
  │ not tolerate chpax/paxctl changes.  The main drawback is that                            │ 
  │ extended attributes are not supported by some filesystems (e.g.,                         │ 
  │ isofs, udf, vfat) so copying files through such filesystems will                         │ 
  │ lose the extended attributes and these PaX markings.                                     │ 
  │                                                                                          │ 
  │ Note that if you enable the legacy EI_PAX marking support as well,                       │ 
  │ the EI_PAX marks will be overridden by the XATTR_PAX_FLAGS marks.                        │ 
  │                                                                                          │ 
  │ If you enable both PT_PAX_FLAGS and XATTR_PAX_FLAGS support then you                     │ 
  │ must make sure that the marks are the same if a binary has both marks.                   │ 
  │                                                                                          │ 
  │ If you enable none of the marking options then all applications                          │ 
  │ will run with PaX enabled on them by default.                                            │ 
  │                                                                                          │ 
  │ Symbol: PAX_XATTR_PAX_FLAGS [=n]                                                         │ 
  │ Type  : boolean                                                                          │ 
  │ Prompt: Use filesystem extended attributes marking                                       │ 
  │   Location:                                                                              │ 
  ├──────────────────────────────────────────────────────────────────────────────────( 68%)──┤ 
  │                                         < Exit >                                         │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


I, myself, still have only:

Code: Select all
  │ │        [*] Use ELF program header marking                                            │ │ 


selected.

But I want to make another digression here, for two reasons.

Firstly, so that newbies understand what a blessing GNU/Debian is (notwithstanding that I have a few complaints about it, which I do occasionally publicly declare), in comparison with any closed-source vendor such as Microsoft in this current digression.

Secondly, how superb the program Grsecurity is, namely so great that of all the security options that the wide world offers, Microsoft chose to kind of steal exactly Grsecurity for its Skype deployment!

Please find the links for your kind perusal:
http://expertmiami.blogspot.com/2012/05/skype-does-away-with-random-supernodes.html
http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/

and, esp. for the less initiated, please find my take on it here:

https://forums.grsecurity.net/viewtopic.php?f=3&t=3594#p13203

Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > PaX Control ─────────────────
  ┌────────────────────────────────────── PaX Control ───────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [ ] Support soft mode                                                         │ │ 
  │ │        [ ] Use legacy ELF header marking                                             │ │ 
  │ │        [*] Use ELF program header marking                                            │ │ 
  │ │        [ ] Use filesystem extended attributes marking                                │ │ 
  │ │            MAC system integration (none)  --->                                       │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > PaX Control ─────────────────







                ┌─────────────────── MAC system integration ────────────────────┐
                │  Use the arrow keys to navigate this window or press the      │ 
                │  hotkey of the item you wish to select followed by the <SPACE │ 
                │  BAR>. Press <?> for additional information about this        │ 
                │ ┌───────────────────────────────────────────────────────────┐ │ 
                │ │                        (X) none                           │ │ 
                │ │                        ( ) direct                         │ │ 
                │ │                        ( ) hook                           │ │ 
                │ │                                                           │ │ 
                │ │                                                           │ │ 
                │ │                                                           │ │ 
                │ └───────────────────────────────────────────────────────────┘ │ 
                ├───────────────────────────────────────────────────────────────┤ 
                │                    <Select>      < Help >                     │ 
                └───────────────────────────────────────────────────────────────┘ 

Part 3 is to follow.
Last edited by timbgo on 2013-10-31 17:33, edited 5 times in total.
timbgo
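For the marking choice discussed in the post above (PT_PAX_FLAGS in the ELF program headers versus the user.pax.flags extended attribute), here is an added example that is not from the post and is not grsecurity's or PaX's own code: a small C program showing what "Use ELF program header marking" actually makes the kernel look at, namely a program header of type PT_PAX_FLAGS, and what the help text means when it says that a binary carrying both a PT_PAX_FLAGS mark and an xattr mark must carry the same setting in both. It assumes a little-endian ELF64 binary, takes the PT_PAX_FLAGS type value and the PF_* bits from PaX's additions to elf.h, uses paxctl's upper-case (enable) / lower-case (disable) letter convention for the xattr value, and works on a constructed in-memory ELF image rather than a real file; the function names (find_pt_pax_flags, pax_flags_sane, pax_flags_to_string, xattr_pax_flags, build_sample_elf, sample_pt_flags) are this example's own.

```c
/* Added example, not code from the post or from the grsecurity/PaX project:
 * reads the PT_PAX_FLAGS program header that CONFIG_PAX_PT_PAX_FLAGS ("Use ELF
 * program header marking") makes the kernel honour, decodes it, and checks the
 * two rules the Kconfig help implies: no feature both enabled and disabled, and
 * a PT_PAX_FLAGS mark and a user.pax.flags xattr mark must agree.  Assumes
 * little-endian ELF64; bit values as in PaX's elf.h, letters as in paxctl. */
#include <stdint.h>
#include <string.h>

#define PT_LOAD      1u
#define PT_PAX_FLAGS 0x65041580u             /* PaX-specific header type */
enum {                       /* p_flags bits: even = enable, odd = disable */
    PF_PAGEEXEC = 1u << 4,  PF_NOPAGEEXEC = 1u << 5,
    PF_SEGMEXEC = 1u << 6,  PF_NOSEGMEXEC = 1u << 7,
    PF_MPROTECT = 1u << 8,  PF_NOMPROTECT = 1u << 9,
    PF_RANDEXEC = 1u << 10, PF_NORANDEXEC = 1u << 11,
    PF_EMUTRAMP = 1u << 12, PF_NOEMUTRAMP = 1u << 13,
    PF_RANDMMAP = 1u << 14, PF_NORANDMMAP = 1u << 15,
};
static const char pax_letters[] = "PpSsMmXxEeRr";   /* letter i <-> bit 4+i */
typedef struct {             /* ELF64 layouts copied here, so no <elf.h> */
    unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;
typedef struct { uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align; } Phdr64;

/* Locate PT_PAX_FLAGS in an in-memory image: 0 and *flags set on success, -1 if
 * no PaX header, -2 if not well-formed little-endian ELF64 (offsets checked). */
int find_pt_pax_flags(const unsigned char *img, size_t len, uint32_t *flags)
{
    Ehdr64 eh; if (len < sizeof eh) return -2;
    memcpy(&eh, img, sizeof eh);                      /* img may be unaligned */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return -2;
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1) return -2;   /* CLASS64, LSB */
    if (eh.e_phentsize < sizeof(Phdr64) || eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * eh.e_phentsize > len - eh.e_phoff) return -2;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * eh.e_phentsize, sizeof ph);
        if (ph.p_type == PT_PAX_FLAGS) { *flags = ph.p_flags; return 0; }
    }
    return -1;
}

/* 1 if no feature has both its enable and its disable bit set, else 0. */
int pax_flags_sane(uint32_t f) { return ((f & 0x5550u) & ((f & 0xAAA0u) >> 1)) == 0; }

/* Decode a mark in paxctl's letter convention, order P S M X E R: upper case =
 * enable bit, lower case = disable bit, '-' neither, '!' both.  Static buffer. */
const char *pax_flags_to_string(uint32_t f)
{
    static char out[7];
    for (int i = 0; i < 6; i++) {
        int on = (f >> (4 + 2 * i)) & 1, off = (f >> (5 + 2 * i)) & 1;
        out[i] = on && off ? '!' : on ? pax_letters[2 * i] : off ? pax_letters[2 * i + 1] : '-';
    }
    out[6] = '\0';
    return out;
}

/* Parse a user.pax.flags xattr value (the letters `setfattr -n user.pax.flags
 * -v "..."` stores) into the same bit layout; UINT32_MAX on an unknown letter. */
uint32_t xattr_pax_flags(const char *s)
{
    uint32_t f = 0;
    for (; *s; s++) {
        const char *p = strchr(pax_letters, *s);
        if (!p) return UINT32_MAX;
        f |= 1u << (4 + (p - pax_letters));
    }
    return f;
}

/* Constructed sample: a bare ELF64 image (header, one PT_LOAD, one PT_PAX_FLAGS,
 * no code) carrying the given mark.  buf needs 176 bytes; returns the length. */
size_t build_sample_elf(unsigned char *buf, uint32_t mark)
{
    Ehdr64 eh; Phdr64 ph[2];
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, LSB */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;        /* EXEC, x86-64 */
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Phdr64); eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD;      ph[0].p_flags = 5;    ph[0].p_align = 0x1000;
    ph[1].p_type = PT_PAX_FLAGS; ph[1].p_flags = mark; ph[1].p_align = 8;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Build a sample with the given mark and read it back; UINT32_MAX on error. */
uint32_t sample_pt_flags(uint32_t mark)
{
    unsigned char img[256]; uint32_t f; size_t n = build_sample_elf(img, mark);
    return find_pt_pax_flags(img, n, &f) == 0 ? f : UINT32_MAX;
}
```

To audit a real binary instead of the constructed one, read the file into a buffer and hand it to find_pt_pax_flags, then compare the decoded letters with what getfattr -n user.pax.flags reports for the same file when both marking options are built into the kernel; a mismatch is exactly the situation the help text warns about. The kernel does this parsing itself at execve() time, so the program only reproduces the marks for inspection and changes nothing about what is enforced.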

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-10-29 20:31

Part 3

Code: Select all
.config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX ───────────────────────────────
  ┌────────────────────────────────────────── PaX ───────────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Enable various PaX features                                               │ │ 
  │ │              PaX Control  --->                                                       │ │ 
  │ │              Non-executable pages  --->                                              │ │ 
  │ │              Address Space Layout Randomization  --->                                │ │ 
  │ │            Miscellaneous hardening features  --->                                    │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 







 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > Non-executable pages ────────
  ┌────────────────────────────────── Non-executable pages ──────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Enforce non-executable pages                                              │ │ 
  │ │        [*]   Paging based non-executable pages                                       │ │ 
  │ │        [*] Emulate trampolines                                                       │ │ 
  │ │        [*] Restrict mprotect()                                                       │ │ 
  │ │        [*]   Use legacy/compat protection demoting (read help)                       │ │ 
  │ │        [ ]   Allow ELF text relocations (read help)                                  │ │ 
  │ │        [ ] Enforce non-executable kernel pages                                       │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 




 .config - Linux/x86 3.11.6 Kernel Configuration
 [...] ptions > Grsecurity > Customize Configuration > PaX > Address Space Layout Randomization
  ┌─────────────────────────── Address Space Layout Randomization ───────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Address Space Layout Randomization                                        │ │ 
  │ │        [*] Randomize kernel stack base                                               │ │ 
  │ │        [*] Randomize user stack base                                                 │ │ 
  │ │        [*] Randomize mmap() base                                                     │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


 .config - Linux/x86 3.11.6 Kernel Configuration
 [...]  options > Grsecurity > Customize Configuration > PaX > Miscellaneous hardening features
  ┌──────────────────────────── Miscellaneous hardening features ────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Sanitize all freed memory                                                 │ │ 
  │ │        [*] Sanitize kernel stack                                                     │ │ 
  │ │        [*] Forcibly initialize local variables copied to userland                    │ │ 
  │ │        [*] Prevent invalid userland pointer dereference                              │ │ 
  │ │        [*] Prevent various kernel object reference counter overflows                 │ │ 
  │ │        [*] Harden heap object copies between kernel and userland                     │ │ 
  │ │        [*] Prevent various integer overflows in function size parameters             │ │ 
  │ │        [ ] Generate some entropy during boot and runtime                             │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Memory Protections ────────────────
  ┌─────────────────────────────────── Memory Protections ───────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port                │ │ 
  │ │        [ ] Disable privileged I/O                                                    │ │ 
  │ │        [*] Harden BPF JIT against spray attacks                                      │ │ 
  │ │        [*] Disable unprivileged PERF_EVENTS usage by default                         │ │ 
  │ │        [*] Insert random gaps between thread stacks                                  │ │ 
  │ │        [*] Harden ASLR against information leaks and entropy reduction               │ │ 
  │ │        [*] Deter exploit bruteforcing                                                │ │ 
  │ │        [ ] Harden module auto-loading                                                │ │ 
  │ │        [*] Hide kernel symbols                                                       │ │ 
  │ │        [*] Active kernel exploit response                                            │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Role Based Access Control Options ─
  ┌─────────────────────────── Role Based Access Control Options ────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [ ] Disable RBAC system                                                       │ │ 
  │ │        [*] Hide kernel processes                                                     │ │ 
  │ │        (3) Maximum tries before password lockout                                     │ │ 
  │ │        (30) Time to wait after max password tries, in seconds                        │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Filesystem Protections ────────────
  ┌───────────────────────────────── Filesystem Protections ─────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Proc restrictions                                                         │ │ 
  │ │        [ ]   Restrict /proc to user only                                             │ │ 
  │ │        [ ]     Allow special group                                                   │ │ 
  │ │        [*] Linking restrictions                                                      │ │ 
  │ │        [ ] Kernel-enforced SymlinksIfOwnerMatch                                      │ │ 
  │ │        [*] FIFO restrictions                                                         │ │ 
  │ │        [*] Sysfs/debugfs restriction                                                 │ │ 
  │ │        [*] Runtime read-only mount protection                                        │ │ 
  │ │        [*] Eliminate stat/notify-based device sidechannels                           │ │ 
  │ │        [*] Chroot jail restrictions                                                  │ │ 
  │ │        [*]   Deny mounts                                                             │ │ 
  │ │        [*]   Deny double-chroots                                                     │ │ 
  │ │        [*]   Deny pivot_root in chroot                                               │ │ 
  │ │        [*]   Enforce chdir("/") on all chroots                                       │ │ 
  │ │        [*]   Deny (f)chmod +s                                                        │ │ 
  │ │        [*]   Deny fchdir out of chroot                                               │ │ 
  │ │        [*]   Deny mknod                                                              │ │ 
  │ │        [*]   Deny shmat() out of chroot                                              │ │ 
  │ │        [*]   Deny access to abstract AF_UNIX sockets out of chroot                   │ │ 
  │ │        [*]   Protect outside processes                                               │ │ 
  │ │        [*]   Restrict priority changes                                               │ │ 
  │ │        [*]   Deny sysctl writes                                                      │ │ 
  │ │        [*]   Capability restrictions                                                 │ │ 
  │ │        [ ]   Exempt initrd tasks from restrictions                                   │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 



 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Kernel Auditing ───────────────────
  ┌──────────────────────────────────── Kernel Auditing ─────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [ ] Single group for auditing                                                 │ │ 
  │ │        [*] Exec logging                                                              │ │ 
  │ │        [*] Resource logging                                                          │ │ 
  │ │        [*] Log execs within chroot                                                   │ │ 
  │ │        [*] Ptrace logging                                                            │ │ 
  │ │        [*] Chdir logging                                                             │ │ 
  │ │        [*] (Un)Mount logging                                                         │ │ 
  │ │        [*] Signal logging                                                            │ │ 
  │ │        [*] Fork failure logging                                                      │ │ 
  │ │        [*] Time change logging                                                       │ │ 
  │ │        [*] /proc/<pid>/ipaddr support                                                │ │ 
  │ │        [*] Denied RWX mmap/mprotect logging                                          │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Executable Protections ────────────
  ┌───────────────────────────────── Executable Protections ─────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Dmesg(8) restriction                                                      │ │ 
  │ │        [*] Deter ptrace-based process snooping                                       │ │ 
  │ │        [*] Require read access to ptrace sensitive binaries                          │ │ 
  │ │        [*] Enforce consistent multithreaded privileges                               │ │ 
  │ │        [ ] Trusted Path Execution (TPE)                                              │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Network Protections ───────────────
  ┌────────────────────────────────── Network Protections ───────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Larger entropy pools                                                      │ │ 
  │ │        [*] TCP/UDP blackhole and LAST_ACK DoS prevention                             │ │ 
  │ │        [*] Disable TCP Simultaneous Connect                                          │ │ 
  │ │        [ ] Socket restrictions                                                       │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Physical Protections ──────────────
  ┌────────────────────────────────── Physical Protections ──────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [ ] Deny new USB connections after toggle                                     │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Sysctl Support ────────────────────
  ┌───────────────────────────────────── Sysctl Support ─────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        [*] Sysctl support                                                            │ │ 
  │ │        [*]   Turn on features by default                                             │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 


Code: Select all
 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Logging Options ───────────────────
  ┌──────────────────────────────────── Logging Options ─────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │ 
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │ 
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │ 
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │        (10) Seconds in between log messages (minimum)                                │ │ 
  │ │        (6) Number of messages in a burst (maximum)                                   │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ │                                                                                      │ │ 
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │ 
  ├──────────────────────────────────────────────────────────────────────────────────────────┤ 
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │ 
  └──────────────────────────────────────────────────────────────────────────────────────────┘ 



That's all the configuration. I admit I haven't had time to reread most of the help of the options since maybe a few months ago. But I did spend quite a few afternoons studying Grsecurity/Pax previously! And I don't regret it one bit! Instead I hope I will dig much deeper some day into how to better yet use the protections that these programs afford.

Once the configuration is completed (of course you might need to configure the "pristine" kernel for completely different issues than Grsec/Pax now as well).

But once you are done, and once you have saved the menuconfig and exited, this is what you see:

Code: Select all
configuration written to .config

*** End of the configuration.
*** Execute 'make' to start the build or try 'make help'.


Part 4 is to follow.
timbgo
 
Posts: 244
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-10-29 20:33

Part 4

Now, as normal user:
Code: Select all
me@mybox:/some-dir/src/linux-3.11.6$ fakeroot make deb-pkg
scripts/kconfig/conf --silentoldconfig Kconfig
make KBUILD_SRC=
  HOSTCXX -fPIC tools/gcc/colorize_plugin.o
  GENHASH  /some-dir/src/linux-3.11.6/tools/gcc/size_overflow_hash.h
  HOSTCXX -fPIC tools/gcc/size_overflow_plugin.o
  HOSTCXX -fPIC tools/gcc/stackleak_plugin.o
  HOSTCXX -fPIC tools/gcc/structleak_plugin.o
  HOSTLLD -shared tools/gcc/stackleak_plugin.so
  HOSTLLD -shared tools/gcc/colorize_plugin.so
  HOSTLLD -shared tools/gcc/size_overflow_plugin.so
  HOSTLLD -shared tools/gcc/structleak_plugin.so
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/syscalls/../include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_64.h
  HOSTCC  arch/x86/tools/relocs_32.o
  HOSTCC  arch/x86/tools/relocs_64.o
In file included from arch/x86/tools/relocs_64.c:17:0:
arch/x86/tools/relocs.c: In function ‘do_reloc64’:
arch/x86/tools/relocs.c:798:24: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTCC  arch/x86/tools/relocs_common.o
  HOSTLD  arch/x86/tools/relocs
  WRAP    arch/x86/include/generated/asm/clkdev.h
  CHK     include/generated/uapi/linux/version.h
  UPD     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  UPD     include/generated/utsrelease.h
  CC      kernel/bounds.s
  GEN     include/generated/bounds.h
  CC      arch/x86/kernel/asm-offsets.s
  GEN     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  HOSTCC  scripts/genksyms/genksyms.o
  SHIPPED scripts/genksyms/lex.lex.c
  SHIPPED scripts/genksyms/keywords.hash.c
  SHIPPED scripts/genksyms/parse.tab.h
  HOSTCC  scripts/genksyms/lex.lex.o
scripts/genksyms/lex.lex.c_shipped: In function ‘yy_get_next_buffer’:
scripts/genksyms/lex.lex.c_shipped:1135:3: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  SHIPPED scripts/genksyms/parse.tab.c
  HOSTCC  scripts/genksyms/parse.tab.o
  HOSTLD  scripts/genksyms/genksyms
  CC      scripts/mod/empty.o
  HOSTCC  scripts/mod/mk_elfconfig
  MKELF   scripts/mod/elfconfig.h
  CC      scripts/mod/devicetable-offsets.s
  GEN     scripts/mod/devicetable-offsets.h
  HOSTCC  scripts/mod/file2alias.o
scripts/mod/file2alias.c: In function ‘do_vmbus_entry’:
scripts/mod/file2alias.c:878:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/mod/file2alias.c: In function ‘do_ipack_entry’:
scripts/mod/file2alias.c:1035:2: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/mod/file2alias.c:1036:2: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTCC  scripts/mod/modpost.o
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  HOSTCC  scripts/kallsyms
  HOSTCC  scripts/conmakehash
  HOSTCC  scripts/sortextable
scripts/sortextable.c: In function ‘main’:
scripts/sortextable.c:295:6: warning: variable ‘n_error’ might be clobbered by ‘longjmp’ or ‘vfork’ [-Wclobbered]
  CC      init/main.o
  CHK     include/generated/compile.h
  UPD     include/generated/compile.h
  CC      init/version.o
  CC      init/do_mounts.o
  CC      init/do_mounts_initrd.o
  LD      init/mounts.o
  CC      init/initramfs.o
  CC      init/calibrate.o
  CC      init/init_task.o
  LD      init/built-in.o
  HOSTCC  usr/gen_init_cpio
  GEN     usr/initramfs_data.cpio
  AS      usr/initramfs_data.o
  LD      usr/built-in.o
  LD      arch/x86/crypto/built-in.o
  CC [M]  arch/x86/crypto/ablk_helper.o
  CC [M]  arch/x86/crypto/glue_helper.o
  AS [M]  arch/x86/crypto/aes-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/aes_glue.o
  AS [M]  arch/x86/crypto/aesni-intel_asm.o
  CC [M]  arch/x86/crypto/aesni-intel_glue.o
  CC [M]  arch/x86/crypto/fpu.o
  AS [M]  arch/x86/crypto/blowfish-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/blowfish_glue.o
  CC [M]  arch/x86/crypto/crc32c-intel_glue.o
  AS [M]  arch/x86/crypto/crc32c-pcl-intel-asm_64.o
  AS [M]  arch/x86/crypto/ghash-clmulni-intel_asm.o
  CC [M]  arch/x86/crypto/ghash-clmulni-intel_glue.o
  AS [M]  arch/x86/crypto/salsa20-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/salsa20_glue.o
  AS [M]  arch/x86/crypto/sha1_ssse3_asm.o
  CC [M]  arch/x86/crypto/sha1_ssse3_glue.o
  AS [M]  arch/x86/crypto/twofish-x86_64-asm_64-3way.o
  CC [M]  arch/x86/crypto/twofish_glue_3way.o
  AS [M]  arch/x86/crypto/twofish-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/twofish_glue.o
  LD [M]  arch/x86/crypto/aes-x86_64.o
  LD [M]  arch/x86/crypto/blowfish-x86_64.o
  LD [M]  arch/x86/crypto/twofish-x86_64.o
  LD [M]  arch/x86/crypto/twofish-x86_64-3way.o
  LD [M]  arch/x86/crypto/salsa20-x86_64.o
  LD [M]  arch/x86/crypto/aesni-intel.o
  LD [M]  arch/x86/crypto/ghash-clmulni-intel.o
...[snip]...

This of course may take its time. I use Debian on my slow boxes, where compilation such as is done on my Gentoo boxes is a prohibitive task in terms of time... Gentoo compilations (I also use Gentoo on a few machines of my SOHO), Gentoo compilations are compilations of all and any programs (well, almost) that you install, while in Debian we have only the compilation of this "pristine" kernel, Grsecurity/Pax patched (unless you are a developer... well, but then you don't need to read this, do you?).

On this box (the one I was to replace back then, now call them my old machines), one of the slow same MBO pack of my SOHO:

Use old amd64 gentoo image on new amd64 hardware, possible?
https://forums.gentoo.org/viewtopic-t-940916-start-0-postdays-0-postorder-asc-highlight-.html

it'll take a few hours of compilation to get the packages compiled and ready for installation.

Longer. But pls. notice that it's some 7-8 yrs old technology, these machines of which this one is maybe the slowest I have...

After two hours twenty minutes I am at the last stretch with my kernel compilation:

Code: Select all
...[snip]...
  INSTALL include/linux/sunrpc (1 file)
  INSTALL include/linux/tc_act (7 files)
  INSTALL include/linux/tc_ematch (4 files)
  INSTALL include/linux/usb (10 files)
  INSTALL include/linux/wimax (1 file)
  INSTALL include/linux (386 files)
  INSTALL include/mtd (5 files)
  INSTALL include/rdma (6 files)
  INSTALL include/scsi/fc (4 files)
  INSTALL include/scsi (3 files)
  INSTALL include/sound (10 files)
  INSTALL include/video (3 files)
  INSTALL include/xen (2 files)
  INSTALL include/uapi (0 file)
  INSTALL include/asm (64 files)
dpkg-deb: building package `linux-firmware-image' in `../linux-firmware-image_3.11.6-grsec-131029-1_amd64.deb'.
dpkg-deb: building package `linux-headers-3.11.6-grsec-131029' in `../linux-headers-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb'.
dpkg-deb: building package `linux-libc-dev' in `../linux-libc-dev_3.11.6-grsec-131029-1_amd64.deb'.
dpkg-deb: building package `linux-image-3.11.6-grsec-131029' in `../linux-image-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb'.

Yeah, from here there's at least one more hour. But then I will be able to install these same binaries, the last of which is being churned out, onto this and one more of my Debian boxes.

No. The command prompt is back after only ;-) one half more hour.

But pls., again, bear in mind that it is really old tech, these machines.

# repasting part of the last paste here
Code: Select all
dpkg-deb: building package `linux-image-3.11.6-grsec-131029' in `../linux-image-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb'.
me@mybox:/some-dir/src/linux-3.11.6$

So I go root now.

Code: Select all
root@mybox:/some-dir/mr# cd /some-dir/src
root@mybox:/some-dir/src# ls -l
total 518296
-rw-r--r--  1 mr mr   3738234 Oct 27 19:53 grsecurity-2.9.1-3.11.6-201310271552.patch
drwx------ 26 mr mr      4096 Oct 29 16:51 linux-3.11.6
-rw-r--r--  1 mr mr   1136064 Oct 29 16:52 linux-firmware-image_3.11.6-grsec-131029-1_amd64.deb
-rw-r--r--  1 mr mr   9188410 Oct 29 16:52 linux-headers-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb
-rw-r--r--  1 mr mr 515704298 Oct 29 17:16 linux-image-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb
-rw-r--r--  1 mr mr    947038 Oct 29 16:52 linux-libc-dev_3.11.6-grsec-131029-1_amd64.deb
root@mybox:/some-dir/src#

And simply:

Code: Select all
root@mybox:/some-dir/src# dpkg -i *.deb
(Reading database ... 233022 files and directories currently installed.)
Preparing to replace linux-firmware-image 3.11.3-grsec-131009-1 (using linux-firmware-image_3.11.6-grsec-131029-1_amd64.deb) ...
Unpacking replacement linux-firmware-image ...
Selecting previously unselected package linux-headers-3.11.6-grsec-131029.
Unpacking linux-headers-3.11.6-grsec-131029 (from linux-headers-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb) ...
Selecting previously unselected package linux-image-3.11.6-grsec-131029.
Unpacking linux-image-3.11.6-grsec-131029 (from linux-image-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb) ...
Preparing to replace linux-libc-dev 3.11.3-grsec-131009-1 (using linux-libc-dev_3.11.6-grsec-131029-1_amd64.deb) ...
Unpacking replacement linux-libc-dev ...
Setting up linux-firmware-image (3.11.6-grsec-131029-1) ...
Setting up linux-headers-3.11.6-grsec-131029 (3.11.6-grsec-131029-1) ...
Setting up linux-image-3.11.6-grsec-131029 (3.11.6-grsec-131029-1) ...
update-initramfs: Generating /boot/initrd.img-3.11.6-grsec-131029
Killed
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.11.6-grsec-131029
Found initrd image: /boot/initrd.img-3.11.6-grsec-131029
Killed
Killed
Found linux image: /boot/vmlinuz-3.11.3-grsec-131009
Found initrd image: /boot/initrd.img-3.11.3-grsec-131009
Killed
Killed
Found linux image: /boot/vmlinuz-3.10.9-grsec-130827
Found initrd image: /boot/initrd.img-3.10.9-grsec-130827
Killed
Killed
Found linux image: /boot/vmlinuz-3.10.5-grsec-130807
Found initrd image: /boot/initrd.img-3.10.5-grsec-130807
Killed
Killed
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
Killed
Killed
Killed
Syntax errors are detected in generated GRUB config file.
Ensure that there are no errors in /etc/default/grub
and /etc/grub.d/* files or please file a bug report with
/boot/grub/grub.cfg.new file attached.
done
Setting up linux-libc-dev (3.11.6-grsec-131029-1) ...
root@mybox:/some-dir/src#

Aarghhh!!! There goes one problem that I haven't yet solved...

I thought I have, but I haven't yet...

As can be read here:

https://forums.grsecurity.net/viewtopic.php?f=3&t=3712#p13424

1. grub has nested function trampolines (you would have seen it in the kernel logs probably) so you'll either have to enable EMUTRAMP or disable MPROTECT on the grub binaries.


I investigated and tried to apply:

Code: Select all
root@mybox:/home/me# paxctl -v /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/sbin/grub-mkdevicemap does not have a PT_PAX_FLAGS program header, try conversion
file /usr/sbin/grub-probe does not have a PT_PAX_FLAGS program header, try conversion
root@mybox:/home/me# paxctl -cm /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
file /usr/sbin/grub-mkdevicemap had a PT_GNU_STACK program header, converted
file /usr/sbin/grub-probe had a PT_GNU_STACK program header, converted
root@mybox:/home/me# paxctl -v /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/sbin/grub-mkdevicemap]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
- PaX flags: -----m-x-e-- [/usr/sbin/grub-probe]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
root@mybox:/home/me#


But, hey, EMUTRAMP is disabled. Let's enable it.

Code: Select all
root@mybox:/home/me# paxctl -E /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
root@mybox:/home/me# paxctl -v /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-xE--- [/usr/sbin/grub-mkdevicemap]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is enabled
- PaX flags: -----m-xE--- [/usr/sbin/grub-probe]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is enabled
root@mybox:/home/me#


But the right way to go about it, I think, is first uninstall the packages that may not be properly installed...

No, not, because it's there, the new kernel is installed.

Code: Select all
root@mybox:/some-dir/mr# ls -l /boot/
total 74051
-rw-r--r-- 1 root root   126974 Aug  7 04:37 config-3.10.5-grsec-130807
-rw-r--r-- 1 root root   126725 Aug 28 01:47 config-3.10.9-grsec-130827
-rw-r--r-- 1 root root   128663 Oct  9 06:37 config-3.11.3-grsec-131009
-rw-r--r-- 1 root root   128663 Oct 29 16:49 config-3.11.6-grsec-131029
-rw-r--r-- 1 root root   129038 Mar 26  2013 config-3.2.0-4-amd64
drwxr-xr-x 3 root root     5120 Oct 29 17:22 grub
-rw-r--r-- 1 root root 11189354 Aug  7 05:05 initrd.img-3.10.5-grsec-130807
-rw-r--r-- 1 root root 11309328 Oct 11 02:06 initrd.img-3.10.9-grsec-130827
-rw-r--r-- 1 root root 11371623 Oct 11 02:07 initrd.img-3.11.3-grsec-131009
-rw-r--r-- 1 root root 11370633 Oct 29 17:22 initrd.img-3.11.6-grsec-131029
-rw-r--r-- 1 root root  3372771 Apr 17  2013 initrd.img-3.2.0-4-amd64
drwx------ 2 root root     1024 Sep 18 15:22 lost+found
-rw-r--r-- 1 root root  2171130 Aug  7 04:37 System.map-3.10.5-grsec-130807
-rw-r--r-- 1 root root  2180693 Aug 28 01:47 System.map-3.10.9-grsec-130827
-rw-r--r-- 1 root root  2220919 Oct  9 06:37 System.map-3.11.3-grsec-131009
-rw-r--r-- 1 root root  2221258 Oct 29 16:49 System.map-3.11.6-grsec-131029
-rw-r--r-- 1 root root  2105340 Mar 26  2013 System.map-3.2.0-4-amd64
-rw-r--r-- 1 root root  2972112 Aug  7 04:37 vmlinuz-3.10.5-grsec-130807
-rw-r--r-- 1 root root  3167504 Aug 28 01:47 vmlinuz-3.10.9-grsec-130827
-rw-r--r-- 1 root root  3181136 Oct  9 06:37 vmlinuz-3.11.3-grsec-131009
-rw-r--r-- 1 root root  3182608 Oct 29 16:49 vmlinuz-3.11.6-grsec-131029
-rw-r--r-- 1 root root  2833216 Mar 26  2013 vmlinuz-3.2.0-4-amd64
root@mybox:/some-dir/mr#


I think I can try:

Code: Select all
root@mybox:/some-dir/mr# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.11.6-grsec-131029
root@mybox:/some-dir/mr#

Seems OK.

I am yet to know if all really went well.

I am going to see if I can now reboot into my new kernel.

# ((after the reboot))
Of course not. It was the grub-mkconfig, stupid!... wasn't concentrated in here (was watching Russia Today as I was writing this).

Code: Select all
root@mybox:/home/me# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub.cfg ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-3.11.6-grsec-131029
Found initrd image: /boot/initrd.img-3.11.6-grsec-131029
Found linux image: /boot/vmlinuz-3.11.3-grsec-131009
Found initrd image: /boot/initrd.img-3.11.3-grsec-131009
Found linux image: /boot/vmlinuz-3.10.9-grsec-130827
Found initrd image: /boot/initrd.img-3.10.9-grsec-130827
Found linux image: /boot/vmlinuz-3.10.5-grsec-130807
Found initrd image: /boot/initrd.img-3.10.5-grsec-130807
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
Killed
Syntax errors are detected in generated GRUB config file.
Ensure that there are no errors in /etc/default/grub
and /etc/grub.d/* files or please file a bug report with
/boot/grub/grub.cfg.new file attached.
done
root@mybox:/home/me#

Much better than before.

Now comes one important thing that users need to know, the users of Grsecurity/Pax (or simply Grsecurity, which is often used for short, but this is a two-pack of programs).

You need to get a little more familiar with the logs in /var/log/
Well. some of the logs.
Grsec writes a lot, and it writes mostly in messages (/var/log/messages) and, importantly, kern.log
So, I'll try to find what got killed (there's now only one "Killed" instead of many) in the grub-mkconfig trampoline execution (IIUC).

And I find these four lines:

Code: Select all
Oct 29 17:43:29 naibd7 kernel: [  282.917617] grsec: exec of /usr/bin/grub-script-check (/usr/bin/grub-script-check /boot/grub/grub.cfg.new ) by /usr/bin/grub-script-check[grub-mkconfig:4511] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/grub-mkconfig[grub-mkconfig:3331] uid/euid:0/0 gid/egid:0/0
Oct 29 17:43:29 naibd7 kernel: [  282.921526] PAX: execution attempt in: <stack>, 380ef9a7000-380ef9c9000 3fffffdd000
Oct 29 17:43:29 naibd7 kernel: [  282.921535] PAX: terminating task: /usr/bin/grub-script-check(grub-script-che):4511, uid/euid: 0/0, PC: 00000380ef9c79f0, SP: 00000380ef9c6398
Oct 29 17:43:29 naibd7 kernel: [  282.921542] PAX: bytes at PC: 41 bb 30 27 40 00 49 ba e0 79 9c ef 80 03 00 00 49 ff e3 90
Oct 29 17:43:29 naibd7 kernel: [  282.921552] PAX: bytes at SP-8: 0000000000000011 0000000000404011 0000000003a49b50 0000000000000000 0000000003a49ad0 0000000003a49b50 0000000003a49b51 0000000003a4bb91 0000000003a4bb90 0000000000405ca6 0000000000000002
Oct 29 17:43:29 naibd7 kernel: [  282.921581] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/grub-script-check[grub-script-che:4511] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/grub-mkconfig[grub-mkconfig:3331] uid/euid:0/0 gid/egid:0/0

There I see that the binary in question could be:

Code: Select all
root@mybox:/home/me# ls -l /usr/bin/grub-script-check
-rwxr-xr-x 1 root root 88240 Jul  3 03:40 /usr/bin/grub-script-check
root@mybox:/home/me# file /usr/bin/grub-script-check
/usr/bin/grub-script-check: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=da65413513b541d3b796a3249cc6b62289d4e42e, stripped
root@mybox:/home/me# paxctl -v /usr/bin/grub-script-check
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion
root@mybox:/home/me# paxctl -cmE /usr/bin/grub-script-check
file /usr/bin/grub-script-check had a PT_GNU_STACK program header, converted
root@mybox:/home/me# paxctl -v /usr/bin/grub-script-check
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-xE--- [/usr/bin/grub-script-check]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is enabled
root@mybox:/home/me#

This should work now.

Code: Select all
root@mybox:/home/me# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub.cfg ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-3.11.6-grsec-131029
Found initrd image: /boot/initrd.img-3.11.6-grsec-131029
Found linux image: /boot/vmlinuz-3.11.3-grsec-131009
Found initrd image: /boot/initrd.img-3.11.3-grsec-131009
Found linux image: /boot/vmlinuz-3.10.9-grsec-130827
Found initrd image: /boot/initrd.img-3.10.9-grsec-130827
Found linux image: /boot/vmlinuz-3.10.5-grsec-130807
Found initrd image: /boot/initrd.img-3.10.5-grsec-130807
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
done
root@mybox:/home/me#

Let's reboot now.

# ((after another reboot))
Code: Select all
me@mybox:~$ uname -r
3.11.6-grsec-131029
me@mybox:~$


Right! Thank God!

I wish I could explain more in detail the few possibly more difficult points as newbies may find them to be, but I'm really out of time.

I've just had another instance of fine defence by Grsecurity/Pax against bruteforce attack on the other of my two Debian machines:

https://forums.grsecurity.net/viewtopic.php?f=3&t=3841

and I feel I need to report how it went on Grsecurity's forums, because I may be a stubborn political/religious/anti-surveillance nerd (that some of the disbelievers might think, who read around the link with Pax Team's line on trampolining grub binaries), if you really want, but I am not ungrateful.

Anyway, a newbie can get a lot of information if he/she just followed the links that are suggested further from somewhere around that already given link(s), or simply the suggested documentation on Grsecurity's site and regular Debian GNU/Linux documentation.

Miroslav Rovis,
Zagreb, Croatia
Last edited by timbgo on 2013-10-31 17:33, edited 2 times in total.
timbgo
 
Posts: 244
Joined: 2013-04-14 12:17
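The kern.log triage described in the post above (find which binary PaX terminated, then inspect and adjust that one binary's PaX flags with paxctl rather than weakening protections system-wide), as an added example that is not part of the original post: a small POSIX shell script that parses PAX kill messages and lists the terminated binaries and the memory region the execution attempt was in. The log lines it embeds are constructed to match the format shown in the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the forum post): triage grsec/PaX kill messages from
# /var/log/kern.log and list the binaries PaX terminated, so the admin knows
# which executables to inspect with `paxctl -v` before deciding whether to set
# EMUTRAMP (paxctl -E) or relax MPROTECT (paxctl -m) on that binary alone.
# SAMPLE_LOG is constructed to match the format shown in the post; in real use
# pipe the log in, e.g.:  grep 'PAX:' /var/log/kern.log | pax_killed_binaries

SAMPLE_LOG='Oct 29 17:43:29 naibd7 kernel: [  282.917617] grsec: exec of /usr/bin/grub-script-check (/usr/bin/grub-script-check /boot/grub/grub.cfg.new ) by /usr/bin/grub-script-check[grub-mkconfig:4511] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/grub-mkconfig[grub-mkconfig:3331] uid/euid:0/0 gid/egid:0/0
Oct 29 17:43:29 naibd7 kernel: [  282.921526] PAX: execution attempt in: <stack>, 380ef9a7000-380ef9c9000 3fffffdd000
Oct 29 17:43:29 naibd7 kernel: [  282.921535] PAX: terminating task: /usr/bin/grub-script-check(grub-script-che):4511, uid/euid: 0/0, PC: 00000380ef9c79f0, SP: 00000380ef9c6398
Oct 29 17:43:29 naibd7 kernel: [  282.921542] PAX: bytes at PC: 41 bb 30 27 40 00 49 ba e0 79 9c ef 80 03 00 00 49 ff e3 90
Oct 29 17:43:29 naibd7 kernel: [  282.921581] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/grub-script-check[grub-script-che:4511] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/grub-mkconfig[grub-mkconfig:3331] uid/euid:0/0 gid/egid:0/0
Oct 29 17:50:01 naibd7 kernel: [  700.000001] PAX: execution attempt in: <stack>, 7f0000000000-7f0000021000 7ffffffde000
Oct 29 17:50:01 naibd7 kernel: [  700.000002] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):4600, uid/euid: 0/0, PC: 00007f0000020f00, SP: 00007f000001e398'

# pax_killed_binaries: read log lines on stdin; print each terminated binary's
# path followed by how many times it was killed, sorted by path.
# The path is everything between "terminating task: " and the "(" that opens
# the truncated comm name.
pax_killed_binaries() {
    sed -n 's/.*PAX: terminating task: \([^(]*\)(.*/\1/p' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# pax_exec_regions: read log lines on stdin; for every "terminating task" line
# print "path region", where region is taken from the most recent
# "execution attempt in:" line (e.g. <stack>). A <stack> region for a grub
# helper is the nested-function trampoline case the post describes, which is
# what EMUTRAMP exists to emulate safely.
pax_exec_regions() {
    awk '
        /PAX: execution attempt in:/ {
            sub(/.*execution attempt in: /, ""); sub(/,.*/, "")
            region = $0; next
        }
        /PAX: terminating task:/ {
            sub(/.*terminating task: /, ""); sub(/\(.*/, "")
            print $0, (region == "" ? "?" : region); region = ""
        }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | pax_killed_binaries
printf '%s\n' "$SAMPLE_LOG" | pax_exec_regions
```

Each path this prints is a candidate for the `paxctl -v` inspection shown in the post; the decision to set EMUTRAMP or clear MPROTECT is still made per binary, after looking at what the program actually does.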

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-10-30 13:35

The
config-3.11.3-grsec-131009
that I actually used in the compilation I am now trying to attach (32k gzipped archive)
But I am getting the notice:
Sorry, the board attachment quota has been reached.

Will try later or try other means, don't know.
timbgo
 
Posts: 244
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-10-30 13:43

Trying with 28k xz archive...
Not allowed...
Will try later, or differently...
timbgo
 
Posts: 244
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-10-30 17:25

Here the config file
http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz
Pls. make sure you verify it:
http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz.sig
And I think that a newbie can still do it today, and maybe in a few days ahead.
Grsecurity is a "conditio sine qua non"!
The other missing "LINK HERE" I'll try and fix later. They are less important than this one.
EDIT START
Thu Oct 31 10:15:59 UTC 2013
Right now fixed those too. All is fine now, I guess. Newbies and others, your feedback is most appreciated!
EDIT END
I checked it, the link is alive, but pls. bear in mind that the rightwings like me are badly surveilled and censored in my Croatia which is ruled by traitors of this day.

Miroslav Rovis,
Zagreb, Croatia
timbgo
 
Posts: 244
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby /dev/null » 2013-11-06 02:49

Outstanding stuff!!!
It's a real pity that debian's security is so shamefully disregarded (let's face it, compared to gentoo, debian is a helpless little girl - last time I checked debian's gradm didn't even work, I had to compile it from source :cry: ).
THANK YOU!

BTW why is this thread not sticky yet???
/dev/null
 
Posts: 62
Joined: 2013-01-30 17:31

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-11-23 02:32

/dev/null wrote:Outstanding stuff!!!
It's a real pity that debian's security is so shamefully disregarded (let's face it, compared to gentoo, debian is a helpless little girl - last time I checked debian's gradm didn't even work, I had to compile it from source :cry: ).
THANK YOU!

BTW why is this thread not sticky yet???

Thanks, /dev/null !
I'm sorry I wasn't around in the meantime.
I did leave notes around explaining how I actually take sometimes patience-breaking times to do things, and occasionally I even desist from exhaustion... And postpone things. (And I can only dedicate a couple of days maximum per month to this hardening of my Debian with Grsecurity... from other things in my life.)

However there is a pattern in applying Grsecurity/Pax to harden your Debian GNU Linux and every next time I really employ less and less time to achieve the correct compilation and things.

I have just successfully compiled, and am browsing this forum now, with:

Code: Select all
# uname -r
3.11.8-grsec-131123
#


131123 is for 2013-11-23, which has just begun.

I'll try and explain, next, in a new post, the exact commands that newbies can, surely at their own responsibility, if they dare, try and reuse (amd64 is my arch).

I hope I won't need long to update this tips & trick page for the current kernel and current Grsecurity/Pax patch, as can be found here:
https://grsecurity.net/download.php
Cheers!
Miroslav Rovis
Zagreb, Croatia
timbgo
 

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-11-23 04:08

This is a call to give more space/interest/insight into Greater Security in Debian GNU Linux, esp. for newbies! Suffer them to have this information, they will be less likely to hurl bad words at you at later times in their lives when these things become clear to them whether you like it or not.

But I don't want to deluge newbies with sad stories about politics and treason (yes, as in any other movement, treason took roots in GNU Linux development too!)

But rather this tips & tricks page is about a call to other users like me, and above all newbies of lesser understanding at this time than me, to truly secure their systems like I probably have succeeded in doing by now, only thanks to the Grsecurity/Pax (which is often named short just Grsecurity) twin program patched into the kernel.

I gave, some two weeks ago, in the first few installments of this Tips & Tricks page, in the previous posts to this post, a detailed recount, with command lines and outputs of commands, of how I installed the previous version of the kernel, patched with Grsecurity.

So, let's remind the users of just a few things to more easily deploy the tips for the current kernel.

But of course, the following will not anymore be sufficient for newbies without those previous posts, no! Read attentively the entire page if you feel some of the concepts and explanations below don't sit as they should with you!

So first of all, the path that we take, in our approach, is:

1) _Not_ the Debian stock kernel, from Debian repositories, no!, but instead, the "pristine" kernel is to be used!
And that means, no aptitude, no apt-get install [name-of-the-kernel-package], but tar.xz (or tar.gz or tar.bz2) archive from:
https://www.kernel.org/
and precise (in case of about half of the Debian users who have the amd64 arch as I do, and in case those exact packages from my command lines below are available)...
...[and precise] commands to execute on those packages once the kernel is patched with the corresponding grsecurity patch.

2) no warranties, do it at your own risk. Works for me if I made it by the time this update to this tips & tricks page is made (sure I started writing this installment before, but by the time I'm finishing off these here lines, such as these words that you are exactly now reading, they are an addition to the draft from some three or more hours ago... And I did make it in the meantime).

Recommended: https://www.grsecurity.net and any pages you are pointed to from there and links of second and third (and further if needed) reference from there...

But it could, it could work for you just fine, simply running the commands below... It coooouuuld...

The place to start, for, not just today, but for our future installs of future Grsecurity patched kernels (just remember that I am a rightwinger, and that means the persecuted kind in Croatia of this day of its traitors, never mind my being tolerant and respectful of honest leftists, so if this does not get updated in months, I may not be among the free anymore, even worse...), so the place to start for our securing our Debian GNU Linuces is generally this one:

https://grsecurity.net/download.php

(The https is if you have HTTPS Everywhere [recommended], that you need to download from https://www.eff.org and install into your iceweasel, a quick and easy thing to do, really recommended, Electronic Frontier Foundation have been in anti-surveillance since long years, but this very note is not related to this tips & tricks page in any other way.)

Before I tell you what we need from that page, let me tell you that even though I will, for myself, regularly use a kernel without most of the modules that are all compiled into the stock kernel, and those modules are activated as needed for the recognized hardware, but also they can be abused by intruders...

...Let me tell you that even though I'll compile, for myself, for my regular use of my Debian machines, a kernel without most of the modules which are not needed for my hardware, I will try and still keep around a config file for compiling the kernel with most of the modules (or almost all actually), as I derived it from the old stock kernel whose config file I used when I first installed a Grsecurity-patched kernel.

I will keep such an all-modules-to-compile-in config file around precisely for the reason that it is quite likely that the commands below will then work for users with amd64 arch machines on various hardware, even totally different hardware from mine. (Once it does work for you, you surely will be better off and more secure if you then remove the config options for modules you have no need for, and recompile your kernel! But I won't indulge in that exercise. This page is just a call to the right direction, not an attempt to follow anyone in their particular issues, I have no resources of time, nor expertise to do so.)

OK. Let's get our system ready for kernel compilation.

Since the kernel will be about the most recent --actually just the next one after the bleeding edge kernel, because Grsecurity, the secret pride of Microsoft Skype (oh, but hackers, the hackers are thankfully often better off and cleverer than the corporate traitors! it didn't remain a secret, the stolen other people's product, the free product that those robbers, legal robbers that Billy and his gang and his kind are, thought they could use secretly and hide from the world and from the hackers cleverer than they will ever be... please find links on Microsoft's use of Grsecurity in Skype in previous installments of this Tips and Tricks page)...

LINK HERE maybe to that instance of M$ stealing of others' program.

Since the kernel will be about the most recent --actually just the next one after the bleeding edge kernel, because Grsecurity, the pride of M$ Skype that was to be secret but was uncovered, wasn't good enough for Linus Torvalds the friend of NSA who decided for NSA's SELinux... instead... But I didn't mean to write about that, and will not now. I just don't have the time.

I only have to say one thing in this regard though. It is a lie that NSA was asked to help with SELinux, as somewhere I found a link to an article about it. No. SELinux is a straight child of NSA. Fullstop.

LINK HERE (if I make it to find that link which I was pointed to from Debian Forums some two weeks ago.)

Since the kernel will be about the most recent --actually just the next one after the bleeding edge (I'm restarting to tell this for the third time), since the kernel will be as close to the bleeding edge version as the Security geniuses like Spender and Pax Team can make it because the one in charge suffers from Not-Invented-Here envy and makes it hard for the better ones than him to take part in development, how sad!...

Since the kernel will be almost the hottest last one, we also should best use the:

Debian Testing branch repositories (but, pls. note that it is not required, stable is just fine as well)

to update the system before we recompile the still warm kernel.

I do it by downloading with jigdo-file, the templates and things as can be found here:

http://cdimage.debian.org/cdimage/weekl ... jigdo-dvd/

It is not difficult to set up Apache, mount all the ISO files, and serve them on your SOHO, or on your standalone host, and set the links to these Apache local repos in /etc/apt/sources.list.

I'm telling you that, because if you want to counter possible, sorry probable (it is very probable, it's ubiquitous) surveillance (and the worse scenarios that build on it, such as intrusions and attacks), you certainly don't really want to just update your system while online. C'mon! But while I could write a tips & tricks page about it, which I would like to, because I don't live selfishly but wish freedom not only for me but for everybody (I'd actually want the corporate banksters and such in jail only), I can not indulge on it here because it is not the topic here...

EDIT START Mon Jan 6 16:37:08 UTC 2014
I just wrote a page "Scripts to automate jigdo download":
viewtopic.php?f=16&t=110503
EDIT END

Anyways, the core of what I am trying to suggest at this stage of preparation, is, before you compile the kernel, get the new packages and do the:

# apt-get update
...[snip]...
# apt-get upgrade
...[snip]...

It may not be absolutely necessary, but is good practice to update the system before compiling the system.

I feel I need to name this installment somehow.
Let this be:
Part II-1
And:
Part II-2 is to follow.
Last edited by timbgo on 2014-01-06 17:42, edited 3 times in total.
timbgo
 

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2013-11-23 04:21

Part II-2
EDIT START
Corrections starting to apply at:
Sat Nov 23 10:43:45 UTC 2013
(will mark them with [edit131123-11h])
EDIT END
So, open up in your iceweasel (or other browser):
https://grsecurity.net/download.php

Download (within these 5 hours, there is now new kernel to compile, well, I wasn't fast enough this time, 3.11.8 is not there anymore...):

https://grsecurity.net/test/grsecurity- ... 2137.patch

https://grsecurity.net/test/grsecurity- ... .patch.sig

https://www.kernel.org/pub/linux/kernel ... .11.tar.xz

https://www.kernel.org/pub/linux/kernel ... .9.tar.sig

[edit131123-11h start]
http://www.croatiafidelis.hr/gnu/deb/co ... -131009.gz

http://www.croatiafidelis.hr/gnu/deb/co ... 009.gz.sig
[edit131123-11h end]

Download the new Spender's key (the old that he used was DSA, now it is very much recommended to use stronger RSA keys):

https://grsecurity.net/spender-gpg-key.asc

Allow me now a little time and I'll be back with the set of commands that will, hopefully, work, or will have already worked for me...

I'm back.
I'll now try and complete this page...
On the other machine, offline (an NSA "denigrator" like me to compile online, not a good idea!), the system is churning on the codes.
Here are the lines from the history ( 'history' command at the prompt output, and cleansed to be terse this time. If you don't understand, go and read the previous posts):

[edit131123-11h start]
All the commands are best done in a newly created dir with all the downloads moved into.
[edit131123-11h end]
Code:
 unxz linux-3.11.9.tar.xz
 gpg --verify linux-3.11.9.tar.sign
 gpg --verify grsecurity-2.9.1-3.11.9-201311222137.patch.sig
 tar xvf linux-3.11.9.tar
 cd linux-3.11.9/
 patch  -p1 < ../grsecurity-2.9.1-3.11.9-201311222137.patch
 cd ../
 gpg --verify config-3.11.3-grsec-131009.gz.sig
 gunzip config-3.11.3-grsec-131009.gz
 cp config-3.11.3-grsec-131009 linux-3.11.9/.config
 cd  linux-3.11.9/
 make menuconfig

[edit131123-11h start]
Of course one of the things is to change the local version. Explained in previous posts.
Code:
 fakeroot make deb-pkg


I forgot the last command last night:
Code:
dpkg -i *.deb


You can probably recognize the same .config that I posted on http://www.CroatiaFidelis.hr. The link where you can download it from is above, in previous posts.
[edit131123-11h end]

I'll be back to tell if all went fine.

It is now morning, and I haven't slept yet.

So, good night!
[edit131123-11h start]
I have:
Code:
# uname -r
3.11.9-grsec-131123
#
 

kernel running now. All seems fine. Have a fine free and, when you wish so, private life!
[edit131123-11h end]
timbgo
 
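The thread verifies each download with a bare gpg --verify, which reports a good signature for any key that happens to be in the keyring, including one imported by mistake. The following is an added POSIX sh example, not code from the thread or from the grsecurity project, that additionally pins the expected signing-key fingerprint for each file, using the VALIDSIG line gpg emits with --status-fd. The manifest format and the function names are my own, and the fingerprints in the usage comment are placeholders to be replaced with ones verified out of band:

```shell
#!/bin/sh
# Added example (not from the forum thread): verify the detached signatures
# on the downloaded kernel tarball, grsecurity patch and config, and accept
# each one only if it was made by a key whose fingerprint was pinned in
# advance. A plain "gpg --verify" says "Good signature" for any key in the
# keyring; pinning the fingerprint closes that gap.

# verify_signed_file SIGFILE EXPECTED_FPR
#   0 if gpg validates SIGFILE (the signed file must sit beside it, as in
#   "gpg --verify linux-3.12.6.tar.sign") AND the signing key's fingerprint
#   equals EXPECTED_FPR; 1 otherwise. Fingerprints are compared case-insensitively.
verify_signed_file() {
    sigfile=$1
    expected=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    # --status-fd 1 makes gpg print machine-readable status lines on stdout;
    # a good signature yields "[GNUPG:] VALIDSIG <fingerprint> <date> ...".
    status=$(gpg --status-fd 1 --verify "$sigfile" 2>/dev/null </dev/null) || {
        echo "verify: gpg rejected $sigfile" >&2
        return 1
    }
    seen=$(printf '%s\n' "$status" |
        sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-Fa-f]*\) .*/\1/p' |
        head -n 1 | tr '[:lower:]' '[:upper:]')
    if [ -z "$seen" ]; then
        echo "verify: no VALIDSIG line for $sigfile" >&2
        return 1
    fi
    if [ "$seen" != "$expected" ]; then
        echo "verify: $sigfile signed by $seen, expected $expected" >&2
        return 1
    fi
    return 0
}

# verify_manifest MANIFEST
#   MANIFEST holds one "SIGFILE FINGERPRINT" pair per line ('#' lines are
#   comments). Returns 0 only if every pair verifies; it keeps going after a
#   failure so that all failures are reported at once.
verify_manifest() {
    failed=0
    while read -r sig fpr; do
        [ -n "$sig" ] || continue
        case $sig in '#'*) continue ;; esac
        if verify_signed_file "$sig" "$fpr"; then
            echo "OK   $sig"
        else
            echo "FAIL $sig"
            failed=1
        fi
    done < "$1"
    return $failed
}

# Stand-alone use: "sh verify_sigs.sh MANIFEST", with a manifest such as
# (fingerprints are PLACEHOLDERS; use the ones you verified out of band for
# the kernel.org signer, Spender's key and the config author's key):
#   linux-3.12.6.tar.sign                          <KERNEL_ORG_SIGNER_FPR>
#   grsecurity-3.0-3.12.6-201401021726.patch.sig   <SPENDER_KEY_FPR>
#   config-3.11.3-grsec-131009.gz.sig              <CONFIG_AUTHOR_FPR>
if [ $# -gt 0 ]; then
    verify_manifest "$1"
fi
```

Run it in the download directory before unpacking anything; a non-zero exit means at least one file must not be used. The VALIDSIG status line is the one to trust rather than the human-readable "Good signature" text, because it is stable across gpg locales and carries the full fingerprint.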

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-01-07 03:27

It's been:
Code:
$ ps aux | grep fakeroot
mr         899  0.0  0.0  18320   880 pts/10   S+   21:02   0:00 grep fakeroot
mr       19542  0.0  0.0  18976  1332 pts/3    S+   19:16   0:00 /bin/bash /usr/bin/fakeroot make deb-pkg
$

almost two hours (on one of my slowest systems, OK) that fakeroot has been churning on.

So let's post the commands. Very probably many users on AMD64 machines could try and run these commands, but, as usual:

*** solely at your own risk! ***

Also, don't just run them. Say, change the LOCALVERSION when the menuconfig presents itself to you. Look up a little bit and read the extensive help that all the Grsecurity and Pax options have...

If you don't already have them, get the keys to verify the kernel, grsecurity and my config, it's
gpg --recv-key 0xNNNNNNNN where the number is, say in my case you can see what a revoked key looks like, 17D681FC, so 0x17D681FC (0x is for hex)...
Or whatever else...
You were supposed to read the thread above anyways, where I went into great lengths to explain things.

Code:
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.6.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.6.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.6-201401021726.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.6-201401021726.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz
mkdir /Cmn/src/
cp -iav linux-3.12.6.tar.* /Cmn/src/
cp -iav grsecurity-3.0-3.12.6-201401021726.patch* /Cmn/src/
cp -iav config-3.11.3-grsec-131009.gz* /Cmn/src/
cd /Cmn/src/
unxz linux-3.12.6.tar.xz
gpg --verify linux-3.12.6.tar.sign
gpg --verify grsecurity-3.0-3.12.6-201401021726.patch.sig
gpg --verify config-3.11.3-grsec-131009.gz.sig
tar xvf linux-3.12.6.tar
cd linux-3.12.6
patch -p1 < ../grsecurity-3.0-3.12.6-201401021726.patch
cd ../
gunzip config-3.11.3-grsec-131009.gz
cp -iav config-3.11.3-grsec-131009 linux-3.12.6/.config
cd linux-3.12.6
make menuconfig
diff .config*
fakeroot make deb-pkg

The 'diff .config*' is not strictly necessary, but, as I mentioned much earlier in this thread, I purposefully use a stock-kernel-derived config, so it can work on most AMD64 machines, not just mine, and it's from an old stock kernel now, 3.11.3, but I believe it'll work...
All the above as common user (but wait, read first the next paragraph).
Now as root:
Code:
cd /Cmn/src/
dpkg -i *.deb


[ The following I wrote ahead of time, in expectation all would build fine, forgetting that I didn't have enough space available on the device... Sorry for the inconvenience... ]
The above command might not yet work.
If you tried, or, I believe it's innocuous, if you want to try, as root, if you have Grsecurity/Pax patched kernel already installed, and you now try and install the kernel, and it fails with some of the errors you found or can find in the previous (old) thread above, then check these:
Code:
# paxctl -v /usr/bin/grub-script-check /usr/sbin/grub-mkdevicemap /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-xE--- [/usr/bin/grub-script-check]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is enabled
- PaX flags: -----m-xE--- [/usr/sbin/grub-mkdevicemap]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is enabled
- PaX flags: -----m-xE--- [/usr/sbin/grub-probe]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is enabled
#


I believe it's just these three. For my configuration and things; it could be different if you enabled/disabled various options differently than me. I am not an expert, I have to remind you that I am publishing these tips as I teach myself things.

So if these don't look like that for you, then run:

Code:
# paxctl -cmE  /usr/bin/grub-script-check /usr/sbin/grub-mkdevicemap /usr/sbin/grub-probe

and they will. Unless something more/different is yet the matter.

OK. Now you can execute the dpkg -i *.deb command as in the previous paragraph. You should, upon a smooth run of it, have your Grsecurity/Pax kernel installed, and can reboot into it.
Probably. I warned you you're doing it all on your own responsibility, not mine.

I fell asleep in the meantime... But it failed to build. I got lots of:
mkdir: cannot create directory ‘/Cmn/src/linux-3.12.6/debian/tmp/lib/modules/3.12.6-grsec-140106/kernel/net/netfilter’: No space left on device
That's just one random line pasted over.
Well, it's no wonder. Have a look how little space I got left before I went to sleep, not knowing that I would need to explain here, I pasted my "df -h" line in another Tip I wrote, now yesterday:
viewtopic.php?f=16&t=110503
"Scripts to automate jigdo download"
(find there the string 'df -h')...
...and building needs much space, currently, this unfinished failed (for no space) build:
Code:
me@mybox:/Cmn/src$ du -hs linux-3.12.6
8.1G   linux-3.12.6

Be back.
Miroslav Rovis
Zagreb, Croatia,
http://www.CroatiaFidelis.hr
timbgo
 
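The paxctl -v output in the post above is what gets checked by eye before dpkg -i is re-run. As an added example, not code from the thread or from the PaX project, the POSIX sh snippet below parses output in exactly that format and reports which binaries still lack the lowercase 'm' (MPROTECT disabled) and uppercase 'E' (EMUTRAMP enabled) that paxctl -cmE sets. The sample output embedded in it is constructed from the post's three grub lines plus two hypothetical paths, and the function names are my own:

```shell
#!/bin/sh
# Added example (not from the forum thread): read "paxctl -v" style output
# and list the binaries whose PaX flags do not yet match what the thread
# sets with "paxctl -cmE": a lowercase 'm' (MPROTECT disabled) and an
# uppercase 'E' (EMUTRAMP enabled) in the flags string.

# pax_flags_ok FLAGS -> 0 if FLAGS (e.g. "-----m-xE---") has both 'm' and 'E'.
# In paxctl's flag string a lowercase letter means "disabled" and an
# uppercase one "enabled", as the post's "MPROTECT is disabled" lines show.
pax_flags_ok() {
    case $1 in
        *m*E*|*E*m*) return 0 ;;
        *) return 1 ;;
    esac
}

# list_unflagged < PAXCTL_OUTPUT
#   Prints, one per line, the paths from "- PaX flags: FLAGS [PATH]" lines
#   whose flags fail pax_flags_ok. Other lines (the per-flag detail lines,
#   the version banner) are ignored.
list_unflagged() {
    sed -n 's/^- PaX flags: \([^ ]*\) \[\(.*\)\]$/\1 \2/p' |
    while read -r flags path; do
        pax_flags_ok "$flags" || printf '%s\n' "$path"
    done
}

# suggest_fix < PAXCTL_OUTPUT
#   Prints the paxctl command from the thread for the binaries that still
#   need it, or nothing when every listed binary is already flagged.
suggest_fix() {
    todo=$(list_unflagged | tr '\n' ' ')
    todo=${todo% }
    if [ -n "$todo" ]; then
        printf 'paxctl -cmE %s\n' "$todo"
    fi
}

# Constructed sample: the three lines from the post plus two hypothetical
# binaries (made-up paths) whose flags were never set or were set wrongly.
SAMPLE_PAXCTL_OUTPUT='PaX control v0.7
- PaX flags: -----m-xE--- [/usr/bin/grub-script-check]
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is enabled
- PaX flags: -----m-xE--- [/usr/sbin/grub-mkdevicemap]
- PaX flags: -----m-xE--- [/usr/sbin/grub-probe]
- PaX flags: -----M-xE--- [/usr/sbin/example-mprotect-still-on]
- PaX flags: -----m-xe--- [/usr/sbin/example-emutramp-off]'

demo_unflagged() { printf '%s\n' "$SAMPLE_PAXCTL_OUTPUT" | list_unflagged; }
demo_suggest()   { printf '%s\n' "$SAMPLE_PAXCTL_OUTPUT" | suggest_fix; }

# Real use (as root, paths from the post):
#   paxctl -v /usr/bin/grub-script-check /usr/sbin/grub-mkdevicemap /usr/sbin/grub-probe | suggest_fix
demo_suggest
```

On the constructed sample the script prints a paxctl -cmE line naming only the two hypothetical binaries; on the post's real output it prints nothing, which is the "all three look like that" case the post describes. Re-run paxctl -v after applying the fix and feed it through again to confirm the list is empty before retrying dpkg.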

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-01-07 10:00

root@mybox:/Cmn/src# ls -l
total 1120184
-rw-r--r-- 1 mr mr 128663 Oct 30 17:20 config-3.11.3-grsec-131009
-rw-r--r-- 1 mr mr 543 Oct 31 09:30 config-3.11.3-grsec-131009.gz.sig
-rw-r--r-- 1 mr mr 3944503 Jan 2 22:30 grsecurity-3.0-3.12.6-201401021726.patch
-rw-r--r-- 1 mr mr 543 Jan 2 22:30 grsecurity-3.0-3.12.6-201401021726.patch.sig
drwx------ 26 mr mr 4096 Jan 6 21:45 linux-3.12.6
-rw-r--r-- 1 mr mr 544061440 Dec 20 16:04 linux-3.12.6.tar
-rw-r--r-- 1 mr mr 836 Dec 20 16:04 linux-3.12.6.tar.sign
-rw-r--r-- 1 mr mr 1136084 Jan 7 07:33 linux-firmware-image-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb
-rw-r--r-- 1 mr mr 9387176 Jan 7 07:33 linux-headers-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb
-rw-r--r-- 1 mr mr 31456652 Jan 7 07:34 linux-image-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb
-rw-r--r-- 1 mr mr 555656656 Jan 7 07:57 linux-image-3.12.6-grsec-140106-dbg_3.12.6-grsec-140106-3_amd64.deb
-rw-r--r-- 1 mr mr 961842 Jan 7 07:33 linux-libc-dev_3.12.6-grsec-140106-3_amd64.deb
root@mybox:/Cmn/src# dpkg -i *.deb
Selecting previously unselected package linux-firmware-image-3.12.6-grsec-140106.
(Reading database ... 227813 files and directories currently installed.)
Unpacking linux-firmware-image-3.12.6-grsec-140106 (from linux-firmware-image-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb) ...
Selecting previously unselected package linux-headers-3.12.6-grsec-140106.
Unpacking linux-headers-3.12.6-grsec-140106 (from linux-headers-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb) ...
Selecting previously unselected package linux-image-3.12.6-grsec-140106.
Unpacking linux-image-3.12.6-grsec-140106 (from linux-image-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb) ...
Selecting previously unselected package linux-image-3.12.6-grsec-140106-dbg.
Unpacking linux-image-3.12.6-grsec-140106-dbg (from linux-image-3.12.6-grsec-140106-dbg_3.12.6-grsec-140106-3_amd64.deb) ...
Preparing to replace linux-libc-dev 3.11.9-grsec-131123-1 (using linux-libc-dev_3.12.6-grsec-140106-3_amd64.deb) ...
Unpacking replacement linux-libc-dev ...
Setting up linux-firmware-image-3.12.6-grsec-140106 (3.12.6-grsec-140106-3) ...
Setting up linux-headers-3.12.6-grsec-140106 (3.12.6-grsec-140106-3) ...
Setting up linux-image-3.12.6-grsec-140106 (3.12.6-grsec-140106-3) ...
update-initramfs: Generating /boot/initrd.img-3.12.6-grsec-140106
Generating grub.cfg ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-3.12.6-grsec-140106
Found initrd image: /boot/initrd.img-3.12.6-grsec-140106
Found linux image: /boot/vmlinuz-3.11.9-grsec-131123
Found initrd image: /boot/initrd.img-3.11.9-grsec-131123
Found linux image: /boot/vmlinuz-3.11.6-grsec-131103-14
Found initrd image: /boot/initrd.img-3.11.6-grsec-131103-14
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
Found Windows XP Professional x64 Edition on /dev/sda4
done
Setting up linux-image-3.12.6-grsec-140106-dbg (3.12.6-grsec-140106-3) ...
Setting up linux-libc-dev (3.12.6-grsec-140106-3) ...
root@mybox:/Cmn/src#

And that's real. If you saw XP above, that doesn't mean I would recommend Windows in any way. I need it for things such as checking how users would be able to view a video if I make it, or how web pages present, or such purposes. Very little do I use it.

Now rebooting.

$ uname -a
Linux naibd9 3.12.6-grsec-140106 #3 SMP Tue Jan 7 07:26:38 UTC 2014 x86_64 GNU/Linux
$
Cheers!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
timbgo
 

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-01-11 03:30

Code:
#!/bin/bash
# Downloads, verifies, patches, configures and builds a grsecurity-patched
# 3.12.7 kernel as Debian packages, pausing before each step so the output
# of the previous one can be inspected (Enter to continue, Ctrl-C to abort).

echo "  Caveat emptor! "

echo "  Do not use this script if you do not understand  "
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo " "
echo " OTOH, maybe you could open it in one terminal for "
echo " perusing each next step before hitting enter to run "
echo " that next step, one by one... Hit Enter if you think you could try so. "
read -r FAKE ;

# -nc: skip files that were already downloaded
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.7.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.7.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.7-201401091837.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.7-201401091837.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz
mkdir -p /home/src/grsec/
cp -iav linux-3.12.7.tar.* /home/src/grsec/
cp -iav grsecurity-3.0-3.12.7-201401091837.patch* /home/src/grsec/
cp -iav config-3.11.3-grsec-131009.gz* /home/src/grsec/
# stop here rather than run the remaining steps in the wrong directory
cd /home/src/grsec/ || exit 1
pwd
#read FAKE ; # This is my way of telling the user to hit Enter if all
       # is well, or Ctrl-C if something went wrong.
# But wait, I'll automate this little piece of instruction...
readfake="Hit Enter if all is well, or Ctrl-C if something went wrong."
echo "$readfake" ; read -r FAKE ;

unxz linux-3.12.7.tar.xz
echo "$readfake" ; read -r FAKE ;
# The three verifications need the signers' public keys in your keyring;
# read gpg's output before pressing Enter.
gpg --verify linux-3.12.7.tar.sign
echo "$readfake" ; read -r FAKE ;
gpg --verify grsecurity-3.0-3.12.7-201401091837.patch.sig
echo "$readfake" ; read -r FAKE ;
gpg --verify config-3.11.3-grsec-131009.gz.sig
echo "$readfake" ; read -r FAKE ;
tar xvf linux-3.12.7.tar
echo "$readfake" ; read -r FAKE ;
cd linux-3.12.7 || exit 1
pwd
echo "$readfake" ; read -r FAKE ;
patch -p1 < ../grsecurity-3.0-3.12.7-201401091837.patch
echo "$readfake" ; read -r FAKE ;
cd ../ || exit 1
pwd
echo "$readfake" ; read -r FAKE ;
gunzip config-3.11.3-grsec-131009.gz
echo "$readfake" ; read -r FAKE ;
cp -iav config-3.11.3-grsec-131009 linux-3.12.7/.config
echo "$readfake" ; read -r FAKE ;
cd linux-3.12.7 || exit 1
echo "$readfake" ; read -r FAKE ;
# Change LOCALVERSION here, and look through the Grsecurity/Pax options
make menuconfig
echo "$readfake" ; read -r FAKE ;
# menuconfig keeps the previous config as .config.old; show what changed
diff .config*
echo
echo "Now this, the next one, is a longer one step
      in the process..."
echo
echo "$readfake" ; read -r FAKE ;
fakeroot make deb-pkg


echo "Here, the deb packages ought to be there..."
echo "$readfake" ; read -r FAKE ;
cd ../ || exit 1
echo "$readfake" ; read -r FAKE ;
ls -l *.deb
echo "If you see the packages similar as for the 3.12.6,
     above and if you already used paxctl on grub binaries as
     I took care to explain in detail, you're at your
     last step."
echo "But, that step you need to execute as root, so it
     is not part of this script executed all as user."
echo "$readfake" ; read -r FAKE ;
pwd
msgbeforeroot1="Become root and enter this command, in this directory:"
msgbeforeroot2="dpkg -i *.deb"
echo "$msgbeforeroot1"
echo "$msgbeforeroot2"

# Upon rebooting, I just got:
# $ uname -a
# Linux naibd9 3.12.7-grsec-140109 #2 SMP Sat Jan 11 00:50:25 UTC 2014 x86_64 GNU/Linux
# $

Upon download (just copy and paste), you need to name this script grsec_install.sh and you need to:
$ chmod 755 grsec_install.sh
and probably modify a few things (not many if you're running amd64) before finally running it with:
./grsec_install.sh
P.S. Actually, I just checked, and there are some differences in whitespace btwn what I posted and what can be downloaded.
I recommend (too much whitespace if using "Code: Select all" to copy)... I recommend selecting carefully manually with the mouse, and pasting manually with
$ cat > grsec_install.sh

(paste and press Ctrl-D)
Then the difference btwn what I entered, and which you don't have, and what you have from this forum page is OK, because upon running diff on it like this
$ diff -b -B grsec_install_mouse_select.sh grsec_install_which_you_dont_have.sh
...Then that diff returns empty string, meaning it's ok.

A link to my parallel thread on Grsecurity Forum:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835

Miroslav Rovis,
Zagreb, Croatia
www.CroatiaFidelis.hr
timbgo
 

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-01-16 18:30

There's new grsecurity patch, some two or so hours ago, but, till that one I (hopefully) compile, pls. if you use instructions for the old patch and kernel, use this one:

http://www.croatiafidelis.hr/gnu/deb/co ... -140109.gz

http://www.croatiafidelis.hr/gnu/deb/co ... 140109.asc

instead of what I gave above. Should have more modules and things...
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
timbgo
 
