This is from the README of the corsac.net grsecurity-to-Debian git (link can be found somewhere in previous posts).
git clone git://anonscm.debian.org/users/corsac/grsec-patches.git
----
== Getting the sources
There are two ways to get the sources. Either you use a source package, or you
get the svn content.
.Get source package
----
apt-get source linux
----
This will download and unpack the current source package in sid. Check the
tags in +grsec-patch+ to see if that version is supported.
.Get the svn
----
svn co svn://svn.debian.org/svn/kernel/dists/sid/linux
----
This will get you the latest commits in the sid branch, which might get you an
unreleased (not yet uploaded to sid) kernel.
== Applying the patches for grsecurity featureset
The grsec featureset is distributed as a quilt series, so we use quilt to
apply it on top of the svn or linux-2.6 source package.
.Apply patches for grsecurity featureset
----
cd linux*
export QUILT_PATCHES=../grsec-patches QUILT_PC=.pc-grsec
quilt push -a
----
I did the above (I took the svn out), and followed on the README, and this is how it went.
root@myhost:/usr/src# cd linux*
root@myhost:/usr/src/linux# export QUILT_PATCHES=../grsec-patches QUILT_PC=.pc-grsec
root@myhost:/usr/src/linux# quilt push -a
Applying patch 02_force-hostcc-version.patch
patching file debian/rules.real
Hunk #1 succeeded at 133 (offset 13 lines).
Applying patch 03_add-grsec-featureset.patch
patching file debian/config/amd64/defines
patching file debian/config/amd64/grsec/defines
patching file debian/config/defines
patching file debian/config/featureset-grsec/config
patching file debian/config/featureset-grsec/defines
patching file debian/config/i386/defines
patching file debian/config/i386/grsec/defines
patching file debian/patches/features/all/grsec/gen-patch
patching file debian/patches/series-grsec
Applying patch 04_grsecurity.patch
patching file debian/patches/features/all/grsec/grsecurity-2.9.1-3.2.42-201304022025+debian.patch
Now at patch 04_grsecurity.patch
root@myhost:/usr/src/linux# cd ../grsec-patches/
root@myhost:/usr/src/grsec-patches# git tag -l
v2.6.32-41squeeze2+grsec1_2.9-2.6.32.59-201203251921
v2.6.32-43+grsec1_2.9-2.6.32.59-201204062020
v2.6.32-45+grsec1+2.9-2.6.32.59-201205151706
v2.6.32-45+grsec1_2.9-2.6.32.59-201205151706
v3.2.10-1+grsec1_2.9-3.2.11-201203131840
v3.2.12-1+grsec1_2.9-3.2.12-201203191822
v3.2.13-1+grsec1_2.9-3.2.13-201203251921
v3.2.18-1+grsec1_2.9-3.2.17-201205191125
v3.2.19-1+grsec1_2.9-3.2.18-201206031033
v3.2.20-1+grsec1_2.9.1-3.2.20-201206111836
v3.2.29-1+grsec1_2.9.1-3.2.30-201209192117
v3.2.30-1+grsec1_2.9.1-3.2.30-201209241828
v3.2.35-2+grsec1_2.9.1-3.2.35-201212151420
v3.2.39-1+grsec1_2.9.1-3.2.39-201302252105
v3.2.41+grsec2_2.9.1-3.2.42-201304022025
v3.2.9-1+grsec1_2.9-3.2.9-201203062051
root@myhost:/usr/src/grsec-patches# cd -
/usr/src/linux
root@myhost:/usr/src/linux# dch --local grsec
dch: debian/changelog unmodified; exiting.
root@myhost:/usr/src/linux# DEBIAN_KERNEL_DISABLE_INSTALLER=1 DEBIAN_KERNEL_DISABLE_DEBUG=1 python debian/bin/gencontrol.py
debian/bin/gencontrol.py:119: UserWarning: Disable building of debug infos on request (DEBIAN_KERNEL_DISABLE_INSTALLER set)
warnings.warn(u'Disable building of debug infos on request (DEBIAN_KERNEL_DISABLE_INSTALLER set)')
debian/bin/gencontrol.py:289: UserWarning: Disable building of debug infos on request (DEBIAN_KERNEL_DISABLE_DEBUG set)
warnings.warn(u'Disable building of debug infos on request (DEBIAN_KERNEL_DISABLE_DEBUG set)')
root@myhost:/usr/src/linux# dpkg-buildpackage -us -uc
dpkg-buildpackage: source package linux
dpkg-buildpackage: source version 3.2.43-1
dpkg-buildpackage: source changed by Ben Hutchings <ben@decadent.org.uk>
dpkg-buildpackage: host architecture amd64
dpkg-source --before-build linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
dpkg-checkbuilddeps: Unmet build dependencies: kernel-wedge (>= 2.84) gcc-4.6 gcc-4.6-plugin-dev xmlto
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
root@myhost:/usr/src/linux# dpkg-buildpackage -us -uc -d
dpkg-buildpackage: source package linux
dpkg-buildpackage: source version 3.2.43-1
dpkg-buildpackage: source changed by Ben Hutchings <ben@decadent.org.uk>
dpkg-buildpackage: host architecture amd64
dpkg-source --before-build linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
debian/rules clean
dh_testdir
rm -rf debian/build debian/stamps debian/lib/python/debian_linux/*.pyc debian/linux-headers-* debian/linux-image-* debian/linux-support-* debian/linux-source-* debian/linux-doc-* debian/linux-manual-* debian/xen-linux-system-* debian/*-modules-*-di*
dh_clean
dpkg-source -b linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
dpkg-source: error: can't build with source format '3.0 (quilt)': no upstream tarball found at ../linux_3.2.43.orig.tar.{bz2,gz,lzma,xz}
dpkg-buildpackage: error: dpkg-source -b linux gave error exit status 255
root@myhost:/usr/src/linux#
Break, lest I forget the sequence of events...
Soo... Seeing that line apparently crucial:
dpkg-checkbuilddeps: Unmet build dependencies: kernel-wedge (>= 2.84) gcc-4.6 gcc-4.6-plugin-dev xmlto
esp. after not even adding the -d flag, as suggested by "(Use -d flag to override.)", got me any further, I went for the packages gcc-4.6, gcc-4.6-plugin-dev and xmlto.
I ran aptitude, found them and installed them all.
But...
root@myhost:/usr/src/linux# dpkg-buildpackage -us -uc
dpkg-buildpackage: source package linux
dpkg-buildpackage: source version 3.2.43-1
dpkg-buildpackage: source changed by Ben Hutchings <ben@decadent.org.uk>
dpkg-buildpackage: host architecture amd64
dpkg-source --before-build linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
dpkg-checkbuilddeps: Unmet build dependencies: kernel-wedge (>= 2.84)
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
root@myhost:/usr/src/linux# dpkg-buildpackage -us -uc -d
dpkg-buildpackage: source package linux
dpkg-buildpackage: source version 3.2.43-1
dpkg-buildpackage: source changed by Ben Hutchings <ben@decadent.org.uk>
dpkg-buildpackage: host architecture amd64
dpkg-source --before-build linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
debian/rules clean
dh_testdir
rm -rf debian/build debian/stamps debian/lib/python/debian_linux/*.pyc debian/linux-headers-* debian/linux-image-* debian/linux-support-* debian/linux-source-* debian/linux-doc-* debian/linux-manual-* debian/xen-linux-system-* debian/*-modules-*-di*
dh_clean
dpkg-source -b linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
dpkg-source: error: can't build with source format '3.0 (quilt)': no upstream tarball found at ../linux_3.2.43.orig.tar.{bz2,gz,lzma,xz}
dpkg-buildpackage: error: dpkg-source -b linux gave error exit status 255
root@myhost:/usr/src/linux#
...But to no avail.
I was told I could use binary packages or, alternatively, patched sources, to be found in:
deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/
if I understood correctly.
I even added
deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ squeeze/
as well, just in case.
But, upon some perusal of those, it is not clear to me where in corsac's repo those are. Which exact ones?
NOTE: I did find a binary to use in the meantime, and it is in the previous post to this one in the thread. Previous, because I am not done with compilation, which is the absolutely preferable way, as I explained somewhere in this thread. I'm really sorry, but I am too tired right now to re-edit this.
...
As I already stated, security-wise, I just don't see that I could happily live without grsecurity/pax, that much I can say.
I am also tired, especially for having to still live with what I didn't opt for, in my Debian, as I explained in the post immediately preceding this one.
I wish (and I will keep around for a little while, in case someone helps with advice) I could go on and finish the compilation of Yves-Alexis' kernel-grsec, but I don't abound with time anymore.
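The README's instruction to check the grsec-patches tags, together with the upstream-tarball requirement that dpkg-source reports in the log above, written as a pre-flight check. This is an added example, not part of the original post or of the grsec-patches repository; the function names and `SAMPLE_TAGS` are hypothetical, and the tag naming pattern is inferred from the `git tag -l` output shown in the post.

```shell
# Added example: checks to run before "quilt push -a" and dpkg-buildpackage.
# Function names are hypothetical; tags are a subset copied from the post.
SAMPLE_TAGS='v3.2.35-2+grsec1_2.9.1-3.2.35-201212151420
v3.2.39-1+grsec1_2.9.1-3.2.39-201302252105
v3.2.41+grsec2_2.9.1-3.2.42-201304022025'

# Upstream part of a Debian version: drop epoch and revision (3.2.43-1 -> 3.2.43).
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# Read "git tag -l" output on stdin; print the tags cut for Debian version $1.
# Assumed tag shape: v<debian-version>+grsec<N><separator><grsecurity-version>.
matching_tags() {
    want="v$1+grsec"
    while IFS= read -r tag; do
        case "$tag" in
            "$want"*) printf '%s\n' "$tag" ;;
        esac
    done
}

# File name stem that source format "3.0 (quilt)" expects beside the tree.
orig_tarball_stem() {
    printf 'linux_%s.orig.tar\n' "$(upstream_version "$1")"
}

# Succeeds if directory $1 holds an upstream tarball for Debian version $2.
have_orig_tarball() {
    for ext in bz2 gz lzma xz; do
        [ -f "$1/$(orig_tarball_stem "$2").$ext" ] && return 0
    done
    return 1
}

# $1 = Debian version, $2 = tag list, $3 = parent directory of the source tree.
preflight() {
    rc=0
    [ -n "$(printf '%s\n' "$2" | matching_tags "$1")" ] ||
        { echo "no grsec-patches tag for Debian version $1"; rc=1; }
    have_orig_tarball "$3" "$1" ||
        { echo "no $3/$(orig_tarball_stem "$1").{bz2,gz,lzma,xz}"; rc=1; }
    return $rc
}

# The version dpkg-buildpackage reported in the post, checked against the tags.
preflight 3.2.43-1 "$SAMPLE_TAGS" .. || echo "resolve the above before building"
```

In a real checkout, feed `matching_tags` the output of `git tag -l` run inside `grsec-patches` instead of `SAMPLE_TAGS`.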