grsecurity install: cannot find patch file: patch-3.2.42

[timbgo]

I'm not proficient the matters Debian, but I see it's an issue not settled, grsecurity patch on debian adapted kernel.
http://packages.debian.org/de/wheezy/li ... rsecurity2
That is the version in the latest testing branch (become wheezy release candidate now, I think):
2.9.1+3.2.21-201206221855-1
Actually, upon installing linux-patch-grsecurity2 that is what I get installed.
And it installed more-vanilla-then-what-debian-usually-uses kernel:
linux-source-3.2
I see in aptitude: 3.2.41-2 for it.
That is, if I don't get something wrong about it or in the process...

Very importantly, attempts at getting at this long standing issue (very wishful for solution, some of us) have not ceased:
http://anonscm.debian.org/gitweb/?p=use ... ;a=summary
That's not very long ago, is it...

But upon following the Debian Linux Kernel Handbook steps, and when trying to apply grsecurity patch above mentioned, I get the error:

Code: Select all

myhost:/usr/src/linux# scripts/patch-kernel . .. 
Current kernel version is 3.2.41 ( Saber-toothed Squirrel)
cannot find patch file: patch-3.2.42
myhost:/usr/src/linux#

Some of the links I found on this forum of which none is recent. such as:
http://forums.debian.net/viewtopic.php?f=5&t=85863
I mean users will want to have grsecurity/pax, once they are informed (pls. see: http://grsecurity.net/). The issue is being requested over and over, and a team smarter then grsecurity/pax developers, I doubt can come up just so soon nor easily.

And also here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678942
I found an interesting discussion, pasting over the last lines:

> SELinux is more common if you need restrictions on your Linux OS.

To be honest, I don't use RBAC, I'm more interested by the PaX and
generic Grsec hardening than by MAC.

Regards,
--
Yves-Alexis

I too trust grsecurity/pax, my Debian wouldn't be in harmony with me and my world without them...
Anyone else to pitch in and help/lobby/solve our queries?

[timbgo]

I'm on the right track, but have more mileage ahead.
I mixed different sources/efforts at debian+grsec/pax kernel compilation (debian+grsec for short in further text).
Will now try and explain.

http://packages.debian.org/de/wheezy/li ... rsecurity2
That is the version in the latest testing branch (become wheezy release candidate now, I think):
2.9.1+3.2.21-201206221855-1
Actually, upon installing linux-patch-grsecurity2 that is what I get installed.
And it installed more-vanilla-then-what-debian-usually-uses kernel:
linux-source-3.2
I see in aptitude: 3.2.41-2 for it.
That is, if I don't get something wrong about it or in the process...

Sure, the above is completely different effort (which I is labeled "linux-patch-grsecurity2") at debian+grsec than this one below, which is Yves-Alexis' effort at debian+grsec:

Very importantly, attempts at getting at this long standing issue (very wishful for solution, some of us) have not ceased:
http://anonscm.debian.org/gitweb/?p=use ... ;a=summary
That's not very long ago, is it...

And it is necessary to keep in mind that this error:

But upon following the Debian Linux Kernel Handbook steps, and when trying to apply grsecurity patch above mentioned, I get the error:

Code: Select all

myhost:/usr/src/linux# scripts/patch-kernel . .. 
Current kernel version is 3.2.41 ( Saber-toothed Squirrel)
cannot find patch file: patch-3.2.42
myhost:/usr/src/linux#

I experienced with the linux-patch-grsecurity2, and I am yet to see what Yves-Alexis' patches can do for me.

I managed to learn a little more from
http://anonscm.debian.org/gitweb/?p=use ... ;a=summary
and after git cloning it.
And I got the advice to try stuff, for my wheezy RC1 (IUUC), from here:

http://molly.corsac.net/~corsac/debian/ ... kages/sid/

which I intend to do.

My problem is, I don't yet know how.
I managed to install my Debian using aptitude, apt-get, even synaptic.
I'm not yet familiar with Debian, so I just don't know yet how I can compile a kernel out of deb packages, like those in that link on corsac.net .
Where's a tutorial, where is it on wiki, if anyone can tell us?
Whew!
Don't let me tell you, that I have yet to figure out what and how to possibly revert from, or remove or what not, with what I've attempted so far...

[timbgo]

EDIT: Pls. bear in mind that here I got it wrong for the most part. I am against deleting post unless absolutely necessary for reasons far more serious than is here the case. But you can simply skip on to the next post in this thread.

Inching on...
Links that don't feature in the thread on this forum yet, and which are necess for Corsac debian+grsec:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090
But that might mostly be a point of reference if need be, it's a hefty read, and time in short supply, I cut corners where I can.

Here is where I'll try my best attempts:
http://www.corsac.net/?rub=blog&post=1535
As reads there:

Code: Select all

deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/

I added that to /etc/apt/sources.list.
Also I imported Yves-Alexis' key:

Code: Select all

gpg --recv-keys  0x71EF0BA8   --keyserver pgp.mit.edu

Now, the next lines there need be modified.
This is how I am appllying those to today's versions and packages:

Code: Select all

mkdir  kernel-grsec
cd  kernel-grsec
svn checkout svn://svn.debian.org/svn/kernel/dists/sid/linux
git clone git://anonscm.debian.org/users/corsac/grsec-patches.git
wget http://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.41.tar.bz2
wget http://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.41.tar.bz2.sig
gpg --recv-keys  0x6092693E --keyserver pgp.mit.edu
gpg --verify linux-3.2.41.tar.sign  linux-3.2.41.tar.bz2 

I don't have the vaguest idea why, but I get bad signature, which I'\m not expanding on here, since:
wget http://www.kernel.org/pub/linux/kernel/ ... 56sums.asc
gives me the right checksum for that kernel source.
And here I thought that the vanilla patch need be applied first, shouldn't it?

Code: Select all

wget http://www.kernel.org/pub/linux/kernel/v3.x/patch-3.2.41.bz2
wget http://www.kernel.org/pub/linux/kernel/v3.x/patch-3.2.41.sign
gpg --verify patch-3.2.41.sign  patch-3.2.41.bz2 

Bad again, but checksum good nonetheless...
So far so... unresolved.
And here I stop to go and learn (or remember, or figure out) how exactly to apply the vanilla patch to the source before continuing, if it is true that it needs to be done before moving on to the rest of Yves' hints.

[timbgo]

Before I post where I reached with the absolutely better way to go, I am now able to point to a temporary soulution that I achieved and which is there for the taking.

The absolutely better way is to compile your own kernel and choose the grsecurity/pax options and things for yourself, you'll see why shortly.

The temporary solution is the binary kernel I found and installed.

Code: Select all

myhost:$ uname -r
3.2.0-4-grsec-amd64
myhost:$

It's kid's stuff to find it in aptitude and install it, along with whatever else is needed, and reboot into the new kernel.

But I said I was going to tell you why shortly.

Because I haven't rid myself of the SELinux yet.

Code: Select all

myhost:$ ls -l /boot/
total 16825
-rw-r--r-- 1 root root  129038 Mar 26 07:48 config-3.2.0-4-amd64
-rw-r--r-- 1 root root  131042 Apr  3 11:21 config-3.2.0-4-grsec-amd64
drwxr-xr-x 3 root root    5120 Apr 15 18:51 grub
-rw-r--r-- 1 root root 3354720 Apr 13 19:29 initrd.img-3.2.0-4-amd64
-rw-r--r-- 1 root root 3378279 Apr 15 18:51 initrd.img-3.2.0-4-grsec-amd64
drwxr-xr-x 2 root root   12288 Apr 13 18:22 lost+found
-rw-r--r-- 1 root root 2105340 Mar 26 07:48 System.map-3.2.0-4-amd64
-rw-r--r-- 1 root root 2065577 Apr  3 11:21 System.map-3.2.0-4-grsec-amd64
-rw-r--r-- 1 root root 2833216 Mar 26 07:33 vmlinuz-3.2.0-4-amd64
-rw-r--r-- 1 root root 3134592 Apr  3 11:20 vmlinuz-3.2.0-4-grsec-amd64
myhost:$ grep SELINUX /boot/config-3.2.0-4-grsec-amd64 
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
myhost:$ 

Why keep that thing there, for those who opt to go without it, if I may know, in the name of reason?

I went and read about Debian, and it is beautiful how Debian started, it looks like a story written in the stars for good people.

And I wish for the freedom that Debian should still give to diligent individuals worldwide who do not shy from steep learning curves and associates, among which I belong.

I thank everyone who, like the Corsac guy Yves-Alexis, work for the good side which is still there in Debian!

So, that's temporary solution, and also, not all works out of the box.
E.g. I had to:

Code: Select all

# cd /usr/lib/iceweasel/
paxctl -v firefox-bin

which told me it wasn't pax converted, which I did and alse more, and only then I got iceweasel to open...
But it's a known issue...
Anyway, I will, hopefully, next, post where I got with the more earnest attempt at getting grsecurity into my debian kernel, rather than this SELinux infected one...

[timbgo]

This is from the README from corsac.net grsecurity to debian git (link can be found somewhere in previous posts).

git clone git://anonscm.debian.org/users/corsac/grsec-patches.git
----

== Getting the sources

There are two ways to get the sources. Either you use a source package, or you
get the svn content.

.Get source package
----
apt-get source linux
----

This will download and unpack the current source package in sid. Check the
tags in +grsec-patch+ to see if that version is supported.

.Get the svn
----
svn co svn://svn.debian.org/svn/kernel/dists/sid/linux
----

This will get you the latest commits in the sid branch, which might get you an
unreleased (not yet uploaded to sid) kernel.

== Applying the patches for grsecurity featureset

The grsec featureset is distributed as a quilt series, so we use quilt to
apply it on top of the svn or linux-2.6 source package.

.Apply patches for grsecurity featureset
----
cd linux*
export QUILT_PATCHES=../grsec-patches QUILT_PC=.pc-grsec
quilt push -a

I did the above (I took the svn out), and followed on the README, and this is how it went.

Code: Select all

root@myhost:/usr/src# cd linux*
root@myhost:/usr/src/linux# export QUILT_PATCHES=../grsec-patches QUILT_PC=.pc-grsec
root@myhost:/usr/src/linux# quilt push -a
Applying patch 02_force-hostcc-version.patch
patching file debian/rules.real
Hunk #1 succeeded at 133 (offset 13 lines).

Applying patch 03_add-grsec-featureset.patch
patching file debian/config/amd64/defines
patching file debian/config/amd64/grsec/defines
patching file debian/config/defines
patching file debian/config/featureset-grsec/config
patching file debian/config/featureset-grsec/defines
patching file debian/config/i386/defines
patching file debian/config/i386/grsec/defines
patching file debian/patches/features/all/grsec/gen-patch
patching file debian/patches/series-grsec

Applying patch 04_grsecurity.patch
patching file debian/patches/features/all/grsec/grsecurity-2.9.1-3.2.42-201304022025+debian.patch

Now at patch 04_grsecurity.patch
root@myhost:/usr/src/linux# cd ../grsec-patches/
root@myhost:/usr/src/grsec-patches# git tag -l
v2.6.32-41squeeze2+grsec1_2.9-2.6.32.59-201203251921
v2.6.32-43+grsec1_2.9-2.6.32.59-201204062020
v2.6.32-45+grsec1+2.9-2.6.32.59-201205151706
v2.6.32-45+grsec1_2.9-2.6.32.59-201205151706
v3.2.10-1+grsec1_2.9-3.2.11-201203131840
v3.2.12-1+grsec1_2.9-3.2.12-201203191822
v3.2.13-1+grsec1_2.9-3.2.13-201203251921
v3.2.18-1+grsec1_2.9-3.2.17-201205191125
v3.2.19-1+grsec1_2.9-3.2.18-201206031033
v3.2.20-1+grsec1_2.9.1-3.2.20-201206111836
v3.2.29-1+grsec1_2.9.1-3.2.30-201209192117
v3.2.30-1+grsec1_2.9.1-3.2.30-201209241828
v3.2.35-2+grsec1_2.9.1-3.2.35-201212151420
v3.2.39-1+grsec1_2.9.1-3.2.39-201302252105
v3.2.41+grsec2_2.9.1-3.2.42-201304022025
v3.2.9-1+grsec1_2.9-3.2.9-201203062051
root@myhost:/usr/src/grsec-patches# cd -
/usr/src/linux
root@myhost:/usr/src/linux# dch --local grsec
dch: debian/changelog unmodified; exiting.
root@myhost:/usr/src/linux# DEBIAN_KERNEL_DISABLE_INSTALLER=1 DEBIAN_KERNEL_DISABLE_DEBUG=1 python debian/bin/gencontrol.py 
debian/bin/gencontrol.py:119: UserWarning: Disable building of debug infos on request (DEBIAN_KERNEL_DISABLE_INSTALLER set)
  warnings.warn(u'Disable building of debug infos on request (DEBIAN_KERNEL_DISABLE_INSTALLER set)')
debian/bin/gencontrol.py:289: UserWarning: Disable building of debug infos on request (DEBIAN_KERNEL_DISABLE_DEBUG set)
  warnings.warn(u'Disable building of debug infos on request (DEBIAN_KERNEL_DISABLE_DEBUG set)')
root@myhost:/usr/src/linux# dpkg-buildpackage -us -uc
dpkg-buildpackage: source package linux
dpkg-buildpackage: source version 3.2.43-1
dpkg-buildpackage: source changed by Ben Hutchings <ben@decadent.org.uk>
dpkg-buildpackage: host architecture amd64
 dpkg-source --before-build linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
dpkg-checkbuilddeps: Unmet build dependencies: kernel-wedge (>= 2.84) gcc-4.6 gcc-4.6-plugin-dev xmlto
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
root@myhost:/usr/src/linux# dpkg-buildpackage -us -uc -d
dpkg-buildpackage: source package linux
dpkg-buildpackage: source version 3.2.43-1
dpkg-buildpackage: source changed by Ben Hutchings <ben@decadent.org.uk>
dpkg-buildpackage: host architecture amd64
 dpkg-source --before-build linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
 debian/rules clean
dh_testdir
rm -rf debian/build debian/stamps debian/lib/python/debian_linux/*.pyc debian/linux-headers-* debian/linux-image-* debian/linux-support-* debian/linux-source-* debian/linux-doc-* debian/linux-manual-* debian/xen-linux-system-* debian/*-modules-*-di*
dh_clean
 dpkg-source -b linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
dpkg-source: error: can't build with source format '3.0 (quilt)': no upstream tarball found at ../linux_3.2.43.orig.tar.{bz2,gz,lzma,xz}
dpkg-buildpackage: error: dpkg-source -b linux gave error exit status 255
root@myhost:/usr/src/linux# 

Break, lest I forget the sequence of events...

Soo... Seeing that line apparently crucial:

Code: Select all

dpkg-checkbuilddeps: Unmet build dependencies: kernel-wedge (>= 2.84) gcc-4.6 gcc-4.6-plugin-dev xmlto

esp. after never even adding the -d flag as suggested "(Use -d flag to override.)", got me any further, I went for the packages gcc-4.6 gcc-4.6-plugin-dev xmlto.
I ran aptitude, found them and installed them all.
But...

Code: Select all

root@myhost:/usr/src/linux# dpkg-buildpackage -us -uc 
dpkg-buildpackage: source package linux
dpkg-buildpackage: source version 3.2.43-1
dpkg-buildpackage: source changed by Ben Hutchings <ben@decadent.org.uk>
dpkg-buildpackage: host architecture amd64
 dpkg-source --before-build linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
dpkg-checkbuilddeps: Unmet build dependencies: kernel-wedge (>= 2.84)
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
root@myhost:/usr/src/linux# dpkg-buildpackage -us -uc -d
dpkg-buildpackage: source package linux
dpkg-buildpackage: source version 3.2.43-1
dpkg-buildpackage: source changed by Ben Hutchings <ben@decadent.org.uk>
dpkg-buildpackage: host architecture amd64
 dpkg-source --before-build linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
 debian/rules clean
dh_testdir
rm -rf debian/build debian/stamps debian/lib/python/debian_linux/*.pyc debian/linux-headers-* debian/linux-image-* debian/linux-support-* debian/linux-source-* debian/linux-doc-* debian/linux-manual-* debian/xen-linux-system-* debian/*-modules-*-di*
dh_clean
 dpkg-source -b linux
dpkg-source: info: using options from linux/debian/source/local-options: --abort-on-upstream-changes
dpkg-source: info: using options from linux/debian/source/options: --compression=xz
dpkg-source: error: can't build with source format '3.0 (quilt)': no upstream tarball found at ../linux_3.2.43.orig.tar.{bz2,gz,lzma,xz}
dpkg-buildpackage: error: dpkg-source -b linux gave error exit status 255
root@myhost:/usr/src/linux# 

...But to no avail.

I was told I could use binary packages or, alternatively, patched sources, to be found in:

Code: Select all

deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/

if I understood correctly.
I even added

Code: Select all

deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ squeeze/

as well, just in case.
But, upon some perusal of those, it is not clear to me where in corsac repo are those, which exact ones?

NOTE: I did find a binary to use in the meantime, and it is in the previous post to this one in the thread. Previous, because I am not done with compilation, which is the absolutely preferable way, as I explained somewhere in this thread. I'm really sorry, but I am too tired right now to reedit this.
...

As I already stated, securitywise, I just don't see that I could happily live without grsecurity/pax, that much I can say.

I am also tired, especially for having to still live with what I didn't opt for, in my Debian, as I explained in the post immediately preceding this one.
I wish, and I will keep around for a little while, in case someone help with advice, I could go on and finish the compilation of Yves-Alexis' kernel-grsec, but I don't abound with time anymore.

[timbgo]

I'm a medium level user who just understand I can't anymore get security in my system, with kernel that's gone hollowy, without grsecurity/pax.
I opted for Debian because of its shiny Commons/Open/GNU/you-name-it origin, and have spent days to get a grsecurity/pax Debian for me.

Code: Select all

  
  ┌──────────────────┤ Configuring linux-patch-grsecurity2 ├──────────────────┐  
 │                                                                           │  
 │ The 2.1.2 release is a security bugfix release, please upgrade!           │
 │                                                                           │                       
 │ In the included PaX patch a security bug was found. It affects kernels    │
 │ with SEGMEXEC or RANDEXEC enabled (the predefined LOW and MEDIUM	     │
 │ options do not contain these). All users are encouraged to upgrade	     │
 │ soon as the bug is locally (and maybe remotely) exploitable; if you	     │
 │ can not upgrade, then echo "0 0" > /proc/sys/vm/pagetable_cache would     │
 │ reduce the risk, but patching is still unavoidable. References:	     │
 │ http://lists.netsys.com/pipermail/full-disclosure/2005-March/032240.htm   │                       
 │ http://www.grsecurity.net/news.php#grsec212                               │                       
 │                                                                           │                       
 │                               <Ok>                                        │                   
 │                                                                           │                   
 └───────────────────────────────────────────────────────────────────────────┘                                                                                          
 

Code: Select all

                                                                                                    
 ┌───────────────────┤ Configuring linux-patch-grsecurity2 ├───────────────┐  
 │                                                                         │  
 │ The 2.1.3 release is also a security bugfix release, please upgrade!    │ 
 │                                                                         │ 
 │ Quoting upstream: "During the audit, a critical vulnerability was       │ 
 │ found in the RBAC system that effectively gave every subject the "O"    │ 
 │ flag, allowing a root user for instance to gain the privileges of any   │ 
 │ other process through LD_PRELOAD or ptrace." Also, a number of other    │ 
 │ bugs were fixed in general, including PaX. Please upgrade to this       │
 │ release as soon as you can.						   │
 │                                                                         │   
 │                              <Ok>                                       │   
 └────────────────────────────────────────────────────────────────────── ──┘  
 

And upon the second Ok'ing my aptitude gives way to terminal where it is clear the messages above are nothing but pure vitriol for who knows whichever reason, here:


root@myhost:# aptitude
Preconfiguring packages ...
Selecting previously unselected package linux-patch-grsecurity2.
(Reading database ... 143871 files and directories currently installed.)
Unpacking linux-patch-grsecurity2 (from .../linux-patch-grsecurity2_2.9.1+3.2.21-201206221855-1_all.deb) ...
Setting up linux-patch-grsecurity2 (2.9.1+3.2.21-201206221855-1) ...
Press Return to continue.

grsecurity 2.1.2 and 2.1.3 are anti-diluvium and those warning have no sense nor reference to reality. Other than vitriol for the sake of vitriol.

Code: Select all

 
 ┌───────────────────────────────────────────────────────────────┐  
 │                                                               │  
 │                          < Why ? >                            │  
 │                                                               │  
 └───────────────────────────────────────────────────────────────┘  
  

But anyways:

me@myhost:~/kernel/linux-source-3.2$ file /usr/src/kernel-patches/all/apply/grsecurity2 /usr/src/kernel-patches/all/apply/grsecurity2: Bourne-Again shell script, ASCII text executable
me@myhost:~/kernel/linux-source-3.2$ /usr/src/kernel-patches/all/apply/grsecurity2
dpkg: warning: obsolete option '--print-installation-architecture'; please use '--print-architecture' instead
No "Greater Security for Linux 2.6 and 3.x" patch found for kernel version 3.2.41
me@myhost:~/kernel/linux-source-3.2$

[timbgo]

I just wrote a little over here:
http://forums.debian.net/viewtopic.php? ... 86#p494186
It is contextually connected with this topic as well.
And there is a whole lot on:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3032

Miroslav Rovis
(my real name)