EDIT START Sat Jan 18 15:24:54 EST 2014
All the files there are some 360MB, and while compiling with this script is safer, for newbies willing to try at their own risk, downloading the Debian packages into a newly created directory and running (as root):
# dpkg -i *.deb
could install the Grsecurity patched kernel without much fuss. (Then no development tools installation is needed.)
See more talk about it at the bottom.
```bash
#!/bin/bash
#
# This is grsec_debian_v3.12.8.sh
#
# copyright Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_v3.12.8.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo " Caveat emptor! "
echo
echo " Do not use this script if you do not understand "
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo " "
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script or issue Ctrl-C to kill it."
echo
read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
read FAKE ;

# Workspace: dLo for the downloads, src for the compilation.
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
read FAKE ;
mkdir -pv "/home/$user/dLo/" "/home/$user/src/"
echo ; echo ls -l "/home/$user/dLo/" "/home/$user/src/" ;
ls -l "/home/$user/dLo/" "/home/$user/src/"
echo ; echo cd "/home/$user/dLo/" ;
cd "/home/$user/dLo/" ; pwd ;

# Downloads: kernel, Grsecurity patch, config, each with its detached signature.
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.8.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.8.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.8-201401160931.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.8-201401160931.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.gz
echo ; echo "Import my new key, because I had to revoke the previous one:"
echo "gpg --recv-keys 0x4FBAF0AE"
read FAKE ;
# Long option needs two dashes; with one dash gpg reads it as '-r ecv-key'.
gpg --recv-keys 0x4FBAF0AE
echo ; echo "Next, copy all downloads to /home/$user/src/"
read FAKE ;
cp -iav linux-3.12.8.tar.* "/home/$user/src/"
cp -iav grsecurity-3.0-3.12.8-201401160931.patch* "/home/$user/src/"
cp -iav config-3.12.7-grsec-140113-16* "/home/$user/src/"
cd "/home/$user/src/" ; pwd
ls -l linux-3.12.8*
read FAKE ;

# Decompress first: the kernel and config signatures cover the uncompressed files.
echo ; echo unxz linux-3.12.8.tar.xz ;
read FAKE ;
unxz linux-3.12.8.tar.xz ;
echo ; echo gpg --verify linux-3.12.8.tar.sign ;
read FAKE ;
gpg --verify linux-3.12.8.tar.sign ;
echo ; echo gpg --verify grsecurity-3.0-3.12.8-201401160931.patch.sig;
read FAKE ;
gpg --verify grsecurity-3.0-3.12.8-201401160931.patch.sig;
echo ; echo gunzip config-3.12.7-grsec-140113-16.gz;
read FAKE ;
gunzip config-3.12.7-grsec-140113-16.gz;
echo ; echo gpg --verify config-3.12.7-grsec-140113-16.sig ;
read FAKE ;
gpg --verify config-3.12.7-grsec-140113-16.sig ;

# Unpack the kernel source and apply the Grsecurity patch.
echo ; echo tar xvf linux-3.12.8.tar ;
read FAKE ;
tar xvf linux-3.12.8.tar ;
echo ; echo cd linux-3.12.8;
read FAKE ;
cd linux-3.12.8; pwd
echo ; echo "patch -p1 < ../grsecurity-3.0-3.12.8-201401160931.patch";
read FAKE ;
patch -p1 < ../grsecurity-3.0-3.12.8-201401160931.patch
echo ; echo cd ../;
cd ../ ; pwd
read FAKE ;
echo ; echo cp -iav config-3.12.7-grsec-140113-16 linux-3.12.8/.config;
read FAKE ;
cp -iav config-3.12.7-grsec-140113-16 linux-3.12.8/.config
echo ; echo cd linux-3.12.8;
read FAKE ;
cd linux-3.12.8
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=$(date +%y%m%d-%H)
echo "$locver"
read FAKE ;
echo sed -i.bak "s/140113-16/$locver/" .config
read FAKE ;
sed -i.bak "s/140113-16/$locver/" .config
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
read FAKE ;
echo "If here you will see the script complaining:"
echo "./grsec_debian_v3.12.8.sh: line 125: make: command not found"
echo "then you need to install the development tools (don't be worry,"
echo "nothing much ;-) Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# # apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user you would see '# $'
# instead.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev
make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
diff .config*
echo
echo ; echo "Now this, the next one, can be a longer one step in the process..."
echo
echo ; echo fakeroot make deb-pkg;
read FAKE ;
fakeroot make deb-pkg
echo ; echo "Here, the deb packages ought to be there..."
read FAKE ;
echo ; echo cd ../ ;
cd ../ ; pwd ;
read FAKE ;
ls -l *.deb
echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb , above and if you already used paxctl on grub binaries as I took care to explain in detail, you're at your last step."
echo ; echo "But, that step you need to execute as root, so it is not part of this script executed all as user."
read FAKE ;
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo "$msgbeforeroot1"
echo ; echo "$msgbeforeroot2"
echo "If no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
#
# $
# But I despise so much the fact that the best GNU Linux security is blocked
# from official Debian GNU Linux, that I intend to use my slow connection, a
# fraction of what I pay for, being myself a homeland living dissident whom the
# traitors in "power in my Croatia, try to keep under control through
# censorship like that and worse.. Illegally they do so, but those are a bunch
# of criminals, most of them, anyways... That exactly is what my friend Marko
# Francišković said to some of their servants, police officers, and is now
# paying for those words with being tortured, by being administered to him very
# hazardous medicament like Zypress (if I got the brand name of that sh*t
# correctly), and his life is in real danger.
#
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction of what I pay for, to try and upload these
# Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis. And that task might take me a few hours to even ten or
# more hours time.
#
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux.
#
# And yet it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it .
#
# And pls. let me know if this works for you, dear Debian GNU Linux user! Those
# who know how to compile, and those who hopefully learn how to compile through
# my Tips pages on Debian Forums, pls. get active. We have to get a branch in
# the Official Debian GNU Linux repositories, this way, some other way or in
# yet other fashion, shape, form or shape, this huge injustice against us the
# users and against shiny honest developers Spender and Pax Team has to be
# reversed!
#
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through)
#
# email@example.com (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
#
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
#
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
#
```
and of course, if it is more Debian specific, then in this topic, where you are reading these lines.
Only two things are due, for those who might go and try and download and install my packages:
1) at your own responsibility, works for me, might and might not for you, might even break your system, I don't think it really could, but I don't know and guarantee nothing
2) For those who install and are not home yet with Grsecurity/Pax...
get paxctl somewhere. The Iceweasel won't work out of the box, and maybe some other programs, but it's a simple fix to do it...
God, I'm so tired, but I can't go to sleep before I post that small little tip in here, right away...
I think it's:
# apt-get install paxctl
# paxctl -cm /usr/lib/iceweasel/iceweasel
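
For the prebuilt-package route (`dpkg -i *.deb` as root), the following is an added example, not part of the original post or script: it refuses to go ahead unless every `.deb` in the download directory matches a checksum list, since the glob installs whatever happens to be in that directory. The `SHA256SUMS` manifest and the function name `check_debs` are assumptions; the post does not mention a manifest, and its authenticity has to be established first (for instance with `gpg --verify`, as the script does for its own downloads).

```bash
#!/bin/bash
# Added example (not from the original script).
# check_debs DIR MANIFEST
#   MANIFEST: hypothetical checksum list in sha256sum format
#   ("<hash>  <filename>"), already authenticated by other means.
# Returns 0 only if every *.deb in DIR is listed and its hash matches,
# 1 if a package is unlisted, altered, or none is present, 2 on bad arguments.
check_debs() {
    local dir manifest deb name want have found
    dir=$1
    manifest=$2
    found=0
    [ -d "$dir" ] && [ -r "$manifest" ] || return 2

    for deb in "$dir"/*.deb; do
        [ -e "$deb" ] || continue        # glob matched nothing
        found=1
        name=${deb##*/}
        # Expected hash for exactly this file name ('*' marks binary mode).
        want=$(awk -v n="$name" \
            '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' \
            "$manifest")
        if [ -z "$want" ]; then
            echo "REFUSE: $name is not listed in the manifest" >&2
            return 1
        fi
        have=$(sha256sum "$deb" | awk '{ print $1 }')
        if [ "$have" != "$want" ]; then
            echo "REFUSE: $name does not match the manifest" >&2
            return 1
        fi
    done

    if [ "$found" -ne 1 ]; then
        echo "REFUSE: no .deb files in $dir" >&2
        return 1
    fi
    return 0
}

# Usage (as root, in the download directory):
#   check_debs . SHA256SUMS && dpkg -i ./*.deb
```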