| 1 |
On 170508-22:49+0200, Miroslav Rovis wrote: |
| 2 |
> ... |
| 3 |
> I'll be back with an ebuild to discuss. |
| 4 |
> ... |
| 5 |
> On 170508-22:07+0200, Mathias Krause wrote: |
| 6 |
> > On 8 May 2017 at 20:08, Miroslav Rovis <miro.rovis@××××××××××××××.hr> wrote: |
| 7 |
... |
| 8 |
> > > Unofficial forward ports of the last publicly available grsecurity patch |
| 9 |
> > > https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec |
| 10 |
> > > |
| 11 |
> > > which I cloned into my machine. |
| 12 |
... |
| 13 |
> > ...as it used to be the case for the official grsec patch. So nothing |
| 14 |
> > has changed here. ;) But I can understand your concerns. If you're |
| 15 |
> > used to getting a patch and have to use a git repo now, it's not |
| 16 |
> > intuitive on *how* to make use of it. But, again, see below... |
| 17 |
... |
| 18 |
> > I'm not familiar with the gentoo ebuild based package system but I |
| 19 |
> > guess patches integrate more smoothly than git repositories do. So |
| 20 |
> > here's how you generate a patch for the unofficial port for v4.9.27 |
| 21 |
> > (just pushed ;): |
| 22 |
> > |
| 23 |
> > $ git remote update |
| 24 |
I'm used to doing: |
| 25 |
$ git pull |
| 26 |
(and I think it did the same, but I need to do it all over, more below, |
| 27 |
and in my next try I'll to 'git remote update') |
| 28 |
> > [update log foo] |
| 29 |
> > $ git diff v4.9.27..v4.9.27-unofficial_grsec > ~/unofficial_grsec-v4.9.27.diff |
| 30 |
Yes, that is how I got the grsec patch. I named it: |
| 31 |
4420_grsecurity-3.1-4.9.27-201705082100.patch |
| 32 |
|
| 33 |
This is what I did by comparison. The 4.9.24/ is gotten by: |
| 34 |
tar xf /usr/portage/distfiles/hardened-patches-4.9.24-1.extras.tar.bz2 |
| 35 |
|
| 36 |
and so I created: |
| 37 |
mkdir 4.9.27/, placed the content of the old 4.9.24/, except not the old |
| 38 |
patch, but the new I placed in it. See: |
| 39 |
|
| 40 |
# ls -ABRgo 4.9.24/ |
| 41 |
4.9.24/: |
| 42 |
total 9380 |
| 43 |
-rw-r--r-- 1 2003 2017-04-22 17:58 0000_README |
| 44 |
-rw-r--r-- 1 101631 2017-04-22 17:58 1023_linux-4.9.24.patch |
| 45 |
-rw-r--r-- 1 9451813 2017-04-22 17:38 4420_grsecurity-3.1-4.9.24-201704220732.patch |
| 46 |
-rw-r--r-- 1 665 2016-11-10 01:55 4425_grsec_remove_EI_PAX.patch |
| 47 |
-rw-r--r-- 1 1359 2017-01-01 18:15 4426_default_XATTR_PAX_FLAGS.patch |
| 48 |
-rw-r--r-- 1 1444 2017-02-15 14:14 4427_force_XATTR_PAX_tmpfs.patch |
| 49 |
-rw-r--r-- 1 303 2015-08-14 08:04 4430_grsec-remove-localversion-grsec.patch |
| 50 |
-rw-r--r-- 1 1528 2016-08-14 12:16 4435_grsec-mute-warnings.patch |
| 51 |
-rw-r--r-- 1 641 2015-08-14 08:04 4440_grsec-remove-protected-paths.patch |
| 52 |
-rw-r--r-- 1 4184 2016-12-14 13:33 4450_grsec-kconfig-default-gids.patch |
| 53 |
-rw-r--r-- 1 2616 2016-12-14 13:32 4465_selinux-avc_audit-log-curr_ip.patch |
| 54 |
-rw-r--r-- 1 2553 2017-02-15 14:14 4470_disable-compat_vdso.patch |
| 55 |
-rw-r--r-- 1 1467 2017-01-16 22:22 4475_emutramp_default_on.patch |
| 56 |
# |
| 57 |
|
| 58 |
# ls -ABRgo 4.9.27/ |
| 59 |
4.9.27/: |
| 60 |
total 9184 |
| 61 |
-rw-r--r-- 1 2003 2017-04-22 17:58 0000_README |
| 62 |
-rw-r--r-- 1 9352316 2017-05-08 23:47 4420_grsecurity-3.1-4.9.27-201705082100.patch |
| 63 |
-rw-r--r-- 1 665 2016-11-10 01:55 4425_grsec_remove_EI_PAX.patch |
| 64 |
-rw-r--r-- 1 1359 2017-01-01 18:15 4426_default_XATTR_PAX_FLAGS.patch |
| 65 |
-rw-r--r-- 1 1444 2017-02-15 14:14 4427_force_XATTR_PAX_tmpfs.patch |
| 66 |
-rw-r--r-- 1 303 2015-08-14 08:04 4430_grsec-remove-localversion-grsec.patch |
| 67 |
-rw-r--r-- 1 1528 2016-08-14 12:16 4435_grsec-mute-warnings.patch |
| 68 |
-rw-r--r-- 1 641 2015-08-14 08:04 4440_grsec-remove-protected-paths.patch |
| 69 |
-rw-r--r-- 1 4184 2016-12-14 13:33 4450_grsec-kconfig-default-gids.patch |
| 70 |
-rw-r--r-- 1 2616 2016-12-14 13:32 4465_selinux-avc_audit-log-curr_ip.patch |
| 71 |
-rw-r--r-- 1 2553 2017-02-15 14:14 4470_disable-compat_vdso.patch |
| 72 |
-rw-r--r-- 1 1467 2017-01-16 22:22 4475_emutramp_default_on.patch |
| 73 |
# |
| 74 |
|
| 75 |
And then I issued: |
| 76 |
|
| 77 |
tar cjf /usr/portage/distfiles/hardened-patches-4.9.27-1.extras.tar.bz2 4.9.27/ |
| 78 |
|
| 79 |
Similarly, looking up what |
| 80 |
tar xf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz |
| 81 |
decompresses into, actually it needs a folder created before it does so: |
| 82 |
tar xf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz -C linux |
| 83 |
, I copied it to |
| 84 |
[[ STOP, I found why the below, exactly because I didn't descend in that |
| 85 |
directory when I created, be see further below ]] |
| 86 |
|
| 87 |
However (and also logs are to follow), the patching didn't go right: |
| 88 |
# find /usr/src/linux/ -name '*.rej' |
| 89 |
/usr/src/linux/arch/x86/mm/init.c.rej |
| 90 |
/usr/src/linux/arch/x86/entry/entry_32.S.rej |
| 91 |
/usr/src/linux/mm/nommu.c.rej |
| 92 |
/usr/src/linux/mm/memory.c.rej |
| 93 |
/usr/src/linux/net/core/neighbour.c.rej |
| 94 |
/usr/src/linux/net/packet/af_packet.c.rej |
| 95 |
/usr/src/linux/net/unix/af_unix.c.rej |
| 96 |
/usr/src/linux/net/mpls/af_mpls.c.rej |
| 97 |
/usr/src/linux/include/linux/sched.h.rej |
| 98 |
/usr/src/linux/include/linux/capability.h.rej |
| 99 |
/usr/src/linux/include/linux/mm.h.rej |
| 100 |
/usr/src/linux/fs/namespace.c.rej |
| 101 |
/usr/src/linux/fs/exec.c.rej |
| 102 |
/usr/src/linux/fs/splice.c.rej |
| 103 |
/usr/src/linux/drivers/char/mem.c.rej |
| 104 |
/usr/src/linux/drivers/hv/hv.c.rej |
| 105 |
/usr/src/linux/kernel/ptrace.c.rej |
| 106 |
/usr/src/linux/kernel/cpu.c.rej |
| 107 |
# |
| 108 |
|
| 109 |
So the above happened, but (and this is the "further belows") it |
| 110 |
happened because, here's the paste: |
| 111 |
|
| 112 |
# tar tf /usr/portage/distfiles/genpatches-4.9-27.base.tar.xz | head |
| 113 |
linux/ |
| 114 |
linux/1012_linux-4.9.13.patch |
| 115 |
linux/1022_linux-4.9.23.patch |
| 116 |
linux/1008_linux-4.9.9.patch |
| 117 |
linux/1005_linux-4.9.6.patch |
| 118 |
linux/1011_linux-4.9.12.patch |
| 119 |
linux/2900_dev-root-proc-mount-fix.patch |
| 120 |
linux/1009_linux-4.9.10.patch |
| 121 |
linux/1024_linux-4.9.25.patch |
| 122 |
linux/1016_linux-4.9.17.patch |
| 123 |
# tar tf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz | head |
| 124 |
./0000_README |
| 125 |
./1000_linux-4.9.1.patch |
| 126 |
./1001_linux-4.9.2.patch |
| 127 |
./1002_linux-4.9.3.patch |
| 128 |
./1003_linux-4.9.4.patch |
| 129 |
./1004_linux-4.9.5.patch |
| 130 |
./1005_linux-4.9.6.patch |
| 131 |
./1006_linux-4.9.7.patch |
| 132 |
./1007_linux-4.9.8.patch |
| 133 |
./1008_linux-4.9.9.patch |
| 134 |
# |
| 135 |
|
| 136 |
# diff linux linux-4.9-24/ |
| 137 |
Only in linux: 1023_linux-4.9.24.patch |
| 138 |
Only in linux: 1024_linux-4.9.25.patch |
| 139 |
Only in linux: 1025_linux-4.9.26.patch |
| 140 |
Only in linux: 1026_linux-4.9.27.patch |
| 141 |
# |
| 142 |
|
| 143 |
And I'm sorry for mixed-up reporting, but I will leave it like this, |
| 144 |
because I need to go to sleep, can't improve it... |
| 145 |
|
| 146 |
And there are still issues. |
| 147 |
|
| 148 |
With the ebuild attached: |
| 149 |
|
| 150 |
hardened-sources-4.9.27.ebuild |
| 151 |
|
| 152 |
the kernel installs, but upon "make menuconfig" it looks like this: |
| 153 |
|
| 154 |
|
| 155 |
.config - Linux/x86 4.9.1-hardened Kernel Configuration |
| 156 |
──────────────────────────────────────────────────────────────────────────────────────────── |
| 157 |
┌──────────────────── Linux/x86 4.9.1-hardened Kernel Configuration ────────────────────┐ |
| 158 |
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty subme |
| 159 |
... |
| 160 |
|
| 161 |
And also the compiling fails. But first the *.rej. Less than the |
| 162 |
previous time! See: |
| 163 |
|
| 164 |
# find /usr/src/linux/ -name '*.rej' |
| 165 |
/usr/src/linux/arch/x86/mm/init.c.rej |
| 166 |
/usr/src/linux/arch/x86/entry/entry_32.S.rej |
| 167 |
/usr/src/linux/net/core/neighbour.c.rej |
| 168 |
/usr/src/linux/net/packet/af_packet.c.rej |
| 169 |
/usr/src/linux/net/unix/af_unix.c.rej |
| 170 |
/usr/src/linux/net/mpls/af_mpls.c.rej |
| 171 |
/usr/src/linux/fs/namespace.c.rej |
| 172 |
/usr/src/linux/drivers/char/mem.c.rej |
| 173 |
/usr/src/linux/drivers/hv/hv.c.rej |
| 174 |
/usr/src/linux/kernel/cpu.c.rej |
| 175 |
# |
| 176 |
|
| 177 |
And here's how it failed: |
| 178 |
|
| 179 |
# make && make install & |
| 180 |
HOSTCC scripts/kconfig/conf.o |
| 181 |
HOSTLD scripts/kconfig/conf |
| 182 |
scripts/kconfig/conf --silentoldconfig Kconfig |
| 183 |
HOSTCC arch/x86/tools/relocs_32.o |
| 184 |
HOSTCC arch/x86/tools/relocs_64.o |
| 185 |
HOSTLD arch/x86/tools/relocs |
| 186 |
CHK include/config/kernel.release |
| 187 |
UPD include/config/kernel.release |
| 188 |
CHK include/generated/uapi/linux/version.h |
| 189 |
CHK include/generated/utsrelease.h |
| 190 |
UPD include/generated/utsrelease.h |
| 191 |
HOSTCXX -fPIC scripts/gcc-plugins/rap_plugin/rap_plugin.o |
| 192 |
scripts/gcc-plugins/rap_plugin/rap_plugin.c: In function ‘bool rap_cgraph_indirectly_callable(cgraph_node_ptr)’: |
| 193 |
scripts/gcc-plugins/rap_plugin/rap_plugin.c:132:87: error: ‘cgraph_for_node_and_aliases’ was not declared in this scope |
| 194 |
return cgraph_for_node_and_aliases(node, __rap_cgraph_indirectly_callable, NULL, true); |
| 195 |
^ |
| 196 |
make[2]: *** [scripts/Makefile.host:158: scripts/gcc-plugins/rap_plugin/rap_plugin.o] Error 1 |
| 197 |
make[1]: *** [scripts/Makefile.build:544: scripts/gcc-plugins/rap_plugin] Error 2 |
| 198 |
make: *** [scripts/Makefile.gcc-plugins:129: gcc-plugins] Error 2 |
| 199 |
|
| 200 |
# |
| 201 |
|
| 202 |
Good night. In case somebody wants to look up why it failed, and should |
| 203 |
I ask Mathias or file a bug, or something else, here is also my emerge |
| 204 |
--info, gzip'd: |
| 205 |
|
| 206 |
Good night! |
| 207 |
-- |
| 208 |
Miroslav Rovis |
| 209 |
Zagreb, Croatia |
| 210 |
https://www.CroatiaFidelis.hr |
Archives