public inbox for gentoo-hardened@lists.gentoo.org
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Technical repercussions of grsecurity removal
Date: Tue, 9 May 2017 01:31:03 +0200	[thread overview]
Message-ID: <20170508233103.GA27111@g0n.xdwgrp> (raw)
In-Reply-To: <20170508204912.GA15294@g0n.xdwgrp>


[-- Attachment #1.1: Type: text/plain, Size: 8742 bytes --]

On 170508-22:49+0200, Miroslav Rovis wrote:
> ...
> I'll be back with an ebuild to discuss.
> ...
> On 170508-22:07+0200, Mathias Krause wrote:
> > On 8 May 2017 at 20:08, Miroslav Rovis <miro.rovis@croatiafidelis.hr> wrote:
...
> > > Unofficial forward ports of the last publicly available grsecurity patch
> > > https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec
> > >
> > > which I cloned into my machine.
...
> > ...as it used to be the case for the official grsec patch. So nothing
> > has changed here. ;) But I can understand your concerns. If you're
> > used to getting a patch and have to use a git repo now, it's not
> > intuitive on *how* to make use of it. But, again, see below...
...
> > I'm not familiar with the gentoo ebuild based package system but I
> > guess patches integrate more smoothly than git repositories do. So
> > here's how you generate a patch for the unofficial port for v4.9.27
> > (just pushed ;):
> > 
> >   $ git remote update
I'm used to doing:
$ git pull
(and I think it did the same, but I need to do it all over, more below,
and in my next try I'll do 'git remote update')
> >   [update log foo]
> >   $ git diff v4.9.27..v4.9.27-unofficial_grsec > ~/unofficial_grsec-v4.9.27.diff
Yes, that is how I got the grsec patch. I named it:
4420_grsecurity-3.1-4.9.27-201705082100.patch

This is what I did by comparison. The 4.9.24/ is gotten by:
tar xf /usr/portage/distfiles/hardened-patches-4.9.24-1.extras.tar.bz2

and so I created 4.9.27/ with mkdir and placed in it the content of the
old 4.9.24/, except the old patch, which I replaced with the new one. See:

# ls -ABRgo 4.9.24/
4.9.24/:
total 9380
-rw-r--r-- 1    2003 2017-04-22 17:58 0000_README
-rw-r--r-- 1  101631 2017-04-22 17:58 1023_linux-4.9.24.patch
-rw-r--r-- 1 9451813 2017-04-22 17:38 4420_grsecurity-3.1-4.9.24-201704220732.patch
-rw-r--r-- 1     665 2016-11-10 01:55 4425_grsec_remove_EI_PAX.patch
-rw-r--r-- 1    1359 2017-01-01 18:15 4426_default_XATTR_PAX_FLAGS.patch
-rw-r--r-- 1    1444 2017-02-15 14:14 4427_force_XATTR_PAX_tmpfs.patch
-rw-r--r-- 1     303 2015-08-14 08:04 4430_grsec-remove-localversion-grsec.patch
-rw-r--r-- 1    1528 2016-08-14 12:16 4435_grsec-mute-warnings.patch
-rw-r--r-- 1     641 2015-08-14 08:04 4440_grsec-remove-protected-paths.patch
-rw-r--r-- 1    4184 2016-12-14 13:33 4450_grsec-kconfig-default-gids.patch
-rw-r--r-- 1    2616 2016-12-14 13:32 4465_selinux-avc_audit-log-curr_ip.patch
-rw-r--r-- 1    2553 2017-02-15 14:14 4470_disable-compat_vdso.patch
-rw-r--r-- 1    1467 2017-01-16 22:22 4475_emutramp_default_on.patch
#

# ls -ABRgo 4.9.27/
4.9.27/:
total 9184
-rw-r--r-- 1    2003 2017-04-22 17:58 0000_README
-rw-r--r-- 1 9352316 2017-05-08 23:47 4420_grsecurity-3.1-4.9.27-201705082100.patch
-rw-r--r-- 1     665 2016-11-10 01:55 4425_grsec_remove_EI_PAX.patch
-rw-r--r-- 1    1359 2017-01-01 18:15 4426_default_XATTR_PAX_FLAGS.patch
-rw-r--r-- 1    1444 2017-02-15 14:14 4427_force_XATTR_PAX_tmpfs.patch
-rw-r--r-- 1     303 2015-08-14 08:04 4430_grsec-remove-localversion-grsec.patch
-rw-r--r-- 1    1528 2016-08-14 12:16 4435_grsec-mute-warnings.patch
-rw-r--r-- 1     641 2015-08-14 08:04 4440_grsec-remove-protected-paths.patch
-rw-r--r-- 1    4184 2016-12-14 13:33 4450_grsec-kconfig-default-gids.patch
-rw-r--r-- 1    2616 2016-12-14 13:32 4465_selinux-avc_audit-log-curr_ip.patch
-rw-r--r-- 1    2553 2017-02-15 14:14 4470_disable-compat_vdso.patch
-rw-r--r-- 1    1467 2017-01-16 22:22 4475_emutramp_default_on.patch
#

And then I issued:

tar cjf /usr/portage/distfiles/hardened-patches-4.9.27-1.extras.tar.bz2 4.9.27/

Similarly, looking up what
tar xf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz
decompresses into, actually it needs a folder created before it does so:
tar xf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz -C linux
, I copied it to
[[ STOP, I found why the below happened: exactly because I didn't descend
into that directory when I created it; see further below ]]

However (and also logs are to follow), the patching didn't go right:
# find /usr/src/linux/ -name '*.rej'
/usr/src/linux/arch/x86/mm/init.c.rej
/usr/src/linux/arch/x86/entry/entry_32.S.rej
/usr/src/linux/mm/nommu.c.rej
/usr/src/linux/mm/memory.c.rej
/usr/src/linux/net/core/neighbour.c.rej
/usr/src/linux/net/packet/af_packet.c.rej
/usr/src/linux/net/unix/af_unix.c.rej
/usr/src/linux/net/mpls/af_mpls.c.rej
/usr/src/linux/include/linux/sched.h.rej
/usr/src/linux/include/linux/capability.h.rej
/usr/src/linux/include/linux/mm.h.rej
/usr/src/linux/fs/namespace.c.rej
/usr/src/linux/fs/exec.c.rej
/usr/src/linux/fs/splice.c.rej
/usr/src/linux/drivers/char/mem.c.rej
/usr/src/linux/drivers/hv/hv.c.rej
/usr/src/linux/kernel/ptrace.c.rej
/usr/src/linux/kernel/cpu.c.rej
#

So the above happened, but (and this is the "further below") it
happened because of the following; here's the paste:

# tar tf /usr/portage/distfiles/genpatches-4.9-27.base.tar.xz  | head
linux/
linux/1012_linux-4.9.13.patch
linux/1022_linux-4.9.23.patch
linux/1008_linux-4.9.9.patch
linux/1005_linux-4.9.6.patch
linux/1011_linux-4.9.12.patch
linux/2900_dev-root-proc-mount-fix.patch
linux/1009_linux-4.9.10.patch
linux/1024_linux-4.9.25.patch
linux/1016_linux-4.9.17.patch
# tar tf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz  | head
./0000_README
./1000_linux-4.9.1.patch
./1001_linux-4.9.2.patch
./1002_linux-4.9.3.patch
./1003_linux-4.9.4.patch
./1004_linux-4.9.5.patch
./1005_linux-4.9.6.patch
./1006_linux-4.9.7.patch
./1007_linux-4.9.8.patch
./1008_linux-4.9.9.patch
# 

# diff linux linux-4.9-24/
Only in linux: 1023_linux-4.9.24.patch
Only in linux: 1024_linux-4.9.25.patch
Only in linux: 1025_linux-4.9.26.patch
Only in linux: 1026_linux-4.9.27.patch
# 

And I'm sorry for mixed-up reporting, but I will leave it like this,
because I need to go to sleep, can't improve it...

And there are still issues. 

With the ebuild attached:

hardened-sources-4.9.27.ebuild

the kernel installs, but upon "make menuconfig" it looks like this:


 .config - Linux/x86 4.9.1-hardened Kernel Configuration
 ────────────────────────────────────────────────────────────────────────────────────────────
  ┌──────────────────── Linux/x86 4.9.1-hardened Kernel Configuration ────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty subme
...

And the compile fails, too. But first the *.rej: fewer than the
previous time! See:

# find /usr/src/linux/ -name '*.rej'
/usr/src/linux/arch/x86/mm/init.c.rej
/usr/src/linux/arch/x86/entry/entry_32.S.rej
/usr/src/linux/net/core/neighbour.c.rej
/usr/src/linux/net/packet/af_packet.c.rej
/usr/src/linux/net/unix/af_unix.c.rej
/usr/src/linux/net/mpls/af_mpls.c.rej
/usr/src/linux/fs/namespace.c.rej
/usr/src/linux/drivers/char/mem.c.rej
/usr/src/linux/drivers/hv/hv.c.rej
/usr/src/linux/kernel/cpu.c.rej
#

And here's how it failed:

# make && make install &
  HOSTCC  scripts/kconfig/conf.o
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --silentoldconfig Kconfig
  HOSTCC  arch/x86/tools/relocs_32.o
  HOSTCC  arch/x86/tools/relocs_64.o
  HOSTLD  arch/x86/tools/relocs
  CHK     include/config/kernel.release
  UPD     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  UPD     include/generated/utsrelease.h
  HOSTCXX -fPIC scripts/gcc-plugins/rap_plugin/rap_plugin.o
scripts/gcc-plugins/rap_plugin/rap_plugin.c: In function ‘bool rap_cgraph_indirectly_callable(cgraph_node_ptr)’:
scripts/gcc-plugins/rap_plugin/rap_plugin.c:132:87: error: ‘cgraph_for_node_and_aliases’ was not declared in this scope
  return cgraph_for_node_and_aliases(node, __rap_cgraph_indirectly_callable, NULL, true);
                                                                                       ^
make[2]: *** [scripts/Makefile.host:158: scripts/gcc-plugins/rap_plugin/rap_plugin.o] Error 1
make[1]: *** [scripts/Makefile.build:544: scripts/gcc-plugins/rap_plugin] Error 2
make: *** [scripts/Makefile.gcc-plugins:129: gcc-plugins] Error 2

#

Good night. In case somebody wants to look up why it failed, and whether
I should ask Mathias or file a bug, or something else, here is also my
emerge --info, gzip'd:

Good night!
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr

[-- Attachment #1.2: hardened-sources-4.9.27.ebuild --]
[-- Type: text/plain, Size: 1332 bytes --]

# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

EAPI="5"

ETYPE="sources"
K_WANT_GENPATCHES="base"
K_GENPATCHES_VER="27"
K_DEBLOB_AVAILABLE="0"
K_FROM_GIT="27"

inherit kernel-2
detect_version

HGPV="${KV_MAJOR}.${KV_MINOR}.${KV_PATCH}-1"
HGPV_URI="http://dev.gentoo.org/~blueness/hardened-sources/hardened-patches/hardened-patches-${HGPV}.extras.tar.bz2"
SRC_URI="${KERNEL_URI} ${HGPV_URI} ${GENPATCHES_URI} ${ARCH_URI}"

UNIPATCH_LIST="${DISTDIR}/hardened-patches-${HGPV}.extras.tar.bz2"
UNIPATCH_EXCLUDE="
	1500_XATTR_USER_PREFIX.patch
	1520_CVE-2017-6074-dccp-skb-freeing-fix.patch
	2900_dev-root-proc-mount-fix.patch"

DESCRIPTION="Hardened kernel sources (kernel series ${KV_MAJOR}.${KV_MINOR})"
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/"
IUSE="deblob"

KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"

RDEPEND=">=sys-devel/gcc-4.5"

pkg_postinst() {
	kernel-2_pkg_postinst

	local GRADM_COMPAT="sys-apps/gradm-3.1*"

	ewarn
	ewarn "Users of grsecurity's RBAC system must ensure they are using"
	ewarn "${GRADM_COMPAT}, which is compatible with ${PF}."
	ewarn "It is strongly recommended that the following command is issued"
	ewarn "prior to booting a ${PF} kernel for the first time:"
	ewarn
	ewarn "emerge -na =${GRADM_COMPAT}"
	ewarn
}

[-- Attachment #1.3: emerge--info.gz --]
[-- Type: application/octet-stream, Size: 6584 bytes --]

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
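Added example (shell), not part of this message, the thread, or any Gentoo ebuild or eclass: helpers for the two tarball problems the message runs into, namely the genpatches tarball that is wrapped in linux/ where the previous one was flat (./0000_README), and the hand-rebuilt hardened-patches-<ver>-1.extras tarball that must carry 0000_README and a 4420_grsecurity patch made for the same kernel version. The function names (tar_top_dir, tar_paths_safe, extract_patches, check_extras, build_fixtures) are ours, and the fixtures it builds are constructed, empty placeholder files that only borrow their names from the listings above; fetching the unofficial_grsec repository and running git diff are not covered.

```sh
#!/bin/sh
# Added example, not from the original message. Layout checks for kernel
# patch tarballs: genpatches-4.9-24.base.tar.xz is flat ("./..."), while
# genpatches-4.9-27.base.tar.xz is wrapped in "linux/", so a blind "tar xf"
# drops the patches in different places. Needs only sh, tar, sed, grep and
# coreutils. All function names here are ours.
set -eu

# Print the single top-level directory wrapping every member ("linux" for
# the 4.9-27 layout), or "." when members sit at the top level ("./x").
tar_top_dir() {
    members=$(tar tf "$1" | sed -e 's#^\./##' -e '/^$/d')
    tops=$(printf '%s\n' "$members" | sed 's#/.*$##' | sort -u)
    ntops=$(printf '%s\n' "$tops" | grep -c . || true)
    # members without any "/" are files already at the top level
    bare=$(printf '%s\n' "$members" | grep -vc '/' || true)
    if [ "$bare" -eq 0 ] && [ "$ntops" -eq 1 ]; then
        printf '%s\n' "$tops"
    else
        printf '.\n'
    fi
}

# Refuse archives whose member names could write outside the destination
# (absolute paths or ".." components): cheap insurance for hand-built files.
tar_paths_safe() { ! tar tf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; }

# Unpack a patch tarball so the patches land directly in $2, whether or not
# the archive was wrapped in a directory.
extract_patches() {
    tar_paths_safe "$1" || { echo "unsafe member paths in $1" >&2; return 1; }
    top=$(tar_top_dir "$1")
    mkdir -p "$2"
    if [ "$top" = "." ]; then
        tar xf "$1" -C "$2"
    else
        tar xf "$1" -C "$2" --strip-components=1
    fi
}

# Check an extras directory against a kernel version (check_extras 4.9.27/
# 4.9.27): 0000_README must exist and every 4420_grsecurity-*.patch must
# name that version, which catches a 4.9.24 patch left in a 4.9.27 tarball.
check_extras() {
    dir=$1; kver=$2
    [ -f "$dir/0000_README" ] || { echo "$dir: missing 0000_README" >&2; return 1; }
    found=0
    for p in "$dir"/4420_grsecurity-*.patch; do
        [ -e "$p" ] || break
        found=1
        case ${p##*/} in
            4420_grsecurity-*-"$kver"-*.patch) ;;
            *) echo "$dir: ${p##*/} is not for $kver" >&2; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "$dir: no 4420_grsecurity patch" >&2; return 1; }
}

# Constructed fixtures (empty placeholder files named like the listings in
# the message) in a scratch directory whose path is printed: flat.tar mimics
# the 4.9-24 layout, wrapped.tar the 4.9-27 layout, plus two extras dirs.
build_fixtures() {
    work=$(mktemp -d)
    mkdir -p "$work/flat" "$work/wrapped/linux" "$work/4.9.24" "$work/4.9.27"
    : > "$work/flat/0000_README"
    : > "$work/flat/1000_linux-4.9.1.patch"
    : > "$work/wrapped/linux/0000_README"
    : > "$work/wrapped/linux/1026_linux-4.9.27.patch"
    : > "$work/4.9.24/0000_README"
    : > "$work/4.9.24/4420_grsecurity-3.1-4.9.24-201704220732.patch"
    : > "$work/4.9.27/0000_README"
    : > "$work/4.9.27/4420_grsecurity-3.1-4.9.27-201705082100.patch"
    (cd "$work/flat" && tar cf ../flat.tar .)
    (cd "$work/wrapped" && tar cf ../wrapped.tar linux)
    printf '%s\n' "$work"
}

# Stand-alone demo over the fixtures; cleans up after itself.
demo() {
    w=$(build_fixtures)
    echo "flat.tar top dir:    $(tar_top_dir "$w/flat.tar")"
    echo "wrapped.tar top dir: $(tar_top_dir "$w/wrapped.tar")"
    extract_patches "$w/wrapped.tar" "$w/out"
    ls "$w/out"
    check_extras "$w/4.9.27" 4.9.27 && echo "4.9.27 extras ok"
    check_extras "$w/4.9.24" 4.9.27 || echo "4.9.24 extras rejected for 4.9.27 (expected)"
    rm -rf "$w"
}
demo
```

Run as is, it builds the fixtures, prints the detected top directory for each layout, unpacks the wrapped one flat, and accepts the 4.9.27 extras while rejecting the 4.9.24 ones for 4.9.27. With real distfiles, point tar_top_dir and extract_patches at genpatches-4.9-27.base.tar.xz and run check_extras on the 4.9.27/ directory before the tar cjf step.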

Thread overview: 28+ messages
2017-05-01  9:38 [gentoo-hardened] Technical repercussions of grsecurity removal Sven Vermeulen
2017-05-01  9:50 ` Sven Vermeulen
2017-05-01 10:24 ` Daniel Cegiełka
2017-05-01 11:00   ` Andrew Savchenko
2017-05-01 12:25     ` Daniel Cegiełka
2017-05-01 10:28 ` Andrew Savchenko
2017-05-01 13:58   ` Sven Vermeulen
2017-05-01 14:20     ` SK
2017-05-01 14:53       ` Daniel Cegiełka
2017-05-01 15:21         ` SK
2017-05-02  8:28           ` Daniel Cegiełka
2017-05-08 18:08             ` Miroslav Rovis
2017-05-08 18:57               ` Luis Ressel
2017-05-08 20:07               ` Mathias Krause
2017-05-08 20:49                 ` Miroslav Rovis
2017-05-08 23:31                   ` Miroslav Rovis [this message]
2017-05-09 14:28                     ` [gentoo-hardened] Unofficial grsec kernel install WAS: " Miroslav Rovis
2017-05-08 21:12     ` [gentoo-hardened] " Andrew Savchenko
2017-05-12 19:10       ` "Tóth Attila"
2017-05-12 23:38         ` Alex Efros
2017-05-13  0:17           ` Max R.D. Parmer
2017-05-02 15:28 ` Luis Ressel
2017-05-02 15:56   ` Daniel Cegiełka
2017-05-02 16:02     ` Luis Ressel
2017-05-02 16:59       ` Daniel Cegiełka
2017-05-02 17:23         ` "Tóth Attila"
2017-05-02 19:58           ` Daniel Cegiełka
2017-05-02 20:41             ` Alex Efros
