Hi, I'm filing this bug in anticipation of a forthcoming grsecurity-2.1.8 release which could necessitate a hardened-sources revision bump. At present, a grsecurity-2.1.8-2.6.14.5-200601052238 patch is available for *testing* purposes. I'm attaching an ebuild here to facilitate such testing for any interested parties. It relies upon a "hardened-patches-2.6.14-4.extras.tar.bz" tarball which I've uploaded to http://www.recruit2recruit.net/kerframil/patches/ (md5sum: fcbbac541bbd64efb7ad9e0a295b0306). The only change is that #4905 in the set has been updated accordingly (with the usual removal of the hunk that affects the kernel's Makefile).
Created attachment 76452: hardened-sources-2.6.14-r4.ebuild (pre)
Latest snapshot available is now "grsecurity-2.1.8-2.6.14.6-200601081947" which, as the name suggests, was synced with the new 2.6.14.6 release. I've updated the tarballs in my webspace. I'll attach a new ebuild which also relies upon "genpatches-2.6.14-9.base.tar.bz2". See bug 118351 for more information.
Created attachment 76587: hardened-sources-2.6.14-r5.ebuild
Please also note that in order to correctly use and administer the RBAC mechanism provided in the 2.1.8 grsecurity patch one should be sure to use the latest version of gradm; the sources are available here: http://www.grsecurity.net/~spender/gradm-2.1.8-200601081938.tar.gz
Oops, I made a mistake when preparing the hardened-extras tarball which would result in compile failures. I've now uploaded a fixed instance (md5: d5f7e4659f91690a7779219ce5b43e3b).
Renamed the test ebuild to -r5 because an -r4 has been committed to portage recently. Furthermore, a "genpatches-2.6.14-9" set has been officially committed so it's again only necessary to download the "hardened-patches-2.6.14-4.extras" tarball.
*** Bug 118991 has been marked as a duplicate of this bug. ***
Bumped the tarball to incorporate the very latest grsec-2.1.8-2.6.14.6-200601171750 patch.
Created attachment 77402: files/digest-hardened-sources-2.6.14-r5
Here's a digest for the ebuild as it currently stands.
Now including the grsecurity-2.1.8-2.6.14.6-200601211647 patch which has reached release status upstream. Therefore I'm requesting that this now be added to the tree. Note that both "sys-apps/gradm-2.1.8.200601212342" and "hardened-sources-2.4.32-r2" are in the tree now for grsec-2.1.8 support (albeit in ~testing). All pre-requisite ebuilds/tarballs and the split-out patches can currently be found in my webspace. Will attach new ebuild/digest here in any case.
Created attachment 78285: hardened-sources-2.6.14-r5.ebuild (stable release)
Created attachment 78286: files/digest-hardened-sources-2.6.14-r5 (updated)
Note also that the current ebuild relies on a maintenance genpatches release which is not in the tree. If committed this will add the following patches:

1006_Q_01_irq-affinity-broken-with-msi.patch
1006_Q_02_bridge-netfilter-ip-fragments.patch
1006_Q_03_sparc64-ptrace.patch
1006_Q_04_sparc64-fstat64.patch
1006_Q_05_netfilter-pptp-crash-1.patch
1006_Q_06_netfilter-pptp-crash-2.patch
1090_15.1_01_ppc-ml300-ep405-boot.patch
1090_15.1_02_vgacon-doublescan.patch
1090_15.1_03_netlink-oops-fix.patch
1090_15.1_04_moxa-capability-check.patch
1090_15.1_05_sparc64-64k-hugetlb-depends.patch
1091_15.Q_01_kill-blk_attempt_remerge.patch
1091_15.Q_02_input-hid-oops-fix.patch
1091_15.Q_03_sys_mq_open-double-decrement.patch (bug 119087)
1091_15.Q_04_ufs-mount-oops-fix.patch
1091_15.Q_05_sparc64-timekeeping-fix.patch
1091_15.Q_06_skb_reserve-signed-len.patch
1091_15.Q_07_pci-gart-mask-gpf-flags.patch
1115_sys_mq_open-double-decrement.patch
1115_dm-crypt-zero-key-material.patch (bug 119562)
1120_dvb-dst-buffer-overflow-fix.patch (bug 119561)
4000_intel-ich8.patch (in -extras)

I have personally tested this on two x86 systems and one amd64 system.
Oops, the "1115_sys_mq_open-double-decrement.patch" line in the previous comment is erroneous ;)
Note: all of my work is hosted here now: http://brianw.org/kerframil/kernel/ and http://brianw.org/kerframil/ebuilds/.
The stable queues have reached review stage upstream. Added two remaining 2.6.15 queue fixes and added/backported properly a patch that I had previously glossed over from 2.6.15.1 (which is 1090_15.1_03). Thanks to plasmaroo for helping out on that one. Tested to the same extent as before and working well. Last modification I reckon :)

+ 1090_15.1_03_workqueue-oops-during-cpu-offline.patch
R 1090_15.1_04_netlink-oops-fix.patch
R 1090_15.1_05_moxa-capability-check.patch
R 1090_15.1_06_sparc64-64k-hugetlb-depends.patch
+ 1091_15.Q_08_reiserfs-mount-options-fix.patch
+ 1091_15.Q_09_i2o-scsi-abort-oops.patch
Created attachment 78529: files/digest-hardened-sources-2.6.14-r5 (30-01-2006)
I've just upgraded from -r3 to -r5. There, one new option was added in -r5: GRKERNSEC_MODSTOP. I've enabled it and found a small bug: disabling module (un)loading also automatically disables changing other grsec options. I have these two lines at the bottom of /etc/sysctl.conf:

kernel.grsecurity.disable_modules = 1
kernel.grsecurity.grsec_lock = 1

and after executing the first line, sysctl is unable to execute the second line. Here is what I see in the console:

home /proc/sys/kernel/grsecurity # cat disable_modules
1
home /proc/sys/kernel/grsecurity # cat grsec_lock
0
home /proc/sys/kernel/grsecurity # echo 0 > disable_modules
home /proc/sys/kernel/grsecurity # cat disable_modules
1
home /proc/sys/kernel/grsecurity # echo 1 > grsec_lock
home /proc/sys/kernel/grsecurity # cat grsec_lock
0

And here is what was added to the log file while I ran these commands:

2006-02-02_02:49:04.79450 kern.alert: grsec: denied modification of grsecurity sysctl value : disable_modules by /bin/bash[bash:29081] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:13200] uid/euid:0/0 gid/egid:0/0
2006-02-02_02:49:16.37100 kern.alert: grsec: denied modification of grsecurity sysctl value : grsec_lock by /bin/bash[bash:29081] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:13200] uid/euid:0/0 gid/egid:0/0
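The comment above shows that, once kernel.grsecurity.disable_modules (or the documented grsec_lock) has been set to 1, every later write to a kernel.grsecurity.* sysctl is denied and logged. A defender can catch such an ordering mistake before it reaches a running kernel by linting /etc/sysctl.conf. The script below is an added example written for this page; it is not part of the bug report, the ebuild, or grsecurity. It assumes only the behaviour reported in the comment (a lock line makes later grsecurity keys unwritable); the sample file it builds is constructed, and kernel.grsecurity.chroot_deny_mount is used merely as a representative non-lock key.

```shell
#!/bin/sh
# Added example (not from the bug thread): lint a sysctl.conf-style file so
# that no kernel.grsecurity.* key appears after a line that, per the report
# above, locks the grsecurity sysctls:
#   kernel.grsecurity.disable_modules = 1
#   kernel.grsecurity.grsec_lock = 1
# Usage: check_grsec_sysctl_order /etc/sysctl.conf
# Prints one diagnostic per offending line; returns 1 if any were found.
check_grsec_sysctl_order() {
    awk '
        BEGIN { locked = ""; bad = 0 }
        /^[[:space:]]*#/ { next }          # comment line
        /^[[:space:]]*;/ { next }          # alternative comment syntax
        /^[[:space:]]*$/ { next }          # blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next               # not a key = value line
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/[[:space:]]/, "", key)
            gsub(/[[:space:]]/, "", val)
            # Any grsecurity key after a lock line would be denied at runtime.
            if (locked != "" && key ~ /^kernel\.grsecurity\./) {
                printf "%s:%d: %s is set after %s=1 and would be denied\n",
                       FILENAME, NR, key, locked
                bad = 1
            }
            # Record the first lock line; later lines are checked against it.
            if (locked == "" && val == "1" &&
                (key == "kernel.grsecurity.disable_modules" ||
                 key == "kernel.grsecurity.grsec_lock"))
                locked = key
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample reproducing the two-line tail from the report above.
demo_grsec_order() {
    f=$(mktemp)
    printf '%s\n' \
        '# constructed sample, not a real host configuration' \
        'kernel.grsecurity.chroot_deny_mount = 1' \
        'kernel.grsecurity.disable_modules = 1' \
        'kernel.grsecurity.grsec_lock = 1' > "$f"
    check_grsec_sysctl_order "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Run the demo only when executed directly, so the file can also be sourced.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    demo_grsec_order
fi
```

With the reported two-line tail the lint flags grsec_lock as unreachable after disable_modules=1, which is exactly the failure the comment describes; a file that sets its ordinary grsecurity keys first and ends with a single lock line passes.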
(In reply to comment #18) This seems reproducible here with hardened-sources-2.4.32-r2 also. Mail sent to spender@grsec about this.
I've moved the information in the previous 2 comments over to a new bug (bug 121250) where it belongs. Closing this one as hardened-sources-2.6.14-r5 has been committed.