Hi,

I'm using the hardened-2.6.7-r10 kernel and everything compiles just fine, however at the end of `make modules_install` I get:

```
WARNING: /lib/modules/2.6.7-hardened-r10/kernel/security/commoncap.ko needs unknown symbol gr_check_user_change
WARNING: /lib/modules/2.6.7-hardened-r10/kernel/security/commoncap.ko needs unknown symbol gr_check_group_change
WARNING: /lib/modules/2.6.7-hardened-r10/kernel/security/commoncap.ko needs unknown symbol gr_handle_chroot_caps
```

In my USE flags in /etc/make.conf I have "hardened" (installed my system with that), except for gcc which I have set to -hardened in /etc/portage/package.use.

To start named I need the capability module, which however depends on commoncap. When I do `modprobe capability` it returns:

```
WARNING: Error inserting commoncap (/lib/modules/2.6.7-hardened-r10/kernel/security/commoncap.ko): Unknown symbol in module, or unknown parameter (see dmesg)
FATAL: Error inserting capability (/lib/modules/2.6.7-hardened-r10/kernel/security/capability.ko): Unknown symbol in module, or unknown parameter (see dmesg)
```

Dmesg returns the following (which seems to give the impression that not only commoncap but capability itself has some problems as well):

```
commoncap: Unknown symbol gr_check_user_change
commoncap: Unknown symbol gr_check_group_change
commoncap: Unknown symbol gr_handle_chroot_caps
capability: Unknown symbol cap_ptrace
capability: Unknown symbol cap_inode_setxattr
capability: Unknown symbol cap_syslog
capability: Unknown symbol cap_capget
capability: Unknown symbol cap_task_reparent_to_init
capability: Unknown symbol cap_task_post_setuid
capability: Unknown symbol cap_bprm_set_security
capability: Unknown symbol cap_bprm_secureexec
capability: Unknown symbol cap_capset_check
capability: Unknown symbol cap_bprm_apply_creds
capability: Unknown symbol cap_capable
capability: Unknown symbol cap_capset_set
capability: Unknown symbol cap_vm_enough_memory
capability: Unknown symbol cap_inode_removexattr
```

Anybody got any idea what's going on?

Reproducible: Always

Steps to Reproduce:
1. emerge hardened-dev-sources
2. enable grsecurity, pax and compile Default Linux Capabilities as a module
3. make && make modules_install

Actual Results: See details.

Expected Results: No warnings whatsoever, the symbols should've been known.

```
Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.7-hardened-r10 i686)
=================================================================
System uname: 2.6.7-hardened-r10 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers: sys-kernel/linux26-headers-2.6.7-r4
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=athlon-tbird -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=athlon-tbird -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://ftp.easynet.nl/mirror/gentoo/ http://www.gigaload.org/gentoo.org/ http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dfx X acl acpi alsa apache2 apm arts avi bitmap-fonts bzlib canna crypt divx4linux doc encode esd fam fortran ftp gdbm gif gnome gpm gstreamer gtk gtk2 hardened iconv imlib ipv6 java jpeg kde libg++ libwww mad mikmod mime mozilla mpeg mysql ncurses nls odbc oggvorbis opengl pam pda pdflib perl php png python qt quicktime readline recode samba sdl session slang sockets socks5 spell sqlite ssl svga tcltk tcpd tiff truetype unicode usb vhost wxwindows x86 xml xml2 xv xvid zlib"
```
It appears that you have resolved this issue: http://forums.grsecurity.net/viewtopic.php?t=987
No, I just thought that it was a bug in grsecurity and the reply pointed out that it wasn't. I just didn't want to bother them with a bug that isn't theirs. I eventually "fixed" my problem by compiling the "Default Linux Capabilities" directly into the kernel instead of making it a module, however the bug is still there (also in the new -r16 release). When I compile it as a module (which I'd prefer) I still get the unknown symbol error.
For future hardened-dev-sources kernels, building "Default Linux Capabilities" as a module will not be supported. The reason for this is due to both it being a bad security idea in general, and because of the recent kernel vulnerability in the capability module. (see bug 75963 for more information)
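
An added example, not part of the bug report or of any comment above: a shell audit that reads a kernel `.config` and reports whether "Default Linux Capabilities" is built in or modular, plus a summary of `Unknown symbol` lines per module from dmesg. It assumes the option's Kconfig symbol is `CONFIG_SECURITY_CAPABILITIES`; the function names and the sample `.config` fragment are constructed for illustration, and the sample dmesg lines are copied from the report.

```shell
#!/bin/sh
# Added example (not from the bug report). Config and dmesg text arrive on stdin.

# Print builtin, module or unset for one tristate option, e.g. SECURITY_CAPABILITIES.
kconfig_state() {
    awk -v opt="CONFIG_$1" '
        $0 == (opt "=y")               { state = "builtin" }
        $0 == (opt "=m")               { state = "module" }
        $0 == ("# " opt " is not set") { state = "unset" }
        END { print (state == "" ? "unset" : state) }'
}

# Return 0 when capabilities are built in, 1 when modular, 2 when unset.
check_capabilities() {
    state=$(kconfig_state SECURITY_CAPABILITIES)
    case "$state" in
        builtin) echo "ok: Default Linux Capabilities is built in"; return 0 ;;
        module)  echo "warn: Default Linux Capabilities is a module"; return 1 ;;
        *)       echo "note: CONFIG_SECURITY_CAPABILITIES is not set"; return 2 ;;
    esac
}

# Summarise "module: Unknown symbol name" lines as "module count",
# in order of first appearance.
unknown_symbols_by_module() {
    awk -F': Unknown symbol ' 'NF == 2 {
            if (!($1 in n)) order[++k] = $1
            n[$1]++
        }
        END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }'
}

# Constructed .config fragment matching the reporter's setup (option as module).
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=m
# CONFIG_SECURITY_SELINUX is not set
EOF
}

# A few dmesg lines copied from the report above.
sample_dmesg() {
    cat <<'EOF'
commoncap: Unknown symbol gr_check_user_change
commoncap: Unknown symbol gr_check_group_change
commoncap: Unknown symbol gr_handle_chroot_caps
capability: Unknown symbol cap_ptrace
capability: Unknown symbol cap_capable
EOF
}
```

On a real system, feed it the build tree's config (`check_capabilities < /usr/src/linux/.config`) and the live log (`dmesg | unknown_symbols_by_module`).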