A. I am aware hardened on sparc is not supported. Since it's not I decided to look at the sources instead of giving up. The problem is it appears that this is not hardened related.

B.

    livecd linux # make
      CHK     include/linux/version.h
      CC      init/main.o
    In file included from include/linux/module.h:10,
                     from init/main.c:16:
    include/linux/sched.h: In function `lock_need_resched':
    include/linux/sched.h:1186: error: request for member `break_lock' in something not a structure or union
    make[1]: *** [init/main.o] Error 1
    make: *** [init] Error 2

So I go looking at sched.h

    /*
     * Does a critical section need to be broken due to another
     * task waiting?:
     */
    #if defined(CONFIG_PREEMPT) && defined(CONFIG_SMP)
    # define need_lockbreak(lock) ((lock)->break_lock)
    #else
    # define need_lockbreak(lock) 0
    #endif

    /*
     * Does a critical section need to be broken due to another
     * task waiting or preemption being signalled:
     */
    static inline int lock_need_resched(spinlock_t *lock)
    {
            if (need_lockbreak(lock) || need_resched())
                    return 1;
            return 0;
    }

Ok macro for spinlock_t, tries to access break_lock. That's fine, let's go find spinlock_t and see if it has one.

in /usr/src/linux/include/linux/spinlock.h

    /*
     * If CONFIG_SMP is set, pull in the _raw_* definitions
     */
    #ifdef CONFIG_SMP
    #define assert_spin_locked(x) BUG_ON(!spin_is_locked(x))
    #include <asm/spinlock.h>

That's me, so check asm/spinlock.h

in /usr/src/linux/include/asm/spinlock.h

    #ifndef CONFIG_DEBUG_SPINLOCK
    typedef unsigned char spinlock_t;

It's a char, and I am unaware of how a char can have break_lock member in C.

    livecd linux # cat .config | grep CONFIG_DEBUG_SPINLOCK
    # CONFIG_DEBUG_SPINLOCK is not set
    # CONFIG_DEBUG_SPINLOCK_SLEEP is not set
    livecd linux # cat .config | grep SMP
    CONFIG_SMP=y

Rest of my config is attached.
Created attachment 56028: Kernel config file

Hopefully this helps
Don't wanna be rude, but unless the hardened team picks this up I doubt anyone on the sparc team will. For starters hardened-sources doesn't include the sparc patchset that makes 2.6 somewhat usable (like in works kinda OK for a UP server, mostly b0rked for SMP). Last chance would be some 2.4 kernel if they want to support it, or use sparc-sources (2.4-based) since this one includes grsec (but not selinux).

Hardened team: ?
Gustavo Zacarias is correct. Hardened + Sparc are not really supported at this time. sparc-sources-2.4.x taking advantage of grsec is probably your best bet for now. It also might be helpful to make sure the grsec revisions are kept fairly up to date in it.

Alec, in the future it would be helpful if you also gave the output of 'emerge info' along with the exact version of what you're reporting a bug for.

UPSTREAM?
It looks like turning Preempt off will make it build fine. It's not a problem if you guys don't want to pick it up, I'm fine running w/o preempt. Filing it upstream would be good though.

For completeness:

    livecd / # emerge info
    Gentoo Base System version 1.4.16
    Portage 2.0.51.19 (selinux/2004.1/sparc64, gcc-3.3.5-20050130, glibc-2.3.3.20040420-r2, 2.4.29-sparc-smp sparc64)
    =================================================================
    System uname: 2.4.29-sparc-smp sparc64 sun4u
    Python:              dev-lang/python-2.3.4-r1 [2.3.4 (#1, Apr 11 2005, 06:28:43) ]
    dev-lang/python:     2.3.4-r1
    sys-devel/autoconf:  2.13, 2.59-r6
    sys-devel/automake:  1.8.5-r3, 1.5, 1.7.9-r1, 1.6.3, 1.4_p6, 1.9.4
    sys-devel/binutils:  2.15.92.0.2-r7
    sys-devel/libtool:   1.5.10-r4
    virtual/os-headers:  2.6.8.1-r4
    ACCEPT_KEYWORDS="sparc"
    AUTOCLEAN="yes"
    CFLAGS="-mcpu=v9 -mtune=v9 -O2 -pipe"
    CHOST="sparc-unknown-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
    CXXFLAGS="-mcpu=v9 -mtune=v9 -O2 -pipe"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoaddcvs autoconfig distlocks sandbox selinux sfperms strict userpriv usersandbox"
    GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
    MAKEOPTS="-j3"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://rsync.gentoo.org/gentoo-portage"
    USE="X aalib apache2 bash-completion berkb berkdb bzlib caps cdparanoia cjk crypt dio encode ethereal ffmpeg geoip gif imagemagick imap informix ingres jpeg kerberos krb4 ldap maildir matroska mp3 mpeg mysql nas ncurses nis nls offensive ogg pam perl php pie png posix postgres python readline ruby samba sasl selinux sharedmem soap sparc spell ssl tcpd unicode vhosts vorbis xml2 xmlrpc zlib"
    Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS
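Added example, not part of the thread or of the kernel tree: a shell check for the .config combination this report describes, where CONFIG_PREEMPT and CONFIG_SMP together make need_lockbreak() access break_lock while an unset CONFIG_DEBUG_SPINLOCK leaves sparc's spinlock_t as unsigned char. The function names, return codes and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-build check for the break_lock failure in this report.
# Function names and return codes are this example's own, not kernel tooling.

# True if SYMBOL is set to y in the .config. A "# SYMBOL is not set"
# comment line and a missing line both count as disabled.
kconfig_enabled() {
    grep -q "^$2=y\$" "$1"
}

# 0: need_lockbreak(lock) expands to 0, so no member access is compiled
# 1: (lock)->break_lock is compiled against "typedef unsigned char spinlock_t"
# 2: DEBUG_SPINLOCK variant of spinlock_t, which the thread does not show
check_lockbreak() {
    cfg=$1
    if kconfig_enabled "$cfg" CONFIG_PREEMPT &&
       kconfig_enabled "$cfg" CONFIG_SMP; then
        if ! kconfig_enabled "$cfg" CONFIG_DEBUG_SPINLOCK; then
            echo "FAIL: PREEMPT+SMP, DEBUG_SPINLOCK unset: break_lock on a char"
            return 1
        fi
        echo "UNVERIFIED: debug spinlock_t layout is not shown in the report"
        return 2
    fi
    echo "OK: need_lockbreak(lock) is 0 for this config"
    return 0
}

# Constructed sample matching the reporter's grep output; CONFIG_PREEMPT=y
# is assumed from the follow-up that turning Preempt off fixes the build.
write_sample() {
    cat > "$1" <<'EOF'
CONFIG_SMP=y
CONFIG_PREEMPT=y
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_DEBUG_SPINLOCK_SLEEP is not set
EOF
}

sample=$(mktemp)
write_sample "$sample"
# Check the file given as first argument, or the constructed sample.
check_lockbreak "${1:-$sample}" || true
rm -f "$sample"
```
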
That it builds doesn't mean it works. Sure, you can build 2.6 on sparc, it just won't work right for every piece of common hardware out there (especially SMP boxes). sparc-sources has grsec built in, Joker keeps it in sync with upstream and clean from nasty security bugs - you can use that for hardened, just not selinux - this is our currently supported and stable kernel. Anything in the 2.6 area is experimental at the moment, mostly because upstream (vanilla) kernels just don't cut it for sparc. You need to apply heavy patches to get it somewhat working on some hardware (currently being applied by Eradicator on gentoo-sources), and these patches won't go into hardened-sources any time soon; hardened-sources isn't a playground. So as solar says, this will have to get solved upstream first, that is, make 2.6 kernels a real working thing(tm) on sparc first.
As a note, why is there an SELinux on sparc guide if there is no kernel available on Sparc? Obviously it had to work at some time for a guide to be written?
The hardened team should answer about that. At some point they had something working, but it was never finished or released.