This is a placeholder. I managed to do it, and I need the link before I go to sleep.
(
I'll be posting from Devuan, but my Mutt is only in Gentoo yet, and the link I need for this thread:
unoffic-grsec 4.9.27 kernel compile, one last hurdle
https://lists.dyne.org/lurker/message/2 … 31.en.html [1]
where I need to send an email to, just next... --and then go to sleep, so tired, but so happy!--
)
---
[1] EDIT: Unfortunately, Devuan DNG Mailing List appears to (currently) scrub all attachments. Another mail archive to the rescue! Pls., for now, advanced users can find useful tips if they study esp. this attachment:
grsec-dev1-compile.sh.gz
which is part of this email:
unoffic-grsec 4.9.27 kernel compile, one last hurdle
(which is the same email as in Devuan DNG ML, just the attachments are available)
(of course I hope that condition will be fixed in Devuan DNG; I did write a report --or here-- about it)
Last edited by miroR (2017-05-14 05:42:22)
Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html
Offline
I successfully compiled grsecurity for my Gentoo, and also for my Devuan, from that git repo that you can read in that email (on either location):
...grsec, unofficial, by minipli
https://github.com/minipli/linux-unoffi … cial_grsec
I have then used paxrat, which I haven't found in Devuan (could be my lack of understanding):
https://packages.debian.org/sid/paxrat
installed it:
# dpkg -i <the-package>
applied it, and now I browse and am posting this with Iceweasel.
$ uname -a
Linux localhost 4.9.27-unofficial+grsec170512-22 #1 SMP PREEMPT Fri May 12 22:33:08 UTC 2017 x86_64 GNU/Linux
$
Last edited by miroR (2017-05-14 05:48:14)
Offline
Pls., find all in the script at:
https://github.com/miroR/grsec-dev1-compile
There is the config, with all modules just as the usual Devuan/Debian kernels at:
https://croatiafidelis.hr/gnu/deb/ (all there old, just the:
https://croatiafidelis.hr/gnu/deb/confi … l+grsec.gz
and
https://croatiafidelis.hr/gnu/deb/confi … +grsec.sig
are new)
but all is now much closer for even newbies.
Will try and post more about it, in the next post(s)...
Last edited by miroR (2017-09-15 14:06:29)
Offline
Really good news [1].
E.g.:
A paravirt RAP violation got fixed as well:
https://twitter.com/_minipli/status/907226600244219904
And that's Devuan's own Parazyd contributing there
Yet more to say, but no more time. Learn (if you need to), and of course: enjoy!
---
[1] Well, the level of the geniuses spender and PaX Team was too high for even Linus the Mr. Linux guy... But Minipli, parazyd and friends seem to be doing well...
I have been using minipli's unofficial-grsec since around the time of creation of the repo, and I for one, can tell you it is good, it protected me well!!
Last edited by miroR (2017-09-15 14:05:27)
Offline
One important note for users new to grsecurity is kind of urgent...
You will get, by default, huge logs.
It's because of these:
# grep -E 'GRKERNSEC' /boot/config-4.9.50-unofficial+grsec170915-04 | grep -E 'EXECLOG|AUDIT_CH'
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
( well, not the chroot in all cases, but the other two, yes! because of those )
So, if you don't want to have to cope with all that huge info, then when you are offered by the script that you downloaded from https://github.com/miroR/grsec-dev1-compile to modify your .config, i.e. when it gets to make menuconfig, set those to: =n, and you won't have the deluge.
However, those are great logging information. I can with certainty say that my Gentoo was attacked, because the logs say so (and you don't get such with anything but grsecurity):
https://croatiafidelis.hr/foss/cap/cap- … ange-bash/
https://lists.gt.net/gentoo/user/325985#325985
Regards!
Offline
This explanation is missing (due to political, and even criminal --morally so-- reasons grsec is not in widespread use [1]):
mr@gdOv:~$ sudo -s
[sudo] password for root:
root@gdOv:/home/mr# ls -l /proc/sys/kernel/grsecurity/^C
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/exec_logging ; echo 0 > /proc/sys/kernel/grsecurity/audit_chdir ;
root@gdOv:/home/mr# echo 1 > /proc/sys/kernel/grsecurity/exec_logging ; echo 1 > /proc/sys/kernel/grsecurity/audit_chdir ;
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ;
tpe tpe_gid tpe_restrict_all
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe ;
1
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe_restrict_all ;
1
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; echo 0 > /proc/sys/kernel/grsecurity/tpe_restrict_all ;
root@gdOv:/home/mr#
The setting to disable exec_logging with "echo 0", and likewise the setting to disable audit_chdir, applies if you compile with exec_logging and audit_chdir. Enable it again with the "echo 1 ..." line.
Currently, and I don't know why, the tpe ([T]rusted [P]ath [E]xecution, pls. read about it in the kernel help when you issue "make menuconfig"), just does not work right in Devuan/Debian/Ubuntu. E.g. I couldn't run any scripts from /usr/local/bin because of it. So, I am disabling it by issuing the two "echo 0 ..." lines.
---
[1] Pls. see my sig for that... BTW, my current sig links to:
https://forums.grsecurity.net/viewtopic … 699#p17127
https://lists.dyne.org/lurker/message/2 … 4b.en.html
in case that should change in the future.
Last edited by miroR (2017-09-18 03:47:56)
Offline
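Added example (not part of the original posts, and not taken from the grsec-dev1-compile script): a small POSIX shell helper that reads a kernel config, lists which of the logging options named above are built in, and prints the matching sysctl settings for the two /proc/sys/kernel/grsecurity entries toggled in the session above. The function names, the sample config and the idea of keeping the output in a sysctl.d file are assumptions of this example; the sysctl keys are simply the /proc/sys paths from the thread written in dotted form.

```shell
#!/bin/sh
# List the grsecurity logging options from the thread that are set to =y
# in a kernel config file (plain text, or gzip-compressed if it ends in .gz).
grsec_log_opts() {
    case $1 in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac | sed -n -E 's/^CONFIG_GRKERNSEC_(EXECLOG|CHROOT_EXECLOG|AUDIT_CHDIR)=y$/\1/p'
}

# For each built-in option that has a runtime switch shown in the thread,
# print the sysctl line that turns it off. Only exec_logging and audit_chdir
# are handled, because those are the two entries the thread toggles.
sysctl_off_lines() {
    grsec_log_opts "$1" | while read -r opt; do
        case $opt in
            EXECLOG)     echo 'kernel.grsecurity.exec_logging = 0' ;;
            AUDIT_CHDIR) echo 'kernel.grsecurity.audit_chdir = 0' ;;
        esac
    done
}

# Constructed sample config, modelled on the grep output quoted above.
sample_config() {
    cat <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_EXECLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
EOF
}

# Demo on the constructed sample; on a real system pass /boot/config-<version>.
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
echo "logging options built in:"
grsec_log_opts "$demo_cfg"
echo "sysctl lines to silence them at runtime:"
sysctl_off_lines "$demo_cfg"
rm -f "$demo_cfg"
```

The printed lines have the same effect as the "echo 0" commands above once loaded with sysctl; setting the value back to 1 re-enables the logging.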
There's great evidence (in worrying circumstances, for me) of the goodness of grsec's exec_logging and audit_chdir features at my recent investigation at:
Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598
Regards!
Last edited by miroR (2017-09-18 14:48:26)
Offline
Those who are willing to risk somewhat, the new page with the freshly compiled packages at:
https://croatiafidelis.hr/gnu/deb/linux … 170923-22/
says it all openly. Pls. read the big fat warning there.
IOW, at your own risk, you can try your luck and install my packages from above.
Regards!
Offline
Cleaner script available now:
https://github.com/miroR/grsec-dev1-com … /tag/v0.15
(that's what I sign, the tags, but that's latest branch in master)
Or from:
https://github.com/miroR/grsec-dev1-compile/tags
Or, of course, once you clone grsec-dev1-compile repo, the old non-GUI way. Something to this effect:
you@yr-machine:~$ git clone https://github.com/miroR/grsec-dev1-compile
Cloning into 'grsec-dev1-compile'...
remote: Counting objects: 14, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 14 (delta 3), reused 14 (delta 3), pack-reused 0
Unpacking objects: 100% (14/14), done.
you@yr-machine:~$ cd grsec-dev1-compile/
you@yr-machine:~/grsec-dev1-compile$ git tag --list
v0.01
v0.1
v0.15
you@yr-machine:~/grsec-dev1-compile$ git tag --verify v0.15
object 888fb7a5024139f14b024eb0a2cff6bd34054d2a
type commit
tag v0.15
tagger Miroslav Rovis <miro.rovis@croatiafidelis.hr> 1506259462 +0000
comments sorted
gpg: Signature made Sun 24 Sep 2017 13:24:37 UTC
gpg: using RSA key FCF13245ED247DCE443855B7EA9884884FBAF0AE
gpg: Good signature from "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438 55B7 EA98 8488 4FBA F0AE
you@yr-machine:~/grsec-dev1-compile$
I thought I'd explain this, for newbies that are still learning. Advanced users, thank you for your patience.
Last edited by miroR (2017-09-24 13:46:20)
Offline
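Added example (not part of the original post): in the session above gpg reports a good signature but also warns that the key is not certified, so the check that carries weight is comparing the primary key fingerprint with one obtained from a source you trust. The helper below does that comparison on GnuPG status lines, which `git verify-tag --raw` prints; the function names and both sample status blocks are constructed for this example, and the pinned fingerprint is the one printed in the post.

```shell
#!/bin/sh
# Fingerprint to pin, copied from the gpg output in the post above.
PINNED_FPR=FCF13245ED247DCE443855B7EA9884884FBAF0AE

# Read GnuPG status lines on stdin. Succeed only if at least one VALIDSIG
# line is present and every VALIDSIG line names the wanted primary key
# (the primary key fingerprint is the last field of a VALIDSIG line).
fpr_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            seen = 1
            if ($NF != want) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Verify tag $1 in the current repository and require the pinned key $2.
# git verify-tag --raw writes the status lines to stderr, and fails by
# itself when the signature does not verify.
verify_tag_pinned() {
    status=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || return 1
    printf '%s\n' "$status" | fpr_matches "$2"
}

# Constructed status output for a tag signed by the pinned key.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EA9884884FBAF0AE Miroslav Rovis <miro.rovis@croatiafidelis.hr>
[GNUPG:] VALIDSIG FCF13245ED247DCE443855B7EA9884884FBAF0AE 2017-09-24 1506259477 0 4 0 1 8 00 FCF13245ED247DCE443855B7EA9884884FBAF0AE
EOF
}

# Constructed status output for a tag that verifies, but against some other
# key that happens to be in the keyring (fingerprint is made up).
sample_other_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-09-24 1506259477 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Demo on the constructed samples.
sample_good | fpr_matches "$PINNED_FPR" && echo "pinned key: accept"
sample_other_key | fpr_matches "$PINNED_FPR" || echo "good signature, other key: reject"
```

Inside a clone, `verify_tag_pinned v0.15 "$PINNED_FPR"` runs the same check against the real tag.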
If I don't fix the warnings by user downloading of the new packages, the warnings are here;
https://www.croatiafidelis.hr/gnu/deb/l … 170923-22/
( but don't use those old packages )
And the packages are here:
linux-deb-4.9.52-unofficial+grsec170929-07
https://www.croatiafidelis.hr/gnu/deb/l … 170929-07/
I think it's a good kernel... Barring some tests and some research/advice that I've been seeking as per the warnings page...
Offline
There is a new patch, and new packages available:
https://www.croatiafidelis.hr/gnu/deb/l … 171114-19/
I just explained it on Debian Forums:
http://forums.debian.net/viewtopic.php? … 53#p658753
( because there was a little discussion there, so they took precedence this time )
Regards!
Offline
I'm still not sure if grsec is actually worth the effort these days, especially in view of this: https://grsecurity.net/passing_the_baton.php
i.e. in the future you'll have to pay for it...
I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at this stage.
And the attitudes of certain people, mean kernel security is never going to be anything more than a retroactive approach anyway: http://lkml.iu.edu/hypermail/linux/kern … 06228.html (nothing unusual there, it's just the usual dismissive disdain for "security people")
I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at the moment...
Offline
I'm still not sure if grsec is actually worth the effort these days, especially in view of this: https://grsecurity.net/passing_the_baton.php
My views on it are in my signature. (important: the ripoff by Google, but read there spender's statement or roll back for more verbose view of mine)
i.e. in the future you'll have to pay for it...
Not in the future, you already have to pay for it. But not the unofficial-grsecurity which is completely open, and which I talk about and post packages of, since the closure of free official grsecurity.
I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at this stage.
And the attitudes of certain people, mean kernel security is never going to be anything more than a retroactive approach anyway: http://lkml.iu.edu/hypermail/linux/kern … 06228.html (nothing unusual there, it's just the usual dismissive disdain for "security people")
I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at the moment...
You do point to another... erhm...historical remark by Linus... Appreciated!
But no time for discussion here on my part, too many things to solve are on my hands instead.
The patches, I believe, are still good, the unofficial ones, but surely more testing would be needed by more people!
Last edited by miroR (2017-11-16 12:45:40)
Offline
There's corsac's grsecurity packages (with the new grsecunoff patches, and all the necessary recommends) in Ceres.
So updating to Ceres, one can install them, probably something like:
# apt-get install linux-image-4.9.0-4-grsec-amd64
Updating to Ceres is the first thing I'll do, and then report about it.
The news I was told on Debian Forums in the link I gave two or so posts above.
Regards!
Last edited by miroR (2017-11-16 21:23:43)
Offline
I've decided to offer packages that, according to the latest realization --but that may change, therefore the warning in the download page--:
NULL pointer deref in do_blockdev_direct_IO()
https://github.com/minipli/linux-unoffi … -350482590
protect my system, while the vanilla kernel does not.
Pls. feel free to test:
Offline
4.9.70 under:
https://www.croatiafidelis.hr/gnu/deb/l … c-current/
(i.e. https://www.croatiafidelis.hr/gnu/deb/l … 171220-11/ )
For those who verify, ls-1.sum.asc is missing. Busy, but it's coming later.
EDIT 2017-12-21 09:30:44+00:00, there now:
https://www.croatiafidelis.hr/gnu/deb/l … -1.sum.asc
Last edited by miroR (2017-12-21 09:30:28)
Offline
New grsecunoff kernel is available for the brave:
https://www.croatiafidelis.hr/gnu/deb/l … 171228-16/
Last edited by miroR (2017-12-29 11:45:02)
Offline
Wishing you a happy new year MiroR. And everyone else too of course . . .
Online
Wishing you a happy new year MiroR. And everyone else too of course . . .
Thanks! To everyone Happy New Year (and Merry Xmas for those who wish)!
Last edited by miroR (2017-12-29 17:31:24)
Offline
Retpoline-patched grsecunoff (AMD, but no meltdown protection yet for Intel) available under the "current" link, or:
https://www.croatiafidelis.hr/gnu/deb/l … 180203-22/
Offline
It might be worth trying (and reporting if you can install and load amd64-microcode with):
https://www.croatiafidelis.hr/gnu/deb/l … 180204-21/
Pls. read there, and the links, for the details.
Offline
The:
https://www.croatiafidelis.hr/gnu/deb/l … c-current/
now points to:
https://www.croatiafidelis.hr/gnu/deb/l … 180601-06/
That is the kernel package for Debian/Devuan that _may_ be worth trying out, bearing in mind the caveats of Dapper Linux patchset:
https://dapperlinux.com/
I.e. no meltdown protection, no spectre protection, currently no retpoline.
However, all the other usual protections that grsec offered are there. And the kernel is up to date.
I am testing that kernel right now, it appears to be fine.
If you want to use it, pls. see previous posts, there is a lot of info on how to download it, how to verify it, etc.
Regards!
Offline
The offered packages in the previous post (no issues have I had so far) are for any system hardware (well: x86_64 arch only).
The best way is surely, to compile. Nothing wrong with the other option. It's only that tailoring the compiled kernel for only your hardware reduces the huge attack surface.
While Dapper Secure Kernel Patchset (
https://github.com/dapperlinux/dapper-s … e/releases
) is still grsecurity, my script for newbies has changed to help new GNU-Debianers/Devuaners who want to look into kernel compiling.
So pls. look up:
https://github.com/miroR/grsec-dapper-compile/
I'm not sure, you might need to get dapper-linux PGP key from:
https://dapperlinux.com/contact.html
https://dapperlinux.com/matthew_gpg_public_key.asc
Regards!
Last edited by miroR (2018-06-01 13:30:35)
Offline
New stable packages:
https://www.croatiafidelis.hr/gnu/deb/l … 180710-21/
( https://www.croatiafidelis.hr/gnu/deb/l … c-current/ )
Any difficulty installing, pls. review previous long posts... (I'm probably too short on time currently)
Offline
https://www.croatiafidelis.hr/gnu/deb/l … 180727-10/ (under https://www.croatiafidelis.hr/gnu/deb/l … -current/)
Tested on three machines (but MBO are of only two kinds). No issues.
Refer to previous post for tips if needed.
Offline