Wednesday, 5 August 2009

Kernel 2.6.30.4 with Grsecurity patch

The latest stable patch for the 2.6 branch on the grsecurity.net website is for the 2.6.27 kernel, and the latest available Gentoo hardened-sources ebuild that includes grsecurity is for 2.6.29, but the latest kernel is 2.6.30.4, so... ;)

NOTE: This info applies to a testing version of the grsecurity patch and is very likely to harm your system and eat your hamster (possibly). I wouldn't use it on a production system at all... Also it does not seem to work properly on the amd64 architecture at the moment. It didn't work for me on x86_64 but it seems fine on x86. Ya've been warned!

NOTE2: I mainly followed this information, which includes many more details about the installation process and about Grsecurity and PaX themselves. Definitely recommended reading!

Ok, here we go... first, the kernel sources and the detached signature for the tarball:

# cd /usr/src
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.4.tar.bz2
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.4.tar.bz2.sign


As recommended in the aforementioned guide, it's always a good idea to verify your sources. It doesn't really matter that much if you have downloaded the archive from the main kernel website (unless you don't trust your ISP ;)), but the download above went over plain HTTP, so the signature is the only thing that ties the bytes on disk to kernel.org. Of course someone could plant a backdoor in the source tree before it got packaged, but... anyway! The latest information about the kernel signature (and key) can be found here. Verification time! But first the actual key is needed:

# gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
gpg: requesting key 517D0F0E from hkp server wwwkeys.pgp.net
gpg: key 517D0F0E: public key "Linux Kernel Archives Verification Key " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1

...and verification follows:

# gpg --verify linux-2.6.30.4.tar.bz2.sign
gpg: Signature made Fri Jul 31 00:13:44 2009 BST using DSA key ID 517D0F0E
gpg: Good signature from "Linux Kernel Archives Verification Key "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E

Looks good. The WARNING only means the key is not signed by anyone in your own web of trust; what makes this a pass is "Good signature" together with the primary key fingerprint matching the one published on kernel.org. Unpack the sources:

# tar jxf linux-2.6.30.4.tar.bz2

And time for the patch, including the key to verify it, of course! ;]

# wget http://grsecurity.net/spender-gpg-key.asc
# wget http://grsecurity.net/test/grsecurity-2.1.14-2.6.30.4-200908041752.patch
# wget http://grsecurity.net/test/grsecurity-2.1.14-2.6.30.4-200908041752.patch.sig

Again, import the key and verify the patch (and compare the fingerprint with the one published on grsecurity.net):

# gpg --import spender-gpg-key.asc
gpg: key 4245D46A: public key "Bradley Spengler (spender) " imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify grsecurity-2.1.14-2.6.30.4-200908041752.patch.sig
gpg: Signature made Tue Aug 4 22:56:17 2009 BST using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500 E778 9879 B649 4245 D46A
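Both verifications above end with the same "not certified with a trusted signature" warning, so the step that actually matters is comparing the printed fingerprint with the one you expect. As an added example (not part of the original post), here is a small POSIX shell helper that makes that comparison explicit: it runs gpg with --status-fd, takes the signing key's fingerprint from the VALIDSIG status line, and only reports success if that fingerprint equals a pinned value. The function names (verify_pinned, sig_fpr_from_status, fpr_matches, norm_fpr) are my own; the two fingerprints are the ones printed above, and gpg is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the post): verify a detached GPG signature and
# pin the signer's fingerprint, so that a "Good signature" from a key that is
# merely present in the keyring is not treated as sufficient on its own.
# Assumes gpg is installed. The fingerprints are the ones shown in the post.

KERNEL_FPR="C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E"
SPENDER_FPR="9F74 393D 7E7F FF3C 6500 E778 9879 B649 4245 D46A"

# Strip spaces and upper-case a fingerprint so two spellings compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --status-fd 1` output on stdin and print the fingerprint of the
# key that produced a VALIDSIG line (prints nothing if there was none).
# Status line format: [GNUPG:] VALIDSIG <fpr> <date> <timestamp> ...
# VALIDSIG is emitted for any cryptographically valid signature, whether or
# not the key is trusted, which is exactly why we pin the fingerprint.
sig_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# fpr_matches GOT WANT: true only if GOT is non-empty and equals WANT.
fpr_matches() {
    [ -n "$1" ] && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# verify_pinned FILE SIGFILE EXPECTED_FPR
# Returns 0 only if gpg reports a valid signature made by the pinned key.
verify_pinned() {
    _file=$1; _sig=$2; _want=$3
    _got=$(gpg --batch --status-fd 1 --verify "$_sig" "$_file" 2>/dev/null \
           | sig_fpr_from_status)
    if fpr_matches "$_got" "$_want"; then
        echo "OK: $_file signed by $(norm_fpr "$_want")"
        return 0
    fi
    echo "FAIL: $_file: no valid signature from pinned key (got '${_got:-none}')" >&2
    return 1
}

# Usage from /usr/src after the downloads in the post, e.g.:
#   verify_pinned linux-2.6.30.4.tar.bz2 linux-2.6.30.4.tar.bz2.sign "$KERNEL_FPR"
#   verify_pinned grsecurity-2.1.14-2.6.30.4-200908041752.patch \
#                 grsecurity-2.1.14-2.6.30.4-200908041752.patch.sig "$SPENDER_FPR"
if [ "$#" -eq 3 ]; then
    verify_pinned "$1" "$2" "$3"
fi
```

Parsing the machine-readable status output instead of the human-readable text means the check does not break when gpg changes its wording or locale, and the pinned fingerprint turns the manual "does this match the website?" step into something a script can refuse on.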

If you already have a symlink to linux you need to update it to point to the new kernel tree, or create a new one if it doesn't exist. Note the -n (no-dereference) flag: a plain ln -s against an existing symlink would follow it and create the new link inside the old kernel directory instead of replacing it:

# ln -sfn linux-2.6.30.4 linux

Patch the sources and get ready for kernel configuration! ;)

# patch -p0 < ./grsecurity-2.1.14-2.6.30.4-200908041752.patch
# cd linux

You can reuse your current kernel configuration by copying the file matching your running kernel version from /boot/config-X.X.X to
/usr/src/linux/.config. Alternatively, if your running kernel exposes its config:

# zcat /proc/config.gz > /usr/src/linux/.config

Now the beast itself. Run your favourite kernel configuration variant (make oldconfig ;)) and enable grsecurity along with PaX. Use one of the predefined security levels or just choose custom and read this.

# make menuconfig

I use the genkernel wrapper - it creates an initramfs automatically that will work with my LUKS encrypted partition:

# genkernel --luks all

Update the bootloader to use the new kernel (and rewrite the MBR if your bootloader needs it), reboot, choose your new kernel and pray! If it worked:

# uname -srv
Linux 2.6.30.4-grsec #1 SMP Wed Aug 5 15:29:37 BST 2009

And just to be on the safe side, confirm that PaX is actually enforcing non-executable memory and randomisation:

# paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux 2.6.30.4-grsec #1 SMP Wed Aug 5 15:29:37 BST 2009 i686 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 17 bits (guessed)
Heap randomisation test (ET_EXEC) : 23 bits (guessed)
Heap randomisation test (ET_DYN) : 23 bits (guessed)
Main executable randomisation (ET_EXEC) : 15 bits (guessed)
Main executable randomisation (ET_DYN) : 15 bits (guessed)
Shared library randomisation test : 17 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : *** buffer overflow detected ***: rettofunc1 - terminated
rettofunc1: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy) : *** buffer overflow detected ***: rettofunc2 - terminated
rettofunc2: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (strcpy, RANDEXEC) : *** buffer overflow detected ***: rettofunc1x - terminated
rettofunc1x: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy, RANDEXEC) : *** buffer overflow detected ***: rettofunc2x - terminated
rettofunc2x: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Executable shared library bss : Killed
Executable shared library data : Killed


Yuppie! ;]
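Reading a paxtest run by eye works once; on a machine you rebuild kernels for regularly it is worth turning it into a check that fails loudly. As an added example (not from the post or from paxtest itself), the POSIX shell function below reads paxtest output on stdin, flags any test that paxtest reports as "Vulnerable" or "No randomisation", and flags randomisation tests whose guessed entropy falls under a threshold. The name paxtest_check and the MIN_BITS threshold are my own assumptions, not paxtest settings; the sample lines in the usage comment are taken from the output above.

```shell
#!/bin/sh
# Added example, not from the post: turn a paxtest run into a pass/fail check.
# Usage: paxtest blackhat | paxtest_check
# Prints one line per finding and returns 1 if any protection is reported as
# "Vulnerable", any randomisation test reports "No randomisation", or a
# randomisation test guesses fewer than MIN_BITS bits of entropy.
# MIN_BITS is an assumed threshold for this example, not a paxtest value.
MIN_BITS=${MIN_BITS:-15}

paxtest_check() {
    awk -v min="$MIN_BITS" '
        # Non-executable memory tests print "Killed" when PaX stops them
        # and "Vulnerable" when the test ran to completion.
        /: *Vulnerable/        { bad++; print "VULNERABLE : " $0; next }
        # Randomisation tests print "N bits (guessed)" or "No randomisation".
        /: *No randomisation/  { bad++; print "NO ASLR    : " $0; next }
        /bits \(guessed\)/     { bits = $(NF-2) + 0
                                 if (bits < min) { bad++; print "LOW ENTROPY: " $0 } }
        END { exit (bad ? 1 : 0) }
    '
}

# Example run against two of the lines shown in the post (both pass):
#   printf '%s\n' "Executable stack : Killed" \
#       "Anonymous mapping randomisation test : 17 bits (guessed)" | paxtest_check
```

The regexes match on the result column rather than the full test name so the check survives the inconsistent spacing paxtest uses before the colon (compare "Executable shared library data (mprotect): Killed" with the other lines above), and the exit status lets it sit in a post-install script or a cron job.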
