minipli / linux-unofficial_grsec

Unofficial forward ports of the last publicly available grsecurity patch

chmod 0700 while make #16

Closed powerman closed 7 years ago

powerman commented 7 years ago

Sorry if this has nothing to do with grsec, but I have never seen such behaviour on official kernels before:

web /usr/src/linux-unofficial_grsec # ls -ld .
drwx------ 27 root root 4096 Nov 23 15:39 .
web /usr/src/linux-unofficial_grsec # chmod 0755 .
web /usr/src/linux-unofficial_grsec # ls -ld .
drwxr-xr-x 27 root root 4096 Nov 23 15:39 .
web /usr/src/linux-unofficial_grsec # make
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CHK     include/generated/bounds.h
  CHK     include/generated/timeconst.h
  CHK     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  DESCEND  objtool
  CHK     include/generated/compile.h
  CHK     kernel/config_data.h
make[1]: [grsecurity/Makefile:48: grsecurity/grsec_hidesym.o] Error 1 (ignored)
make[1]: [grsecurity/Makefile:49: grsecurity/grsec_hidesym.o] Error 1 (ignored)
make[1]: [grsecurity/Makefile:50: grsecurity/grsec_hidesym.o] Error 1 (ignored)
  grsec: protected kernel image paths
  LD      arch/x86/boot/compressed/vmlinux
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in readonly section `.head.text'
ld: warning: creating a DT_TEXTREL in a shared object.
  ZOFFSET arch/x86/boot/zoffset.h
  AS      arch/x86/boot/header.o
  LD      arch/x86/boot/setup.elf
  OBJCOPY arch/x86/boot/setup.bin
  OBJCOPY arch/x86/boot/vmlinux.bin
  BUILD   arch/x86/boot/bzImage
Setup is 16348 bytes (padded to 16384 bytes).
System is 4877 kB
CRC 32a230c7
Kernel: arch/x86/boot/bzImage is ready  (#1)
web /usr/src/linux-unofficial_grsec # ls -ld .
drwx------ 27 root root 4096 Nov 23 15:40 .

The problem is that 0700 permissions prevent building external kernel modules from a non-root account (as happens in Gentoo while emerging nvidia-drivers, for example).

minipli commented 7 years ago

That's CONFIG_GRKERNSEC_HIDESYM in action ;) It protects the build directory to ensure it's effective, i.e. prevent non-root users from getting kernel addresses by peeking at the object files. But that feature has always been this way, so that's not new.

As I'm no gentoo user, you might ask in #gentoo-hardened on FreeNode how to get the NVidia drivers working -- or build them as root?

minipli commented 7 years ago

Btw., that's what you're seeing: https://github.com/minipli/linux-unofficial_grsec/blob/linux-4.9.x-unofficial_grsec/grsecurity/Makefile#L44-L54

powerman commented 7 years ago

I suppose it was patched in the Gentoo package "hardened-sources", which is why I have never seen this effect before with CONFIG_GRKERNSEC_HIDESYM enabled. I don't like to disable it because it does more than just this, so it looks like chmod 0755 /usr/src/linux in /etc/kernel/postinst.d/50-module_rebuild is a good enough workaround.

Thanks!
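A post-install hook along the lines of the workaround described in the comment above, added here as an example; it is not the project's own code nor Gentoo's 50-module_rebuild script. The default path /usr/src/linux comes from the comment; the KERNEL_SRC and WANT_MODE variables, the function names, and the use of GNU coreutils stat are assumptions. It only widens a directory that is currently 0700 (the mode the HIDESYM build step leaves behind) and reports what it did, so a tree whose mode was set to something else deliberately is left alone. Keep in mind that widening the mode re-exposes the object files to non-root users, which is exactly what HIDESYM's chmod is there to prevent; building the modules as root, as suggested earlier in the thread, keeps that protection intact.

```shell
#!/bin/sh
# Example hook (not the page's or Gentoo's script): restore a world-traversable
# mode on the kernel source tree after a HIDESYM-enabled build has set it to 0700,
# so external modules can be built by a non-root account afterwards.

KERNEL_SRC="${KERNEL_SRC:-/usr/src/linux}"   # assumption: tree the build step locked down
WANT_MODE="${WANT_MODE:-755}"                 # assumption: mode to restore

# Print the octal permission bits of a path (GNU coreutils stat; assumption).
perm_of() {
    stat -c '%a' "$1"
}

# Widen the directory only when it is currently root-only (700), the mode the
# HIDESYM build step leaves behind. Returns 0 when the mode was changed,
# 1 when it was left untouched, 2 when the path is not a directory.
relax_build_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    cur="$(perm_of "$dir")"
    if [ "$cur" = "700" ]; then
        chmod "$WANT_MODE" "$dir"
        echo "$dir: $cur -> $(perm_of "$dir")"
        return 0
    fi
    echo "$dir: mode $cur, left unchanged"
    return 1
}

# Stand-alone run: act on the configured tree if it exists on this machine.
if [ -d "$KERNEL_SRC" ]; then
    relax_build_dir "$KERNEL_SRC" || :
else
    echo "$KERNEL_SRC not present; nothing to do" >&2
fi
```

Drop the script into the post-install hook directory your distribution runs after a kernel build, ahead of whatever rebuilds external modules; on Gentoo that is the /etc/kernel/postinst.d/ location named in the comment above.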

minipli commented 7 years ago

You might want to give one of the various overlays a try. I've listed a few here (might be outdated, though): https://lwn.net/Articles/731605/

powerman commented 7 years ago

I have my own overlay, and I already asked about this on gentoo-hardened@lists.gentoo.org in August, but the answer "git pull is just enough" sounds reasonable to me. If I need some extra patches then adding an ebuild to my overlay or using someone else's may make sense, but I rarely use custom patches for the kernel.