Beware - grsecurity kernel is not booting

Discussion in 'all things UNIX' started by amarildojr, Oct 18, 2015.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,983
    Location:
    Brasil
    There is a problem in grsecurity that is preventing the system from booting up, and this problem has been here for the past 1 or 2 days. This is not an Arch-specific problem, but a problem in upstream grsecurity that also affects Debian and probably other distros: https://forums.grsecurity.net/viewtopic.php?f=3&t=4277

    If you must use linux-grsec on Arch and don't have a backup of an older Kernel that works, you might want to use an older Kernel from the Archive:

    Code:
    wget http://ala.seblu.net/repos/2015/10/13/community/os/x86_64/linux-grsec-4.2.3.201510072230-1-x86_64.pkg.tar.xz
    Code:
    pacman -U linux-grsec-4.2.3.201510072230-1-x86_64.pkg.tar.xz 
    You can use paxd, checksec, pax-utils, and paxtest from the regular Arch repos.

    Don't forget to ignore the package linux-grsec in your '/etc/pacman.conf':
    Code:
    # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
    IgnorePkg   = linux-grsec
     
    Last edited: Oct 19, 2015
  2. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Thank you, when I tried to set up linux-grsec + pax on my arch setup a few days ago I was already getting a kernel panic error when booting up, maybe it is because of the issue you just pointed out. How can I find out when grsec will boot again / is fixed? By checking the package on archlinux.com or is there any other "newsfeed" for it?

    @Edit: I get this output/error when updating linux-grsec

    Code:
    (13/22) upgrading linux-grsec                      [----------------------] 100%
    >>> Updating module dependencies. Please wait ...
    >>> Generating initial ramdisk, using mkinitcpio. Please wait...
    ==> Building image from preset: /etc/mkinitcpio.d/linux-grsec.preset: 'default'
      -> -k /boot/vmlinuz-linux-grsec -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-grsec.img
    ==> Starting build: 4.2.3.201510191935-1-grsec
      -> Running build hook: [base]
      -> Running build hook: [udev]
      -> Running build hook: [autodetect]
      -> Running build hook: [modconf]
      -> Running build hook: [block]
      -> Running build hook: [filesystems]
      -> Running build hook: [keyboard]
      -> Running build hook: [fsck]
    ==> ERROR: module not found: `bbswitch'
    ==> Generating module dependencies
    ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-grsec.img
    ==> WARNING: errors were encountered during the build. The image may not be complete.
    ==> Building image from preset: /etc/mkinitcpio.d/linux-grsec.preset: 'fallback'
      -> -k /boot/vmlinuz-linux-grsec -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-grsec-fallback.img -S autodetect
    ==> Starting build: 4.2.3.201510191935-1-grsec
      -> Running build hook: [base]
      -> Running build hook: [udev]
      -> Running build hook: [modconf]
      -> Running build hook: [block]
    ==> WARNING: Possibly missing firmware for module: aic94xx
    ==> WARNING: Possibly missing firmware for module: wd719x
      -> Running build hook: [filesystems]
      -> Running build hook: [keyboard]
      -> Running build hook: [fsck]
    ==> ERROR: module not found: `bbswitch'
    ==> Generating module dependencies
    ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-grsec-fallback.img
    ==> WARNING: errors were encountered during the build. The image may not be complete.
    
     
    Last edited: Oct 20, 2015
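
Added example, not part of the original posts: a shell function that summarises mkinitcpio output per preset, so an incomplete initramfs like the one logged above is caught before rebooting. The function name `initramfs_build_status` is hypothetical, and the sample input is constructed by abridging the posted output.

```shell
# Added example (not from the thread): summarise mkinitcpio output per preset
# so an incomplete initramfs is noticed before rebooting into the new kernel.
# Prints: <preset> <OK|INCOMPLETE> <missing modules, comma-separated, or ->
initramfs_build_status() {
  awk '
    BEGIN { q = sprintf("%c", 39) }          # q holds one single-quote character
    function emit() {
      if (preset != "")
        printf "%s %s %s\n", preset, (bad ? "INCOMPLETE" : "OK"), (mods == "" ? "-" : mods)
    }
    /==> Building image from preset:/ {
      emit()                                 # report the previous preset, if any
      preset = $NF; gsub(q, "", preset)      # last field is the quoted preset name
      bad = 0; mods = ""
      next
    }
    /==> ERROR: module not found:/ {
      m = $NF; gsub("[`" q "]", "", m)       # strip the backtick/quote pair
      mods = (mods == "" ? m : mods "," m); bad = 1
      next
    }
    # Any other ERROR line, or the closing WARNING, also marks the image bad.
    # Firmware warnings alone do not.
    /==> ERROR:/ || /errors were encountered during the build/ { bad = 1 }
    END { emit() }
  '
}

# Constructed sample, abridged from the output posted above.
sample_log() {
  cat <<'EOF'
==> Building image from preset: /etc/mkinitcpio.d/linux-grsec.preset: 'default'
  -> Running build hook: [fsck]
==> ERROR: module not found: `bbswitch'
==> WARNING: errors were encountered during the build. The image may not be complete.
==> Building image from preset: /etc/mkinitcpio.d/linux-grsec.preset: 'fallback'
==> WARNING: Possibly missing firmware for module: aic94xx
==> ERROR: module not found: `bbswitch'
==> WARNING: errors were encountered during the build. The image may not be complete.
EOF
}

sample_log | initramfs_build_status
```
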
  3. amarildojr

    I really don't know when, I haven't tried this new kernel yet.

    I assume you're getting those errors because you're trying to build the NVIDIA Bumblebee, and you can't do that in grsecurity unless you disable PAX_USERCOPY at compile time.
     
  4. zakazak

    Mhh kay and how to do that? :eek:
     
  5. amarildojr

    https://web.archive.org/web/2014082...n-secure-linux-kernel-with-pax-and-grsecurity

    If I remember correctly, you have to uncheck "Harden heap object copies between kernel and userland" in order to disable PAX_USERCOPY.

    I don't remember if the NVIDIA drivers need this, but you might want to disable UDEREF too by unchecking "Prevent invalid userland pointer dereference".

    You could build the grsec kernel that Arch uses. Look at the source files, there will be a ".config" file. In there, edit what you need.

    Let's get back on topic now.
     
    Last edited: Oct 20, 2015
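
Added example, not part of the original posts: a shell function that lists which PaX/grsecurity options differ between two kernel `.config` files, to confirm that an edited config turned off only what was intended. `CONFIG_PAX_USERCOPY` and `CONFIG_PAX_MEMORY_UDEREF` are the Kconfig symbols behind the two menu entries quoted above; the function name, file names and sample contents are constructed for illustration.

```shell
# Added example (not from the thread): list PaX/grsecurity options whose
# state differs between two kernel .config files.
# Prints: <symbol> <old state> -> <new state>; a missing symbol counts as unset.
hardening_config_diff() {
  awk '
    BEGIN { kv["k"] = "" }                   # make kv an array before first use
    # Fill out["k"] and out["v"] from one .config line; return 0 if not an option.
    function parse(line, out,    eq, parts) {
      if (line ~ /^# CONFIG_[A-Za-z0-9_]+ is not set$/) {
        split(line, parts, " ")
        out["k"] = parts[2]; out["v"] = "unset"
        return 1
      }
      eq = index(line, "=")
      if (line !~ /^CONFIG_/ || eq == 0) return 0
      out["k"] = substr(line, 1, eq - 1); out["v"] = substr(line, eq + 1)
      return 1
    }
    {
      if (!parse($0, kv) || kv["k"] !~ /^CONFIG_(PAX|GRKERNSEC)/) next
      if (side == "old") old[kv["k"]] = kv["v"]
      else new[kv["k"]] = kv["v"]
      seen[kv["k"]] = 1
    }
    END {
      for (k in seen) {
        o = (k in old) ? old[k] : "unset"
        n = (k in new) ? new[k] : "unset"
        if (o != n) printf "%s %s -> %s\n", k, o, n
      }
    }
  ' side=old "$1" side=new "$2" | sort
}

# Constructed sample: a distro config and an edited copy (temporary files).
d=$(mktemp -d)
printf '%s\n' 'CONFIG_PAX_USERCOPY=y' 'CONFIG_PAX_MEMORY_UDEREF=y' \
  'CONFIG_GRKERNSEC=y' 'CONFIG_MODULES=y' > "$d/config.distro"
printf '%s\n' '# CONFIG_PAX_USERCOPY is not set' 'CONFIG_PAX_MEMORY_UDEREF=y' \
  'CONFIG_GRKERNSEC=y' '# CONFIG_MODULES is not set' > "$d/config.edited"
hardening_config_diff "$d/config.distro" "$d/config.edited"
rm -r "$d"
```

Options outside the `CONFIG_PAX*` and `CONFIG_GRKERNSEC*` namespaces are ignored on purpose, so the output shows only changes to the hardening features.
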
  6. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    You shouldn't delete all your package cache in Arch. Keep at least 2 recent versions of the installed packages. Are you aware of the paccache command? Instead of doing # pacman -Sc or -Scc, you should do # paccache -rk2 or -rk3.
     
  7. amarildojr

    I always keep the cache, but I had re-installed the system.
    It's actually pretty easy to find older versions.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Actually paccache -r is sufficient if you want to keep the last 3 versions as this is the default. However, in order to also delete all cached versions of uninstalled packages you have to re-run paccache with paccache -ruk0.
     
  9. amarildojr

    I've been away from Linux for a few months and YET AGAIN the same problem is happening. Such a disappointment.

    Does anyone know the last linux-grsec that works?
     
  10. UnknownK

  11. amarildojr

    Last edited: Dec 7, 2015