Linux Archive - Debian Kernel - Bug#605090: Update on grsecurity featureset (http://www.linux-archive.org/debian-kernel/570760-bug-605090-update-grsecurity-featureset.html)

Ben Hutchings 09-01-2011 04:20 AM

Bug#605090: Update on grsecurity featureset
 
On Wed, 2011-08-31 at 18:33 +0200, Yves-Alexis Perez wrote:
> Ok, here's an updated patchset.
>
> Tarball can be found at
> http://molly.corsac.net/~corsac/debian/kernel-grsec/grsec-patches.tar.xz
> (and already extracted in grsec-patches/ folder).
>
> It's a folder with a quilt patch series
>
> * 01_support-linux-3.0.patch
>
> This is unrelated but needed to support linux3 naming scheme in
> genorig.py.

Already done on trunk.

> * 02_force-hostcc-version.patch
>
> This one is needed because grsecurity ships two gcc (>= 4.5) plugins.
> Those need to be built with the same compiler version as the rest of the
> kernel, but right now they're built with HOSTCC which is not set right
> now, so defaults to 'gcc' which is gcc-4.6 at that time. So export
> HOSTCC to the (non CROSS_COMPILE) version.

gcc plugins surely need to be built _for_ the compiler version used for
the kernel, not _by_ that version.

Also, you are changing HOSTCC for all build tools and not just these
plugins.

> 03_enable-strict-user-copy-check.patch
>
> This one is not directly involved with grsecurity. Could be enabled by
> itself (#639919)

Without the strict check, the crap code produces a compile-time warning
and a run-time warning and *no copying*. With the strict check, the
crap code results in FTBFS (but only on i386 and s390!). So how is this
an improvement for us?

> 04_add-linux-grsec-base-templates.patch
>
> This one adds basic templates for a linux-grsec-base binary package to
> be built by linux-2.6 but I still haven't figured out how to patch
> genorig.py to make it do it.

Don't add such a package to linux-2.6. It should be a new source
package, like linux-base is now (after I initially made that mistake).

> 05_add-grsec-featureset.patch
>
> This is the main part, adding the featureset and config.

And linux-grsec-base, a second time!

> 06_grsecurity.patch
>
> The main grsecurity patch, not really readable since the quilt patch
> adds a patch :) It's basically the genuine grsecurity patch (right now
> grsecurity-2.2.2-3.0.4-201108301903.patch) with two little changes:
>
> * removing the -grsec localversion
> * oneliner to make it apply against debian sources

You should provide a gen-patch script to help in regenerating the patch.

Ben.
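
The point Ben makes about 02_force-hostcc-version.patch, as an added example that is not part of the thread and not the Debian kernel packaging's own code: a gcc plugin has to be built against the plugin headers of CC, the compiler that compiles the kernel, while it is still compiled by HOSTCC, so HOSTCC does not need to be forced to CC's version for every host tool. The header directory is what `$CC -print-file-name=plugin` reports, which is also how later mainline kernels derive GCC_PLUGINS_DIR in scripts/Makefile.gcc-plugins. The script assumes gcc >= 4.5 with the matching plugin-dev headers installed for the CC version; the function names, the `--check` switch and the version strings used in comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian kernel packaging):
# derive the plugin header directory from CC so a plugin is built *for*
# the kernel compiler, while HOSTCC is left alone for the other host tools.

# Reduce a gcc version string to major.minor ("4.6.1" -> "4.6").
# gcc >= 7 may answer -dumpversion with only the major; pass that through.
gcc_major_minor() {
    case "$1" in
        *.*) printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\).*/\1/' ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Succeed when two version strings belong to the same gcc series.
same_gcc_series() {
    [ "$(gcc_major_minor "$1")" = "$(gcc_major_minor "$2")" ]
}

# The compiler the kernel build uses: the top-level kernel Makefile sets
# CC = $(CROSS_COMPILE)gcc unless CC is given explicitly.
kernel_cc() {
    printf '%s\n' "${CC:-${CROSS_COMPILE:-}gcc}"
}

# Plugin header directory of the given compiler. gcc >= 4.5 answers
# -print-file-name=plugin with the directory; a compiler without plugin
# support (or without the headers installed) just echoes "plugin" back.
plugin_include_dir() {
    dir=$("$1" -print-file-name=plugin 2>/dev/null) || return 1
    [ "$dir" != "plugin" ] && [ -d "$dir/include" ] || return 1
    printf '%s\n' "$dir"
}

# Compile command for one plugin source file, in the form the gcc manual
# documents for plugins. Only the -I path depends on CC; the driver is
# HOSTCC, which the rest of the host tools keep using unchanged.
plugin_build_cmd() {
    hostcc=$1; plugin_dir=$2; src=$3; out=$4
    printf '%s -shared -fPIC -I%s/include -o %s %s\n' \
        "$hostcc" "$plugin_dir" "$out" "$src"
}

# Report where the plugin headers for CC live and whether HOSTCC happens
# to be from the same series. Exit 0 on match, 1 on mismatch (the plugin
# is still built for CC's headers), 2 if a compiler or the headers are missing.
check_plugin_toolchain() {
    cc=$(kernel_cc)
    hostcc=${HOSTCC:-gcc}
    ccver=$("$cc" -dumpversion 2>/dev/null) || { echo "cannot run $cc" >&2; return 2; }
    hostver=$("$hostcc" -dumpversion 2>/dev/null) || { echo "cannot run $hostcc" >&2; return 2; }
    dir=$(plugin_include_dir "$cc") || { echo "no plugin headers for $cc ($ccver)" >&2; return 2; }
    echo "plugin headers for CC=$cc ($ccver): $dir"
    plugin_build_cmd "$hostcc" "$dir" plugin.c plugin.so
    if same_gcc_series "$ccver" "$hostver"; then
        echo "HOSTCC=$hostcc ($hostver) is in the same series as CC"
        return 0
    fi
    echo "note: HOSTCC=$hostcc ($hostver) differs from CC ($ccver); plugin still built against CC's headers" >&2
    return 1
}

# Run the check only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    check_plugin_toolchain
fi
```

Run it as `CROSS_COMPILE=arm-linux-gnueabi- HOSTCC=gcc-4.6 sh plugin-toolchain.sh --check` to see the command line that would be used: the `-I` path comes from the cross compiler, the driver stays gcc-4.6. A mismatch between the two series is reported but is not, by itself, an error, which is the distinction between building a plugin "for" and "by" a compiler version.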
