Applying (part of) the grsecurity patch with Ksplice

As a proof of concept, I pulled 4 features from the grsecurity patch and back-ported them to the CentOS 5.6 kernel. I built the resulting patch with Ksplice and inserted the generated update tarball into the running kernel. The features work brilliantly. It’s been running on my server for the past few days with no issues so far.

The four features are: Trusted Path Execution (TPE), dmesg restrictions, TCP/UDP blackhole, and disabled privileged IO.

Before I continue with this, I’d like to switch to a more current kernel, such as version 2.6.32, which both RHEL6 and Ubuntu 10.04 LTS use. That kernel version also happens to be the tree grsecurity tracks as its “stable” branch. However, I’ve run into problems trying to build Ksplice against this kernel version. Today I sent the following email to their support address:

Hello,

I spoke with Tim Hill over the phone and he directed me to you for
this question.

I'm having several problems building ksplice tarballs on Ubuntu
10.04 LTS (2.6.32-31-generic x86_64). I'm using the code here:

http://www.ksplice.com/git/ksplice.git

By the way, that was last updated August of 2009. I imagine the code
has been updated since then. Do you intend on updating this git
repo?

First error I get on ksplice-create is:

  LD      /tmp/ksplice-tmp-CZWVYL/kmodsrc/built-in.o
  CC      /tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.o
/tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.c:38:26: error:
linux/marker.h: No such file or directory
/tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.c:118: error: invalid
application of ‘sizeof’ to incomplete type ‘struct marker’
/tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.c:119: error: invalid
application of ‘__alignof__’ to incomplete type ‘struct marker’
/tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.c:121: error: invalid use of
undefined type ‘struct marker’
make[1]: *** [/tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.o] Error 1
make: *** [_module_/tmp/ksplice-tmp-CZWVYL/kmodsrc] Error 2

I did some searching, and found an upstream debian patch that solves
this issue:

https://launchpad.net/ubuntu/+archive/primary/+files/ksplice_0.9.9-4.diff.gz

In there is kernel-markers.diff which solves that issue.

It then compiles the kernel, but fails at the end with the same
problem that is illustrated here:

https://bugzilla.redhat.com/show_bug.cgi?id=523024

make: Entering directory `/usr/src/kernels/2.6.31-2.fc12.x86_64'
  LD      /tmp/ksplice-tmp-DQhqBz/kmodsrc/built-in.o
  CC      /tmp/ksplice-tmp-DQhqBz/kmodsrc/offsets.o
  CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice.o
  RMSYMS  /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice-rmsyms.o
/tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice.o: Unknown section type:
__mcount_loc
ksplice: died at objmanip.c:2902
Child exited with signal 6
Failed during: /usr/local/libexec/ksplice-objmanip
/tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice.o
/tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice.o.rmsyms rmsyms
  CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/itab.o
  CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/input.o
  CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/decode.o
  CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/syn.o
  CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/syn-intel.o
  CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/syn-att.o
  CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/udis86.o
  LD [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice-ky0gpynu.o
ld: /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice-rmsyms.o: No such file:
No such file or directory
make[1]: *** [/tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice-ky0gpynu.o]
Error 1

There has been no resolution to that ticket.

If I edit objmanip.c and add __mcount_loc as a text, data, or
ignored section, I get past this error, but the build has these
warnings:

fs/compat.o: warning: ignoring change to nonpatchable section
__mcount_loc

And finishes with several of these:

WARNING: /tmp/ksplice-tmp-V70Mjp/kmodsrc/ksplice-tpe_vmlinux-old.o
(.ksplice_call_fail_reverse): unexpected non-allocatable section.
Did you forget to use "ax"/"aw" in a .S file?
Note that for example <linux/init.h> contains
section definitions for use in .S files.

and I'm unable to apply it, which makes sense. Editing section data
in kernel code is a little over my head :)

Do you have a resolution to this issue? I imagine you do since you
do support the Ubuntu 10.04 LTS release.

I appreciate your time.

I hope to hear from them soon, as I’d like to keep working on this. But it is a 3 day weekend. So we’ll see.
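Two of the failures in the email above come down to section headers: objmanip refused an ELF section type it did not classify (__mcount_loc, the ftrace mcount call-site records), and modpost warned about a PROGBITS section that was emitted without the SHF_ALLOC flag. The script below is an added example of mine, not code from this post, from Ksplice or from the kernel: it reads the section table of an ELF64 object and reports both conditions, so a built update module can be checked before it is handed to modpost or insmod. The non-allocatable rule is modelled on modpost's check_section (PROGBITS, no SHF_ALLOC, name not on its whitelist; the whitelist here is abbreviated). The sample object is constructed in the script and only mimics the section names from the email; it is not a real Ksplice module.

```python
#!/usr/bin/env python3
"""Audit the section headers of an ELF64 relocatable object (.o or .ko) for
two things that break a hot-patch build:

  * PROGBITS sections without SHF_ALLOC, which modpost reports as
    "unexpected non-allocatable section" (rule modelled on modpost's
    check_section; whitelist abbreviated);
  * the ftrace __mcount_loc section, which the Ksplice objmanip of that
    era did not classify as text, data or ignored.

Added example, standard library only.  Usage: audit_sections.py [file.o]
"""
import fnmatch
import struct
import sys

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64 bytes
SHDR_SIZE = struct.calcsize(SHDR_FMT)   # 64 bytes

SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4

# Non-allocatable PROGBITS sections modpost tolerates silently (abbreviated).
MODPOST_WHITELIST = (".comment*", ".debug*", ".zdebug*", ".GCC.command.line")
FTRACE_SECTIONS = ("__mcount_loc",)


def section_table(blob):
    """Return [(name, sh_type, sh_flags)] for every section header in blob."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    hdr = struct.unpack_from(EHDR_FMT, blob, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR_FMT, blob, shoff + i * shentsize)
             for i in range(shnum)]
    # Section names live in the .shstrtab section pointed to by e_shstrndx.
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = blob[str_off:str_off + str_size]
    table = []
    for sh in shdrs:
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])].decode()
        table.append((name, sh[1], sh[2]))
    return table


def audit_sections(blob):
    """Classify the sections a hot-patch build pipeline will complain about."""
    report = {"non_allocatable": [], "ftrace": []}
    for name, sh_type, sh_flags in section_table(blob):
        if (sh_type == SHT_PROGBITS and not sh_flags & SHF_ALLOC
                and not any(fnmatch.fnmatch(name, p) for p in MODPOST_WHITELIST)):
            report["non_allocatable"].append(name)   # modpost will warn
        if name in FTRACE_SECTIONS:
            report["ftrace"].append(name)            # objmanip needs a rule
    return report


def build_object(sections):
    """Construct a minimal ELF64 ET_REL object from [(name, flags, data)].
    Constructed test input only; real objects come from the compiler."""
    names = [""] + [n for n, _, _ in sections] + [".shstrtab"]
    shstrtab, name_off = b"", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    # Layout: file header | section contents | .shstrtab | section headers.
    body, offset = b"", EHDR_SIZE
    shdrs = [struct.pack(SHDR_FMT, 0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)]
    for name, flags, data in sections:
        shdrs.append(struct.pack(SHDR_FMT, name_off[name], SHT_PROGBITS, flags,
                                 0, offset, len(data), 0, 0, 1, 0))
        body += data
        offset += len(data)
    shdrs.append(struct.pack(SHDR_FMT, name_off[".shstrtab"], SHT_STRTAB, 0,
                             0, offset, len(shstrtab), 0, 0, 1, 0))
    shoff = offset + len(shstrtab)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9      # ELFCLASS64, little-endian
    ehdr = struct.pack(EHDR_FMT, ident, 1, 62, 1, 0, 0, shoff, 0, EHDR_SIZE,
                       0, 0, SHDR_SIZE, len(shdrs), len(shdrs) - 1)
    return ehdr + body + shstrtab + b"".join(shdrs)


# Constructed sample mimicking the section names in the email: ftrace
# records, a Ksplice bookkeeping section emitted without the "a" flag,
# and a .comment section that modpost ignores.
SAMPLE_OBJECT = build_object([
    (".text", SHF_ALLOC | SHF_EXECINSTR, b"\x90\xc3"),
    ("__mcount_loc", SHF_ALLOC, b"\0" * 8),
    (".ksplice_call_fail_reverse", 0, b"\0" * 8),
    (".comment", 0, b"GCC\0"),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OBJECT
    for kind, names in audit_sections(blob).items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

Run it with no arguments to see the report on the constructed sample, or pass a real `.o` from the kmodsrc directory to see which sections a given build actually produces; an entry under `non_allocatable` is the section modpost's warning names, and an entry under `ftrace` is the one objmanip has to be taught about.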
