As a proof of concept, I pulled 4 features from the grsecurity patch and back-ported them to the CentOS 5.6 kernel. I built the resulting patch with ksplice and inserted the resulting tarball into the kernel. The features work brilliantly. It’s been running on my server the past few days with no issues so far.
The features I did it with are: Trusted Path Execution (TPE), dmesg restrictions, TCP/UDP blackhole, and disabled privileged IO.
Before I continue with this, I’d like to instead use a more current kernel, such as version 2.6.32, which both RHEL6 and Ubuntu 10.04 LTS use. This kernel version also happens to be the tree that grsecurity follows as “stable”. However, I’ve run into problems in trying to build ksplice with this kernel version. Today I sent the following email to their support email address:
Hello, I spoke with Tim Hill over the phone and he directed me to you for this question. I'm having several problems building ksplice tarballs on Ubuntu 10.04 LTS (2.6.32-31-generic x86_64). I'm using the code here: http://www.ksplice.com/git/ksplice.git

By the way, that was last updated August of 2009. I imagine the code has been updated since then. Do you intend on updating this git repo?

First error I get on ksplice-create is:

    LD      /tmp/ksplice-tmp-CZWVYL/kmodsrc/built-in.o
    CC      /tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.o
    /tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.c:38:26: error: linux/marker.h: No such file or directory
    /tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.c:118: error: invalid application of ‘sizeof’ to incomplete type ‘struct marker’
    /tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.c:119: error: invalid application of ‘__alignof__’ to incomplete type ‘struct marker’
    /tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.c:121: error: invalid use of undefined type ‘struct marker’
    make: *** [/tmp/ksplice-tmp-CZWVYL/kmodsrc/offsets.o] Error 1
    make: *** [_module_/tmp/ksplice-tmp-CZWVYL/kmodsrc] Error 2

I did some searching, and found an upstream Debian patch that solves this issue: https://launchpad.net/ubuntu/+archive/primary/+files/ksplice_0.9.9-4.diff.gz In there is kernel-markers.diff, which solves that issue.

It then compiles the kernel, but fails at the end with the same problem that is illustrated here: https://bugzilla.redhat.com/show_bug.cgi?id=523024

    make: Entering directory `/usr/src/kernels/2.6.31-2.fc12.x86_64'
    LD      /tmp/ksplice-tmp-DQhqBz/kmodsrc/built-in.o
    CC      /tmp/ksplice-tmp-DQhqBz/kmodsrc/offsets.o
    CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice.o
    RMSYMS  /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice-rmsyms.o
    /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice.o: Unknown section type: __mcount_loc
    ksplice: died at objmanip.c:2902
    Child exited with signal 6
    Failed during: /usr/local/libexec/ksplice-objmanip /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice.o /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice.o.rmsyms rmsyms
    CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/itab.o
    CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/input.o
    CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/decode.o
    CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/syn.o
    CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/syn-intel.o
    CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/syn-att.o
    CC [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/x86/libudis86/udis86.o
    LD [M]  /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice-ky0gpynu.o
    ld: /tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice-rmsyms.o: No such file: No such file or directory
    make: *** [/tmp/ksplice-tmp-DQhqBz/kmodsrc/ksplice-ky0gpynu.o] Error 1

There has been no resolution to that ticket. If I edit objmanip.c and add __mcount_loc as a text, data, or ignored section, I get past this error, but the build has these warnings:

    fs/compat.o: warning: ignoring change to nonpatchable section __mcount_loc

And finishes with several of these:

    WARNING: /tmp/ksplice-tmp-V70Mjp/kmodsrc/ksplice-tpe_vmlinux-old.o (.ksplice_call_fail_reverse): unexpected non-allocatable section.
    Did you forget to use "ax"/"aw" in a .S file?
    Note that for example <linux/init.h> contains section definitions for use in .S files.

and I'm unable to apply it, which makes sense.
Editing section data in kernel code is a little over my head :) Do you have a resolution to this issue? I imagine you do since you do support the Ubuntu 10.04 LTS release. I appreciate your time.
I hope to hear from them soon, as I’d like to keep working on this. But it is a 3-day weekend, so we’ll see.