:: [DNG] unoffic-grsec 4.9.27 kernel c…
Author: Miroslav Rovis
Date:
To: dng
CC: Mathias Krause
Subject: [DNG] unoffic-grsec 4.9.27 kernel compile, one last hurdle
Hi!

I'm trying to compile grsec, unofficial, by minipli[1]:
https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

I think I got (maybe only) one serious hurdle (left to go) to install
grsec-hardened kernel in my Devuan machine[2].

I used the script that a lot of users followed in pre-corsac
grsecurity-packages for Debian, so actively until some two years ago,
passively still visited, and I'm (finally[3]) starting to adapt it for
Devuan[4]:

Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php?f=16&t=108616
and the very first poor-quality preview of Devuan-only script I attach:

grsec-dev1-compile.sh.gz (pls. note that's a preview even worse than my usual
            poor-quality scripting, no time yet)


And with that script I have the following hurdle to overcome. It's at
the very end of the script, at the run of:

fakeroot make deb-pkg
(line 258)

Here is the excerpt (and Dev1_170512_fakeroot_make_deb-pkg_ERROR.txt.gz
is a much larger stretch of):

...
  CC      lib/swiotlb.o
  CC      lib/iommu-helper.o
  CC      lib/iommu-common.o
  CC      lib/syscall.o
  CC      lib/nlattr.o
  CC      lib/cpu_rmap.o
  CC      lib/dynamic_queue_limits.o
  CC      lib/glob.o
...
  CC      lib/string.o
  CC      lib/timerqueue.o
  CC      lib/vsprintf.o
  CC      lib/win_minmax.o
  AR      lib/lib.a
  EXPORTS lib/lib-ksyms.o
  LD      lib/built-in.o
  CC      arch/x86/lib/msr-smp.o
  CC      arch/x86/lib/cache-smp.o
  CC      arch/x86/lib/msr.o
  AS      arch/x86/lib/msr-reg.o
...
  CC      arch/x86/lib/usercopy.o
  CC      arch/x86/lib/usercopy_64.o
  AR      arch/x86/lib/lib.a
  EXPORTS arch/x86/lib/lib-ksyms.o
  LD      arch/x86/lib/built-in.o
  CC      virt/lib/irqbypass.o
  LD      virt/lib/built-in.o
  LD      virt/built-in.o
  LD      vmlinux.o
  MODPOST vmlinux.o
...
  GEN     .version
  CHK     include/generated/compile.h
  UPD     include/generated/compile.h
  CC      init/version.o
  LD      init/built-in.o
  KSYM    .tmp_kallsyms1.o
  KSYM    .tmp_kallsyms2.o
  LD      vmlinux
  SORTEX  vmlinux
  SYSMAP  System.map
  CC      arch/x86/boot/a20.o
  AS      arch/x86/boot/bioscall.o
  CC      arch/x86/boot/cmdline.o
  AS      arch/x86/boot/copy.o
  HOSTCC  arch/x86/boot/mkcpustr
  CPUSTR  arch/x86/boot/cpustr.h
  CC      arch/x86/boot/cpu.o
  CC      arch/x86/boot/cpuflags.o
  CC      arch/x86/boot/cpucheck.o
  CC      arch/x86/boot/early_serial_console.o
  CC      arch/x86/boot/edd.o
  LDS     arch/x86/boot/compressed/vmlinux.lds
  AS      arch/x86/boot/compressed/head_64.o
  VOFFSET arch/x86/boot/compressed/../voffset.h
...
  CC      arch/x86/boot/video-vga.o
  CC      arch/x86/boot/video-vesa.o
  CC      arch/x86/boot/video-bios.o
  LD      arch/x86/boot/setup.elf
  OBJCOPY arch/x86/boot/setup.bin
  OBJCOPY arch/x86/boot/vmlinux.bin
  HOSTCC  arch/x86/boot/tools/build
  BUILD   arch/x86/boot/bzImage
Setup is 15596 bytes (padded to 15872 bytes).
System is 7291 kB
CRC b8db2ca1
Kernel: arch/x86/boot/bzImage is ready  (#1)
  Building modules, stage 2.
  MODPOST 5 modules
...
  CC      drivers/video/backlight/lcd.mod.o
  LD [M]  drivers/video/backlight/lcd.ko
  BUILDDEB
  INSTALL arch/x86/kernel/test_nx.ko
  INSTALL drivers/media/dvb-frontends/helene.ko
  INSTALL drivers/media/dvb-frontends/mn88472.ko
  INSTALL drivers/media/dvb-frontends/mn88473.ko
  INSTALL drivers/video/backlight/lcd.ko
  DEPMOD  4.9.27-unofficial_grsec170512-14
  CHK     include/generated/uapi/linux/version.h
  HOSTCC  scripts/unifdef
  INSTALL usr/include/asm-generic/ (35 files)
  INSTALL usr/include/drm/ (21 files)
  INSTALL usr/include/linux/android/ (1 file)
...
  INSTALL usr/include/xen/ (4 files)
  INSTALL usr/include/uapi/ (0 file)
  INSTALL usr/include/asm/ (65 files)
  CHECK   usr/include/asm-generic/ (35 files)
  CHECK   usr/include/drm/ (21 files)
  CHECK   usr/include/linux/android/ (1 files)
  CHECK   usr/include/linux/byteorder/ (2 files)
  CHECK   usr/include/linux/caif/ (2 files)
...
  CHECK   usr/include/sound/ (15 files)
  CHECK   usr/include/video/ (3 files)
  CHECK   usr/include/xen/ (4 files)
  CHECK   usr/include/uapi/ (0 files)
  CHECK   usr/include/asm/ (65 files)
  CHK     include/generated/uapi/linux/version.h
  INSTALL debian/headertmp/usr/include/asm-generic/ (35 files)
  INSTALL debian/headertmp/usr/include/drm/ (21 files)
  INSTALL debian/headertmp/usr/include/linux/android/ (1 file)
  INSTALL debian/headertmp/usr/include/linux/byteorder/ (2 files)
...
  INSTALL debian/headertmp/usr/include/video/ (3 files)
  INSTALL debian/headertmp/usr/include/xen/ (4 files)
  INSTALL debian/headertmp/usr/include/uapi/ (0 file)
  INSTALL debian/headertmp/usr/include/asm/ (65 files)
Using default distribution of 'unstable' in the changelog
Install lsb-release or set $KDEB_CHANGELOG_DIST explicitly
dpkg-gencontrol: error: illegal package name 'linux-headers-4.9.27-unofficial_grsec170512-14': character '_' not allowed
scripts/package/Makefile:91: recipe for target 'deb-pkg' failed
make[1]: *** [deb-pkg] Error 255
Makefile:1334: recipe for target 'deb-pkg' failed
make: *** [deb-pkg] Error 2
...


I understand some of that error just above, and I think I see what needs
to be different. Also I think I saw (but wasn't able to find it) that
Mathias Krause made a notice about it in his github (but he hasn't yet
fixed it in that minipli repo of his, the link way in the top; hi,
Mathias, I decide to send this question to you as well[5]). Here:

# find linux-4.9.27 -name 'control'
linux-4.9.27/debian/control
#
( see attachment control.gz, it's full of
4.9.27-unofficial_grsec170512-14 where underscore is the illegal
character )

and:

# find linux-4.9.27 -name '*linux-headers-4.9.27-unofficial_grsec170512-14*'
linux-4.9.27/debian/hdrtmp/usr/share/doc/linux-headers-4.9.27-unofficial_grsec170512-14
linux-4.9.27/debian/hdrtmp/usr/src/linux-headers-4.9.27-unofficial_grsec170512-14
#

(
see attachment changelog.Debian.gz, same issue; the second find is only
in the name:
# find linux-4.9.27/debian/hdrtmp/usr/src/ -name '*unofficial_grsec*'
linux-4.9.27/debian/hdrtmp/usr/src/linux-headers-4.9.27-unofficial_grsec170512-14
#
)

So my hope is, if I fix those files, rename that one just above, and sed
's/_/-/g' (or so) on the other ones, manually, should dpkg-gencontrol
accept to go on and would dpkg-gencontrol be able to roll up its part
and then... Ha!, that's another issue here, that's actually my real
issue...! And then what, how to finish creating the packages?

I hope I've explained the issue... Can this be fixed, post-error, after
the erroring out of the compilation process as in the
Dev1_170512_fakeroot_make_deb-pkg_ERROR.txt.gz (or the above briefer
excerpt)? I mean, without recompiling. With the source as it is right
after that error, but with these deficiencies manually fixed?

---
[1] Mathias Krause, one of the Mempo creators, and also a contributor
    to KSPP and a critic of it (KSPP is under umbrella of the big
    Schmoog, and lots of us will consider it a defeat of the free
    software if those fragments and pieces of grsecurity/PaX that KSPP
    will be allowed to get into the kernel by the few (sic!) who decide
    what gets and what doesn't into the kernel should one day be all
    that has remained of the great grsecurity project), and I really
    prefer to hope that his/his team's/other adopters' unofficial
    grsecurity patches to vanilla kernel should take the baton (
    https://grsecurity.net/passing_the_baton.php ) and move on with a
    post-grsecurity, but who knows, only genii can continue from where
    spender and PaX Team left...


[2] which I installed in Air-Gapped. No jokes in the (censorial/intrusional)
    environment for me. Have a look at what some subject(s)/something
    turned my Gentoo into, even though I was building in Air-Gapped, and
    used only cloned system for online:
    Strange script planted with Bash
    https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/


[3] That has become possible for me only with the availability of verifiably
    available-in-offline repo (
    which is the Devuan Jessie RC2 DVD; in pre-systemDestruction Debian
    I used to build from Debian Weekly Testing, which used to be some
    50G or so, some 12 DVDs, by using jigdo with my own
    jigdo-automate-scripts:
    https://github.com/miroR/jigdo-automate-scripts
    ) because I build my systems in Air-Gapped, the Gentoo of the
    cap-170504-strange-bash above lasted some four years, and it is only
    now limitedly (I believe) broken into, and if I weren't building it
    in Air-Gapped, it wouldn't have lasted even only a few
    weeks/months... Any plans to get a Testing Weekly Devuan PGP-signed
    media and to be getting it with jigdo? But I am patient... and happy
    already... I finally installed Devuan proper, and with encrypted
    root and swap...


[4] Will git.devuan.org be getting more reliable in availability, is that
    expected? I wouldn't mind that it couldn't possibly be as perfect and
    fast as github, for that the Team would need to collude with the mighty,
    which I hope they never will (some distros do...), but just solidly
    reliably available, any hope for that? Because I would prefer using
    git.devuan.org instead of github...


[5] Mathias has already been kind to teach me with a quick tip how to
    build his unoffic-grsec in Gentoo:
    Technical repercussions of grsecurity removal
    https://lists.gt.net/gentoo/hardened/326262#326262
    and readers should read that thread, to learn things about KSPP and
    kernel and the very few who decide for us all, recently even openly
    but quietly against free software:
    < same subject >
    https://lists.gt.net/gentoo/hardened/326254#326254
    and the links from there, esp.: find "Shawn", and "Karen Sandler"


Sincere regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
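
Added example (not part of the original message, and not code from the kernel tree or from minipli's repository): a pre-flight check to run before `fakeroot make deb-pkg`, which tests the package names derived from the kernel release string against the Debian Policy package-name rule (lowercase letters, digits, `+`, `-`, `.`; at least two characters; alphanumeric first character). The `_` reported by `dpkg-gencontrol` in the log above fails that rule. The function names are hypothetical, and the `linux-image-` prefix is an assumption; only `linux-headers-` appears in the log.

```shell
#!/bin/sh
# Added example: check a kernel release string (as printed by
# `make -s kernelrelease` in the source tree) before building .deb packages.
export LC_ALL=C   # make a-z / A-Z ranges mean ASCII only

# Debian Policy rule for package names: [a-z0-9][a-z0-9+.-]+
valid_pkg_name() {
    case "$1" in
        ''|?)           return 1 ;;  # shorter than two characters
        [!a-z0-9]*)     return 1 ;;  # must start with an alphanumeric
        *[!-a-z0-9.+]*) return 1 ;;  # a character outside the allowed set
    esac
    return 0
}

# Print the distinct characters in $1 that the rule does not allow.
bad_chars() {
    printf '%s' "$1" | tr -d -- '-a-z0-9.+' | fold -w1 | sort -u | tr -d '\n'
}

# One possible normalisation, following the sed idea in the message:
# lowercase the string and turn '_' into '-'.
sanitize_release() {
    printf '%s' "$1" | tr 'A-Z_' 'a-z-'
}

# Check the names built from the release string.
# Assumption: the packages are named <prefix>-<release>, as the
# linux-headers-<release> name in the log suggests.
check_release() {
    rc=0
    for prefix in linux-image linux-headers; do
        name="$prefix-$1"
        if valid_pkg_name "$name"; then
            echo "ok       $name"
        else
            echo "illegal  $name (offending: '$(bad_chars "$name")')"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || echo "suggest  $(sanitize_release "$1")"
    return "$rc"
}

# Default input is the release string from the log above.
check_release "${1:-4.9.27-unofficial_grsec170512-14}" ||
    echo "release string would be rejected as a package name" >&2
```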