Hi!
I'm trying to compile grsec, unofficial, by minipli[1]:
https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec
I think I got (maybe only) one serious hurdle (left to go) to install
grsec-hardened kernel in my Devuan machine[2].
I used the script that a lot of users followed in pre-corsac
grsecurity-packages for Debian, so actively until some two years ago,
passively still visited, and I'm (finally[3]) starting to adapt it for
Devuan[4]:
Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php?f=16&t=108616
and the very first poor-quality preview of Devuan-only script I attach:
grsec-dev1-compile.sh.gz (pls. note that's a preview even worse than my usual
poor-quality scripting, no time yet)
And with that script I have the following hurdle to overcome. It's at
the very end of the script, at the run of:
fakeroot make deb-pkg
(line 258)
Here is the excerpt (and Dev1_170512_fakeroot_make_deb-pkg_ERROR.txt.gz
is a much larger stretch of):
...
CC lib/swiotlb.o
CC lib/iommu-helper.o
CC lib/iommu-common.o
CC lib/syscall.o
CC lib/nlattr.o
CC lib/cpu_rmap.o
CC lib/dynamic_queue_limits.o
CC lib/glob.o
...
CC lib/string.o
CC lib/timerqueue.o
CC lib/vsprintf.o
CC lib/win_minmax.o
AR lib/lib.a
EXPORTS lib/lib-ksyms.o
LD lib/built-in.o
CC arch/x86/lib/msr-smp.o
CC arch/x86/lib/cache-smp.o
CC arch/x86/lib/msr.o
AS arch/x86/lib/msr-reg.o
...
CC arch/x86/lib/usercopy.o
CC arch/x86/lib/usercopy_64.o
AR arch/x86/lib/lib.a
EXPORTS arch/x86/lib/lib-ksyms.o
LD arch/x86/lib/built-in.o
CC virt/lib/irqbypass.o
LD virt/lib/built-in.o
LD virt/built-in.o
LD vmlinux.o
MODPOST vmlinux.o
...
GEN .version
CHK include/generated/compile.h
UPD include/generated/compile.h
CC init/version.o
LD init/built-in.o
KSYM .tmp_kallsyms1.o
KSYM .tmp_kallsyms2.o
LD vmlinux
SORTEX vmlinux
SYSMAP System.map
CC arch/x86/boot/a20.o
AS arch/x86/boot/bioscall.o
CC arch/x86/boot/cmdline.o
AS arch/x86/boot/copy.o
HOSTCC arch/x86/boot/mkcpustr
CPUSTR arch/x86/boot/cpustr.h
CC arch/x86/boot/cpu.o
CC arch/x86/boot/cpuflags.o
CC arch/x86/boot/cpucheck.o
CC arch/x86/boot/early_serial_console.o
CC arch/x86/boot/edd.o
LDS arch/x86/boot/compressed/vmlinux.lds
AS arch/x86/boot/compressed/head_64.o
VOFFSET arch/x86/boot/compressed/../voffset.h
...
CC arch/x86/boot/video-vga.o
CC arch/x86/boot/video-vesa.o
CC arch/x86/boot/video-bios.o
LD arch/x86/boot/setup.elf
OBJCOPY arch/x86/boot/setup.bin
OBJCOPY arch/x86/boot/vmlinux.bin
HOSTCC arch/x86/boot/tools/build
BUILD arch/x86/boot/bzImage
Setup is 15596 bytes (padded to 15872 bytes).
System is 7291 kB
CRC b8db2ca1
Kernel: arch/x86/boot/bzImage is ready (#1)
Building modules, stage 2.
MODPOST 5 modules
...
CC drivers/video/backlight/lcd.mod.o
LD [M] drivers/video/backlight/lcd.ko
BUILDDEB
INSTALL arch/x86/kernel/test_nx.ko
INSTALL drivers/media/dvb-frontends/helene.ko
INSTALL drivers/media/dvb-frontends/mn88472.ko
INSTALL drivers/media/dvb-frontends/mn88473.ko
INSTALL drivers/video/backlight/lcd.ko
DEPMOD 4.9.27-unofficial_grsec170512-14
CHK include/generated/uapi/linux/version.h
HOSTCC scripts/unifdef
INSTALL usr/include/asm-generic/ (35 files)
INSTALL usr/include/drm/ (21 files)
INSTALL usr/include/linux/android/ (1 file)
...
INSTALL usr/include/xen/ (4 files)
INSTALL usr/include/uapi/ (0 file)
INSTALL usr/include/asm/ (65 files)
CHECK usr/include/asm-generic/ (35 files)
CHECK usr/include/drm/ (21 files)
CHECK usr/include/linux/android/ (1 files)
CHECK usr/include/linux/byteorder/ (2 files)
CHECK usr/include/linux/caif/ (2 files)
...
CHECK usr/include/sound/ (15 files)
CHECK usr/include/video/ (3 files)
CHECK usr/include/xen/ (4 files)
CHECK usr/include/uapi/ (0 files)
CHECK usr/include/asm/ (65 files)
CHK include/generated/uapi/linux/version.h
INSTALL debian/headertmp/usr/include/asm-generic/ (35 files)
INSTALL debian/headertmp/usr/include/drm/ (21 files)
INSTALL debian/headertmp/usr/include/linux/android/ (1 file)
INSTALL debian/headertmp/usr/include/linux/byteorder/ (2 files)
...
INSTALL debian/headertmp/usr/include/video/ (3 files)
INSTALL debian/headertmp/usr/include/xen/ (4 files)
INSTALL debian/headertmp/usr/include/uapi/ (0 file)
INSTALL debian/headertmp/usr/include/asm/ (65 files)
Using default distribution of 'unstable' in the changelog
Install lsb-release or set $KDEB_CHANGELOG_DIST explicitly
dpkg-gencontrol: error: illegal package name 'linux-headers-4.9.27-unofficial_grsec170512-14': character '_' not allowed
scripts/package/Makefile:91: recipe for target 'deb-pkg' failed
make[1]: *** [deb-pkg] Error 255
Makefile:1334: recipe for target 'deb-pkg' failed
make: *** [deb-pkg] Error 2
...
I understand some of that error just above, and I think I see what needs
to be different. Also I think I saw (but wasn't able to find it) that
Mathias Krause made a notice about it in his github (but he hasn't yet
fixed it in that minipli repo of his, the link way in the top; hi,
Mathias, I decide to send this question to you as well[5]). Here:
# find linux-4.9.27 -name 'control'
linux-4.9.27/debian/control
#
( see attachment control.gz, it's full of
4.9.27-unofficial_grsec170512-14 where underscore is the illegal
character )
and:
# find linux-4.9.27 -name '*linux-headers-4.9.27-unofficial_grsec170512-14*'
linux-4.9.27/debian/hdrtmp/usr/share/doc/linux-headers-4.9.27-unofficial_grsec170512-14
linux-4.9.27/debian/hdrtmp/usr/src/linux-headers-4.9.27-unofficial_grsec170512-14
#
(
see attachment changelog.Debian.gz, same issue; the second find is only
in the name:
# find linux-4.9.27/debian/hdrtmp/usr/src/ -name '*unofficial_grsec*'
linux-4.9.27/debian/hdrtmp/usr/src/linux-headers-4.9.27-unofficial_grsec170512-14
#
)
So my hope is, if I fix those files, rename that one just above, and sed
's/_/-/g' (or so) on the other ones, manually, should dpkg-gencontrol
accept to go on and would dpkg-gencontrol be able to roll up its part
and then... Ha!, that's another issue here, that's actually my real
issue...! And then what, how to finish creating the packages?
I hope I've explained the issue... Can this be fixed, post-error, after
the erroring out of the compilation process as in the
Dev1_170512_fakeroot_make_deb-pkg_ERROR.txt.gz (or the above briefer
excerpt)? I mean, without recompiling. With the source as it is right
after that error, but with these deficiencies manually fixed?
---
[1] Mathias Krause, one of the Mempo creators, and also a contributor
to KSPP and a critic of it (KSPP is under umbrella of the big
Schmoog, and lots of us will consider it a defeat of the free
software if those fragments and pieces of grsecurity/PaX that KSPP
will be allowed to get into the kernel by the few (sic!) who decide
what gets and what doesn't into the kernel should one day be all
that has remained of the great grsecurity project), and I really
prefer to hope that his/his team's/other adopters' unofficial
grsecurity patches to vanilla kernel should take the baton (
https://grsecurity.net/passing_the_baton.php ) and move on with a
post-grsecurity, but who knows, only genii can continue from where
spender and PaX Team left...
[2] which I installed in Air-Gapped. No jokes in the (censorial/intrusional)
environment for me. Have a look at what some subject(s)/something
turned my Gentoo into, even though I was building in Air-Gapped, and
used only cloned system for online:
Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/
[3] That has become possible for me only with the availability of verifiably
available-in-offline repo (
which is the Devuan Jessie RC2 DVD; in pre-systemDestruction Debian
I used to build from Debian Weekly Testing, which used to be some
50G or so, some 12 DVDs, by using jigdo with my own
jigdo-automate-scripts:
https://github.com/miroR/jigdo-automate-scripts
) because I build my systems in Air-Gapped, the Gentoo of the
cap-170504-strange-bash above lasted some four years, and it is only
now limitedly (I believe) broken into, and if I weren't building it
in Air-Gapped, it wouldn't have lasted even only a few
weeks/months... Any plans to get a Testing Weekly Devuan PGP-signed
media and to be getting it with jigdo? But I am patient... and happy
already... I finally installed Devuan proper, and with encrypted
root and swap...
[4] Will git.devuan.org be getting more reliable in availability, is that
expected? I wouldn't mind that it couldn't possibly be as perfect and
fast as github, for that the Team would need to collude with the mighty,
which I hope they never will (some distros do...), but just solidly
reliably available, any hope for that? Because I would prefer using
git.devuan.org instead of github...
[5] Mathias has already been kind to teach me with a quick tip how to
build his unoffic-grsec in Gentoo:
Technical repercussions of grsecurity removal
https://lists.gt.net/gentoo/hardened/326262#326262
and readers should read that thread, to learn things about KSPP and
kernel and the very few who decide for us all, recently even openly
but quietly against free software:
< same subject >
https://lists.gt.net/gentoo/hardened/326254#326254
and the links from there, esp.: find "Shawn", and "Karen Sandler"
Sincere regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
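
Added example, not part of the original post: a pre-flight check of package names against the Debian Policy naming rule (lowercase letters, digits, `+`, `-`, `.`; at least two characters; first character alphanumeric), so a bad name is caught before a long build rather than at the dpkg-gencontrol step. The function names are this example's own, and the control file is constructed; only the linux-headers name is taken from the error message above.

```shell
#!/bin/sh
# Added example: validate Debian package names per Debian Policy.
# LC_ALL=C keeps the a-z ranges from matching uppercase in some locales.

# valid_pkgname NAME: exit status 0 if NAME is a legal package name.
valid_pkgname() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9][a-z0-9+.-]+$'
}

# illegal_chars NAME: print the characters of NAME the rule does not allow.
illegal_chars() {
    printf '%s' "$1" | LC_ALL=C tr -d 'a-z0-9+.-'
}

# bad_pkgnames: read a control file on stdin and print every Source: or
# Package: name that fails the rule, one per line.
bad_pkgnames() {
    sed -n -e 's/^Source:[[:space:]]*//p' -e 's/^Package:[[:space:]]*//p' |
    while IFS= read -r name; do
        valid_pkgname "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample control file; the stanzas other than linux-headers
# are illustrative and not copied from the poster's attachment.
sample_control() {
    cat <<'EOF'
Source: linux-upstream
Section: kernel

Package: linux-headers-4.9.27-unofficial_grsec170512-14
Architecture: any

Package: linux-libc-dev
Architecture: any
EOF
}

# Lists the names that break the rule, then the offending character(s).
sample_control | bad_pkgnames
illegal_chars 'linux-headers-4.9.27-unofficial_grsec170512-14'; echo
```

On a real tree the same check is `bad_pkgnames < debian/control`.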