Kernel 2.6 grsecurity RPMs maintained by cormander

NOTICE TO USERS

THERE IS NO WARRANTY FOR THESE RPMS. Use them at your own risk. These files are released under the terms of the GNU GPL.

Package names, directory paths, and other structural components of this site are subject to change without notice. If an exact URL that used to exist doesn't anymore, it's likely that it's been moved, renamed, or discontinued.

These were built on a CentOS 5.1 x86_64 machine, but have been tested on CentOS 4, CentOS 5, Fedora 8, Fedora 9, and openSUSE 10.3. If you succeed in installing/booting other systems with these RPMs, please let me know and I'll list them here. I suspect that earlier versions of these distros will boot with the kernel, but they have not been tested.

KERNELS

There are two versions of the Linux kernel on this site:

1) The 2.6.24 tree is "stable" - the grsecurity patch for it doesn't change, and the kernel itself is only updated when a known security issue is made public.
2) The 2.6.25 tree is "testing" - this kernel is updated as often as a new PaX or grsecurity patch comes out, and may be updated as often as twice in a single day, or could go a whole two weeks without so much as a peep.

In each of these trees there are different kernel packages:

1) kernel-grsec : Kernel with the full grsecurity patch
2) kernel-grsec-nopax : Kernel with the grsecurity patch, no PaX
3) kernel-pax : Kernel with the PaX patch, no grsecurity
4) kernel-vanilla : Kernel with no patches; vanilla
5) kernel-chocolate : Kernel with no grsecurity or PaX, but not vanilla

You only need one of them, but you're welcome to install them all so you can boot the different variants if a problem occurs, to see which are affected and which aren't. See the BUGS section below.

Note on the "chocolate" - it only exists in the "stable" tree and contains back-ported patches from the upstream kernel release that are applicable to the 2.6.24 tree.
These patches go in on top of the grsec and pax kernels as well. As far as the name goes - chocolate is generally accepted as the opposite of vanilla and I thought the name was appropriate. Oh, and I happen to like chocolate a lot.

SECURITY

I should note that for stability reasons, I have locked the version of these kernels to the 2.6.24.x tree of the Linux kernel - mainly because that is the "stable" version of grsecurity. This is no longer the latest stable tree of the Linux kernel, nor is it the latest testing version of the grsecurity/PaX patches, but I am making a very active effort to keep an eye out for public security disclosures in the CVE database for items that this kernel is affected by. As of the time of this writing, the spec file for the stable RPMs contains at least five CVE patches that were back-ported from the 2.6.25 kernel tree, and a few hundred bug-fix related patches. The current testing version of grsecurity is still on the latest kernel, 2.6.25, and RPMs for this exist in the "testing" directory.

Also a matter of note - the simple act of installing a grsecurity kernel on your system isn't a security guarantee. It certainly helps, but I very highly recommend that you also use the RBAC system that is available via the gradm utility.

INSTALLATION

The kernel RPMs have no "dependencies" as far as the RPM database is concerned. But make sure an initrd is created for you when you install them (the new-kernel-pkg command is called upon installation, if it exists). If you do not have the new-kernel-pkg command (normally located in /sbin) you will need to run the mkinitrd command in order for your machine to be able to boot with the new kernel.
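A post-install check for what the paragraph above asks of you (and what method 2 below has you verify by hand): that the new kernel image has an initrd next to it in /boot and a bootloader stanza that references both. This is an added example for this page, not a script shipped with these RPMs. It assumes the Red Hat style names /boot/vmlinuz-<version> and /boot/initrd-<version>.img and a grub.conf with a "default=N" line and one "title" stanza per kernel; the imitation /boot it builds is constructed so the script can be run anywhere without touching the real system.

```shell
#!/bin/sh
# Added example: is a freshly installed kernel package actually bootable?
# Assumptions (not stated on the page): Red Hat style names
# /boot/vmlinuz-<version> and /boot/initrd-<version>.img, and a grub.conf
# with "default=N" (0-based) and one "title" stanza per kernel.

# check_kernel_boot_files VERSION BOOTDIR GRUBCONF
# Returns 0 when the kernel image, its initrd and a grub stanza that uses
# both are present; prints what is missing and returns 1 otherwise.
check_kernel_boot_files() {
    ver=$1; boot=$2; conf=$3; rc=0
    [ -f "$boot/vmlinuz-$ver" ] \
        || { echo "missing $boot/vmlinuz-$ver"; rc=1; }
    [ -f "$boot/initrd-$ver.img" ] \
        || { echo "missing $boot/initrd-$ver.img (run mkinitrd)"; rc=1; }
    grep -Eq "^[[:space:]]*kernel[[:space:]].*vmlinuz-$ver([[:space:]]|$)" "$conf" \
        || { echo "no grub 'kernel' line for vmlinuz-$ver in $conf"; rc=1; }
    grep -Eq "^[[:space:]]*initrd[[:space:]].*initrd-$ver\.img([[:space:]]|$)" "$conf" \
        || { echo "no grub 'initrd' line for initrd-$ver.img in $conf"; rc=1; }
    return $rc
}

# grub_default_title GRUBCONF
# Prints the title that grub's "default=N" selects, so you can see whether
# the new kernel will be booted automatically or only when chosen by hand.
grub_default_title() {
    conf=$1
    n=$(sed -n 's/^default=\([0-9][0-9]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$n" ] || n=0
    grep '^[[:space:]]*title' "$conf" | sed -n "$((n + 1))p" \
        | sed 's/^[[:space:]]*title[[:space:]]*//'
}

# make_sample_boot
# Builds a throw-away directory imitating /boot after installing
# kernel-grsec-2.6.24.7-200805121951 (version string from the package name
# on the page; the other two versions and all file contents are constructed).
make_sample_boot() {
    d=$(mktemp -d)
    mkdir "$d/grub"
    echo dummy > "$d/vmlinuz-2.6.24.7-200805121951"
    echo dummy > "$d/initrd-2.6.24.7-200805121951.img"
    echo dummy > "$d/vmlinuz-2.6.18-old.example"
    echo dummy > "$d/initrd-2.6.18-old.example.img"
    # a kernel installed without new-kernel-pkg: no initrd, no grub stanza
    echo dummy > "$d/vmlinuz-2.6.24.7-nopax.example"
    cat > "$d/grub/grub.conf" <<'EOF'
default=1
timeout=5
title CentOS (2.6.24.7-200805121951)
        root (hd0,0)
        kernel /vmlinuz-2.6.24.7-200805121951 ro root=/dev/sda1
        initrd /initrd-2.6.24.7-200805121951.img
title CentOS (2.6.18-old.example)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-old.example ro root=/dev/sda1
        initrd /initrd-2.6.18-old.example.img
EOF
    echo "$d"
}

# Demo on the constructed /boot (nothing on the real system is touched).
sample=$(make_sample_boot)
grub="$sample/grub/grub.conf"
check_kernel_boot_files 2.6.24.7-200805121951 "$sample" "$grub" \
    && echo "kernel-grsec: image, initrd and grub stanza all present"
echo "grub default entry is: $(grub_default_title "$grub")"
check_kernel_boot_files 2.6.24.7-nopax.example "$sample" "$grub" \
    || echo "fix the above before rebooting into that kernel"
rm -rf "$sample"
```

On a real machine you would call check_kernel_boot_files with the version string from the RPM, /boot and /boot/grub/grub.conf; the "default=" lookup shows the situation method 2 warns about, where the package installs cleanly but the old kernel is still the one grub boots.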
Three methods of installation:

1) via yum: download the ravencore-grsecurity.repo file and follow the directions in that file; then "yum install kernel-grsec"
2) download the .rpm file with wget or another fetching tool and install it via the rpm command; then check your grub or lilo configuration files to make sure it got added, and that it has an initrd that exists alongside it in the /boot directory. It is likely that you will still have to change the default value to boot the kernel-grsec kernel automatically.
3) for non-rpm distributions, you can use the "rpm2cpio" utility to unpack the .rpm file in the root of your server like this:

   cd / && rpm2cpio /path/to/kernel-grsec-2.6.24.7-200805121951.i686.rpm | cpio -id

   then you will have to run your mkinitrd (or mkinitramfs) utility and update your bootloader configuration manually in order to boot with it.

DESKTOPS

These kernels are built with nearly all options enabled in the grsecurity and PaX patches to maximize security enhancement, and are designed for servers. If you run your Linux machine as a desktop (KDE, Gnome, etc) these kernels won't allow your X server to start, because of the grsecurity options that disable writing to /dev/mem and /dev/kmem and deny certain ioctl calls. To turn off these restrictions, you will have to download the source RPM and rebuild it with the "desktop" option:

   rpmbuild --rebuild --with desktop kernel-grsec-2.6.24.7-200805121951.src.rpm

This changes the config file to turn off these two options:

1) CONFIG_GRKERNSEC_KMEM
2) CONFIG_GRKERNSEC_IO

Install the resulting RPMs on your machine, and contact me. If demand for grsecurity desktop kernels is high enough then I'll consider maintaining a desktop set of RPMs so you won't have to rebuild them.

TOOLS

To administer the RBAC system of grsecurity, you need the gradm package. Due to the nature of Linux binary packages, the package has to be built for each flavor of Linux you want to install it on.
As of this writing, the systems I have built gradm for are CentOS, Fedora, and openSUSE:

   http://www.ravencore.com/grsec/centos/
   http://www.ravencore.com/grsec/fedora/
   http://www.ravencore.com/grsec/opensuse/

The RPMs may install and work for other similar distributions, because they share the same glibc and pam libraries, but they won't work for all. If this RPM doesn't install on your system, then get the gradm source in the SRPMS directory and rebuild it:

   rpmbuild --rebuild gradm-2.1.11-200804142058.src.rpm

and install the resulting RPM file. Building this package doesn't take more than a minute, because it's small.

RPMs in these directories do depend on things provided by my grsecurity kernel RPMs listed on this site. These include, but are not limited to, grsecurity, pax-linux, etc. I encourage you to read the gradm(8) man page to learn how to administer the grsecurity RBAC system.

BUILDING

The only three reasons (that I can think of) that you should have to rebuild these RPMs from source are:

1) you need to change the .config options in the kernel, particularly the grsecurity/PaX options, to better fit your needs
2) you want to use a newer or older grsecurity patch and/or kernel source and want them in binary packages
3) these have been built and tested on only x86 CPUs. Any architecture other than i686 or x86_64 may not boot, or even compile at all. If you have a ppc, sparc, or other architecture and want to build these sources, some minor changes to the .spec file may be required.

The simplest way to rebuild the RPM is from the src.rpm file itself:

   rpmbuild --rebuild kernel-grsec-2.6.24.7-200805121951.src.rpm

Since this changes nothing in the package, there shouldn't be a reason for doing it this way. At minimum you should be passing --with and --without options to it (see the DESKTOPS section above and the XEN section below for details on this).
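Before committing to a "--with desktop" rebuild, it helps to be able to read a kernel .config and see which of the two options named in the DESKTOPS section are actually on, and to see the edit that option is described as making. The following is an added example for this page, not logic from the spec file: it checks a config for CONFIG_GRKERNSEC_KMEM and CONFIG_GRKERNSEC_IO and flips them to the "is not set" form. It assumes that a running kernel's saved config lives at /boot/config-$(uname -r) (the CentOS/Fedora convention), and the sample config it builds is a constructed fragment.

```shell
#!/bin/sh
# Added example: inspect a kernel .config for the two grsecurity options
# the DESKTOPS section says keep the X server from starting, and apply the
# edit that the "--with desktop" rebuild is described as making.
# Assumption (not on the page): a running kernel's config is saved as
# /boot/config-$(uname -r), as on CentOS and Fedora.

# config_state FILE OPTION
# Prints y, m, n (the "# OPTION is not set" form) or absent.
config_state() {
    file=$1; opt=$2
    if grep -qx "$opt=y" "$file"; then echo y
    elif grep -qx "$opt=m" "$file"; then echo m
    elif grep -qx "# $opt is not set" "$file"; then echo n
    else echo absent
    fi
}

# desktop_blockers FILE
# Prints each of the two options that is enabled and returns 1 if any is
# (X will not start on such a kernel); returns 0 when both are off.
desktop_blockers() {
    cfg=$1; found=0
    for o in CONFIG_GRKERNSEC_KMEM CONFIG_GRKERNSEC_IO; do
        if [ "$(config_state "$cfg" "$o")" = y ]; then
            echo "$o"; found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# disable_option FILE OPTION
# Rewrites OPTION=y (or =m) as "# OPTION is not set", the form the kernel
# build system uses for a disabled option; FILE is replaced in place.
disable_option() {
    cfg=$1; o=$2; tmp=$(mktemp)
    sed "s/^$o=[ym]\$/# $o is not set/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# make_sample_config
# Writes a constructed fragment imitating the server-profile config these
# RPMs are built with and prints its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_PAX=y
EOF
    echo "$f"
}

# Demo: the stock config blocks X; after the two edits it no longer does.
# On a real machine you would point this at /boot/config-$(uname -r).
cfg_demo=$(make_sample_config)
if desktop_blockers "$cfg_demo"; then
    echo "no desktop blockers set"
else
    echo "the options above are enabled: X will not start on this kernel"
fi
disable_option "$cfg_demo" CONFIG_GRKERNSEC_KMEM
disable_option "$cfg_demo" CONFIG_GRKERNSEC_IO
desktop_blockers "$cfg_demo" && echo "after the desktop edit both options are off"
rm -f "$cfg_demo"
```

Running desktop_blockers against the saved config of the kernel you are about to boot tells you in advance whether it is a server build; the two disable_option calls reproduce, on a copy of the .config, the change the "--with desktop" option is described as making, which is useful when you are editing SPECS/kernel.spec yourself rather than relying on that option.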
If you need to make changes to the kernel source, you can instead install the src.rpm into your RPM build tree like this:

   rpm -Uvh kernel-grsec-2.6.24.7-200805121951.src.rpm

then edit the file SPECS/kernel.spec and make the necessary changes. After changes to the spec file, build the RPM with a command line like this:

   rpmbuild -ba SPECS/kernel.spec

To request that any changes be made to these RPMs, please see the CONTACT section later in this document.

XEN

If you would like a kernel image that is able to boot as a Xen domU kernel, then you will currently need to use the "nopax" version of these kernels. This is due to the PaX patch breaking Xen's ability to load and execute the vmlinuz image. I have included in the sources a grsecurity patch which has the PaX patch completely removed so that you can still use many of grsecurity's other features in a Xen paravirtualized environment. The .xen vmlinuz image is created when you build the src.rpm like this:

   rpmbuild --rebuild --without pax kernel-grsec-2.6.24.7-200805121951.src.rpm

Please note that this nopax build creates two vmlinuz images: one suitable for booting a physical machine, and one for Xen domU paravirtualization; they BOTH lack PaX.

Again, if you need to make further modifications to the kernel, and still build a Xen domU kernel, you can install the sources via "rpm -Uvh" and then build your altered spec file like so:

   rpmbuild -ba --without pax SPECS/kernel.spec

If you need to use grsecurity on your dom0 kernel, then I have some experimental stuff in the /xen directory on this server. Amazingly, PaX works with it, but only on 64-bit platforms so far, and only on the old 2.6.18 kernel.

BUGS

Depends on which kernel you're using ;)

I currently maintain a locked version of the kernel at a fairly stable point in its development, and I only back-port fixes for issues that apply to that kernel tree.
I keep a local log of all commits to the stable git tree for the Linux kernel, and anything that doesn't apply I keep in an archive, so there is a full audit trail of what does and doesn't go in. If you like to keep up-to-date on the latest test patches of grsecurity, which likes to keep up-to-date on the latest kernel, you're more likely to run into problems. They go through quite a bit of regression testing, but there is a reason why major Linux vendors (and myself) choose to freeze their kernel versions (and most of their packages for that matter).

If you installed a kernel from this site and it crashes your machine, you only have yourself to blame. Just kidding. There are various kernel packages you can install and boot with to try to reproduce the problem and narrow it down:

1) If the problem exists on the grsec kernel but not the pax kernel, then it's a grsecurity problem.
2) If the problem exists on pax and on grsec but not on grsec-nopax, then it's a PaX problem.
3) If the problem exists on the chocolate kernel but not the vanilla, then it's probably one of my back-ported patches causing the issue.
4) If the problem exists on the vanilla kernel but not the chocolate, then my time spent on back-ports has paid off.
5) If the problem is happening on all of them, then it's likely a problem with that version of the kernel in general.

If you've narrowed down a problem to something in the chocolate kernel, you can always rebuild your source RPM --without chocolate and it won't include any of the patch back-ports. You can still get a grsec, pax, and grsec-nopax combination without including the chocolate.

If a problem appears to be caused by grsecurity or PaX, submit a bug report on the grsecurity website. If it's a problem with the chocolate kernel, send it over to me. Otherwise, send it over to the kernel.org dev guys. If you are having a problem with building the RPM yourself, or installing it on your system, you're welcome to drop me a line.
Please let me know if you do happen to run into a problem related to the patch back-ports.

CONTACT

To request changes to the build process (i.e. edits to the .spec file) please contact me with a list of specific changes (preferably in unified .patch format), the reasons for your changes, and why you think I should make them (because then everyone else who uses these will have to live with it too). If your change is regarding disabling/enabling specific GRKERNSEC/PAX options, you'll probably just be told to rebuild the RPM from source yourself; however, I will accept patches that add --with and --without options to the .spec file to enable/disable options at build time.

To contact me, please see my website at:

   http://www.cormander.com/

CREDITS

Many thanks to Brad and the PaX Team for making grsecurity a reality:

   http://www.grsecurity.net/
   http://pax.grsecurity.net/

Thanks to Linus Torvalds and the Linux kernel dev team for the Linux kernel:

   http://www.kernel.org/

Thanks to the CentOS team for maintaining the OS flavor I love and use the most:

   http://www.centos.org/

And of course, thanks to me for building these RPMs!

   http://www.cormander.com/