Monday, February 28, 2011

grsecurity patched kernel for Ubuntu server (LTS)

This is a quick 'howto' recompile a grsecurity patched kernel for Ubuntu servers (at the time of this writing the latest Ubuntu LTS is 10.04.2). This guide, with some modifications, might work (or fail miserably) for the latest kernels. But since I am running servers (web, mail, dns) I do not need any fancy kernel support for the latest video/audio features. I won't discuss any grsecurity or kernel configuration options here. I assume you know what you're doing.

Ingredients:


Preparation:

We are going to use the Ubuntu overlay during compilation since I have found this way to work 100% with a grsecurity patched kernel even when the root partition lives inside an LVM volume group. When I was not using this method I had random kernel panic attacks and fits of rage.

Make sure you have the tools of the trade:

# apt-get install build-essential libncurses5-dev kernel-package

Now you need to get the overlay (for lucid in my case):

# apt-get install git-core
# git clone git://kernel.ubuntu.com/ubuntu/ubuntu-lucid.git

The last step will take a while... when everything has downloaded we need to prepare the overlay:

# cp -a /usr/share/kernel-package ubuntu-package
# cp ubuntu-lucid/debian/control-scripts/{postinst,postrm,preinst,prerm} \
ubuntu-package/pkg/image/
# cp ubuntu-lucid/debian/control-scripts/headers-postinst \
ubuntu-package/pkg/headers/

OK! we are halfway there... ooooh oh, livin' on a prayer!
Now we need to get the grsecurity patch and, of course, the kernel. Just wget the patch and the kernel.

Patch the kernel:

# patch -p0 < grsecurity####.patch

Time to configure the kernel, cd into the kernel source directory and copy your kernel configuration here.

# cp -vi /boot/config-$(uname -r) .config

Bring the config up-to-date with the kernel:

# yes "" | make oldconfig

Adapt the configuration to your system (the localmodconfig target is only available for kernels >= 2.6.32):

# make localmodconfig

localmodconfig will use lsmod (and other things) in order to customize the kernel configuration to mirror the running system. Unfortunately, it will not work 100%. If, for example, you need USB support but no USB device is plugged in at the moment, localmodconfig might actually not select USB support for your kernel. So use it with care and after it has finished run:

# make menuconfig

And check that everything is OK for your system.
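A check worth doing between the two steps above, as an added example of my own and not part of the original howto: keep a copy of .config from before localmodconfig, then list every option that was enabled (=y or =m) in the copy and is no longer enabled afterwards. The script, its function names and the two constructed .config fragments are mine; it assumes a POSIX sh with awk, sort, comm and mktemp, and takes the two file paths as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: catch options that
# `make localmodconfig` silently dropped (the USB case above) by diffing the
# enabled CONFIG_ symbols of a saved .config against the new one.
# Assumes POSIX sh with awk, sort, comm and mktemp; file paths are passed in.
export LC_ALL=C   # sort and comm must agree on collation

# Print the names of all CONFIG_ symbols set to y or m in the given .config.
enabled_options() {
    awk -F= '/^CONFIG_[A-Za-z0-9_]+=(y|m)$/ { print $1 }' "$1" | sort -u
}

# Print symbols enabled in $1 (the saved copy) that are no longer enabled in $2.
dropped_options() {
    old=$(mktemp) ; new=$(mktemp)
    enabled_options "$1" > "$old"
    enabled_options "$2" > "$new"
    comm -23 "$old" "$new"          # lines present only in the old list
    rm -f "$old" "$new"
}

# Return 0 if nothing was dropped, 1 (with a report on stdout) otherwise.
check_config_regression() {
    dropped=$(dropped_options "$1" "$2")
    if [ -n "$dropped" ]; then
        printf 'options dropped by localmodconfig:\n%s\n' "$dropped"
        return 1
    fi
    return 0
}

# Constructed sample .config fragments standing in for before/after localmodconfig.
write_samples() {
    cat > "$1" <<'EOF'
# constructed sample: config before localmodconfig
CONFIG_USB=y
CONFIG_USB_STORAGE=m
CONFIG_EXT4_FS=y
CONFIG_SOUND=m
EOF
    cat > "$2" <<'EOF'
# constructed sample: after localmodconfig with no USB device plugged in
# CONFIG_USB is not set
# CONFIG_USB_STORAGE is not set
CONFIG_EXT4_FS=y
CONFIG_SOUND=m
EOF
}

# Self-contained demonstration on the constructed samples: prints the two
# USB symbols that the second sample lost.
demo() {
    before=$(mktemp) ; after=$(mktemp)
    write_samples "$before" "$after"
    dropped_options "$before" "$after"
    rm -f "$before" "$after"
}

# Real use on a kernel tree:
#   cp .config .config.orig && make localmodconfig && \
#   sh check_config.sh .config.orig .config
if [ $# -eq 2 ]; then
    check_config_regression "$1" "$2"
fi
```

Anything the report lists is a candidate to re-enable by hand in menuconfig; a non-zero exit status makes the check easy to wire into a build script so the compile does not start on a config that lost a driver you need.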

Now we are ready to cook our kernel! I assume that your kernel source directory resides together with your overlay directory.

# make-kpkg clean
# sed -ri 's/echo "\+"/#echo "\+"/' scripts/setlocalversion
# rm localversion-grsec
# make-kpkg --initrd --overlay-dir=../ubuntu-package \
kernel_image kernel_headers

You could add --append-to-version=-grsec to the last command in order to personalize the kernel version :) (or just do not remove localversion-grsec.)
When the compilation has finished you will find a couple of .deb packages where the kernel source directory resides.

# cd .. && ls -l *.deb
linux-headers-2.6.32-grsec_2.6.32-grsec-10.00.Custom_amd64.deb
linux-image-2.6.32-grsec_2.6.32-grsec-10.00.Custom_amd64.deb

Package names may vary of course.

Install the packages :

# dpkg -i *.deb

This will also create an initrd image for us (thanks to the overlay trick).

Now here is a trick I use before rebooting into a new kernel...

# vi /etc/default/grub

Comment out GRUB_HIDDEN_TIMEOUT and change GRUB_TIMEOUT to something like 15 or 20 seconds. This way the grub menu will always display for 15/20 seconds upon reboot... this is useful if the new kernel craps out. We can easily reboot into a working kernel without much trouble because we have plenty of time to choose one from the menu.
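The same /etc/default/grub change as a small script, added here as an example of my own rather than anything from the post: it comments out every active GRUB_HIDDEN_TIMEOUT line, sets GRUB_TIMEOUT to the requested number of seconds, keeps a .bak copy, and can be run again without duplicating entries. The file path and timeout are passed in; it assumes GNU sed (for sed -i) and the sample grub file it builds for the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: make the grub menu always show
# with a generous timeout so a broken new kernel can be skipped at boot.
# Assumes POSIX sh with GNU sed, grep, cp and mktemp; path and timeout passed in.

# Rewrite $1 so that GRUB_HIDDEN_TIMEOUT* lines are commented out and
# GRUB_TIMEOUT is set to $2 seconds (default 15). A .bak copy is kept beside it.
make_grub_menu_visible() {
    file=$1 ; secs=${2:-15}
    cp -p "$file" "$file.bak"
    # Comment out active GRUB_HIDDEN_TIMEOUT and GRUB_HIDDEN_TIMEOUT_QUIET lines;
    # lines that are already commented do not match, so this is idempotent.
    sed -i -e 's/^\(GRUB_HIDDEN_TIMEOUT[A-Z_]*=\)/#\1/' "$file"
    if grep -q '^GRUB_TIMEOUT=' "$file"; then
        sed -i -e "s/^GRUB_TIMEOUT=.*/GRUB_TIMEOUT=$secs/" "$file"
    else
        printf 'GRUB_TIMEOUT=%s\n' "$secs" >> "$file"
    fi
}

# Print the timeout that will actually apply, or fail (exit 1) while a
# hidden-timeout setting is still active and would suppress the menu.
grub_effective_timeout() {
    if grep -q '^GRUB_HIDDEN_TIMEOUT=' "$1"; then
        echo "GRUB_HIDDEN_TIMEOUT still active: menu will be hidden" >&2
        return 1
    fi
    sed -n 's/^GRUB_TIMEOUT=//p' "$1" | tail -n 1
}

# Constructed sample standing in for a lucid-era /etc/default/grub.
write_sample_grub() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/default/grub
GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
EOF
}

# Self-contained demonstration on the constructed sample: prints 20.
demo() {
    f=$(mktemp)
    write_sample_grub "$f"
    make_grub_menu_visible "$f" 20
    grub_effective_timeout "$f"
    rm -f "$f" "$f.bak"
}

# Real use: sh grub_menu.sh /etc/default/grub 20 && update-grub
if [ $# -ge 1 ]; then
    make_grub_menu_visible "$1" "${2:-15}"
    grub_effective_timeout "$1"
fi
```

On Ubuntu the edited defaults only take effect after update-grub regenerates /boot/grub/grub.cfg, so run it after the script and before the reboot; grub_effective_timeout doubles as a quick sanity check that nothing is left hiding the menu.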

... reboot:

# shutdown -r now

Bon Appetit! Enjoy your grsecurity patched kernel (or maybe not :D)

---

Useful links:

grsecurity wiki
Ubuntu Kernel Compile (official)
Another Kernel Compile Guide

---
