Re: [DNG] unoffic-grsec 4.9.27 kernel compile, one last hurdle

2017-05-12 Thread Miroslav Rovis
On 170513-00:21+0200, Miroslav Rovis wrote:
> On 170512-22:49+0200, Mathias Krause wrote:
> > Hi Miroslav,
> > 
> > On 12 May 2017 at 22:06, Miroslav Rovis wrote:
> > > [...]
...
> > Thanks for testing!
> Very glad that I'm getting useful... Been working hard for years...
> > 
> > Regards,
> > Mathias
> > 
> > [1] 
> > https://github.com/minipli/linux-unofficial_grsec/commit/fc6850f573063e8b02a2b6d756abbe2c7ae8618f
> Right:
> 
> $ git describe fc6850f573063
> v4.9.27-unofficial_grsec-1-gfc6850f57306
> $
...
> $ git diff v4.9.27..v4.9.27-unofficial_grsec-1-gfc6850f57306 > \
> ~/Downloads/unofficial_grsec-v4.9.27-unofficial_grsec-1-gfc6850f57306.diff
> 
> And that is being built. And then, for my dear Devuaners, then (once it
> hopefully all works)
It works. I have installed that grsecurity-hardened kernel.

It's in the other boot available in this online machine.

Both my Air-Gapped and my for-online machine/the clone of it, are dual
booting to Gentoo and to Devuan, in encrypted root and encrypted swap,
and the Devuan feels so great!

> I make a tip on dev1galaxy.org. I have been wishing
> to teach newbies grsec for years!

I've created:

Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596
(reason explained there)

and also:

Install Devuan into encrypted root and swap partitions
https://dev1galaxy.org/viewtopic.php?id=597

so I can go to sleep... and tomorrow I boot into Devuan and do the first
introductory revisions of those tips...

Good night!
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr


signature.asc
Description: Digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] unoffic-grsec 4.9.27 kernel compile, one last hurdle

2017-05-12 Thread Miroslav Rovis
On 170512-22:49+0200, Mathias Krause wrote:
> Hi Miroslav,
> 
> On 12 May 2017 at 22:06, Miroslav Rovis wrote:
> > [...]
> > dpkg-gencontrol: error: illegal package name 
> > 'linux-headers-4.9.27-unofficial_grsec170512-14': character '_' not allowed
> > scripts/package/Makefile:91: recipe for target 'deb-pkg' failed
> > make[1]: *** [deb-pkg] Error 255
> > Makefile:1334: recipe for target 'deb-pkg' failed
> > make: *** [deb-pkg] Error 2
> >
> > [...] Also I think I saw (but wasn't able to find it) that
> > Mathias Krause made a notice about it in his github (but he hasn't yet
> > fixed it in that minipli repo of his, the link way in the top;
> 
> well, this one *is* actually fixed in the git repo already, see [1].
> I haven't tagged that release, though. So maybe you just apply that
> patch locally? It's really just a 'sed s/_/+/ localversion-*'.
Yeah, I figured out. See below.

Yes, I hope so. It's churning on (slow machine). I hope so:
> After applying the diff, just re-do the 'make deb-pkg'. It shouldn't
> rebuild everything, just a few files and the Debian packages.
> 
> Thanks for testing!
Very glad that I'm getting useful... Been working hard for years...
> 
> Regards,
> Mathias
> 
> [1] 
> https://github.com/minipli/linux-unofficial_grsec/commit/fc6850f573063e8b02a2b6d756abbe2c7ae8618f
Right:

$ git describe fc6850f573063
v4.9.27-unofficial_grsec-1-gfc6850f57306
$

which shows it:

$ diff ~/Downloads/unofficial_grsec-v4.9.27.diff \
~/Downloads/unofficial_grsec-v4.9.27-unofficial_grsec-1-gfc6850f57306.diff
153902c153902
< index ..3c4df767c6cd
---
> index ..ca785b0383c4
153906c153906
< +-unofficial_grsec
---
> +-unofficial+grsec
$

And then:

$ git diff v4.9.27..v4.9.27-unofficial_grsec-1-gfc6850f57306 > \
~/Downloads/unofficial_grsec-v4.9.27-unofficial_grsec-1-gfc6850f57306.diff

And that is being built. And then, for my dear Devuaners, then (once it
hopefully all works) I make a tip on dev1galaxy.org. I have been wishing
to teach newbies grsec for years!

My thanks to you, Mathias!

Ah, for everybody who is interested in the KSPP[*] and grsecurity
long standing controversy, here's a must read:

It looks like there will be no more public versions of PaX and Grsec
http://openwall.com/lists/kernel-hardening/2017/05/11/2
(it's the reply by PaX Team :) and it's delicious, has shut some mouths
stiff closed, as I see it; repent, rippers in the shadows, if you can,
you --in your mind and in appearance, but you're small-- big guys... I
don't have it so much with the servants of yours... )
---
[*] Kernel Self Protection Project, basically, regarded by many as
some kind of a ripoff of grsecurity's code

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
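
Added example (not part of the thread or of the minipli repository): a pre-flight check for the failure discussed above. It tests the package name from the dpkg-gencontrol error against the Debian package-name rule and applies the `sed s/_/+/` substitution Mathias suggests to a constructed `localversion-grsec` file; that file name and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example: check a kernel release string before 'make deb-pkg'.
# dpkg allows only a-z, 0-9, '+', '-' and '.' in package names, at least two
# characters, starting with an alphanumeric.
LC_ALL=C; export LC_ALL

# valid_deb_name NAME: succeeds if NAME is a legal Debian package name.
valid_deb_name() {
    case "$1" in
        ''|?)           return 1 ;;   # shorter than two characters
        [!a-z0-9]*)     return 1 ;;   # must start with an alphanumeric
        *[!a-z0-9+.-]*) return 1 ;;   # illegal character somewhere
    esac
    return 0
}

# bad_chars NAME: print the distinct illegal characters in NAME.
bad_chars() {
    printf '%s' "$1" | tr -d 'a-z0-9+.-' | fold -w1 | sort -u | tr -d '\n'
}

# fix_localversion DIR: apply the thread's 'sed s/_/+/' to localversion-* files.
fix_localversion() {
    for f in "$1"/localversion-*; do
        [ -f "$f" ] || continue
        sed 's/_/+/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# demo: rebuild the failing package name from a constructed source tree,
# apply the fix, and show the name before and after.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed file; the name 'localversion-grsec' is an assumption.
    printf '%s\n' '-unofficial_grsec' > "$dir/localversion-grsec"
    before="linux-headers-4.9.27$(cat "$dir"/localversion-*)170512-14"
    fix_localversion "$dir"
    after="linux-headers-4.9.27$(cat "$dir"/localversion-*)170512-14"
    rm -rf "$dir"
    valid_deb_name "$before" && return 1   # the old name must be rejected
    valid_deb_name "$after"  || return 1   # the fixed name must be accepted
    printf '%s (illegal: %s) -> %s\n' "$before" "$(bad_chars "$before")" "$after"
}

demo
```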




Re: [DNG] unoffic-grsec 4.9.27 kernel compile, one last hurdle

2017-05-12 Thread Miroslav Rovis
On 170512-22:32+0200, Jaromil wrote:
> dear Miroslav,
> 
> On Fri, 12 May 2017, Miroslav Rovis wrote:
> 
> > [4] Will git.devuan.org be getting more reliable in availability, is
> > that expected? I wouldn't mind that it couldn't possibly be as
> > perfect and fast as github, for that the Team would need to
> > collude with the mighty, which I hope they never will (some
> > distros do...), but just solidly reliably available, any hope
> > for that? Because I would prefer using git.devuan.org instead of
> > github...
> 
> yes, our intention is to move it from the current location to a bigger
> host which is going to make it more scalable. after that we can debate
> if gitlab is really the best solution or not, however for the time
> being the goal is to make it more reliable, despite its rather high
> demand of resources (gitlab is in ruby...)
> 

I see. Thanks for a quick reply!

-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr




Re: [DNG] unoffic-grsec 4.9.27 kernel compile, one last hurdle

2017-05-12 Thread Jaromil
dear Miroslav,

On Fri, 12 May 2017, Miroslav Rovis wrote:

> [4] Will git.devuan.org be getting more reliable in availability, is
> that expected? I wouldn't mind that it couldn't possibly be as
> perfect and fast as github, for that the Team would need to
> collude with the mighty, which I hope they never will (some
> distros do...), but just solidly reliably available, any hope
> for that? Because I would prefer using git.devuan.org instead of
> github...

yes, our intention is to move it from the current location to a bigger
host which is going to make it more scalable. after that we can debate
if gitlab is really the best solution or not, however for the time
being the goal is to make it more reliable, despite its rather high
demand of resources (gitlab is in ruby...)

ciao



[DNG] unoffic-grsec 4.9.27 kernel compile, one last hurdle

2017-05-12 Thread Miroslav Rovis
Hi!

I'm trying to compile grsec, unofficial, by minipli[1]:
https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

I think I got (maybe only) one serious hurdle (left to go) to install
grsec-hardened kernel in my Devuan machine[2].

I used the script that a lot of users followed in pre-corsac
grsecurity-packages for Debian, so actively until some two years ago,
passively still visited, and I'm (finally[3]) starting to adapt it for
Devuan[4]:

Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php?f=16=108616
and the very first poor-quality preview of Devuan-only script I attach:

grsec-dev1-compile.sh.gz (pls. note that's a preview even worse than my usual
poor-quality scripting, no time yet)

And with that script I have the following hurdle to overcome. It's at
the very end of the script, at the run of:

fakeroot make deb-pkg
(line 258)

Here is the excerpt (and Dev1_170512_fakeroot_make_deb-pkg_ERROR.txt.gz
is a much larger stretch of):

...
  CC  lib/swiotlb.o
  CC  lib/iommu-helper.o
  CC  lib/iommu-common.o
  CC  lib/syscall.o
  CC  lib/nlattr.o
  CC  lib/cpu_rmap.o
  CC  lib/dynamic_queue_limits.o
  CC  lib/glob.o
...
  CC  lib/string.o
  CC  lib/timerqueue.o
  CC  lib/vsprintf.o
  CC  lib/win_minmax.o
  AR  lib/lib.a
  EXPORTS lib/lib-ksyms.o
  LD  lib/built-in.o
  CC  arch/x86/lib/msr-smp.o
  CC  arch/x86/lib/cache-smp.o
  CC  arch/x86/lib/msr.o
  AS  arch/x86/lib/msr-reg.o
...
  CC  arch/x86/lib/usercopy.o
  CC  arch/x86/lib/usercopy_64.o
  AR  arch/x86/lib/lib.a
  EXPORTS arch/x86/lib/lib-ksyms.o
  LD  arch/x86/lib/built-in.o
  CC  virt/lib/irqbypass.o
  LD  virt/lib/built-in.o
  LD  virt/built-in.o
  LD  vmlinux.o
  MODPOST vmlinux.o
...
  GEN .version
  CHK include/generated/compile.h
  UPD include/generated/compile.h
  CC  init/version.o
  LD  init/built-in.o
  KSYM.tmp_kallsyms1.o
  KSYM.tmp_kallsyms2.o
  LD  vmlinux
  SORTEX  vmlinux
  SYSMAP  System.map
  CC  arch/x86/boot/a20.o
  AS  arch/x86/boot/bioscall.o
  CC  arch/x86/boot/cmdline.o
  AS  arch/x86/boot/copy.o
  HOSTCC  arch/x86/boot/mkcpustr
  CPUSTR  arch/x86/boot/cpustr.h
  CC  arch/x86/boot/cpu.o
  CC  arch/x86/boot/cpuflags.o
  CC  arch/x86/boot/cpucheck.o
  CC  arch/x86/boot/early_serial_console.o
  CC  arch/x86/boot/edd.o
  LDS arch/x86/boot/compressed/vmlinux.lds
  AS  arch/x86/boot/compressed/head_64.o
  VOFFSET arch/x86/boot/compressed/../voffset.h
...
  CC  arch/x86/boot/video-vga.o
  CC  arch/x86/boot/video-vesa.o
  CC  arch/x86/boot/video-bios.o
  LD  arch/x86/boot/setup.elf
  OBJCOPY arch/x86/boot/setup.bin
  OBJCOPY arch/x86/boot/vmlinux.bin
  HOSTCC  arch/x86/boot/tools/build
  BUILD   arch/x86/boot/bzImage
Setup is 15596 bytes (padded to 15872 bytes).
System is 7291 kB
CRC b8db2ca1
Kernel: arch/x86/boot/bzImage is ready  (#1)
  Building modules, stage 2.
  MODPOST 5 modules
...
  CC  drivers/video/backlight/lcd.mod.o
  LD [M]  drivers/video/backlight/lcd.ko
  BUILDDEB
  INSTALL arch/x86/kernel/test_nx.ko
  INSTALL drivers/media/dvb-frontends/helene.ko
  INSTALL drivers/media/dvb-frontends/mn88472.ko
  INSTALL drivers/media/dvb-frontends/mn88473.ko
  INSTALL drivers/video/backlight/lcd.ko
  DEPMOD  4.9.27-unofficial_grsec170512-14
  CHK include/generated/uapi/linux/version.h
  HOSTCC  scripts/unifdef
  INSTALL usr/include/asm-generic/ (35 files)
  INSTALL usr/include/drm/ (21 files)
  INSTALL usr/include/linux/android/ (1 file)
...
  INSTALL usr/include/xen/ (4 files)
  INSTALL usr/include/uapi/ (0 file)
  INSTALL usr/include/asm/ (65 files)
  CHECK   usr/include/asm-generic/ (35 files)
  CHECK   usr/include/drm/ (21 files)
  CHECK   usr/include/linux/android/ (1 files)
  CHECK   usr/include/linux/byteorder/ (2 files)
  CHECK   usr/include/linux/caif/ (2 files)
...
  CHECK   usr/include/sound/ (15 files)
  CHECK   usr/include/video/ (3 files)
  CHECK   usr/include/xen/ (4 files)
  CHECK   usr/include/uapi/ (0 files)
  CHECK   usr/include/asm/ (65 files)
  CHK include/generated/uapi/linux/version.h
  INSTALL debian/headertmp/usr/include/asm-generic/ (35 files)
  INSTALL debian/headertmp/usr/include/drm/ (21 files)
  INSTALL debian/headertmp/usr/include/linux/android/ (1 file)
  INSTALL debian/headertmp/usr/include/linux/byteorder/ (2 files)
...
  INSTALL debian/headertmp/usr/include/video/ (3 files)
  INSTALL debian/headertmp/usr/include/xen/ (4 files)
  INSTALL debian/headertmp/usr/include/uapi/ (0 file)
  INSTALL debian/headertmp/usr/include/asm/ (65 files)
Using default distribution of 'unstable' in the changelog
Install lsb-release or set $KDEB_CHANGELOG_DIST explicitly
dpkg-gencontrol: error: illegal package name 
'linux-headers-4.9.27-unofficial_grsec170512-14': character '_' not allowed
scripts/package/Makefile:91: recipe for target