Compiling a grsec kernel on a laptop/workstation is a good way to add
protection against wide classes of attacks. However, while the options may
be easy to choose on a server, this may be difficult on a desktop, because a
typical desktop needs more privileges. Here are a few points:
- Xorg (wants privileged I/O, unless you use KMS) conflicts with PAX_NOEXEC
and GRKERNSEC_IO
- power management: applets to display the battery level want (non-root)
read permission on /sys; this conflicts with GRKERNSEC_SYSFS_RESTRICT. You
can enable SYSFS_DEPRECATED as a workaround.
- power management: ACPI is required for a laptop (if you want to be able to
use suspend/resume, control fan speed, etc.)
- power management: suspend/resume conflicts with some options
(PAX_MEMORY_UDEREF and PAX_KERNEXEC)
- virtualization: PAX_KERNEXEC conflicts with kvm/vmx
If you have other points to add, or corrections, just send them to me!
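As an added example (not from the original post), here is a small POSIX shell script that scans a kernel .config for the options listed above and reports which desktop feature each enabled option is likely to break. The option/feature pairs are taken from the list, including SYSFS_DEPRECATED as the workaround for the sysfs restriction; the .config fragment it ships with is constructed for illustration, not taken from a real build, and the default path /boot/config-$(uname -r) is an assumption about where Debian stores the running kernel's configuration.

```shell
#!/bin/sh
# Added example: report grsec/PaX options that clash with desktop features.
# Not part of the original post; the option/feature pairs come from its list.
set -u

# "CONFIG option|feature the post says it conflicts with", one per line.
CONFLICTS='CONFIG_PAX_NOEXEC|Xorg without KMS (needs privileged I/O)
CONFIG_GRKERNSEC_IO|Xorg without KMS (needs privileged I/O)
CONFIG_GRKERNSEC_SYSFS_RESTRICT|battery applets reading /sys as non-root
CONFIG_PAX_MEMORY_UDEREF|suspend/resume
CONFIG_PAX_KERNEXEC|suspend/resume and kvm/vmx'

# is_enabled FILE OPTION: success if "OPTION=y" appears in FILE.
is_enabled() {
    grep -q "^$2=y$" "$1"
}

# check_grsec_config FILE: print one line per enabled conflicting option.
# A here-document feeds the loop so it runs in the current shell, not a
# pipeline subshell.
check_grsec_config() {
    while IFS='|' read -r opt feature; do
        if is_enabled "$1" "$opt"; then
            printf '%s is enabled: may break %s\n' "$opt" "$feature"
        fi
    done <<EOF
$CONFLICTS
EOF
}

# count_conflicts FILE: number of conflicting options enabled (0 = none).
count_conflicts() {
    check_grsec_config "$1" | wc -l | tr -d ' '
}

# sysfs_workaround_present FILE: success if the sysfs restriction is on
# and SYSFS_DEPRECATED (the workaround named in the post) is on as well.
sysfs_workaround_present() {
    is_enabled "$1" CONFIG_GRKERNSEC_SYSFS_RESTRICT &&
        is_enabled "$1" CONFIG_SYSFS_DEPRECATED
}

# write_sample_config FILE: a constructed .config fragment for trying the
# checks offline (three of the listed options on, two off, workaround on).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample .config fragment, not from a real build
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_SYSFS_DEPRECATED=y
# CONFIG_GRKERNSEC_IO is not set
EOF
}

# main [FILE]: check FILE, or the running kernel's config (assumed path).
main() {
    cfg=${1:-/boot/config-$(uname -r)}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; exit 1; }
    check_grsec_config "$cfg"
    if sysfs_workaround_present "$cfg"; then
        echo "note: SYSFS_DEPRECATED is on, so the /sys restriction workaround is in place"
    fi
    echo "$(count_conflicts "$cfg") conflicting option(s) enabled in $cfg"
}

# Only run when invoked as: sh grsec-desktop-check.sh check [/path/to/.config]
case "${1:-}" in
    check) shift; main "$@" ;;
esac
```

Run it against the .config of the kernel you are about to build rather than the running one, since the point is to spot a conflict before the reboot that reveals it.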
Now, another problem I have is that I must use the proprietary Nvidia
driver. Not that I really want to, but it is the only driver with proper
support for my graphics card (GT555M), since the nouveau driver has some
problems here: it breaks suspend to RAM/disk, it drains the battery (I have
2h30 of autonomy with nouveau, and about 5h with Nvidia), and the card is
almost supported, except for a bug that prevents changing the brightness! So
clearly, even if I don't want to use the Nvidia stuff (proprietary, bad
code, no Optimus support), I have little choice.
And of course, the Nvidia module does not build with a grsec kernel. I had
to add patches (taken and adapted from other sites, I cannot remember which
ones). Here is a recipe to build a Debian package for module-assistant (*).
(*) Why should you build a Debian package? Nothing forces you to do so!
That said, using a package keeps things clean when you uninstall it, does
not break dependencies, allows smooth upgrades, and also lets you deploy the
module on a set of machines if you have many.
0. Prerequisites
You will need a compiler and the tools to build Debian packages. Install (at
least) build-essential, fakeroot and devscripts.
1. Get the sources of the Nvidia package
Run the following as a non-privileged user!
apt-get source nvidia-graphics-drivers
cd nvidia-graphics-drivers-295.20
2. Add patches to the build system
The Debian source package is compiled to create several other packages. One
of them is nvidia-kernel-source, which is the one we want to contain the
patches. The module it contains has to be rebuilt each time you compile a
kernel, so it is worthwhile to use a package to make things automatic. Copy
the two attached patches, 991-pax-usercopy.patch and 992-pax-const.patch,
into the module directory, and add their names to the quilt patchset:
cp ../99*.patch debian/module/debian/patches
cd debian/module/debian/patches
ls -1 99*.patch >> series
cd -
The series file in that directory contains the patch names (one per line)
in the order in which they are applied.
3. Add a changelog entry
dch -l+grsec1 "Add pax/grsec patches"
This edits the debian/changelog file to add a new entry, setting the
changelog message, the date, and the Debian package version.
4. Build the package
This may fail if you don’t have the build dependencies (add them and
re-run the command).
5. Install the source package
cd ..
sudo dpkg -i nvidia-kernel-source_295.20-1+grsec11_amd64.deb
Voilà! Now, each time you need to re-build the module, just run
module-assistant as usual:
n. Build the module
As root:
m-a -t clean nvidia-kernel
m-a -t -f build nvidia-kernel
The compilation produces tons of warnings about signed/unsigned,
always-true comparisons, etc. (what did you expect?). If this succeeds, you
will now have a shiny deb package containing the binary module. Finish the
installation:
m-a -t install nvidia-kernel
and install the libgl1-nvidia-glx etc. packages with the exact same
version, to avoid problems.
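The recipe above (steps 1 to 5, plus the module-assistant rebuild) as one script, added here as an example; it is not the post's own code. It reuses the post's package names, source directory, patch names and dch invocation, and adds two checks a practitioner would want: the patch names are appended to series only if they are not already listed, so the recipe can be re-run without applying a patch twice, and after m-a install it compares the upstream version of nvidia-kernel-source with that of libgl1-nvidia-glx, since the post says they must match (the +grsec suffix is stripped before comparing, because only the locally rebuilt package carries it). The build command is an assumption: the post does not show it, and dpkg-buildpackage -us -uc is the standard unsigned Debian build. The resulting .deb name is derived from debian/changelog rather than typed by hand.

```shell
#!/bin/sh
# Added example: automate the post's recipe. Not the post's own code; the
# build command (dpkg-buildpackage -us -uc) is an assumption, see lead-in.
set -eu

PKG=nvidia-graphics-drivers
SRC_DIR=${SRC_DIR:-nvidia-graphics-drivers-295.20}   # version from the post
PATCH_SRC=${PATCH_SRC:-..}                           # where 99*.patch live

# add_patches_to_series PATCHDIR PATCH...: copy each patch into the quilt
# directory and append its name to "series" unless it is already listed,
# so running the recipe twice does not apply the same patch twice.
add_patches_to_series() {
    pdir=$1; shift
    mkdir -p "$pdir"
    for p in "$@"; do
        name=$(basename "$p")
        cp "$p" "$pdir/$name"
        if ! grep -qxF "$name" "$pdir/series" 2>/dev/null; then
            printf '%s\n' "$name" >> "$pdir/series"
        fi
    done
}

# upstream_version DEBVERSION: the part before the first '-',
# e.g. 295.20-1+grsec1 -> 295.20.
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# same_upstream V1 V2: success if both versions share the upstream part.
# The userland packages lack our +grsec suffix, so this is the right test.
same_upstream() {
    [ "$(upstream_version "$1")" = "$(upstream_version "$2")" ]
}

# deb_name PKG VERSION ARCH: file name dpkg-buildpackage produces.
deb_name() {
    printf '%s_%s_%s.deb\n' "$1" "$2" "$3"
}

# build_source_package: steps 1 to 5 of the post, as a non-root user.
build_source_package() {
    [ "$(id -u)" -ne 0 ] || { echo "run the build as a non-root user" >&2; exit 1; }
    for p in 991-pax-usercopy.patch 992-pax-const.patch; do
        [ -f "$PATCH_SRC/$p" ] || { echo "missing $PATCH_SRC/$p" >&2; exit 1; }
    done
    apt-get source "$PKG"
    cd "$SRC_DIR"
    add_patches_to_series debian/module/debian/patches \
        "$PATCH_SRC/991-pax-usercopy.patch" "$PATCH_SRC/992-pax-const.patch"
    dch -l+grsec1 "Add pax/grsec patches"
    # Assumption: the post does not show its build command.
    dpkg-buildpackage -us -uc
    # Read back the version dch produced instead of typing the .deb name.
    ver=$(dpkg-parsechangelog | sed -n 's/^Version: //p')
    arch=$(dpkg --print-architecture)
    cd ..
    sudo dpkg -i "$(deb_name nvidia-kernel-source "$ver" "$arch")"
}

# rebuild_module: the "n." step to repeat after every kernel build, as root.
rebuild_module() {
    m-a -t clean nvidia-kernel
    m-a -t -f build nvidia-kernel
    m-a -t install nvidia-kernel
    kmod=$(dpkg-query -W -f='${Version}' nvidia-kernel-source)
    glx=$(dpkg-query -W -f='${Version}' libgl1-nvidia-glx 2>/dev/null || echo none)
    same_upstream "$kmod" "$glx" ||
        echo "warning: libgl1-nvidia-glx ($glx) does not match nvidia-kernel-source ($kmod)" >&2
}

# Usage: sh nvidia-grsec.sh package   (as a normal user)
#        sh nvidia-grsec.sh module    (as root)
case "${1:-}" in
    package) build_source_package ;;
    module)  rebuild_module ;;
esac
```

The version warning at the end of the module step is deliberately non-fatal: the module is already installed at that point, and the message tells you which userland package to pull to the same upstream version before rebooting.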
Reboot, and if you're lucky you should now have a GUI :) Otherwise, check
your /var/log/syslog for messages and review your PaX/grsec options.
Links