Last year I created a set of steps teaching how to build the GrSecurity patch for the vanilla kernel following the Debian way.
Basically, you download both the kernel source and the GrSecurity patch, then apply the patch against the newest kernel tree.
patch -p1 < ../grsecurity-3.1-3.2.68-201503251805.patch
fakeroot make deb-pkg
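A pre-flight check for the `patch -p1` step above, as an added example that is not part of the original post or of mydebiankernelgrsec.sh: it reads the kernel version from the patch file name (the form seen in grsecurity-3.1-3.2.68-201503251805.patch), compares it with the version in the tree's top-level Makefile, and only then does a dry run. The function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of mydebiankernelgrsec.sh.

# Kernel version encoded in a patch name of the form
# grsecurity-<grsec version>-<kernel version>-<timestamp>.patch
patch_kernel_version() {
    name=$(basename "$1" .patch)
    case "$name" in
        grsecurity-*-*-*) ;;
        *) return 1 ;;
    esac
    rest=${name#grsecurity-*-}      # strip "grsecurity-<grsec version>-"
    printf '%s\n' "${rest%-*}"      # strip "-<timestamp>"
}

# Version of an unpacked kernel tree, read from its top-level Makefile.
# Assumption: a SUBLEVEL of 0 is omitted, as in the tarball name (4.3, not 4.3.0).
tree_kernel_version() {
    [ -f "$1/Makefile" ] || return 1
    awk -F' *= *' '
        $1 == "VERSION"    { v = $2 }
        $1 == "PATCHLEVEL" { p = $2 }
        $1 == "SUBLEVEL"   { s = $2 }
        END {
            if (v == "" || p == "") exit 1
            printf "%s.%s", v, p
            if (s != "" && s != "0") printf ".%s", s
            print ""
        }' "$1/Makefile"
}

# Exit status: 0 patch matches and applies cleanly, 1 version mismatch,
# 2 unusable input, 3 dry run reported rejects.
check_grsec_patch() {
    patch_file=$1
    tree=$2
    case "$patch_file" in /*) ;; *) patch_file=$PWD/$patch_file ;; esac
    want=$(patch_kernel_version "$patch_file") || { echo "unrecognised patch name" >&2; return 2; }
    have=$(tree_kernel_version "$tree") || { echo "no kernel Makefile in $tree" >&2; return 2; }
    if [ "$want" != "$have" ]; then
        echo "patch targets $want, tree is $have" >&2
        return 1
    fi
    # --dry-run leaves the tree untouched; a non-zero status means rejects
    (cd "$tree" && patch -p1 --dry-run --silent < "$patch_file") || return 3
}
```

Run it as `check_grsec_patch ../grsecurity-3.1-3.2.68-201503251805.patch .` from inside the kernel tree, and apply the patch for real only when it returns 0.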
Thus, for every new patch and kernel available, I needed to follow all those steps again. Since I don’t like to run the same commands over and over again, I created a simple shell script to automatically build the GrSecurity patch for a given kernel version.
mydebiankernelgrsec.sh has the following options:
-c config file path (/boot/config-3.2.68)
-k kernel version to download (only numbers 3.2.69)
-l list all Kernel versions available for download
-t download testing patch according new GrSecurity Policy
At the time of writing this post, the following kernel versions are available:
$ ./mydebiankernelgrsec.sh -l
Available Kernel versions for download
4.5-rc3
4.4.1
4.3.5
4.1.17
3.18.26
3.14.60
3.12.53
3.10.96
3.4.110
3.2.76
126.96.36.199
next-20160212
It is worth noting that GrSecurity has changed its policy for patch downloads; we can only download the testing patch or the stable one (customers only – paid support).
According to the GrSecurity page, the test patch is available only for kernel versions from 3.1 up to 4.3.5. Let's build for version 4.3.5.
Install all dependencies.
$ sudo apt-get install libncurses5-dev
$ sudo apt-get install kernel-package
$ sudo apt-get install fakeroot build-essential devscripts
Since I am running Debian Jessie, I will use the default kernel config file:
bash ./mydebiankernelgrsec.sh -t -k 4.3.5 -c /boot/config-3.16.0-4-amd64
You should accept every change you think is needed for your new kernel and follow the final steps:
"You should now run 'make menuconfig' inside of linux-4.3.5 and select and save"
"Security Options -> GrSecurity -> Configuration Method - Automatic"
"run the following command to generate .deb kernel file"
"$ fakeroot make deb-pkg"
And you are good to go!
All *.deb files are available one directory above your current path.
$ ls ../*.deb
../linux-firmware-image-4.3.5-grsec_4.3.5-grsec-1_amd64.deb
../linux-image-4.3.5-grsec_4.3.5-grsec-1_amd64.deb
../linux-libc-dev_4.3.5-grsec-1_amd64.deb
../linux-headers-4.3.5-grsec_4.3.5-grsec-1_amd64.deb
../linux-image-4.3.5-grsec-dbg_4.3.5-grsec-1_amd64.deb