Skip to content

How to build GrSecurity using Debian way?

Last year I have created a set of steps teaching how to build GrSecurity patch for the vanila Kernel following the Debian way.

Basically is to download both Kernel source and GrSecurity patch and apply it against the newest kernel tree.

patch -p1 < ../grsecurity-3.1-3.2.68-201503251805.patch

and run:

fakeroot make deb-pkg

Thus, for every new patch and kernel available, I needed to follow all those steps again. Since I don’t like to run the same command over and over again, I have created a simple shellscript  to automatically build GrSecurity patch for a given  Kernel version.

mydebiankernelgrsec.sh has the following options:

 -c     config file path (/boot/config-3.2.68)
 -k     kernel version to download (only numbers 3.2.69)
 -l     list all Kernel versions available for download
 -t     download testing patch according new GrSecurity Policy

By the time I write this post, the following Kernel versions are available:

$ ./mydebiankernelgrsec.sh -l
Available Kernel versions for download

     4.5-rc3
     4.4.1
     4.3.5
     4.1.17
     3.18.26
     3.14.60
     3.12.53
     3.10.96
     3.4.110
     3.2.76
     2.6.32.70
     next-20160212

It worth note that GrSecurity has changed its policy for patch download; we can only download the testing patch or stable (costumer only – paid support).

Based on GrSecurity page, Test Patch is available only for kernel version from 3.1 up to 4.3.5. Lets build for version 4.3.5

Install all dependencies.

$ sudo apt-get install libncurses5-dev
$ sudo apt-get install kernel-package
$ sudo apt-get install fakeroot build-essential devscripts

Since I am running Debian Jessie, I will use the default kernel config file:

bash ./mydebiankernelgrsec.sh -t -k 4.3.5 -c /boot/config-config-3.16.0-4-amd64

You should accept every change you think is needed for your new kernel and follow the final steps:

"You should now run  'make menuconfig' inside of linux-4.3.5 and select and save"
"Security Options -> GrSecurity -> Configuration Method - Automatic"
"run the following command to generate .deb kernel file"
"$ fakeroot make deb-pkg"

And you are good to go!

All *.deb are available one directory above your current path.

$ ls ../*.deb
../linux-firmware-image-4.3.5-grsec_4.3.5-grsec-1_amd64.deb
../linux-image-4.3.5-grsec_4.3.5-grsec-1_amd64.deb
../linux-libc-dev_4.3.5-grsec-1_amd64.deb
../linux-headers-4.3.5-grsec_4.3.5-grsec-1_amd64.deb
../linux-image-4.3.5-grsec-dbg_4.3.5-grsec-1_amd64.deb

#http://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity
#http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-building

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.