Building an RPM package for the latest Linux kernel and grsecurity
What are we building?
We are going to add two groups of patches to the Linux kernel:
- grsecurity, a collection of patches to the Linux kernel intended to increase security
- ext3 patches that fix the serious issues with ext3 in the 2.4.20 kernel
How to create the custom-configured kernel RPM?
- Download spec file to /usr/src/redhat/SPEC/
cd /usr/src/redhat/SPEC/ ; wget http://cpc.freeshell.org/linux/kernel-grsec-2.4.20.spec
- Download all the patches and sources to /usr/src/redhat/SOURCE/
- Create an empty kernel config file (you can also copy an existing one to speed up the kernel configuration)
- Prepare the kernel (unpacking the sources and applying the patches)
cd /usr/src/redhat/SPEC ; rpm -bp kernel-grsec-2.4.spec
- Tweak the kernel config
cd /usr/src/redhat/BUILD/linux-2.4.20 ; make menuconfig   (or make oldconfig / make xconfig, whichever you prefer)
- Copy the resulting config to the source of the RPM
cp /usr/src/redhat/BUILD/linux-2.4.20/.config /usr/src/redhat/SOURCE/kernel-2.4.20-i686-8grsec.config
- Compile the kernel and have a cup of tea/coffee/...
cd /usr/src/redhat/SPEC ; rpm -ba kernel-grsec-2.4.spec
- Done! Easy, wasn't it?
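The script below is an added example, not part of the original page or of the spec file: it gates the "copy the resulting config" step on a check that the tweaked .config really enables grsecurity, so the long rpm -ba build is not wasted on a kernel that silently lacks the hardening. It assumes the grsecurity config symbols CONFIG_GRKERNSEC and CONFIG_PAX and the page's /usr/src/redhat/SOURCE destination.

```shell
#!/bin/sh
# Added example (not from the original page): verify a kernel .config before
# it is copied into the RPM sources for the build.
# Usage: sh check-grsec-config.sh [/usr/src/redhat/BUILD/linux-2.4.20/.config]
# With no argument it runs against a small constructed sample config.

# config_is_set FILE SYMBOL: succeeds when the line "SYMBOL=y" is present.
config_is_set() {
    grep -q "^${2}=y\$" "$1"
}

# check_grsec_config FILE: 0 if CONFIG_GRKERNSEC=y, 1 if not, 2 if FILE is missing.
# Also reports whether PaX (CONFIG_PAX) is on, since that is the part of
# grsecurity most likely to surprise users (see "Why is there no binary RPM").
check_grsec_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such config: $cfg" >&2; return 2; }
    if ! config_is_set "$cfg" CONFIG_GRKERNSEC; then
        echo "$cfg: CONFIG_GRKERNSEC is not set; re-run make menuconfig" >&2
        return 1
    fi
    echo "$cfg: grsecurity enabled"
    if config_is_set "$cfg" CONFIG_PAX; then
        echo "$cfg: PaX enabled"
    else
        echo "$cfg: PaX disabled"
    fi
}

# install_checked_config SRC DST: copy SRC to DST only if the check passes.
install_checked_config() {
    check_grsec_config "$1" || return $?
    cp "$1" "$2"
}

if [ $# -ge 1 ]; then
    install_checked_config "$1" \
        /usr/src/redhat/SOURCE/kernel-2.4.20-i686-8grsec.config
else
    # Constructed sample config (not a real kernel .config) for a dry run.
    sample=$(mktemp)
    printf 'CONFIG_GRKERNSEC=y\n# CONFIG_PAX is not set\n' > "$sample"
    check_grsec_config "$sample"
    rm -f "$sample"
fi
```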
Why is there no binary RPM to download?
I think that it would be bad to give a binary RPM for that kernel for the following reasons:
- a secure kernel should be tightened down to your specific needs
- a lot of people won't be happy if they end up with PaX
- you should not trust strangers ;-)
Why isn't the O(1)/low-latency/... patch included?
What I am looking for is a stable kernel, so I prefer to limit the amount of patching, as I don't have an unlimited amount of QA to test it.
Nicolas Lidzborski (cpc at freeshell.org) on Apr 24 2003