Building an RPM package for the latest Linux kernel and grsecurity
What are we building?
We are going to add one set of patches to the Linux kernel:
- grsecurity which is a collection of patches to the Linux kernel targeted to increase security
How to create the custom-configured kernel RPM?
- Download spec file to /usr/src/redhat/SPEC/
cd /usr/src/redhat/SPEC/ ; wget http://cpc.freeshell.org/linux/kernel-grsec-2.4.21.spec
- Download all the patches and sources to /usr/src/redhat/SOURCE/
- Create an empty kernel config file (you can also copy an existing one to speed up the kernel configuration)
- Prepare the kernel (unpacking the sources and applying the patches)
cd /usr/src/redhat/SPEC ; rpm -bp kernel-grsec-2.4.spec
- Tweak the kernel config
cd /usr/src/redhat/BUILD/linux-2.4.21 ; make oldconfig/menuconfig/xconfig
- Copy the resulting config to the source of the RPM
cp /usr/src/redhat/BUILD/linux-2.4.21/.config /usr/src/redhat/SOURCE/kernel-2.4.21-i686-1grsec.config
- Compile the kernel and have a cup of tea/coffee/...
cd /usr/src/redhat/SPEC ; rpm -ba kernel-grsec-2.4.spec
- Done! Easy, wasn't it ?
Why is there no binary RPM to download?
I think that it would be bad to give a binary RPM for that kernel for the following reasons:
- a secure kernel should be tightened down to your specific needs
- a lot of people won't be happy if they end up with PaX
- you should not trust strangers ;-)
Why isn't there the O(1)/low latency/... patch included?
What I am looking forward is to get a stable kernel, so I prefer to limit the amount of patching as I don't have an unlimited number of QAs to test it.
Nicolas Lidzborski (cpc at freeshell.org) on August 14 2003
Previous version: kernel-grsec.2.4.20.html