Linux kernel 2.6.32 with grsecurity

2016-01-04 19:00 +0100 by Micu

This page contains the latest kernel from the 2.6.32 tree. The main difference from the vanilla (original) version is that it is grsecurity-enabled.

Official grsecurity support for 2.6 kernels ends with version The latest applicable grsecurity patch that I was able to find has timestamp 20131226. The kernel with this patch has become the base for applying incremental patches from the vanilla tree, with adjustments for grsecurity compatibility.

Please note that I'm neither a kernel nor a grsecurity developer, and I also have limited testing capabilities. However, I do my best to analyze and implement incremental changes in a consistent way. Each modification is checked separately: I do not apply kernel changes 'automatically', and some (although very few) have even been skipped when I decided that grsecurity handles certain tasks in a more secure manner. Fortunately this kernel version is longterm and stable, so new versions do not come out frequently and they contain only bug fixes, which are much easier to merge with security fixes than new functions or devices.

This kernel works very well for devices that run Linux distributions based on late v2.6 kernels (for example Slackware 13.1) and require increased security (e.g. a router).

How to apply

Please use GCC version 4.8 to build the listed sources.
Slackware Linux 14.1 with stock GCC 4.8.2, and versions up to GCC 4.8.5, are confirmed to work.

0. Get kernel source: linux

1. Get and apply grsecurity patch: from mirror or local copy here.

2. Apply all patches (in listed order, see sources section).

3. Configure.

4. Build.
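Steps 1 and 2 can be scripted so that nothing touches the tree unless every file matches the sha256 value published in the sources list. This is an added example, not the author's own tooling; the manifest file (sha256sum format, one line per patch in the listed order), the function names, and the use of GNU sha256sum, GNU patch and xz are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes GNU coreutils sha256sum,
# GNU patch and xz, and a manifest in sha256sum format ("<sha256>  <file>"),
# one line per patch, listed in the order the patches are applied.

# verify_series MANIFEST PATCH_DIR
# Succeeds only if every file exists, matches its pinned hash, and the
# numeric prefixes (00-, 01-, ...) are strictly increasing.
verify_series() {
    prev=-1
    while read -r want file; do
        [ -n "$want" ] || continue
        num=${file%%-*}
        case $num in
            ''|*[!0-9]*) echo "no numeric prefix: $file" >&2; return 1 ;;
        esac
        # test(1) compares in decimal, so a prefix like 08 is not read as octal
        [ "$num" -gt "$prev" ] || { echo "out of order: $file" >&2; return 1; }
        prev=$num
        [ -f "$2/$file" ] || { echo "missing: $file" >&2; return 1; }
        got=$(sha256sum "$2/$file" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "hash mismatch: $file" >&2; return 1; }
    done < "$1"
}

# apply_series MANIFEST PATCH_DIR KERNEL_TREE
# Checks the whole series before touching the tree, then applies each
# patch with -p1. The dry run stops a patch that would leave rejects.
apply_series() {
    verify_series "$1" "$2" || return 1
    while read -r want file; do
        [ -n "$want" ] || continue
        # xz -dcf decompresses .xz input and passes plain patches through
        xz -dcf "$2/$file" | patch -d "$3" -p1 -s -N --dry-run ||
            { echo "does not apply cleanly: $file" >&2; return 1; }
        xz -dcf "$2/$file" | patch -d "$3" -p1 -s -N || return 1
    done < "$1"
}
```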


These patches are unofficial.
They are not supported by kernel developers or grsecurity authors.
Kernel 2.6.32 has reached End of Life (EOL) with version

00-grsecurity-2.9.1- (sha256 = 1bbdb091242d03d41ba3523374155d709358f9018a414d968da31d359e69e1df)
latest grsecurity patch for kernel (also available here)
01-kernel- (sha256 = 80a3779464f7969128d199262ff983f26fe0468d2311fab2138eba4a25ec8e2c)
incremental patch from version .61 to .62
02-kernel- (sha256 = 379492086ffa696103bf83e64439a3738f6401df3d161464b8dfc47c8f472850)
incremental patch from version .62 to .63
03-kernel- (sha256 = caf230c9b1dc55b1fefc877ebdfa137475a6d67befc85f5ae2bbbe29ea6ba95f)
incremental patch from version .63 to .64
04-kernel- (sha256 = cd65c12afbf38a3500e5170e43f93137383476e1bf39ed58e9d914bf1fb2996c)
incremental patch from version .64 to .65
05-net_mac80211_rx-warn.patch.xz (sha256 = 74c848b80cb75908bfe6cc39d3e6e3bae500f2f5a6d858a49be6c60123146b5b)
patch backported from kernel 3.x; it adds an explanation for the kernel error in the ieee80211_rx function regarding an invalid value of the wireless MCS rate index (it shows that the error is caused by device firmware, not an internal bug); see example lines from the kernel log below:

WARNING: at net/mac80211/rx.c:2519 ieee80211_rx+0xe7/0x736()
Hardware name:
Rate marked as an HT rate but passed status->rate_idx is not an MCS index [0-76]: 126 (0x7e)
Pid: 0, comm: swapper Not tainted #1
Call Trace:

06-kernel- (sha256 = 6930137b4196475896fd50a5c082651cde28d48d6ad30a82c95179d3894ec716)
incremental patch from version .65 to .66
07-kernel- (sha256 = 3f82f8cab70a22be1922b529a2db85656f11671987725f3df6b536a0d9d4adaa)
incremental patch from version .66 to .67
08-kernel- (sha256 = 02f6116f9a0ed7d05d81cc8ca0b68431c7bb2638c164628c03b15e97fccf2c14)
incremental patch from version .67 to .68
09-kernel- (sha256 = 47ca3a8fbb5e84065c09a9794da3a910b4facdf341dfc4c746f3cae243ef694b)
incremental patch from version .68 to .69
10-kernel- (sha256 = 151665d4ed81b535ea28ba91b8deec05ea6ac913a57ed78d2f71b8954132174e)
incremental patch from version .69 to .70
11-kernel- (sha256 = 3ff74d760c05ce4c1af9b10cd96216066be84508000e2f411d16cfcf350425e9)
incremental patch from version .70 to .71