Roy Lanek | 2 May 2007 04:59

undefined reference to ipt_[un]register_match

Hi,

Trying to build kernel 2.6.20.1 after having applied
grsecurity-2.1.10-2.6.21-200704301822.patch ...

I get:

net/built-in.o: In function `init':
ipt_stealth.c:(.init.text+0x23d2): undefined reference to
`ipt_register_match'
net/built-in.o: In function `fini':
ipt_stealth.c:(.exit.text+0x58a): undefined reference to
`ipt_unregister_match'
make: *** [.tmp_vmlinux1] Error 1

     grep "ipt_register_match" \
     grsecurity-2.1.10-2.6.21-200704301822.patch
     +       return ipt_register_match(&stealth_match);

     (Ditto for "ipt_unregister_match.")

Cheers,

/Roy Lanek (West Sumatra)

--

-- 
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS   bagai air di daun talas--as if water on a
SSSSS . s l a c k w a r e  SSSSSS   leaf of talas [two things that never get
SSSSS +------------ linux  SSSSSS   along ... talas has a thin waxy layer and
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS   therefore is waterproof]

Roy Lanek | 2 May 2007 19:18

undefined reference to ipt_[un]register_match--fixed

Applied new grsecurity-2.1.10-2.6.21-200705012327.patch
...

Works!

Thanks. Cheers,

/Roy Lanek

--

-- 
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS   tak bisa menari dikatakan lantai yang
SSSSS . s l a c k w a r e  SSSSSS   berjungkit--cannot dance but blame the
SSSSS +------------ linux  SSSSSS   floor as uneven [blaming the wrong reason]
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Wolfram Schlich | 10 May 2007 13:51

proc restrictions + /proc/net/if_inet6

Hi,

with proc restrictions activated, IPv6-enabled services/daemons
(like apache, bind, postfix) are prevented from functioning
properly, as they rely on information they read from
/proc/net/if_inet6.

See this: http://forums.grsecurity.net/viewtopic.php?p=6575

Adding those daemon users to the grsec_proc/1001 group is
unreasonable, as those users would have far more permissions
than needed.

Currently, I can do a "chmod a+rx /proc/net", but I don't
like having to put a line like the above into some sort
of init script.

I'd rather prefer grsecurity to take care of this, either
as a user-definable option through .config (for example
CONFIG_GRKERNSEC_PROC_NET) or as a "new default" setting.

Comments, please :)
--

-- 
Regards,
Wolfram Schlich <wschlich@...>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
Wolfram Schlich | 10 May 2007 19:21

Re: proc restrictions + /proc/net/if_inet6

* Christian Schmidt <lkml@...> [2007-05-10 14:44]:
> Wolfram Schlich schrieb:
> > Hi,
> > 
> > with activated proc restrictions, IPv6 enabled services/daemons
> > (like apache, bind, postfix) are prevented from functioning
> > properly, as they rely on information they read from
> > /proc/net/if_inet6.
> > 
> > See this: http://forums.grsecurity.net/viewtopic.php?p=6575
> 
> One could say: design error.
> This broken IPV6 support is basically the same reason you need to mount
> /proc in a chroot() environment for bind.
> Modifying the source to use the netlink interface makes it go away. I'm
> atm working on a patch for bind at least to remove dependency on /proc.

Ah, interesting. As I said, that also applies to apache and postfix.
When your patch is ready, it might be a good idea to show it to the
apache and postfix developer(s) as well so they get a clue on
how to fix it in their own programs.

> > Adding those daemon users to the grsec_proc/1001 group is
> > unreasonable, as those users would have far more permissions
> > than needed.
> > 
> > Currently, I can do a "chmod a+rx /proc/net", but I don't
> > like it having to put a line like the above into some sort
> > of init script.
> >


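The /proc-free route Christian mentions, as an added example that is not from the thread, from grsecurity, or from bind's own patch: the first function parses the /proc/net/if_inet6 line format these daemons read (included only to make the dependency concrete), the second obtains the same addresses through glibc's getifaddrs(), which on Linux is implemented over rtnetlink and is therefore unaffected by proc restrictions. Function names are my own, and the sample lines fed to the parser are constructed.

```c
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Parse one /proc/net/if_inet6 line (what the /proc-dependent daemons read):
 * "<32 hex digits> <ifindex> <prefixlen> <scope> <flags> <ifname>".
 * Returns 0 and fills addr/ifname on success, -1 on malformed input. */
int parse_if_inet6_line(const char *line, char *addr, size_t addrlen,
                        char *ifname, size_t namelen)
{
    char hex[34], name[16];
    unsigned idx, plen, scope, flags;
    struct in6_addr a;
    if (sscanf(line, "%33s %x %x %x %x %15s", hex, &idx, &plen, &scope,
               &flags, name) != 6 || strlen(hex) != 32
        || strspn(hex, "0123456789abcdef") != 32)
        return -1;
    for (int i = 0; i < 16; i++)           /* two hex digits per byte */
        sscanf(hex + 2 * i, "%2hhx", &a.s6_addr[i]);
    if (!inet_ntop(AF_INET6, &a, addr, addrlen))
        return -1;
    snprintf(ifname, namelen, "%s", name);
    return 0;
}

/* The /proc-free alternative: glibc's getifaddrs() on Linux is built on
 * rtnetlink, so it keeps working for unprivileged daemons when proc
 * restrictions hide /proc/net. Appends "ifname addr\n" per IPv6 address
 * to out; returns the address count, or -1 if getifaddrs() fails. */
int list_ipv6_addrs(char *out, size_t outlen)
{
    struct ifaddrs *ifa, *p;
    char buf[INET6_ADDRSTRLEN];
    int n = 0; size_t used = 0;
    if (getifaddrs(&ifa) < 0)
        return -1;
    for (p = ifa; p; p = p->ifa_next) {
        if (!p->ifa_addr || p->ifa_addr->sa_family != AF_INET6)
            continue;
        inet_ntop(AF_INET6, &((struct sockaddr_in6 *)p->ifa_addr)->sin6_addr,
                  buf, sizeof buf);
        used += snprintf(out + used, used < outlen ? outlen - used : 0,
                         "%s %s\n", p->ifa_name, buf);
        n++;
    }
    freeifaddrs(ifa);
    return n;
}
```

Whether a given daemon still opens /proc/net/if_inet6 at startup can be checked with strace -e trace=open,openat on the process.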