How to go about mixing kernel patches...
I hope no one minds me posting this here; if you do, flame away.

My first difficulty is applying the SE Linux patch to the SuSE-patched kernel. I applied lsm-2.4-2002050211.patch.gz to vanilla 2.4.18 and they apply perfectly. I applied it to linux-2.4.18-SuSE and got some errors, producing the following rejects:

linux-2.4.18.SuSE/fs/dquot.c.rej
linux-2.4.18.SuSE/fs/namei.c.rej
linux-2.4.18.SuSE/fs/inode.c.rej
linux-2.4.18.SuSE/mm/memory.c.rej
linux-2.4.18.SuSE/mm/mprotect.c.rej
linux-2.4.18.SuSE/mm/filemap.c.rej
linux-2.4.18.SuSE/net/socket.c.rej
linux-2.4.18.SuSE/arch/i386/kernel/entry.S.rej
linux-2.4.18.SuSE/arch/ia64/kernel/entry.S.rej
linux-2.4.18.SuSE/init/main.c.rej
linux-2.4.18.SuSE/kernel/fork.c.rej
linux-2.4.18.SuSE/kernel/sched.c.rej
linux-2.4.18.SuSE/Makefile.rej
linux-2.4.18.SuSE/include/linux/fs.h.rej

Or if this helps any:

jw:/work/dl/se_linux/se_build/linux-2.4.18.SuSE # zcat ../../opt5/all-opt-4-together/patches/lsm-2.4-2002050211.patch.gz | patch -s -p1
1 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
1 out of 1 hunk FAILED -- saving rejects to file arch/i386/kernel/entry.S.rej
1 out of 1 hunk FAILED -- saving rejects to file arch/ia64/kernel/entry.S.rej
Reversed (or previously applied) patch detected! Assume -R? [n]
Apply anyway? [n]
1 out of 1 hunk ignored -- saving rejects to file fs/binfmt_elf.c.rej
1 out of 2 hunks FAILED -- saving rejects to file fs/dquot.c.rej
1 out of 3 hunks FAILED -- saving rejects to file fs/inode.c.rej
1 out of 22 hunks FAILED -- saving rejects to file fs/namei.c.rej
1 out of 6 hunks FAILED -- saving rejects to file include/linux/fs.h.rej
1 out of 2 hunks FAILED -- saving rejects to file init/main.c.rej
1 out of 4 hunks FAILED -- saving rejects to file kernel/fork.c.rej
1 out of 7 hunks FAILED -- saving rejects to file kernel/sched.c.rej
1 out of 3 hunks FAILED -- saving rejects to file mm/filemap.c.rej
1 out of 1 hunk FAILED -- saving rejects to file mm/memory.c.rej
1 out of 2 hunks FAILED -- saving rejects to file mm/mprotect.c.rej
1 out of 15 hunks FAILED -- saving rejects to file net/socket.c.rej

At this point I'm presuming the correct course of action is to diff those files one at a time between the "good" patched {.c|.h} files and the "bad" suse-patched {.c|.h} files.

Would there be any benefit to try to do the opposite, i.e. apply the LSM patches first, and the SuSE patches second?

I'm a little worried since I have to mix 3 patches actually. I suppose there's not much chance of the actual se-linux patches applying to my mixed lsm/suse kernel?

Sorry to ask such basic questions, I've never had to do something like this before -- but I'm determined to do it right. If anyone has advice as far as how to go about this, I'd really appreciate hearing from you.

Thanks!

--
Jonathan Wilson
System Administrator
Cedar Creek Software
http://www.cedarcreeksoftware.com
On Friday 31 May 2002 06:55 pm, JW wrote:
I applied it to linux-2.4.18-SuSE and got some errors, producing the following rejects:
Not to digress too far afield here... Where did you get a 2.4.18 SuSE kernel? I've been sniffing around the ftp servers and the latest I could find was 2.4.16 (For SuSE 7.3).

--
_________________________________________________
No I Don't Yahoo!
And I'm getting pretty sick of being asked if I do.
_________________________________________________
John Andersen / Juneau Alaska
On Friday 31 May 2002 11:42 pm, you wrote:
On Friday 31 May 2002 06:55 pm, JW wrote: Not to digress too far afield here... Where did you get a 2.4.18 SuSE kernel? I've been sniffing around the ftp servers and the latest I could find was 2.4.16 (For SuSE 7.3).
?? I'm at home now (7.3) so I can't double-check myself but I'm quite sure that's what 8.0 comes with. kernel_sources rpm. IIRC. Will verify this tomorrow, or whenever I'm back out at work.
On Friday 31 May 2002 11:42 pm, John Andersen wrote:
On Friday 31 May 2002 06:55 pm, JW wrote:
I applied it to linux-2.4.18-SuSE and got some errors, producing the following rejects:
Not to digress too far afield here... Where did you get a 2.4.18 SuSE kernel? I've been sniffing around the ftp servers and the latest I could find was 2.4.16 (For SuSE 7.3).
Well actually you confirmed it... you can't find it because 8.0 rpms aren't up on FTP yet. OTOH, check mentel's directory... would not be surprised if it's in there. /pub/people/mental/next , IIRC, on the ftp server... search SLE archives for "mantel kernel", you'll find a link there somewhere. If it's not there, it's not on FTP anywhere.

JW
At Saturday 01 June 2002 07:46 JW wrote:
[about the 2.4.18 kernel, which came with SuSE 8.0] Well actually you confirmed it... you can't find it because 8.0 rpms aren't up on FTP yet.
OTOH, check mentel's directory... would not be surprised if it's in there.
/pub/people/mental/next , IIRC, on the ftp server... search SLE archives for "mantel kernel", you'll find a link there somewhere.
If it's not there, it's not on FTP anywhere.
Probably this 50 $ or so for an 8.0 update set of CDs is too much to ask? That's the main income for the people doing the work, providing free ftp-services, running this list (and helping here with their expertise). I call that the Inverse Microsoft Syndrome - wanting everything for free. I know, I'm off topic, but I have my feelings also. Michael -- Michael Zimmermann (Vegaa Safety and Security for Internet Services) <zim@vegaa.de> phone +49 89 6283 7632 hotline +49 163 823 1195 Key fingerprint = 1E47 7B99 A9D3 698D 7E35 9BB5 EF6B EEDB 696D 5811
On Friday 31 May 2002 11:24 pm, Michael Zimmermann wrote:
At Saturday 01 June 2002 07:46 JW wrote:
[about the 2.4.18 kernel, which came with SuSE 8.0] Well actually you confirmed it... you can't find it because 8.0 rpms aren't up on FTP yet.
OTOH, check mentel's directory... would not be surprised if it's in there.
/pub/people/mental/next , IIRC, on the ftp server... search SLE archives for "mantel kernel", you'll find a link there somewhere.
If it's not there, it's not on FTP anywhere.
Probably this 50 $ or so for an 8.0 update set of CDs is too much to ask?
Hey now... I wanted to update my 7.3 to 2.4.18, not go to 8.0. I'm waiting for 8.1 when Suse gets the bugs out, and the KDE3 is stable. I always purchase boxed sets of the enterprise ca $75 for each workstation and then use the older releases for routers or mail servers etc. I pay my SuSE dues. -- _________________________________________________ No I Don't Yahoo! And I'm getting pretty sick of being asked if I do. _________________________________________________ John Andersen / Juneau Alaska
JW (by way of JW ) wrote:
My first difficulty is applying the SE Linux patch to the SuSE-patched kernel.
I applied lsm-2.4-2002050211.patch.gz to vanilla 2.4.18 and they apply perfectly.
I applied it to linux-2.4.18-SuSE and got some errors, producing the following rejects:
Hello,

I would not do this, because this means unnecessary work. I don't know if and what SuSE changed to the kernel (maybe someone from SuSE could clear that point), but using a vanilla kernel and applying LSM is a better solution. It works and it is not necessary to update every SuSE kernel in order to have the latest SuSE *and* LSM/SELinux enhancements.

Better stick with a normal kernel, make adjustments with make menuconfig before compiling and let's wait until LSM finds its way into the standard kernel. Then SuSE will have LSM by default - no need for patching anymore.

Mark
Hi,
My first difficulty is applying the SE Linux patch to the SuSE-patched kernel.
I applied lsm-2.4-2002050211.patch.gz to vanilla 2.4.18 and they apply perfectly.
I applied it to linux-2.4.18-SuSE and got some errors, producing the following rejects:
Hello,
I would not do this, because this means unnecessary work. I don't know if and what SuSE changed to the kernel (maybe someone from SuSE could clear that point), but using a vanilla kernel and applying LSM is a better solution. It works and it is not necessary to update every SuSE kernel in order to have the latest SuSE *and* LSM/SELinux enhancements.
Better stick with a normal kernel, make adjustments with make menuconfig before compiling and let's wait until LSM finds its way into the standard kernel. Then SuSE will have LSM by default - no need for patching anymore.
Mark
This is correct - I don't know of any difficulties when running a vanilla kernel on a SuSE product. Exceptions: reiserfs (in the past), alsa, DRM g/x modules, minor ISDN glitches and some other minor problems that only show up in corner cases.

The SuSE kernel is different in two ways:

* It has additional drivers that are not included in the mainstream kernel because of licensing issues, because people didn't argue with Linus enough yet (including drivers is a political issue), or due to some other more political rather than technical problem.
* It has modifications that we thought are beneficial for the kernel as a whole. In particular, Andrea's memory management changes usually find their way into the SuSE kernel. He also sends these patches to Linus and Alan at the same time, but here at SuSE his guessing is trusted more than many other people's advice. Therefore, the stuff gets added at once without any delay.

You can see the most intrusive changes in the rejects: mm, vfs, scheduler and architecture dependent asm code. Here you can see the influence of SuSE's kernel people. It would be interesting to see how the latest patch applies to a SuSE kernel of an older version.

I used to install a vanilla kernel on a fresh SuSE installation, basically as the first thing I did. That was at a time when some kB made a difference, both in RAM and on disk. Today, with machines of more than 64MB RAM, I don't think it makes a difference. Most drivers are contained in modules, and most modules don't consume memory as long as they are not loaded. The few bytes for symbols that are registered in the core don't really count.

Since some bright people found out how to patch/alter a running (monolithic!) kernel without any modules support, it doesn't make a difference any more in terms of security. If you are in a position where you can load kernel modules, you have already passed the root of your security problem.

Then: The LSM patch. The patch is very intrusive, but it is easy to see that it barely does anything. Applying it is a matter of plain work, and this can be done. I can't make any promises - there may turn up a reason that we couldn't see in advance. But I am quite sure that we'll have it in the future. Hubert is prepared...

Thanks,
Roman.
--
 | Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see, |
 | SuSE Linux AG - Security Phone: // you need vision!" |
 | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
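Added example, not part of the thread: a shell function that groups the `patch` reject lines from the first post by top-level kernel directory, so the mm/fs/kernel/arch concentration Roman describes can be read off as rejected versus attempted hunks. The function names `sample_patch_output` and `summarize_rejects` are hypothetical, and the sample input is the output quoted in the thread.

```shell
# Added example: group `patch` rejects by top-level kernel directory.

# Sample input: the `patch -s -p1` output quoted in the thread.
sample_patch_output() {
cat <<'EOF'
1 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
1 out of 1 hunk FAILED -- saving rejects to file arch/i386/kernel/entry.S.rej
1 out of 1 hunk FAILED -- saving rejects to file arch/ia64/kernel/entry.S.rej
Reversed (or previously applied) patch detected! Assume -R? [n]
Apply anyway? [n]
1 out of 1 hunk ignored -- saving rejects to file fs/binfmt_elf.c.rej
1 out of 2 hunks FAILED -- saving rejects to file fs/dquot.c.rej
1 out of 3 hunks FAILED -- saving rejects to file fs/inode.c.rej
1 out of 22 hunks FAILED -- saving rejects to file fs/namei.c.rej
1 out of 6 hunks FAILED -- saving rejects to file include/linux/fs.h.rej
1 out of 2 hunks FAILED -- saving rejects to file init/main.c.rej
1 out of 4 hunks FAILED -- saving rejects to file kernel/fork.c.rej
1 out of 7 hunks FAILED -- saving rejects to file kernel/sched.c.rej
1 out of 3 hunks FAILED -- saving rejects to file mm/filemap.c.rej
1 out of 1 hunk FAILED -- saving rejects to file mm/memory.c.rej
1 out of 2 hunks FAILED -- saving rejects to file mm/mprotect.c.rej
1 out of 15 hunks FAILED -- saving rejects to file net/socket.c.rej
EOF
}

# Reads patch output on stdin; prints one line per directory:
#   <dir> <rejected hunks>/<hunks attempted> <files with rejects>
# "ignored" hunks also land in a .rej file, so they count as rejected.
summarize_rejects() {
    awk '
    / hunks? (FAILED|ignored) -- saving rejects to file / {
        # Locate "out of" by scanning, so prompt text printed on the
        # same line does not shift the field positions.
        for (i = 2; i < NF; i++)
            if ($i == "out" && $(i + 1) == "of") { rejected = $(i - 1); total = $(i + 2) }
        file = $NF; sub(/\.rej$/, "", file)
        # Files in the tree root (Makefile) are reported as "(top)".
        n = split(file, parts, "/")
        dir = (n > 1) ? parts[1] : "(top)"
        rej[dir] += rejected; tot[dir] += total; files[dir]++
    }
    END {
        for (d in rej) printf "%s %d/%d %d\n", d, rej[d], tot[d], files[d]
    }' | LC_ALL=C sort
}

sample_patch_output | summarize_rejects
```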
participants (5): John Andersen, JW, Mark Müller, Michael Zimmermann, Roman Drahtmueller