Grsecurity Linux kernel for Ubuntu 9.04 Jaunty

Hi, for my first blog post I will not introduce myself, but give you a little gift that may save you some time (am I not nice? huh?).


Recently I have become interested in Ubuntu Linux, mainly because I don’t have much time to play with Linux any more and want something that “just works”. But I could not find the kernel I wanted… I want a kernel that:

  • is designed for “the Desktop”
  • enables all Ubuntu functionalities (so you need the Ubuntu kernel patch set)
  • adds some out-of-the-box security without the SELinux hassle, so go for Grsecurity with PaX (you need the Grsecurity patch set and a few add-ons from the Gentoo Hardened project)

The Grsecurity website points to a site that is supposed to host the latest Linux kernels with Grsecurity for Debian, but that site is outdated now. I could not find any other resources on the matter.


It is not really hard to do: just apply the patches and merge the patch conflicts (this can take some time), then choose your Grsecurity policy. Basically:

  • Enable all security features provided by Grsecurity 2.1.13
  • Add some Gentoo Hardened project patches made for Grsecurity 2.1.13
    • 2100_block-fix-performance-regression-in-sync_dirty_buffer.patch
    • 4421_grsec-remove-localversion-grsec.patch
    • 4430_grsec-kconfig-default-gids.patch
    • 4435_grsec-kconfig-gentoo.patch
    • 4440_selinux-avc_audit-log-curr_ip.patch
    • 4445_disable-compat_vdso.patch
  • Disable those security features that are not fit for Desktop use (basically the ones that won’t let Xorg start or the ATI/NVIDIA binary blobs work)
  • Disable Grsecurity sysctl support. With sysctl support enabled, the configuration is only secure once you run “echo 1 > /proc/sys/kernel/grsecurity/grsec_lock” to make it static… indeed you don’t want people deactivating the security features you have worked so hard to activate! I have never really used that feature and see it more as a testing aid; also, for those of you who always forget things, I’ve made it easy on you by not enabling it 😉
  • Disable one or two features that block or dramatically slow down virtualization systems when running as a host. So this kernel works for VMware and definitely works for KVM hosting.
  • Remember this kernel is for Desktop use; a server configuration could/would be much stricter: no X, no virtualization (?) and fewer modules (monolithic kernels are still a good thing).

So there you are: a brand new Linux kernel with Ubuntu patches and grsecurity. I have been running it for a while; it is pretty stable for me, with no visible performance impact.

I know really paranoid people won’t use the DEB file I provide here, so for them I provide the actual patch used to build this kernel (including the .config file). After all, paranoid people are human too… huh?


So if you want to try this kernel, you can install the DEB file I provide, or build it yourself from source.

How to install from source:

Start your best terminal and try those:

# fetch the Ubuntu kernel source tree and enter it
apt-get install linux-source-2.6.28
cd /usr/src/linux-source-2.6.28
# apply the combined grsecurity + Gentoo Hardened patch (with the .config)
patch -p1 < grsecurity-2.1.13-
# build a Debian kernel package with an initrd, tagged with a revision
make-kpkg clean
make-kpkg --bzimage --revision grsec.686.01 --initrd kernel_image
# install the resulting package
dpkg -i ../linux-image-*grsec.686.01*.deb
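Before trusting the build (or after installing it), it is worth checking that the .config actually carries the grsecurity/PaX options you meant to keep, and that the sysctl caveat from the list above applies or not. This is an added example, not the post’s own code: the option names are standard grsecurity/PaX Kconfig symbols, but the particular list of expected options and the sample .config fragments are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the post's own code. Checks a kernel .config for the
# grsecurity/PaX options this post relies on and flags the sysctl case
# where grsec_lock must be set after boot. The expected-option list is an
# illustrative assumption, not the post's exact configuration.

# Report each expected option as "ok" or "MISSING"; warn when sysctl
# support is compiled in. Returns 1 if any expected option is missing.
check_grsec_config() {
    cfg="$1"
    rc=0
    for opt in CONFIG_GRKERNSEC CONFIG_PAX CONFIG_PAX_NOEXEC \
               CONFIG_PAX_ASLR CONFIG_PAX_MPROTECT; do
        if grep -q "^${opt}=y\$" "$cfg"; then
            echo "ok      $opt"
        else
            echo "MISSING $opt"
            rc=1
        fi
    done
    # The post disables CONFIG_GRKERNSEC_SYSCTL; if it is on, the running
    # policy stays editable until grsec_lock is set to 1.
    if grep -q '^CONFIG_GRKERNSEC_SYSCTL=y$' "$cfg"; then
        echo "WARN    CONFIG_GRKERNSEC_SYSCTL=y: after boot, run" \
             "'echo 1 > /proc/sys/kernel/grsecurity/grsec_lock'"
    fi
    return "$rc"
}

# Constructed sample .config fragments so the script runs offline.
good_cfg=$(mktemp); bad_cfg=$(mktemp)
trap 'rm -f "$good_cfg" "$bad_cfg"' EXIT
cat > "$good_cfg" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_SYSCTL is not set
EOF
cat > "$bad_cfg" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
# CONFIG_PAX_MPROTECT is not set
CONFIG_GRKERNSEC_SYSCTL=y
EOF

echo "== desktop config =="; check_grsec_config "$good_cfg"
echo "== incomplete config =="; check_grsec_config "$bad_cfg" || echo "(rejected)"
```

Point it at the .config shipped with the patch or, on a kernel built with /proc/config.gz support, at a decompressed copy of that file.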

Edit from the beach: I will update this page for the new Ubuntu 9.10 at the beginning of January 2010, when I update my own system 🙂

This entry was posted in Hardening, Security.

3 Responses to Grsecurity Linux kernel for Ubuntu 9.04 Jaunty

  1. Locks Free says:

    Neat one pal. I’ll be trying it although I’m not sure to qualify as human 😉

  2. Crazy Bunta says:

    heh ^^

  3. Pingback: Grsecurity Linux kernel for Ubuntu 9.04 Jaunty | BH-Server
