r105 - trunk/text/chapter07

robert at linuxfromscratch.org
Mon Jan 17 08:46:29 PST 2005


Author: robert
Date: 2005-01-17 09:46:28 -0700 (Mon, 17 Jan 2005)
New Revision: 105

Modified:
   trunk/text/chapter07/10-kernel.txt
Log:
Added more help comments for configuring a Grsec kernel

Modified: trunk/text/chapter07/10-kernel.txt
===================================================================
--- trunk/text/chapter07/10-kernel.txt	2005-01-17 10:57:28 UTC (rev 104)
+++ trunk/text/chapter07/10-kernel.txt	2005-01-17 16:46:28 UTC (rev 105)
@@ -38,10 +38,36 @@
 patch -Np1 -i ../grsecurity-2.1.0-2.6.10-200501081640.patch &&
 patch -Np1 -i ../linux-2.6.10-secfix-200501071130.patch
 
-# And begin building the kernel. Configuring the kernel with menuconfig is
-# another document. All the Grsec and PaX options can be enabled.
-# Sysctl is needed to use Frandom properly with SSP.
+# Next configure the kernel. Sysctl is needed to use Frandom properly with SSP,
+# make sure sysctl and frandom are built in, not modules.
 
+# All the Grsec and PaX options can be enabled, but some should be disabled
+# for the best security.
+#
+# Do _NOT_ enable the following:
+# CONFIG_PAX_SOFTMODE
+# CONFIG_PAX_EI_PAX
+# CONFIG_PAX_EMUTRAMP
+# The SOFTMODE means settings will not be enforced; this is for curious users
+# or for debugging problems. EI_PAX is for supporting legacy markings which
+# we do not have (see below). PAX_EMUTRAMP is for supporting old code which
+# we do not have. These three options reduce security.
+#
+# Do enable the following:
+# CONFIG_PAX_PT_PAX_FLAGS
+# This option tells the PaX kernel that we have PaX elf header markings, which
+# are placed by our patched version of Binutils. This is the preferred method
+# which replaces EI_PAX.
+#
+# All the rest of the options will increase system security. If you plan to
+# use this system to rebuild LFS or HLFS again then you should consider
+# enabling the Grsecurity sysctl option. With the Grsecurity sysctl option
+# you will be able to enforce all the chroot jail restrictions during normal
+# operation, and you can disable them while preforming a chapter 6 (chroot)
+# build. Some of the chroot options will disallow mknod and mounts inside
+# a chroot. Almost everything will be able to build and install with all
+# options enabled, please report any problems.
+
 make mrproper &&
 make menuconfig
 
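Review bot: the new comment block presents the Grsecurity sysctl option as a pure gain ("All the rest of the options will increase system security"), but the same paragraph says that with it "you can disable them while preforming a chapter 6 (chroot) build": a restriction that can be switched off from userspace for the build can also be switched off by any process running as root, so the comment should state that trade-off explicitly and tell the reader to lock the settings once the build is done rather than leave them toggleable. Two smaller points in the same hunk: "Sysctl is needed to use Frandom properly with SSP" and "the Grsecurity sysctl option" refer to two different kernel options, so name the config symbols the way the PaX ones are named (CONFIG_PAX_SOFTMODE, CONFIG_PAX_PT_PAX_FLAGS) to avoid a reader building one and believing the other is covered; and "preforming" should read "performing".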