Patch ArchLinux ARM with grsecurity - linux

I would like to patch my ArchLinux for Raspberry Pi with grsecurity.
This is what I've done so far:
I've downloaded the linux-raspberry directory (with the PKGBUILD) available here
https://github.com/archlinuxarm/PKGBUILDs/tree/master/core/linux-raspberrypi
I used the linux-raspberry directory.
There, I wget the patch: http://grsecurity.net/stable/grsecurity-3.0-3.2.58-201405112002.patch
To continue, I've applied the patch in the PKGBUILD, in the prepare() function:
patch -p1 < "${srcdir}/grsecurity-3.0-3.2.58-201405112002.patch"
Then:
makepkg
Unfortunately, at the line of the patch, I got an error:
==> ERROR: A failure occurred in prepare().
I've applied the patch manually and I got things like this:
Hunk #10 succeeded at 3232 (offset 440 lines).
Hunk #11 succeeded at 3242 (offset 440 lines).
Hunk #12 FAILED at 2816.
1 out of 12 hunks FAILED -- saving rejects to file virt/kvm/kvm_main.c.rej
This file contains:
--- virt/kvm/kvm_main.c
+++ virt/kvm/kvm_main.c
## -2816,9 +2832,6 ##
register_syscore_ops(&kvm_syscore_ops);
- kvm_preempt_ops.sched_in = kvm_sched_in;
- kvm_preempt_ops.sched_out = kvm_sched_out;
-
kvm_init_debug();
return 0;
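Review bot: this rejected hunk expects the kvm_preempt_ops.sched_in / sched_out assignments at line 2816 of virt/kvm/kvm_main.c, while hunks #10 and #11 of the same file only applied at an offset of 440 lines, so the tree being patched differs substantially from the one the patch was generated against. Rather than hand-merging the removal, apply a patch whose version string matches the kernel source being built; the file name of this one says 3.2.58.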
That is probably because I used the wrong version of grsecurity for my kernel, which is:
3.12.20-1-ARCH
If you have any idea whether it might be this or something else, please let me know.

Related

Yocto build error for python and qt5

I'm getting the Yocto build error below and I'm not sure what the problem is.
I am trying to build Yocto for my warpx board. I am able to build the headless image but not the headfull one.
Can anyone please point out any issue?
I have used the Yocto krogoth version with the Freescale platform BSP.
These are the commands I followed.
repo init -u https://github.com/Freescale/fsl-community-bsp-platform -b krogoth
repo sync
cd sources
git clone https://github.com/Kynetics/meta-warpx.git
cd meta-warpx
git checkout krogoth
cd ..
git clone https://github.com/meta-qt5/meta-qt5.git
cd meta-qt5
git checkout krogoth
cd ..
git clone https://github.com/sbabic/meta-swupdate.git
cd meta-swupdate
git checkout krogoth
cd ../../
cp -rf sources/meta-warpx/first-setup/setup-warpx-warp .
source setup-warpx-warp
ACCEPT the terms here (say 'y')
Now we are in "~/yocto/build-warpx-warp" location.
cp -rf ../sources/meta-warpx/first-setup/local.conf.sample conf/local.conf
cp -rf ../sources/meta-warpx/first-setup/bblayers.conf conf/
bitbake warpx-headfull-image-sdk
titus@titusPC:~/workdir/Titus/yocto/build-warpx-warp$ bitbake warpx-headfull-image
WARNING: Host distribution "Ubuntu-16.04" has not been validated with this version of the build system; you may possibly experience unexpected failures. It is recommended that you use a tested distribution.
Loading cache: 100% |################################################################| ETA: 00:00:00
Loaded 2562 entries from dependency cache.
Parsing recipes: 100% |##############################################################| Time: 00:00:00
Parsing of 1997 .bb files complete (1996 cached, 1 parsed). 2562 targets, 192 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
Build Configuration:
BB_VERSION = "1.30.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "universal"
TARGET_SYS = "arm-poky-linux-gnueabi"
MACHINE = "warp"
DISTRO = "poky"
DISTRO_VERSION = "2.1.3"
TUNE_FEATURES = "arm armv7a vfp thumb neon callconvention-hard cortexa9"
TARGET_FPU = "hard"
meta
meta-poky = "HEAD:3565a9697f53ba975a1b7235b802f659418746c3"
meta-oe
meta-multimedia
meta-networking
meta-python = "krogoth:55c8a76da5dc099a7bc3838495c672140cedb78e"
meta-fsl-arm = "HEAD:e2254e7b2ded0c2b66b1226f879b3a6d52037b2d"
meta-fsl-arm-extra = "HEAD:2c28e636ec15c2cfd49bc9cebe0bbbcfde95bc7b"
meta-qt5 = "krogoth:1100037b9becaaa5749602bca9d63693119c4585"
meta-warpx = "krogoth:b2110ade3cd53f3b98a8f057d508c075b4d691e2"
meta-swupdate = "krogoth:712d4aee92ea3a23952a3e7fb812e5c4df7492ec"
NOTE: Preparing RunQueue
NOTE: Executing SetScene Tasks
NOTE: Executing RunQueue Tasks
ERROR: python-pyqt-5.3.1-r1 do_generate: Error calling sip on QtCore
ERROR: python-pyqt-5.3.1-r1 do_generate: Function failed: do_generate (log file is located at /home/titus/workdir/Titus/yocto/build-warpx-warp/tmp/work/cortexa9hf-neon-poky-linux-gnueabi/python-pyqt/5.3.1-r1/temp/log.do_generate.2080)
ERROR: Logfile of failure stored in: /home/titus/workdir/Titus/yocto/build-warpx-warp/tmp/work/cortexa9hf-neon-poky-linux-gnueabi/python-pyqt/5.3.1-r1/temp/log.do_generate.2080
Log data follows:
| DEBUG: Executing shell function do_generate
| NOTE: using modules 'QtCore QtGui QtQml QtQuick QtSvg QtWebKit QtWidgets QtOpenGL QtXmlPatterns' and tags '-tWS_X11 -tQt_5_3_1 -xVendorID -xPyQt_Accessibility -xPyQt_Desktop_OpenGL -xPyQt_SessionManager'
| calling 'sip4 -I sip -I /home/titus/workdir/Titus/yocto/build-warpx-warp/tmp/sysroots/x86_64-linux/usr/share/sip -tWS_X11 -tQt_5_3_1 -xVendorID -xPyQt_Accessibility -xPyQt_Desktop_OpenGL -xPyQt_SessionManager -c QtCore -b QtCore/QtCore.pro.in sip/QtCore/QtCoremod.sip'
| /home/titus/workdir/Titus/yocto/build-warpx-warp/tmp/work/cortexa9hf-neon-poky-linux-gnueabi/python-pyqt/5.3.1-r1/temp/run.do_generate.2080: 137: /home/titus/workdir/Titus/yocto/build-warpx-warp/tmp/work/cortexa9hf-neon-poky-linux-gnueabi/python-pyqt/5.3.1-r1/temp/run.do_generate.2080: sip4: not found
| WARNING: exit code 1 from a shell command.
| ERROR: Error calling sip on QtCore
| ERROR: Function failed: do_generate (log file is located at /home/titus/workdir/Titus/yocto/build-warpx-warp/tmp/work/cortexa9hf-neon-poky-linux-gnueabi/python-pyqt/5.3.1-r1/temp/log.do_generate.2080)
ERROR: Task 3512 (/home/titus/workdir/Titus/yocto/sources/meta-warpx/recipes-devtools/python/python-pyqt_5.3.1.bb, do_generate) failed with exit code '1'
NOTE: Tasks Summary: Attempted 3319 tasks of which 2678 didn't need to be rerun and 1 failed.
Waiting for 0 running tasks to finish:
Summary: 1 task failed:
/home/titus/workdir/Titus/yocto/sources/meta-warpx/recipes-devtools/python/python-pyqt_5.3.1.bb, do_generate
Summary: There was 1 WARNING message shown.
Summary: There were 2 ERROR messages shown, returning a non-zero exit code.
titus@titusPC:~/workdir/Titus/yocto/build-warpx-warp$
It seems you don't have the sip recipe in your Yocto sources.
python-pyqt depends on sip; add the sip recipe and compile again.

FreeBSD pkg suddenly stopped bootstrapping

I've set up a Packer template to generate a Vagrant base image of FreeBSD 10.3, and it was working well at least as of Mon Oct 3 00:34:41 2016 +0300.
Yesterday I was going to continue my work on this project and it turned out it is not working anymore. So here are the details.
Packer does what it has to do, then runs my script to install FreeBSD using bsdinstall(8) with the following script:
PARTITIONS="ada0 { 29G freebsd-ufs /, 5G freebsd-swap, 10G freebsd-ufs /var }"
DISTRIBUTIONS="base.txz kernel.txz"
#!/bin/sh
echo 'WITHOUT_X11="YES"' >> /etc/make.conf
echo 'OPTIONS_UNSET=X11' >> /etc/make.conf
echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
cat >> /etc/rc.conf <<EOF
ifconfig_em0="DHCP"
sshd_enable="YES"
dumpdev="NO"
EOF
env ASSUME_ALWAYS_YES=1 pkg bootstrap # <<stops here
pkg update
pkg install -y sudo
[.....snip.....]
reboot
This stops at bootstrapping pkg with the message:
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
Signature for pkg not available.
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly/Latest/pkg.txz.sig: Connection reset by peer
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.
If I stop the bsdinstall script and chroot /mnt /bin/sh I can fetch pkg.txz.sig from the above URL without any problems.
Any ideas what could be the reason for the "connection reset by peer"? Was something changed on pkg.FreeBSD.org recently?
I couldn't find anything about the issue.
UPD1
Looking at the captured traffic -- the site really answers 200 OK and then drops the connection for the pkg.txz.sig file.
But this 200 OK packet contains the signature file, and they are identical for both the manual fetch (which succeeds) and pkg bootstrap (which fails).
Both sessions are identical, so this is likely not a networking problem.
UPD2
The truss was not helpful either.
So as a workaround I've just modified my bsdinstall script to fetch files manually:
[.....snip.....]
#env ASSUME_ALWAYS_YES=1 pkg bootstrap
fetch http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly/Latest/pkg.txz
fetch http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly/Latest/pkg.txz.sig
pkg add pkg.txz
pkg update
[.....snip.....]
PS: The only thing that I can suspect now is the VirtualBox version update... anyway, downgrading is not an option. (The ISO checksum is hardcoded into the template, and the template and scripts are in a git repository, so accidental changes are impossible.)
UPD3
I've set up a debugging environment; for the moment I have only isolated the function where the error is raised.
It's the second buffer refill from the HTTP connection (while the first one has already read 727 bytes - it should be EOF)...
Here is a small gdb log with backtrace and breakpoints to get there.
Added a tcpdump capture made on the system (Wireshark compatible).
As I found out, part of the problem was with pkg -- they try to read 10240 bytes from the connection, expecting EOF if the file is smaller, but somehow on my system EOF is not set when the whole remote file has already been read.
# /release/10.3.0/usr.sbin/pkg/pkg.c
185 char buf[10240];
242 while ((r = fread(buf, 1, sizeof(buf), remote)) > 0) {
and the following loops twice -- the first time reading the file, the second time getting a connection reset error instead of EOF
# /release/10.3.0/lib/libc/stdio/fread.c
94 resid = count * size; # == 10240 here
100 while (resid > (r = fp->_r)) {
101 (void)memcpy((void *)p, (void *)fp->_p, (size_t)r);
102 fp->_p += r;
103 /* fp->_r = 0 ... done in __srefill */
104 p += r;
105 resid -= r;
106 if (__srefill(fp)) {
107 /* no more input: return partial result */
108 return ((total - resid) / size);
109 }
110 }
While the manual fetch succeeds because the size is adjusted for small chunks and they only ask for 727 bytes to read:
# /release/10.3.0/usr.bin/fetch/fetch.c
720 if (us.size != -1 && us.size - count < B_size &&
721 us.size - count >= 0)
722 size = us.size - count;
723 else
724 size = B_size;
733 if ((readcnt = fread(buf, 1, size, f)) < size) {
...but why EOF is not set is still a question.
Posted this to freebsd-pkg mailing list.
UPD1
Downgraded VirtualBox from 5.028 to 5.026 and EOF is set; _sread() on libc/stdio/refill.c:135 returns 0 and it sets EOF on line 138.
So something was changed in VirtualBox networking too. Added a pcap file for VirtualBox 5.026 to the gist. 5.028 really was the culprit of the connection reset - here is a comparison of the captures.
VirtualBox 5.1.8 has this bug too. Version 5.1.6 works OK.
Opened ticket #16141 in their bugtracker.
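The read-size difference analysed in this post, reduced to a small simulation (an added example, not FreeBSD source and not code from the post). struct conn, conn_read, fill_request, fixed_buffer_download and sized_download are hypothetical names; the stream that delivers 727 bytes and then resets instead of signalling EOF is constructed, and stopping once the advertised length has been read is an assumption of this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define BODY_LEN 727  /* bytes in the first buffer fill, as reported above */

/* Constructed stand-in for the HTTP stream: BODY_LEN bytes, then a reset
 * from the peer instead of a clean EOF. err is sticky like a FILE flag. */
struct conn { size_t sent; int reads; int err; };

static long conn_read(struct conn *c, char *dst, size_t want) {
    size_t n = BODY_LEN - c->sent;
    c->reads++;
    if (n == 0) { c->err = ECONNRESET; return -1; }
    if (n > want) n = want;
    memset(dst, 'S', n);
    c->sent += n;
    return (long)n;
}

/* Same shape as the quoted fread() loop: refill until the request is
 * satisfied, or return the partial result when a refill fails. */
static size_t fill_request(struct conn *c, char *buf, size_t request) {
    size_t total = 0;
    while (total < request) {
        long r = conn_read(c, buf + total, request - total);
        if (r <= 0) break;
        total += (size_t)r;
    }
    return total;
}

/* pkg-style: always request sizeof(buf) and rely on EOF to stop. */
struct conn fixed_buffer_download(void) {
    char buf[10240];
    struct conn c = {0, 0, 0};
    while (fill_request(&c, buf, sizeof(buf)) > 0) { }
    return c;
}

/* fetch-style: cap each request at the bytes still expected. */
struct conn sized_download(size_t advertised) {
    char buf[10240];
    struct conn c = {0, 0, 0};
    while (c.sent < advertised) {
        size_t size = advertised - c.sent;
        if (size > sizeof(buf)) size = sizeof(buf);
        if (fill_request(&c, buf, size) < size) break;  /* truncated */
    }
    return c;
}

int main(void) {
    struct conn a = fixed_buffer_download(), b = sized_download(BODY_LEN);
    printf("fixed: %zu bytes, %d reads, err=%d\n", a.sent, a.reads, a.err);
    printf("sized: %zu bytes, %d reads, err=%d\n", b.sent, b.reads, b.err);
    return 0;
}
```

The sized reader still reports the reset when the advertised length is larger than what arrives, so a truncated download is not mistaken for a complete one.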

Openstack TripleO undercloud installation "could not find class ::ironic::drivers::deploy"

My host is:
cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
The host setup was done as described here: http://docs.openstack.org/developer/tripleo-docs/environments/environments.html#virtual-environment up to the "Continue with Undercloud ..." step
The result:
sudo virsh list --all
Id Name State
----------------------------------------------------
3 baremetalbrbm_0 running
4 instack running
- baremetalbrbm_1 shut off
The undercloud setup was done as described here: http://docs.openstack.org/developer/tripleo-docs/installation/installation.html
The installation was attempted on the instack VM. Did the SSL setup as well.
Running
openstack undercloud install
fails with
+ puppet apply --detailed-exitcodes /etc/puppet/manifests/puppet-stack-config.pp
Notice: Scope(Class[Tripleo::Firewall::Post]): At this stage, all network traffic is blocked.
Warning: Scope(Class[Swift]): swift_hash_suffix has been deprecated and should be replaced with swift_hash_path_suffix, this will be removed
Warning: Scope(Class[Nova::Keystone::Auth]): Note that service_name parameter default value will be changed to "Compute Service" (according future release. In case you use different value, please update your manifests accordingly.
Warning: Scope(Class[Nova::Keystone::Auth]): Note that service_name_v3 parameter default value will be changed to "Compute Service v3" (acco in a future release. In case you use different value, please update your manifests accordingly.
Warning: Scope(Class[Glance::Api]): The known_stores parameter is deprecated, use stores instead
Warning: Scope(Class[Glance::Api]): default_store not provided, it will be automatically set to glance.store.filesystem.Store
Warning: Scope(Class[Nova::Api]): In N cycle, enabled_apis will have to be an array of APIs to enable.
Warning: Scope(Class[Neutron::Server]): identity_uri, auth_tenant, auth_user, auth_password, auth_region configuration options are deprecateted options
Warning: Scope(Class[Neutron::Agents::Dhcp]): The dhcp_domain parameter is deprecated and will be removed in future releases
Warning: Scope(Class[Heat]): Default value for rabbit_heartbeat_timeout_threshold parameter is different from OpenStack project defaults
Warning: Scope(Class[Heat]): "admin_user", "admin_password", "admin_tenant_name" configuration options are deprecated in favor of auth_plugi
Warning: Scope(Class[Nova::Network::Neutron]): neutron_auth_plugin parameter is deprecated and will be removed in a future release, use neut
Error: Could not find class ::ironic::drivers::deploy for instack on node instack
Error: Could not find class ::ironic::drivers::deploy for instack on node instack
+ rc=1
+ set -e
+ echo 'puppet apply exited with exit code 1'
puppet apply exited with exit code 1
+ '[' 1 '!=' 2 -a 1 '!=' 0 ']'
+ exit 1
[2016-05-19 15:32:29,361] (os-refresh-config) [ERROR] during configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/cot status 1]
[2016-05-19 15:32:29,362] (os-refresh-config) [ERROR] Aborting...
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 987, in install
_run_orc(instack_env)
File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 866, in _run_orc
_run_live_command(args, instack_env, 'os-refresh-config')
File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 444, in _run_live_command
raise RuntimeError('%s failed. See log for details.' % name)
RuntimeError: os-refresh-config failed. See log for details.
Command 'instack-install-undercloud' returned non-zero exit status 1
Tried to install the ironic api as described here http://docs.openstack.org/developer/ironic/deploy/install-guide.html although to my understanding, this should not be necessary, since the undercloud was not installed on a baremetal machine.
Same result.
Some hours of Puppet readings later, I went into the /etc/puppet/modules/ironic/manifests/drivers folder and found, to no surprise, that the deploy class was not there. Perhaps it should not have been needed? I copied it from https://github.com/openstack/puppet-ironic/blob/master/manifests/drivers/deploy.pp and it seems to have got past the error originally reported. Fingers crossed.

ns-3 on Linux: error when cloning ns-3 branch

I'm trying to get the ns-3-dev release in the following way:
[root@localhost ns-3-allinone]# ./download.py -n ns-3-dev
#
# Get NS-3
#
Cloning ns-3 branch
=> hg clone http://code.nsnam.org/ns-3-dev ns-3-dev
requesting all changes
adding changesets
adding manifests
transaction abort!
rollback completed
abort: consistency error in delta!
Traceback (most recent call last):
File "./download.py", line 316, in <module>
sys.exit(main())
File "./download.py", line 261, in main
ns3_dir = get_ns3(options.ns3_branch)
File "./download.py", line 26, in get_ns3
run_command(['hg', 'clone', ns3_branch_url, ns3_dir])
File "/mercurial/mercurial-2.5.1/mercurial/repos/ns-3-allinone/util.py", line 24, in run_command
raise CommandError("Command %r exited with code %i" % (argv, retval))
util.CommandError: Command ['hg', 'clone', 'http://code.nsnam.org/ns-3-dev', 'ns-3-dev'] exited with code 255
However, I can clone the directory ns-3-allinone:
[root@localhost repos]# hg clone http://code.nsnam.org/ns-3-allinone
destination directory: ns-3-allinone
requesting all changes
adding changesets
adding manifests
adding file changes
added 55 changesets with 78 changes to 7 files
updating to branch default
7 files updated, 0 files merged, 0 files removed, 0 files unresolved
Why can't I get a copy of ns-3-dev?
It looks like the upstream ns-3-dev repository might be corrupted. Whoever runs it should be sure to run hg verify on it.

Problems with systemtap script

I wanna write a small script that identifies which function is using the mmap syscall:
#! /usr/bin/env stap
probe syscall.mmap.return {
if ( execname()=="java")
printf ("%s mmap caller\n", caller())
}
But it returns:
[root@gclimo01 stap]# stap -v mmap_caller.stp
Pass 1: parsed user script and 85 library script(s) using 198360virt/26732res/2944shr kb, in 210usr/50sys/264real ms.
Pass 2: analyzed script: 1 probe(s), 4 function(s), 4 embed(s), 0 global(s) using 355384virt/51680res/4048shr kb, in 650usr/350sys/1000real ms.
Pass 3: translated to C into "/tmp/stapwIxSzq/stap_a1823a5a24071fdf3118f618597b4ab6_7801_src.c" using 352824virt/54320res/6828shr kb, in 190usr/80sys/283real ms.
/tmp/stapwIxSzq/stap_a1823a5a24071fdf3118f618597b4ab6_7801_src.c: In function 'function_caller_addr':
/tmp/stapwIxSzq/stap_a1823a5a24071fdf3118f618597b4ab6_7801_src.c:646: error: dereferencing pointer to incomplete type
make[1]: *** [/tmp/stapwIxSzq/stap_a1823a5a24071fdf3118f618597b4ab6_7801_src.o] Error 1
make: *** [_module_/tmp/stapwIxSzq] Error 2
WARNING: make exited with status: 2
Pass 4: compiled C into "stap_a1823a5a24071fdf3118f618597b4ab6_7801.ko" in 1170usr/1120sys/2207real ms.
Pass 4: compilation failed. Try again with another '--vp 0001' option.
My system is RHEL 6.3, Linux xxxxxxxxx 2.6.32-279.1.1.el6.x86_64 #1 SMP Wed Jun 20 11:41:22 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
Any tips?
This was http://sourceware.org/bugzilla/show_bug.cgi?id=14079, fixed in systemtap 1.8 with
commit 4107dbc2c88536c3374a68948c7344af8c8e75aa
Author: Mark Wielaard <mjw@redhat.com>
Date: Tue May 8 19:59:07 2012 +0200
PR14079 - caller() pass-4 error if no uretprobes in script
caller() is odd in that it tries to do both kernel and user caller.
There is no ucaller(). Move it into its own tapset and include the
right uprobes related structures.
* runtime/uprobes-inc.h: New include file to be included in ...
* runtime/stack.c: here and ...
* tapset/context-caller.stp: here. New tapset, with just the caller context
function, removed from ...
* tapset/context-unwind.stp: here.
* doc/SystemTap_Tapset_Reference/tapsets.tmpl: Also include context-caller.stp.
