coldkernel is an automated build tool for grsec-enabled kernels on Debian, Ubuntu and CentOS. It also includes experimental support for Qubes TemplateVMs.
You will need (at least) 4GB of free disk space before starting the build.
sudo apt install paxctl bc wget gnupg fakeroot build-essential devscripts libfile-fcntllock-perl git
sudo apt-get build-dep linux
gcc --version
sudo apt install gcc-4.9-plugin-dev (for GCC 4.9)
sudo apt install gcc-5-plugin-dev (for GCC 5.x)
sudo apt install gcc-6-plugin-dev (for GCC 6.x)
sudo yum groupinstall "Development Tools"
sudo yum install hmaccalc zlib-devel binutils-devel elfutils-libelf-devel ncurses-devel gcc-plugin-devel wget git gnupg2 bc
In dom0:
sudo qubes-dom0-update grub2-xen
In Debian TemplateVM:
sudo apt install qubes-kernel-vm-support grub2-common
sudo apt install paxctl bc wget gnupg fakeroot build-essential devscripts libfile-fcntllock-perl git gcc-4.9-plugin-dev
Edit /etc/apt/sources.list
and uncomment the lines starting with deb-src
.
sudo apt-get build-dep linux
wget "https://coldhak.ca/coldhak/keys/coldhak.asc" -O coldhak.asc
gpg --import coldhak.asc
git clone https://github.com/coldhakca/coldkernel
cd coldkernel
git verify-tag coldkernel-0.9a-4.9.20
git checkout tags/coldkernel-0.9a-4.9.20
Run make
without arguments to build without hypervisor support. Otherwise, select the option below that best describes
your setup.
make kvm-host
make kvm-guest
make virtualbox-host
make virtualbox-guest
make xen-host
make xen-guest
make vmware-host
make vmware-guest
make hyperv-guest
make qubes-guest (EXPERIMENTAL)
From the coldkernel build directory:
wget https://grsecurity.net/paxctld/paxctld_1.2.1-1_amd64.{deb,deb.sig}
gpg --homedir=.gnupg --verify paxctld_1.2.1-1_amd64.{deb.sig,deb}
sudo dpkg -i paxctld_1.2.1-1_amd64.deb
sudo make install-deb
sudo cp paxctld.conf /etc/paxctld.conf
sudo paxctld -d
sudo systemctl enable paxctld
sudo reboot
From the coldkernel build directory:
wget https://grsecurity.net/paxctld/paxctld-systemd-1.2.1-1.x86_64.{rpm,rpm.sig}
gpg --homedir=.gnupg --verify paxctld-systemd-1.2.1-1.x86_64.{rpm.sig,rpm}
sudo yum localinstall paxctld-systemd-1.2.1-1.x86_64.rpm
sudo make install-rpm
sudo cp paxctld.conf /etc/paxctld.conf
sudo paxctld -d
sudo systemctl enable paxctld
sudo reboot
From the coldkernel build directory:
wget https://grsecurity.net/paxctld/paxctld_1.2.1-1_amd64.{deb,deb.sig}
gpg --homedir=.gnupg --verify paxctld_1.2.1-1_amd64.{deb.sig,deb}
sudo dpkg -i paxctld_1.2.1-1_amd64.deb
sudo make install-deb
sudo cp paxctld.conf /etc/paxctld.conf
sudo paxctld -d
sudo systemctl enable paxctld
sudo mkdir /boot/grub
sudo update-grub2
sudo shutdown -h now
Once the TemplateVM has been shutdown, you can change the kernel in the Qubes VM manager to pvgrub
and start the VM.
Users in this group are exempted from grsecurity's /proc restrictions.
Users in this group will not be able to execute any files that are not in root-owned directories writable only by root.
Users in this group will be unable to connect to other hosts from your machine or run server applications from your machine.
sudo groupadd -g 9001 grsecproc
sudo groupadd -g 9002 tpeuntrusted
sudo groupadd -g 9003 denysockets
This is still extremely alpha. If it breaks, you get to keep the pieces. There is currently support for x86_64 only.