postmarketOS

Troubleshooting:grsec

TLDR: Grsec based kernels are not supported, because qemu user emulation appears to be broken and we couldn't fix this right away. But if you want to add support for a kernel based on the grsec patchset, please go ahead. See also: #107

---

Grsec is the name of a patchset, that used to be freely available to harden the Linux kernel. Alpine has a linux-hardened kernel for example, which uses a fork of that patchset. When you run a kernel based on that patchset on your host Linux system, you will probably run into problems with pmbootstrap because it does some things inside chroots, that is blocked by default in that patchset. One example is setting file permissions (#107).

You have two options now. Either run pmbootstrap with a regular kernel, or disable the grsec specific features with sysctl while running pmbootstrap (you will probably run into other issues though, which have not been resolved - the quick solution is really using the regular kernel).

Disable some grsec-specific features while running pmbootstrap

We don't really know all options, that need to be disabled. Please extend this wiki page, if you are interested in this and figure it out. However, user cmdr2 reported, that you can do the following to disable all grsec features, and pmbootstrap will work then:

To comprehensively disable grsec until the next reboot, I suggest: ls -1 /proc/sys/kernel/grsecurity | xargs -I '___' sudo sysctl -w kernel.grsecurity.___=0

Commands to non-native chroots hang

This can only be partially resolved as of now, see #140. For starters, disable the RANDMMAP PaX flag:

sudo apk add paxctl
sudo paxctl -C ~/.local/var/pmbootstrap/chroot_rootfs_samsung-s7562/usr/bin/qemu-arm-static
sudo paxctl -r ~/.local/var/pmbootstrap/chroot_rootfs_samsung-s7562/usr/bin/qemu-arm-static