author | Nicolás Reynolds <fauno@kiwwwi.com.ar> | 2012-12-31 17:29:39 -0300 |
---|---|---|
committer | Nicolás Reynolds <fauno@kiwwwi.com.ar> | 2012-12-31 17:29:39 -0300 |
commit | 6f102d1647580e0bb9513c124b26a64c77da4f15 (patch) | |
tree | 0340f1f588be251183fe2b251bdba778f2c85c22 /kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install | |
parent | 433900b14f11dc9ee55b72e8e5946bf47f65b636 (diff) | |
parent | b6cb10de275cea63bab0bee2a98342afa4fdc4ee (diff) |
Merge branch 'master' of ssh://gparabola/srv/git/abslibre
Diffstat (limited to 'kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install')
-rw-r--r-- | kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
new file mode 100644
index 000000000..05662cb18
--- /dev/null
+++ b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
@@ -0,0 +1,125 @@
+# arg 1: the new package version
+# arg 2: the old package version
+
+KERNEL_NAME=-lts-grsec
+KERNEL_VERSION=3.2.35-2-LIBRE-LTS-GRSEC
+
+_fix_permissions() {
+ /usr/bin/paxutils
+
+ echo
+ echo You can repeat this process after updating or installing affected
+ echo binaries by running "paxutils".
+}
+
+_add_proc_group() {
+ if ! getent group proc-trusted >/dev/null; then
+ groupadd -g 9998 -r proc-trusted
+ useradd -g 9998 -r proc-trusted
+ fi
+}
+
+_add_tpe_group() {
+ if getent group grsec-trusted >/dev/null; then
+ groupmod -n tpe-trusted grsec-trusted
+ fi
+
+ if ! getent group tpe-trusted >/dev/null; then
+ groupadd -g 9999 -r tpe-trusted
+ useradd -g 9999 -r tpe-trusted
+ fi
+}
+
+_help() {
+ echo
+ echo For group tpe-trusted, Trusted Path Execution is disabled. For group
+ echo proc-trusted, the access to /proc is not restricted. Think carefully
+ echo before adding a normal user to this group.
+ echo
+ echo This is controllable with the sysctl options \"kernel.grsecurity.tpe*\".
+ echo
+ echo There is an extensive wikibook on grsecurity:
+ echo http://en.wikibooks.org/wiki/Grsecurity
+}
+
+# set a sane PATH to ensure that critical utils like depmod will be found
+export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+
+post_install () {
+ # updating module dependencies
+ echo ">>> Updating module dependencies. Please wait ..."
+ depmod ${KERNEL_VERSION}
+ if command -v mkinitcpio 2>&1 > /dev/null; then
+ echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
+ mkinitcpio -p linux-libre${KERNEL_NAME}
+ fi
+
+ # compat symlinks for the official kernels only
+ if [ -z "${KERNEL_NAME}" -o "${KERNEL_NAME}" = "-lts-grsec" ]; then
+ loaders="$(find /boot -name syslinux.cfg -or -name extlinux.conf -or -name grub.cfg -or -name menu.lst)"
+ [ -f /etc/lilo.conf ] && loaders="$loaders /etc/lilo.conf"
+ if [ -n "${loaders}" ] && grep -q -e vmlinuz26 -e kernel26.img -e kernel26-fallback.img $loaders; then
+ # add compat symlinks for the initramfs images
+ ln -sf initramfs-linux-libre${KERNEL_NAME}.img boot/kernel26${KERNEL_NAME}.img
+ ln -sf initramfs-linux-libre${KERNEL_NAME}-fallback.img \
+ boot/kernel26${KERNEL_NAME}-fallback.img
+ ln -sf vmlinuz-linux-libre${KERNEL_NAME} /boot/vmlinuz26${KERNEL_NAME}
+ fi
+ fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
+}
+
+post_upgrade() {
+ pacman -Q grub &>/dev/null
+ hasgrub=$?
+ pacman -Q grub-common &>/dev/null
+ hasgrub2=$?
+ pacman -Q lilo &>/dev/null
+ haslilo=$?
+ # reminder notices
+ if [ $haslilo -eq 0 ]; then
+ echo ">>>"
+ if [ $hasgrub -eq 0 -o $hasgrub2 -eq 0 ]; then
+ echo ">>> If you use the LILO bootloader, you should run 'lilo' before rebooting."
+ else
+ echo ">>> You appear to be using the LILO bootloader. You should run"
+ echo ">>> 'lilo' before rebooting."
+ fi
+ echo ">>>"
+ fi
+
+ if findmnt --fstab -uno SOURCE /boot &>/dev/null && ! mountpoint -q /boot; then
+ echo "WARNING: /boot appears to be a separate partition but is not mounted."
+ fi
+
+ # updating module dependencies
+ echo ">>> Updating module dependencies. Please wait ..."
+ depmod ${KERNEL_VERSION}
+ if command -v mkinitcpio 2>&1 > /dev/null; then
+ echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
+ mkinitcpio -p linux-libre${KERNEL_NAME}
+ fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
+}
+
+post_remove() {
+ # also remove the compat symlinks
+ rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}.img
+ rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}-fallback.img
+
+ for group in grsec-trusted proc-trusted tpe-trusted; do
+ if getent group $group >/dev/null; then
+ groupdel $group
+ fi
+ done
+} |
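Review bot: post_remove runs `groupdel $group` while the same-named accounts created by `useradd -g 9998 -r proc-trusted` and `useradd -g 9999 -r tpe-trusted` still have those groups as their primary group, so groupdel will refuse and both the accounts and the trusted groups are left behind after the package is removed. Delete the account first, for example `getent passwd $group >/dev/null && userdel $group` ahead of the `groupdel $group` line. In _add_proc_group and _add_tpe_group the result of `groupadd -g ...` is also unchecked: if GID 9998 or 9999 already belongs to another group, groupadd fails and the following `useradd -g` places the new account in that unrelated group. Since the fixed GIDs presumably match what the kernel is built to exempt from TPE and /proc restrictions, a pre-existing group on that GID would silently inherit the exemption, so a `getent group 9999` check with a visible warning before creating the group would be worth adding.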