-rwxr-xr-xkernels/linux-libre-lts-grsec/PKGBUILD6
-rwxr-xr-xkernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install58
2 files changed, 60 insertions, 4 deletions
diff --git a/kernels/linux-libre-lts-grsec/PKGBUILD b/kernels/linux-libre-lts-grsec/PKGBUILD
index e6ea24827..55b6c41f5 100755
--- a/kernels/linux-libre-lts-grsec/PKGBUILD
+++ b/kernels/linux-libre-lts-grsec/PKGBUILD
@@ -10,9 +10,9 @@ pkgbase=linux-libre-lts-grsec # Build stock -LIBRE-LTS-GRSEC kernel
#pkgbase=linux-libre-custom # Build kernel with a different name
_basekernel=3.2
_grsecver=2.9.1
-_timestamp=201212061818
+_timestamp=201212151420
pkgver=${_basekernel}.35
-pkgrel=1
+pkgrel=2
_lxopkgver=${_basekernel}.34 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="http://linux-libre.fsfla.org/"
@@ -35,7 +35,7 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
"http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2")
md5sums=('65c669b6e4888db84a80882461851867'
'11cd72c1febacfa98e3c6162fee86ba9'
- '27c45c7b29406bea785a8bef77ebfaf2'
+ 'cb8b68478cd26bcdef1aba5617aa4cb2'
'9cdc3506425c2f5ca4a05493c0c8dec9'
'969fb7ac31e86521d1d854b7d5a3fa18'
'243221bb1898f996dcf2020c015f6fd0'
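Review bot: The replaced `md5sums` entry (presumably the grsecurity patch matching the new `_timestamp`) is the only integrity check on that download, and MD5 is not collision-resistant. The source URLs visible in this hunk are also fetched over plain `http://`, so nothing else protects the file in transit. Consider moving the whole array to `sha256sums=(...)`, which makepkg supports, and regenerating every entry from verified upstream files. Both the `source` and `md5sums` arrays extend beyond this hunk.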
diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
index 18b408248..05662cb18 100755
--- a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
+++ b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
@@ -2,7 +2,45 @@
# arg 2: the old package version
KERNEL_NAME=-lts-grsec
-KERNEL_VERSION=3.2.35-1-LIBRE-LTS-GRSEC
+KERNEL_VERSION=3.2.35-2-LIBRE-LTS-GRSEC
+
+_fix_permissions() {
+ /usr/bin/paxutils
+
+ echo
+ echo You can repeat this process after updating or installing affected
+ echo binaries by running "paxutils".
+}
+
+_add_proc_group() {
+ if ! getent group proc-trusted >/dev/null; then
+ groupadd -g 9998 -r proc-trusted
+ useradd -g 9998 -r proc-trusted
+ fi
+}
+
+_add_tpe_group() {
+ if getent group grsec-trusted >/dev/null; then
+ groupmod -n tpe-trusted grsec-trusted
+ fi
+
+ if ! getent group tpe-trusted >/dev/null; then
+ groupadd -g 9999 -r tpe-trusted
+ useradd -g 9999 -r tpe-trusted
+ fi
+}
+
+_help() {
+ echo
+ echo For group tpe-trusted, Trusted Path Execution is disabled. For group
+ echo proc-trusted, the access to /proc is not restricted. Think carefully
+ echo before adding a normal user to this group.
+ echo
+ echo This is controllable with the sysctl options \"kernel.grsecurity.tpe*\".
+ echo
+ echo There is an extensive wikibook on grsecurity:
+ echo http://en.wikibooks.org/wiki/Grsecurity
+}
# set a sane PATH to ensure that critical utils like depmod will be found
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
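Review bot: In `_add_proc_group` and `_add_tpe_group` the result of `groupadd -g 9998` / `-g 9999` is never checked, so if that numeric GID already belongs to another group the `groupadd` fails and the following `useradd -g 9998 -r proc-trusted` still creates an account whose primary group is the unrelated one. If the kernel's grsecurity configuration is keyed to these numeric GIDs (not visible here), members of that unrelated group would silently receive the /proc or TPE exemption. Chain the commands and refer to the group by name, e.g. `groupadd -g 9998 -r proc-trusted && useradd -g proc-trusted -r proc-trusted`, and print a warning when the GID is already taken. Note also that `groupmod -n tpe-trusted grsec-trusted` keeps the old group's GID and fails when `tpe-trusted` already exists; a comment stating which GID the kernel expects would help. The callers added to `post_install` and `post_upgrade` ignore the helpers' exit status as well.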
@@ -28,6 +66,12 @@ post_install () {
ln -sf vmlinuz-linux-libre${KERNEL_NAME} /boot/vmlinuz26${KERNEL_NAME}
fi
fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
}
post_upgrade() {
@@ -60,10 +104,22 @@ post_upgrade() {
echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
mkinitcpio -p linux-libre${KERNEL_NAME}
fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
}
post_remove() {
# also remove the compat symlinks
rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}.img
rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}-fallback.img
+
+ for group in grsec-trusted proc-trusted tpe-trusted; do
+ if getent group $group >/dev/null; then
+ groupdel $group
+ fi
+ done
}
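Review bot: In `post_remove`, `groupdel $group` will be refused for `proc-trusted` and `tpe-trusted`, because the install hooks create same-named users with those groups as their primary group; both the accounts and the groups are then left behind after removal. Delete the user first, e.g. `getent passwd "$group" >/dev/null && userdel "$group"` ahead of the `groupdel "$group"` line, and quote `$group`. If other grsec kernel packages rely on the same groups (not visible here), deleting them when this one package is removed would also need a guard. `post_upgrade` begins outside this hunk.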