From d88edb002d66fe2b8d9f48c4ea5cb39314c2c39e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?= Date: Mon, 3 Dec 2012 14:30:09 -0200 Subject: linux-libre-lts-grsec: adding new package to [kernels] repo --- .../linux-libre-lts-grsec.install | 69 ++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100755 kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install (limited to 'kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install') diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install new file mode 100755 index 000000000..87abae14c --- /dev/null +++ b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install 
@@ -0,0 +1,69 @@
+# arg 1: the new package version
+# arg 2: the old package version
+
+KERNEL_NAME=-lts-grsec
+KERNEL_VERSION=3.2.34-1-LIBRE-LTS-GRSEC
+
+# set a sane PATH to ensure that critical utils like depmod will be found
+export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+
+post_install () {
+ # updating module dependencies
+ echo ">>> Updating module dependencies. Please wait ..."
+ depmod ${KERNEL_VERSION}
+ if command -v mkinitcpio 2>&1 > /dev/null; then
+ echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
+ mkinitcpio -p linux-libre${KERNEL_NAME}
+ fi
+
+ # compat symlinks for the official kernels only
+ if [ -z "${KERNEL_NAME}" -o "${KERNEL_NAME}" = "-lts-rt" ]; then
+ loaders="$(find /boot -name syslinux.cfg -or -name extlinux.conf -or -name grub.cfg -or -name menu.lst)"
+ [ -f /etc/lilo.conf ] && loaders="$loaders /etc/lilo.conf"
+ if [ -n "${loaders}" ] && grep -q -e vmlinuz26 -e kernel26.img -e kernel26-fallback.img $loaders; then
+ # add compat symlinks for the initramfs images
+ ln -sf initramfs-linux-libre${KERNEL_NAME}.img boot/kernel26${KERNEL_NAME}.img
+ ln -sf initramfs-linux-libre${KERNEL_NAME}-fallback.img \
+ boot/kernel26${KERNEL_NAME}-fallback.img
+ ln -sf vmlinuz-linux-libre${KERNEL_NAME} /boot/vmlinuz26${KERNEL_NAME}
+ fi
+ fi
+}
+
+post_upgrade() {
+ pacman -Q grub &>/dev/null
+ hasgrub=$?
+ pacman -Q grub-common &>/dev/null
+ hasgrub2=$?
+ pacman -Q lilo &>/dev/null
+ haslilo=$?
+ # reminder notices
+ if [ $haslilo -eq 0 ]; then
+ echo ">>>"
+ if [ $hasgrub -eq 0 -o $hasgrub2 -eq 0 ]; then
+ echo ">>> If you use the LILO bootloader, you should run 'lilo' before rebooting."
+ else
+ echo ">>> You appear to be using the LILO bootloader. You should run"
+ echo ">>> 'lilo' before rebooting."
+ fi
+ echo ">>>"
+ fi
+
+ if findmnt --fstab -uno SOURCE /boot &>/dev/null && ! mountpoint -q /boot; then
+ echo "WARNING: /boot appears to be a separate partition but is not mounted."
+ fi + + # updating module dependencies + echo ">>> Updating module dependencies. Please wait ..." + depmod ${KERNEL_VERSION} + if command -v mkinitcpio 2>&1 > /dev/null; then + echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..." + mkinitcpio -p linux-libre${KERNEL_NAME} + fi +} + +post_remove() { + # also remove the compat symlinks + rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}.img + rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}-fallback.img +} -- cgit v1.2.3-2-g168b From 1415841d617a9c7e792633cd004905bdecbc2e93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?= Date: Fri, 7 Dec 2012 17:23:58 -0200 Subject: linux-libre-lts-grsec-3.2.35-1: updating version --- kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install') diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install index 87abae14c..18b408248 100755 --- a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install +++ b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install @@ -2,7 +2,7 @@ # arg 2: the old package version KERNEL_NAME=-lts-grsec -KERNEL_VERSION=3.2.34-1-LIBRE-LTS-GRSEC +KERNEL_VERSION=3.2.35-1-LIBRE-LTS-GRSEC # set a sane PATH to ensure that critical utils like depmod will be found export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' 
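Review bot: In the new file's post_install and post_upgrade, `command -v mkinitcpio 2>&1 > /dev/null` applies its redirections in the wrong order: stderr is duplicated onto the original stdout before stdout is sent to /dev/null, so any error text still reaches the terminal; `command -v mkinitcpio >/dev/null 2>&1` silences both streams. The compat-symlink code also mixes relative `boot/kernel26…` targets with the absolute `/boot/vmlinuz26${KERNEL_NAME}`, so it depends on the scriptlet's working directory being the filesystem root. post_remove deletes only the relative `.img` links and leaves the `vmlinuz26${KERNEL_NAME}` link behind; using `/boot/` throughout and adding `rm -f /boot/vmlinuz26${KERNEL_NAME}` would make install and removal symmetric.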
@@ -17,7 +17,7 @@ post_install () { fi # compat symlinks for the official kernels only - if [ -z "${KERNEL_NAME}" -o "${KERNEL_NAME}" = "-lts-rt" ]; then + if [ -z "${KERNEL_NAME}" -o "${KERNEL_NAME}" = "-lts-grsec" ]; then loaders="$(find /boot -name syslinux.cfg -or -name extlinux.conf -or -name grub.cfg -or -name menu.lst)" [ -f /etc/lilo.conf ] && loaders="$loaders /etc/lilo.conf" if [ -n "${loaders}" ] && grep -q -e vmlinuz26 -e kernel26.img -e kernel26-fallback.img $loaders; then -- cgit v1.2.3-2-g168b From 5b097c43838ac6cdffb71e6e26d7ff3a98ca4211 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?= Date: Sun, 23 Dec 2012 12:32:33 -0200 Subject: linux-libre-lts-grsec-3.2.35-2: updating revision --- .../linux-libre-lts-grsec.install | 58 +++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) (limited to 'kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install') diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install index 18b408248..05662cb18 100755 --- a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install +++ b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install 
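Review bot: The context comment `# compat symlinks for the official kernels only` no longer matches the condition once it tests for `-lts-grsec`: with KERNEL_NAME set to that value the branch now always runs for this package. If that is intended, the comment should say so, for example `# compat symlinks: official kernels and this -lts-grsec package`. If it is not, the block is better dropped than re-targeted, since kernel26-style names presumably never existed for this kernel. The rest of post_install lies outside the hunk.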
@@ -2,7 +2,45 @@ # arg 2: the old package version KERNEL_NAME=-lts-grsec -KERNEL_VERSION=3.2.35-1-LIBRE-LTS-GRSEC +KERNEL_VERSION=3.2.35-2-LIBRE-LTS-GRSEC + +_fix_permissions() { + /usr/bin/paxutils + + echo + echo You can repeat this process after updating or installing affected + echo binaries by running "paxutils". +} + +_add_proc_group() { + if ! getent group proc-trusted >/dev/null; then + groupadd -g 9998 -r proc-trusted + useradd -g 9998 -r proc-trusted + fi +} + +_add_tpe_group() { + if getent group grsec-trusted >/dev/null; then + groupmod -n tpe-trusted grsec-trusted + fi + + if ! getent group tpe-trusted >/dev/null; then + groupadd -g 9999 -r tpe-trusted + useradd -g 9999 -r tpe-trusted + fi +} + +_help() { + echo + echo For group tpe-trusted, Trusted Path Execution is disabled. For group + echo proc-trusted, the access to /proc is not restricted. Think carefully + echo before adding a normal user to this group. + echo + echo This is controllable with the sysctl options \"kernel.grsecurity.tpe*\". + echo + echo There is an extensive wikibook on grsecurity: + echo http://en.wikibooks.org/wiki/Grsecurity +} # set a sane PATH to ensure that critical utils like depmod will be found export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' @@ -28,6 +66,12 @@ post_install () { ln -sf vmlinuz-linux-libre${KERNEL_NAME} /boot/vmlinuz26${KERNEL_NAME} fi fi + + _add_proc_group + _add_tpe_group + _fix_permissions + + _help } post_upgrade() { 
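Review bot: In `_add_proc_group` and `_add_tpe_group` the result of `groupadd -g 9998` / `groupadd -g 9999` is not checked, and the following `useradd -g 9998` / `useradd -g 9999` refers to the group by number. If that GID already belongs to another group, groupadd fails and useradd gives the new account the unrelated group as its primary group, while the named trusted group that `_help` describes does not exist. The kernel presumably keys the exemptions on these fixed GIDs, so a collision deserves a visible warning: `groupadd -g 9999 -r tpe-trusted || { echo "GID 9999 is already in use" >&2; return 1; }` followed by `useradd -g tpe-trusted -r tpe-trusted`, and the same for proc-trusted. The calls added to post_install in the second hunk (and to post_upgrade in the next one) run these helpers and `/usr/bin/paxutils` without checking their status, so a failure goes unreported. In `_help`, the unquoted `tpe*` is open to glob expansion; quoting the whole echo argument avoids that.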
@@ -60,10 +104,22 @@ post_upgrade() { echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..." mkinitcpio -p linux-libre${KERNEL_NAME} fi + + _add_proc_group + _add_tpe_group + _fix_permissions + + _help } post_remove() { # also remove the compat symlinks rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}.img rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}-fallback.img + + for group in grsec-trusted proc-trusted tpe-trusted; do + if getent group $group >/dev/null; then + groupdel $group + fi + done } -- cgit v1.2.3-2-g168b From ac9b0c15630b9a5c62bb8ca1d6a617acb1dc91c7 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Sat, 22 Dec 2012 00:44:04 -0500 Subject: manually audit file permissions I looked at the files found by: find . -type f -not -perm 644|egrep -v '/(src|pkg|\.git)/'|sort --- kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install (limited to 'kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install') diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install old mode 100755 new mode 100644 -- cgit v1.2.3-2-g168b
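Review bot: The `groupdel $group` loop added to post_remove will normally fail for proc-trusted and tpe-trusted, because each is still the primary group of the like-named account created with `useradd -g`, and groupdel refuses to delete a user's primary group. Those accounts are never removed either, so uninstalling leaves both the users and the groups in place. Removing the account first, e.g. `getent passwd "$group" >/dev/null && userdel "$group"` ahead of `groupdel "$group"`, would make removal mirror installation. Deleting the groups also discards any memberships an administrator assigned, which deserves a short comment such as `# drops all trusted-group memberships; they must be re-granted on reinstall`. post_upgrade begins outside this hunk; post_remove is shown in full.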