From 9c76e361e991b9281e07f94863fd5058561a38ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?= Date: Mon, 26 May 2014 12:57:54 -0300 Subject: linux-libre-grsec-3.14.4.201405252047-1: updating version * add optional dependencies on gradm and paxd * enable rwxmap_logging by default (this logging feature never has any false positives. it indicates that PAX_MPROTECT denied an `mprotect` call.) * update the sysctl configuration file to mention paxd --- libre/linux-libre-grsec/PKGBUILD | 10 ++++++---- libre/linux-libre-grsec/sysctl.conf | 14 ++++++++------ 2 files changed, 14 insertions(+), 10 deletions(-) (limited to 'libre/linux-libre-grsec')
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index 6f7e20edf..38427a6a5 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -14,7 +14,7 @@ pkgbase=linux-libre-grsec # Build stock -LIBRE-GRSEC kernel
 _basekernel=3.14
 _sublevel=4
 _grsecver=3.0
-_timestamp=201405141623
+_timestamp=201405252047
 _pkgver=${_basekernel}.${_sublevel}
 pkgver=${_basekernel}.${_sublevel}.${_timestamp}
 pkgrel=1
@@ -51,7 +51,7 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
 "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
 sha256sums=('477555c709b9407fe37dbd70d3331ff9dde1f9d874aba2741f138d07ae6f281b'
 '01de5e15a2081197859e617c441de5cac9ddf60bed6fcf4dcff7a54e210e7815'
- 'e41e5dea54db4311655ccc68b371ac15dcc48f8767ca0a02150af70e831d2e4d'
+ 'dceb3a6aeb9ba71e68835e37d2add6c6d4c60f6e253b4bd9c20b6a8e82ec0a96'
 'SKIP'
 '0b6dbdf4d1677a39b9a0d55e8d7c66fe644fa77d769e3b673064181222b17467'
 '8207a533f4fbad05ad26061f924957a7a92436d44a5dd7ca10e61d730c5e0ef9'
@@ -71,7 +71,7 @@ sha256sums=('477555c709b9407fe37dbd70d3331ff9dde1f9d874aba2741f138d07ae6f281b'
 '79359454c9d8446eb55add2b1cdbf8332bd67dafb01fefb5b1ca090225f64d18'
 'f2a5e22c1ba6e9b8a32a7bd4a5327ee95538aa10edcee3cd12578f8ff49bf6be'
 '384dd13fd4248fd6809da8c6ae29ced55d4a5cacc33ac2ae7522093ec0fb26d4'
- 'a37823f0cdf3f318ec3f486f6e4035a7a8f887522d3a563d4dfe155f143ba24f'
+ '19e59be36d3649fa72f93dc2a942df711935e7cb695632c4818f983363806eca'
 '3cd53473e049a4809d9dde8ebef73307ce87076d707f3fd5c100844d4a9e8255')
 if [ "$CARCH" != "mips64el" ]; then
 # don't use the Loongson-specific patches on non-mips64el arches.
@@ -214,7 +214,9 @@ _package() {
 pkgdesc="The ${pkgbase^} kernel and modules with grsecurity/PaX patches"
 [ "${pkgbase}" = "linux-libre" ] && groups=('base')
 depends=('coreutils' 'linux-libre-firmware' 'kmod')
- optdepends=('crda: to set the correct wireless channels of your country')
+ optdepends=('crda: to set the correct wireless channels of your country'
+ 'gradm: to configure and enable Role Based Access Control (RBAC)'
+ 'paxd: to enable PaX exploit mitigations and apply exceptions automatically')
 provides=("kernel26${_kernelname}=${pkgver}" "linux${_kernelname}=${pkgver}")
 conflicts=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
 replaces=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
index a1af2c48e..bef8e350d 100644
--- a/libre/linux-libre-grsec/sysctl.conf
+++ b/libre/linux-libre-grsec/sysctl.conf
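Review bot: In the `@@ -214,7 +214,9 @@` hunk, `paxd` is added only as an optional dependency, yet the sysctl.conf changed by this same commit keeps `kernel.pax.softmode = 1` and says paxd is what sets it back to 0, so an install without paxd runs with PaX in soft mode unless the administrator changes the setting. The optdepends description should spell that consequence out, for example `'paxd: to enforce PaX exploit mitigations (kernel.pax.softmode stays 1 without it) and apply exceptions automatically'`. `_package()` starts before this hunk and continues past it.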
@@ -1,11 +1,13 @@
-# All features in the kernel.grsecurity namespace are disabled by default.
+# All features in the kernel.grsecurity namespace are disabled by default in
+# the kernel and must be enabled here.
 #
-# Disable PaX enforcement by default, due to lacking integration with packages.
+# Disable PaX enforcement by default.
 #
-# This is considered a major flaw in this package and will be corrected in the
-# future. Many binaries need to be flagged as requiring an exception from the
-# PaX rules.
+# The `paxd` package sets softmode back to 0 in a configuration file loaded
+# after this one. It automatically handles setting exceptions from the PaX
+# exploit mitigations after Pacman operations. Altering the setting here rather
+# than using `paxd` is not recommended.
 #
 kernel.pax.softmode = 1
@@ -77,7 +79,7 @@ kernel.grsecurity.audit_gid = 201
 #kernel.grsecurity.signal_logging = 1
 #kernel.grsecurity.forkfail_logging = 1
 #kernel.grsecurity.timechange_logging = 1
-#kernel.grsecurity.rwxmap_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
 #
 # Executable protections
--
cgit v1.2.3-2-g168b
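Review bot: The new comment in the `@@ -1,11 +1,13 @@` hunk makes enforcement depend on paxd's configuration file being loaded after this one, but nothing in the file records what guarantees that order. If this file were ever installed under a name that is read after paxd's, `kernel.pax.softmode = 1` would win and PaX would stay in soft mode with no visible error; the installed file names are not shown in this diff, so that needs confirming against the package. A line such as `# This file must be read before paxd's sysctl file; verify with "sysctl kernel.pax.softmode" after boot.` would state the constraint and give a way to check it.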
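Review bot: `kernel.grsecurity.rwxmap_logging = 1` in the `@@ -77,7 +79,7 @@` hunk becomes the only active logging switch among the visible lines, and the file gives no reason why it differs from the commented-out settings above it. The rationale exists only in the commit message; a comment above the line such as `# Logs mprotect calls denied by PAX_MPROTECT; no false positives.` would keep it with the setting. While `kernel.pax.softmode = 1` is in effect, these entries will presumably appear only for binaries that have the restriction switched on explicitly, so an empty log on a system without paxd should not be read as a clean result.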