blob: cff18d0203b6b4ab7021d916ae24782ac7b44863 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
# arg 1: the new package version
# arg 2: the old package version
KERNEL_NAME=-grsec
KERNEL_VERSION=
_add_groups() {
if getent group tpe-trusted >/dev/null; then
groupmod -g 200 -n tpe tpe-trusted
fi
if ! getent group tpe >/dev/null; then
groupadd -g 200 -r tpe
fi
if ! getent group audit >/dev/null; then
groupadd -g 201 -r audit
fi
if getent group socket-deny-all >/dev/null; then
groupmod -g 202 socket-deny-all
else
groupadd -g 202 -r socket-deny-all
fi
if getent group socket-deny-client >/dev/null; then
groupmod -g 203 socket-deny-client
else
groupadd -g 203 -r socket-deny-client
fi
if getent group socket-deny-server >/dev/null; then
groupmod -g 204 socket-deny-server
else
groupadd -g 204 -r socket-deny-server
fi
}
_remove_groups() {
for group in tpe socket-deny-server socket-deny-client socket-deny-all; do
if getent group $group >/dev/null; then
groupdel $group
fi
done
}
_help() {
cat <<EOF
Configuration of grsecurity features via sysctl is possible in
"/etc/sysctl.d/05-grsecurity.conf".
Trusted Path Execution is disabled by default and can be enabled via the
kernel.grsecurity.tpe sysctl option. The tpe group can be used either to build
a whitelist for users free from the restrictions (tpe_invert = 1) or a
blacklist of users with the restrictions (tpe_invert = 0).
To prevent certain socket access to users, there are three groups:
socket-deny-server, socket-deny-client and socket-deny-all.
There is an extensive wikibook on grsecurity and some documentation in the
Parabola GNU/Linux-libre Wiki:
https://en.wikibooks.org/wiki/Grsecurity
https://wiki.parabolagnulinux.org/Grsecurity
EOF
}
post_install () {
# updating module dependencies
echo ">>> Updating module dependencies. Please wait ..."
depmod ${KERNEL_VERSION}
if command -v mkinitcpio 2>&1 > /dev/null; then
echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
mkinitcpio -p linux-libre${KERNEL_NAME}
fi
_add_groups
_help
}
post_upgrade() {
if findmnt --fstab -uno SOURCE /boot &>/dev/null && ! mountpoint -q /boot; then
echo "WARNING: /boot appears to be a separate partition but is not mounted."
fi
if getent group proc-trusted >/dev/null; then
groupdel proc-trusted
fi
# updating module dependencies
echo ">>> Updating module dependencies. Please wait ..."
depmod ${KERNEL_VERSION}
if command -v mkinitcpio 2>&1 > /dev/null; then
echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
mkinitcpio -p linux-libre${KERNEL_NAME}
fi
if [ $(vercmp $2 3.13) -lt 0 ]; then
echo ">>> WARNING: AT keyboard support is no longer built into the kernel."
echo ">>> In order to use your keyboard during early init, you MUST"
echo ">>> include the 'keyboard' hook in your mkinitcpio.conf."
fi
_add_groups
_help
}
post_remove() {
# also remove the compat symlinks
rm -f boot/initramfs-linux-libre${KERNEL_NAME}.img
rm -f boot/initramfs-linux-libre${KERNEL_NAME}-fallback.img
_remove_groups
}
|
