-rwxr-xr-x | kernels/linux-libre-lts-grsec/PKGBUILD | 6 | ||||
-rwxr-xr-x | kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install | 58 |
2 files changed, 60 insertions, 4 deletions
diff --git a/kernels/linux-libre-lts-grsec/PKGBUILD b/kernels/linux-libre-lts-grsec/PKGBUILD
index e6ea24827..55b6c41f5 100755
--- a/kernels/linux-libre-lts-grsec/PKGBUILD
+++ b/kernels/linux-libre-lts-grsec/PKGBUILD
@@ -10,9 +10,9 @@ pkgbase=linux-libre-lts-grsec # Build stock -LIBRE-LTS-GRSEC kernel
 #pkgbase=linux-libre-custom # Build kernel with a different name
 _basekernel=3.2
 _grsecver=2.9.1
-_timestamp=201212061818
+_timestamp=201212151420
 pkgver=${_basekernel}.35
-pkgrel=1
+pkgrel=2
 _lxopkgver=${_basekernel}.34 # nearly always the same as pkgver
 arch=('i686' 'x86_64' 'mips64el')
 url="http://linux-libre.fsfla.org/"
@@ -35,7 +35,7 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
 "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2")
 md5sums=('65c669b6e4888db84a80882461851867'
 '11cd72c1febacfa98e3c6162fee86ba9'
- '27c45c7b29406bea785a8bef77ebfaf2'
+ 'cb8b68478cd26bcdef1aba5617aa4cb2'
 '9cdc3506425c2f5ca4a05493c0c8dec9'
 '969fb7ac31e86521d1d854b7d5a3fa18'
 '243221bb1898f996dcf2020c015f6fd0'
diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
index 18b408248..05662cb18 100755
--- a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
+++ b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
@@ -2,7 +2,45 @@
 # arg 2: the old package version
 KERNEL_NAME=-lts-grsec
-KERNEL_VERSION=3.2.35-1-LIBRE-LTS-GRSEC
+KERNEL_VERSION=3.2.35-2-LIBRE-LTS-GRSEC
+
+_fix_permissions() {
+ /usr/bin/paxutils
+
+ echo
+ echo You can repeat this process after updating or installing affected
+ echo binaries by running "paxutils".
+}
+
+_add_proc_group() {
+ if ! getent group proc-trusted >/dev/null; then
+ groupadd -g 9998 -r proc-trusted
+ useradd -g 9998 -r proc-trusted
+ fi
+}
+
+_add_tpe_group() {
+ if getent group grsec-trusted >/dev/null; then
+ groupmod -n tpe-trusted grsec-trusted
+ fi
+
+ if ! getent group tpe-trusted >/dev/null; then
+ groupadd -g 9999 -r tpe-trusted
+ useradd -g 9999 -r tpe-trusted
+ fi
+}
+
+_help() {
+ echo
+ echo For group tpe-trusted, Trusted Path Execution is disabled. For group
+ echo proc-trusted, the access to /proc is not restricted. Think carefully
+ echo before adding a normal user to this group.
+ echo
+ echo This is controllable with the sysctl options \"kernel.grsecurity.tpe*\".
+ echo
+ echo There is an extensive wikibook on grsecurity:
+ echo http://en.wikibooks.org/wiki/Grsecurity
+}
 # set a sane PATH to ensure that critical utils like depmod will be found
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@@ -28,6 +66,12 @@ post_install () {
 ln -sf vmlinuz-linux-libre${KERNEL_NAME} /boot/vmlinuz26${KERNEL_NAME}
 fi
 fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
 }
 post_upgrade() {
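Review bot: In `_add_proc_group` and `_add_tpe_group` the result of `groupadd -g 9998` / `groupadd -g 9999` is never checked, and the `useradd` that follows names the group by number rather than by name. If that GID already belongs to another group on the system, `groupadd` fails and `useradd -g 9998 -r proc-trusted` attaches the new account to the unrelated group; if the kernel keys its /proc and TPE exemptions on these numeric GIDs (presumably why they are fixed, though the kernel config is not part of this diff), members of that group would inherit the exemption. Stop on failure and refer to the group by name, e.g. `groupadd -g 9998 -r proc-trusted || return 1` followed by `useradd -g proc-trusted -r proc-trusted`, and likewise for 9999. A comment saying why a same-named account is needed at all would also help, since `useradd` without `-s` takes the system default login shell.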
@@ -60,10 +104,22 @@ post_upgrade() {
 echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
 mkinitcpio -p linux-libre${KERNEL_NAME}
 fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
 }
 post_remove() {
 # also remove the compat symlinks
 rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}.img
 rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}-fallback.img
+
+ for group in grsec-trusted proc-trusted tpe-trusted; do
+ if getent group $group >/dev/null; then
+ groupdel $group
+ fi
+ done
 }
|
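Review bot: The new loop in `post_remove` calls `groupdel` on groups that are still the primary group of the `proc-trusted` and `tpe-trusted` accounts created by `useradd -g … -r` in the helper functions. `groupdel` refuses to remove a user's primary group, so uninstalling would leave both the accounts and the groups behind. Remove the account first, e.g. `getent passwd "$group" >/dev/null && userdel "$group"` ahead of the existing `getent group` check, which then also covers the case where `userdel` has already dropped the same-named group. `$group` should be quoted in the `getent` and `groupdel` calls as well. `post_upgrade` begins outside this hunk; the calls added to it mirror those added to `post_install`.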