-rw-r--r-- | libre/linux-libre-grsec/PKGBUILD | 14 | ||||
-rw-r--r-- | libre/linux-libre-grsec/linux-libre-grsec.install | 45 | ||||
-rw-r--r-- | libre/linux-libre-grsec/sysctl.conf | 131 |
3 files changed, 5 insertions, 185 deletions
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index f905d06c5..fd6ee3d1f 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -1,3 +1,4 @@
+# $Id: PKGBUILD 116869 2014-08-04 21:40:54Z thestinger $
 # Maintainer (Arch): Daniel Micay <danielmicay@gmail.com>
 # Contributor (Arch): Tobias Powalowski <tpowa@archlinux.org>
 # Contributor (Arch): Thomas Baechler <thomas@archlinux.org>
@@ -15,10 +16,10 @@ pkgbase=linux-libre-grsec # Build stock -libre-grsec kernel
 _basekernel=3.15
 _sublevel=8
 _grsecver=3.0
-_timestamp=201408031129
+_timestamp=201408040708
 _pkgver=${_basekernel}.${_sublevel}
 pkgver=${_basekernel}.${_sublevel}.${_timestamp}
-pkgrel=1
+pkgrel=2
 _lxopkgver=${_basekernel}.8 # nearly always the same as pkgver
 arch=('i686' 'x86_64' 'mips64el')
 url="https://grsecurity.net/"
@@ -38,7 +39,6 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
 'boot-logo.patch'
 'change-default-console-loglevel.patch'
 'Revert-userns-Allow-unprivileged-users-to-create-use.patch'
- 'sysctl.conf'
 "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
 sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
 '6dfa7e972f54feef3a40047704495c00b4e163d7f164c133aaaa70871ab61afe'
@@ -52,7 +52,6 @@ sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
 'f913384dd6dbafca476fcf4ccd35f0f497dda5f3074866022facdb92647771f6'
 'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
 '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754'
- 'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31'
 '2b514ce7d678919bc923fc3a4beef38f4a757a6275717dfe7147544c2e9964f0')
 if [ "$CARCH" != "mips64el" ]; then
 # don't use the Loongson-specific patches on non-mips64el arches.
@@ -154,14 +153,14 @@ build() {
 _package() {
 pkgdesc="The ${pkgbase^} kernel and modules with grsecurity/PaX patches"
 [ "${pkgbase}" = "linux-libre" ] && groups=('base')
- depends=('coreutils' 'linux-libre-firmware' 'kmod')
+ depends=('coreutils' 'linux-libre-firmware' 'kmod' 'grsec-common')
 optdepends=('crda: to set the correct wireless channels of your country'
 'gradm: to configure and enable Role Based Access Control (RBAC)'
 'paxd: to enable PaX exploit mitigations and apply exceptions automatically')
 provides=("kernel26${_kernelname}=${pkgver}" "linux${_kernelname}=${pkgver}")
 conflicts=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
 replaces=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
- backup=("etc/mkinitcpio.d/${pkgbase}.preset" 'etc/sysctl.d/05-grsecurity.conf')
+ backup=("etc/mkinitcpio.d/${pkgbase}.preset")
 install=${pkgbase}.install
 if [ "$CARCH" = "mips64el" ]; then
 optdepends+=('mkinitcpio: to make the initramfs (needs reinstall of this package)')
@@ -243,9 +242,6 @@ _package() {
 mkdir -p "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin"
 install -m644 tools/gcc/size_overflow_plugin/Makefile tools/gcc/size_overflow_plugin/*.so \
 "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin"
-
- # install sysctl configuration for grsecurity switches
- install -Dm600 "${srcdir}/sysctl.conf" "${pkgdir}/etc/sysctl.d/05-grsecurity.conf"
 }
 
 _package-headers() {
diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install
index 22a798dfa..572c893d1 100644
--- a/libre/linux-libre-grsec/linux-libre-grsec.install
+++ b/libre/linux-libre-grsec/linux-libre-grsec.install
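Review bot: Dropping `'etc/sysctl.d/05-grsecurity.conf'` from `backup` in the `_package()` hunk, together with the removed `install -Dm600` in the following hunk, hands a security-relevant config file over to the new `grsec-common` dependency without any notice to the user. When a package stops shipping a file that was in its backup array, pacman removes an unmodified copy and renames a locally edited one to `05-grsecurity.conf.pacsave`, so site-specific hardening made in that file (for example one of the switches the old file shipped commented out) silently stops being applied after the upgrade; whether grsec-common installs the same path in the same transaction, and how pacman orders that, is not visible in this diff. A short comment next to the depends change would record the intent, e.g. `# grsec-common now ships /etc/sysctl.d/05-grsecurity.conf; users with local edits get a .pacsave`, and the install script's post_upgrade should echo the same. `_package()` starts and ends outside both hunks.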
@@ -15,46 +15,6 @@ EOF
 fi
 }
 
-_add_groups() {
- if getent group tpe-trusted >/dev/null; then
- groupmod -g 200 -n tpe tpe-trusted
- fi
-
- if ! getent group tpe >/dev/null; then
- groupadd -g 200 -r tpe
- fi
-
- if ! getent group audit >/dev/null; then
- groupadd -g 201 -r audit
- fi
-
- if getent group socket-deny-all >/dev/null; then
- groupmod -g 202 socket-deny-all
- else
- groupadd -g 202 -r socket-deny-all
- fi
-
- if getent group socket-deny-client >/dev/null; then
- groupmod -g 203 socket-deny-client
- else
- groupadd -g 203 -r socket-deny-client
- fi
-
- if getent group socket-deny-server >/dev/null; then
- groupmod -g 204 socket-deny-server
- else
- groupadd -g 204 -r socket-deny-server
- fi
-}
-
-_remove_groups() {
- for group in tpe socket-deny-server socket-deny-client socket-deny-all; do
- if getent group $group >/dev/null; then
- groupdel $group
- fi
- done
-}
-
 post_install () {
 # updating module dependencies
 echo ">>> Updating module dependencies. Please wait ..."
@@ -64,7 +24,6 @@ post_install () {
 mkinitcpio -p linux-libre${KERNEL_NAME}
 fi
 
- _add_groups
 _uderef_warning
 }
 
@@ -91,8 +50,6 @@ post_upgrade() {
 echo ">>> include the 'keyboard' hook in your mkinitcpio.conf."
 fi
 
- _add_groups
-
 if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then
 _uderef_warning
 fi
@@ -102,6 +59,4 @@ post_remove() {
 # also remove the compat symlinks
 rm -f boot/initramfs-linux-libre${KERNEL_NAME}.img
 rm -f boot/initramfs-linux-libre${KERNEL_NAME}-fallback.img
-
- _remove_groups
 }
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
deleted file mode 100644
index a5f6bf83e..000000000
--- a/libre/linux-libre-grsec/sysctl.conf
+++ /dev/null
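Review bot: `post_upgrade` in the `@@ -91,8 +50,6 @@` hunk drops the `_add_groups` call but adds no message for systems upgrading from a release whose install script created the `tpe`, `audit` and `socket-deny-*` groups (gids 200–204); the same applies to `post_remove` in the last hunk, which no longer calls `_remove_groups`, so those groups now outlive the package. If grsec-common adopts the same names and gids this is harmless, but if it assigns different ones the gid-based sysctl switches the deleted sysctl.conf pointed at these groups would reference stale groups — which case applies cannot be told from this diff. The script already guards version-specific advice with vercmp, so the same pattern fits here: `if [[ $(vercmp $2 3.15.8.201408040708-2) -lt 0 ]]; then` / `echo ">>> grsecurity groups and /etc/sysctl.d/05-grsecurity.conf are now managed by grsec-common"` / `fi`. The enclosing `post_upgrade` function starts outside the hunk.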
@@ -1,131 +0,0 @@
-# All features in the kernel.grsecurity namespace are disabled by default in
-# the kernel and must be enabled here.
-
-#
-# Disable PaX enforcement by default.
-#
-# The `paxd` package sets softmode back to 0 in a configuration file loaded
-# after this one. It automatically handles setting exceptions from the PaX
-# exploit mitigations after Pacman operations. Altering the setting here rather
-# than using `paxd` is not recommended.
-#
-
-kernel.pax.softmode = 1
-
-#
-# Memory protections
-#
-
-#kernel.grsecurity.disable_priv_io = 1
-kernel.grsecurity.deter_bruteforce = 1
-
-#
-# Race free SymLinksIfOwnerMatch for web servers
-#
-# symlinkown_gid: http group
-#
-
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 33
-
-#
-# FIFO restrictions
-#
-# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
-# unless the owner of the FIFO is the same owner of the directory it's held in.
-#
-
-kernel.grsecurity.fifo_restrictions = 1
-
-#
-# Deny any further rw mounts
-#
-
-#kernel.grsecurity.romount_protect = 1
-
-#
-# chroot restrictions (the commented options will break containers)
-#
-
-#kernel.grsecurity.chroot_caps = 1
-#kernel.grsecurity.chroot_deny_chmod = 1
-#kernel.grsecurity.chroot_deny_chroot = 1
-kernel.grsecurity.chroot_deny_fchdir = 1
-#kernel.grsecurity.chroot_deny_mknod = 1
-#kernel.grsecurity.chroot_deny_mount = 1
-#kernel.grsecurity.chroot_deny_pivot = 1
-kernel.grsecurity.chroot_deny_shmat = 1
-kernel.grsecurity.chroot_deny_sysctl = 1
-kernel.grsecurity.chroot_deny_unix = 1
-kernel.grsecurity.chroot_enforce_chdir = 1
-kernel.grsecurity.chroot_findtask = 1
-#kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel auditing
-#
-# audit_group: Restrict exec/chdir logging to a group.
-# audit_gid: audit group
-#
-
-#kernel.grsecurity.audit_group = 1
-kernel.grsecurity.audit_gid = 201
-#kernel.grsecurity.exec_logging = 1
-#kernel.grsecurity.resource_logging = 1
-#kernel.grsecurity.chroot_execlog = 1
-#kernel.grsecurity.audit_ptrace = 1
-#kernel.grsecurity.audit_chdir = 1
-#kernel.grsecurity.audit_mount = 1
-#kernel.grsecurity.signal_logging = 1
-#kernel.grsecurity.forkfail_logging = 1
-#kernel.grsecurity.timechange_logging = 1
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable protections
-#
-
-kernel.grsecurity.harden_ptrace = 1
-kernel.grsecurity.ptrace_readexec = 1
-kernel.grsecurity.consistent_setxid = 1
-kernel.grsecurity.harden_ipc = 1
-
-#
-# Trusted Path Execution
-#
-# tpe_gid: tpe group
-#
-
-#kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 200
-#kernel.grsecurity.tpe_invert = 1
-#kernel.grsecurity.tpe_restrict_all = 1
-
-#
-# Network protections
-#
-# socket_all_gid: socket-deny-all group
-# socket_client_gid: socket-deny-client group
-# socket_server_gid: socket-deny-server group
-#
-
-#kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-kernel.grsecurity.socket_all = 1
-kernel.grsecurity.socket_all_gid = 202
-kernel.grsecurity.socket_client = 1
-kernel.grsecurity.socket_client_gid = 203
-kernel.grsecurity.socket_server = 1
-kernel.grsecurity.socket_server_gid = 204
-
-#
-# Prevent any new USB devices from being recognized by the OS.
-#
-
-#kernel.grsecurity.deny_new_usb = 1
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-
-kernel.grsecurity.grsec_lock = 0