summaryrefslogtreecommitdiff
path: root/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
diff options
context:
space:
mode:
Diffstat (limited to 'kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install')
-rwxr-xr-xkernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install58
1 files changed, 57 insertions, 1 deletions
diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
index 18b408248..05662cb18 100755
--- a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
+++ b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
@@ -2,7 +2,45 @@
# arg 2: the old package version
KERNEL_NAME=-lts-grsec
-KERNEL_VERSION=3.2.35-1-LIBRE-LTS-GRSEC
+KERNEL_VERSION=3.2.35-2-LIBRE-LTS-GRSEC
+
+_fix_permissions() {
+ /usr/bin/paxutils
+
+ echo
+ echo You can repeat this process after updating or installing affected
+ echo binaries by running "paxutils".
+}
+
+_add_proc_group() {
+ if ! getent group proc-trusted >/dev/null; then
+ groupadd -g 9998 -r proc-trusted
+ useradd -g 9998 -r proc-trusted
+ fi
+}
+
+_add_tpe_group() {
+ if getent group grsec-trusted >/dev/null; then
+ groupmod -n tpe-trusted grsec-trusted
+ fi
+
+ if ! getent group tpe-trusted >/dev/null; then
+ groupadd -g 9999 -r tpe-trusted
+ useradd -g 9999 -r tpe-trusted
+ fi
+}
+
+_help() {
+ echo
+ echo For group tpe-trusted, Trusted Path Execution is disabled. For group
+ echo proc-trusted, the access to /proc is not restricted. Think carefully
+ echo before adding a normal user to this group.
+ echo
+ echo This is controllable with the sysctl options \"kernel.grsecurity.tpe*\".
+ echo
+ echo There is an extensive wikibook on grsecurity:
+ echo http://en.wikibooks.org/wiki/Grsecurity
+}
# set a sane PATH to ensure that critical utils like depmod will be found
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@@ -28,6 +66,12 @@ post_install () {
ln -sf vmlinuz-linux-libre${KERNEL_NAME} /boot/vmlinuz26${KERNEL_NAME}
fi
fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
}
post_upgrade() {
@@ -60,10 +104,22 @@ post_upgrade() {
echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
mkinitcpio -p linux-libre${KERNEL_NAME}
fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
}
post_remove() {
# also remove the compat symlinks
rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}.img
rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}-fallback.img
+
+ for group in grsec-trusted proc-trusted tpe-trusted; do
+ if getent group $group >/dev/null; then
+ groupdel $group
+ fi
+ done
}