Diffstat (limited to 'kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install')
-rwxr-xr-x | kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install | 58 |
1 files changed, 57 insertions, 1 deletions
diff --git a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
index 18b408248..05662cb18 100755
--- a/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
+++ b/kernels/linux-libre-lts-grsec/linux-libre-lts-grsec.install
@@ -2,7 +2,45 @@
 # arg 2: the old package version
 KERNEL_NAME=-lts-grsec
-KERNEL_VERSION=3.2.35-1-LIBRE-LTS-GRSEC
+KERNEL_VERSION=3.2.35-2-LIBRE-LTS-GRSEC
+
+_fix_permissions() {
+ /usr/bin/paxutils
+
+ echo
+ echo You can repeat this process after updating or installing affected
+ echo binaries by running "paxutils".
+}
+
+_add_proc_group() {
+ if ! getent group proc-trusted >/dev/null; then
+ groupadd -g 9998 -r proc-trusted
+ useradd -g 9998 -r proc-trusted
+ fi
+}
+
+_add_tpe_group() {
+ if getent group grsec-trusted >/dev/null; then
+ groupmod -n tpe-trusted grsec-trusted
+ fi
+
+ if ! getent group tpe-trusted >/dev/null; then
+ groupadd -g 9999 -r tpe-trusted
+ useradd -g 9999 -r tpe-trusted
+ fi
+}
+
+_help() {
+ echo
+ echo For group tpe-trusted, Trusted Path Execution is disabled. For group
+ echo proc-trusted, the access to /proc is not restricted. Think carefully
+ echo before adding a normal user to this group.
+ echo
+ echo This is controllable with the sysctl options \"kernel.grsecurity.tpe*\".
+ echo
+ echo There is an extensive wikibook on grsecurity:
+ echo http://en.wikibooks.org/wiki/Grsecurity
+}
 # set a sane PATH to ensure that critical utils like depmod will be found
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@@ -28,6 +66,12 @@ post_install () {
 ln -sf vmlinuz-linux-libre${KERNEL_NAME} /boot/vmlinuz26${KERNEL_NAME}
 fi
 fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
 }
 post_upgrade() {
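Review bot: `_add_proc_group` and `_add_tpe_group` hard-code GIDs 9998/9999 and ignore the exit status of `groupadd`, so when either GID is already taken on the host the group is never created, the following `useradd -g` fails too, and installation continues with the /proc and TPE gating groups silently absent; let the failure surface, e.g. `groupadd -g 9998 -r proc-trusted || echo ">>> could not create group proc-trusted" >&2`. The same hunk also creates a system user per gate group with `useradd -g 9998 -r proc-trusted`; group-membership gating only needs the group, and a `useradd -r` account typically receives the default login shell, so either drop the `useradd` lines or give those accounts a non-login shell, e.g. `useradd -g 9998 -r -s /usr/bin/nologin proc-trusted`. In `_help`, "adding a normal user to this group" follows a description of two groups; `these groups` would be accurate. The second hunk only wires these helpers into post_install, whose body starts outside it.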
@@ -60,10 +104,22 @@ post_upgrade() {
 echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
 mkinitcpio -p linux-libre${KERNEL_NAME}
 fi
+
+ _add_proc_group
+ _add_tpe_group
+ _fix_permissions
+
+ _help
 }
 post_remove() {
 # also remove the compat symlinks
 rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}.img
 rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}-fallback.img
+
+ for group in grsec-trusted proc-trusted tpe-trusted; do
+ if getent group $group >/dev/null; then
+ groupdel $group
+ fi
+ done
 }
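Review bot: `groupdel $group` in post_remove will refuse to remove proc-trusted and tpe-trusted while the matching system users created by `useradd -g …` in `_add_proc_group`/`_add_tpe_group` (earlier hunk of this file) still exist, because groupdel does not remove a user's primary group; the loop never calls userdel, so on package removal both the groups and the users are left behind and the error is not reported. Remove the account first inside the loop, `if getent passwd $group >/dev/null; then userdel $group; fi`, ahead of the existing `getent group` check. The body of post_upgrade begins outside this hunk.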