Diffstat (limited to 'libre/linux-libre-grsec/linux-libre-grsec.install')
-rw-r--r--libre/linux-libre-grsec/linux-libre-grsec.install116
1 files changed, 116 insertions, 0 deletions
diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install
new file mode 100644
index 000000000..cff18d020
--- /dev/null
+++ b/libre/linux-libre-grsec/linux-libre-grsec.install
@@ -0,0 +1,116 @@
+# arg 1: the new package version
+# arg 2: the old package version
+
+KERNEL_NAME=-grsec
+KERNEL_VERSION=
+
+_add_groups() {
+ if getent group tpe-trusted >/dev/null; then
+ groupmod -g 200 -n tpe tpe-trusted
+ fi
+
+ if ! getent group tpe >/dev/null; then
+ groupadd -g 200 -r tpe
+ fi
+
+ if ! getent group audit >/dev/null; then
+ groupadd -g 201 -r audit
+ fi
+
+ if getent group socket-deny-all >/dev/null; then
+ groupmod -g 202 socket-deny-all
+ else
+ groupadd -g 202 -r socket-deny-all
+ fi
+
+ if getent group socket-deny-client >/dev/null; then
+ groupmod -g 203 socket-deny-client
+ else
+ groupadd -g 203 -r socket-deny-client
+ fi
+
+ if getent group socket-deny-server >/dev/null; then
+ groupmod -g 204 socket-deny-server
+ else
+ groupadd -g 204 -r socket-deny-server
+ fi
+}
+
+_remove_groups() {
+ for group in tpe socket-deny-server socket-deny-client socket-deny-all; do
+ if getent group $group >/dev/null; then
+ groupdel $group
+ fi
+ done
+}
+
+_help() {
+cat <<EOF
+
+Configuration of grsecurity features via sysctl is possible in
+"/etc/sysctl.d/05-grsecurity.conf".
+
+Trusted Path Execution is disabled by default and can be enabled via the
+kernel.grsecurity.tpe sysctl option. The tpe group can be used either to build
+a whitelist for users free from the restrictions (tpe_invert = 1) or a
+blacklist of users with the restrictions (tpe_invert = 0).
+
+To prevent certain socket access to users, there are three groups:
+socket-deny-server, socket-deny-client and socket-deny-all.
+
+There is an extensive wikibook on grsecurity and some documentation in the
+Parabola GNU/Linux-libre Wiki:
+
+https://en.wikibooks.org/wiki/Grsecurity
+https://wiki.parabolagnulinux.org/Grsecurity
+
+EOF
+}
+
+post_install () {
+ # updating module dependencies
+ echo ">>> Updating module dependencies. Please wait ..."
+ depmod ${KERNEL_VERSION}
+ if command -v mkinitcpio 2>&1 > /dev/null; then
+ echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
+ mkinitcpio -p linux-libre${KERNEL_NAME}
+ fi
+
+ _add_groups
+ _help
+}
+
+post_upgrade() {
+ if findmnt --fstab -uno SOURCE /boot &>/dev/null && ! mountpoint -q /boot; then
+ echo "WARNING: /boot appears to be a separate partition but is not mounted."
+ fi
+
+ if getent group proc-trusted >/dev/null; then
+ groupdel proc-trusted
+ fi
+
+ # updating module dependencies
+ echo ">>> Updating module dependencies. Please wait ..."
+ depmod ${KERNEL_VERSION}
+ if command -v mkinitcpio 2>&1 > /dev/null; then
+ echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
+ mkinitcpio -p linux-libre${KERNEL_NAME}
+ fi
+
+ if [ $(vercmp $2 3.13) -lt 0 ]; then
+ echo ">>> WARNING: AT keyboard support is no longer built into the kernel."
+ echo ">>> In order to use your keyboard during early init, you MUST"
+ echo ">>> include the 'keyboard' hook in your mkinitcpio.conf."
+ fi
+
+ _add_groups
+ _help
+}
+
+post_remove() {
+ # also remove the compat symlinks
+ rm -f boot/initramfs-linux-libre${KERNEL_NAME}.img
+ rm -f boot/initramfs-linux-libre${KERNEL_NAME}-fallback.img
+
+ _remove_groups
+}
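Review bot: None of the groupadd/groupmod calls in _add_groups (hunk lines for tpe, audit and the three socket-deny-* groups) check their exit status, so a GID collision with 200–204 already in use leaves the group missing or at a different GID and the script carries on silently; since these groups presumably back the kernel.grsecurity.*_gid sysctls shipped in /etc/sysctl.d/05-grsecurity.conf, a mismatched GID means the TPE or socket restriction quietly binds to the wrong group or to none. Each call should at least report failure, e.g. `groupadd -g 202 -r socket-deny-all || echo ">>> WARNING: could not create group socket-deny-all with gid 202; check the grsecurity sysctl gid settings" >&2`, and the same for the groupmod branches. Separately, `KERNEL_VERSION=` is empty as written, so `depmod ${KERNEL_VERSION}` in post_install and post_upgrade acts on the running kernel rather than the newly installed one unless the value is substituted at build time; a comment such as `# filled in by the PKGBUILD at package time` would make that contract visible. _remove_groups also leaves the `audit` group that _add_groups creates; if that is deliberate, a one-line comment saying so would avoid it reading as an oversight.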