summaryrefslogtreecommitdiff
path: root/libre/linux-libre-grsec
diff options
context:
space:
mode:
Diffstat (limited to 'libre/linux-libre-grsec')
-rw-r--r--libre/linux-libre-grsec/PKGBUILD14
-rw-r--r--libre/linux-libre-grsec/linux-libre-grsec.install45
-rw-r--r--libre/linux-libre-grsec/sysctl.conf131
3 files changed, 5 insertions, 185 deletions
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index f905d06c5..fd6ee3d1f 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -1,3 +1,4 @@
+# $Id: PKGBUILD 116869 2014-08-04 21:40:54Z thestinger $
# Maintainer (Arch): Daniel Micay <danielmicay@gmail.com>
# Contributor (Arch): Tobias Powalowski <tpowa@archlinux.org>
# Contributor (Arch): Thomas Baechler <thomas@archlinux.org>
@@ -15,10 +16,10 @@ pkgbase=linux-libre-grsec # Build stock -libre-grsec kernel
_basekernel=3.15
_sublevel=8
_grsecver=3.0
-_timestamp=201408031129
+_timestamp=201408040708
_pkgver=${_basekernel}.${_sublevel}
pkgver=${_basekernel}.${_sublevel}.${_timestamp}
-pkgrel=1
+pkgrel=2
_lxopkgver=${_basekernel}.8 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="https://grsecurity.net/"
@@ -38,7 +39,6 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
'boot-logo.patch'
'change-default-console-loglevel.patch'
'Revert-userns-Allow-unprivileged-users-to-create-use.patch'
- 'sysctl.conf'
"http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
'6dfa7e972f54feef3a40047704495c00b4e163d7f164c133aaaa70871ab61afe'
@@ -52,7 +52,6 @@ sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
'f913384dd6dbafca476fcf4ccd35f0f497dda5f3074866022facdb92647771f6'
'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
'1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754'
- 'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31'
'2b514ce7d678919bc923fc3a4beef38f4a757a6275717dfe7147544c2e9964f0')
if [ "$CARCH" != "mips64el" ]; then
# don't use the Loongson-specific patches on non-mips64el arches.
@@ -154,14 +153,14 @@ build() {
_package() {
pkgdesc="The ${pkgbase^} kernel and modules with grsecurity/PaX patches"
[ "${pkgbase}" = "linux-libre" ] && groups=('base')
- depends=('coreutils' 'linux-libre-firmware' 'kmod')
+ depends=('coreutils' 'linux-libre-firmware' 'kmod' 'grsec-common')
optdepends=('crda: to set the correct wireless channels of your country'
'gradm: to configure and enable Role Based Access Control (RBAC)'
'paxd: to enable PaX exploit mitigations and apply exceptions automatically')
provides=("kernel26${_kernelname}=${pkgver}" "linux${_kernelname}=${pkgver}")
conflicts=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
replaces=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
- backup=("etc/mkinitcpio.d/${pkgbase}.preset" 'etc/sysctl.d/05-grsecurity.conf')
+ backup=("etc/mkinitcpio.d/${pkgbase}.preset")
install=${pkgbase}.install
if [ "$CARCH" = "mips64el" ]; then
optdepends+=('mkinitcpio: to make the initramfs (needs reinstall of this package)')
@@ -243,9 +242,6 @@ _package() {
mkdir -p "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin"
install -m644 tools/gcc/size_overflow_plugin/Makefile tools/gcc/size_overflow_plugin/*.so \
"$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin"
-
- # install sysctl configuration for grsecurity switches
- install -Dm600 "${srcdir}/sysctl.conf" "${pkgdir}/etc/sysctl.d/05-grsecurity.conf"
}
_package-headers() {
diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install
index 22a798dfa..572c893d1 100644
--- a/libre/linux-libre-grsec/linux-libre-grsec.install
+++ b/libre/linux-libre-grsec/linux-libre-grsec.install
@@ -15,46 +15,6 @@ EOF
fi
}
-_add_groups() {
- if getent group tpe-trusted >/dev/null; then
- groupmod -g 200 -n tpe tpe-trusted
- fi
-
- if ! getent group tpe >/dev/null; then
- groupadd -g 200 -r tpe
- fi
-
- if ! getent group audit >/dev/null; then
- groupadd -g 201 -r audit
- fi
-
- if getent group socket-deny-all >/dev/null; then
- groupmod -g 202 socket-deny-all
- else
- groupadd -g 202 -r socket-deny-all
- fi
-
- if getent group socket-deny-client >/dev/null; then
- groupmod -g 203 socket-deny-client
- else
- groupadd -g 203 -r socket-deny-client
- fi
-
- if getent group socket-deny-server >/dev/null; then
- groupmod -g 204 socket-deny-server
- else
- groupadd -g 204 -r socket-deny-server
- fi
-}
-
-_remove_groups() {
- for group in tpe socket-deny-server socket-deny-client socket-deny-all; do
- if getent group $group >/dev/null; then
- groupdel $group
- fi
- done
-}
-
post_install () {
# updating module dependencies
echo ">>> Updating module dependencies. Please wait ..."
@@ -64,7 +24,6 @@ post_install () {
mkinitcpio -p linux-libre${KERNEL_NAME}
fi
- _add_groups
_uderef_warning
}
@@ -91,8 +50,6 @@ post_upgrade() {
echo ">>> include the 'keyboard' hook in your mkinitcpio.conf."
fi
- _add_groups
-
if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then
_uderef_warning
fi
@@ -102,6 +59,4 @@ post_remove() {
# also remove the compat symlinks
rm -f boot/initramfs-linux-libre${KERNEL_NAME}.img
rm -f boot/initramfs-linux-libre${KERNEL_NAME}-fallback.img
-
- _remove_groups
}
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
deleted file mode 100644
index a5f6bf83e..000000000
--- a/libre/linux-libre-grsec/sysctl.conf
+++ /dev/null
@@ -1,131 +0,0 @@
-# All features in the kernel.grsecurity namespace are disabled by default in
-# the kernel and must be enabled here.
-
-#
-# Disable PaX enforcement by default.
-#
-# The `paxd` package sets softmode back to 0 in a configuration file loaded
-# after this one. It automatically handles setting exceptions from the PaX
-# exploit mitigations after Pacman operations. Altering the setting here rather
-# than using `paxd` is not recommended.
-#
-
-kernel.pax.softmode = 1
-
-#
-# Memory protections
-#
-
-#kernel.grsecurity.disable_priv_io = 1
-kernel.grsecurity.deter_bruteforce = 1
-
-#
-# Race free SymLinksIfOwnerMatch for web servers
-#
-# symlinkown_gid: http group
-#
-
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 33
-
-#
-# FIFO restrictions
-#
-# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
-# unless the owner of the FIFO is the same owner of the directory it's held in.
-#
-
-kernel.grsecurity.fifo_restrictions = 1
-
-#
-# Deny any further rw mounts
-#
-
-#kernel.grsecurity.romount_protect = 1
-
-#
-# chroot restrictions (the commented options will break containers)
-#
-
-#kernel.grsecurity.chroot_caps = 1
-#kernel.grsecurity.chroot_deny_chmod = 1
-#kernel.grsecurity.chroot_deny_chroot = 1
-kernel.grsecurity.chroot_deny_fchdir = 1
-#kernel.grsecurity.chroot_deny_mknod = 1
-#kernel.grsecurity.chroot_deny_mount = 1
-#kernel.grsecurity.chroot_deny_pivot = 1
-kernel.grsecurity.chroot_deny_shmat = 1
-kernel.grsecurity.chroot_deny_sysctl = 1
-kernel.grsecurity.chroot_deny_unix = 1
-kernel.grsecurity.chroot_enforce_chdir = 1
-kernel.grsecurity.chroot_findtask = 1
-#kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel auditing
-#
-# audit_group: Restrict exec/chdir logging to a group.
-# audit_gid: audit group
-#
-
-#kernel.grsecurity.audit_group = 1
-kernel.grsecurity.audit_gid = 201
-#kernel.grsecurity.exec_logging = 1
-#kernel.grsecurity.resource_logging = 1
-#kernel.grsecurity.chroot_execlog = 1
-#kernel.grsecurity.audit_ptrace = 1
-#kernel.grsecurity.audit_chdir = 1
-#kernel.grsecurity.audit_mount = 1
-#kernel.grsecurity.signal_logging = 1
-#kernel.grsecurity.forkfail_logging = 1
-#kernel.grsecurity.timechange_logging = 1
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable protections
-#
-
-kernel.grsecurity.harden_ptrace = 1
-kernel.grsecurity.ptrace_readexec = 1
-kernel.grsecurity.consistent_setxid = 1
-kernel.grsecurity.harden_ipc = 1
-
-#
-# Trusted Path Execution
-#
-# tpe_gid: tpe group
-#
-
-#kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 200
-#kernel.grsecurity.tpe_invert = 1
-#kernel.grsecurity.tpe_restrict_all = 1
-
-#
-# Network protections
-#
-# socket_all_gid: socket-deny-all group
-# socket_client_gid: socket-deny-client group
-# socket_server_gid: socket-deny-server group
-#
-
-#kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-kernel.grsecurity.socket_all = 1
-kernel.grsecurity.socket_all_gid = 202
-kernel.grsecurity.socket_client = 1
-kernel.grsecurity.socket_client_gid = 203
-kernel.grsecurity.socket_server = 1
-kernel.grsecurity.socket_server_gid = 204
-
-#
-# Prevent any new USB devices from being recognized by the OS.
-#
-
-#kernel.grsecurity.deny_new_usb = 1
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-
-kernel.grsecurity.grsec_lock = 0