summaryrefslogtreecommitdiff
path: root/kernels/linux-libre-grsec/linux-libre-grsec.install
blob: ad209388f8eb1d4068c8ecf31c44b382b5a20b5f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# arg 1:  the new package version
# arg 2:  the old package version

KERNEL_NAME=-grsec
KERNEL_VERSION=3.6.7-1-LIBRE-GRSEC

_fix_permissions() {
  /usr/bin/linux-pax-flags

  echo
  echo You can repeat this process after updating or installing affected
  echo binaries by running "linux-pax-flags".
}

_add_trusted_group() {
  if ! getent group grsec-trusted >/dev/null; then
    groupadd -g 9999 -r grsec-trusted
    useradd -g 9999 -r grsec-trusted
  fi
}

_help() {
  echo
  echo For group grsec-trusted, Trusted Path Execution is disabled and
  echo information about all processes from /proc is visible. Think carefully
  echo before adding a normal user to this group.
  echo
  echo This is controllable with the sysctl options \"kernel.grsecurity.tpe*\".
  echo
  echo There is an extensive wikibook on grsecurity:
  echo http://en.wikibooks.org/wiki/Grsecurity
}

# set a sane PATH to ensure that critical utils like depmod will be found
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

post_install () {
  # updating module dependencies
  echo ">>> Updating module dependencies. Please wait ..."
  depmod ${KERNEL_VERSION}
  if command -v mkinitcpio 2>&1 > /dev/null; then
    echo ">>> Generating initial ramdisk, using mkinitcpio.  Please wait..."
    mkinitcpio -p linux-libre${KERNEL_NAME}
  fi

  # compat symlinks for the official kernels only
  if [ -z "${KERNEL_NAME}" -o "${KERNEL_NAME}" = "-grsec" ]; then
    loaders="$(find /boot -name syslinux.cfg -or -name extlinux.conf -or -name grub.cfg -or -name menu.lst)"
    [ -f /etc/lilo.conf ] && loaders="$loaders /etc/lilo.conf"
    if [ -n "${loaders}" ] && grep -q -e vmlinuz26 -e kernel26.img -e kernel26-fallback.img $loaders; then
      # add compat symlinks for the initramfs images
      ln -sf initramfs-linux-libre${KERNEL_NAME}.img boot/kernel26${KERNEL_NAME}.img
      ln -sf initramfs-linux-libre${KERNEL_NAME}-fallback.img \
        boot/kernel26${KERNEL_NAME}-fallback.img
      ln -sf vmlinuz-linux-libre${KERNEL_NAME} /boot/vmlinuz26${KERNEL_NAME}
    fi
  fi

  _add_trusted_group
  _fix_permissions
  
  _help
}

post_upgrade() {
  pacman -Q grub &>/dev/null
  hasgrub=$?
  pacman -Q grub-common &>/dev/null
  hasgrub2=$?
  pacman -Q lilo &>/dev/null
  haslilo=$?
  # reminder notices
  if [ $haslilo -eq 0 ]; then
    echo ">>>"
    if [ $hasgrub -eq 0 -o $hasgrub2 -eq 0 ]; then
      echo ">>> If you use the LILO bootloader, you should run 'lilo' before rebooting."
    else
      echo ">>> You appear to be using the LILO bootloader. You should run"
      echo ">>> 'lilo' before rebooting."
    fi
    echo ">>>"
  fi

  if findmnt --fstab -uno SOURCE /boot &>/dev/null && ! mountpoint -q /boot; then
    echo "WARNING: /boot appears to be a separate partition but is not mounted."
  fi

  # updating module dependencies
  echo ">>> Updating module dependencies. Please wait ..."
  depmod ${KERNEL_VERSION}
  if command -v mkinitcpio 2>&1 > /dev/null; then
    echo ">>> Generating initial ramdisk, using mkinitcpio.  Please wait..."
    mkinitcpio -p linux-libre${KERNEL_NAME}
  fi

  _add_trusted_group
  _fix_permissions

  _help
}

post_remove() {
  # also remove the compat symlinks
  rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}.img
  rm -f boot/{initramfs-linux-libre,kernel26}${KERNEL_NAME}-fallback.img

  if getent group grsec-trusted >/dev/null; then
    groupdel grsec-trusted
  fi
}