# arg 1:  the new package version
# arg 2:  the old package version

# Suffix appended to "linux-libre" to form the mkinitcpio preset / image name.
KERNEL_NAME='-grsec'
# Kernel release handed to depmod.  Empty in this file; presumably filled in
# at package build time — confirm against the PKGBUILD.
KERNEL_VERSION=''

# Print the PaX UDEREF notice on x86_64 hosts; on any other architecture
# nothing is printed.  The here-document is quoted so the backticks in the
# message are taken literally.
_uderef_warning() {
  case "$(uname -m)" in
    x86_64)
      cat <<'EOF'
CONFIG_PAX_MEMORY_UDEREF is now enabled on x86_64 and can be disabled by
passing `pax_nouderef` on the kernel line. UDEREF's PCID support on Sandy
Bridge and later is known to have issues with recent kernel versions and can be
disabled by passing `nopcid` to use the legacy implementation.
EOF
      ;;
  esac
}

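# Report a failed group operation on stderr without aborting the install.
# Arguments: $1 - description of the operation that failed
_group_warn() {
  printf '>>> WARNING: could not %s; check for a GID conflict with an existing group.\n' "$1" >&2
}

# Create a system group with a fixed GID only when no group of that name
# exists; an existing group keeps whatever GID it already has.
# Arguments: $1 - group name, $2 - GID
_add_group_if_missing() {
  local name=$1 gid=$2
  if ! getent group "$name" >/dev/null; then
    groupadd -g "$gid" -r "$name" || _group_warn "create group $name (gid $gid)"
  fi
}

# Create a system group with a fixed GID, or move an existing group of that
# name onto the GID.
# Arguments: $1 - group name, $2 - GID
_set_group_gid() {
  local name=$1 gid=$2
  if getent group "$name" >/dev/null; then
    groupmod -g "$gid" "$name" || _group_warn "set gid of group $name to $gid"
  else
    groupadd -g "$gid" -r "$name" || _group_warn "create group $name (gid $gid)"
  fi
}

#######################################
# Make sure the groups this kernel identifies by fixed GID exist:
# tpe (200), audit (201), socket-deny-all (202), socket-deny-client (203),
# socket-deny-server (204).  The numbers presumably match the kernel's
# grsecurity GID configuration — confirm against the kernel config before
# changing them.  tpe and audit are only created when missing; the
# socket-deny-* groups are always pinned to their GID.  A failed groupadd /
# groupmod (typically a GID already taken) is reported on stderr instead of
# passing silently; the install continues.
# Globals:   none
# Arguments: none
# Returns:   status of the last group operation
#######################################
_add_groups() {
  # tpe-trusted is the former name of the tpe group; rename it in place.
  if getent group tpe-trusted >/dev/null; then
    groupmod -g 200 -n tpe tpe-trusted || _group_warn "rename group tpe-trusted to tpe (gid 200)"
  fi

  _add_group_if_missing tpe 200
  _add_group_if_missing audit 201

  _set_group_gid socket-deny-all 202
  _set_group_gid socket-deny-client 203
  _set_group_gid socket-deny-server 204
}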

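#######################################
# Delete the groups created by _add_groups that are still present.  The
# audit group is not in this list; whether that is intentional is not
# documented here — confirm before adding it.  A failed groupdel is reported
# on stderr and the loop continues.
# Globals:   none
# Arguments: none
#######################################
_remove_groups() {
  local group
  for group in tpe socket-deny-server socket-deny-client socket-deny-all; do
    if getent group "$group" >/dev/null; then
      groupdel "$group" || printf '>>> WARNING: could not delete group %s\n' "$group" >&2
    fi
  done
}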

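#######################################
# pacman hook run after a fresh install: refresh module dependencies, build
# the initramfs when mkinitcpio is available, create the kernel's groups and
# show the UDEREF notice.
# Globals:   KERNEL_VERSION (read, passed to depmod), KERNEL_NAME (read)
# Arguments: $1 - the new package version (unused here)
#######################################
post_install() {
  echo ">>> Updating module dependencies. Please wait ..."
  # Intentionally unquoted: an empty KERNEL_VERSION must expand to no
  # argument at all (depmod then uses the running kernel's release).
  # shellcheck disable=SC2086
  depmod ${KERNEL_VERSION}
  # Both streams are discarded; `2>&1 > /dev/null` in the old order still
  # let stderr through to the terminal.
  if command -v mkinitcpio >/dev/null 2>&1; then
    echo ">>> Generating initial ramdisk, using mkinitcpio.  Please wait..."
    mkinitcpio -p "linux-libre${KERNEL_NAME}"
  fi

  _add_groups
  _uderef_warning
}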

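#######################################
# pacman hook run after an upgrade: warn about an unmounted /boot, drop the
# obsolete proc-trusted group, refresh module dependencies and the
# initramfs, create the kernel's groups, and print version-gated notices.
# Globals:   KERNEL_VERSION (read, passed to depmod), KERNEL_NAME (read)
# Arguments: $1 - the new package version (unused here)
#            $2 - the old package version, compared with vercmp
#######################################
post_upgrade() {
  local old_version=$2

  # /boot listed in fstab but not mounted: the new kernel image would land
  # on the root filesystem rather than on the boot partition.
  if findmnt --fstab -uno SOURCE /boot &>/dev/null && ! mountpoint -q /boot; then
    echo "WARNING: /boot appears to be a separate partition but is not mounted."
  fi

  # proc-trusted is no longer used by this package.
  if getent group proc-trusted >/dev/null; then
    groupdel proc-trusted
  fi

  echo ">>> Updating module dependencies. Please wait ..."
  # Intentionally unquoted: an empty KERNEL_VERSION must expand to no
  # argument at all (depmod then uses the running kernel's release).
  # shellcheck disable=SC2086
  depmod ${KERNEL_VERSION}
  # Both streams are discarded; `2>&1 > /dev/null` in the old order still
  # let stderr through to the terminal.
  if command -v mkinitcpio >/dev/null 2>&1; then
    echo ">>> Generating initial ramdisk, using mkinitcpio.  Please wait..."
    mkinitcpio -p "linux-libre${KERNEL_NAME}"
  fi

  # [[ ]] instead of [ ]: if vercmp prints nothing (e.g. an empty old
  # version) the old form raised "unary operator expected" and skipped the
  # notice; an empty operand is 0 inside [[ ]] and simply compares false.
  if [[ $(vercmp "$old_version" 3.13) -lt 0 ]]; then
    echo ">>> WARNING: AT keyboard support is no longer built into the kernel."
    echo ">>>          In order to use your keyboard during early init, you MUST"
    echo ">>>          include the 'keyboard' hook in your mkinitcpio.conf."
  fi

  _add_groups

  # UDEREF became enabled in 3.15.6.201407232200-2; only earlier releases
  # need the notice.
  if [[ $(vercmp "$old_version" 3.15.6.201407232200-2) -lt 0 ]]; then
    _uderef_warning
  fi
}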

#######################################
# pacman hook run after the package is removed: delete the two initramfs
# images (the compat symlinks) and the groups this package created.  The
# image paths are relative to the current directory — presumably / when
# pacman runs the scriptlet; confirm before changing them.
# Globals:   KERNEL_NAME (read)
# Arguments: none
#######################################
post_remove() {
  local image
  for image in "initramfs-linux-libre${KERNEL_NAME}.img" \
               "initramfs-linux-libre${KERNEL_NAME}-fallback.img"; do
    rm -f "boot/${image}"
  done

  _remove_groups
}