Diffstat (limited to 'kernels/linux-libre-grsec/linux-libre-grsec.install')
-rw-r--r-- | kernels/linux-libre-grsec/linux-libre-grsec.install | 121 |
1 files changed, 0 insertions, 121 deletions
diff --git a/kernels/linux-libre-grsec/linux-libre-grsec.install b/kernels/linux-libre-grsec/linux-libre-grsec.install
deleted file mode 100644
index 68eb041c0..000000000
--- a/kernels/linux-libre-grsec/linux-libre-grsec.install
+++ /dev/null
@@ -1,121 +0,0 @@
-# arg 1: the new package version
-# arg 2: the old package version
-
-KERNEL_NAME=-grsec
-KERNEL_VERSION=
-
-_fix_permissions() {
- /usr/bin/pax-flags-libre -y
-
- echo
- echo You can repeat this process after updating or installing affected
- echo binaries by running "pax-flags-libre".
-}
-
-_add_proc_group() {
- if ! getent group proc-trusted >/dev/null; then
- groupadd -g 9998 -r proc-trusted
- fi
-}
-
-_add_tpe_group() {
- if getent group grsec-trusted >/dev/null; then
- groupmod -n tpe-trusted grsec-trusted
- fi
-
- if ! getent group tpe-trusted >/dev/null; then
- groupadd -g 9999 -r tpe-trusted
- fi
-}
-
-_add_socket_deny_groups() {
- if ! getent group socket-deny-server >/dev/null; then
- groupadd -g 9997 -r socket-deny-server
- fi
-
- if ! getent group socket-deny-client >/dev/null; then
- groupadd -g 9996 -r socket-deny-client
- fi
-
- if ! getent group socket-deny-all >/dev/null; then
- groupadd -g 9995 -r socket-deny-all
- fi
-}
-
-_add_groups() {
- _add_proc_group
- _add_tpe_group
- _add_socket_deny_groups
-}
-
-_remove_groups() {
- for group in grsec-trusted proc-trusted tpe-trusted socket-deny-server socket-deny-client socket-deny-all; do
- if getent group $group >/dev/null; then
- groupdel $group
- fi
- done
-}
-
-_help() {
-cat <<EOF
-
-Configuration of grsecurity features via sysctl is possible in
-"/etc/sysctl.d/05-grsecurity.conf".
-
-For group tpe-trusted, Trusted Path Execution is disabled. For group
-proc-trusted, the access to /proc is not restricted. Think carefully before
-adding a normal user to these groups.
-
-To prevent certain socket access to users, there are three groups:
-socket-deny-server, socket-deny-client and socket-deny-all.
-
-EOF
-}
-
-post_install () {
- # updating module dependencies
- echo ">>> Updating module dependencies. Please wait ..."
- depmod ${KERNEL_VERSION}
- if command -v mkinitcpio 2>&1 > /dev/null; then
- echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
- mkinitcpio -p linux-libre${KERNEL_NAME}
- fi
-
- _add_groups
- _fix_permissions
-
- _help
-}
-
-post_upgrade() {
- if findmnt --fstab -uno SOURCE /boot &>/dev/null && ! mountpoint -q /boot; then
- echo "WARNING: /boot appears to be a separate partition but is not mounted."
- fi
-
- # updating module dependencies
- echo ">>> Updating module dependencies. Please wait ..."
- depmod ${KERNEL_VERSION}
- if command -v mkinitcpio 2>&1 > /dev/null; then
- echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
- mkinitcpio -p linux-libre${KERNEL_NAME}
- fi
-
- if [ $(vercmp $2 3.13) -lt 0 ]; then
- echo ">>> WARNING: AT keyboard support is no longer built into the kernel."
- echo ">>> In order to use your keyboard during early init, you MUST"
- echo ">>> include the 'keyboard' hook in your mkinitcpio.conf."
- fi
-
- _add_groups
- _fix_permissions
-
- _help
-}
-
-post_remove() {
- # also remove the compat symlinks
- rm -f boot/initramfs-linux-libre${KERNEL_NAME}.img
- rm -f boot/initramfs-linux-libre${KERNEL_NAME}-fallback.img
-
- _remove_groups
-} |