From cf4686d9b73ce6a1a1c677f18b56e829d1c01369 Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado <emulatorman@parabola.nu>
Date: Tue, 5 Aug 2014 15:23:48 -0300
Subject: linux-libre-grsec-3.15.8.201408040708-2: updating version

* move linux-libre-grsec config / groups to grsec-common
---
 libre/linux-libre-grsec/PKGBUILD                  |  14 +--
 libre/linux-libre-grsec/linux-libre-grsec.install |  45 --------
 libre/linux-libre-grsec/sysctl.conf               | 131 ----------------------
 3 files changed, 5 insertions(+), 185 deletions(-)
 delete mode 100644 libre/linux-libre-grsec/sysctl.conf

(limited to 'libre/linux-libre-grsec')

diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index f905d06c5..fd6ee3d1f 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -1,3 +1,4 @@
+# $Id: PKGBUILD 116869 2014-08-04 21:40:54Z thestinger $
 # Maintainer (Arch): Daniel Micay <danielmicay@gmail.com>
 # Contributor (Arch): Tobias Powalowski <tpowa@archlinux.org>
 # Contributor (Arch): Thomas Baechler <thomas@archlinux.org>
@@ -15,10 +16,10 @@ pkgbase=linux-libre-grsec   # Build stock -libre-grsec kernel
 _basekernel=3.15
 _sublevel=8
 _grsecver=3.0
-_timestamp=201408031129
+_timestamp=201408040708
 _pkgver=${_basekernel}.${_sublevel}
 pkgver=${_basekernel}.${_sublevel}.${_timestamp}
-pkgrel=1
+pkgrel=2
 _lxopkgver=${_basekernel}.8 # nearly always the same as pkgver
 arch=('i686' 'x86_64' 'mips64el')
 url="https://grsecurity.net/"
@@ -38,7 +39,6 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
         'boot-logo.patch'
         'change-default-console-loglevel.patch'
         'Revert-userns-Allow-unprivileged-users-to-create-use.patch'
-        'sysctl.conf'
         "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
 sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
             '6dfa7e972f54feef3a40047704495c00b4e163d7f164c133aaaa70871ab61afe'
@@ -52,7 +52,6 @@ sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
             'f913384dd6dbafca476fcf4ccd35f0f497dda5f3074866022facdb92647771f6'
             'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
             '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754'
-            'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31'
             '2b514ce7d678919bc923fc3a4beef38f4a757a6275717dfe7147544c2e9964f0')
 if [ "$CARCH" != "mips64el" ]; then
     # don't use the Loongson-specific patches on non-mips64el arches.
@@ -154,14 +153,14 @@ build() {
 _package() {
   pkgdesc="The ${pkgbase^} kernel and modules with grsecurity/PaX patches"
   [ "${pkgbase}" = "linux-libre" ] && groups=('base')
-  depends=('coreutils' 'linux-libre-firmware' 'kmod')
+  depends=('coreutils' 'linux-libre-firmware' 'kmod' 'grsec-common')
   optdepends=('crda: to set the correct wireless channels of your country'
               'gradm: to configure and enable Role Based Access Control (RBAC)'
               'paxd: to enable PaX exploit mitigations and apply exceptions automatically')
   provides=("kernel26${_kernelname}=${pkgver}" "linux${_kernelname}=${pkgver}")
   conflicts=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
   replaces=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
-  backup=("etc/mkinitcpio.d/${pkgbase}.preset" 'etc/sysctl.d/05-grsecurity.conf')
+  backup=("etc/mkinitcpio.d/${pkgbase}.preset")
   install=${pkgbase}.install
   if [ "$CARCH" = "mips64el" ]; then
       optdepends+=('mkinitcpio: to make the initramfs (needs reinstall of this package)')
@@ -243,9 +242,6 @@ _package() {
   mkdir -p "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin"
   install -m644 tools/gcc/size_overflow_plugin/Makefile tools/gcc/size_overflow_plugin/*.so \
     "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin"
-
-  # install sysctl configuration for grsecurity switches
-  install -Dm600 "${srcdir}/sysctl.conf" "${pkgdir}/etc/sysctl.d/05-grsecurity.conf"
 }
 
 _package-headers() {
diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install
index 22a798dfa..572c893d1 100644
--- a/libre/linux-libre-grsec/linux-libre-grsec.install
+++ b/libre/linux-libre-grsec/linux-libre-grsec.install
@@ -15,46 +15,6 @@ EOF
   fi
 }
 
-_add_groups() {
-  if getent group tpe-trusted >/dev/null; then
-    groupmod -g 200 -n tpe tpe-trusted
-  fi
-
-  if ! getent group tpe >/dev/null; then
-    groupadd -g 200 -r tpe
-  fi
-
-  if ! getent group audit >/dev/null; then
-    groupadd -g 201 -r audit
-  fi
-
-  if getent group socket-deny-all >/dev/null; then
-    groupmod -g 202 socket-deny-all
-  else
-    groupadd -g 202 -r socket-deny-all
-  fi
-
-  if getent group socket-deny-client >/dev/null; then
-    groupmod -g 203 socket-deny-client
-  else
-    groupadd -g 203 -r socket-deny-client
-  fi
-
-  if getent group socket-deny-server >/dev/null; then
-    groupmod -g 204 socket-deny-server
-  else
-    groupadd -g 204 -r socket-deny-server
-  fi
-}
-
-_remove_groups() {
-  for group in tpe socket-deny-server socket-deny-client socket-deny-all; do
-    if getent group $group >/dev/null; then
-      groupdel $group
-    fi
-  done
-}
-
 post_install () {
   # updating module dependencies
   echo ">>> Updating module dependencies. Please wait ..."
@@ -64,7 +24,6 @@ post_install () {
     mkinitcpio -p linux-libre${KERNEL_NAME}
   fi
 
-  _add_groups
   _uderef_warning
 }
 
@@ -91,8 +50,6 @@ post_upgrade() {
     echo ">>>          include the 'keyboard' hook in your mkinitcpio.conf."
   fi
 
-  _add_groups
-
   if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then
     _uderef_warning
   fi
@@ -102,6 +59,4 @@ post_remove() {
   # also remove the compat symlinks
   rm -f boot/initramfs-linux-libre${KERNEL_NAME}.img
   rm -f boot/initramfs-linux-libre${KERNEL_NAME}-fallback.img
-
-  _remove_groups
 }
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
deleted file mode 100644
index a5f6bf83e..000000000
--- a/libre/linux-libre-grsec/sysctl.conf
+++ /dev/null
@@ -1,131 +0,0 @@
-# All features in the kernel.grsecurity namespace are disabled by default in
-# the kernel and must be enabled here.
-
-#
-# Disable PaX enforcement by default.
-#
-# The `paxd` package sets softmode back to 0 in a configuration file loaded
-# after this one. It automatically handles setting exceptions from the PaX
-# exploit mitigations after Pacman operations. Altering the setting here rather
-# than using `paxd` is not recommended.
-#
-
-kernel.pax.softmode = 1
-
-#
-# Memory protections
-#
-
-#kernel.grsecurity.disable_priv_io = 1
-kernel.grsecurity.deter_bruteforce = 1
-
-#
-# Race free SymLinksIfOwnerMatch for web servers
-#
-# symlinkown_gid: http group
-#
-
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 33
-
-#
-# FIFO restrictions
-#
-# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
-# unless the owner of the FIFO is the same owner of the directory it's held in.
-#
-
-kernel.grsecurity.fifo_restrictions = 1
-
-#
-# Deny any further rw mounts
-#
-
-#kernel.grsecurity.romount_protect = 1
-
-#
-# chroot restrictions (the commented options will break containers)
-#
-
-#kernel.grsecurity.chroot_caps = 1
-#kernel.grsecurity.chroot_deny_chmod = 1
-#kernel.grsecurity.chroot_deny_chroot = 1
-kernel.grsecurity.chroot_deny_fchdir = 1
-#kernel.grsecurity.chroot_deny_mknod = 1
-#kernel.grsecurity.chroot_deny_mount = 1
-#kernel.grsecurity.chroot_deny_pivot = 1
-kernel.grsecurity.chroot_deny_shmat = 1
-kernel.grsecurity.chroot_deny_sysctl = 1
-kernel.grsecurity.chroot_deny_unix = 1
-kernel.grsecurity.chroot_enforce_chdir = 1
-kernel.grsecurity.chroot_findtask = 1
-#kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel auditing
-#
-# audit_group: Restrict exec/chdir logging to a group.
-# audit_gid: audit group
-#
-
-#kernel.grsecurity.audit_group = 1
-kernel.grsecurity.audit_gid = 201
-#kernel.grsecurity.exec_logging = 1
-#kernel.grsecurity.resource_logging = 1
-#kernel.grsecurity.chroot_execlog = 1
-#kernel.grsecurity.audit_ptrace = 1
-#kernel.grsecurity.audit_chdir = 1
-#kernel.grsecurity.audit_mount = 1
-#kernel.grsecurity.signal_logging = 1
-#kernel.grsecurity.forkfail_logging = 1
-#kernel.grsecurity.timechange_logging = 1
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable protections
-#
-
-kernel.grsecurity.harden_ptrace = 1
-kernel.grsecurity.ptrace_readexec = 1
-kernel.grsecurity.consistent_setxid = 1
-kernel.grsecurity.harden_ipc = 1
-
-#
-# Trusted Path Execution
-#
-# tpe_gid: tpe group
-#
-
-#kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 200
-#kernel.grsecurity.tpe_invert = 1
-#kernel.grsecurity.tpe_restrict_all = 1
-
-#
-# Network protections
-#
-# socket_all_gid:    socket-deny-all group
-# socket_client_gid: socket-deny-client group
-# socket_server_gid: socket-deny-server group
-#
-
-#kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-kernel.grsecurity.socket_all = 1
-kernel.grsecurity.socket_all_gid = 202
-kernel.grsecurity.socket_client = 1
-kernel.grsecurity.socket_client_gid = 203
-kernel.grsecurity.socket_server = 1
-kernel.grsecurity.socket_server_gid = 204
-
-#
-# Prevent any new USB devices from being recognized by the OS.
-#
-
-#kernel.grsecurity.deny_new_usb = 1
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-
-kernel.grsecurity.grsec_lock = 0
-- 
cgit v1.2.3-54-g00ecf