summaryrefslogtreecommitdiff
path: root/kernels/linux-libre-grsec/linux-libre-grsec.install
diff options
context:
space:
mode:
authorNicolás Reynolds <fauno@endefensadelsl.org>2014-02-18 01:56:34 +0000
committerNicolás Reynolds <fauno@endefensadelsl.org>2014-02-18 01:56:34 +0000
commit8185891e28635bdb83fdf4ba4391030912dae596 (patch)
tree66a946535bdd228514750233b2cc99dd1866ff64 /kernels/linux-libre-grsec/linux-libre-grsec.install
parent60a11f87366fdfbd114cdc91ff813518858e5f8d (diff)
Tue Feb 18 01:56:27 UTC 2014
Diffstat (limited to 'kernels/linux-libre-grsec/linux-libre-grsec.install')
-rw-r--r--kernels/linux-libre-grsec/linux-libre-grsec.install115
1 files changed, 115 insertions, 0 deletions
diff --git a/kernels/linux-libre-grsec/linux-libre-grsec.install b/kernels/linux-libre-grsec/linux-libre-grsec.install
new file mode 100644
index 000000000..dfdf39530
--- /dev/null
+++ b/kernels/linux-libre-grsec/linux-libre-grsec.install
@@ -0,0 +1,115 @@
+# arg 1: the new package version
+# arg 2: the old package version
+
+KERNEL_NAME=-grsec
+KERNEL_VERSION=
+
+_fix_permissions() {
+ /usr/bin/pax-flags-libre -y
+
+ echo
+ echo You can repeat this process after updating or installing affected
+ echo binaries by running "pax-flags-libre".
+}
+
+_add_proc_group() {
+ if ! getent group proc-trusted >/dev/null; then
+ groupadd -g 9998 -r proc-trusted
+ fi
+}
+
+_add_tpe_group() {
+ if getent group grsec-trusted >/dev/null; then
+ groupmod -n tpe-trusted grsec-trusted
+ fi
+
+ if ! getent group tpe-trusted >/dev/null; then
+ groupadd -g 9999 -r tpe-trusted
+ fi
+}
+
+_add_socket_deny_groups() {
+ if ! getent group socket-deny-server >/dev/null; then
+ groupadd -g 9997 -r socket-deny-server
+ fi
+
+ if ! getent group socket-deny-client >/dev/null; then
+ groupadd -g 9996 -r socket-deny-client
+ fi
+
+ if ! getent group socket-deny-all >/dev/null; then
+ groupadd -g 9995 -r socket-deny-all
+ fi
+}
+
+_add_groups() {
+ _add_proc_group
+ _add_tpe_group
+ _add_socket_deny_groups
+}
+
+_remove_groups() {
+ for group in grsec-trusted proc-trusted tpe-trusted socket-deny-server socket-deny-client socket-deny-all; do
+ if getent group $group >/dev/null; then
+ groupdel $group
+ fi
+ done
+}
+
+_help() {
+cat <<EOF
+
+Configuration of grsecurity features via sysctl is possible in
+"/etc/sysctl.d/05-grsecurity.conf".
+
+For group tpe-trusted, Trusted Path Execution is disabled. For group
+proc-trusted, the access to /proc is not restricted. Think carefully before
+adding a normal user to these groups.
+
+To prevent certain socket access to users, there are three groups:
+socket-deny-server, socket-deny-client and socket-deny-all.
+
+EOF
+}
+
+post_install () {
+ # updating module dependencies
+ echo ">>> Updating module dependencies. Please wait ..."
+ depmod ${KERNEL_VERSION}
+ if command -v mkinitcpio 2>&1 > /dev/null; then
+ echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
+ mkinitcpio -p linux-libre${KERNEL_NAME}
+ fi
+
+ _add_groups
+ _fix_permissions
+
+ _help
+}
+
+post_upgrade() {
+ if findmnt --fstab -uno SOURCE /boot &>/dev/null && ! mountpoint -q /boot; then
+ echo "WARNING: /boot appears to be a separate partition but is not mounted."
+ fi
+
+ # updating module dependencies
+ echo ">>> Updating module dependencies. Please wait ..."
+ depmod ${KERNEL_VERSION}
+ if command -v mkinitcpio 2>&1 > /dev/null; then
+ echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..."
+ mkinitcpio -p linux-libre${KERNEL_NAME}
+ fi
+
+ _add_groups
+ _fix_permissions
+
+ _help
+}
+
+post_remove() {
+ # also remove the compat symlinks
+ rm -f boot/initramfs-linux-libre${KERNEL_NAME}.img
+ rm -f boot/initramfs-linux-libre${KERNEL_NAME}-fallback.img
+
+ _remove_groups
+}