authorroot <root@rshg054.dnsready.net>2012-11-24 01:54:10 -0800
committerroot <root@rshg054.dnsready.net>2012-11-24 01:54:10 -0800
commitc65624e6d74bffd70dcd67cc28448b5a50596efb (patch)
tree06c1cbca31a798c4274030b52e9947fb57a1a889 /kernels
parent1fce42e9327109bd47dba5e3e690144a23bbbc19 (diff)
Sat Nov 24 01:51:17 PST 2012
Diffstat (limited to 'kernels')
-rwxr-xr-xkernels/linux-libre-grsec/PKGBUILD10
-rw-r--r--kernels/linux-libre-grsec/config.x86_644
-rwxr-xr-xkernels/linux-libre-grsec/linux-libre-grsec.install6
-rw-r--r--kernels/paxutils/PKGBUILD24
-rwxr-xr-xkernels/paxutils/paxutils174
5 files changed, 208 insertions, 10 deletions
diff --git a/kernels/linux-libre-grsec/PKGBUILD b/kernels/linux-libre-grsec/PKGBUILD
index c22a208d5..c0f1eb2a9 100755
--- a/kernels/linux-libre-grsec/PKGBUILD
+++ b/kernels/linux-libre-grsec/PKGBUILD
@@ -11,9 +11,9 @@ pkgbase=linux-libre-grsec # Build stock -LIBRE-GRSEC kernel
_basekernel=3.6
_sublevel=7
_grsecver=2.9.1
-_timestamp=201211181105
+_timestamp=201211221000
pkgver=${_basekernel}.${_sublevel}
-pkgrel=3
+pkgrel=4
_lxopkgver=${_basekernel}.7 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="http://linux-libre.fsfla.org/"
@@ -37,9 +37,9 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
"http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2")
md5sums=('a2312edd0265b5b07bd4b50afae2b380'
'a4e642180c7d757a642175fe32e4a264'
- 'af1f2097a6e26d36801188193d3eb185'
+ '25ad4a2c727ae5d0fcfe30008a6cce09'
'508ce60a46a36c65d847c4759ac5f6c7'
- 'ec6b214e3744cc5fb38bcafb0c6218d6'
+ 'e0df7f5866d6d74ecc339347ac58ea3b'
'5f66bed97a5c37e48eb2f71b2d354b9a'
'2967cecc3af9f954ccc822fd63dca6ff'
'8267264d9a8966e57fdacd1fa1fc65c4'
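Review bot: The two replaced entries keep this array on `md5sums`, while the sources visible in this hunk's context are fetched over plain `http://`, so MD5 is the only integrity check shown for those downloads. MD5 is not collision-resistant, so it is a weak guard for kernel and patch tarballs. Switching to `sha256sums=(...)`, as kernels/paxutils/PKGBUILD added in this same commit already does, would be consistent. The array starts before and continues past this hunk, so every entry would need regenerating, not just the two changed here.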
@@ -161,7 +161,7 @@ build() {
_package() {
pkgdesc="The ${pkgbase} kernel and modules with grsecurity/PaX patches"
[ "${pkgbase}" = "linux-libre" ] && groups=('base')
- depends=('gradm' 'linux-libre-pax-flags' 'coreutils' 'linux-libre-firmware' 'kmod')
+ depends=('gradm' 'paxutils' 'coreutils' 'linux-libre-firmware' 'kmod')
optdepends=('crda: to set the correct wireless channels of your country')
provides=("kernel26${_kernelname}=${pkgver}" "linux${_kernelname}=${pkgver}")
conflicts=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}")
diff --git a/kernels/linux-libre-grsec/config.x86_64 b/kernels/linux-libre-grsec/config.x86_64
index 281b26f47..c1729bff5 100644
--- a/kernels/linux-libre-grsec/config.x86_64
+++ b/kernels/linux-libre-grsec/config.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 3.6.1-2 Kernel Configuration
+# Linux/x86_64 3.6.7-4 Kernel Configuration
#
CONFIG_64BIT=y
# CONFIG_X86_32 is not set
@@ -5609,6 +5609,7 @@ CONFIG_PAX_USERCOPY=y
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
+CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
@@ -5690,7 +5691,6 @@ CONFIG_GRKERNSEC_BLACKHOLE=y
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
-# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
#
diff --git a/kernels/linux-libre-grsec/linux-libre-grsec.install b/kernels/linux-libre-grsec/linux-libre-grsec.install
index ad209388f..4c65c9783 100755
--- a/kernels/linux-libre-grsec/linux-libre-grsec.install
+++ b/kernels/linux-libre-grsec/linux-libre-grsec.install
@@ -2,14 +2,14 @@
# arg 2: the old package version
KERNEL_NAME=-grsec
-KERNEL_VERSION=3.6.7-1-LIBRE-GRSEC
+KERNEL_VERSION=3.6.7-4-LIBRE-GRSEC
_fix_permissions() {
- /usr/bin/linux-pax-flags
+ /usr/bin/paxutils
echo
echo You can repeat this process after updating or installing affected
- echo binaries by running "linux-pax-flags".
+ echo binaries by running "paxutils".
}
_add_trusted_group() {
diff --git a/kernels/paxutils/PKGBUILD b/kernels/paxutils/PKGBUILD
new file mode 100644
index 000000000..3d6d1e772
--- /dev/null
+++ b/kernels/paxutils/PKGBUILD
@@ -0,0 +1,24 @@
+# Maintainer: André Silva <emulatorman@lavabit.com>
+# Maintainer: Márcio Silva <coadde@lavabit.com>
+
+pkgname=paxutils
+pkgdesc='PaX utilities to configure flags for several binaries to work with PaX kernels'
+pkgver=0.1.0
+pkgrel=2
+arch=(any)
+url='https://projects.parabolagnulinux.org/abslibre.git/tree/kernels/paxutils/'
+license=(GPL2)
+depends=(bash paxctl)
+replaces=('linux-pax-flags' 'linux-libre-pax-flags')
+conflicts=('linux-pax-flags' 'linux-libre-pax-flags')
+provides=('linux-pax-flags' 'linux-libre-pax-flags')
+source=($pkgname)
+sha256sums=(bf1fda4919e7ed8052711c91933d9da5d86945ba44133c94e1952dedb4d1759b)
+
+build() {
+ return 0
+}
+
+package() {
+ install -D -m755 $srcdir/$pkgname $pkgdir/usr/bin/$pkgname
+}
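Review bot: The `install` line in `package()` expands `$srcdir`, `$pkgdir` and `$pkgname` unquoted, so a build directory containing whitespace or glob characters splits the arguments of a command that writes into the package root. Quote it as `install -D -m755 "$srcdir/$pkgname" "$pkgdir/usr/bin/$pkgname"`. The `build()` function only does `return 0` and can be dropped, since nothing is compiled.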
diff --git a/kernels/paxutils/paxutils b/kernels/paxutils/paxutils
new file mode 100755
index 000000000..22f5a8171
--- /dev/null
+++ b/kernels/paxutils/paxutils
@@ -0,0 +1,174 @@
+#!/bin/bash
+
+[ "$UID" = "0" ] || {
+ sudo $0
+ exit $!
+}
+
+function homedir() {
+ egrep ^$1 /etc/passwd | cut -d: -f 6
+}
+
+declare -A perms
+
+perms=(
+ # RANDMMAP off
+ ['cPSMXEr']='
+ /usr/bin/grub-script-check
+ '
+ # MPROTECT and RANDMMAP off
+ ['cPSmXEr']='
+ /usr/bin/elinks
+ /usr/bin/pyrogenesis
+ /usr/lib/iceweasel/iceweasel
+ /usr/lib/iceweasel/plugin-container
+ /usr/lib/icecat/icecat
+ /usr/lib/icecat/plugin-container
+ /usr/lib/polkit-1/polkitd
+ /usr/lib/icedove/icedove
+ '
+ # SEGMEXEC and MPROTECT off
+ # (RANDEXEC is not activatable for qemu. The binaries seem to be compiled
+ # with PIE enabled, though.)
+ ['cPsmxER']='
+ /usr/bin/qemu-alpha
+ /usr/bin/qemu-arm
+ /usr/bin/qemu-armeb
+ /usr/bin/qemu-cris
+ /usr/bin/qemu-i386
+ /usr/bin/qemu-m68k
+ /usr/bin/qemu-microblaze
+ /usr/bin/qemu-microblazeel
+ /usr/bin/qemu-mips
+ /usr/bin/qemu-mipsel
+ /usr/bin/qemu-ppc
+ /usr/bin/qemu-ppc64
+ /usr/bin/qemu-ppc64abi32
+ /usr/bin/qemu-s390x
+ /usr/bin/qemu-sh4
+ /usr/bin/qemu-sh4eb
+ /usr/bin/qemu-sparc
+ /usr/bin/qemu-sparc32plus
+ /usr/bin/qemu-sparc64
+ /usr/bin/qemu-unicore32
+ /usr/bin/qemu-x86_64
+ '
+ # MPROTECT off
+ ['cPSmXER']="
+ /usr/bin/blender
+ /usr/bin/clamscan
+ /usr/bin/freshclam
+ /usr/bin/glxdemo
+ /usr/bin/glxgears
+ /usr/bin/glxinfo
+ /usr/bin/kdeinit4
+ /usr/bin/kdenlive
+ /usr/bin/kmail
+ /usr/bin/kwin
+ /usr/bin/liferea
+ /usr/bin/mono
+ /usr/bin/mplayer
+ /usr/bin/okular
+ /usr/bin/qemu-system-alpha
+ /usr/bin/qemu-system-arm
+ /usr/bin/qemu-system-cris
+ /usr/bin/qemu-system-i386
+ /usr/bin/qemu-system-lm32
+ /usr/bin/qemu-system-m68k
+ /usr/bin/qemu-system-microblaze
+ /usr/bin/qemu-system-microblazeel
+ /usr/bin/qemu-system-mips
+ /usr/bin/qemu-system-mips64
+ /usr/bin/qemu-system-mips64el
+ /usr/bin/qemu-system-mipsel
+ /usr/bin/qemu-system-ppc
+ /usr/bin/qemu-system-ppc64
+ /usr/bin/qemu-system-ppcemb
+ /usr/bin/qemu-system-s390x
+ /usr/bin/qemu-system-sh4
+ /usr/bin/qemu-system-sh4eb
+ /usr/bin/qemu-system-sparc
+ /usr/bin/qemu-system-sparc64
+ /usr/bin/qemu-system-x86_64
+ /usr/bin/qemu-system-xtensa
+ /usr/bin/qemu-system-xtensaeb
+ /usr/bin/ruby
+ /usr/bin/systemsettings
+ /usr/bin/tcc
+ /usr/bin/valgrind
+ /usr/lib/erlang/erts-*/bin/beam
+ /usr/lib/erlang/erts-*/bin/beam.smp
+ /usr/lib/ghc-*/ghc
+ /usr/lib/valgrind/cachegrind-amd64-linux
+ /usr/lib/valgrind/cachegrind-x86-linux
+ /usr/lib/valgrind/callgrind-amd64-linux
+ /usr/lib/valgrind/callgrind-x86-linux
+ /usr/lib/valgrind/drd-amd64-linux
+ /usr/lib/valgrind/drd-x86-linux
+ /usr/lib/valgrind/exp-bbv-amd64-linux
+ /usr/lib/valgrind/exp-bbv-x86-linux
+ /usr/lib/valgrind/exp-dhat-amd64-linux
+ /usr/lib/valgrind/exp-dhat-x86-linux
+ /usr/lib/valgrind/exp-sgcheck-amd64-linux
+ /usr/lib/valgrind/exp-sgcheck-x86-linux
+ /usr/lib/valgrind/helgrind-amd64-linux
+ /usr/lib/valgrind/helgrind-x86-linux
+ /usr/lib/valgrind/lackey-amd64-linux
+ /usr/lib/valgrind/lackey-x86-linux
+ /usr/lib/valgrind/massif-amd64-linux
+ /usr/lib/valgrind/massif-x86-linux
+ /usr/lib/valgrind/memcheck-amd64-linux
+ /usr/lib/valgrind/memcheck-x86-linux
+ /usr/lib/valgrind/none-amd64-linux
+ /usr/lib/valgrind/none-x86-linux
+ /usr/lib/xbmc/xbmc.bin
+ /usr/sbin/clamd
+ /usr/sbin/grub-probe
+ /usr/sbin/vbetool
+ "
+ # PAGEEXEC, MPROTECT, EMUTRAMP and RANDMMAP off
+ ['cpSmXer']='
+ /usr/bin/sbcl
+ '
+ # All off
+ ['cpsmxer']='
+ /usr/bin/wine
+ /usr/bin/wine-preloader
+ /usr/lib/jvm/java-6-openjdk/bin/java
+ /usr/lib/jvm/java-6-openjdk/bin/javac
+ /usr/lib/jvm/java-6-openjdk/jre/bin/java
+ /usr/lib/jvm/java-7-openjdk/bin/javac
+ /usr/lib/jvm/java-7-openjdk/jre/bin/java
+ '
+)
+
+echo Some programs do not work properly without deactivating some of the PaX
+echo features. Please close all instances of them if you want to change the
+echo configuration for the following binaries:
+
+for perm in ${!perms[@]}; do
+ for path in ${perms[$perm]}; do
+ [ -f $path ] && echo " * $path"
+ done
+done
+
+echo
+echo Continue writing PaX headers? \[Y/n\]
+
+read a
+
+case $a in
+ "Y"|"y"|"")
+ for perm in ${!perms[@]}; do
+ for path in ${perms[$perm]}; do
+ [ -f $path ] && {
+ echo $perm $path
+ paxctl -$perm $path
+ }
+ done
+ done
+ ;;
+ *)
+ exit 0
+ ;;
+esac
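Review bot: The root re-exec at the top of the script ends with `exit $!`, which expands to the PID of the last background job rather than sudo's exit status, and `sudo $0` is unquoted and drops the caller's arguments; `exec sudo -- "$0" "$@"` addresses all three. The confirmation uses a bare `read a` and treats an empty answer as yes, so when stdin is not a terminal (the script is called from `_fix_permissions` in linux-libre-grsec.install in this commit) a failed read leaves `$a` empty and the PaX protections are relaxed without anyone answering; consider `read -r a || exit 1`, or require an explicit `y` when `[ -t 0 ]` is false. In both loops `[ -f $path ]` and `paxctl -$perm $path` should quote `$path`, and the write loop should report a failing paxctl, e.g. `paxctl "-$perm" "$path" || echo "paxctl failed: $path" >&2`. `homedir()` is never called in this file and its `egrep ^$1` is an unquoted prefix match that would also match longer user names, so it can be removed.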