blob: 8062840405afa3673a712251c5e46665d2ad387f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
|
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
_mainflavor=grsec
pkgname=linux-$_mainflavor
pkgver=4.1.15
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
pkgrel=4
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs"
makedepends="perl sed installkernel bash gmp-dev bc linux-headers mpfr-dev
mpc1-dev"
options="!strip"
install=
source="http://ftp.kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v4.x/patch-$pkgver.xz
http://dev.alpinelinux.org/~tteras/grsec/pax-linux-4.1.15-test24-alpine.patch
http://dev.alpinelinux.org/~tteras/grsec/grsec-4.1.15-3.1-201509112213-alpine.patch
fix-spi-nor-namespace-clash.patch
imx6q-no-unclocked-sleep.patch
add-checks-for-allocation-failure-isdn_ppp_open.patch
validate-vj-compression-slot-parameters-completely.patch
kvm-svm-unconditionally-intercept-#db.patch
vivid-osd-fix-info-leak-in-ioctl.patch
staging-dgnc-fix-info-leak-in-ioctl.patch
net-add-validation-socket-syscall-protocol-argument.patch
pptp-verify-sockaddr_len.patch
ovl-fix-permission-checking-for-setattr.patch
0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
keys-fixes.patch
config-grsec.x86
config-grsec.x86_64
config-grsec.armhf
config-virtgrsec.x86
config-virtgrsec.x86_64
"
subpackages="$pkgname-dev"
_flavors=
for _i in $source; do
case $_i in
config-*.$CARCH)
_f=${_i%.$CARCH}
_f=${_f#config-}
_flavors="$_flavors ${_f}"
if [ "linux-$_f" != "$pkgname" ]; then
subpackages="$subpackages linux-${_f}"
fi
;;
esac
done
arch="x86 x86_64 armhf"
license="GPL2"
prepare() {
local _patch_failed=
cd "$srcdir"/linux-$_kernver
if [ "${pkgver%.0}" = "$pkgver" ]; then
msg "Applying patch-$pkgver.xz"
unxz -c < "$srcdir"/patch-$pkgver.xz | patch -p1 -N || return 1
fi
# first apply patches in specified order
for i in $source; do
case $i in
*.patch)
msg "Applying $i..."
if ! patch -s -p1 -N -i "$srcdir"/${i##*/}; then
echo $i >>failed
_patch_failed=1
fi
;;
esac
done
if ! [ -z "$_patch_failed" ]; then
error "The following patches failed:"
cat failed
return 1
fi
# remove localversion from patch if any
rm -f localversion*
for i in $_flavors; do
local _config=config-$i.${CARCH}
local _builddir="$srcdir"/build-$i
mkdir -p "$_builddir"
echo "-$pkgrel-$i" > "$srcdir"/build-$i/localversion-alpine \
|| return 1
cp "$srcdir"/$_config "$_builddir"/.config || return 1
make -C "$srcdir"/linux-$_kernver \
O="$_builddir" \
HOSTCC="${CC:-gcc}" \
silentoldconfig || return 1
done
}
build() {
export GCC_SPECS=hardenednopie.specs
for i in $_flavors; do
cd "$srcdir"/build-$i
make CC="${CC:-gcc}" \
KBUILD_BUILD_VERSION="$((pkgrel + 1 ))-Alpine" \
|| return 1
done
}
_package() {
local _buildflavor="$1" _outdir="$2"
local _abi_release=${pkgver}-${pkgrel}-${_buildflavor}
cd "$srcdir"/build-$_buildflavor || return 1
mkdir -p "$_outdir"/boot "$_outdir"/lib/modules
local _install
case "$CARCH" in
arm*)
local _dtbdir="$_outdir"/usr/lib/linux-${_abi_release}
mkdir -p "$_dtbdir"
for i in arch/arm/boot/dts/*.dtb ; do
install -m644 "$i" "$_dtbdir"
done
_install=zinstall
;;
*)
_install=install
;;
esac
make -j1 modules_install firmware_install $_install \
INSTALL_MOD_PATH="$_outdir" \
INSTALL_PATH="$_outdir"/boot \
|| return 1
rm -f "$_outdir"/lib/modules/${_abi_release}/build \
"$_outdir"/lib/modules/${_abi_release}/source
rm -rf "$_outdir"/lib/firmware
install -D include/config/kernel.release \
"$_outdir"/usr/share/kernel/$_buildflavor/kernel.release
}
# main flavor installs in $pkgdir
package() {
depends="$depends linux-firmware"
_package grsec "$pkgdir"
}
# subflavors install in $subpkgdir
virtgrsec() {
_package virtgrsec "$subpkgdir"
}
# we only provide -dev for main flavor for now
dev() {
local _abi_release=${pkgver}-${pkgrel}-$_mainflavor
# copy the only the parts that we really need for build 3rd party
# kernel modules and install those as /usr/src/linux-headers,
# simlar to what ubuntu does
#
# this way you dont need to install the 300-400 kernel sources to
# build a tiny kernel module
#
pkgdesc="Headers and script for third party modules for grsec kernel"
depends="gmp-dev bash"
local dir="$subpkgdir"/usr/src/linux-headers-${_abi_release}
# first we import config, run prepare to set up for building
# external modules, and create the scripts
mkdir -p "$dir"
cp "$srcdir"/config-grsec.${CARCH} "$dir"/.config
echo "-$pkgrel-grsec" > "$dir"/localversion-alpine \
|| return 1
make -j1 -C "$srcdir"/linux-$_kernver O="$dir" HOSTCC="${CC:-gcc}" \
silentoldconfig prepare modules_prepare scripts
# remove the stuff that poits to real sources. we want 3rd party
# modules to believe this is the soruces
rm "$dir"/Makefile "$dir"/source
# copy the needed stuff from real sources
#
# this is taken from ubuntu kernel build script
# http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-jaunty.git;a=blob;f=debian/rules.d/3-binary-indep.mk;hb=HEAD
cd "$srcdir"/linux-$_kernver
find . -path './include/*' -prune -o -path './scripts/*' -prune \
-o -type f \( -name 'Makefile*' -o -name 'Kconfig*' \
-o -name 'Kbuild*' -o -name '*.sh' -o -name '*.pl' \
-o -name '*.lds' \) | cpio -pdm "$dir"
cp -a drivers/media/dvb/dvb-core/*.h "$dir"/drivers/media/dvb/dvb-core
cp -a drivers/media/video/*.h "$dir"/drivers/media/video
cp -a drivers/media/dvb/frontends/*.h "$dir"/drivers/media/dvb/frontends
cp -a scripts include "$dir"
find $(find arch -name include -type d -print) -type f \
| cpio -pdm "$dir"
install -Dm644 "$srcdir"/build-$_mainflavor/Module.symvers \
"$dir"/Module.symvers
mkdir -p "$subpkgdir"/lib/modules/${_abi_release}
ln -sf /usr/src/linux-headers-${_abi_release} \
"$subpkgdir"/lib/modules/${_abi_release}/build
}
md5sums="fe9dc0f6729f36400ea81aa41d614c37 linux-4.1.tar.xz
5ec05841161a172f8ae1a7f38bb382b0 patch-4.1.15.xz
d23ac8110941baf0f37f9e3a011e3720 pax-linux-4.1.15-test24-alpine.patch
ba5670790e9ee117227024cb4b187756 grsec-4.1.15-3.1-201509112213-alpine.patch
b0337a2a9abed17c37eae5db332522d2 fix-spi-nor-namespace-clash.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
4bf3d4e28a3318ea7251f862aa35dc95 add-checks-for-allocation-failure-isdn_ppp_open.patch
9b150b8017a25fb6c9e9e29b1f1e791f validate-vj-compression-slot-parameters-completely.patch
c02b7d642341d3b82cff47d801813254 kvm-svm-unconditionally-intercept-#db.patch
b52be7e646d3572687e4d26d4291233e vivid-osd-fix-info-leak-in-ioctl.patch
6c48221dbad6928f2b9f6c1f521c5844 staging-dgnc-fix-info-leak-in-ioctl.patch
730439fc2751795dc00f1fb3ec810b12 net-add-validation-socket-syscall-protocol-argument.patch
e4590e034252bb838220d2bedc19be2e pptp-verify-sockaddr_len.patch
5f27a173424a42db509b46372c200e85 ovl-fix-permission-checking-for-setattr.patch
0ac0bfd35d8d857b790f3cf55028d967 0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
0526ef5b0cb5c8b697ab8fcd337d303e keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
370b4498d0dc52eb8a85a23a5973bebf keys-fixes.patch
8592323596689e3ef967ff96d1190d1b config-grsec.x86
81aab21a18c16cf96d0fa719564281ec config-grsec.x86_64
c4c15b3ba79bb557a67cd9356b56d7c4 config-grsec.armhf
28754e558f94f3b3e0b0fcc27c1c955f config-virtgrsec.x86
ae802ba9bdf0dfa50e7506a08bbf929d config-virtgrsec.x86_64"
sha256sums="caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f linux-4.1.tar.xz
0ffca8557f1aa191da2f2260ad279c9cc858e6308a8af8a76f7ca3d3c0540344 patch-4.1.15.xz
5cb29b9a0ffb72c11ff17a0c68a9bb6452ca15b79eb1fc00c179cdf1748f2d48 pax-linux-4.1.15-test24-alpine.patch
a92b81dbd4fa4fbee28cebad93b0bd623820c809e98e8841151842341b9626eb grsec-4.1.15-3.1-201509112213-alpine.patch
01279cfb93273d99670c56e2465957ecde3d03693beeb929a743f03afa0b7bdc fix-spi-nor-namespace-clash.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
78ca4ba9863d43ba498db628f2dfc2cf00427236745636025bd24513bdf05189 add-checks-for-allocation-failure-isdn_ppp_open.patch
d2670dc40c47de365d36ba1e1bbef0ea3e6381f5d4c38e88a4c5db2eb4383925 validate-vj-compression-slot-parameters-completely.patch
eb787ea2e4637708475569f7498c1ef0fa5e4e80ae22df5c5f44092615f86ebd kvm-svm-unconditionally-intercept-#db.patch
4070f46003fb5e1a16474f682da78d989809272a7aa209f794caa8d0b941e2c0 vivid-osd-fix-info-leak-in-ioctl.patch
144886917b2c5ff880c4beb11ca8743b98ea5ed49bbd10a54a98e1d76cfe23b5 staging-dgnc-fix-info-leak-in-ioctl.patch
180af96ce8310913f6662be50ca69c9737af250ef8dd3fdefdc58bef5f55ca9e net-add-validation-socket-syscall-protocol-argument.patch
5d3f0311176addb6cbbe0739736962cdb3826816e5cc0384f52d34cbd7c2c2a0 pptp-verify-sockaddr_len.patch
79fa593d628d740c7bc2b68398ab381ad978293102d1f282919ee69aeab6a17d ovl-fix-permission-checking-for-setattr.patch
464fbfe582c2b841c629c78508d117108505aafdcc6fec8a2ae0b34193d04bbe 0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
c3a7a6d1ca5c23c98ea703c716144dc88b5bcf5052416a7ff3c766beed78d7db keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
653bdfac4fdac0fed19b60c8ae34afe97a699bbabe0e00888584c1ef52a626e1 keys-fixes.patch
fbc303521afbecbe2dccbe9955d108af53aaaa3388f2ca0962fc93f26a535a56 config-grsec.x86
0d770dbef70ec200e9f0341f7840847c228ac5e5061401614aaa27db59922614 config-grsec.x86_64
01b4f4e7eae350d40749f34e916e69c101f2fb5b3b7c2bd1917c29b8df3c2668 config-grsec.armhf
fcfeedde29606b94f79f79ceb9351bd5d018aca6a76bba04459d85e4ad94939f config-virtgrsec.x86
91bb0c7e6ad7b438daba3be79117007ecd68afb89857381034467837247edd56 config-virtgrsec.x86_64"
sha512sums="168ef84a4e67619f9f53f3574e438542a5747f9b43443363cb83597fcdac9f40d201625c66e375a23226745eaada9176eb006ca023613cec089349e91751f3c0 linux-4.1.tar.xz
646daf16c01fb8c3013c7c9919c18c3635eb6bd37560623cb56cc7a6d0b22fb13290cee8865dfbcc435cd8544cc3ecb6f3aae538d10c9e0b1098806f233155a3 patch-4.1.15.xz
e5bb53ac77a4b285fa4dd52cf50856669cb932669c2c8b1b9cd14d2384375d1ce9e997a760848c2c2e2c428e5d3c1c41aad890ee4009c9c4653d3a13721eab7a pax-linux-4.1.15-test24-alpine.patch
c737219a382206894889ddf8e807836a6fd08bb983b5e2327fae9f8427a0fa591c17f896b6e3f8dab4e356ae2d5f2aaa1cb642dea162eddc0c53c3a494928d52 grsec-4.1.15-3.1-201509112213-alpine.patch
4e3aeb70712f9838afea75fe9e6c1389414d833a89286ea55441d6a8d54ce74b0e39b565721e3153443af0a614bff57c767251b7e5b81faa5e0784eddfcd2164 fix-spi-nor-namespace-clash.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
2fac663732ec9f5d0089b7bfdc31e4166028b381da328aef405f4a2c9102486139bc759dccc704293d9fbc0d4a19d9682e31e62f913bfa5fd22a4ef77e4b2255 add-checks-for-allocation-failure-isdn_ppp_open.patch
528604f2296bd1a67e32b465b4885ddba8ccf50925909e80cc523186ab03439c47eb5c016c133f3e3f27b0666f234f88a9c33399d7550867a448e12c73f878c2 validate-vj-compression-slot-parameters-completely.patch
5d9628e59117b9b0e464bfdac4249663a8c46f8c0ac5f521e19bbb1d59ad3a0dc0d97de34a1f011033d31c792452e6b20a70081ec8cc208bf0671fb50017ab6c kvm-svm-unconditionally-intercept-#db.patch
98bd4ef55ce0b7c4b4fee638ba079555a7363f1b34bc415135bd2fcbd12957ef45d569d7bf85edcbf322638f9951e01951807279279e729bbc13bee3be5d2b45 vivid-osd-fix-info-leak-in-ioctl.patch
51bdf43837e0bc24771b6dd67e4f5f49ae77716a49155b2b04ca17aa84a7aea65f858733795a91d8c5c3221a77c576370c0ccc7e711c32edaa87210cf55974ec staging-dgnc-fix-info-leak-in-ioctl.patch
d41f3b7c30d59a0fb43f877fff5a311c7fad8e12dfb51c519af368e8d1511202e6cceace3e051620a90e30f3c4b170847172764db045c9a5777663e2e9f2116c net-add-validation-socket-syscall-protocol-argument.patch
9454738454abee92200c7025a5b19e6870056ee71faf7e78dc10c0e7317e2d27c940ab031e2e53db856e1bea3b3fe5e32ce5aaa7c29dc833aa0f75d35bbf7a79 pptp-verify-sockaddr_len.patch
061d58353e8d8eb83a10ae1cdfd16ff5d982ee594decd115d42f438293747b9f4ea3cb16ce242685b34d52ca57feb3b8e9f344adc425e1894f0283abe47ef355 ovl-fix-permission-checking-for-setattr.patch
928492c522cc376abc244f9aec25b10abf0efc4cf19e5f3b7130ed8efed904e674975a05b70f3f46343dba5aa324c46981cb98eea7a619defbb7235742a3333e 0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
d4d65eacdac1d9baed2ddf926f09a6d66b4dc42ea40ac9b118ad69dfd8dcc06052afb742aaf906fad54d70182d2243bdc1f0649eea7754a2402fc94447d568b1 keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
2611db9cca53ac6851beb9f48e51651090e6b97a644d260671d6f4aa2b2d75ff71276b6d14d0b2e5908bc261c86fc6c2dc4bd88e093fdd74e144983c720f0a2b keys-fixes.patch
819ff2d16b5c15399de9b3c254d4ed6b7ef580a5b7cdacb209d90d35d178e93e34a5d6159b0edfab4afec9decf404901a7504f7b106c62c3dba0cdb4f0951a61 config-grsec.x86
61b2f6b1264e51548c657b337a23592d7bdf0fe730f71e9039af098dd9ebd1b2bd7dbff1811ccb36c7c50b4cfef4cf19534a1f25ef05048a404fd6a6c3120a59 config-grsec.x86_64
3be2587ca157eff3910ad1cd4dd9013c699e08d6f8fdde22458caa423f17591a7b386aad5f592f79baac4da6b32f5965483c3080c1cf2bc906fdffbe33a16bf7 config-grsec.armhf
caec0c97bfd25c9cc6921addc8b39941284a38746d5b9c5f19c0f1fe679d9f4c6ee7881a2eb95a16dcfbb082486435f467d27d539405ee6094b70d13b3bf2276 config-virtgrsec.x86
3a8dbd0bdf8c1a46b6ced0b70e60bd830f46cb9752af12759b7ba8d8b041c117de1b25496f98653e65aa3828ab8644982f10807bf18ab60afaa778fde7711544 config-virtgrsec.x86_64"
|
