author | Irvine | 2018-01-26 03:34:55 +0000 |
---|---|---|
committer | Irvine | 2018-01-26 03:34:55 +0000 |
commit | 57d1a79326eb6a79dbbdf2ad08e11713a2c5e04f (patch) | |
tree | da44256ba134494b71ab9d6e8277eb71a1e38e4a | |
parent | 5cb9877086f17b5f63f4d0ea4aa4aa8f2ea4ad07 (diff) | |
download | aur-57d1a79326eb6a79dbbdf2ad08e11713a2c5e04f.tar.gz |
Upstream signed patch, (see 4.14.15--ReadMe)
-rw-r--r-- | .SRCINFO | 18 | ||||
-rw-r--r-- | 4.14.15.a--ReadMe | 13 | ||||
-rw-r--r-- | PKGBUILD | 29 | ||||
-rw-r--r-- | config.x86_64 | 1 |
4 files changed, 51 insertions, 10 deletions
@@ -1,6 +1,6 @@ pkgbase = linux-hardened-apparmor pkgver = 4.14.15.a - pkgrel = 1 + pkgrel = 2 url = https://github.com/copperhead/linux-hardened arch = x86_64 license = GPL2 @@ -11,7 +11,12 @@ pkgbase = linux-hardened-apparmor makedepends = libelf replaces = linux-grsec options = !strip - source = https://github.com/copperhead/linux-hardened/archive/4.14.15.a.tar.gz + source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz + source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign + source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.15.xz + source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.15.sign + source = https://github.com/thestinger/linux-hardened/releases/download/4.14.15.a/linux-hardened-4.14.15.a.patch + source = https://github.com/thestinger/linux-hardened/releases/download/4.14.15.a/linux-hardened-4.14.15.a.patch.sig source = config.x86_64 source = 60-linux.hook source = 90-linux.hook @@ -24,8 +29,13 @@ pkgbase = linux-hardened-apparmor validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E validpgpkeys = 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A - sha256sums = b0889785c19533708d29ff559d414a19fd7115973e6e61c614c5f7dae0990fd7 - sha256sums = f7a481a87ba85c8a2dc31abd9df1b77263e49de66f0ec2af979c24d589288adb + sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7 + sha256sums = SKIP + sha256sums = 54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030 + sha256sums = SKIP + sha256sums = 55f4dfaf88a98368f29c7503b8a67a35105a11376cd91a1096ed18eabed5a288 + sha256sums = SKIP + sha256sums = 2fdd2497e3df02a0624a068605007dc91d92304562977279d54b3381ad6e2ef0 sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21 sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919 sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65 
diff --git a/4.14.15.a--ReadMe b/4.14.15.a--ReadMe index b0135562951d..55cb349c7644 100644 --- a/4.14.15.a--ReadMe +++ b/4.14.15.a--ReadMe @@ -1,7 +1,18 @@ -Note: Upstream didn't provided the usual linux-hardened patch for 4.14.15. So, this release is being built directly from the source code found at https://github.com/copperhead/linux-hardened/releases/tag/4.14.15.a Also, upstream failed to sign the above release.... +Note: Upstream didn't provided the usual linux-hardened patch for 4.14.15. So, the initial release was built directly from the source code found at https://github.com/copperhead/linux-hardened/releases/tag/4.14.15.a Also, upstream failed to sign the above release.... However, on the plus side, I have calculated the proper sha256sum for the release, and also applied the appropriate Arch patch sets. If upstream updates the release with a rolling patch and/or signatures, I will update the PKGBUILD accordingly See https://github.com/copperhead/linux-hardened/releases + +UPDATE: +The signed patch was finally released, and I have updated the PKGBUILD accordingly. However, possibly because linux-hardened-apparmor is now slightly ahead of linux-hardened, I had to make a choice about whether or not to enable "CONFIG_LOCAL_SANITIZE", which zero-fills uninitialized local variables. The default is 'NO'. and since the option requires compiler support, I went with this choice. If this is a problem, let me know. (Note: When linux-hardened is next updated, whether or not this option is enabled will be up to @Anthrax) + +Hopefully, 4.14.16 will see a return to the normal release cycle and linux-hardened-apparmor will be fully in sync with linux-hardened... I apologise for any inconvenience, but it was brought about by things beyond my control and the only alternative would have been to delay the update. + +Irvine + + + + 
@@ -1,16 +1,20 @@ # Maintainer: Irvine <irvinemcminn_at_that gmail_place> pkgbase=linux-hardened-apparmor -_srcname=linux-hardened-4.14.15.a +_srcname=linux-4.14 _pkgver=4.14.15 pkgver=${_pkgver}.a -pkgrel=1 +pkgrel=2 url='https://github.com/copperhead/linux-hardened' arch=('x86_64') license=('GPL2') makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf') options=('!strip') -source=(https://github.com/copperhead/linux-hardened/archive/4.14.15.a.tar.gz +source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz + https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign + https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.xz + https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.sign + https://github.com/thestinger/linux-hardened/releases/download/${pkgver}/linux-hardened-${pkgver}.patch{,.sig} config.x86_64 # the main kernel config files 60-linux.hook # pacman hook for depmod 90-linux.hook # pacman hook for initramfs regeneration @@ -26,8 +30,13 @@ source=(https://github.com/copperhead/linux-hardened/archive/4.14.15.a.tar.gz CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch ) replaces=('linux-grsec') -sha256sums=('b0889785c19533708d29ff559d414a19fd7115973e6e61c614c5f7dae0990fd7' - 'f7a481a87ba85c8a2dc31abd9df1b77263e49de66f0ec2af979c24d589288adb' +sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7' + 'SKIP' + '54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030' + 'SKIP' + '55f4dfaf88a98368f29c7503b8a67a35105a11376cd91a1096ed18eabed5a288' + 'SKIP' + '2fdd2497e3df02a0624a068605007dc91d92304562977279d54b3381ad6e2ef0' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' 
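Review bot: The new `source=()` entry fetches the hardened patch from `github.com/thestinger/linux-hardened`, while the unchanged `url=` line just above still names `copperhead/linux-hardened`, so the PKGBUILD does not say whether the download location is the upstream it advertises. What authenticates that patch is its `.sig` checked against `validpgpkeys`, which lies outside this hunk. A comment above the entry would record that dependency, for example `# hardened patch + detached .sig; the signer's fingerprint must be listed in validpgpkeys`. Either update `url=` or note the release location there so the two lines agree.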
@@ -46,6 +55,12 @@ _kernelname=${pkgbase#linux} prepare() { cd ${_srcname} + # add upstream patch + msg2 "Applying upstream patch" + patch -Np1 < ../patch-${_pkgver} + # XXX: GNU patch doesn't support git-style file mode + chmod +x tools/objtool/sync-check.sh + # apply all patches for _patch in "${source[@]}"; do _patch=${_patch%%::*} @@ -57,6 +72,10 @@ prepare() { fi done + # linux hardened patch + msg2 "Applying hardened patch" + patch -Np1 < ../linux-hardened-${pkgver}.patch + # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git diff --git a/config.x86_64 b/config.x86_64 index 26c4bf66c344..8645e3cdf5e3 100644 --- a/config.x86_64 +++ b/config.x86_64 @@ -197,6 +197,7 @@ CONFIG_RD_LZO=y CONFIG_RD_LZ4=y CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set +# CONFIG_LOCAL_SANITIZE is not set CONFIG_SYSCTL=y CONFIG_ANON_INODES=y CONFIG_HAVE_UID16=y |
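Review bot: The explicit `patch -Np1 < ../linux-hardened-${pkgver}.patch` added after the loop may apply the hardened patch a second time. That file is now listed in `source=()` with a `.patch` suffix, and the loop above iterates over `"${source[@]}"`. The loop's `if` condition is outside the hunk, but if it matches on the `.patch` suffix, the second run under `-N` would likely be reported as already applied and return non-zero, aborting `prepare()`. If the hardened patch has to go last, have the loop skip it with `[[ $_patch = linux-hardened-* ]] && continue`; otherwise drop the explicit call. Quoting the redirect targets (`"../linux-hardened-${pkgver}.patch"`) would also match the quoted style of the `for` line.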
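Review bot: The added `# CONFIG_LOCAL_SANITIZE is not set` line turns off a hardening option in a package whose purpose is hardening, and the only record of why is the release-specific ReadMe in this commit. That ReadMe describes the option as zero-filling uninitialized local variables and says it was left at its default because it needs compiler support. A comment in the config file would not survive regeneration, so the rationale belongs next to the `config.x86_64` source entry in the PKGBUILD, for example `# CONFIG_LOCAL_SANITIZE left at default (n): needs compiler support; revisit when linux-hardened syncs`. That keeps the decision visible once the ReadMe is replaced for the next release.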