authorIrvine2018-01-26 03:34:55 +0000
committerIrvine2018-01-26 03:34:55 +0000
commit57d1a79326eb6a79dbbdf2ad08e11713a2c5e04f (patch)
treeda44256ba134494b71ab9d6e8277eb71a1e38e4a
parent5cb9877086f17b5f63f4d0ea4aa4aa8f2ea4ad07 (diff)
downloadaur-57d1a79326eb6a79dbbdf2ad08e11713a2c5e04f.tar.gz
Upstream signed patch, (see 4.14.15--ReadMe)
-rw-r--r--.SRCINFO18
-rw-r--r--4.14.15.a--ReadMe13
-rw-r--r--PKGBUILD29
-rw-r--r--config.x86_641
4 files changed, 51 insertions, 10 deletions
diff --git a/.SRCINFO b/.SRCINFO
index bae31bb9926e..4ceba845f1e9 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = linux-hardened-apparmor
pkgver = 4.14.15.a
- pkgrel = 1
+ pkgrel = 2
url = https://github.com/copperhead/linux-hardened
arch = x86_64
license = GPL2
@@ -11,7 +11,12 @@ pkgbase = linux-hardened-apparmor
makedepends = libelf
replaces = linux-grsec
options = !strip
- source = https://github.com/copperhead/linux-hardened/archive/4.14.15.a.tar.gz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.15.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.15.sign
+ source = https://github.com/thestinger/linux-hardened/releases/download/4.14.15.a/linux-hardened-4.14.15.a.patch
+ source = https://github.com/thestinger/linux-hardened/releases/download/4.14.15.a/linux-hardened-4.14.15.a.patch.sig
source = config.x86_64
source = 60-linux.hook
source = 90-linux.hook
@@ -24,8 +29,13 @@ pkgbase = linux-hardened-apparmor
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
validpgpkeys = 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
- sha256sums = b0889785c19533708d29ff559d414a19fd7115973e6e61c614c5f7dae0990fd7
- sha256sums = f7a481a87ba85c8a2dc31abd9df1b77263e49de66f0ec2af979c24d589288adb
+ sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
+ sha256sums = SKIP
+ sha256sums = 54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030
+ sha256sums = SKIP
+ sha256sums = 55f4dfaf88a98368f29c7503b8a67a35105a11376cd91a1096ed18eabed5a288
+ sha256sums = SKIP
+ sha256sums = 2fdd2497e3df02a0624a068605007dc91d92304562977279d54b3381ad6e2ef0
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
diff --git a/4.14.15.a--ReadMe b/4.14.15.a--ReadMe
index b0135562951d..55cb349c7644 100644
--- a/4.14.15.a--ReadMe
+++ b/4.14.15.a--ReadMe
@@ -1,7 +1,18 @@
-Note: Upstream didn't provided the usual linux-hardened patch for 4.14.15. So, this release is being built directly from the source code found at https://github.com/copperhead/linux-hardened/releases/tag/4.14.15.a Also, upstream failed to sign the above release....
+Note: Upstream didn't provided the usual linux-hardened patch for 4.14.15. So, the initial release was built directly from the source code found at https://github.com/copperhead/linux-hardened/releases/tag/4.14.15.a Also, upstream failed to sign the above release....
However, on the plus side, I have calculated the proper sha256sum for the release, and also applied the appropriate Arch patch sets.
If upstream updates the release with a rolling patch and/or signatures, I will update the PKGBUILD accordingly
See https://github.com/copperhead/linux-hardened/releases
+
+UPDATE:
+The signed patch was finally released, and I have updated the PKGBUILD accordingly. However, possibly because linux-hardened-apparmor is now slightly ahead of linux-hardened, I had to make a choice about whether or not to enable "CONFIG_LOCAL_SANITIZE", which zero-fills uninitialized local variables. The default is 'NO'. and since the option requires compiler support, I went with this choice. If this is a problem, let me know. (Note: When linux-hardened is next updated, whether or not this option is enabled will be up to @Anthrax)
+
+Hopefully, 4.14.16 will see a return to the normal release cycle and linux-hardened-apparmor will be fully in sync with linux-hardened... I apologise for any inconvenience, but it was brought about by things beyond my control and the only alternative would have been to delay the update.
+
+Irvine
+
+
+
+
diff --git a/PKGBUILD b/PKGBUILD
index 2ad760a2f596..f67ee3a65786 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,16 +1,20 @@
# Maintainer: Irvine <irvinemcminn_at_that gmail_place>
pkgbase=linux-hardened-apparmor
-_srcname=linux-hardened-4.14.15.a
+_srcname=linux-4.14
_pkgver=4.14.15
pkgver=${_pkgver}.a
-pkgrel=1
+pkgrel=2
url='https://github.com/copperhead/linux-hardened'
arch=('x86_64')
license=('GPL2')
makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf')
options=('!strip')
-source=(https://github.com/copperhead/linux-hardened/archive/4.14.15.a.tar.gz
+source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz
+ https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign
+ https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.xz
+ https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.sign
+ https://github.com/thestinger/linux-hardened/releases/download/${pkgver}/linux-hardened-${pkgver}.patch{,.sig}
config.x86_64 # the main kernel config files
60-linux.hook # pacman hook for depmod
90-linux.hook # pacman hook for initramfs regeneration
@@ -26,8 +30,13 @@ source=(https://github.com/copperhead/linux-hardened/archive/4.14.15.a.tar.gz
CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
)
replaces=('linux-grsec')
-sha256sums=('b0889785c19533708d29ff559d414a19fd7115973e6e61c614c5f7dae0990fd7'
- 'f7a481a87ba85c8a2dc31abd9df1b77263e49de66f0ec2af979c24d589288adb'
+sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
+ 'SKIP'
+ '54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030'
+ 'SKIP'
+ '55f4dfaf88a98368f29c7503b8a67a35105a11376cd91a1096ed18eabed5a288'
+ 'SKIP'
+ '2fdd2497e3df02a0624a068605007dc91d92304562977279d54b3381ad6e2ef0'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
@@ -46,6 +55,12 @@ _kernelname=${pkgbase#linux}
prepare() {
cd ${_srcname}
+ # add upstream patch
+ msg2 "Applying upstream patch"
+ patch -Np1 < ../patch-${_pkgver}
+ # XXX: GNU patch doesn't support git-style file mode
+ chmod +x tools/objtool/sync-check.sh
+
# apply all patches
for _patch in "${source[@]}"; do
_patch=${_patch%%::*}
@@ -57,6 +72,10 @@ prepare() {
fi
done
+ # linux hardened patch
+ msg2 "Applying hardened patch"
+ patch -Np1 < ../linux-hardened-${pkgver}.patch
+
# add latest fixes from stable queue, if needed
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
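Review bot: The explicit `patch -Np1 < ../linux-hardened-${pkgver}.patch` added here risks applying the hardened patch a second time, because `linux-hardened-4.14.15.a.patch` is now an entry of `source` and the `for _patch in "${source[@]}"` loop just above already walks that array; whether it does depends on the loop's filter, which lies outside this hunk (only its `fi`/`done` are visible). If that loop applies every `*.patch` source, the second run would hit already-applied hunks and, even with `-N`, exit non-zero and abort prepare(). Either drop the explicit call and let the loop handle it, or exclude the hardened patch from the loop and keep this block so the application order is deterministic — note that this block now applies the hardened patch after the CVE and other per-package patches, the reverse of the previous build from the pre-patched tree, so confirm the series still applies cleanly. A one-line comment such as `# applied here, not in the loop above, so it lands after the per-package patches` would make the intended order explicit. prepare() starts and ends outside this hunk.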
diff --git a/config.x86_64 b/config.x86_64
index 26c4bf66c344..8645e3cdf5e3 100644
--- a/config.x86_64
+++ b/config.x86_64
@@ -197,6 +197,7 @@ CONFIG_RD_LZO=y
CONFIG_RD_LZ4=y
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
+# CONFIG_LOCAL_SANITIZE is not set
CONFIG_SYSCTL=y
CONFIG_ANON_INODES=y
CONFIG_HAVE_UID16=y