-rw-r--r-- | .SRCINFO | 18 | ||||
-rw-r--r-- | 4.14.15.a--ReadMe | 7 | ||||
-rw-r--r-- | PKGBUILD | 29 | ||||
-rw-r--r-- | config.x86_64 | 17 |
4 files changed, 27 insertions, 44 deletions
@@ -1,5 +1,5 @@ pkgbase = linux-hardened-apparmor - pkgver = 4.14.14.a + pkgver = 4.14.15.a pkgrel = 1 url = https://github.com/copperhead/linux-hardened arch = x86_64 @@ -11,12 +11,7 @@ pkgbase = linux-hardened-apparmor makedepends = libelf replaces = linux-grsec options = !strip - source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz - source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign - source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.14.xz - source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.14.sign - source = https://github.com/thestinger/linux-hardened/releases/download/4.14.14.a/linux-hardened-4.14.14.a.patch - source = https://github.com/thestinger/linux-hardened/releases/download/4.14.14.a/linux-hardened-4.14.14.a.patch.sig + source = https://github.com/copperhead/linux-hardened/archive/4.14.15.a.tar.gz source = config.x86_64 source = 60-linux.hook source = 90-linux.hook @@ -29,13 +24,8 @@ pkgbase = linux-hardened-apparmor validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E validpgpkeys = 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A - sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7 - sha256sums = SKIP - sha256sums = 62d656b98f0dc143216cb9650bd9b96cd83d92925731e9f0bec5eb4d6358e603 - sha256sums = SKIP - sha256sums = 0ee89f7c93da3708047467041d4fed7f2f19e07d2a46c3184f61d8ba5d36a80a - sha256sums = SKIP - sha256sums = a5f733c271b5f11049efe5d100e97e424716d0f3cc7ae7267ad440424ca5b4b5 + sha256sums = b0889785c19533708d29ff559d414a19fd7115973e6e61c614c5f7dae0990fd7 + sha256sums = f7a481a87ba85c8a2dc31abd9df1b77263e49de66f0ec2af979c24d589288adb sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21 sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919 sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65 
diff --git a/4.14.15.a--ReadMe b/4.14.15.a--ReadMe new file mode 100644 index 000000000000..b0135562951d --- /dev/null +++ b/4.14.15.a--ReadMe @@ -0,0 +1,7 @@ +Note: Upstream didn't provided the usual linux-hardened patch for 4.14.15. So, this release is being built directly from the source code found at https://github.com/copperhead/linux-hardened/releases/tag/4.14.15.a Also, upstream failed to sign the above release.... + +However, on the plus side, I have calculated the proper sha256sum for the release, and also applied the appropriate Arch patch sets. + +If upstream updates the release with a rolling patch and/or signatures, I will update the PKGBUILD accordingly + +See https://github.com/copperhead/linux-hardened/releases @@ -1,8 +1,8 @@ # Maintainer: Irvine <irvinemcminn_at_that gmail_place> pkgbase=linux-hardened-apparmor -_srcname=linux-4.14 -_pkgver=4.14.14 +_srcname=linux-hardened-4.14.15.a +_pkgver=4.14.15 pkgver=${_pkgver}.a pkgrel=1 url='https://github.com/copperhead/linux-hardened' @@ -10,11 +10,7 @@ arch=('x86_64') license=('GPL2') makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf') options=('!strip') -source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz - https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign - https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.xz - https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.sign - https://github.com/thestinger/linux-hardened/releases/download/${pkgver}/linux-hardened-${pkgver}.patch{,.sig} +source=(https://github.com/copperhead/linux-hardened/archive/4.14.15.a.tar.gz config.x86_64 # the main kernel config files 60-linux.hook # pacman hook for depmod 90-linux.hook # pacman hook for initramfs regeneration 
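Review bot: The replacement `source` entry in the `@@ -10,11 +10,7 @@` PKGBUILD hunk leaves the kernel tree without any signature check: the kernel.org `.sign` files and the hardened patch's `.sig` are dropped, and the GitHub archive is checked only against a sha256sum that, per the added ReadMe, the packager calculated from an unsigned release. That hash pins the file that was downloaded once but gives no independent evidence that it matches upstream's tree, and the `validpgpkeys` kept in .SRCINFO presumably no longer cover this source. The URL also hard-codes the version, so a later bump of `_pkgver` alone would still fetch and build 4.14.15.a under the new package version with the checksum passing; `"${pkgbase}-${pkgver}.tar.gz::https://github.com/copperhead/linux-hardened/archive/${pkgver}.tar.gz"` ties the download to `pkgver` and gives it a non-generic file name. If upstream signs its git tags (not visible here), a `git+https` source with `#tag=${pkgver}?signed` would restore verification through makepkg.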
@@ -30,13 +26,8 @@ source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch ) replaces=('linux-grsec') -sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7' - 'SKIP' - '62d656b98f0dc143216cb9650bd9b96cd83d92925731e9f0bec5eb4d6358e603' - 'SKIP' - '0ee89f7c93da3708047467041d4fed7f2f19e07d2a46c3184f61d8ba5d36a80a' - 'SKIP' - 'a5f733c271b5f11049efe5d100e97e424716d0f3cc7ae7267ad440424ca5b4b5' +sha256sums=('b0889785c19533708d29ff559d414a19fd7115973e6e61c614c5f7dae0990fd7' + 'f7a481a87ba85c8a2dc31abd9df1b77263e49de66f0ec2af979c24d589288adb' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' @@ -55,12 +46,6 @@ _kernelname=${pkgbase#linux} prepare() { cd ${_srcname} - # add upstream patch - msg2 "Applying upstream patch" - patch -Np1 < ../patch-${_pkgver} - # XXX: GNU patch doesn't support git-style file mode - chmod +x tools/objtool/sync-check.sh - # apply all patches for _patch in "${source[@]}"; do _patch=${_patch%%::*} @@ -72,10 +57,6 @@ prepare() { fi done - # linux hardened patch - msg2 "Applying hardened patch" - patch -Np1 < ../linux-hardened-${pkgver}.patch - # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git diff --git a/config.x86_64 b/config.x86_64 index c4f124023ebc..26c4bf66c344 100644 --- a/config.x86_64 +++ b/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.14 Kernel Configuration +# Linux/x86 4.14.15 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y 
@@ -53,7 +53,7 @@ CONFIG_THREAD_INFO_IN_TASK=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" # CONFIG_COMPILE_TEST is not set -CONFIG_LOCALVERSION="-hardened" +CONFIG_LOCALVERSION="-hardened-apparmor" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y @@ -674,7 +674,7 @@ CONFIG_HOTPLUG_CPU=y # CONFIG_LEGACY_VSYSCALL_EMULATE is not set CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_CMDLINE_BOOL=y -CONFIG_CMDLINE="audit=0" +CONFIG_CMDLINE="audit=1" # CONFIG_CMDLINE_OVERRIDE is not set # CONFIG_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y @@ -8122,7 +8122,11 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set -# CONFIG_SECURITY_APPARMOR is not set +CONFIG_SECURITY_APPARMOR=y +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 +CONFIG_SECURITY_APPARMOR_HASH=y +CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y +# CONFIG_SECURITY_APPARMOR_DEBUG is not set # CONFIG_SECURITY_LOADPIN is not set CONFIG_SECURITY_YAMA=y CONFIG_INTEGRITY=y @@ -8131,8 +8135,9 @@ CONFIG_INTEGRITY_AUDIT=y # CONFIG_IMA is not set # CONFIG_EVM is not set # CONFIG_DEFAULT_SECURITY_SELINUX is not set -CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_DEFAULT_SECURITY="" +CONFIG_DEFAULT_SECURITY_APPARMOR=y +# CONFIG_DEFAULT_SECURITY_DAC is not set +CONFIG_DEFAULT_SECURITY="apparmor" CONFIG_XOR_BLOCKS=m CONFIG_ASYNC_CORE=m CONFIG_ASYNC_MEMCPY=m |
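Review bot: The switch to `CONFIG_CMDLINE="audit=1"` in the `@@ -674,7 +674,7 @@` hunk sets a default rather than a guarantee, because the context line shows `CONFIG_CMDLINE_OVERRIDE` is not set and on x86 the boot loader's command line is then appended to the built-in one, so an `audit=0` passed at boot still disables auditing. The reason for the change is not recorded anywhere in the commit; presumably it is so that AppArmor denials are reported through the audit subsystem. Since config.x86_64 is a generated file, a line in the ReadMe or PKGBUILD such as `# audit=1 is built in so AppArmor denials are logged; without auditd running they go to the kernel log` would tell users what to expect.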
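Review bot: Enabling `CONFIG_SECURITY_APPARMOR=y` with `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` in the `@@ -8122,7 +8122,11 @@` hunk, together with `CONFIG_DEFAULT_SECURITY="apparmor"` in the hunk that follows it, makes AppArmor the active LSM at boot, but nothing is confined until userspace loads profiles. The PKGBUILD hunks in this commit show no dependency or install note for the AppArmor userspace tools (the rest of the PKGBUILD is not visible), so a user could run this kernel believing policy is enforced while no profile is loaded. Suggest saying so where users will read it, for example `# AppArmor is on by default; install the userspace tools and load profiles, otherwise nothing is confined` in the PKGBUILD or the ReadMe.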