From 9538b5f99dccbd78a9c334d2c430723da9d60d16 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Tue, 31 Dec 2019 18:15:55 +0000 Subject: sys-kernel/linux-{image,sources}-redcore : relax some hardening --- .../linux-image-redcore/files/5.4-amd64.config | 19 +-- .../linux-image-redcore-5.4.5-r1.ebuild | 168 +++++++++++++++++++++ .../linux-image-redcore-5.4.5.ebuild | 168 --------------------- 3 files changed, 175 insertions(+), 180 deletions(-) create mode 100644 sys-kernel/linux-image-redcore/linux-image-redcore-5.4.5-r1.ebuild delete mode 100644 sys-kernel/linux-image-redcore/linux-image-redcore-5.4.5.ebuild (limited to 'sys-kernel/linux-image-redcore') diff --git a/sys-kernel/linux-image-redcore/files/5.4-amd64.config b/sys-kernel/linux-image-redcore/files/5.4-amd64.config index 123bf569..a9fab76a 100644 --- a/sys-kernel/linux-image-redcore/files/5.4-amd64.config +++ b/sys-kernel/linux-image-redcore/files/5.4-amd64.config @@ -9185,24 +9185,19 @@ CONFIG_LSM="apparmor" # # Kernel hardening options # -CONFIG_GCC_PLUGIN_STRUCTLEAK=y # # Memory initialization # -# CONFIG_INIT_STACK_NONE is not set +CONFIG_INIT_STACK_NONE=y # CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set -CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y -# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set -CONFIG_GCC_PLUGIN_STACKLEAK=y -CONFIG_STACKLEAK_TRACK_MIN_SIZE=100 -CONFIG_STACKLEAK_METRICS=y -CONFIG_STACKLEAK_RUNTIME_DISABLE=y -CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y -CONFIG_INIT_ON_FREE_DEFAULT_ON=y -CONFIG_PAGE_SANITIZE_VERIFY=y -CONFIG_SLAB_SANITIZE_VERIFY=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set +# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set +# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set +# CONFIG_PAGE_SANITIZE_VERIFY is not set +# CONFIG_SLAB_SANITIZE_VERIFY is not set # end of Memory initialization # end of Kernel hardening options # end of Security options diff --git a/sys-kernel/linux-image-redcore/linux-image-redcore-5.4.5-r1.ebuild b/sys-kernel/linux-image-redcore/linux-image-redcore-5.4.5-r1.ebuild new file mode 100644 index 00000000..ca6654a2 --- /dev/null +++ b/sys-kernel/linux-image-redcore/linux-image-redcore-5.4.5-r1.ebuild @@ -0,0 +1,168 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit eutils + +EXTRAVERSION="redcore-r1" +KV_FULL="${PV}-${EXTRAVERSION}" +KV_MAJOR="5.4" + +DESCRIPTION="Official Redcore Linux Kernel Image" +HOMEPAGE="https://redcorelinux.org" +SRC_URI="https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${PV}.tar.xz" + +KEYWORDS="amd64" +LICENSE="GPL-2" +SLOT="${PVR}" +IUSE="+cryptsetup +dmraid +dracut +dkms +mdadm" + +RESTRICT="binchecks strip mirror" +DEPEND=" + app-arch/lz4 + app-arch/xz-utils + sys-devel/autoconf + sys-devel/bc + sys-devel/make + cryptsetup? ( sys-fs/cryptsetup ) + dmraid? ( sys-fs/dmraid ) + dracut? ( >=sys-kernel/dracut-0.44-r8 ) + dkms? ( sys-kernel/dkms sys-kernel/linux-sources-redcore:${SLOT} ) + mdadm? ( sys-fs/mdadm ) + >=sys-kernel/linux-firmware-20180314" +RDEPEND="${DEPEND}" + +PATCHES=( + "${FILESDIR}"/"${KV_MAJOR}"-enable_alx_wol.patch + "${FILESDIR}"/"${KV_MAJOR}"-drop_ancient-and-wrong-msg.patch + "${FILESDIR}"/"${KV_MAJOR}"-ata-fix-NCQ-LOG-strings-and-move-to-debug.patch + "${FILESDIR}"/"${KV_MAJOR}"-radeon_dp_aux_transfer_native-no-ratelimited_debug.patch + "${FILESDIR}"/"${KV_MAJOR}"-acpi-use-kern_warning_even_when_error.patch + "${FILESDIR}"/"${KV_MAJOR}"-ath10k-be-quiet.patch + "${FILESDIR}"/"${KV_MAJOR}"-Unknow-SSD-HFM128GDHTNG-8310B-QUIRK_NO_APST.patch + "${FILESDIR}"/"${KV_MAJOR}"-nvme-suspend-resume-workaround.patch + "${FILESDIR}"/"${KV_MAJOR}"-nvme-pci-more-info.patch + "${FILESDIR}"/"${KV_MAJOR}"-acer-wmi-silence-unknow-functions-messages.patch + "${FILESDIR}"/"${KV_MAJOR}"-amdgpu-dc_link-drop-some-asserts.patch + "${FILESDIR}"/"${KV_MAJOR}"-nvme-hwmon.patch + "${FILESDIR}"/"${KV_MAJOR}"-0001-linux-hardened.patch + "${FILESDIR}"/"${KV_MAJOR}"-0001-uksm-linux-hardened.patch + "${FILESDIR}"/"${KV_MAJOR}"-0001-MultiQueue-Skiplist-Scheduler-v0.196-linux-hardened.patch + "${FILESDIR}"/"${KV_MAJOR}"-0002-Make-preemptible-kernel-default.patch + "${FILESDIR}"/"${KV_MAJOR}"-0003-Expose-vmsplit-for-our-poor-32-bit-users.patch + "${FILESDIR}"/"${KV_MAJOR}"-0004-Create-highres-timeout-variants-of-schedule_timeout-.patch + "${FILESDIR}"/"${KV_MAJOR}"-0005-Special-case-calls-of-schedule_timeout-1-to-use-the-.patch + "${FILESDIR}"/"${KV_MAJOR}"-0006-Convert-msleep-to-use-hrtimers-when-active.patch + "${FILESDIR}"/"${KV_MAJOR}"-0007-Replace-all-schedule-timeout-1-with-schedule_min_hrt.patch + "${FILESDIR}"/"${KV_MAJOR}"-0008-Replace-all-calls-to-schedule_timeout_interruptible-.patch + "${FILESDIR}"/"${KV_MAJOR}"-0009-Replace-all-calls-to-schedule_timeout_uninterruptibl.patch + "${FILESDIR}"/"${KV_MAJOR}"-0010-Don-t-use-hrtimer-overlay-when-pm_freezing-since-som.patch + "${FILESDIR}"/"${KV_MAJOR}"-0011-Make-threaded-IRQs-optionally-the-default-which-can-.patch + "${FILESDIR}"/"${KV_MAJOR}"-0012-Reinstate-default-Hz-of-100-in-combination-with-MuQS.patch + "${FILESDIR}"/"${KV_MAJOR}"-0013-Swap-sucks.patch +) + +S="${WORKDIR}"/linux-"${PV}" + +pkg_setup() { + export KBUILD_BUILD_USER="nexus" + export KBUILD_BUILD_HOST="nexus.redcorelinux.org" + + export REAL_ARCH="$ARCH" + unset ARCH ; unset LDFLAGS #will interfere with Makefile if set +} + +src_prepare() { + default + emake mrproper + sed -ri "s|^(EXTRAVERSION =).*|\1 -${EXTRAVERSION}|" Makefile + cp "${FILESDIR}"/"${KV_MAJOR}"-amd64.config .config + rm -rf $(find . -type f|grep -F \.orig) +} + +src_compile() { + emake prepare modules_prepare bzImage modules +} + +src_install() { + dodir boot + insinto boot + newins .config config-"${KV_FULL}" + newins System.map System.map-"${KV_FULL}" + newins arch/x86/boot/bzImage vmlinuz-"${KV_FULL}" + + dodir usr/src/linux-"${KV_FULL}" + insinto usr/src/linux-"${KV_FULL}" + doins Module.symvers + doins System.map + exeinto usr/src/linux-"${KV_FULL}" + doexe vmlinux + + emake INSTALL_MOD_PATH="${D}" modules_install + + rm -f "${D}"lib/modules/"${KV_FULL}"/build + rm -f "${D}"lib/modules/"${KV_FULL}"/source + export local KSYMS + for KSYMS in build source ; do + dosym ../../../usr/src/linux-"${KV_FULL}" lib/modules/"${KV_FULL}"/"${KSYMS}" + done +} + +_grub2_update_grubcfg() { + if [[ -x $(which grub2-mkconfig) ]]; then + elog "Updating GRUB-2 bootloader configuration, please wait" + grub2-mkconfig -o "${ROOT}"boot/grub/grub.cfg + else + elog "It looks like you're not using GRUB-2, you must update bootloader configuration by hand" + fi +} + +_dracut_initrd_create() { + if [[ -x $(which dracut) ]]; then + elog "Generating initrd for "${KV_FULL}", please wait" + addpredict /etc/ld.so.cache~ + dracut -N -f --kver="${KV_FULL}" "${ROOT}"boot/initrd-"${KV_FULL}" + else + elog "It looks like you're not using dracut, you must generate an initrd by hand" + fi +} + +_dracut_initrd_delete() { + rm -rf "${ROOT}"boot/initrd-"${KV_FULL}" +} + +_dkms_modules_delete() { + if [[ -x $(which dkms) ]] ; then + export local DKMSMOD + for DKMSMOD in $(dkms status | cut -d " " -f1,2 | sed -e 's/,//g' | sed -e 's/ /\//g' | sed -e 's/://g') ; do + dkms remove "${DKMSMOD}" -k "${KV_FULL}" + done + fi +} + +_kernel_modules_delete() { + rm -rf "${ROOT}"lib/modules/"${KV_FULL}" +} + +pkg_postinst() { + if [ $(stat -c %d:%i /) == $(stat -c %d:%i /proc/1/root/.) ]; then + if use dracut; then + _dracut_initrd_create + fi + _grub2_update_grubcfg + fi +} + +pkg_postrm() { + if [ $(stat -c %d:%i /) == $(stat -c %d:%i /proc/1/root/.) ]; then + if use dracut; then + _dracut_initrd_delete + fi + _grub2_update_grubcfg + fi + if use dkms; then + _dkms_modules_delete + fi + _kernel_modules_delete +} diff --git a/sys-kernel/linux-image-redcore/linux-image-redcore-5.4.5.ebuild b/sys-kernel/linux-image-redcore/linux-image-redcore-5.4.5.ebuild deleted file mode 100644 index 0e7bc9ad..00000000 --- a/sys-kernel/linux-image-redcore/linux-image-redcore-5.4.5.ebuild +++ /dev/null @@ -1,168 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -inherit eutils - -EXTRAVERSION="redcore" -KV_FULL="${PV}-${EXTRAVERSION}" -KV_MAJOR="5.4" - -DESCRIPTION="Official Redcore Linux Kernel Image" -HOMEPAGE="https://redcorelinux.org" -SRC_URI="https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${PV}.tar.xz" - -KEYWORDS="amd64" -LICENSE="GPL-2" -SLOT="${PVR}" -IUSE="+cryptsetup +dmraid +dracut +dkms +mdadm" - -RESTRICT="binchecks strip mirror" -DEPEND=" - app-arch/lz4 - app-arch/xz-utils - sys-devel/autoconf - sys-devel/bc - sys-devel/make - cryptsetup? ( sys-fs/cryptsetup ) - dmraid? ( sys-fs/dmraid ) - dracut? ( >=sys-kernel/dracut-0.44-r8 ) - dkms? ( sys-kernel/dkms sys-kernel/linux-sources-redcore:${SLOT} ) - mdadm? ( sys-fs/mdadm ) - >=sys-kernel/linux-firmware-20180314" -RDEPEND="${DEPEND}" - -PATCHES=( - "${FILESDIR}"/"${KV_MAJOR}"-enable_alx_wol.patch - "${FILESDIR}"/"${KV_MAJOR}"-drop_ancient-and-wrong-msg.patch - "${FILESDIR}"/"${KV_MAJOR}"-ata-fix-NCQ-LOG-strings-and-move-to-debug.patch - "${FILESDIR}"/"${KV_MAJOR}"-radeon_dp_aux_transfer_native-no-ratelimited_debug.patch - "${FILESDIR}"/"${KV_MAJOR}"-acpi-use-kern_warning_even_when_error.patch - "${FILESDIR}"/"${KV_MAJOR}"-ath10k-be-quiet.patch - "${FILESDIR}"/"${KV_MAJOR}"-Unknow-SSD-HFM128GDHTNG-8310B-QUIRK_NO_APST.patch - "${FILESDIR}"/"${KV_MAJOR}"-nvme-suspend-resume-workaround.patch - "${FILESDIR}"/"${KV_MAJOR}"-nvme-pci-more-info.patch - "${FILESDIR}"/"${KV_MAJOR}"-acer-wmi-silence-unknow-functions-messages.patch - "${FILESDIR}"/"${KV_MAJOR}"-amdgpu-dc_link-drop-some-asserts.patch - "${FILESDIR}"/"${KV_MAJOR}"-nvme-hwmon.patch - "${FILESDIR}"/"${KV_MAJOR}"-0001-linux-hardened.patch - "${FILESDIR}"/"${KV_MAJOR}"-0001-uksm-linux-hardened.patch - "${FILESDIR}"/"${KV_MAJOR}"-0001-MultiQueue-Skiplist-Scheduler-v0.196-linux-hardened.patch - "${FILESDIR}"/"${KV_MAJOR}"-0002-Make-preemptible-kernel-default.patch - "${FILESDIR}"/"${KV_MAJOR}"-0003-Expose-vmsplit-for-our-poor-32-bit-users.patch - "${FILESDIR}"/"${KV_MAJOR}"-0004-Create-highres-timeout-variants-of-schedule_timeout-.patch - "${FILESDIR}"/"${KV_MAJOR}"-0005-Special-case-calls-of-schedule_timeout-1-to-use-the-.patch - "${FILESDIR}"/"${KV_MAJOR}"-0006-Convert-msleep-to-use-hrtimers-when-active.patch - "${FILESDIR}"/"${KV_MAJOR}"-0007-Replace-all-schedule-timeout-1-with-schedule_min_hrt.patch - "${FILESDIR}"/"${KV_MAJOR}"-0008-Replace-all-calls-to-schedule_timeout_interruptible-.patch - "${FILESDIR}"/"${KV_MAJOR}"-0009-Replace-all-calls-to-schedule_timeout_uninterruptibl.patch - "${FILESDIR}"/"${KV_MAJOR}"-0010-Don-t-use-hrtimer-overlay-when-pm_freezing-since-som.patch - "${FILESDIR}"/"${KV_MAJOR}"-0011-Make-threaded-IRQs-optionally-the-default-which-can-.patch - "${FILESDIR}"/"${KV_MAJOR}"-0012-Reinstate-default-Hz-of-100-in-combination-with-MuQS.patch - "${FILESDIR}"/"${KV_MAJOR}"-0013-Swap-sucks.patch -) - -S="${WORKDIR}"/linux-"${PV}" - -pkg_setup() { - export KBUILD_BUILD_USER="nexus" - export KBUILD_BUILD_HOST="nexus.redcorelinux.org" - - export REAL_ARCH="$ARCH" - unset ARCH ; unset LDFLAGS #will interfere with Makefile if set -} - -src_prepare() { - default - emake mrproper - sed -ri "s|^(EXTRAVERSION =).*|\1 -${EXTRAVERSION}|" Makefile - cp "${FILESDIR}"/"${KV_MAJOR}"-amd64.config .config - rm -rf $(find . -type f|grep -F \.orig) -} - -src_compile() { - emake prepare modules_prepare bzImage modules -} - -src_install() { - dodir boot - insinto boot - newins .config config-"${KV_FULL}" - newins System.map System.map-"${KV_FULL}" - newins arch/x86/boot/bzImage vmlinuz-"${KV_FULL}" - - dodir usr/src/linux-"${KV_FULL}" - insinto usr/src/linux-"${KV_FULL}" - doins Module.symvers - doins System.map - exeinto usr/src/linux-"${KV_FULL}" - doexe vmlinux - - emake INSTALL_MOD_PATH="${D}" modules_install - - rm -f "${D}"lib/modules/"${KV_FULL}"/build - rm -f "${D}"lib/modules/"${KV_FULL}"/source - export local KSYMS - for KSYMS in build source ; do - dosym ../../../usr/src/linux-"${KV_FULL}" lib/modules/"${KV_FULL}"/"${KSYMS}" - done -} - -_grub2_update_grubcfg() { - if [[ -x $(which grub2-mkconfig) ]]; then - elog "Updating GRUB-2 bootloader configuration, please wait" - grub2-mkconfig -o "${ROOT}"boot/grub/grub.cfg - else - elog "It looks like you're not using GRUB-2, you must update bootloader configuration by hand" - fi -} - -_dracut_initrd_create() { - if [[ -x $(which dracut) ]]; then - elog "Generating initrd for "${KV_FULL}", please wait" - addpredict /etc/ld.so.cache~ - dracut -N -f --kver="${KV_FULL}" "${ROOT}"boot/initrd-"${KV_FULL}" - else - elog "It looks like you're not using dracut, you must generate an initrd by hand" - fi -} - -_dracut_initrd_delete() { - rm -rf "${ROOT}"boot/initrd-"${KV_FULL}" -} - -_dkms_modules_delete() { - if [[ -x $(which dkms) ]] ; then - export local DKMSMOD - for DKMSMOD in $(dkms status | cut -d " " -f1,2 | sed -e 's/,//g' | sed -e 's/ /\//g' | sed -e 's/://g') ; do - dkms remove "${DKMSMOD}" -k "${KV_FULL}" - done - fi -} - -_kernel_modules_delete() { - rm -rf "${ROOT}"lib/modules/"${KV_FULL}" -} - -pkg_postinst() { - if [ $(stat -c %d:%i /) == $(stat -c %d:%i /proc/1/root/.) ]; then - if use dracut; then - _dracut_initrd_create - fi - _grub2_update_grubcfg - fi -} - -pkg_postrm() { - if [ $(stat -c %d:%i /) == $(stat -c %d:%i /proc/1/root/.) ]; then - if use dracut; then - _dracut_initrd_delete - fi - _grub2_update_grubcfg - fi - if use dkms; then - _dkms_modules_delete - fi - _kernel_modules_delete -} -- cgit v1.2.3