# Maintainer: Natanael Copa _mainflavor=grsec pkgname=linux-$_mainflavor pkgver=4.1.39 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac pkgrel=0 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs" makedepends="perl sed installkernel bash gmp-dev bc linux-headers mpfr-dev mpc1-dev" options="!strip" install= source="https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz https://cdn.kernel.org/pub/linux/kernel/v4.x/patch-$pkgver.xz https://distfiles.alpinelinux.org/distfiles/grsec-4.1.39-3.1-201509201149-alpine.patch fix-spi-nor-namespace-clash.patch imx6q-no-unclocked-sleep.patch keys-fixes.patch staging-dgnc-fix-info-leak-in-ioctl.patch via-velocity-length-check.patch xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch CVE-2016-10229.patch config-grsec.x86 config-grsec.x86_64 config-grsec.armhf config-virtgrsec.x86 config-virtgrsec.x86_64 " subpackages="$pkgname-dev" _flavors= for _i in $source; do case $_i in config-*.$CARCH) _f=${_i%.$CARCH} _f=${_f#config-} _flavors="$_flavors ${_f}" if [ "linux-$_f" != "$pkgname" ]; then subpackages="$subpackages linux-${_f}" fi ;; esac done arch="x86 x86_64 armhf" license="GPL2" # secfixes: # 4.1.39-r0: # - CVE-2016-10229 prepare() { local _patch_failed= cd "$srcdir"/linux-$_kernver if [ "${pkgver%.0}" = "$pkgver" ]; then msg "Applying patch-$pkgver.xz" unxz -c < "$srcdir"/patch-$pkgver.xz | patch -p1 -N || return 1 fi # first apply patches in specified order for i in $source; do local file=${i%::*} case $file in *.patch) msg "Applying $file..." if ! patch -s -p1 -N -i "$srcdir"/${file##*/}; then echo $file >>failed _patch_failed=1 fi ;; esac done if ! [ -z "$_patch_failed" ]; then error "The following patches failed:" cat failed return 1 fi # remove localversion from patch if any rm -f localversion* for i in $_flavors; do local _config=config-$i.${CARCH} local _builddir="$srcdir"/build-$i mkdir -p "$_builddir" echo "-$pkgrel-$i" > "$srcdir"/build-$i/localversion-alpine \ || return 1 cp "$srcdir"/$_config "$_builddir"/.config || return 1 make -C "$srcdir"/linux-$_kernver \ O="$_builddir" \ HOSTCC="${CC:-gcc}" \ silentoldconfig || return 1 done } build() { export GCC_SPECS=hardenednopie.specs for i in $_flavors; do cd "$srcdir"/build-$i make CC="${CC:-gcc}" \ KBUILD_BUILD_VERSION="$((pkgrel + 1 ))-Alpine" \ || return 1 done } _package() { local _buildflavor="$1" _outdir="$2" local _abi_release=${pkgver}-${pkgrel}-${_buildflavor} cd "$srcdir"/build-$_buildflavor || return 1 mkdir -p "$_outdir"/boot "$_outdir"/lib/modules local _install case "$CARCH" in arm*) local _dtbdir="$_outdir"/usr/lib/linux-${_abi_release} mkdir -p "$_dtbdir" for i in arch/arm/boot/dts/*.dtb ; do install -m644 "$i" "$_dtbdir" done _install=zinstall ;; *) _install=install ;; esac make -j1 modules_install firmware_install $_install \ INSTALL_MOD_PATH="$_outdir" \ INSTALL_PATH="$_outdir"/boot \ || return 1 rm -f "$_outdir"/lib/modules/${_abi_release}/build \ "$_outdir"/lib/modules/${_abi_release}/source rm -rf "$_outdir"/lib/firmware install -D include/config/kernel.release \ "$_outdir"/usr/share/kernel/$_buildflavor/kernel.release } # main flavor installs in $pkgdir package() { depends="$depends linux-firmware" _package grsec "$pkgdir" } # subflavors install in $subpkgdir virtgrsec() { _package virtgrsec "$subpkgdir" } # we only provide -dev for main flavor for now dev() { local _abi_release=${pkgver}-${pkgrel}-$_mainflavor # copy the only the parts that we really need for build 3rd party # kernel modules and install those as /usr/src/linux-headers, # simlar to what ubuntu does # # this way you dont need to install the 300-400 kernel sources to # build a tiny kernel module # pkgdesc="Headers and script for third party modules for grsec kernel" depends="gmp-dev bash" local dir="$subpkgdir"/usr/src/linux-headers-${_abi_release} # first we import config, run prepare to set up for building # external modules, and create the scripts mkdir -p "$dir" cp "$srcdir"/config-grsec.${CARCH} "$dir"/.config echo "-$pkgrel-grsec" > "$dir"/localversion-alpine \ || return 1 make -j1 -C "$srcdir"/linux-$_kernver O="$dir" HOSTCC="${CC:-gcc}" \ silentoldconfig prepare modules_prepare scripts # remove the stuff that poits to real sources. we want 3rd party # modules to believe this is the soruces rm "$dir"/Makefile "$dir"/source # copy the needed stuff from real sources # # this is taken from ubuntu kernel build script # http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-jaunty.git;a=blob;f=debian/rules.d/3-binary-indep.mk;hb=HEAD cd "$srcdir"/linux-$_kernver find . -path './include/*' -prune -o -path './scripts/*' -prune \ -o -type f \( -name 'Makefile*' -o -name 'Kconfig*' \ -o -name 'Kbuild*' -o -name '*.sh' -o -name '*.pl' \ -o -name '*.lds' \) | cpio -pdm "$dir" cp -a drivers/media/dvb/dvb-core/*.h "$dir"/drivers/media/dvb/dvb-core cp -a drivers/media/video/*.h "$dir"/drivers/media/video cp -a drivers/media/dvb/frontends/*.h "$dir"/drivers/media/dvb/frontends cp -a scripts include "$dir" find $(find arch -name include -type d -print) -type f \ | cpio -pdm "$dir" install -Dm644 "$srcdir"/build-$_mainflavor/Module.symvers \ "$dir"/Module.symvers mkdir -p "$subpkgdir"/lib/modules/${_abi_release} ln -sf /usr/src/linux-headers-${_abi_release} \ "$subpkgdir"/lib/modules/${_abi_release}/build } md5sums="fe9dc0f6729f36400ea81aa41d614c37 linux-4.1.tar.xz 899a9b178d49c145de7df9712aaafefc patch-4.1.39.xz 82283070e21c043bd2b838080f77863f grsec-4.1.39-3.1-201509201149-alpine.patch b0337a2a9abed17c37eae5db332522d2 fix-spi-nor-namespace-clash.patch 1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch 04f93023c13c5cf3d9d5cbdf5c2a3ab3 keys-fixes.patch 6c48221dbad6928f2b9f6c1f521c5844 staging-dgnc-fix-info-leak-in-ioctl.patch 073d3b8947c33abf715a0e505f144a7e via-velocity-length-check.patch 7139ce0106f489a71474b2196cd70edc xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch 484f3e18e22f6b7c06dabaaf5d5ed274 xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch 0bf4e9b42ff4c7feb968ab0e5b4a8be0 xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch f57e383a744db7ea6eb64d6a9e6fd5b0 xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch 6b41c3dbec8f4897bc9014d2a1ed9e66 xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch 70ae93ddef7c9832ecde037c81009099 xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch 56607a45cf844386189a42ce432f0ce2 xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch 0d045adaa831dc6b56c8a2528a96de9b xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch a4b81926f3c77b5466de2934f989dabf xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch 8d81969d7c85cfb913e53f6cc83aba82 CVE-2016-10229.patch 8592323596689e3ef967ff96d1190d1b config-grsec.x86 81aab21a18c16cf96d0fa719564281ec config-grsec.x86_64 c4c15b3ba79bb557a67cd9356b56d7c4 config-grsec.armhf 28754e558f94f3b3e0b0fcc27c1c955f config-virtgrsec.x86 ae802ba9bdf0dfa50e7506a08bbf929d config-virtgrsec.x86_64" sha256sums="caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f linux-4.1.tar.xz 398c201891d4f7942458caab8c8af5d058c62e6a8f6058b06363fad462e83154 patch-4.1.39.xz 113346a07ed7aa5dce5dc99852a56c9deaf2c10af7be6853010e8ec645e12cc4 grsec-4.1.39-3.1-201509201149-alpine.patch 01279cfb93273d99670c56e2465957ecde3d03693beeb929a743f03afa0b7bdc fix-spi-nor-namespace-clash.patch 21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch 246119a70831c0c01aabdbb31f75d0476883cfbc172e2a749655ec569569440f keys-fixes.patch 144886917b2c5ff880c4beb11ca8743b98ea5ed49bbd10a54a98e1d76cfe23b5 staging-dgnc-fix-info-leak-in-ioctl.patch 25f174ca77217399a82e59740f60ea75db31a624578cba9ee501b5b7b7ae4cc7 via-velocity-length-check.patch 2bd18632178e09394c5cd06aded2c14bcc6b6e360ad6e81827d24860fe3e8ca4 xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch cecdeccb8e2551252c81fc5f164a8298005df714a574a7ba18b84e8ed5f2bb70 xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch 3916b847243047f0e1053233ade742c14a7f29243584e60bf5db4842a8068855 xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch 746c8eb0aeb200d76156c88dfbbd49db79f567b88b07eda70f7c7d095721f05a xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch 2e6d556d25b1cc16e71afde665ae3908f4fa8eab7e0d96283fc78400301baf92 xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch 590656d83ad7b6052b54659eccb3469658b3942c0dc1366423a66f2f5ac643e1 xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch 0cb2d1729f17e640e33f11945f2e12eba85071238fab2dcc42f81b5d942c159b xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch 7c39b33d0e2d751970bbe56f463661c50aa5e4addc8eee35b80e9e1378e97b02 xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch 1acfd6f4ea13db6a146d547640f50d0ad40480b914b021760a518ac82e8e4c71 xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch 3963632b41220998b12efb7b20a7e8811af927758d3c3698f5ac55e691b24e49 CVE-2016-10229.patch fbc303521afbecbe2dccbe9955d108af53aaaa3388f2ca0962fc93f26a535a56 config-grsec.x86 0d770dbef70ec200e9f0341f7840847c228ac5e5061401614aaa27db59922614 config-grsec.x86_64 01b4f4e7eae350d40749f34e916e69c101f2fb5b3b7c2bd1917c29b8df3c2668 config-grsec.armhf fcfeedde29606b94f79f79ceb9351bd5d018aca6a76bba04459d85e4ad94939f config-virtgrsec.x86 91bb0c7e6ad7b438daba3be79117007ecd68afb89857381034467837247edd56 config-virtgrsec.x86_64" sha512sums="168ef84a4e67619f9f53f3574e438542a5747f9b43443363cb83597fcdac9f40d201625c66e375a23226745eaada9176eb006ca023613cec089349e91751f3c0 linux-4.1.tar.xz a5ed73e8a473f8b374d9762947e79efb83a9713af08d10869997a16ab51c357cac7c96f99f942496fad1ed0589051f2a5d97c8e72f4ab15648c12c1a5d6ff1f2 patch-4.1.39.xz 6b48f1da703ba64d7e4f42f3b62d1fd6de8ea600a0e0c354a73890754c511c0bcc86a7f60cfb6168ca437e89ba7c84f596bd40d0c379ab2e1eca072f1329849b grsec-4.1.39-3.1-201509201149-alpine.patch 4e3aeb70712f9838afea75fe9e6c1389414d833a89286ea55441d6a8d54ce74b0e39b565721e3153443af0a614bff57c767251b7e5b81faa5e0784eddfcd2164 fix-spi-nor-namespace-clash.patch 87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch 8d4646d564e6beb60925724ca4cdef06ac08a4909629330f0e3c5cf1701dc82ca4bc9b809cdbf1f2229a30cc700106733cb77fea12885a44a0c4a65a1d5656d5 keys-fixes.patch 51bdf43837e0bc24771b6dd67e4f5f49ae77716a49155b2b04ca17aa84a7aea65f858733795a91d8c5c3221a77c576370c0ccc7e711c32edaa87210cf55974ec staging-dgnc-fix-info-leak-in-ioctl.patch 0be40b94b99f0fa0ab975c833e50a121e45b057c812e229a3d175a7bc8b03472eb6ab4a1273988971db89625f55b9fc4a35b7696acb21709887294fcf8a7c48d via-velocity-length-check.patch a8a0a152638f9125274f9933c90cf2459b941ac5f6b860dcba1f35179eaa8f303eb7c392da360f423534c015ffba8818fb79fdb4a7b82a65d42415a7bd2beeb2 xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch e85369cec62f0b249362930bf32e03f277cfc7d9844e5250b5fd73a22dcc09720f1920bb5c5f1063a4ee51a146fe9c8eb5f180b58a41cd833916904fdc230e90 xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch 8814d694c2196ee4c8bcf52522622c56a166e6b77b414e9298190f23ed86c1e205410d3ba257a323d008c59df25496e2161d828bc99a34d445430115769495a8 xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch a79f354c4e82c0eefc9b346215a2e993508f139095a197565aa5c56b1e0981f06c66c4796d0fd97800ac25f1ff21f6921cb25a7dd455254fb446cf6845d8e0a3 xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch 7640585542d6970d2d35d728091c770daab7ea24c4a5d61e268d27b4b4bc9742d5fa04a11cbff9ac890376397f0b39f693e433639325470f6e39cea7a283810e xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch 2c5246a7c0a8fb19b8adf70162501f0af111ad3d1816e6719ae61b28c2b11565b1bd7a82c04ab50dce1ed88ec2259de0903222976d8cdf4b17ad1e5002e101bd xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch 672508160104509406ea2a0a9a605224366876d256e6b6e8312e3f166672524cdaaa60905aa475980f55b9fa6c7c88656219f651afabfa68e38ba22375788176 xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch 09b8a301e326f97f2e6de6e98f0bf835aeaa631272224ba006ce312576e510e260807f0149855630b3449ec7d6728129f3170f8e05b9b815ca7d9a6f1cf6a75d xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch 95abf6b5d92c322fbb318d40249f8bd0303b4848f70ad42250cac0768fe86129aaf2864031febd78a0b7171a54885e0fa44e6a28994b35b8f6f04e5b5198fb6f xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch 946bb48acc7d34056426ae171f73450b58b4a1288630e77168e317e0f5cb59141a7548f79ffd4e142cdb8978387e3c1f9bd372e996f2801ae39c6d32e11d0016 CVE-2016-10229.patch 819ff2d16b5c15399de9b3c254d4ed6b7ef580a5b7cdacb209d90d35d178e93e34a5d6159b0edfab4afec9decf404901a7504f7b106c62c3dba0cdb4f0951a61 config-grsec.x86 61b2f6b1264e51548c657b337a23592d7bdf0fe730f71e9039af098dd9ebd1b2bd7dbff1811ccb36c7c50b4cfef4cf19534a1f25ef05048a404fd6a6c3120a59 config-grsec.x86_64 3be2587ca157eff3910ad1cd4dd9013c699e08d6f8fdde22458caa423f17591a7b386aad5f592f79baac4da6b32f5965483c3080c1cf2bc906fdffbe33a16bf7 config-grsec.armhf caec0c97bfd25c9cc6921addc8b39941284a38746d5b9c5f19c0f1fe679d9f4c6ee7881a2eb95a16dcfbb082486435f467d27d539405ee6094b70d13b3bf2276 config-virtgrsec.x86 3a8dbd0bdf8c1a46b6ced0b70e60bd830f46cb9752af12759b7ba8d8b041c117de1b25496f98653e65aa3828ab8644982f10807bf18ab60afaa778fde7711544 config-virtgrsec.x86_64"