aboutsummaryrefslogtreecommitdiffstats
path: root/main/linux-grsec/APKBUILD
blob: 4279a96070e12c436aed433af810d779bae7460c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>

_mainflavor=grsec
pkgname=linux-$_mainflavor
pkgver=4.1.39
case $pkgver in
*.*.*)	_kernver=${pkgver%.*};;
*.*)	_kernver=${pkgver};;
esac
pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs"
makedepends="perl sed installkernel bash gmp-dev bc linux-headers mpfr-dev
	mpc1-dev"
options="!strip"
install=
source="https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz
	https://cdn.kernel.org/pub/linux/kernel/v4.x/patch-$pkgver.xz
	https://distfiles.alpinelinux.org/distfiles/grsec-4.1.39-3.1-201509201149-alpine.patch

	fix-spi-nor-namespace-clash.patch
	imx6q-no-unclocked-sleep.patch
	keys-fixes.patch
	staging-dgnc-fix-info-leak-in-ioctl.patch
	via-velocity-length-check.patch
	xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
	xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
	xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
	xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
	xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
	xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
	xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
	xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
	xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
	CVE-2016-10229.patch

	config-grsec.x86
	config-grsec.x86_64
	config-grsec.armhf

	config-virtgrsec.x86
	config-virtgrsec.x86_64
	"
subpackages="$pkgname-dev"
_flavors=
for _i in $source; do
	case $_i in
	config-*.$CARCH)
		_f=${_i%.$CARCH}
		_f=${_f#config-}
		_flavors="$_flavors ${_f}"
		if [ "linux-$_f" != "$pkgname" ]; then
			subpackages="$subpackages linux-${_f}"
		fi
		;;
	esac
done

arch="x86 x86_64 armhf"
license="GPL2"

# secfixes:
#   4.1.39-r0:
#   - CVE-2016-10229

prepare() {
	local _patch_failed=
	cd "$srcdir"/linux-$_kernver
	if [ "${pkgver%.0}" = "$pkgver" ]; then
		msg "Applying patch-$pkgver.xz"
		unxz -c < "$srcdir"/patch-$pkgver.xz | patch -p1 -N || return 1
	fi

	# first apply patches in specified order
	for i in $source; do
		local file=${i%::*}
		case $file in
		*.patch)
			msg "Applying $file..."
			if ! patch -s -p1 -N -i "$srcdir"/${file##*/}; then
				echo $file >>failed
				_patch_failed=1
			fi
			;;
		esac
	done

	if ! [ -z "$_patch_failed" ]; then
		error "The following patches failed:"
		cat failed
		return 1
	fi

	# remove localversion from patch if any
	rm -f localversion*

	for i in $_flavors; do
		local _config=config-$i.${CARCH}
		local _builddir="$srcdir"/build-$i
		mkdir -p "$_builddir"
		echo "-$pkgrel-$i" > "$srcdir"/build-$i/localversion-alpine \
			|| return 1

		cp "$srcdir"/$_config "$_builddir"/.config || return 1
		make -C "$srcdir"/linux-$_kernver \
			O="$_builddir" \
			HOSTCC="${CC:-gcc}" \
			silentoldconfig || return 1
	done
}

build() {
	export GCC_SPECS=hardenednopie.specs
	for i in $_flavors; do
		cd "$srcdir"/build-$i
		make CC="${CC:-gcc}" \
			KBUILD_BUILD_VERSION="$((pkgrel + 1 ))-Alpine" \
			|| return 1
	done
}

_package() {
	local _buildflavor="$1" _outdir="$2"
	local _abi_release=${pkgver}-${pkgrel}-${_buildflavor}

	cd "$srcdir"/build-$_buildflavor || return 1

	mkdir -p "$_outdir"/boot "$_outdir"/lib/modules

	local _install
	case "$CARCH" in
	arm*)
		local _dtbdir="$_outdir"/usr/lib/linux-${_abi_release}
		mkdir -p "$_dtbdir"
		for i in arch/arm/boot/dts/*.dtb ; do
			install -m644 "$i" "$_dtbdir"
		done

		_install=zinstall
		;;
	*)
		_install=install
		;;
	esac

	make -j1 modules_install firmware_install $_install \
		INSTALL_MOD_PATH="$_outdir" \
		INSTALL_PATH="$_outdir"/boot \
		|| return 1

	rm -f "$_outdir"/lib/modules/${_abi_release}/build \
		"$_outdir"/lib/modules/${_abi_release}/source
	rm -rf "$_outdir"/lib/firmware

	install -D include/config/kernel.release \
		"$_outdir"/usr/share/kernel/$_buildflavor/kernel.release
}

# main flavor installs in $pkgdir
package() {
	depends="$depends linux-firmware"
	_package grsec "$pkgdir"
}

# subflavors install in $subpkgdir
virtgrsec() {
	_package virtgrsec "$subpkgdir"
}

# we only provide -dev for main flavor for now
dev() {
	local _abi_release=${pkgver}-${pkgrel}-$_mainflavor
	# copy the only the parts that we really need for build 3rd party
	# kernel modules and install those as /usr/src/linux-headers,
	# simlar to what ubuntu does
	#
	# this way you dont need to install the 300-400 kernel sources to
	# build a tiny kernel module
	#
	pkgdesc="Headers and script for third party modules for grsec kernel"
	depends="gmp-dev bash"
	local dir="$subpkgdir"/usr/src/linux-headers-${_abi_release}

	# first we import config, run prepare to set up for building
	# external modules, and create the scripts
	mkdir -p "$dir"
	cp "$srcdir"/config-grsec.${CARCH} "$dir"/.config
	echo "-$pkgrel-grsec" > "$dir"/localversion-alpine \
		|| return 1
	make -j1 -C "$srcdir"/linux-$_kernver O="$dir" HOSTCC="${CC:-gcc}" \
		silentoldconfig prepare modules_prepare scripts

	# remove the stuff that poits to real sources. we want 3rd party
	# modules to believe this is the soruces
	rm "$dir"/Makefile "$dir"/source

	# copy the needed stuff from real sources
	#
	# this is taken from ubuntu kernel build script
	# http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-jaunty.git;a=blob;f=debian/rules.d/3-binary-indep.mk;hb=HEAD
	cd "$srcdir"/linux-$_kernver
	find . -path './include/*' -prune -o -path './scripts/*' -prune \
		-o -type f \( -name 'Makefile*' -o -name 'Kconfig*' \
		-o -name 'Kbuild*' -o -name '*.sh' -o -name '*.pl' \
		-o -name '*.lds' \) | cpio -pdm "$dir"
	cp -a drivers/media/dvb/dvb-core/*.h "$dir"/drivers/media/dvb/dvb-core
	cp -a drivers/media/video/*.h "$dir"/drivers/media/video
	cp -a drivers/media/dvb/frontends/*.h "$dir"/drivers/media/dvb/frontends
	cp -a scripts include "$dir"
	find $(find arch -name include -type d -print) -type f \
		| cpio -pdm "$dir"

	install -Dm644 "$srcdir"/build-$_mainflavor/Module.symvers \
		"$dir"/Module.symvers

	mkdir -p "$subpkgdir"/lib/modules/${_abi_release}
	ln -sf /usr/src/linux-headers-${_abi_release} \
		"$subpkgdir"/lib/modules/${_abi_release}/build
}

md5sums="fe9dc0f6729f36400ea81aa41d614c37  linux-4.1.tar.xz
899a9b178d49c145de7df9712aaafefc  patch-4.1.39.xz
82283070e21c043bd2b838080f77863f  grsec-4.1.39-3.1-201509201149-alpine.patch
b0337a2a9abed17c37eae5db332522d2  fix-spi-nor-namespace-clash.patch
1a307fc1d63231bf01d22493a4f14378  imx6q-no-unclocked-sleep.patch
04f93023c13c5cf3d9d5cbdf5c2a3ab3  keys-fixes.patch
6c48221dbad6928f2b9f6c1f521c5844  staging-dgnc-fix-info-leak-in-ioctl.patch
073d3b8947c33abf715a0e505f144a7e  via-velocity-length-check.patch
7139ce0106f489a71474b2196cd70edc  xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
484f3e18e22f6b7c06dabaaf5d5ed274  xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
0bf4e9b42ff4c7feb968ab0e5b4a8be0  xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
f57e383a744db7ea6eb64d6a9e6fd5b0  xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
6b41c3dbec8f4897bc9014d2a1ed9e66  xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
70ae93ddef7c9832ecde037c81009099  xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
56607a45cf844386189a42ce432f0ce2  xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
0d045adaa831dc6b56c8a2528a96de9b  xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
a4b81926f3c77b5466de2934f989dabf  xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
8d81969d7c85cfb913e53f6cc83aba82  CVE-2016-10229.patch
8592323596689e3ef967ff96d1190d1b  config-grsec.x86
81aab21a18c16cf96d0fa719564281ec  config-grsec.x86_64
c4c15b3ba79bb557a67cd9356b56d7c4  config-grsec.armhf
28754e558f94f3b3e0b0fcc27c1c955f  config-virtgrsec.x86
ae802ba9bdf0dfa50e7506a08bbf929d  config-virtgrsec.x86_64"
sha256sums="caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f  linux-4.1.tar.xz
398c201891d4f7942458caab8c8af5d058c62e6a8f6058b06363fad462e83154  patch-4.1.39.xz
113346a07ed7aa5dce5dc99852a56c9deaf2c10af7be6853010e8ec645e12cc4  grsec-4.1.39-3.1-201509201149-alpine.patch
01279cfb93273d99670c56e2465957ecde3d03693beeb929a743f03afa0b7bdc  fix-spi-nor-namespace-clash.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3  imx6q-no-unclocked-sleep.patch
246119a70831c0c01aabdbb31f75d0476883cfbc172e2a749655ec569569440f  keys-fixes.patch
144886917b2c5ff880c4beb11ca8743b98ea5ed49bbd10a54a98e1d76cfe23b5  staging-dgnc-fix-info-leak-in-ioctl.patch
25f174ca77217399a82e59740f60ea75db31a624578cba9ee501b5b7b7ae4cc7  via-velocity-length-check.patch
2bd18632178e09394c5cd06aded2c14bcc6b6e360ad6e81827d24860fe3e8ca4  xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
cecdeccb8e2551252c81fc5f164a8298005df714a574a7ba18b84e8ed5f2bb70  xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
3916b847243047f0e1053233ade742c14a7f29243584e60bf5db4842a8068855  xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
746c8eb0aeb200d76156c88dfbbd49db79f567b88b07eda70f7c7d095721f05a  xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
2e6d556d25b1cc16e71afde665ae3908f4fa8eab7e0d96283fc78400301baf92  xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
590656d83ad7b6052b54659eccb3469658b3942c0dc1366423a66f2f5ac643e1  xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
0cb2d1729f17e640e33f11945f2e12eba85071238fab2dcc42f81b5d942c159b  xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
7c39b33d0e2d751970bbe56f463661c50aa5e4addc8eee35b80e9e1378e97b02  xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
1acfd6f4ea13db6a146d547640f50d0ad40480b914b021760a518ac82e8e4c71  xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
3963632b41220998b12efb7b20a7e8811af927758d3c3698f5ac55e691b24e49  CVE-2016-10229.patch
fbc303521afbecbe2dccbe9955d108af53aaaa3388f2ca0962fc93f26a535a56  config-grsec.x86
0d770dbef70ec200e9f0341f7840847c228ac5e5061401614aaa27db59922614  config-grsec.x86_64
01b4f4e7eae350d40749f34e916e69c101f2fb5b3b7c2bd1917c29b8df3c2668  config-grsec.armhf
fcfeedde29606b94f79f79ceb9351bd5d018aca6a76bba04459d85e4ad94939f  config-virtgrsec.x86
91bb0c7e6ad7b438daba3be79117007ecd68afb89857381034467837247edd56  config-virtgrsec.x86_64"
sha512sums="168ef84a4e67619f9f53f3574e438542a5747f9b43443363cb83597fcdac9f40d201625c66e375a23226745eaada9176eb006ca023613cec089349e91751f3c0  linux-4.1.tar.xz
a5ed73e8a473f8b374d9762947e79efb83a9713af08d10869997a16ab51c357cac7c96f99f942496fad1ed0589051f2a5d97c8e72f4ab15648c12c1a5d6ff1f2  patch-4.1.39.xz
6b48f1da703ba64d7e4f42f3b62d1fd6de8ea600a0e0c354a73890754c511c0bcc86a7f60cfb6168ca437e89ba7c84f596bd40d0c379ab2e1eca072f1329849b  grsec-4.1.39-3.1-201509201149-alpine.patch
4e3aeb70712f9838afea75fe9e6c1389414d833a89286ea55441d6a8d54ce74b0e39b565721e3153443af0a614bff57c767251b7e5b81faa5e0784eddfcd2164  fix-spi-nor-namespace-clash.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221  imx6q-no-unclocked-sleep.patch
8d4646d564e6beb60925724ca4cdef06ac08a4909629330f0e3c5cf1701dc82ca4bc9b809cdbf1f2229a30cc700106733cb77fea12885a44a0c4a65a1d5656d5  keys-fixes.patch
51bdf43837e0bc24771b6dd67e4f5f49ae77716a49155b2b04ca17aa84a7aea65f858733795a91d8c5c3221a77c576370c0ccc7e711c32edaa87210cf55974ec  staging-dgnc-fix-info-leak-in-ioctl.patch
0be40b94b99f0fa0ab975c833e50a121e45b057c812e229a3d175a7bc8b03472eb6ab4a1273988971db89625f55b9fc4a35b7696acb21709887294fcf8a7c48d  via-velocity-length-check.patch
a8a0a152638f9125274f9933c90cf2459b941ac5f6b860dcba1f35179eaa8f303eb7c392da360f423534c015ffba8818fb79fdb4a7b82a65d42415a7bd2beeb2  xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
e85369cec62f0b249362930bf32e03f277cfc7d9844e5250b5fd73a22dcc09720f1920bb5c5f1063a4ee51a146fe9c8eb5f180b58a41cd833916904fdc230e90  xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
8814d694c2196ee4c8bcf52522622c56a166e6b77b414e9298190f23ed86c1e205410d3ba257a323d008c59df25496e2161d828bc99a34d445430115769495a8  xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
a79f354c4e82c0eefc9b346215a2e993508f139095a197565aa5c56b1e0981f06c66c4796d0fd97800ac25f1ff21f6921cb25a7dd455254fb446cf6845d8e0a3  xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
7640585542d6970d2d35d728091c770daab7ea24c4a5d61e268d27b4b4bc9742d5fa04a11cbff9ac890376397f0b39f693e433639325470f6e39cea7a283810e  xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
2c5246a7c0a8fb19b8adf70162501f0af111ad3d1816e6719ae61b28c2b11565b1bd7a82c04ab50dce1ed88ec2259de0903222976d8cdf4b17ad1e5002e101bd  xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
672508160104509406ea2a0a9a605224366876d256e6b6e8312e3f166672524cdaaa60905aa475980f55b9fa6c7c88656219f651afabfa68e38ba22375788176  xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
09b8a301e326f97f2e6de6e98f0bf835aeaa631272224ba006ce312576e510e260807f0149855630b3449ec7d6728129f3170f8e05b9b815ca7d9a6f1cf6a75d  xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
95abf6b5d92c322fbb318d40249f8bd0303b4848f70ad42250cac0768fe86129aaf2864031febd78a0b7171a54885e0fa44e6a28994b35b8f6f04e5b5198fb6f  xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
946bb48acc7d34056426ae171f73450b58b4a1288630e77168e317e0f5cb59141a7548f79ffd4e142cdb8978387e3c1f9bd372e996f2801ae39c6d32e11d0016  CVE-2016-10229.patch
819ff2d16b5c15399de9b3c254d4ed6b7ef580a5b7cdacb209d90d35d178e93e34a5d6159b0edfab4afec9decf404901a7504f7b106c62c3dba0cdb4f0951a61  config-grsec.x86
61b2f6b1264e51548c657b337a23592d7bdf0fe730f71e9039af098dd9ebd1b2bd7dbff1811ccb36c7c50b4cfef4cf19534a1f25ef05048a404fd6a6c3120a59  config-grsec.x86_64
3be2587ca157eff3910ad1cd4dd9013c699e08d6f8fdde22458caa423f17591a7b386aad5f592f79baac4da6b32f5965483c3080c1cf2bc906fdffbe33a16bf7  config-grsec.armhf
caec0c97bfd25c9cc6921addc8b39941284a38746d5b9c5f19c0f1fe679d9f4c6ee7881a2eb95a16dcfbb082486435f467d27d539405ee6094b70d13b3bf2276  config-virtgrsec.x86
3a8dbd0bdf8c1a46b6ced0b70e60bd830f46cb9752af12759b7ba8d8b041c117de1b25496f98653e65aa3828ab8644982f10807bf18ab60afaa778fde7711544  config-virtgrsec.x86_64"