You are not logged in.
Not really a request, just wanted to see if there is interest in putting this up in the AUR.
I've already created the PKGBUILD, it builds and all runs fine.
The PKGBUILD combines the following patches:
linux-hardened
Tomoyo 1.8.5 branch (CCS)
In the config I've also enabled AppArmor. Everything works as it should. The CCS branch of Tomoyo is designed to be stackable with one other LSM, in this case I've stacked it with AppArmor, and enabled Yama in the config.
All I really did is pull the commit from linux-hardened to get the sources of it and then altered it to patch for CCS, and enabled AppArmor.
One last note is that its a little difficult to get it to line up with hardened for CCS, as sometimes there isn't a hardened patch for the kernel that CCS has the patch released for, if its tracked from the OSDN commits. His last update from Christmas lined up perfectly with the 4.19.12 release of hardened though.
# Maintainer: Matthew Zilvar <mattzilvar@gmail.com>
# Contributor: Levente Polyak <anthraxx[at]archlinux[dot]org>
# Contributor: Daniel Micay <danielmicay@gmail.com>
# Contributor: Tobias Powalowski <tpowa@archlinux.org>
# Contributor: Thomas Baechler <thomas@archlinux.org>
pkgbase=linux-hardened-ccs-apparmor
_pkgver=4.19.12
_hardenedver=a
_srcname=linux-${_pkgver}
pkgver=${_pkgver}.${_hardenedver}
pkgrel=1
ccsver=1.8.5
ccskernver=4.19
_timestamp=20181225
url='https://github.com/anthraxx/linux-hardened https://tomoyo.osdn.jp https://gitlab.com/apparmor/apparmor'
arch=('x86_64')
license=('GPL2')
makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf' 'python-sphinx' 'graphviz')
options=('!strip')
source=(https://www.kernel.org/pub/linux/kernel/v4.x/linux-${_pkgver}.tar.xz
https://www.kernel.org/pub/linux/kernel/v4.x/linux-${_pkgver}.tar.sign
https://github.com/anthraxx/linux-hardened/releases/download/${pkgver}/linux-hardened-${pkgver}.patch{,.sig}
config.x86_64 # the main kernel config files
60-linux.hook # pacman hook for depmod
90-linux.hook # pacman hook for initramfs regeneration
linux.preset # standard config files for mkinitcpio ramdisk
# TOMOYO CCS patch
https://osdn.net/projects/tomoyo/downloads/49684/ccs-patch-${ccsver}-${_timestamp}.tar.gz{,.asc}
)
sha256sums=('4d81ac539d62617f5b52f25971749d8c6d3a200deee76898bb99be8492999b77'
'SKIP'
'df3b2316bfe81e702dbddccfbbd37402d592f1af80dfc90296b50ba141604b44'
'SKIP'
'c539959aa437349518e14b7a86ce6eee26ab927dfffbbe0bb67a124b4f596ab1'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
'98161b952eda87723ea68dfc3071b6c55699c0649be7f5356be5d1aaa6031f2a'
'SKIP')
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
'65EEFE022108E2B708CBFCF7F9E712E59AF5F22A' # Daniel Micay
'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak
'43C83369623D7AD3A96C2FC7425F128D0C64F52A' # Tetsuo Handa
)
_kernelname=${pkgbase#linux}
: ${_kernelname:=-hardened-ccs-apparmor}
prepare() {
cd $_srcname
msg2 "Setting version..."
sed -e "/^EXTRAVERSION =/s/=.*/= .${_hardenedver}/" -i Makefile
scripts/setlocalversion --save-scmversion
echo "-$pkgrel" > localversion.10-pkgrel
echo "$_kernelname" > localversion.20-pkgname
local src
for src in "${source[@]}"; do
src="${src%%::*}"
src="${src##*/}"
[[ $src = *.patch ]] || continue
msg2 "Applying patch $src..."
patch -Np1 < "../$src"
done
# Prepare source directory for CCS
msg2 "Preparing source directory for CCS ${ccsver} patch"
mv ../include/linux/** /${srcdir}/${_srcname}/include/linux/
mv -t /${srcdir}/${_srcname}/security/ /${srcdir}/security/ccsecurity/
# linux ccs patch for tomoyo
msg2 "Applying CCS patch for TOMOYO ${ccsver}"
patch -sp1 < ../patches/ccs-patch-${ccskernver}.diff
# load configuration
# Configure the kernel. Replace the line below with one of your choice.
#make menuconfig # CLI menu for configuration
#make nconfig # new CLI menu for configuration
#make xconfig # X-based configuration
#make oldconfig # using old config from previous kernel version
# ... or manually edit .config
msg2 "Setting config..."
cp ../config.x86_64 .config
make olddefconfig
make -s kernelrelease > ../version
msg2 "Prepared %s version %s" "$pkgbase" "$(<../version)"
}
build() {
cd $_srcname
make bzImage modules htmldocs
}
_package() {
pkgdesc="The ${pkgbase/linux/Linux} kernel and modules"
[[ $pkgbase = linux ]] && groups=(base)
depends=(coreutils linux-firmware kmod mkinitcpio)
optdepends=('crda: to set the correct wireless channels of your country'
'usbctl: deny_new_usb control'
'ccs-tools: TOMOYO Linux 1.8.x userspace tools'
'apparmor: Mandatory Access Control (MAC) using Linux Security Module (LSM)')
backup=("etc/mkinitcpio.d/$pkgbase.preset")
install=linux.install
local kernver="$(<version)"
local modulesdir="$pkgdir/usr/lib/modules/$kernver"
cd $_srcname
msg2 "Installing boot image..."
# systemd expects to find the kernel here to allow hibernation
# https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
install -Dm644 "$modulesdir/vmlinuz" "$pkgdir/boot/vmlinuz-$pkgbase"
msg2 "Installing modules..."
make INSTALL_MOD_PATH="$pkgdir/usr" modules_install
# a place for external modules,
# with version file for building modules and running depmod from hook
local extramodules="extramodules$_kernelname"
local extradir="$pkgdir/usr/lib/modules/$extramodules"
install -Dt "$extradir" -m644 ../version
ln -sr "$extradir" "$modulesdir/extramodules"
# remove build and source links
rm "$modulesdir"/{source,build}
msg2 "Installing hooks..."
# sed expression for following substitutions
local subst="
s|%PKGBASE%|$pkgbase|g
s|%KERNVER%|$kernver|g
s|%EXTRAMODULES%|$extramodules|g
"
# hack to allow specifying an initially nonexisting install file
sed "$subst" "$startdir/$install" > "$startdir/$install.pkg"
true && install=$install.pkg
# fill in mkinitcpio preset and pacman hooks
sed "$subst" ../linux.preset | install -Dm644 /dev/stdin \
"$pkgdir/etc/mkinitcpio.d/$pkgbase.preset"
sed "$subst" ../60-linux.hook | install -Dm644 /dev/stdin \
"$pkgdir/usr/share/libalpm/hooks/60-$pkgbase.hook"
sed "$subst" ../90-linux.hook | install -Dm644 /dev/stdin \
"$pkgdir/usr/share/libalpm/hooks/90-$pkgbase.hook"
msg2 "Fixing permissions..."
chmod -Rc u=rwX,go=rX "$pkgdir"
}
_package-headers() {
pkgdesc="Header files and scripts for building modules for ${pkgbase/linux/Linux} kernel"
local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
cd $_srcname
msg2 "Installing build files..."
install -Dt "$builddir" -m644 Makefile .config Module.symvers System.map vmlinux
install -Dt "$builddir/kernel" -m644 kernel/Makefile
install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
cp -t "$builddir" -a scripts
# add objtool for external module building and enabled VALIDATION_STACK option
install -Dt "$builddir/tools/objtool" tools/objtool/objtool
# add xfs and shmem for aufs building
mkdir -p "$builddir"/{fs/xfs,mm}
# ???
mkdir "$builddir/.tmp_versions"
msg2 "Installing headers..."
cp -t "$builddir" -a include
cp -t "$builddir/arch/x86" -a arch/x86/include
install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s
install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h
# http://bugs.archlinux.org/task/13146
install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h
# http://bugs.archlinux.org/task/20402
install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h
msg2 "Installing KConfig files..."
find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;
msg2 "Removing unneeded architectures..."
local arch
for arch in "$builddir"/arch/*/; do
[[ $arch = */x86/ ]] && continue
echo "Removing $(basename "$arch")"
rm -r "$arch"
done
msg2 "Removing documentation..."
rm -r "$builddir/Documentation"
msg2 "Removing broken symlinks..."
find -L "$builddir" -type l -printf 'Removing %P\n' -delete
msg2 "Removing loose objects..."
find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete
msg2 "Stripping build tools..."
local file
while read -rd '' file; do
case "$(file -bi "$file")" in
application/x-sharedlib\;*) # Libraries (.so)
strip -v $STRIP_SHARED "$file" ;;
application/x-archive\;*) # Libraries (.a)
strip -v $STRIP_STATIC "$file" ;;
application/x-executable\;*) # Binaries
strip -v $STRIP_BINARIES "$file" ;;
application/x-pie-executable\;*) # Relocatable binaries
strip -v $STRIP_SHARED "$file" ;;
esac
done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)
msg2 "Adding symlink..."
mkdir -p "$pkgdir/usr/src"
ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase-$pkgver"
msg2 "Fixing permissions..."
chmod -Rc u=rwX,go=rX "$pkgdir"
}
_package-docs() {
pkgdesc="Kernel hackers manual - HTML documentation that comes with the ${pkgbase/linux/Linux} kernel"
local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
cd $_srcname
msg2 "Installing documentation..."
mkdir -p "$builddir"
cp -t "$builddir" -a Documentation
msg2 "Removing doctrees..."
rm -r "$builddir/Documentation/output/.doctrees"
msg2 "Moving HTML docs..."
local src dst
while read -rd '' src; do
dst="$builddir/Documentation/${src#$builddir/Documentation/output/}"
mkdir -p "${dst%/*}"
mv "$src" "$dst"
rmdir -p --ignore-fail-on-non-empty "${src%/*}"
done < <(find "$builddir/Documentation/output" -type f -print0)
msg2 "Adding symlink..."
mkdir -p "$pkgdir/usr/share/doc"
ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"
msg2 "Fixing permissions..."
chmod -Rc u=rwX,go=rX "$pkgdir"
}
pkgname=("$pkgbase" "$pkgbase-headers" "$pkgbase-docs")
for _p in "${pkgname[@]}"; do
eval "package_$_p() {
$(declare -f "_package${_p#$pkgbase}")
_package${_p#$pkgbase}
}"
done
# vim:set ts=8 sts=2 sw=2 et:Offline
I went ahead and submitted it to the AUR, think I did everything ok, first time using git.
Offline