-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathpostinst
91 lines (77 loc) · 2.74 KB
/
postinst
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#!/bin/sh
# postinst script for securedrop-workstation-grsec
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package
# When updating the kernel version, also check that the u2mfn version matches:
# https://github.com/QubesOS/qubes-linux-utils/blob/release4.0/version
GRSEC_VERSION='4.14.241-grsec-workstation'
U2MFN_VERSION="4.0.34"
# Sets default grub boot parameter to the kernel version specified
# by $GRSEC_VERSION. The debian buster default kernel is 4.19, thus
# supersedes this 4.14.x series grsecurity kernel at boot-time
set_grub_default() {
GRUB_OPT="'Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux $GRSEC_VERSION'"
perl -pi -e "s|^GRUB_DEFAULT=.*|GRUB_DEFAULT=$GRUB_OPT|" /etc/default/grub
}
# Ensure the paxctld daemon is running
start_paxctld() {
paxctld_config='/etc/paxctld.conf'
if [ -f "$paxctld_config" ]; then
systemctl enable paxctld
systemctl restart paxctld
# Wait just a moment while flag are re-applied
sleep 1
fi
}
# Checks that the u2mfn kernel module was successfully built via dkms.
verify_u2mfn_exists() {
ko_filepath="/usr/lib/modules/${GRSEC_VERSION}/updates/dkms/u2mfn.ko"
if ! test -f "$ko_filepath"; then
return 1
fi
}
# For reasons unknown, u2mfn may be missing. If not found, try to rebuild it,
# otherwise we'll fail and require admin intervention.
ensure_u2mfn_exists() {
if ! verify_u2mfn_exists ; then
dkms remove u2mfn -v "$U2MFN_VERSION" -k "$GRSEC_VERSION" || true
dkms autoinstall -k "$GRSEC_VERSION"
if ! verify_u2mfn_exists ; then
echo "ERROR: u2mfn kernel object is missing: $ko_filepath"
exit 1
fi
fi
}
case "$1" in
configure)
# Ensure pax flags are set prior to running grub
start_paxctld
# Rebuild u2mfn kernel module if missing
ensure_u2mfn_exists
# Force latest hardened kernel for next boot
set_grub_default
update-grub
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0