kernel-builder/debian/securedrop-grsec/DEBIAN/postinst at 230db7d60a8e05cdeabf3cf04be8fa19c3632ad8 · freedomofpress/kernel-builder · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#!/bin/bash
# postinst script for securedrop-grsec
#
# see: dh_installdeb(1)
set -e
set -x
# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# Pin current version of custom kernel
GRSEC_VERSION="#DEB_VERSION_UPSTREAM#"

# Sets default grub boot parameter to the kernel version specified
# by $GRSEC_VERSION.
set_grub_default() {
    GRUB_OPT="'Advanced options for Ubuntu>Ubuntu, with Linux $GRSEC_VERSION'"
    perl -pi -e "s|^GRUB_DEFAULT=.*|GRUB_DEFAULT=$GRUB_OPT|" /etc/default/grub

    # When using CONFIG_PAX_KERNEXEC, the grsecurity team recommends the kernel
    # is booted with "noefi" on the kernel command line if "CONFIG_EFI" is
    # enabled, as EFI runtime services are necessarily mapped as RWX.
    # 'nomodeset' is added to work around issues with Mac Mini graphics support
    sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/s/=.*/=\"noefi nomodeset ipv6\.disable=1 quiet\"/' /etc/default/grub
    update-grub
}

# Ensure the paxctld daemon is running
start_paxctld() {
    cp -v /opt/securedrop/paxctld.conf /etc/paxctld.conf
    systemctl enable paxctld
    systemctl restart paxctld
    # Wait just a moment while flags are re-applied
    sleep 1
}

cleanup_sysctld() {
    # Remove settings previously set by ansible that are now set via
    # our sysctl.d/30-securedrop.conf file
    if [[ -f /etc/sysctld.conf ]]; then
        sed -i '/^vm\.heap_stack_gap/d' /etc/sysctld.conf
        sed -i '/^net\.ipv4\./d' /etc/sysctld.conf
    fi
}

case "$1" in
    configure)
    # Configure paxctld, required before update-grub runs
    start_paxctld
    # Ensure latest grsec kernel is used on every boot.
    set_grub_default
    # Remove sysctld configuration
    cleanup_sysctld
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

exit 0