* #10172: NEWS.CARNet za ExecShield, Layer7
* #10200: debian/postinst: here-doc quoting
* #10199: Lintian greske/upozorenja
+ * #10198: ExecShield wrapperi za grub, grub-probe
-- Dinko Korunic <kreator@carnet.hr> Wed, 24 Feb 2010 12:12:08 +0100
grub-functions.sh usr/share/kernel-2.6-cn
-grub usr/sbin
-grub-probe usr/sbin
rm -f /etc/sysctl.conf.$$
cat > /etc/sysctl.conf.$$ <<'EOF'
kernel.maps_protect=1
+kernel.exec-shield=0
net.core.rmem_default=1048576
net.core.wmem_default=1048576
net.ipv4.conf.all.accept_redirects=0
vm.mmap_min_addr=65536
EOF
-# old kernel params
+# old kernel params (skipping some of the obsolete or overrided entries)
if [ -e /etc/sysctl.conf ]; then
- egrep -v 'net\.core\.(r|w)mem_max|net\.ipv4\.tcp_(r|w)mem|vm\.bdflush|net\.ipv4\.ip_local_port_range|kernel\.rtsig-max|net\.ipv4\.tcp_syncookies|kernel\.exec-shield|net\.ipv4\.tcp_max_syn_backlog|net\.ipv4\.tcp_congestion_control' \
+ egrep -v 'net\.core\.(r|w)mem_max|net\.ipv4\.tcp_(r|w)mem|vm\.bdflush|net\.ipv4\.ip_local_port_range|kernel\.rtsig-max|net\.ipv4\.tcp_syncookies|kernel\.exec-shield|net\.ipv4\.tcp_max_syn_backlog|net\.ipv4\.tcp_congestion_control|kernel\.exec-shield' \
/etc/sysctl.conf >> /etc/sysctl.conf.$$
fi
echo "."
-################################################################################
-
-DIVERT_TO="grub grub-probe"
-
-echo -n "CN: Undiverting binaries:"
-for i in $DIVERT_TO; do
- dpkg-divert --remove --rename --package 'kernel-2.6-cn' \
- --divert /usr/sbin/$i.real /usr/sbin/$i >/dev/null
- echo -n " $i"
-done
-echo "."
-
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
;;
abort-upgrade)
+ # check if we have Layer7 active...
+ if iptables-save | grep -qs '^-A.* -m layer7 '; then
+ echo 'CN: Layer7 Netfilter no longer supported, report this to SysHelp!'
+ exit 1
+ fi
;;
*)
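Review bot: The alternative appended at the end of the egrep -v pattern, `|kernel\.exec-shield`, is a duplicate — the same alternative already sits between `tcp_syncookies` and `tcp_max_syn_backlog` in both the old and the new line, so the change is a no-op and the trailing copy should be dropped. The filter is also unanchored, so it drops any line of /etc/sysctl.conf that merely contains one of these key names (comments included), and because egrep returns 1 when it selects no lines, a sysctl.conf consisting only of filtered keys makes that command fail; if this postinst runs under `set -e` (not visible in this chunk) that aborts configuration, so either append `|| true` to the egrep or check its status explicitly. Since the new `kernel.exec-shield=0` line in the here-doc turns off a system-wide hardening feature, a comment directly above it such as `# Exec-Shield disabled system-wide: incompatible with grub (see NEWS.CARNet)` would record the reason next to the setting. The Layer7 check added to the abort-upgrade arm exits 1 from postinst, which leaves the package unconfigured after an already-failed upgrade; that may be intended, but it deserves a one-line comment. The enclosing case statement begins and ends outside the hunk.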
################################################################################
+SHIELD=$(sysctl -e -n kernel.exec-shield)
+
+if [ ! -z "$SHIELD" ]; then
+ sysctl -e -w kernel.exec-shield=0 >/dev/null 2>&1 || true
+ echo "CN: Disabled Exec-Shield."
+fi
+
+################################################################################
+
DIVERT_TO="grub grub-probe"
-echo -n "CN: Diverting binaries:"
+echo -n "CN: Undiverting binaries:"
for i in $DIVERT_TO; do
- dpkg-divert --add --rename --package 'kernel-2.6-cn' \
- --divert /usr/sbin/$i.real /usr/sbin/$i >/dev/null
+ if [ -e /usr/sbin/$i.real ]; then
+ dpkg-divert --remove --rename --package 'kernel-2.6-cn' \
+ --divert /usr/sbin/$i.real /usr/sbin/$i >/dev/null
+ fi
echo -n " $i"
done
echo "."
-################################################################################
-
-if iptables-save | grep -qs '^-A.* -m layer7 '; then
- echo 'CN: Layer7 Netfilter no longer supported, report this to SysHelp!'
- exit 1
-fi
-
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
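Review bot: `SHIELD` is captured at the top of the hunk but its value is never used — the body only tests it for non-emptiness before forcing `kernel.exec-shield=0`, and unlike the wrapper script this commit deletes (which restored the saved value after running the real binary), nothing in prerm restores it. On `prerm remove` that leaves Exec-Shield disabled on a system the package has just been removed from, and the persistent `=0` written by postinst into /etc/sysctl.conf is not reverted here either; if the runtime change is only meant to let the undivert step run, restore it after the loop with `sysctl -e -w "kernel.exec-shield=$SHIELD" >/dev/null 2>&1 || true`, otherwise state in a comment that leaving it off is deliberate. The new `[ -e /usr/sbin/$i.real ]` guard keys the undivert on the presence of the renamed file rather than on the registered diversion, so a diversion whose `.real` file is missing stays registered after removal; querying `dpkg-divert --list` would decide this on the diversion itself, though its output format should be checked before matching on it. Minor style: `[ ! -z "$SHIELD" ]` reads more directly as `[ -n "$SHIELD" ]`. The case arm this code belongs to starts before the hunk and the script continues past it.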
+++ /dev/null
-#!/bin/sh
-# Grub shell ExecShield wrapper
-#
-# Copyright (C) 2009 Dinko Korunic, CARNet, Grupa za izradu paketa
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.
-
-SHIELD=$(sysctl -e -n kernel.exec-shield)
-_retval=0
-
-if [ ! -z "$SHIELD" ]; then
- sysctl -e -w kernel.exec-shield=0 >/dev/null 2>&1 || true
-fi
-
-if [ -x "$0.real" ]; then
- "$0.real" $@ || _retval=$?
-fi
-
-if [ ! -z "$SHIELD" ]; then
- sysctl -e -w "kernel.exec-shield=$SHIELD" >/dev/null 2>&1 || true
-fi
-
-exit $_retval
+++ /dev/null
-grub
\ No newline at end of file