From b9eef33cb7294d6fb1ea859e4ff2f669ecac94e7 Mon Sep 17 00:00:00 2001
From: Dinko Korunic
Date: Wed, 24 Feb 2010 13:19:00 +0100
Subject: [PATCH] * #10198: ExecShield wrapperi za grub, grub-probe
---
 debian/changelog | 1 +
 debian/install | 2 --
 debian/postinst | 5 +++--
 debian/postrm | 12 ------------
 debian/preinst | 29 +++++++++++++++++++----------
 grub | 26 --------------------------
 grub-probe | 1 -
 7 files changed, 23 insertions(+), 53 deletions(-)
 delete mode 100755 grub
 delete mode 120000 grub-probe
diff --git a/debian/changelog b/debian/changelog
index 7137078..77353df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ kernel-2.6-cn (3:2.6.26-6) stable; urgency=low
 * #10172: NEWS.CARNet za ExecShield, Layer7
 * #10200: debian/postinst: here-doc quoting
 * #10199: Lintian greske/upozorenja
+ * #10198: ExecShield wrapperi za grub, grub-probe
 -- Dinko Korunic Wed, 24 Feb 2010 12:12:08 +0100
diff --git a/debian/install b/debian/install
index 60485e3..07aa51a 100644
--- a/debian/install
+++ b/debian/install
@@ -1,3 +1 @@
 grub-functions.sh usr/share/kernel-2.6-cn
-grub usr/sbin
-grub-probe usr/sbin
diff --git a/debian/postinst b/debian/postinst
index 05e3d63..291078f 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -312,6 +312,7 @@ fi
 rm -f /etc/sysctl.conf.$$
 cat > /etc/sysctl.conf.$$ <<'EOF'
 kernel.maps_protect=1
+kernel.exec-shield=0
 net.core.rmem_default=1048576
 net.core.wmem_default=1048576
 net.ipv4.conf.all.accept_redirects=0
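Review bot: `kernel.exec-shield=0` in the regenerated /etc/sysctl.conf turns Exec-Shield off for every process at every boot, whereas the grub wrapper this same commit deletes only lowered it around a single grub call and restored the previous value afterwards. The changelog entry (#10198) suggests grub/grub-probe compatibility is the motive, but nothing in the here-doc records it, so an admin reading sysctl.conf later cannot tell the line is deliberate. A comment inside the here-doc, e.g. `# Exec-Shield disabled system-wide: replaces the per-call grub/grub-probe wrapper (#10198)`, would carry that; if only grub needs it, keeping the toggle local to the grub invocation would preserve the mitigation for everything else. The here-doc starts inside the hunk and closes outside it.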
@@ -332,9 +333,9 @@ net.ipv4.tcp_syncookies=1
 vm.mmap_min_addr=65536
 EOF
-# old kernel params
+# old kernel params (skipping some of the obsolete or overrided entries)
 if [ -e /etc/sysctl.conf ]; then
- egrep -v 'net\.core\.(r|w)mem_max|net\.ipv4\.tcp_(r|w)mem|vm\.bdflush|net\.ipv4\.ip_local_port_range|kernel\.rtsig-max|net\.ipv4\.tcp_syncookies|kernel\.exec-shield|net\.ipv4\.tcp_max_syn_backlog|net\.ipv4\.tcp_congestion_control' \
+ egrep -v 'net\.core\.(r|w)mem_max|net\.ipv4\.tcp_(r|w)mem|vm\.bdflush|net\.ipv4\.ip_local_port_range|kernel\.rtsig-max|net\.ipv4\.tcp_syncookies|kernel\.exec-shield|net\.ipv4\.tcp_max_syn_backlog|net\.ipv4\.tcp_congestion_control|kernel\.exec-shield' \
 /etc/sysctl.conf >> /etc/sysctl.conf.$$
 fi
diff --git a/debian/postrm b/debian/postrm
index 13374b3..5c733a3 100755
--- a/debian/postrm
+++ b/debian/postrm
@@ -47,18 +47,6 @@ echo -n " modules"
 echo "."
-################################################################################
-
-DIVERT_TO="grub grub-probe"
-
-echo -n "CN: Undiverting binaries:"
-for i in $DIVERT_TO; do
- dpkg-divert --remove --rename --package 'kernel-2.6-cn' \
- --divert /usr/sbin/$i.real /usr/sbin/$i >/dev/null
- echo -n " $i"
-done
-echo "."
-
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
diff --git a/debian/preinst b/debian/preinst
index 01a7582..b680d9a 100755
--- a/debian/preinst
+++ b/debian/preinst
@@ -19,6 +19,11 @@ case "$1" in
 ;;
 abort-upgrade)
+ # check if we have Layer7 active...
+ if iptables-save | grep -qs '^-A.* -m layer7 '; then
+ echo 'CN: Layer7 Netfilter no longer supported, report this to SysHelp!'
+ exit 1
+ fi
 ;;
 *)
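Review bot: The appended `|kernel\.exec-shield` alternative is already present in the same egrep pattern (it is the seventh alternative), so the new pattern filters exactly what the old one did and the edit to the `egrep -v` line is a no-op. Unless a different key was meant, the old pattern line can stay as it was and only the comment change be kept; while there, `overrided` in the new comment should read `overridden`. The `if` block is complete inside the hunk.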
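Review bot: The Layer7 check now sits in the `abort-upgrade)` arm, and as I read dpkg's maintainer-script sequence that argument is only passed to preinst while a failed upgrade is being unwound, so the check no longer runs on a normal `install`/`upgrade` (those arms are above the hunk, outside my view) and the `exit 1` there makes the rollback itself fail. If the intent is still to refuse the upgrade while layer7 rules are loaded, the `if iptables-save | grep -qs '^-A.* -m layer7 '; then` block belongs in the `upgrade)` (and `install)`) arm instead. The `case` statement opens before the hunk.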
@@ -35,23 +40,27 @@ fi
 ################################################################################
+SHIELD=$(sysctl -e -n kernel.exec-shield)
+
+if [ ! -z "$SHIELD" ]; then
+ sysctl -e -w kernel.exec-shield=0 >/dev/null 2>&1 || true
+ echo "CN: Disabled Exec-Shield."
+fi
+
+################################################################################
+
 DIVERT_TO="grub grub-probe"
-echo -n "CN: Diverting binaries:"
+echo -n "CN: Undiverting binaries:"
 for i in $DIVERT_TO; do
- dpkg-divert --add --rename --package 'kernel-2.6-cn' \
- --divert /usr/sbin/$i.real /usr/sbin/$i >/dev/null
+ if [ -e /usr/sbin/$i.real ]; then
+ dpkg-divert --remove --rename --package 'kernel-2.6-cn' \
+ --divert /usr/sbin/$i.real /usr/sbin/$i >/dev/null
+ fi
 echo -n " $i"
 done
 echo "."
-################################################################################
-
-if iptables-save | grep -qs '^-A.* -m layer7 '; then
- echo 'CN: Layer7 Netfilter no longer supported, report this to SysHelp!'
- exit 1
-fi
-
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
diff --git a/grub b/grub
deleted file mode 100755
index b5fbe31..0000000
--- a/grub
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-# Grub shell ExecShield wrapper
-#
-# Copyright (C) 2009 Dinko Korunic, CARNet, Grupa za izradu paketa
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.
-
-SHIELD=$(sysctl -e -n kernel.exec-shield)
-_retval=0
-
-if [ ! -z "$SHIELD" ]; then
- sysctl -e -w kernel.exec-shield=0 >/dev/null 2>&1 || true
-fi
-
-if [ -x "$0.real" ]; then
- "$0.real" $@ || _retval=$?
-fi
-
-if [ ! -z "$SHIELD" ]; then
- sysctl -e -w "kernel.exec-shield=$SHIELD" >/dev/null 2>&1 || true
-fi
-
-exit $_retval
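Review bot: `dpkg-divert --remove --rename` runs from preinst, i.e. while the previous version's wrapper is still installed at /usr/sbin/$i (the package that owns a diversion gets its own file at the undiverted path), and dpkg-divert refuses to rename `$i.real` over an existing, different `$i`, so unless I misread its overwrite check the undivert errors out here; with a `set -e` in the preamble (outside the hunk) that aborts the whole upgrade. Deleting the old wrapper first, `rm -f -- "/usr/sbin/$i"` immediately before the `dpkg-divert --remove --rename` line, lets the rename go through; the `-e /usr/sbin/$i.real` guard does not cover this case. As a style point, `[ ! -z "$SHIELD" ]` in the new Exec-Shield block reads more directly as `[ -n "$SHIELD" ]`. The script's preamble and `case` block are outside the hunk.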
diff --git a/grub-probe b/grub-probe
deleted file mode 120000
index 2c8276e..0000000
--- a/grub-probe
+++ /dev/null
@@ -1 +0,0 @@
-grub
\ No newline at end of file
--
1.7.10.4