diff --git a/.etckeeper b/.etckeeper
index 72ff53e..cc5bf28 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -36,8 +36,6 @@ mkdir -p './incron.d'
 mkdir -p './java/security/security.d'
 mkdir -p './jvm'
 mkdir -p './jvm-commmon'
-mkdir -p './kernel/postinst.d'
-mkdir -p './kernel/prerm.d'
 mkdir -p './keyutils'
 mkdir -p './letsencrypt/renewal-hooks/deploy'
 mkdir -p './letsencrypt/renewal-hooks/post'
@@ -482,6 +480,11 @@ maybe chmod 0750 'dhcp'
 maybe chmod 0644 'dhcp/dhclient.conf'
 maybe chmod 0755 'dhcp/dhclient.d'
 maybe chmod 0755 'dhcp/dhclient.d/chrony.sh'
+maybe chmod 0755 'dkms'
+maybe chmod 0644 'dkms/framework.conf'
+maybe chmod 0755 'dkms/sign_helper.sh'
+maybe chmod 0644 'dkms/template-dkms-mkrpm.spec'
+maybe chmod 0644 'dkms/template-dkms-redhat-kmod.spec'
 maybe chmod 0755 'dnf'
 maybe chmod 0755 'dnf/aliases.d'
 maybe chmod 0644 'dnf/dnf.conf'
@@ -990,8 +993,11 @@ maybe chmod 0755 'kernel'
 maybe chmod 0755 'kernel/install.d'
 maybe chmod 0644 'kernel/install.d/20-grubby.install'
 maybe chmod 0644 'kernel/install.d/90-loaderentry.install'
+maybe chmod 0755 'kernel/install.d/dkms'
 maybe chmod 0755 'kernel/postinst.d'
+maybe chmod 0755 'kernel/postinst.d/dkms'
 maybe chmod 0755 'kernel/prerm.d'
+maybe chmod 0755 'kernel/prerm.d/dkms'
 maybe chmod 0755 'keyutils'
 maybe chmod 0644 'krb5.conf'
 maybe chmod 0755 'krb5.conf.d'
@@ -4470,6 +4476,7 @@ maybe chmod 0755 'qemu-kvm'
 maybe chmod 0755 'rc.d'
 maybe chmod 0755 'rc.d/init.d'
 maybe chmod 0644 'rc.d/init.d/README'
+maybe chmod 0755 'rc.d/init.d/bestcrypt'
 maybe chmod 0644 'rc.d/init.d/functions'
 maybe chmod 0755 'rc.d/init.d/network'
 maybe chmod 0755 'rc.d/init.d/rundeckd'
@@ -5033,6 +5040,7 @@ maybe chmod 0644 'udev/rules.d/70-persistent-ipoib.rules'
 maybe chmod 0644 'udev/rules.d/70-snap.snapd.rules'
 maybe chmod 0644 'udev/rules.d/75-cd-aliases-generator.rules'
 maybe chmod 0644 'udev/rules.d/75-persistent-net-generator.rules'
+maybe chmod 0644 'udev/rules.d/90-bcrypt-device-permissions.rules'
 maybe chmod 0644 'udev/udev.conf'
 maybe chmod 0755 'unbound'
 maybe chmod 0644 'unbound/icannbundle.pem'
diff --git a/dkms/framework.conf b/dkms/framework.conf
new file mode 100644
index 0000000..896ee93
--- /dev/null
+++ b/dkms/framework.conf
@@ -0,0 +1,32 @@
+## This configuration file modifies the behavior of
+## DKMS (Dynamic Kernel Module Support) and is sourced
+## in by DKMS every time it is run.
+
+## Source Tree Location (default: /usr/src)
+# source_tree="/usr/src"
+
+## DKMS Tree Location (default: /var/lib/dkms)
+# dkms_tree="/var/lib/dkms"
+
+## Install Tree Location (default: /lib/modules)
+# install_tree="/lib/modules"
+
+## tmp Location (default: /tmp)
+# tmp_location="/tmp"
+
+## verbosity setting (verbose will be active if you set it to a non-null value)
+# verbose=""
+
+## symlink kernel modules (will be active if you set it to a non-null value)
+## This creates symlinks from the install_tree into the dkms_tree instead of
+## copying the modules. This preserves some space on the costs of being less
+## safe.
+# symlink_modules=""
+
+## Automatic installation and upgrade for all installed kernels (if set to a
+## non-null value)
+# autoinstall_all_kernels=""
+
+## Script to sign modules during build, script is called with kernel version
+## and module name
+# sign_tool="/etc/dkms/sign_helper.sh"
diff --git a/dkms/sign_helper.sh b/dkms/sign_helper.sh
new file mode 100755
index 0000000..441661e
--- /dev/null
+++ b/dkms/sign_helper.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+/lib/modules/"$1"/build/scripts/sign-file sha512 /root/dkms.key /root/dkms.der "$2"
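Review bot: In dkms/sign_helper.sh the signing key and certificate are hard-coded as `/root/dkms.key` and `/root/dkms.der`, and nothing in the script checks or documents that the key must exist and be readable by root only. Anyone able to read that key can sign modules that will be accepted wherever the matching certificate is trusted, so I would add a header comment such as `# Requires /root/dkms.key (root-owned, mode 0600) and its certificate /root/dkms.der` and keep the key out of backups and out of this repository. Note also that `# sign_tool="/etc/dkms/sign_helper.sh"` is still commented out in dkms/framework.conf in this same commit, so as committed nothing appears to invoke the helper; confirm whether signing is meant to be enabled.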
diff --git a/dkms/template-dkms-mkrpm.spec b/dkms/template-dkms-mkrpm.spec
new file mode 100644
index 0000000..a5f1f8b
--- /dev/null
+++ b/dkms/template-dkms-mkrpm.spec
@@ -0,0 +1,82 @@
+%{?!module_name: %{error: You did not specify a module name (%%module_name)}}
+%{?!version: %{error: You did not specify a module version (%%version)}}
+%{?!kernel_versions: %{error: You did not specify kernel versions (%%kernel_version)}}
+%{?!packager: %define packager DKMS }
+%{?!license: %define license Unknown}
+%{?!_dkmsdir: %define _dkmsdir /var/lib/dkms}
+%{?!_srcdir: %define _srcdir %_prefix/src}
+%{?!_datarootdir: %define _datarootdir %{_datadir}}
+
+Summary: %{module_name} %{version} dkms package
+Name: %{module_name}
+Version: %{version}
+License: %license
+Release: 1dkms
+BuildArch: noarch
+Group: System/Kernel
+Requires: dkms >= 1.95
+BuildRequires: dkms
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root/
+
+%description
+Kernel modules for %{module_name} %{version} in a DKMS wrapper.
+
+%prep
+if [ "%mktarball_line" != "none" ]; then
+ /usr/sbin/dkms mktarball -m %module_name -v %version %mktarball_line --archive `basename %{module_name}-%{version}.dkms.tar.gz`
+ cp -af %{_dkmsdir}/%{module_name}/%{version}/tarball/`basename %{module_name}-%{version}.dkms.tar.gz` %{module_name}-%{version}.dkms.tar.gz
+fi
+
+%install
+if [ "$RPM_BUILD_ROOT" != "/" ]; then
+ rm -rf $RPM_BUILD_ROOT
+fi
+mkdir -p $RPM_BUILD_ROOT/%{_srcdir}
+mkdir -p $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}
+
+if [ -d %{_sourcedir}/%{module_name}-%{version} ]; then
+ cp -Lpr %{_sourcedir}/%{module_name}-%{version} $RPM_BUILD_ROOT/%{_srcdir}
+fi
+
+if [ -f %{module_name}-%{version}.dkms.tar.gz ]; then
+ install -m 644 %{module_name}-%{version}.dkms.tar.gz $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}
+fi
+
+if [ -f %{_sourcedir}/common.postinst ]; then
+ install -m 755 %{_sourcedir}/common.postinst $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}/postinst
+fi
+
+%clean
+if [ "$RPM_BUILD_ROOT" != "/" ]; then
+ rm -rf $RPM_BUILD_ROOT
+fi
+
+%post
+for POSTINST in %{_prefix}/lib/dkms/common.postinst %{_datarootdir}/%{module_name}/postinst; do
+ if [ -f $POSTINST ]; then
+ $POSTINST %{module_name} %{version} %{_datarootdir}/%{module_name}
+ exit $?
+ fi
+ echo "WARNING: $POSTINST does not exist."
+done
+echo -e "ERROR: DKMS version is too old and %{module_name} was not"
+echo -e "built with legacy DKMS support."
+echo -e "You must either rebuild %{module_name} with legacy postinst"
+echo -e "support or upgrade DKMS to a more current version."
+exit 1
+
+%preun
+echo -e
+echo -e "Uninstall of %{module_name} module (version %{version}) beginning:"
+dkms remove -m %{module_name} -v %{version} --all --rpm_safe_upgrade
+exit 0
+
+%files
+%defattr(-,root,root)
+%{_srcdir}
+%{_datarootdir}/%{module_name}/
+
+%changelog
+* %(date "+%a %b %d %Y") %packager %{version}-%{release}
+- Automatic build by DKMS
+
diff --git a/dkms/template-dkms-redhat-kmod.spec b/dkms/template-dkms-redhat-kmod.spec
new file mode 100644
index 0000000..4ea87fa
--- /dev/null
+++ b/dkms/template-dkms-redhat-kmod.spec
@@ -0,0 +1,37 @@
+%{?!module_name: %{error: You did not specify a module name (%%module_name)}}
+%{?!version: %{error: You did not specify a module version (%%version)}}
+Name: %{module_name}
+Version: %{version}
+Release: 1%{?dist}
+Summary: %{module_name}-%{version} RHEL Driver Update Program package
+
+License: Unknown
+Source0: %{module_name}-%{version}.tar.bz2
+BuildRequires: %kernel_module_package_buildreqs
+
+%kernel_module_package default
+
+%description
+%{module_name}-%{version} RHEL Driver Update package.
+
+%prep
+%setup
+set -- *
+mkdir source
+mv "$@" source/
+mkdir obj
+
+%build
+for flavor in %flavors_to_build; do
+ rm -rf obj/$flavor
+ cp -r source obj/$flavor
+ make -C %{kernel_source $flavor} M=$PWD/obj/$flavor
+done
+
+%install
+export INSTALL_MOD_PATH=$RPM_BUILD_ROOT
+export INSTALL_MOD_DIR=extra/%{name}
+for flavor in %flavors_to_build ; do
+ make -C %{kernel_source $flavor} modules_install \
+ M=$PWD/obj/$flavor
+done
diff --git a/kernel/install.d/dkms b/kernel/install.d/dkms
new file mode 100755
index 0000000..c1d6df1
--- /dev/null
+++ b/kernel/install.d/dkms
@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+
+if [[ "$1" == "add" ]]; then
+ /etc/kernel/postinst.d/dkms $2
+fi
+
+if [[ "$1" == "remove" ]]; then
+ /etc/kernel/prerm.d/dkms $2
+fi
diff --git a/kernel/postinst.d/dkms b/kernel/postinst.d/dkms
new file mode 100755
index 0000000..c90c2d6
--- /dev/null
+++ b/kernel/postinst.d/dkms
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# We're passed the version of the kernel being installed
+inst_kern=$1
+
+uname_s=$(uname -s)
+
+_get_kernel_dir() {
+ KVER=$1
+ case ${uname_s} in
+ Linux) DIR="/lib/modules/$KVER/build" ;;
+ GNU/kFreeBSD) DIR="/usr/src/kfreebsd-headers-$KVER/sys" ;;
+ esac
+ echo $DIR
+}
+
+_check_kernel_dir() {
+ DIR=$(_get_kernel_dir $1)
+ case ${uname_s} in
+ Linux) test -e $DIR/include ;;
+ GNU/kFreeBSD) test -e $DIR/kern && test -e $DIR/conf/kmod.mk ;;
+ *) return 1 ;;
+ esac
+ return $?
+}
+
+case "${uname_s}" in
+ Linux)
+ header_pkg="linux-headers-$inst_kern"
+ kernel="Linux"
+ ;;
+ GNU/kFreeBSD)
+ header_pkg="kfreebsd-headers-$inst_kern"
+ kernel="kFreeBSD"
+ ;;
+esac
+
+if [ -x /usr/lib/dkms/dkms_autoinstaller ]; then
+ exec /usr/lib/dkms/dkms_autoinstaller start $inst_kern
+fi
+
+if ! _check_kernel_dir $inst_kern ; then
+ echo "dkms: WARNING: $kernel headers are missing, which may explain the above failures." >&2
+ echo " please install the $header_pkg package to fix this." >&2
+fi
diff --git a/kernel/prerm.d/dkms b/kernel/prerm.d/dkms
new file mode 100755
index 0000000..c8116a3
--- /dev/null
+++ b/kernel/prerm.d/dkms
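Review bot: kernel/install.d/dkms passes the kernel version unquoted (`/etc/kernel/postinst.d/dkms $2`, `/etc/kernel/prerm.d/dkms $2`), and on `add` the hook's exit status is lost, because the second `if`, which does not match, is the script's last command and returns 0. Quote the argument and propagate the status, for example `/etc/kernel/postinst.d/dkms "$2" || exit $?`, or add a comment stating that a DKMS failure is deliberately not allowed to fail the kernel install.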
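Review bot: In kernel/postinst.d/dkms the missing-headers warning cannot run in the case it was written for: `exec /usr/lib/dkms/dkms_autoinstaller start $inst_kern` replaces the shell, so the `_check_kernel_dir` block after it is reached only when the autoinstaller is not executable, and then there are no "above failures" to explain. Running the autoinstaller without `exec` and keeping its status (`/usr/lib/dkms/dkms_autoinstaller start "$inst_kern"; rc=$?`) would let the header check run before the script exits with `rc`. `$inst_kern`, `$1` and `$DIR` are also expanded unquoted throughout, and `header_pkg` and `kernel` stay unset when `uname -s` is neither Linux nor GNU/kFreeBSD.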
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# We're passed the version of the kernel being removed
+inst_kern=$1
+
+# This is applied from make_initrd function in dkms command, which
+# creates the possible initrd backup file.
+remove_initrd_backup() {
+ for initrd in "initrd-$1.img" "initramfs-$1.img" "initrd.img-$1" "initrd-$1"; do
+ rm -fv /boot/"${initrd}".old-dkms >&2
+ done
+}
+
+if [ -x /usr/sbin/dkms ]; then
+while read line; do
+ name=`echo "$line" | awk '{print $1}' | sed 's/,$//'`
+ vers=`echo "$line" | awk '{print $2}' | sed 's/,$//'`
+ arch=`echo "$line" | awk '{print $4}' | sed 's/:$//'`
+ echo "dkms: removing: $name $vers ($inst_kern) ($arch)" >&2
+ dkms remove -m $name -v $vers -k $inst_kern -a $arch
+done < <(dkms status -k $inst_kern 2>/dev/null | grep ": installed")
+fi
+
+remove_initrd_backup "$inst_kern"
+
+rmdir --ignore-fail-on-non-empty \
+ "/lib/modules/$inst_kern/updates/dkms" \
+ "/lib/modules/$inst_kern/updates" 2>/dev/null
+
+exit 0
diff --git a/rc.d/init.d/bestcrypt b/rc.d/init.d/bestcrypt
new file mode 100755
index 0000000..2d7efbf
--- /dev/null
+++ b/rc.d/init.d/bestcrypt
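Review bot: kernel/prerm.d/dkms never checks that a kernel version was actually passed: with an empty `$1`, `dkms status -k $inst_kern` loses its argument, and the later `rm -fv` and `rmdir` calls run as root against paths such as `/boot/initrd-.img.old-dkms` and `/lib/modules//updates`. A guard right after the assignment, `[ -n "$inst_kern" ] || exit 0`, together with `read -r line` and quoting in `dkms remove -m "$name" -v "$vers" -k "$inst_kern" -a "$arch"`, would make the hook robust against empty or unusual values. The `awk | sed` pipelines depend on the column layout of `dkms status`, which is not visible here, so a comment showing the expected line format would help the next maintainer.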
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright 2010-2016 Jetico Inc. Oy
+# All rights reserved.
+
+# chkconfig: 345 99 01
+# description: BestCrypt for Linux
+#
+### BEGIN INIT INFO
+# Provides: bestcrypt
+# Required-Start: dkms
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: BestCrypt for Linux
+# Description: BestCrypt for Linux
+### END INIT INFO
+
+
+KERNEL_VERSION=`uname -r|sed 's/\(.\..\).*/\1/'`
+
+case "$1" in
+ start)
+ echo "Starting BestCrypt..."
+ rm -rf /dev/bcrypt?* 2>/dev/null
+
+ depmod -a
+
+ modprobe bestcrypt
+ modprobe bc_blowfish
+ modprobe bc_des
+ modprobe bc_gost
+ modprobe bc_camellia
+ modprobe bc_twofish
+ modprobe bc_bf448
+ modprobe bc_bf128
+ modprobe bc_3des
+ modprobe bc_idea
+ modprobe bc_rijn
+ modprobe bc_cast
+ modprobe bc_serpent
+ modprobe bc_rc6
+
+#modprobe bc_noop
+
+ echo "Started."
+ ;;
+
+ stop)
+ echo "Stopping BestCrypt..."
+
+ if bctool is_guard_on ; then
+ echo "on" > "$HOME"/.config/Jetico/guard_status
+ else
+ echo "off" > "$HOME"/.config/Jetico/guard_status
+ fi
+
+ bctool umountall
+
+ for i in `lsmod | egrep "^\"?bc_.*\"?" | awk '{print $1}' `; do
+ rmmod $i;
+ done
+
+ rmmod bestcrypt
+
+ echo "Stopped."
+ ;;
+
+ status)
+ if [ -f /sys/class/misc/bestcrypt ] ; then
+ echo "BestCrypt driver is loaded. List of loaded algorithms:\n"
+ ls /sys/class/misc/bectcrypt/plugins
+ else
+ echo "SysFS entry unavailable, possibly driver is not running."
+ fi
+
+ if bctool is_guard_on ; then
+ echo "BestCrypt container file guard is on"
+ fi
+
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|restart|status}"
+ exit 1
+esac
+
+exit 0
+
diff --git a/rc.d/rc0.d/K01bestcrypt b/rc.d/rc0.d/K01bestcrypt
new file mode 120000
index 0000000..3e0e04e
--- /dev/null
+++ b/rc.d/rc0.d/K01bestcrypt
@@ -0,0 +1 @@
+../init.d/bestcrypt
\ No newline at end of file
diff --git a/rc.d/rc1.d/K01bestcrypt b/rc.d/rc1.d/K01bestcrypt
new file mode 120000
index 0000000..3e0e04e
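Review bot: The `stop` branch of rc.d/init.d/bestcrypt writes `"$HOME"/.config/Jetico/guard_status` as root, and `$HOME` is whatever the calling environment provides: it may be unset or `/` when init runs the script, or a user's home when an administrator runs it by hand with the environment preserved. The guard state therefore lands in an unpredictable place, and in the second case root writes through a path that user controls; a fixed root-owned state file (location to be chosen, for example under `/var/lib`) avoids both. Separately, the `status` branch tests `/sys/class/misc/bestcrypt` but then lists `/sys/class/misc/bectcrypt/plugins`, which looks like a typo for `bestcrypt`, and the `-f` test will presumably fail if that sysfs entry is a directory. `KERNEL_VERSION` is assigned but never used in the lines shown.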
--- /dev/null
+++ b/rc.d/rc1.d/K01bestcrypt
@@ -0,0 +1 @@
+../init.d/bestcrypt
\ No newline at end of file
diff --git a/rc.d/rc2.d/S99bestcrypt b/rc.d/rc2.d/S99bestcrypt
new file mode 120000
index 0000000..3e0e04e
--- /dev/null
+++ b/rc.d/rc2.d/S99bestcrypt
@@ -0,0 +1 @@
+../init.d/bestcrypt
\ No newline at end of file
diff --git a/rc.d/rc3.d/S99bestcrypt b/rc.d/rc3.d/S99bestcrypt
new file mode 120000
index 0000000..3e0e04e
--- /dev/null
+++ b/rc.d/rc3.d/S99bestcrypt
@@ -0,0 +1 @@
+../init.d/bestcrypt
\ No newline at end of file
diff --git a/rc.d/rc4.d/S99bestcrypt b/rc.d/rc4.d/S99bestcrypt
new file mode 120000
index 0000000..3e0e04e
--- /dev/null
+++ b/rc.d/rc4.d/S99bestcrypt
@@ -0,0 +1 @@
+../init.d/bestcrypt
\ No newline at end of file
diff --git a/rc.d/rc5.d/S99bestcrypt b/rc.d/rc5.d/S99bestcrypt
new file mode 120000
index 0000000..3e0e04e
--- /dev/null
+++ b/rc.d/rc5.d/S99bestcrypt
@@ -0,0 +1 @@
+../init.d/bestcrypt
\ No newline at end of file
diff --git a/rc.d/rc6.d/K01bestcrypt b/rc.d/rc6.d/K01bestcrypt
new file mode 120000
index 0000000..3e0e04e
--- /dev/null
+++ b/rc.d/rc6.d/K01bestcrypt
@@ -0,0 +1 @@
+../init.d/bestcrypt
\ No newline at end of file
diff --git a/udev/rules.d/90-bcrypt-device-permissions.rules b/udev/rules.d/90-bcrypt-device-permissions.rules
new file mode 100644
index 0000000..9011a7d
--- /dev/null
+++ b/udev/rules.d/90-bcrypt-device-permissions.rules
@@ -0,0 +1,2 @@
+KERNEL=="bcrypt*", MODE="0666", ENV{UDISKS_PRESENTATION_NOPOLICY}="1"
+KERNEL=="bestcrypt", MODE="0755"
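Review bot: `KERNEL=="bcrypt*", MODE="0666"` in udev/rules.d/90-bcrypt-device-permissions.rules makes every matching device node readable and writable by all local users. If these nodes expose the contents of mounted containers, as the name suggests, that bypasses the filesystem permissions inside the container. Unless the vendor tooling is known to need world access, prefer a dedicated group, for example `KERNEL=="bcrypt*", MODE="0660", GROUP="<bestcrypt-group-placeholder>"`, and add a comment recording why the mode was chosen. `MODE="0755"` on the `bestcrypt` node sets execute bits that carry no meaning on a device node; `0644` would grant the same read and write access.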