grsec

Signed-off-by: Jessica Frazelle <acidburn@docker.com>

kernel-builder/install_kernel

@@ -1,6 +1,8 @@
 #!/bin/bash
 set -e
 
+GRSEC_VERSION=3.1-4.4.5-201603142220
+
 linux_next(){
 	(
 	cd /usr/src
@@ -26,7 +28,7 @@ linux_next(){
 	fi
 
 	git checkout -b next-$(date +%Y%m%d) next-$(date +%Y%m%d)
-	
+
 	if [[ ! -f .config ]] && [[ -f ../config ]]; then
 		cp ../config .config
 	fi
@@ -60,16 +62,30 @@ install_kernel(){
 	fi
 
 	# get the aufs standalone source
-	aufsdir=/usr/src/aufs4-standalone
+	aufsdir=/tmp/aufs4-standalone
 	if [[ -d $aufsdir ]]; then
 		rm -rf $aufsdir
 	fi
 	git clone -b aufs${MAJOR_MINOR_VERSION} --single-branch --depth 1 https://github.com/sfjro/aufs4-standalone.git $aufsdir
-	cd $aufsdir
 
+	# get the grsec patches
+	grsecdir=/tmp/grsec
+	if [[ -d $grsecdir ]]; then
+		rm -rf $grsecdir
+	fi
+	mkdir -p $grsecdir
+	curl -sSL -o "${grsecdir}/grsecurity.patch" "https://grsecurity.net/test/grsecurity-${GRSEC_VERSION}.patch"
+	curl -sSL -o "${grsecdir}/grsecurity.patch.sig" "https://grsecurity.net/test/grsecurity-${GRSEC_VERSION}.patch.sig"
+	# add the gpg key
+	gpg --keyserver pgp.mit.edu --recv-keys "DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49"
+	# verify the patch
+	gpg --verify $grsecdir/grsecurity.patch.sig
+
+	# apply the patches and compile the kernel
 	cd /usr/src/linux-${VERSION}
 
 	# apply the aufs patches
+	patch -p1 < $grsecdir/grsecurity.patch || true
 	git apply $aufsdir/aufs4-kbuild.patch
 	git apply $aufsdir/aufs4-base.patch
 	git apply $aufsdir/aufs4-mmap.patch
@@ -79,12 +95,15 @@ install_kernel(){
 	# remove aufs source
 	rm -rf $aufsdir
 
+	# remove grsecdir
+	rm -rf $grsecdir
+
 	if [[ ! -f .config ]] && [[ -f ../config ]]; then
 		cp ../config .config
 		echo "CONFIG_AUFS_FS=y" >> .config
 	fi
 
-	nice -19 make -j$JOBS KDEB_PKGVERSION=$PKGVERSION INSTALL_MOD_STRIP=1 deb-pkg
+	nice -19 make -j$JOBS KDEB_PKGVERSION=$PKGVERSION DISABLE_PAX_PLUGINS=y INSTALL_MOD_STRIP=1 deb-pkg
 }
 
 install_kernel $@