From 699381b6993b9428e99a0055dae03e7a222ea9f9 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Fri, 15 Nov 2019 06:10:37 +0000
Subject: [PATCH] core138: insert emergency core update for new intel vulnarabilities.
Signed-off-by: Arne Fitzenreiter
---
 config/rootfiles/core/138/exclude | 28 ++++
 .../core/138/filelists/aarch64/linux | 1 +
 .../core/138/filelists/aarch64/linux-initrd | 1 +
 .../filelists/armv5tel/linux-initrd-kirkwood | 1 +
 .../138/filelists/armv5tel/linux-initrd-multi | 1 +
 .../138/filelists/armv5tel/linux-kirkwood | 1 +
 .../core/138/filelists/armv5tel/linux-multi | 1 +
 config/rootfiles/core/138/filelists/files | 5 +
 .../core/138/filelists/i586/intel-microcode | 1 +
 .../rootfiles/core/138/filelists/i586/linux | 1 +
 .../core/138/filelists/i586/linux-initrd | 1 +
 .../core/138/filelists/x86_64/intel-microcode | 1 +
 .../rootfiles/core/138/filelists/x86_64/linux | 1 +
 .../core/138/filelists/x86_64/linux-initrd | 1 +
 config/rootfiles/core/138/update.sh | 151 ++++++++++++++++++
 make.sh | 4 +-
 16 files changed, 198 insertions(+), 2 deletions(-)
 create mode 100644 config/rootfiles/core/138/exclude
 create mode 120000 config/rootfiles/core/138/filelists/aarch64/linux
 create mode 120000 config/rootfiles/core/138/filelists/aarch64/linux-initrd
 create mode 120000 config/rootfiles/core/138/filelists/armv5tel/linux-initrd-kirkwood
 create mode 120000 config/rootfiles/core/138/filelists/armv5tel/linux-initrd-multi
 create mode 120000 config/rootfiles/core/138/filelists/armv5tel/linux-kirkwood
 create mode 120000 config/rootfiles/core/138/filelists/armv5tel/linux-multi
 create mode 100644 config/rootfiles/core/138/filelists/files
 create mode 120000 config/rootfiles/core/138/filelists/i586/intel-microcode
 create mode 120000 config/rootfiles/core/138/filelists/i586/linux
 create mode 120000 config/rootfiles/core/138/filelists/i586/linux-initrd
 create mode 120000 config/rootfiles/core/138/filelists/x86_64/intel-microcode
 create mode 120000 config/rootfiles/core/138/filelists/x86_64/linux
 create mode 120000 config/rootfiles/core/138/filelists/x86_64/linux-initrd
 create mode 100644 config/rootfiles/core/138/update.sh
diff --git a/config/rootfiles/core/138/exclude b/config/rootfiles/core/138/exclude
new file mode 100644
index 0000000000..b221598781
--- /dev/null
+++ b/config/rootfiles/core/138/exclude
@@ -0,0 +1,28 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/log/dhcpcd.log
+var/log/messages
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/138/filelists/aarch64/linux b/config/rootfiles/core/138/filelists/aarch64/linux
new file mode 120000
index 0000000000..3a2532bc7d
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/aarch64/linux
@@ -0,0 +1 @@
+../../../../common/aarch64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/aarch64/linux-initrd b/config/rootfiles/core/138/filelists/aarch64/linux-initrd
new file mode 120000
index 0000000000..8acdb0f318
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/aarch64/linux-initrd
@@ -0,0 +1 @@
+../../../../common/aarch64/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-kirkwood b/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-kirkwood
new file mode 120000
index 0000000000..39c5591b71
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-kirkwood
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-initrd-kirkwood
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-multi b/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-multi
new file mode 120000
index 0000000000..0b1b4530a8
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-multi
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-initrd-multi
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/armv5tel/linux-kirkwood b/config/rootfiles/core/138/filelists/armv5tel/linux-kirkwood
new file mode 120000
index 0000000000..72171071e6
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/armv5tel/linux-kirkwood
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-kirkwood
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/armv5tel/linux-multi b/config/rootfiles/core/138/filelists/armv5tel/linux-multi
new file mode 120000
index 0000000000..204eb4c437
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/armv5tel/linux-multi
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-multi
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/files b/config/rootfiles/core/138/filelists/files
new file mode 100644
index 0000000000..393ad72272
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/files
@@ -0,0 +1,5 @@
+etc/system-release
+etc/issue
+srv/web/ipfire/cgi-bin/credits.cgi
+var/ipfire/langs
+srv/web/ipfire/cgi-bin/vulnerabilities.cgi
diff --git a/config/rootfiles/core/138/filelists/i586/intel-microcode b/config/rootfiles/core/138/filelists/i586/intel-microcode
new file mode 120000
index 0000000000..f03e84778a
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/i586/intel-microcode
@@ -0,0 +1 @@
+../../../../common/i586/intel-microcode
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/i586/linux b/config/rootfiles/core/138/filelists/i586/linux
new file mode 120000
index 0000000000..693ec4bbf9
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/i586/linux
@@ -0,0 +1 @@
+../../../../common/i586/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/i586/linux-initrd b/config/rootfiles/core/138/filelists/i586/linux-initrd
new file mode 120000
index 0000000000..32a03e6a90
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/i586/linux-initrd
@@ -0,0 +1 @@
+../../../../common/i586/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/x86_64/intel-microcode b/config/rootfiles/core/138/filelists/x86_64/intel-microcode
new file mode 120000
index 0000000000..d5ac074e2e
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/x86_64/intel-microcode
@@ -0,0 +1 @@
+../../../../common/x86_64/intel-microcode
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/x86_64/linux b/config/rootfiles/core/138/filelists/x86_64/linux
new file mode 120000
index 0000000000..0615b5b9ad
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/x86_64/linux
@@ -0,0 +1 @@
+../../../../common/x86_64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/x86_64/linux-initrd b/config/rootfiles/core/138/filelists/x86_64/linux-initrd
new file mode 120000
index 0000000000..1b9fff70ff
--- /dev/null
+++ b/config/rootfiles/core/138/filelists/x86_64/linux-initrd
@@ -0,0 +1 @@
+../../../../common/x86_64/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/138/update.sh b/config/rootfiles/core/138/update.sh
new file mode 100644
index 0000000000..e659555017
--- /dev/null
+++ b/config/rootfiles/core/138/update.sh
@@ -0,0 +1,151 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2019 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=138
+
+exit_with_error() {
+ # Set last succesfull installed core.
+ echo $(($core-1)) > /opt/pakfire/db/core/mine
+ # don't start pakfire again at error
+ killall -KILL pak_update
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: $1"
+ exit $2
+}
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+ cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks.
+case $(uname -r) in
+ *-ipfire*)
+ # Ok.
+ ;;
+ *)
+ exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+ ;;
+esac
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 80000 ]; then
+ exit_with_error "ERROR cannot update because not enough free space on root." 2
+ exit 2
+fi
+
+# Remove the old kernel
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-*-ipfire-*
+rm -rf /boot/zImage-*-ipfire-*
+rm -rf /boot/uInit-*-ipfire-*
+rm -rf /boot/dtb-*-ipfire-*
+rm -rf /lib/modules
+rm -f /etc/sysconfig/lm_sensors
+
+# Remove files
+
+# Stop services
+
+# Extract files
+extract_files
+
+# update dhcpcd.conf
+
+# update linker config
+ldconfig
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Start services
+
+# Search sensors again after reboot into the new kernel
+rm -f /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+ sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+ /boot/pakfire-kernel-update ${KVER}
+fi
+
+case "$(uname -m)" in
+ i?86)
+ # Force (re)install pae kernel if pae is supported
+ rm -rf /opt/pakfire/db/installed/meta-linux-pae
+ rm -rf /opt/pakfire/db/rootfiles/linux-pae
+ if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then
+ ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+ BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+ if [ $BOOTSPACE -lt 22000 -o $ROOTSPACE -lt 120000 ]; then
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: WARNING not enough space for pae kernel."
+ touch /var/run/need_reboot
+ else
+ echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae
+ echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae
+ echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae
+ fi
+ else
+ touch /var/run/need_reboot
+ fi
+ ;;
+ *)
+ # This update needs a reboot...
+ touch /var/run/need_reboot
+ ;;
+esac
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+ grub-mkconfig -o /boot/grub/grub.cfg
+fi
+
+sync
+
+# Don't report the exitcode last command
+exit 0
diff --git a/make.sh b/make.sh
index 170b16504c..2377c40ce1 100755
--- a/make.sh
+++ b/make.sh
@@ -26,8 +26,8 @@ NAME="IPFire" # Software name
 SNAME="ipfire" # Short name
 # If you update the version don't forget to update backupiso and add it to core update
 VERSION="2.23" # Version number
-CORE="137" # Core Level (Filename)
-PAKFIRE_CORE="137" # Core Level (PAKFIRE)
+CORE="138" # Core Level (Filename)
+PAKFIRE_CORE="138" # Core Level (PAKFIRE)
 GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch
 SLOGAN="www.ipfire.org" # Software slogan
 CONFIG_ROOT=/var/ipfire # Configuration rootdir
-- 
2.39.2
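Review bot: The free-space guard in config/rootfiles/core/138/update.sh fails open: `if [ $ROOTSPACE -lt 80000 ]` is unquoted, so when the `df` pipeline yields an empty or non-numeric value the test errors out, the branch is skipped, and the script carries on to the `rm -rf /boot/vmlinuz-*` and `rm -rf /lib/modules` lines. A guard that fails closed would be `if ! [ "${ROOTSPACE:-0}" -ge 80000 ]; then`; the `$BOOTSPACE`/`$ROOTSPACE` test in the `i?86` branch has the same shape. The status of `extract_files` is also never checked and the script ends with an unconditional `exit 0`; that function comes from the sourced functions.sh and is not visible here, so whether it signals failure needs confirming, but as written a failed extraction after the old kernel is deleted would not reach `exit_with_error`. The `exit 2` that follows the `exit_with_error ... 2` call is unreachable and can be dropped.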