rosenthal: linux-xanmod: Add linux-hardened patch.

* rosenthal/packages/patches/linux-hardened-xanmod-adaption.patch: New file. * rosenthal/packages/linux.scm (%hardened-revision) (linux-hardened-patch-for-xanmod): New variables. (linux-xanmod-source)[patches]: Add linux-hardened-patch-for-xanmod.
2 years ago · 5469ef7ff2
parent e30e13349f
commit 5469ef7ff2
2 changed files with 41 additions and 3 deletions
--- a/rosenthal/packages/linux.scm
+++ b/rosenthal/packages/linux.scm
@ -66,6 +66,7 @@

 (define %xanmod-version "6.0.10")
 (define %xanmod-revision "xanmod1")
+(define %hardened-revision "hardened1")

 (define (extract-xanmod-patch version hash)
  (let ((patch (string-append "linux-" version ".patch"))
@ -74,7 +75,7 @@
                  (uri (string-append "https://github.com/xanmod/linux"
                                      "/releases/download/" version
                                      "/patch-" version ".xz"))
-                  (sha256 (base32 hash)))))
+                  (sha256 hash))))
    (origin
      (method computed-origin-method)
      (file-name patch)
@ -97,7 +98,16 @@
 (define linux-xanmod-patch
  (extract-xanmod-patch
   (string-append %xanmod-version "-" %xanmod-revision)
-   "0ypvr7lp9bhlja3zp97vmfxa80144z1kplsrzqdj301xwrmiki37"))
+   (base32 "0ypvr7lp9bhlja3zp97vmfxa80144z1kplsrzqdj301xwrmiki37")))
+
+(define linux-hardened-patch-for-xanmod
+  (origin
+    (method url-fetch)
+    (uri (string-append "https://github.com/anthraxx/linux-hardened/releases/download/"
+                        %xanmod-version "-" %hardened-revision "/linux-hardened-"
+                        %xanmod-version "-" %hardened-revision ".patch"))
+    (patches (list (local-file "patches/linux-hardened-xanmod-adaption.patch")))
+    (sha256 (base32 "1zbhqwhbzjc2jsmbrqk6y4w62b9drhzh2kb1p5bwgi3nd17f43jj"))))

 (define linux-xanmod-source
  (origin
@ -105,7 +115,8 @@
              "6.0"
              (base32 "13kqh7yhifwz5dmd3ky0b3mzbh9r0nmjfp5mxy42drcdafjl692w")))
    (patches
-     (append (list linux-xanmod-patch)
+     (append (list linux-xanmod-patch
+                   linux-hardened-patch-for-xanmod)
             (if (doc-supported? %xanmod-version)
                 (search-patches "linux-libre-infodocs-target.patch")
                 '())))))
--- a/rosenthal/packages/patches/linux-hardened-xanmod-adaption.patch
+++ b/rosenthal/packages/patches/linux-hardened-xanmod-adaption.patch
@ -0,0 +1,27 @@
+diff --git a/linux-hardened-6.0.10-hardened1.patch b/linux-hardened-6.0.10-hardened1.patch
+index 9cc8a0f..e7e71a7 100644
+--- a/linux-hardened-6.0.10-hardened1.patch
+++ b/linux-hardened-6.0.10-hardened1.patch
+@@ -1545,22 +1545,6 @@ index 205d605cacc5b..26c15bed8f7b4 100644
+  int proc_dointvec_jiffies(struct ctl_table *table, int write,
+  		    void *buffer, size_t *lenp, loff_t *ppos)
+  {
+-@@ -1649,6 +1687,15 @@ static struct ctl_table kern_table[] = {
+- 		.mode		= 0644,
+- 		.proc_handler	= proc_dointvec,
+- 	},
+-+#ifdef CONFIG_USER_NS
+-+	{
+-+		.procname	= "unprivileged_userns_clone",
+-+		.data		= &unprivileged_userns_clone,
+-+		.maxlen		= sizeof(int),
+-+		.mode		= 0644,
+-+		.proc_handler	= proc_dointvec,
+-+	},
+-+#endif
+- #ifdef CONFIG_PROC_SYSCTL
+- 	{
+- 		.procname	= "tainted",
+ @@ -2498,6 +2545,7 @@ EXPORT_SYMBOL(proc_douintvec);
+  EXPORT_SYMBOL(proc_dointvec_jiffies);
+  EXPORT_SYMBOL(proc_dointvec_minmax);