This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  483803413129ae3999d334b8972bb3daa71f0c9e (commit)
      from  3069380c4189a1d875717441d88082286a85586b (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 483803413129ae3999d334b8972bb3daa71f0c9e
Author: Arne Fitzenreiter arne_f@ipfire.org
Date: Thu Jun 28 20:36:32 2018 +0200
random: update initscript for machines with low entropy
The script waits until the CRNG is correctly initialized before restoring the random seed, and makes some disk I/O to work around low entropy at boot on some machines. Not really a fix, but it should be better than reverting the CVE-2018-1108 fixes from the kernel.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/aarch64/initscripts  |  2 +-
 config/rootfiles/common/armv5tel/initscripts |  2 +-
 config/rootfiles/common/i586/initscripts     |  2 +-
 config/rootfiles/common/x86_64/initscripts   |  2 +-
 config/rootfiles/core/122/filelists/files    |  1 +
 config/rootfiles/core/122/update.sh          |  2 ++
 lfs/initscripts                              |  5 ++--
 src/initscripts/system/random                | 35 +++++++++++++++++++++-------
 8 files changed, 35 insertions(+), 16 deletions(-)
Difference in files: diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 9e9e1a71a..97ba5ad65 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -117,6 +117,7 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d +etc/rc.d/rc3.d/S00random etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S11unbound @@ -130,7 +131,6 @@ etc/rc.d/rc3.d/S19wlanclient etc/rc.d/rc3.d/S20network etc/rc.d/rc3.d/S21leds etc/rc.d/rc3.d/S24cyrus-sasl -etc/rc.d/rc3.d/S25random etc/rc.d/rc3.d/S30sshd etc/rc.d/rc3.d/S32apache etc/rc.d/rc3.d/S40fcron diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 9e9e1a71a..97ba5ad65 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -117,6 +117,7 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d +etc/rc.d/rc3.d/S00random etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S11unbound @@ -130,7 +131,6 @@ etc/rc.d/rc3.d/S19wlanclient etc/rc.d/rc3.d/S20network etc/rc.d/rc3.d/S21leds etc/rc.d/rc3.d/S24cyrus-sasl -etc/rc.d/rc3.d/S25random etc/rc.d/rc3.d/S30sshd etc/rc.d/rc3.d/S32apache etc/rc.d/rc3.d/S40fcron diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index cc0e4580d..ab8d4f108 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -116,6 +116,7 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d +etc/rc.d/rc3.d/S00random etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S12acpid 
@@ -129,7 +130,6 @@ etc/rc.d/rc3.d/S20network etc/rc.d/rc3.d/S11unbound etc/rc.d/rc3.d/S21leds etc/rc.d/rc3.d/S24cyrus-sasl -etc/rc.d/rc3.d/S25random etc/rc.d/rc3.d/S30sshd etc/rc.d/rc3.d/S32apache etc/rc.d/rc3.d/S40fcron diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index cc0e4580d..ab8d4f108 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -116,6 +116,7 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d +etc/rc.d/rc3.d/S00random etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S12acpid @@ -129,7 +130,6 @@ etc/rc.d/rc3.d/S20network etc/rc.d/rc3.d/S11unbound etc/rc.d/rc3.d/S21leds etc/rc.d/rc3.d/S24cyrus-sasl -etc/rc.d/rc3.d/S25random etc/rc.d/rc3.d/S30sshd etc/rc.d/rc3.d/S32apache etc/rc.d/rc3.d/S40fcron diff --git a/config/rootfiles/core/122/filelists/files b/config/rootfiles/core/122/filelists/files index f7c692d8b..d87145961 100644 --- a/config/rootfiles/core/122/filelists/files +++ b/config/rootfiles/core/122/filelists/files @@ -5,6 +5,7 @@ etc/rc.d/init.d/collectd etc/rc.d/init.d/firstsetup etc/rc.d/init.d/leds etc/rc.d/init.d/partresize +etc/rc.d/init.d/random etc/rc.d/rc0.d/K87acpid etc/rc.d/rc3.d/S12acpid etc/rc.d/rc6.d/K87acpid diff --git a/config/rootfiles/core/122/update.sh b/config/rootfiles/core/122/update.sh index 3e8cab693..bb38696c4 100644 --- a/config/rootfiles/core/122/update.sh +++ b/config/rootfiles/core/122/update.sh @@ -117,6 +117,8 @@ if [ -e /boot/pakfire-kernel-update ]; then /boot/pakfire-kernel-update ${KVER} fi
+mv /etc/rc.d/rc3.d/S??random /etc/rc.d/rc3.d/S00random + case "$(uname -m)" in i?86) # Force (re)install pae kernel if pae is supported diff --git a/lfs/initscripts b/lfs/initscripts index 0d7f40cad..848540680 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -16,7 +16,6 @@ # You should have received a copy of the GNU General Public License # # along with this program. If not, see http://www.gnu.org/licenses/. # # # -###############################################################################
############################################################################### # Definitions @@ -131,7 +130,7 @@ $(TARGET) : ln -sf ../init.d/unbound /etc/rc.d/rc3.d/S11unbound ln -sf ../init.d/unbound /etc/rc.d/rc6.d/K79unbound ln -sf ../init.d/random /etc/rc.d/rc0.d/K45random - ln -sf ../init.d/random /etc/rc.d/rc3.d/S25random + ln -sf ../init.d/random /etc/rc.d/rc3.d/S00random ln -sf ../init.d/random /etc/rc.d/rc6.d/K45random ln -sf ../../sysconfig/rc.local /etc/rc.d/rc3.d/S98rc.local ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 diff --git a/src/initscripts/system/random b/src/initscripts/system/random index 57aef99d4..1f825cd18 100644 --- a/src/initscripts/system/random +++ b/src/initscripts/system/random @@ -1,28 +1,45 @@ #!/bin/sh -# Begin $rc_base/init.d/random - -# Based on sysklogd script from LFS-3.1 and earlier. -# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org -# Random script elements by Larry Lawrence - . /etc/sysconfig/rc . $rc_functions
+if [ -e /proc/sys/kernel/random/poolsize ]; then + poolsize=$(</proc/sys/kernel/random/poolsize); + poolsize=$(expr $poolsize / 8 ); +else + poolsize=512; +fi + case "$1" in start) - boot_mesg "Initializing kernel random number generator..." + + #CRNG init need 128bit so wait until there is more) + avail=$(</proc/sys/kernel/random/entropy_avail) + while [ $avail -lt 130 ]; do + avail=$(</proc/sys/kernel/random/entropy_avail) + boot_mesg -n "\rWait for entropy: $avail/130 " + # Generate some disc access to gather entropy + echo avail > /var/tmp/random-tmpfile + sync + rm -f /var/tmp/random-tmpfile + done; + + boot_mesg "\rInitializing kernel random number generator..." if [ -f /var/tmp/random-seed ]; then /bin/cat /var/tmp/random-seed >/dev/urandom fi + touch /var/tmp/random-seed + chmod 600 /var/tmp/random-seed /bin/dd if=/dev/urandom of=/var/tmp/random-seed \ - count=4 &>/dev/null + count=1 bs=$poolsize &>/dev/null evaluate_retval ;;
stop) boot_mesg "Saving random seed..." + touch /var/tmp/random-seed + chmod 600 /var/tmp/random-seed /bin/dd if=/dev/urandom of=/var/tmp/random-seed \ - count=4 &>/dev/null + count=1 bs=$poolsize &>/dev/null evaluate_retval ;;
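Review bot: In config/rootfiles/core/122/update.sh the unguarded `mv /etc/rc.d/rc3.d/S??random /etc/rc.d/rc3.d/S00random` is not idempotent and does not handle a missing link. Once the link is already named S00random the glob matches the destination itself and mv reports that source and destination are the same file; with no match the literal pattern is handed to mv; with more than one match mv fails because the last argument is not a directory. lfs/initscripts in this same patch creates the link with `ln -sf ../init.d/random /etc/rc.d/rc3.d/S00random`, so the update could remove any S??random link with rm -f and recreate it the same way, which gives the same result on every run.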
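Review bot: In lfs/initscripts the hunk at `@@ -16,7 +16,6 @@` removes a `####` border line from the licence header, a cosmetic change unrelated to the entropy workaround and not mentioned in the commit message. Together with the copyright year bump in the first hunk it would be easier to review and revert as a separate commit, or it should at least be named in the message.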
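Review bot: In src/initscripts/system/random the new `while [ $avail -lt 130 ]` loop in start) has no upper bound and no pause between iterations. The rootfiles hunks move the script to S00random, ahead of S10sysklogd, S20network and S30sshd, so a machine whose entropy_avail never reaches 130 stalls runlevel 3 before logging or remote access is available, while the loop spins on sync. Add an iteration limit or deadline after which boot continues with a warning, and a short sleep per pass. Smaller points in the same hunk: `echo avail > /var/tmp/random-tmpfile` writes the literal word avail where `$avail` was probably meant; the comment `#CRNG init need 128bit so wait until there is more)` has a stray closing parenthesis; `$(</proc/...)` and `&>` only work if /bin/sh is bash although the shebang is `#!/bin/sh`. The scratch file and the seed are written as root under fixed names in /var/tmp, with the seed protected only by the touch and chmod 600 that precede dd; a directory writable only by root, or setting umask 077 before creating the files, would not depend on that ordering.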
hooks/post-receive -- IPFire 2.x development tree