author | Alyssa Ross <hi@alyssa.is> | 2021-04-05 10:01:58 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2021-04-06 09:48:56 +0000 |
commit | 52cd3538ff0214f0416455322cec299d2a43a436 (patch) | |
tree | b7ff5010abfa6479bff6703399a562c7e4b8d066 | |
parent | a10183d3ecdb391a867c8b8da21ca07ae3d6e5cf (diff) | |
linux: remove remnants of grsecurity
Nixpkgs hasn't supported grsecurity kernels since 2017, so unless anybody is manually enabling the grsecurity feature to make these small kernel tweaks, this is dead code. This means we don't actually support any "features" in the kernel common-config any more, but I've left the argument there because it's conceivable we could have some again in future.
-rw-r--r-- | pkgs/os-specific/linux/anbox/kmod.nix | 2 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/common-config.nix | 10 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/generic.nix | 1 |
3 files changed, 6 insertions, 7 deletions
diff --git a/pkgs/os-specific/linux/anbox/kmod.nix b/pkgs/os-specific/linux/anbox/kmod.nix
index f62e6ee6aa5..1ed6d9c5f72 100644
--- a/pkgs/os-specific/linux/anbox/kmod.nix
+++ b/pkgs/os-specific/linux/anbox/kmod.nix
@@ -36,7 +36,7 @@ stdenv.mkDerivation {
 homepage = "https://github.com/anbox/anbox-modules";
 license = licenses.gpl2;
 platforms = platforms.linux;
- broken = (versionOlder kernel.version "4.4") || (kernel.features.grsecurity or false);
+ broken = (versionOlder kernel.version "4.4");
 maintainers = with maintainers; [ edwtjo ];
 };
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 488aa30c54a..213f344add1 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -12,7 +12,7 @@
 # Configuration
 { lib, stdenv, version
-, features ? { grsecurity = false; }
+, features ? {}
 }:
 with lib;
@@ -42,7 +42,7 @@ let
 TIMER_STATS = whenOlder "4.11" yes;
 DEBUG_NX_TEST = whenOlder "4.11" no;
 DEBUG_STACK_USAGE = no;
- DEBUG_STACKOVERFLOW = mkIf (!features.grsecurity) (option no);
+ DEBUG_STACKOVERFLOW = option no;
 RCU_TORTURE_TEST = no;
 SCHEDSTATS = no;
 DETECT_HUNG_TASK = yes;
@@ -443,7 +443,7 @@ let
 SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
 # Prevent processes from ptracing non-children processes
 SECURITY_YAMA = option yes;
- DEVKMEM = mkIf (!features.grsecurity) no; # Disable /dev/kmem
+ DEVKMEM = no; # Disable /dev/kmem
 USER_NS = yes; # Support for user namespaces
@@ -523,7 +523,7 @@ let
 virtualisation = {
 PARAVIRT = option yes;
- HYPERVISOR_GUEST = mkIf (!features.grsecurity) yes;
+ HYPERVISOR_GUEST = yes;
 PARAVIRT_SPINLOCKS = option yes;
 KVM_APIC_ARCHITECTURE = whenOlder "4.8" yes;
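Review bot: In the kmod.nix hunk, the parentheses kept around the remaining condition on the `broken` line are redundant now that the `||` they separated operands for is gone. `broken = versionOlder kernel.version "4.4";` reads more cleanly and matches the unparenthesised attributes next to it, such as `license = licenses.gpl2;`. The `meta` attribute set this line belongs to starts outside the hunk.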
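Review bot: The `features ? {}` argument in the `@@ -12` hunk of common-config.nix has no remaining reader among the settings this commit touches, and nothing in the file says it is kept on purpose. The commit message explains the intent, but someone reading only the file will not see it; a comment above the argument such as `# No feature flags are read in this file at present; the argument is kept for future use.` would stop it being removed as dead code or mistaken for an active switch. It may also be worth stating there that a caller who still passes `grsecurity = true` through `features` is now silently ignored rather than rejected, which appears to follow from the `} // features` merge in generic.nix.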
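Review bot: On the `DEVKMEM = no;` line in the `@@ -443` hunk, the setting is mandatory while its neighbour `SECURITY_YAMA` is wrapped in `option`, and the trailing comment does not say that the difference is intended. /dev/kmem gives userspace a read/write view of kernel virtual memory, so a hard failure at config time is preferable to silently building a kernel that exposes it; I would extend the comment to something like `# Disable /dev/kmem (userspace access to kernel memory); deliberately not optional`. If a supported kernel ever lacks the symbol, a version guard in the style of the `whenOlder "5.1"` line above would keep that guarantee for older kernels, which wrapping the value in `option` would not. How a mandatory entry for a missing symbol is handled is decided outside this hunk, so that part is an assumption to confirm.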
@@ -531,7 +531,7 @@ let
 KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
 KVM_DEVICE_ASSIGNMENT = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
 KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0" yes;
- KVM_GUEST = mkIf (!features.grsecurity) yes;
+ KVM_GUEST = yes;
 KVM_MMIO = yes;
 KVM_VFIO = yes;
 KSM = yes;
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index 4518b5a336b..1c289d86002 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -72,7 +72,6 @@ let
 efiBootStub = true;
 needsCifsUtils = true;
 netfilterRPFilter = true;
- grsecurity = false;
 ia32Emulation = true;
 } // features) kernelPatches; |