authorJoachim Fasting <joachifm@fastmail.fm>2016-05-15 21:36:24 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-05-16 09:10:27 +0200
commitf99c86eec1d90b54ad29dcde33e315b9c33f1da8 (patch)
treeb33383d0d40ddf7fe78a845eaf94c264a05dd21e /pkgs/os-specific/linux
parentf7ec37f3e8d25ecb0d1d83f559db404aa0faf3e1 (diff)
grsecurity: remove expressions for unsupported versions
Retain top-level attributes for now but consolidate compatibility
attributes.

Part of an ongoing cleanup; doing it all at once is infeasible.
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch17
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch18
-rw-r--r--pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix21
-rw-r--r--pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix21
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix27
5 files changed, 2 insertions, 102 deletions
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
deleted file mode 100644
index 6f477c22b5e..00000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/kernel/kmod.c b/kernel/kmod.c
-index a689506..30747b4 100644
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data)
- 	   out the path to be used prior to this point and are now operating
- 	   on that copy
- 	*/
--	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
--	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
--	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
--	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
-+	     strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- 		retval = -EPERM;
- 		goto out;
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
deleted file mode 100644
index bef1a75c23d..00000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/kernel/kmod.c b/kernel/kmod.c
-index a689506..30747b4 100644
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data)
- 	   out the path to be used prior to this point and are now operating
- 	   on that copy
- 	*/
--	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
--	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
--	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
--	     strncmp(sub_info->path, "/usr/sbin/", 10) &&
--	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
-+	     strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- 		retval = -EPERM;
- 		goto out;
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
deleted file mode 100644
index da628620764..00000000000
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-throw "grsecurity stable is no longer supported; please update your configuration"
-
-import ./generic.nix (args // rec {
-  version = "3.14.51";
-  extraMeta.branch = "3.14";
-
-  src = fetchurl {
-    url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
-    sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk";
-  };
-
-  kernelPatches = args.kernelPatches;
-
-  features.iwlwifi = true;
-  features.efiBootStub = true;
-  features.needsCifsUtils = true;
-  features.canDisableNetfilterConntrackHelpers = true;
-  features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
deleted file mode 100644
index e51fe642368..00000000000
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-throw "grsecurity stable is no longer supported; please update your configuration"
-
-import ./generic.nix (args // rec {
-  version = "4.4.5";
-  extraMeta.branch = "4.4";
-
-  src = fetchurl {
-    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1daavrj2msl85aijh1izfm1cwf14c7mi75hldzidr1h2v629l89h";
-  };
-
-  kernelPatches = args.kernelPatches;
-
-  features.iwlwifi = true;
-  features.efiBootStub = true;
-  features.needsCifsUtils = true;
-  features.canDisableNetfilterConntrackHelpers = true;
-  features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index efa3cb2eb86..8e198e7a3ed 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -88,22 +88,9 @@ rec {
     sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
   };
 
-  grsecurity_3_14 = grsecPatch
-    { kernel    = pkgs.grsecurity_base_linux_3_14;
-      patches   = [ grsecurity_fix_path_3_14 ];
-      kversion  = "3.14.51";
-      revision  = "201508181951";
-      branch    = "stable";
-      sha256    = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
-    };
+  grsecurity_3_14 = throw "grsecurity stable is no longer supported";
 
-  grsecurity_4_4 = grsecPatch
-    { kernel    = pkgs.grsecurity_base_linux_4_4;
-      patches   = [ grsecurity_fix_path_4_4 ];
-      kversion  = "4.4.5";
-      revision  = "201603131305";
-      sha256    = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
-    };
+  grsecurity_4_4 = throw "grsecurity stable is no longer supported";
 
   grsecurity_4_5 = grsecPatch
     { kernel    = pkgs.grsecurity_base_linux_4_5;
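Review bot: The two replacement `throw` messages for `grsecurity_3_14` and `grsecurity_4_4` are identical and drop the "please update your configuration" hint that the deleted kernel expressions carried, so a configuration that still pins either attribute fails without saying which attribute tripped or what to switch to. Failing evaluation is the right outcome for a hardened-kernel attribute, because a silent fallback could leave a host on an unhardened kernel, but the message should be actionable, e.g. `grsecurity_3_14 = throw "grsecurity_3_14 (stable) is no longer supported; use grsecurity_latest";` and likewise for `grsecurity_4_4`. The removed `grsecurity_4_4` set had no `branch = "stable"` line, so it is worth confirming that "stable" is the right word in its message. The diffstat is limited to this directory, so it is not visible here whether the top-level `grsecurity_base_linux_3_14` and `grsecurity_base_linux_4_4` attributes still import the deleted `linux-grsecurity-*.nix` files; if they do, users would presumably hit a missing-file error instead of this message.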
@@ -115,16 +102,6 @@ rec {
 
   grsecurity_latest = grsecurity_4_5;
 
-  grsecurity_fix_path_3_14 =
-    { name = "grsecurity-fix-path-3.14";
-      patch = ./grsecurity-path-3.14.patch;
-    };
-
-  grsecurity_fix_path_4_4 =
-    { name = "grsecurity-fix-path-4.4";
-      patch = ./grsecurity-path-4.4.patch;
-    };
-
   grsecurity_fix_path_4_5 =
     { name = "grsecurity-fix-path-4.5";
       patch = ./grsecurity-path-4.5.patch;