author | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-15 21:36:24 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-16 09:10:27 +0200 |
commit | f99c86eec1d90b54ad29dcde33e315b9c33f1da8 (patch) | |
tree | b33383d0d40ddf7fe78a845eaf94c264a05dd21e /pkgs/os-specific/linux | |
parent | f7ec37f3e8d25ecb0d1d83f559db404aa0faf3e1 (diff) | |
grsecurity: remove expressions for unsupported versions
Retain top-level attributes for now but consolidate compatibility attributes. Part of ongoing cleanup, doing it all at once is infeasible.
Diffstat (limited to 'pkgs/os-specific/linux')
5 files changed, 2 insertions, 102 deletions
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
deleted file mode 100644
index 6f477c22b5e..00000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/kernel/kmod.c b/kernel/kmod.c
-index a689506..30747b4 100644
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data)
- out the path to be used prior to this point and are now operating
- on that copy
- */
-- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
-- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
-- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
-- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
-+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- retval = -EPERM;
- goto out;
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
deleted file mode 100644
index bef1a75c23d..00000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/kernel/kmod.c b/kernel/kmod.c
-index a689506..30747b4 100644
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data)
- out the path to be used prior to this point and are now operating
- on that copy
- */
-- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
-- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
-- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
-- strncmp(sub_info->path, "/usr/sbin/", 10) &&
-- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
-+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- retval = -EPERM;
- goto out;
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
deleted file mode 100644
index da628620764..00000000000
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-throw "grsecurity stable is no longer supported; please update your configuration"
-
-import ./generic.nix (args // rec {
- version = "3.14.51";
- extraMeta.branch = "3.14";
-
- src = fetchurl {
- url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
- sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk";
- };
-
- kernelPatches = args.kernelPatches;
-
- features.iwlwifi = true;
- features.efiBootStub = true;
- features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
- features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
deleted file mode 100644
index e51fe642368..00000000000
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-throw "grsecurity stable is no longer supported; please update your configuration"
-
-import ./generic.nix (args // rec {
- version = "4.4.5";
- extraMeta.branch = "4.4";
-
- src = fetchurl {
- url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
- sha256 = "1daavrj2msl85aijh1izfm1cwf14c7mi75hldzidr1h2v629l89h";
- };
-
- kernelPatches = args.kernelPatches;
-
- features.iwlwifi = true;
- features.efiBootStub = true;
- features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
- features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index efa3cb2eb86..8e198e7a3ed 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -88,22 +88,9 @@ rec {
 sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
 };
- grsecurity_3_14 = grsecPatch
- { kernel = pkgs.grsecurity_base_linux_3_14;
- patches = [ grsecurity_fix_path_3_14 ];
- kversion = "3.14.51";
- revision = "201508181951";
- branch = "stable";
- sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
- };
+ grsecurity_3_14 = throw "grsecurity stable is no longer supported";
- grsecurity_4_4 = grsecPatch
- { kernel = pkgs.grsecurity_base_linux_4_4;
- patches = [ grsecurity_fix_path_4_4 ];
- kversion = "4.4.5";
- revision = "201603131305";
- sha256 = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
- };
+ grsecurity_4_4 = throw "grsecurity stable is no longer supported";
 grsecurity_4_5 = grsecPatch
 { kernel = pkgs.grsecurity_base_linux_4_5;
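Review bot: The two `throw` stubs for `grsecurity_3_14` and `grsecurity_4_4` share one message that names neither the attribute that was referenced nor the supported replacement, so a configuration still pinned to either series fails evaluation without saying what to move to. Failing evaluation is the right outcome for a hardened-kernel attribute, since the user cannot end up with a kernel they did not ask for, but the message could carry the pointer, e.g. `grsecurity_3_14 = throw "grsecurity_3_14 was removed: grsecurity stable is no longer supported; use grsecurity_4_5";` and the same for `grsecurity_4_4`. A comment above the pair, such as `# compatibility stubs: kept so old references fail with a clear message; remove once callers are updated`, would record why they remain after the cleanup. The `rec { … }` set these attributes belong to starts and ends outside the hunk.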
@@ -115,16 +102,6 @@ rec {
 grsecurity_latest = grsecurity_4_5;
- grsecurity_fix_path_3_14 =
- { name = "grsecurity-fix-path-3.14";
- patch = ./grsecurity-path-3.14.patch;
- };
-
- grsecurity_fix_path_4_4 =
- { name = "grsecurity-fix-path-4.4";
- patch = ./grsecurity-path-4.4.patch;
- };
-
 grsecurity_fix_path_4_5 =
 { name = "grsecurity-fix-path-4.5";
 patch = ./grsecurity-path-4.5.patch; |