authorJoachim Fasting <joachifm@users.noreply.github.com>2016-06-14 03:52:50 +0200
committerGitHub <noreply@github.com>2016-06-14 03:52:50 +0200
commit886c03ad2ec5fed59831bd552d34ba03327f2ac7 (patch)
treec201f8766bb9e8b97ada0f1852cfcb99258ea8ae /pkgs/os-specific
parent3123c7df37ac2fa69bc3fa4c561ac94d529d2fc5 (diff)
parent7bda8f0a8fc38e3cccd565521342ec9aaeffb297 (diff)
Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r--pkgs/os-specific/linux/kernel/common-config.nix20
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix43
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch (renamed from pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch)0
-rw-r--r--pkgs/os-specific/linux/kernel/linux-grsecurity.nix (renamed from pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix)0
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix41
5 files changed, 70 insertions, 34 deletions
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 3ce65a3f6e1..624d380fe56 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -261,9 +261,7 @@ with stdenv.lib;
   # Security related features.
   STRICT_DEVMEM y # Filter access to /dev/mem
   SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
-  ${optionalString (!(features.grsecurity or false)) ''
-    DEVKMEM n # Disable /dev/kmem
-  ''}
+  DEVKMEM n # Disable /dev/kmem
   ${if versionOlder version "3.14" then ''
     CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
   '' else ''
@@ -422,13 +420,11 @@ with stdenv.lib;
 
   # Virtualisation.
   PARAVIRT? y
-  ${optionalString (!(features.grsecurity or false))
-    (if versionAtLeast version "3.10" then ''
-      HYPERVISOR_GUEST y
-    '' else ''
-      PARAVIRT_GUEST? y
-    '')
-  }
+  ${if versionAtLeast version "3.10" then ''
+    HYPERVISOR_GUEST y
+  '' else ''
+    PARAVIRT_GUEST? y
+  ''}
   KVM_APIC_ARCHITECTURE y
   KVM_ASYNC_PF y
   ${optionalString (versionOlder version "3.7") ''
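Review bot: HYPERVISOR_GUEST / PARAVIRT_GUEST are now set for grsecurity kernels as well, reversing an exclusion whose reason was never written down, and the new lines carry no comment either, so the next reader cannot tell whether grsec kernels are meant to get these options in addition to whatever the grsecurity-specific config selects. A one-line note would prevent the exclusion from being reintroduced by someone who assumes it was an oversight, e.g. `# Also enabled for grsecurity kernels; the grsec-specific config lives in grsecurity-nixos-config.nix`. If the old exclusion was there because the grsec config handles virtualisation options itself, that is the place to say so; I cannot confirm the interaction from this hunk alone.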
@@ -443,9 +439,7 @@ with stdenv.lib;
   ${optionalString (versionAtLeast version "4.0") ''
     KVM_GENERIC_DIRTYLOG_READ_PROTECT y
   ''}
-  ${optionalString (!features.grsecurity or true) ''
-    KVM_GUEST y
-  ''}
+  KVM_GUEST y
   KVM_MMIO y
   ${optionalString (versionAtLeast version "3.13") ''
     KVM_VFIO y
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
new file mode 100644
index 00000000000..894f2d8e364
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -0,0 +1,43 @@
+{ stdenv }:
+
+with stdenv.lib;
+
+''
+GRKERNSEC y
+PAX y
+
+GRKERNSEC_CONFIG_AUTO y
+GRKERNSEC_CONFIG_DESKTOP y
+GRKERNSEC_CONFIG_VIRT_HOST y
+GRKERNSEC_CONFIG_VIRT_EPT y
+GRKERNSEC_CONFIG_VIRT_KVM y
+GRKERNSEC_CONFIG_PRIORITY_SECURITY y
+
+PAX_PT_PAX_FLAGS y
+PAX_XATTR_PAX_FLAGS n
+PAX_EI_PAX n
+
+GRKERNSEC_PROC_GID 0
+
+PAX_LATENT_ENTROPY n
+PAX_SIZE_OVERFLOW n
+GRKERNSEC_HIDESYM n
+GRKERNSEC_RANDSTRUCT n
+GRKERNSEC_PROC n
+GRKERNSEC_SYSFS_RESTRICT n
+GRKERNSEC_KMEM n
+GRKERNSEC_MODHARDEN n
+GRKERNSEC_NO_SIMULT_CONNECT n
+
+PAX_KERNEXEC_PLUGIN_METHOD_BTS y
+
+GRKERNSEC_ACL_HIDEKERN y
+GRKERNSEC_IO y
+
+GRKERNSEC_AUDIT_PTRACE y
+GRKERNSEC_FORKFAIL y
+
+GRKERNSEC_SYSCTL y
+GRKERNSEC_SYSCTL_DISTRO y
+GRKERNSEC_SYSCTL_ON y
+''
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
index e0430a69c95..e0430a69c95 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
index 63db1779014..63db1779014 100644
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 877e51565ac..0fa9708efe5 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -18,20 +18,20 @@ let
       };
     };
 
-  grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
-    assert kversion == kernel.version;
-    { name = "grsecurity-${grversion}-${kversion}";
-      inherit grversion kernel patches kversion revision;
+  grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha256 }: rec {
+    name = "grsecurity-${grver}-${kver}-${grrev}";
+
+    # Pass these along to allow the caller to determine compatibility
+    inherit grver kver grrev;
+
+    patch = fetchurl {
       # When updating versions/hashes, ALWAYS use the official version; we use
       # this mirror only because upstream removes sources files immediately upon
       # releasing a new version ...
-      patch = fetchurl {
-        url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/test/grsecurity-${grversion}-${kversion}-${revision}.patch";
-        inherit sha256;
-      };
-      features.grsecurity = true;
+      url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch";
+      inherit sha256;
     };
-
+  };
 in
 
 rec {
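Review bot: The removed `assert kversion == kernel.version;` was the only check that a grsecurity patch is applied to the kernel release it was generated for; the new `grsecPatch` only exports `kver` with a comment deferring the check to the caller, and no caller visible in this commit performs it (linux-grsecurity.nix is a pure rename here, so whether it already checks cannot be seen from this diff). Either keep a guard at the consumer or state the contract where the value is exported, e.g. `# Callers MUST check kver == kernel.version before applying; a mismatch otherwise only shows up as a failed patch step`. Separately, the patch is fetched from a third-party scrape mirror and its authenticity rests entirely on the pinned sha256, so the update comment should require that the hash be recorded from a copy of the official patch whose detached signature was verified, not from the mirror: `# ... verify the upstream signature of the official patch before recording a new sha256`.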
@@ -92,19 +92,18 @@ rec {
 
   grsecurity_4_4 = throw "grsecurity stable is no longer supported";
 
-  grsecurity_4_5 = grsecPatch
-    { kernel    = pkgs.grsecurity_base_linux_4_5;
-      patches   = [ grsecurity_fix_path_4_5 ];
-      kversion  = "4.5.7";
-      revision  = "201606080852";
-      sha256    = "1vgc314nh6bd7zw9r927lnbjq29z32g0s02jgvf635y9zz550nsh";
+  grsecurity_testing = grsecPatch
+    { kver   = "4.5.7";
+      grrev  = "201606080852";
+      sha256 = "1vgc314nh6bd7zw9r927lnbjq29z32g0s02jgvf635y9zz550nsh";
     };
 
-  grsecurity_latest = grsecurity_4_5;
-
-  grsecurity_fix_path_4_5 =
-    { name = "grsecurity-fix-path-4.5";
-      patch = ./grsecurity-path-4.5.patch;
+  # This patch relaxes grsec constraints on the location of usermode helpers,
+  # e.g., modprobe, to allow calling into the Nix store.
+  grsecurity_nixos_kmod =
+    {
+      name  = "grsecurity-nixos-kmod";
+      patch = ./grsecurity-nixos-kmod.patch;
     };
 
   crc_regression =
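Review bot: `grsecurity_4_5` and `grsecurity_latest` are dropped without the deprecation `throw` that `grsecurity_4_4` keeps a few lines above, so any configuration still referencing `kernelPatches.grsecurity_latest` now fails with an attribute-missing error instead of a message naming the replacement. Suggest adding next to `grsecurity_4_4`: `grsecurity_4_5 = throw "grsecurity_4_5 has been renamed to grsecurity_testing";` and `grsecurity_latest = grsecurity_testing;` (or the same throw if the alias is meant to go away). The comment on `grsecurity_nixos_kmod` should also say plainly that it weakens a grsecurity restriction — the usermode-helper path check — and which paths it admits, rather than only "relaxes"; the patch body is not in this diff, so how broad the relaxation is cannot be judged from here.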