author | Joachim Fasting <joachifm@users.noreply.github.com> | 2016-06-14 03:52:50 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-06-14 03:52:50 +0200 |
commit | 886c03ad2ec5fed59831bd552d34ba03327f2ac7 (patch) | |
tree | c201f8766bb9e8b97ada0f1852cfcb99258ea8ae /pkgs/os-specific | |
parent | 3123c7df37ac2fa69bc3fa4c561ac94d529d2fc5 (diff) | |
parent | 7bda8f0a8fc38e3cccd565521342ec9aaeffb297 (diff) | |
Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r-- | pkgs/os-specific/linux/kernel/common-config.nix | 20 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix | 43 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch (renamed from pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch) | 0 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-grsecurity.nix (renamed from pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix) | 0 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 41 |
5 files changed, 70 insertions, 34 deletions
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 3ce65a3f6e1..624d380fe56 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -261,9 +261,7 @@ with stdenv.lib;
 # Security related features.
 STRICT_DEVMEM y # Filter access to /dev/mem
 SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
- ${optionalString (!(features.grsecurity or false)) ''
- DEVKMEM n # Disable /dev/kmem
- ''}
+ DEVKMEM n # Disable /dev/kmem
 ${if versionOlder version "3.14" then ''
 CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
 '' else ''
@@ -422,13 +420,11 @@ with stdenv.lib;
 # Virtualisation.
 PARAVIRT? y
- ${optionalString (!(features.grsecurity or false))
- (if versionAtLeast version "3.10" then ''
- HYPERVISOR_GUEST y
- '' else ''
- PARAVIRT_GUEST? y
- '')
- }
+ ${if versionAtLeast version "3.10" then ''
+ HYPERVISOR_GUEST y
+ '' else ''
+ PARAVIRT_GUEST? y
+ ''}
 KVM_APIC_ARCHITECTURE y
 KVM_ASYNC_PF y
 ${optionalString (versionOlder version "3.7") ''
@@ -443,9 +439,7 @@ with stdenv.lib;
 ${optionalString (versionAtLeast version "4.0") ''
 KVM_GENERIC_DIRTYLOG_READ_PROTECT y
 ''}
- ${optionalString (!features.grsecurity or true) ''
- KVM_GUEST y
- ''}
+ KVM_GUEST y
 KVM_MMIO y
 ${optionalString (versionAtLeast version "3.13") ''
 KVM_VFIO y
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
new file mode 100644
index 00000000000..894f2d8e364
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
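Review bot: `HYPERVISOR_GUEST y` in this hunk and `KVM_GUEST y` in `@@ -443` are now hard requirements for every kernel, including the grsecurity build that the removed `optionalString` guards deliberately excluded. The new grsecurity-nixos-config.nix selects `GRKERNSEC_CONFIG_VIRT_HOST` and `PAX_KERNEXEC_PLUGIN_METHOD_BTS`; if the patched Kconfig makes these paravirt-guest options unavailable under that profile, an unconditional `y` is expected to fail the config check rather than be skipped. Unless a grsec kernel has been built with this change, the safer form is the optional marker already used on the neighbouring `PARAVIRT? y` and `PARAVIRT_GUEST? y` lines: `HYPERVISOR_GUEST? y` and `KVM_GUEST? y`. The enclosing config string starts and ends outside both hunks.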
@@ -0,0 +1,43 @@
+{ stdenv }:
+
+with stdenv.lib;
+
+''
+GRKERNSEC y
+PAX y
+
+GRKERNSEC_CONFIG_AUTO y
+GRKERNSEC_CONFIG_DESKTOP y
+GRKERNSEC_CONFIG_VIRT_HOST y
+GRKERNSEC_CONFIG_VIRT_EPT y
+GRKERNSEC_CONFIG_VIRT_KVM y
+GRKERNSEC_CONFIG_PRIORITY_SECURITY y
+
+PAX_PT_PAX_FLAGS y
+PAX_XATTR_PAX_FLAGS n
+PAX_EI_PAX n
+
+GRKERNSEC_PROC_GID 0
+
+PAX_LATENT_ENTROPY n
+PAX_SIZE_OVERFLOW n
+GRKERNSEC_HIDESYM n
+GRKERNSEC_RANDSTRUCT n
+GRKERNSEC_PROC n
+GRKERNSEC_SYSFS_RESTRICT n
+GRKERNSEC_KMEM n
+GRKERNSEC_MODHARDEN n
+GRKERNSEC_NO_SIMULT_CONNECT n
+
+PAX_KERNEXEC_PLUGIN_METHOD_BTS y
+
+GRKERNSEC_ACL_HIDEKERN y
+GRKERNSEC_IO y
+
+GRKERNSEC_AUDIT_PTRACE y
+GRKERNSEC_FORKFAIL y
+
+GRKERNSEC_SYSCTL y
+GRKERNSEC_SYSCTL_DISTRO y
+GRKERNSEC_SYSCTL_ON y
+''
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
index e0430a69c95..e0430a69c95 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
index 63db1779014..63db1779014 100644
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 877e51565ac..0fa9708efe5 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
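Review bot: The new file switches off a long list of hardening options (`PAX_SIZE_OVERFLOW n`, `GRKERNSEC_HIDESYM n`, `GRKERNSEC_KMEM n`, `GRKERNSEC_MODHARDEN n`, `GRKERNSEC_SYSFS_RESTRICT n`, `PAX_EI_PAX n`, `GRKERNSEC_PROC n` while still setting `GRKERNSEC_PROC_GID 0`) without a word on why, so a later maintainer cannot tell a deliberate NixOS compatibility trade-off from an oversight and may "fix" one in either direction. The config format accepts trailing comments (common-config.nix writes `STRICT_DEVMEM y # Filter access to /dev/mem`), so each `n` should carry a one-line reason, e.g. `GRKERNSEC_MODHARDEN n # <what breaks on NixOS>`, plus a short header comment stating what this profile is meant to provide given that it also claims `GRKERNSEC_CONFIG_PRIORITY_SECURITY y`. `GRKERNSEC_SYSCTL y` together with `GRKERNSEC_SYSCTL_ON y` also means the grsec feature toggles remain writable at runtime until `kernel.grsecurity.grsec_lock` is set to 1; presumably the NixOS module does that, which is outside this diff, but the file should say where the lock is expected to be applied. Finally, `with stdenv.lib;` brings nothing into scope that the following string uses and can be dropped.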
@@ -18,20 +18,20 @@ let
 };
 };
- grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
- assert kversion == kernel.version;
- { name = "grsecurity-${grversion}-${kversion}";
- inherit grversion kernel patches kversion revision;
+ grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha256 }: rec {
+ name = "grsecurity-${grver}-${kver}-${grrev}";
+
+ # Pass these along to allow the caller to determine compatibility
+ inherit grver kver grrev;
+
+ patch = fetchurl {
 # When updating versions/hashes, ALWAYS use the official version; we use
 # this mirror only because upstream removes sources files immediately upon
 # releasing a new version ...
- patch = fetchurl {
- url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/test/grsecurity-${grversion}-${kversion}-${revision}.patch";
- inherit sha256;
- };
- features.grsecurity = true;
+ url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch";
+ inherit sha256;
 };
-
+ };
 in rec {
@@ -92,19 +92,18 @@ rec {
 grsecurity_4_4 = throw "grsecurity stable is no longer supported";
- grsecurity_4_5 = grsecPatch
- { kernel = pkgs.grsecurity_base_linux_4_5;
- patches = [ grsecurity_fix_path_4_5 ];
- kversion = "4.5.7";
- revision = "201606080852";
- sha256 = "1vgc314nh6bd7zw9r927lnbjq29z32g0s02jgvf635y9zz550nsh";
+ grsecurity_testing = grsecPatch
+ { kver = "4.5.7";
+ grrev = "201606080852";
+ sha256 = "1vgc314nh6bd7zw9r927lnbjq29z32g0s02jgvf635y9zz550nsh";
 };
- grsecurity_latest = grsecurity_4_5;
-
- grsecurity_fix_path_4_5 =
- { name = "grsecurity-fix-path-4.5";
- patch = ./grsecurity-path-4.5.patch;
+ # This patch relaxes grsec constraints on the location of usermode helpers,
+ # e.g., modprobe, to allow calling into the Nix store.
+ grsecurity_nixos_kmod =
+ {
+ name = "grsecurity-nixos-kmod";
+ patch = ./grsecurity-nixos-kmod.patch;
 };
 crc_regression = |
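Review bot: In the `@@ -92` hunk, `grsecurity_4_5`, `grsecurity_latest` and `grsecurity_fix_path_4_5` are deleted outright while the context line just above keeps `grsecurity_4_4` as a `throw` with a readable message; any reference to the removed attributes that survives elsewhere (not visible in this diff) will fail with a bare missing-attribute error instead. For consistency with that line, keep tombstones such as `grsecurity_4_5 = throw "grsecurity_4_5 has been replaced by grsecurity_testing";` and `grsecurity_latest = throw "grsecurity_latest has been replaced by grsecurity_testing";`, or at minimum name the rename in the commit description. The `rec {` set enclosing this hunk starts and ends outside it.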