grsecurity: update stable/testing kernels, refactoring

This updates the new stable kernel to 3.14, and the new testing kernel to 3.15. This also removes the vserver kernel, since it's probably not nearly as used. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-22 22:28:32 -05:00 · 2014-06-22 22:28:32 -05:00 · 0399c5ee24
commit 0399c5ee24
parent 125c2b9468
5 changed files with 15 additions and 51 deletions
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -6,12 +6,10 @@ let
  cfg = config.security.grsecurity;
  customGrsecPkg =
-    (import ../../../pkgs/build-support/grsecurity
+    (import ../../../pkgs/build-support/grsecurity {
      {
        inherit lib pkgs;
      grsecOptions = cfg;
-      }
+      inherit pkgs lib;
-    ).grsecPackage;
+    }).grsecPackage;
 in
 {
  options = {
@ -36,14 +34,6 @@ in
        '';
      };
      vserver = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the stable grsecurity/vserver patches, based on Linux 3.2.
        '';
      };
      testing = mkOption {
        type = types.bool;
        default = false;
@ -246,9 +236,6 @@ in
            both.
          '';
        }
        { assertion = (cfg.testing -> !cfg.vserver);
          message   = "The vserver patches are only supported in the stable kernel.";
        }
        { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
                      (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
          message   = "You cannot enable both restrictProc and restrictProcWithGroup";
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@ -5,7 +5,6 @@ with lib;
 let
  cfg = {
    stable  = grsecOptions.stable  or false;
    vserver = grsecOptions.vserver or false;
    testing = grsecOptions.testing or false;
    config = {
      mode = "auto";
@ -29,12 +28,11 @@ let
        };
    test-patch = with pkgs.kernelPatches; grsecurity_unstable;
-    stable-patch = with pkgs.kernelPatches;
+    stable-patch = with pkgs.kernelPatches; grsecurity_stable;
      if cfg.vserver then grsecurity_vserver else grsecurity_stable;
-    grKernel = if (cfg.stable || cfg.vserver)
+    grKernel = if cfg.stable
-               then mkKernel pkgs.linux_3_2  stable-patch
+               then mkKernel pkgs.linux_3_14 stable-patch
-               else mkKernel pkgs.linux_3_14 test-patch;
+               else mkKernel pkgs.linux_3_15 test-patch;
    ## -- grsecurity configuration ---------------------------------------------
--- a/pkgs/build-support/grsecurity/flavors.nix
+++ b/pkgs/build-support/grsecurity/flavors.nix
@ -16,12 +16,6 @@ in
  linux_grsec_stable_server_xen =
    mkOpts "stable" "security" "server" "guest" "xen" true;
  # Stable+vserver kernels - server versions only
  linux_grsec_vserver_server  =
    mkOpts "vserver" "security" "server" "host" "kvm" true;
  linux_grsec_vserver_server_xen =
    mkOpts "vserver" "security" "server" "guest" "xen" true;
  # Testing kernels
  linux_grsec_testing_desktop =
    mkOpts "testing" "performance" "desktop" "host" "kvm" true;
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@ -60,24 +60,17 @@ rec {
  };
  grsecurity_stable = grsecPatch
-    { kversion  = "3.2.60";
+    { kversion  = "3.14.8";
-      revision  = "201406191345";
+      revision  = "201406222110";
      branch    = "stable";
-      sha256    = "1zb2qxh2qhsrqi4gnslr3b6342ni9c6y20gb8jgh5plhnk5szx7v";
+      sha256    = "0jar710hqpjkp4g3ldrbcpgc170v9qp8ykajq5fi8mxx4j54gjwa";
    };
  grsecurity_vserver = grsecPatch
    { kversion  = "3.2.60";
      revision  = "vs2.3.2.16-201406191346";
      branch    = "vserver";
      sha256    = "0qlbqpnh5wkgk8phh67bl4a25rb8n1k1hlq0kmcrnz6c3kflrsdz";
    };
  grsecurity_unstable = grsecPatch
-    { kversion  = "3.14.8";
+    { kversion  = "3.15.1";
-      revision  = "201406191347";
+      revision  = "201406222112";
      branch    = "test";
-      sha256    = "01kl89vhr3mrp7g4ypcf9xrv0i4f9d4sdq4a11qhwyf1w48qr7da";
+      sha256    = "04sbpmzgfgn7hjiln9baynpgr7k67lm0b5wn2z8i2jsjigfmv0r4";
    };
  grsec_fix_path =
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -7285,10 +7285,6 @@ let
  linux_grsec_stable_server     = grKernel grFlavors.linux_grsec_stable_server;
  linux_grsec_stable_server_xen = grKernel grFlavors.linux_grsec_stable_server_xen;
  # Stable+vserver kernels - server versions only
  #linux_grsec_vserver_server     = grKernel grFlavors.linux_grsec_vserver_server;
  #linux_grsec_vserver_server_xen = grKernel grFlavors.linux_grsec_vserver_server_xen;
  # Testing kernels
  linux_grsec_testing_desktop = grKernel grFlavors.linux_grsec_testing_desktop;
  linux_grsec_testing_server  = grKernel grFlavors.linux_grsec_testing_server;
@ -7408,10 +7404,6 @@ let
  linuxPackages_grsec_stable_server     = grPackage grFlavors.linux_grsec_stable_server;
  linuxPackages_grsec_stable_server_xen = grPackage grFlavors.linux_grsec_stable_server_xen;
  # Stable+vserver kernels - server versions only
  #linuxPackages_grsec_vserver_server     = grPackage grFlavors.linux_grsec_vserver_server;
  #linuxPackages_grsec_vserver_server_xen = grPackage grFlavors.linux_grsec_vserver_server_xen;
  # Testing kernels
  linuxPackages_grsec_testing_desktop = grPackage grFlavors.linux_grsec_testing_desktop;
  linuxPackages_grsec_testing_server  = grPackage grFlavors.linux_grsec_testing_server;