Merge pull request #1282 from wizeman/grsec-upd

grsecurity: Update to latest version and add patch for kernel 3.12
Michael Raskin
2013-11-28 21:42:27 -08:00
3 changed files with 50 additions and 12 deletions


@@ -0,0 +1,15 @@
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 3227c2c..f32c944 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -246,8 +246,8 @@ static int ____call_usermodehelper(void *data)
out the path to be used prior to this point and are now operating
on that copy
*/
- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7)) || strstr(sub_info->path, "..")) {
+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of /sbin and system library paths\n", sub_info->path);
retval = -EPERM;
goto fail;
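Review bot: The new allowlist on the two `+` lines admits any path under `/nix/store/`, which is a much wider trust boundary than the `/lib/`, `/lib64/` and `/usr/lib/` prefixes it replaces: on a multi-user host every local user can presumably add store paths through the Nix daemon, so the check no longer limits usermode helpers to root-installed binaries — if that trade-off is intended for this port, the patch header should say so in a sentence. The `printk` on the following line still reads `located outside of /sbin and system library paths`, which no longer describes the check; `"grsec: denied exec of usermode helper binary %.950s located outside of /sbin, /nix/store and the current-system systemd lib path\n"` would match the new prefixes. The `/run/current-system/systemd/lib/` prefix is presumably a symlink into the store on NixOS, so it may be redundant with the `/nix/store/` check — worth a comment either way. The enclosing `____call_usermodehelper` begins and ends outside this hunk.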


@@ -124,14 +124,30 @@ rec {
};
grsecurity_2_9_1_3_2_52 =
{ name = "grsecurity-2.9.1-3.2.52";
grsecurity_3_0_3_2_52 =
{ name = "grsecurity-3.0-3.2.52";
patch = fetchurl {
url = http://grsecurity.net/stable/grsecurity-2.9.1-3.2.52-201310271550.patch;
sha256 = "08y4y323y2lfvdj67gmg3ca8gaf3snhr3pyrmgvj877avaz0475m";
url = https://grsecurity.net/stable/grsecurity-3.0-3.2.52-201311261307.patch;
sha256 = "1zmzgjpbq90q2w3yl3dgdc79qan7qkh5w6g3y3nvzr6ww6jl8hqw";
};
# The grsec kernel patch seems to include the apparmor patches as of 2.9.1-3.2.52
features.grsecurity = true;
# The grsec kernel patch seems to include the apparmor patches as of 3.0-3.2.52
features.apparmor = true;
};
grsecurity_3_0_3_12_1 =
{ name = "grsecurity-3.0-3.12.1";
patch = fetchurl {
url = https://grsecurity.net/test/grsecurity-3.0-3.12.1-201311261309.patch;
sha256 = "129q740m2iivc4i9a465lvzcph9gxlivxzg2p9dsi7c136p42mdz";
};
features.grsecurity = true;
# The grsec kernel patch seems to include the apparmor patches as of 3.0-3.12.1
features.apparmor = true;
};
grsec_path =
{ name = "grsec-path";
patch = ./grsec-path.patch;
};
}
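Review bot: The new `grsecurity_3_0_3_12_1` entry fetches from `https://grsecurity.net/test/` whereas the 3.2.52 entry uses `/stable/`, and nothing in the attribute set records that the 3.12 patch comes from grsecurity's test tree; a comment such as `# 3.12 patches are only published under grsecurity's test tree, not stable` above that `patch = fetchurl` would make the support status explicit. The `grsec_path` entry likewise gives no hint what `./grsec-path.patch` changes; a one-line comment like `# Relaxes grsecurity's usermode-helper path allowlist to cover /nix/store and the current-system systemd lib dir` would save readers opening the patch. The enclosing `rec { ... }` starts outside this hunk.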