public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #15158 from joachifm/grsecurity 

Grsecurity updates & improvements
This commit is contained in:
Robin Gloster 2016-05-02 11:56:11 +02:00
parent 5a2b26cf7b 60a27781d6
commit 1ea32f8235
6 changed files with 48 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/modules/security/grsecurity.nix
View File

@ -234,7 +234,8 @@ in
systemd.services.grsec-lock = mkIf cfg.config.sysctl {
description = "grsecurity sysctl-lock Service";
requires = [ "systemd-sysctl.service" ];
wants = [ "systemd-sysctl.service" ];
after = [ "systemd-sysctl.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = "yes";

7
pkgs/build-support/grsecurity/default.nix
View File

@ -90,6 +90,10 @@ let
GRKERNSEC y
${grsecMainConfig}
# The paxmarks mechanism relies on ELF header markings, but the default
# grsecurity configuration only enables xattr markings
PAX_PT_PAX_FLAGS y
${if cfg.config.restrictProc then
"GRKERNSEC_PROC_USER y"
else
@ -117,8 +121,7 @@ let
# additional build inputs for gcc plugins, required by some PaX/grsec features
nativeBuildInputs = args.nativeBuildInputs ++ (with pkgs; [ gmp libmpc mpfr ]);
preConfigure = args.preConfigure or "" + ''
rm localversion-grsec
preConfigure = (args.preConfigure or "") + ''
echo ${localver grkern} > localversion-grsec
'';
};

14
pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch Normal file
View File

@ -0,0 +1,14 @@
diff -ru a/kernel/kmod.c b/kernel/kmod.c
--- a/kernel/kmod.c 2016-04-21 17:06:09.882281660 +0200
+++ b/kernel/kmod.c 2016-04-21 17:08:17.458949309 +0200
@@ -294,7 +294,9 @@
strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") &&
- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
+ strcmp(sub_info->path, "/usr/share/apport/apport") &&
+ strncmp(sub_info->path, "/nix/store/", 11) &&
+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
retval = -EPERM;
goto out;

6
pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix → pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
View File

@ -1,12 +1,12 @@
{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
import ./generic.nix (args // rec {
version = "4.1.7";
extraMeta.branch = "4.1";
version = "4.5.2";
extraMeta.branch = "4.5";
src = fetchurl {
url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
sha256 = "0g1dnvak0pd03d4miy1025bw64wq71w29a058dzspdr6jcf9qwbn";
sha256 = "17r063zx880ka3ayv9cf1yjfilvxlifhja1rhw5z3w35hgdkj8z3";
};
kernelPatches = args.kernelPatches;

23
pkgs/os-specific/linux/kernel/patches.nix
View File

@ -96,14 +96,6 @@ rec {
sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
};
grsecurity_4_1 = grsecPatch
{ kernel = pkgs.grsecurity_base_linux_4_1;
patches = [ grsecurity_fix_path_3_14 ];
kversion = "4.1.7";
revision = "201509201149";
sha256 = "1agv8c3c4vmh5algbzmrq2f6vwk72rikrlcbm4h7jbrb9js6fxk4";
};
grsecurity_4_4 = grsecPatch
{ kernel = pkgs.grsecurity_base_linux_4_4;
patches = [ grsecurity_fix_path_4_4 ];
@ -112,7 +104,15 @@ rec {
sha256 = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
};
grsecurity_latest = grsecurity_4_4;
grsecurity_4_5 = grsecPatch
{ kernel = pkgs.grsecurity_base_linux_4_5;
patches = [ grsecurity_fix_path_4_5 ];
kversion = "4.5.2";
revision = "201604290633";
sha256 = "0qrs4fk6lyqngq3fnsmrv0y3yp1lrbiwadfc6v7hy4lyv77wz107";
};
grsecurity_latest = grsecurity_4_5;
grsecurity_fix_path_3_14 =
{ name = "grsecurity-fix-path-3.14";
@ -124,6 +124,11 @@ rec {
patch = ./grsecurity-path-4.4.patch;
};
grsecurity_fix_path_4_5 =
{ name = "grsecurity-fix-path-4.5";
patch = ./grsecurity-path-4.5.patch;
};
crc_regression =
{ name = "crc-backport-regression";
patch = ./crc-regression.patch;

20
pkgs/top-level/all-packages.nix
View File

@ -10637,7 +10637,7 @@ in
];
};
grsecurity_base_linux_4_1 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.1.nix {
grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
kernelPatches = [ kernelPatches.bridge_stp_helper ]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
@ -10646,7 +10646,7 @@ in
];
};
grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
kernelPatches = [ kernelPatches.bridge_stp_helper ]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
@ -10671,14 +10671,14 @@ in
linux_grsec_server_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server;
linux_grsec_server_xen_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
linux_grsec_desktop_4_1 = self.grKernel kernelPatches.grsecurity_4_1 self.grFlavors.desktop;
linux_grsec_server_4_1 = self.grKernel kernelPatches.grsecurity_4_1 self.grFlavors.server;
linux_grsec_server_xen_4_1 = self.grKernel kernelPatches.grsecurity_4_1 self.grFlavors.server_xen;
linux_grsec_desktop_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
linux_grsec_server_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server;
linux_grsec_server_xen_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
linux_grsec_desktop_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
linux_grsec_server_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
linux_grsec_desktop_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.desktop;
linux_grsec_server_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
@ -10842,14 +10842,14 @@ in
linuxPackages_grsec_server_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
linuxPackages_grsec_desktop_4_1 = self.grPackage kernelPatches.grsecurity_4_1 self.grFlavors.desktop;
linuxPackages_grsec_server_4_1 = self.grPackage kernelPatches.grsecurity_4_1 self.grFlavors.server;
linuxPackages_grsec_server_xen_4_1 = self.grPackage kernelPatches.grsecurity_4_1 self.grFlavors.server_xen;
linuxPackages_grsec_desktop_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
linuxPackages_grsec_desktop_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
linuxPackages_grsec_server_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
linuxPackages_grsec_desktop_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.desktop;
linuxPackages_grsec_server_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen;