From 4e3d6d3e90de85b610290af60ba374da20a2cc69 Mon Sep 17 00:00:00 2001
From: "tg(x)" <*@tg-x.net>
Date: Sat, 27 Feb 2016 19:54:55 +0100
Subject: [PATCH] grsecurity: separate fix patches for testing & stable

---
 pkgs/build-support/grsecurity/default.nix       |  4 ++--
 .../linux/kernel/grsecurity-path-3.14.patch     | 17 +++++++++++++++++
 ...sec-path.patch => grsecurity-path-4.4.patch} |  0
 pkgs/os-specific/linux/kernel/patches.nix       | 17 ++++++++++++-----
 4 files changed, 31 insertions(+), 7 deletions(-)
 create mode 100644 pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
 rename pkgs/os-specific/linux/kernel/{grsec-path.patch => grsecurity-path-4.4.patch} (100%)

diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 77b947f906e..4a395d46459 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -25,7 +25,7 @@ let
     mkKernel = patch:
         {
           inherit patch;
-          inherit (patch) kernel grversion revision;
+          inherit (patch) kernel patches grversion revision;
         };
 
     test-patch = with pkgs.kernelPatches; grsecurity_testing;
@@ -136,7 +136,7 @@ let
 
     mkGrsecKern = grkern:
       lowPrio (overrideDerivation (grkern.kernel.override (args: {
-        kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
+        kernelPatches = args.kernelPatches ++ [ grkern.patch  ] ++ grkern.patches;
         argsOverride = {
           modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
         };
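Review bot: The new list literal on the `kernelPatches` line carries a stray double space before the closing bracket; the rest of this file writes one-element lists as `[ x ]`, so the line should read `kernelPatches = args.kernelPatches ++ [ grkern.patch ] ++ grkern.patches;`. This also makes it easier to see that the per-version fix patches now come from the grsecPatch attribute set rather than from a single shared `grsec_fix_path`, which is the point of the change. The enclosing mkGrsecKern body continues past the end of the hunk.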
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
new file mode 100644
index 00000000000..6f477c22b5e
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
@@ -0,0 +1,17 @@
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index a689506..30747b4 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data)
+ 	   out the path to be used prior to this point and are now operating
+ 	   on that copy
+ 	*/
+-	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
+-	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+-	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+-	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
++	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
++	     strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+ 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
+ 		retval = -EPERM;
+ 		goto out;
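Review bot: The replacement allow-list in the new `if` accepts any path under `/nix/store/` by prefix, which is considerably broader than the handful of fixed directories it replaces: every realised store path, including ones built by unprivileged users, then passes this check, and the protection presumably rests on the helper paths themselves being set only through root-controlled kernel configuration rather than on this filter. That is probably the intended trade-off on NixOS, but it deserves to be written down, and the patch file has no description at all; a short free-text header above the `diff --git` line (ignored by `patch`) saying this is the 3.14 variant of the NixOS adaptation of grsecurity's usermode-helper path restriction, which three prefixes are permitted and why `/nix/store/` is allowed wholesale, would help when this copy and the 4.4 copy drift apart. The hand-counted lengths 6, 11 and 32 do match their literals, but `strncmp(sub_info->path, "/nix/store/", sizeof("/nix/store/") - 1)` and the same for the other two would keep them from going stale the next time the list is edited. The `..` rejection on the same condition is kept, so traversal out of a permitted prefix is still refused.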
diff --git a/pkgs/os-specific/linux/kernel/grsec-path.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
similarity index 100%
rename from pkgs/os-specific/linux/kernel/grsec-path.patch
rename to pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 8ff83b2d7ee..c5b9fe9d3a7 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -18,10 +18,10 @@ let
       };
     };
 
-  grsecPatch = { grversion ? "3.1", kernel, kversion, revision, branch, sha256 }:
+  grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch, sha256 }:
     assert kversion == kernel.version;
     { name = "grsecurity-${grversion}-${kversion}";
-      inherit grversion kernel kversion revision;
+      inherit grversion kernel patches kversion revision;
       patch = fetchurl {
         url = if branch == "stable"
               then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"
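Review bot: `patches` is added to grsecPatch's argument set without a default, so any caller that does not pass it now fails evaluation with a missing-argument error; both in-tree callers are updated in this commit, but out-of-tree overlays that call `pkgs.kernelPatches`' grsecPatch would break. Declaring it as `{ grversion ? "3.1", kernel, patches ? [], kversion, revision, branch, sha256 }:` keeps the old calls working while still letting each version pass its own fix patch. A one-line comment such as `# patches: extra kernelPatches entries (e.g. the NixOS path fix) applied on top of this grsecurity patch` above the attribute set would also document what the new field is for. The fetchurl expression continues past the end of the hunk.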
@@ -84,6 +84,7 @@ rec {
 
   grsecurity_stable = grsecPatch
     { kernel    = pkgs.linux_grsecurity_3_14;
+      patches   = [ grsecurity_fix_path_3_14 ];
       kversion  = "3.14.51";
       revision  = "201508181951";
       branch    = "stable";
@@ -92,15 +93,21 @@ rec {
 
   grsecurity_testing = grsecPatch
     { kernel    = pkgs.linux_grsecurity_4_4;
+      patches   = [ grsecurity_fix_path_4_4 ];
       kversion  = "4.4.2";
       revision  = "201602182048";
       branch    = "test";
       sha256    = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr";
     };
 
-  grsec_fix_path =
-    { name = "grsec-fix-path";
-      patch = ./grsec-path.patch;
+  grsecurity_fix_path_3_14 =
+    { name = "grsecurity-fix-path-3.14";
+      patch = ./grsecurity-path-3.14.patch;
+    };
+
+  grsecurity_fix_path_4_4 =
+    { name = "grsecurity-fix-path-4.4";
+      patch = ./grsecurity-path-4.4.patch;
     };
 
   crc_regression =
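Review bot: Removing `grsec_fix_path` from this `rec` set renames a public attribute of `pkgs.kernelPatches`; the one in-tree reference in build-support/grsecurity/default.nix is updated in this same commit, but any user configuration that still refers to `pkgs.kernelPatches.grsec_fix_path` will stop evaluating with no hint about the new names. Keeping a deprecated alias next to the two new definitions, `grsec_fix_path = grsecurity_fix_path_4_4; # deprecated alias, use grsecurity_fix_path_4_4`, preserves compatibility at no cost. It would also be worth a brief comment above `grsecurity_fix_path_3_14` noting that the two patch files are version-specific copies of the same NixOS usermode-helper path adjustment and must be kept in sync.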