linux: remove remnants of grsecurity

Nixpkgs hasn't supported grsecurity kernels since 2017, so unless anybody is manually enabling the grsecurity feature to make these small kernel tweaks this is dead code. This means we don't actually support any "features" in the kernel common-config any more, but I've left the argument there because it's conceivable we could have some again in future.
2021-04-05 10:01:58 +00:00 · 2021-04-05 10:01:58 +00:00 · 52cd3538ff
commit 52cd3538ff
parent a10183d3ec
3 changed files with 6 additions and 7 deletions
--- a/pkgs/os-specific/linux/anbox/kmod.nix
+++ b/pkgs/os-specific/linux/anbox/kmod.nix
@ -36,7 +36,7 @@ stdenv.mkDerivation {
    homepage = "https://github.com/anbox/anbox-modules";
    license = licenses.gpl2;
    platforms = platforms.linux;
-    broken = (versionOlder kernel.version "4.4") || (kernel.features.grsecurity or false);
+    broken = (versionOlder kernel.version "4.4");
    maintainers = with maintainers; [ edwtjo ];
  };

--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@ -12,7 +12,7 @@
 # Configuration
 { lib, stdenv, version

-, features ? { grsecurity = false; }
+, features ? {}
 }:

 with lib;
@ -42,7 +42,7 @@ let
      TIMER_STATS               = whenOlder "4.11" yes;
      DEBUG_NX_TEST             = whenOlder "4.11" no;
      DEBUG_STACK_USAGE         = no;
-      DEBUG_STACKOVERFLOW       = mkIf (!features.grsecurity) (option no);
+      DEBUG_STACKOVERFLOW       = option no;
      RCU_TORTURE_TEST          = no;
      SCHEDSTATS                = no;
      DETECT_HUNG_TASK          = yes;
@ -443,7 +443,7 @@ let
      SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
      # Prevent processes from ptracing non-children processes
      SECURITY_YAMA                    = option yes;
-      DEVKMEM                          = mkIf (!features.grsecurity) no; # Disable /dev/kmem
+      DEVKMEM                          = no; # Disable /dev/kmem

      USER_NS                          = yes; # Support for user namespaces

@ -523,7 +523,7 @@ let
    virtualisation = {
      PARAVIRT = option yes;

-      HYPERVISOR_GUEST = mkIf (!features.grsecurity) yes;
+      HYPERVISOR_GUEST = yes;
      PARAVIRT_SPINLOCKS  = option yes;

      KVM_APIC_ARCHITECTURE             = whenOlder "4.8" yes;
@ -531,7 +531,7 @@ let
      KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
      KVM_DEVICE_ASSIGNMENT  = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
      KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0"  yes;
-      KVM_GUEST                         = mkIf (!features.grsecurity) yes;
+      KVM_GUEST                         = yes;
      KVM_MMIO                          = yes;
      KVM_VFIO                          = yes;
      KSM = yes;
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@ -72,7 +72,6 @@ let
    efiBootStub = true;
    needsCifsUtils = true;
    netfilterRPFilter = true;
-    grsecurity = false;
    ia32Emulation = true;
  } // features) kernelPatches;