Merge pull request #16107 from joachifm/grsec-ng

Rework grsecurity support
2016-06-14 03:52:50 +02:00 · 2016-06-14 03:52:50 +02:00 · 886c03ad2e
commit 886c03ad2e
parent 3123c7df37 7bda8f0a8f
15 changed files with 315 additions and 571 deletions
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -468,7 +468,6 @@ in {
        home = "/root";
        shell = mkDefault cfg.defaultUserShell;
        group = "root";
        extraGroups = [ "grsecurity" ];
        initialHashedPassword = mkDefault config.security.initialRootPassword;
      };
      nobody = {
@ -497,7 +496,6 @@ in {
      nixbld.gid = ids.gids.nixbld;
      utmp.gid = ids.gids.utmp;
      adm.gid = ids.gids.adm;
      grsecurity.gid = ids.gids.grsecurity;
      input.gid = ids.gids.input;
    };
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -147,7 +147,6 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
      #grsecurity = 121; # unused
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
@ -396,7 +395,6 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
      grsecurity = 121;
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -114,6 +114,26 @@ with lib;
    (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
    (mkRemovedOptionModule [ "services" "iodined" "client" ])
    # Grsecurity
    (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ])
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ])
    # Options that are obsolete and have no replacement.
    (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ])
    (mkRemovedOptionModule [ "programs" "bash" "enable" ])
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -1,312 +1,122 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.security.grsecurity;
  grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
-  customGrsecPkg =
+  # Ascertain whether ZFS is required for booting the system; grsecurity is
-    (import ../../../pkgs/build-support/grsecurity {
+  # currently incompatible with ZFS, rendering the system unbootable.
-      grsecOptions = cfg;
+  zfsNeededForBoot = filter
-      inherit pkgs lib;
+    (fs: (fs.neededForBoot
-    }).grsecPackage;
+          || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ])
          && fs.fsType == "zfs")
    (attrValues config.fileSystems) != [];
 in
 {
-  options = {
+  options.security.grsecurity = {
-    security.grsecurity = {
+
-      enable = mkOption {
+    enable = mkEnableOption "Grsecurity/PaX";
-        type = types.bool;
+
-        default = false;
+    lockTunables = mkOption {
        description = ''
          Enable grsecurity support. This enables advanced exploit
          hardening for the Linux kernel, and adds support for
          administrative Role-Based Acess Control (RBAC) via
          <literal>gradm</literal>. It also includes traditional
          utilities for PaX.
        '';
      };
      kernelPatch = mkOption {
        type = types.attrs;
        example = lib.literalExample "pkgs.kernelPatches.grsecurity_4_1";
        description = ''
          Grsecurity patch to use.
        '';
      };
      config = {
        mode = mkOption {
          type = types.enum [ "auto" "custom" ];
          default = "auto";
          description = ''
            grsecurity configuration mode. This specifies whether
            grsecurity is auto-configured or otherwise completely
            manually configured.
          '';
        };
        priority = mkOption {
          type = types.enum [ "security" "performance" ];
          default = "security";
          description = ''
            grsecurity configuration priority. This specifies whether
            the kernel configuration should emphasize speed or
            security.
          '';
        };
        system = mkOption {
          type = types.enum [ "desktop" "server" ];
          default = "desktop";
          description = ''
            grsecurity system configuration.
          '';
        };
        virtualisationConfig = mkOption {
          type = types.nullOr (types.enum [ "host" "guest" ]);
          default = null;
          description = ''
            grsecurity virtualisation configuration. This specifies
            the virtualisation role of the machine - that is, whether
            it will be a virtual machine guest, a virtual machine
            host, or neither.
          '';
        };
        hardwareVirtualisation = mkOption {
          type = types.nullOr types.bool;
          default = null;
          example = true;
          description = ''
            grsecurity hardware virtualisation configuration. Set to
            <literal>true</literal> if your machine supports hardware
            accelerated virtualisation.
          '';
        };
        virtualisationSoftware = mkOption {
          type = types.nullOr (types.enum [ "kvm" "xen" "vmware" "virtualbox" ]);
          default = null;
          description = ''
            Configure grsecurity for use with this virtualisation software.
          '';
        };
        sysctl = mkOption {
          type = types.bool;
          default = false;
          description = ''
            If true, then set <literal>GRKERN_SYSCTL y</literal>. If
            enabled then grsecurity can be controlled using sysctl
            (and turned off). You are advised to *never* enable this,
            but if you do, make sure to always set the sysctl
            <literal>kernel.grsecurity.grsec_lock</literal> to
            non-zero as soon as all sysctl options are set. *THIS IS
            EXTREMELY IMPORTANT*!
          '';
        };
        denyChrootChmod = mkOption {
          type = types.bool;
          default = false;
          description = ''
            If true, then set <literal>GRKERN_CHROOT_CHMOD
            y</literal>. If enabled, this denies processes inside a
            chroot from setting the suid or sgid bits using
            <literal>chmod</literal> or <literal>fchmod</literal>.
            By default this protection is disabled - it makes it
            impossible to use Nix to build software on your system,
            which is what most users want.
            If you are using NixOps to deploy your software to a
            remote machine, you're encouraged to enable this as you
            won't need to compile code.
          '';
        };
        denyChrootCaps = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Whether to lower capabilities of all processes within a chroot,
            preventing commands that require <literal>CAP_SYS_ADMIN</literal>.
            This protection is disabled by default because it breaks
            <literal>nixos-rebuild</literal>. Whenever possible, it is
            highly recommended to enable this protection.
          '';
        };
        denyUSB = mkOption {
          type = types.bool;
          default = false;
          description = ''
            If true, then set <literal>GRKERNSEC_DENYUSB y</literal>.
            This enables a sysctl with name
            <literal>kernel.grsecurity.deny_new_usb</literal>. Setting
            its value to <literal>1</literal> will prevent any new USB
            devices from being recognized by the OS.  Any attempted
            USB device insertion will be logged.
            This option is intended to be used against custom USB
            devices designed to exploit vulnerabilities in various USB
            device drivers.
          '';
        };
        restrictProc = mkOption {
          type = types.bool;
          default = false;
          description = ''
            If true, then set <literal>GRKERN_PROC_USER
            y</literal>. This restricts non-root users to only viewing
            their own processes and restricts network-related
            information, kernel symbols, and module information.
          '';
        };
        restrictProcWithGroup = mkOption {
      type = types.bool;
      example = false;
      default = true;
      description = ''
-            If true, then set <literal>GRKERN_PROC_USERGROUP
+        Whether to automatically lock grsecurity tunables
-            y</literal>. This is similar to
+        (<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>).  Disable
-            <literal>restrictProc</literal> except it allows a special
+        this to allow configuration of grsecurity features while the system is
-            group (specified by <literal>unrestrictProcGid</literal>)
+        running.  The lock can be manually engaged by activating the
-            to still access otherwise classified information in
+        <literal>grsec-lock</literal> service unit.
            <literal>/proc</literal>.
      '';
    };
        unrestrictProcGid = mkOption {
          type = types.int;
          default = config.ids.gids.grsecurity;
          description = ''
            If set, specifies a GID which is exempt from
            <literal>/proc</literal> restrictions (set by
            <literal>GRKERN_PROC_USERGROUP</literal>). By default,
            this is set to the GID for <literal>grsecurity</literal>,
            a predefined NixOS group, which the
            <literal>root</literal> account is a member of. You may
            conveniently add other users to this group if you need
            access to <literal>/proc</literal>
          '';
        };
        disableRBAC = mkOption {
          type = types.bool;
          default = false;
          description = ''
            If true, then set <literal>GRKERN_NO_RBAC
            y</literal>. This disables the
            <literal>/dev/grsec</literal> device, which in turn
            disables the RBAC system (and <literal>gradm</literal>).
          '';
        };
        disableSimultConnect = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Disable TCP simultaneous connect.  The TCP simultaneous connect
            feature allows two clients to connect without either of them
            entering the listening state.  This feature of the TCP specification
            is claimed to enable an attacker to deny the target access to a given
            server by guessing the source port the target would use to make the
            connection.
            This option is OFF by default because TCP simultaneous connect has
            some legitimate uses.  Enable this option if you know what this TCP
            feature is for and know that you do not need it.
          '';
        };
        verboseVersion = mkOption {
          type = types.bool;
          default = false;
          description = "Use verbose version in kernel localversion.";
        };
        kernelExtraConfig = mkOption {
          type = types.str;
          default = "";
          description = "Extra kernel configuration parameters.";
        };
      };
    };
  };
  config = mkIf cfg.enable {
-    assertions =
+
-      [
+    # Allow the user to select a different package set, subject to the stated
-        { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
+    # required kernel config
-                      (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
+    boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
-          message   = "You cannot enable both restrictProc and restrictProcWithGroup";
+
-        }
+    system.requiredKernelConfig = with config.lib.kernelConfig;
-        { assertion = config.boot.kernelPackages.kernel.features ? grsecurity
+      [ (isEnabled "GRKERNSEC")
-                   && config.boot.kernelPackages.kernel.features.grsecurity;
+        (isEnabled "PAX")
-          message = "grsecurity enabled, but kernel doesn't have grsec support";
+        (isYES "GRKERNSEC_SYSCTL")
-        }
+        (isYES "GRKERNSEC_SYSCTL_DISTRO")
-        { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
+      ];
-              cfg.config.hardwareVirtualisation != null;
+
-          message   = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
+    # Crashing on an overflow in kernel land is user unfriendly and may prevent
-        }
+    # the system from booting, which is too severe for our use case.
-        { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
+    boot.kernelParams = [ "pax_size_overflow_report_only" ];
-              cfg.config.virtualisationSoftware != null;
+
-         message   = "grsecurity configured for virtualisation but no virtualisation software specified";
+    # Install PaX related utillities into the system profile.  Eventually, we
    # also want to include gradm here.
    environment.systemPackages = with pkgs; [ paxctl pax-utils ];
    # Install rules for the grsec device node
    services.udev.packages = [ pkgs.gradm ];
    # This service unit is responsible for locking the Grsecurity tunables.  The
    # unit is always defined, but only activated on bootup if lockTunables is
    # toggled.  When lockTunables is toggled, failure to activate the unit will
    # enter emergency mode.  The intent is to make it difficult to silently
    # enter multi-user mode without having locked the tunables.  Some effort is
    # made to ensure that starting the unit is an idempotent operation.
    systemd.services.grsec-lock = {
      description = "Lock grsecurity tunables";
      wantedBy = optional cfg.lockTunables "multi-user.target";
      wants = [ "local-fs.target" "systemd-sysctl.service" ];
      after = [ "local-fs.target" "systemd-sysctl.service" ];
      conflicts = [ "shutdown.target" ];
      restartIfChanged = false;
      script = ''
        if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
          echo -n 1 > ${grsecLockPath}
        fi
      '';
      unitConfig = {
        ConditionPathIsReadWrite = grsecLockPath;
        DefaultDependencies = false;
      } // optionalAttrs cfg.lockTunables {
        OnFailure = "emergency.target";
      };
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
    };
    # Configure system tunables
    boot.kernel.sysctl = {
      # Removed under grsecurity
      "kernel.kptr_restrict" = mkForce null;
    } // optionalAttrs config.nix.useSandbox {
      # chroot(2) restrictions that conflict with sandboxed Nix builds
      "kernel.grsecurity.chroot_caps" = mkForce 0;
      "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
      "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
      "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
    } // optionalAttrs config.boot.enableContainers {
      # chroot(2) restrictions that conflict with NixOS lightweight containers
      "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
      "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
      "kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
    };
    assertions = [
      { assertion = !zfsNeededForBoot;
        message = "grsecurity is currently incompatible with ZFS";
      }
    ];
    security.grsecurity.kernelPatch = lib.mkDefault pkgs.kernelPatches.grsecurity_latest;
    systemd.services.grsec-lock = mkIf cfg.config.sysctl {
      description     = "grsecurity sysctl-lock Service";
      wants           = [ "systemd-sysctl.service" ];
      after           = [ "systemd-sysctl.service" ];
      wantedBy        = [ "multi-user.target" ];
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = "yes";
      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel/grsecurity/grsec_lock";
      script = ''
        locked=`cat /proc/sys/kernel/grsecurity/grsec_lock`
        if [ "$locked" == "0" ]; then
            echo 1 > /proc/sys/kernel/grsecurity/grsec_lock
            echo grsecurity sysctl lock - enabled
        else
            echo grsecurity sysctl lock already enabled - doing nothing
        fi
      '';
    };
 #   systemd.services.grsec-learn = {
 #     description     = "grsecurity learning Service";
 #     wantedBy        = [ "local-fs.target" ];
 #     serviceConfig   = {
 #       Type = "oneshot";
 #       RemainAfterExit = "yes";
 #       ExecStart = "${pkgs.gradm}/sbin/gradm -VFL /etc/grsec/learning.logs";
 #       ExecStop  = "${pkgs.gradm}/sbin/gradm -D";
 #     };
 #   };
    system.activationScripts = lib.optionalAttrs (!cfg.config.disableRBAC) { grsec = ''
      mkdir -p /etc/grsec
      if [ ! -f /etc/grsec/learn_config ]; then
        cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
      fi
      if [ ! -f /etc/grsec/policy ]; then
        cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
      fi
      chmod -R 0600 /etc/grsec
    ''; };
    # Enable AppArmor, gradm udev rules, and utilities
    security.apparmor.enable   = true;
    boot.kernelPackages        = customGrsecPkg;
    services.udev.packages     = lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
    environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
  };
 }
--- a/nixos/tests/grsecurity.nix
+++ b/nixos/tests/grsecurity.nix
@ -3,17 +3,39 @@
 import ./make-test.nix ({ pkgs, ...} : {
  name = "grsecurity";
  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ copumpkin ];
+    maintainers = [ copumpkin joachifm ];
  };
  machine = { config, pkgs, ... }:
-    { boot.kernelPackages = pkgs.linuxPackages_grsec_testing_server; };
+    { security.grsecurity.enable = true;
      boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
      security.apparmor.enable = true;
    };
-  testScript =
+  testScript = ''
-    ''
+    subtest "grsec-lock", sub {
-      $machine->succeed("uname -a") =~ /grsec/;
+      $machine->succeed("systemctl is-active grsec-lock");
-      # FIXME: this seems to hang the whole test. Unclear why, but let's fix it
+      $machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");
-      # $machine->succeed("${pkgs.paxtest}/bin/paxtest blackhat");
+      $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
    };
    subtest "paxtest", sub {
      # TODO: running paxtest blackhat hangs the vm
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/anonmap") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/execbss") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/execdata") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/execheap") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/execstack") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotanon") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotbss") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotdata") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotheap") =~ /Killed/ or die;
      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotstack") =~ /Killed/ or die;
    };
    subtest "tcc", sub {
      $machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");
      $machine->succeed("${pkgs.tinycc.bin}/bin/tcc -run main.c");
    };
  '';
 })
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@ -60,6 +60,13 @@ stdenv.mkDerivation rec {
    ++ optional stdenv.isDarwin "--enable-cocoa"
    ++ optional stdenv.isLinux "--enable-linux-aio";
  postFixup =
    ''
      for exe in $out/bin/qemu-system-* ; do
        paxmark m $exe
      done
    '';
  postInstall =
    ''
      # Add a ‘qemu-kvm’ wrapper for compatibility/convenience.
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@ -1,158 +1,33 @@
-{ grsecOptions, lib, pkgs }:
+{ stdenv
 , overrideDerivation
-with lib;
+# required for gcc plugins
 , gmp, libmpc, mpfr
-let
+# the base kernel
-  cfg = {
+, kernel
    kernelPatch = grsecOptions.kernelPatch;
    config = {
      mode = "auto";
      sysctl = false;
      denyChrootCaps = false;
      denyChrootChmod = false;
      denyUSB = false;
      restrictProc = false;
      restrictProcWithGroup = true;
      unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
      disableRBAC = false;
      disableSimultConnect = false;
      redistKernel = true;
      verboseVersion = false;
      kernelExtraConfig = "";
    } // grsecOptions.config;
  };
-  vals = rec {
+, grsecPatch
 , kernelPatches ? []
-    mkKernel = patch:
+, localver ? "-grsec"
-        {
+, modDirVersion ? "${kernel.version}${localver}"
-          inherit patch;
+, extraConfig ? ""
-          inherit (patch) kernel patches grversion revision;
+, ...
-        };
+} @ args:
-    grKernel = mkKernel cfg.kernelPatch;
+assert (kernel.version == grsecPatch.kver);
-    ## -- grsecurity configuration ---------------------------------------------
+overrideDerivation (kernel.override {
-
+  inherit modDirVersion;
-    grsecPrioCfg =
+  kernelPatches = [ { inherit (grsecPatch) name patch; } ] ++ kernelPatches ++ (kernel.kernelPatches or []);
-      if cfg.config.priority == "security" then
+  features = (kernel.features or {}) // { grsecurity = true; };
-        "GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
+  inherit extraConfig;
-      else
+  ignoreConfigErrors = true;
-        "GRKERNSEC_CONFIG_PRIORITY_PERF y";
+}) (attrs: {
-
+  nativeBuildInputs = [ gmp libmpc mpfr ] ++ (attrs.nativeBuildInputs or []);
-    grsecSystemCfg =
+  preConfigure = ''
-      if cfg.config.system == "desktop" then
+    echo ${localver} >localversion-grsec
-        "GRKERNSEC_CONFIG_DESKTOP y"
+    ${attrs.preConfigure or ""}
      else
        "GRKERNSEC_CONFIG_SERVER y";
    grsecVirtCfg =
      if cfg.config.virtualisationConfig == null then
        "GRKERNSEC_CONFIG_VIRT_NONE y"
      else if cfg.config.virtualisationConfig == "host" then
        "GRKERNSEC_CONFIG_VIRT_HOST y"
      else
        "GRKERNSEC_CONFIG_VIRT_GUEST y";
    grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else
      if cfg.config.hardwareVirtualisation == true then
        "GRKERNSEC_CONFIG_VIRT_EPT y"
      else
        "GRKERNSEC_CONFIG_VIRT_SOFT y";
    grsecVirtswCfg =
      let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
      in
        if cfg.config.virtualisationConfig == null then ""
        else if cfg.config.virtualisationSoftware == "xen"    then virtCfg "XEN"
        else if cfg.config.virtualisationSoftware == "kvm"    then virtCfg "KVM"
        else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
        else                                                       virtCfg "VIRTUALBOX";
    grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
      GRKERNSEC_CONFIG_AUTO y
      ${grsecPrioCfg}
      ${grsecSystemCfg}
      ${grsecVirtCfg}
      ${grsecHwvirtCfg}
      ${grsecVirtswCfg}
  '';
-
+})
    grsecConfig =
      let boolToKernOpt = b: if b then "y" else "n";
          # Disable RANDSTRUCT under virtualbox, as it has some kind of
          # breakage with the vbox guest drivers
          #randstruct = optionalString config.virtualisation.virtualbox.guest.enable
          #  "GRKERNSEC_RANDSTRUCT n";
          # Disable restricting links under the testing kernel, as something
          # has changed causing it to fail miserably during boot.
          #restrictLinks = optionalString cfg.testing
          #  "GRKERNSEC_LINK n";
      in ''
        GRKERNSEC y
        ${grsecMainConfig}
        # Disable features rendered useless by redistributing the kernel
        ${optionalString cfg.config.redistKernel ''
          GRKERNSEC_RANDSTRUCT n
          GRKERNSEC_HIDESYM n
          ''}
        # The paxmarks mechanism relies on ELF header markings, but the default
        # grsecurity configuration only enables xattr markings
        PAX_PT_PAX_FLAGS y
        ${if cfg.config.restrictProc then
            "GRKERNSEC_PROC_USER y"
          else
            optionalString cfg.config.restrictProcWithGroup ''
              GRKERNSEC_PROC_USERGROUP y
              GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
            ''
        }
        GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
        GRKERNSEC_CHROOT_CAPS ${boolToKernOpt cfg.config.denyChrootCaps}
        GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
        GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
        GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
        GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect}
        ${cfg.config.kernelExtraConfig}
      '';
    ## -- grsecurity kernel packages -------------------------------------------
    localver = grkern:
      "-grsec" + optionalString cfg.config.verboseVersion
         "-${grkern.grversion}-${grkern.revision}";
    grsecurityOverrider = args: grkern: {
      # additional build inputs for gcc plugins, required by some PaX/grsec features
      nativeBuildInputs = args.nativeBuildInputs ++ (with pkgs; [ gmp libmpc mpfr ]);
      preConfigure = (args.preConfigure or "") + ''
        echo ${localver grkern} > localversion-grsec
      '';
    };
    mkGrsecKern = grkern:
      lowPrio (overrideDerivation (grkern.kernel.override (args: {
        kernelPatches = args.kernelPatches ++ [ grkern.patch  ] ++ grkern.patches;
        argsOverride = {
          modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
        };
        extraConfig = grsecConfig;
        features.grsecurity = true;
        ignoreConfigErrors = true; # Too lazy to model the config options that work with grsecurity and don't for now
      })) (args: grsecurityOverrider args grkern));
    mkGrsecPkg = grkern: pkgs.linuxPackagesFor grkern (mkGrsecPkg grkern);
    ## -- Kernel packages ------------------------------------------------------
    grsecKernel  = mkGrsecKern grKernel;
    grsecPackage = mkGrsecPkg grsecKernel;
  };
 in vals
--- a/pkgs/build-support/grsecurity/flavors.nix
+++ b/pkgs/build-support/grsecurity/flavors.nix
@ -1,17 +0,0 @@
 let
  mkOpts = prio: sys: virt: swvirt: hwvirt:
    { config.priority               = prio;
      config.system                 = sys;
      config.virtualisationConfig   = virt;
      config.hardwareVirtualisation = hwvirt;
      config.virtualisationSoftware = swvirt;
    };
 in
 {
  desktop =
    mkOpts "performance" "desktop" "host" "kvm" true;
  server  =
    mkOpts "security" "server" "host" "kvm" true;
  server_xen =
    mkOpts "security" "server" "guest" "xen" true;
 }
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@ -261,9 +261,7 @@ with stdenv.lib;
  # Security related features.
  STRICT_DEVMEM y # Filter access to /dev/mem
  SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
  ${optionalString (!(features.grsecurity or false)) ''
  DEVKMEM n # Disable /dev/kmem
  ''}
  ${if versionOlder version "3.14" then ''
    CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
  '' else ''
@ -422,13 +420,11 @@ with stdenv.lib;
  # Virtualisation.
  PARAVIRT? y
-  ${optionalString (!(features.grsecurity or false))
+  ${if versionAtLeast version "3.10" then ''
    (if versionAtLeast version "3.10" then ''
    HYPERVISOR_GUEST y
  '' else ''
    PARAVIRT_GUEST? y
-    '')
+  ''}
  }
  KVM_APIC_ARCHITECTURE y
  KVM_ASYNC_PF y
  ${optionalString (versionOlder version "3.7") ''
@ -443,9 +439,7 @@ with stdenv.lib;
  ${optionalString (versionAtLeast version "4.0") ''
    KVM_GENERIC_DIRTYLOG_READ_PROTECT y
  ''}
  ${optionalString (!features.grsecurity or true) ''
  KVM_GUEST y
  ''}
  KVM_MMIO y
  ${optionalString (versionAtLeast version "3.13") ''
    KVM_VFIO y
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@ -0,0 +1,43 @@
 { stdenv }:
 with stdenv.lib;
 ''
 GRKERNSEC y
 PAX y
 GRKERNSEC_CONFIG_AUTO y
 GRKERNSEC_CONFIG_DESKTOP y
 GRKERNSEC_CONFIG_VIRT_HOST y
 GRKERNSEC_CONFIG_VIRT_EPT y
 GRKERNSEC_CONFIG_VIRT_KVM y
 GRKERNSEC_CONFIG_PRIORITY_SECURITY y
 PAX_PT_PAX_FLAGS y
 PAX_XATTR_PAX_FLAGS n
 PAX_EI_PAX n
 GRKERNSEC_PROC_GID 0
 PAX_LATENT_ENTROPY n
 PAX_SIZE_OVERFLOW n
 GRKERNSEC_HIDESYM n
 GRKERNSEC_RANDSTRUCT n
 GRKERNSEC_PROC n
 GRKERNSEC_SYSFS_RESTRICT n
 GRKERNSEC_KMEM n
 GRKERNSEC_MODHARDEN n
 GRKERNSEC_NO_SIMULT_CONNECT n
 PAX_KERNEXEC_PLUGIN_METHOD_BTS y
 GRKERNSEC_ACL_HIDEKERN y
 GRKERNSEC_IO y
 GRKERNSEC_AUDIT_PTRACE y
 GRKERNSEC_FORKFAIL y
 GRKERNSEC_SYSCTL y
 GRKERNSEC_SYSCTL_DISTRO y
 GRKERNSEC_SYSCTL_ON y
 ''
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@ -18,20 +18,20 @@ let
      };
    };
-  grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
+  grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha256 }: rec {
-    assert kversion == kernel.version;
+    name = "grsecurity-${grver}-${kver}-${grrev}";
-    { name = "grsecurity-${grversion}-${kversion}";
+
-      inherit grversion kernel patches kversion revision;
+    # Pass these along to allow the caller to determine compatibility
    inherit grver kver grrev;
    patch = fetchurl {
      # When updating versions/hashes, ALWAYS use the official version; we use
      # this mirror only because upstream removes sources files immediately upon
      # releasing a new version ...
-      patch = fetchurl {
+      url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch";
        url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/test/grsecurity-${grversion}-${kversion}-${revision}.patch";
      inherit sha256;
    };
      features.grsecurity = true;
  };
 in
 rec {
@ -92,19 +92,18 @@ rec {
  grsecurity_4_4 = throw "grsecurity stable is no longer supported";
-  grsecurity_4_5 = grsecPatch
+  grsecurity_testing = grsecPatch
-    { kernel    = pkgs.grsecurity_base_linux_4_5;
+    { kver   = "4.5.7";
-      patches   = [ grsecurity_fix_path_4_5 ];
+      grrev  = "201606080852";
      kversion  = "4.5.7";
      revision  = "201606080852";
      sha256 = "1vgc314nh6bd7zw9r927lnbjq29z32g0s02jgvf635y9zz550nsh";
    };
-  grsecurity_latest = grsecurity_4_5;
+  # This patch relaxes grsec constraints on the location of usermode helpers,
-
+  # e.g., modprobe, to allow calling into the Nix store.
-  grsecurity_fix_path_4_5 =
+  grsecurity_nixos_kmod =
-    { name = "grsecurity-fix-path-4.5";
+    {
-      patch = ./grsecurity-path-4.5.patch;
+      name  = "grsecurity-nixos-kmod";
      patch = ./grsecurity-nixos-kmod.patch;
    };
  crc_regression =
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -10822,32 +10822,6 @@ in
  linux_chromiumos_latest = self.linux_chromiumos_3_18;
  # grsecurity configuration
  grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
    inherit (linux_4_5) kernelPatches;
  };
  grFlavors = import ../build-support/grsecurity/flavors.nix;
  mkGrsecurity = patch: opts:
    (callPackage ../build-support/grsecurity {
      grsecOptions = { kernelPatch = patch; } // opts;
    });
  grKernel  = patch: opts: (self.mkGrsecurity patch opts).grsecKernel;
  grPackage = patch: opts: recurseIntoAttrs (self.mkGrsecurity patch opts).grsecPackage;
  # grsecurity kernels (see also linuxPackages_grsec_*)
  linux_grsec_desktop_4_5    = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
  linux_grsec_server_4_5     = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
  linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
  linux_grsec_desktop_latest    = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.desktop;
  linux_grsec_server_latest     = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
  linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
  /* Linux kernel modules are inherently tied to a specific kernel.  So
     rather than provide specific instances of those packages for a
     specific kernel, we have a function that builds those packages
@ -10997,52 +10971,78 @@ in
  # Build a kernel for Xen dom0
  linuxPackages_latest_xen_dom0 = recurseIntoAttrs (self.linuxPackagesFor (self.linux_latest.override { features.xen_dom0=true; }) linuxPackages_latest);
-  # grsecurity packages
+  # Grsecurity packages
-  linuxPackages_grsec_desktop_4_5    = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
+  linux_grsec_nixos = callPackage ../build-support/grsecurity {
-  linuxPackages_grsec_server_4_5     = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
+    inherit (lib) overrideDerivation;
-  linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
+    kernel = callPackage ../os-specific/linux/kernel/linux-grsecurity.nix {
      inherit (self.linux_4_5) kernelPatches;
    };
    grsecPatch = self.kernelPatches.grsecurity_testing;
    kernelPatches = [ self.kernelPatches.grsecurity_nixos_kmod ];
    extraConfig = callPackage ../os-specific/linux/kernel/grsecurity-nixos-config.nix { };
  };
-  linuxPackages_grsec_desktop_latest    = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.desktop;
+  linuxPackages_grsec_nixos =
-  linuxPackages_grsec_server_latest     = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
+    let self = linuxPackagesFor linux_grsec_nixos self;
-  linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen;
+    in recurseIntoAttrs self;
  # An unsupported grsec xen guest kernel
  linux_grsec_server_xen = linux_grsec_nixos.override {
    extraConfig = ''
      GRKERNSEC y
      PAX y
      GRKERNSEC_CONFIG_AUTO y
      GRKERNSEC_CONFIG_PRIORITY_SECURITY y
      GRKERNSEC_CONFIG_SERVER y
      GRKERNSEC_CONFIG_VIRT_GUEST y
      GRKERNSEC_CONFIG_VIRT_XEN y
    '';
  };
  # grsecurity: legacy
  grsecurity_base_linux_3_14 = throw "grsecurity stable is no longer supported";
  grsecurity_base_linux_4_4  = throw "grsecurity stable is no longer supported";
  linuxPackages_grsec_desktop_3_14    = throw "linuxPackages_grsec_desktop has been removed";
  linuxPackages_grsec_desktop_4_4    = throw "linuxPackages_grsec_desktop has been removed";
  linuxPackages_grsec_desktop_4_5    = throw "linuxPackages_grsec_desktop has been removed";
  linuxPackages_grsec_desktop_latest    = throw "linuxPackages_grsec_desktop has been removed";
  linuxPackages_grsec_server_3_14     = throw "linuxPackages_grsec_server has been removed";
  linuxPackages_grsec_server_4_4     = throw "linuxPackages_grsec_server has been removed";
  linuxPackages_grsec_server_4_5     = throw "linuxPackages_grsec_server has been removed";
  linuxPackages_grsec_server_latest     = throw "linuxPackages_grsec_server has been removed";
  linuxPackages_grsec_server_xen_3_14 = throw "linuxPackages_grsec_server_xen has been removed";
  linuxPackages_grsec_server_xen_4_4 = throw "linuxPackages_grsec_server_xen has been removed";
  linuxPackages_grsec_server_xen_4_5 = throw "linuxPackages_grsec_server_xen has been removed";
  linuxPackages_grsec_server_xen_latest = throw "linuxPackages_grsec_server_xen has been removed";
  linux_grsec_desktop_3_14    = throw "grsecurity stable is no longer supported";
  linux_grsec_server_3_14     = throw "grsecurity stable is no longer supported";
  linux_grsec_server_xen_3_14 = throw "grsecurity stable is no longer supported";
  linux_grsec_desktop_4_4    = throw "grsecurity stable is no longer supported";
-  linux_grsec_server_4_4     = throw "grsecurity stable is no longer supported";
+  linux_grsec_desktop_4_5    = throw "linux_grsec_desktop has been removed";
-  linux_grsec_server_xen_4_4 = throw "grsecurity stable is no longer supported";
+  linux_grsec_desktop_latest    = throw "linux_grsec_desktop has been removed";
-  linux_grsec_testing_desktop    = self.linux_grsec_desktop_latest;
+  linux_grsec_server_3_14     = throw "grsecurity stable is no longer supported";
-  linux_grsec_testing_server     = self.linux_grsec_server_latest;
+  linux_grsec_server_4_4     = throw "grsecurity stable is no longer supported";
-  linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest;
+  linux_grsec_server_4_5     = throw "linux_grsec_server has been removed";
  linux_grsec_server_latest     = throw "linux_grsec_server_latest has been removed";
  linux_grsec_server_xen_3_14 = throw "grsecurity stable is no longer supported";
  linux_grsec_server_xen_4_4 = throw "grsecurity stable is no longer supported";
  linux_grsec_server_xen_4_5 = throw "linux_grsec_server_xen has been removed";
  linux_grsec_server_xen_latest = throw "linux_grsec_server_xen has been removed";
  linux_grsec_stable_desktop    = self.linux_grsec_desktop_3_14;
  linux_grsec_stable_server     = self.linux_grsec_server_3_14;
  linux_grsec_stable_server_xen = self.linux_grsec_server_xen_3_14;
-  linuxPackages_grsec_desktop_3_14    = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
+  linux_grsec_testing_desktop    = self.linux_grsec_desktop_latest;
-  linuxPackages_grsec_server_3_14     = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
+  linux_grsec_testing_server     = self.linux_grsec_server_latest;
-  linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
+  linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest;
  linuxPackages_grsec_desktop_4_4    = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
  linuxPackages_grsec_server_4_4     = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
  linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
  linuxPackages_grsec_testing_desktop    = self.linuxPackages_grsec_desktop_latest;
  linuxPackages_grsec_testing_server     = self.linuxPackages_grsec_server_latest;
  linuxPackages_grsec_testing_server_xen = self.linuxPackages_grsec_server_xen_latest;
  linuxPackages_grsec_stable_desktop    = self.linuxPackages_grsec_desktop_3_14;
  linuxPackages_grsec_stable_server     = self.linuxPackages_grsec_server_3_14;
  linuxPackages_grsec_stable_server_xen = self.linuxPackages_grsec_server_xen_3_14;
  # ChromiumOS kernels
  linuxPackages_chromiumos_3_14 = recurseIntoAttrs (self.linuxPackagesFor self.linux_chromiumos_3_14 linuxPackages_chromiumos_3_14);
--- a/pkgs/top-level/release.nix
+++ b/pkgs/top-level/release.nix
@ -332,11 +332,6 @@ let
        xfwm4 = linux;
      };
      linuxPackages_testing = { };
      linuxPackages_grsec_testing_desktop = { };
      linuxPackages_grsec_testing_server = { };
      linuxPackages_grsec_testing_server_xen = { };
    } ));
 in jobs