tree-wide: prune some dead grsec leaves
The beginning of pruning grsecurity/PaX from the tree.
This commit is contained in:
parent
8c98e8ca2f
commit
ab4fa1cce4
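--- a/PATH-NOT-ON-PAGE-1
+++ /dev/null
@@ -1,46 +0,0 @@
-# Basic test to make sure grsecurity works
-
-import ./make-test.nix ({ pkgs, ...} : {
-name = "grsecurity";
-meta = with pkgs.stdenv.lib.maintainers; {
-maintainers = [ copumpkin joachifm ];
-};
-
-machine = { config, pkgs, ... }:
-{ security.grsecurity.enable = true;
-boot.kernel.sysctl."kernel.grsecurity.audit_mount" = 0;
-boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
-networking.useDHCP = false;
-};
-
-testScript = ''
-subtest "grsec-lock", sub {
-$machine->succeed("systemctl is-active grsec-lock");
-$machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");
-$machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
-};
-
-subtest "paxtest", sub {
-# TODO: running paxtest blackhat hangs the vm
-my @pax_mustkill = (
-"anonmap", "execbss", "execdata", "execheap", "execstack",
-"mprotanon", "mprotbss", "mprotdata", "mprotheap", "mprotstack",
-);
-foreach my $name (@pax_mustkill) {
-my $paxtest = "${pkgs.paxtest}/lib/paxtest/" . $name;
-$machine->succeed($paxtest) =~ /Killed/ or die
-}
-};
-
-# tcc -run executes run-time generated code and so allows us to test whether
-# paxmark actually works (otherwise, the process should be terminated)
-subtest "tcc", sub {
-$machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");
-$machine->succeed("${pkgs.tinycc}/bin/tcc -run main.c");
-};
-
-subtest "RBAC", sub {
-$machine->succeed("[ -c /dev/grsec ]");
-};
-'';
-})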
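--- a/PATH-NOT-ON-PAGE-2
+++ /dev/null
@@ -1,37 +0,0 @@
-{ stdenv
-, lib
-, overrideDerivation
-
-# required for gcc plugins
-, gmp, libmpc, mpfr
-
-# the base kernel
-, kernel
-
-, grsecPatch
-, kernelPatches ? []
-
-, localver ? "-grsec"
-, modDirVersion ? "${kernel.version}${localver}"
-, extraConfig ? ""
-, ...
-} @ args:
-
-assert (kernel.version == grsecPatch.kver);
-
-overrideDerivation (kernel.override {
-inherit modDirVersion;
-kernelPatches = lib.unique ([ grsecPatch ] ++ kernelPatches ++ (kernel.kernelPatches or []));
-extraConfig = ''
-GRKERNSEC y
-PAX y
-${extraConfig}
-'';
-ignoreConfigErrors = true;
-}) (attrs: {
-nativeBuildInputs = (lib.chooseDevOutputs [ gmp libmpc mpfr ]) ++ (attrs.nativeBuildInputs or []);
-preConfigure = ''
-echo ${localver} >localversion-grsec
-${attrs.preConfigure or ""}
-'';
-})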
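--- a/PATH-NOT-ON-PAGE-3
+++ /dev/null
@@ -1,63 +0,0 @@
-{ stdenv }:
-
-with stdenv.lib;
-
-''
-# Auto configuration with these constraints will enable most of the
-# important features (RAP, UDEREF, ASLR, memory sanitization).
-GRKERNSEC_CONFIG_AUTO y
-GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_PRIORITY_SECURITY y
-
-# We specify virt guest rather than host here, the latter deselects e.g.,
-# paravirtualization.
-GRKERNSEC_CONFIG_VIRT_GUEST y
-# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
-GRKERNSEC_CONFIG_VIRT_EPT y
-GRKERNSEC_CONFIG_VIRT_KVM y
-
-# PaX control
-PAX_SOFTMODE y
-PAX_PT_PAX_FLAGS y
-PAX_XATTR_PAX_FLAGS y
-PAX_EI_PAX n
-
-PAX_INITIFY y
-
-# The bts instrumentation method is compatible with binary only modules.
-#
-# Note: if platform supports SMEP, we could do without this
-PAX_KERNEXEC_PLUGIN_METHOD_BTS y
-
-# Additional grsec hardening not implied by auto constraints
-GRKERNSEC_IO y
-GRKERNSEC_SYSFS_RESTRICT y
-GRKERNSEC_ROFS y
-
-GRKERNSEC_MODHARDEN y
-
-# Disable protections rendered useless by redistribution
-GRKERNSEC_HIDESYM n
-GRKERNSEC_RANDSTRUCT n
-
-# Disable protections covered by vanilla mechanisms
-GRKERNSEC_DMESG n
-GRKERNSEC_KMEM n
-GRKERNSEC_PROC n
-
-# Disable protections that are inappropriate for a general-purpose kernel
-GRKERNSEC_NO_SIMULT_CONNECT n
-
-# Enable additional audititing
-GRKERNSEC_AUDIT_MOUNT y
-GRKERNSEC_AUDIT_PTRACE y
-GRKERNSEC_FORKFAIL y
-
-# Wishlist: support trusted path execution
-GRKERNSEC_TPE n
-
-GRKERNSEC_SYSCTL y
-GRKERNSEC_SYSCTL_DISTRO y
-# Assume that appropriate sysctls are toggled once the system is up
-GRKERNSEC_SYSCTL_ON n
-''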
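--- a/PATH-NOT-ON-PAGE-4
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -ru a/kernel/kmod.c b/kernel/kmod.c
---- a/kernel/kmod.c 2016-04-21 17:06:09.882281660 +0200
-+++ b/kernel/kmod.c 2016-04-21 17:08:17.458949309 +0200
-@@ -294,7 +294,9 @@
-strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
-strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
-strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") &&
-- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+ strcmp(sub_info->path, "/usr/share/apport/apport") &&
-+ strncmp(sub_info->path, "/nix/store/", 11) &&
-+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
-printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
-retval = -EPERM;
-goto out;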
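--- a/PATH-NOT-ON-PAGE-5
+++ /dev/null
@@ -1,18 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-import ./generic.nix (args // rec {
-version = "4.9.24";
-extraMeta.branch = "4.9";
-
-src = fetchurl {
-url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-sha512 = "3031ldw2f6dwkm3z1cn7rw8y4diq57rs3na64nzkw7xw4q74cfpzzp5866vf58y0fsyl8l2vgvwza7cdhxywmmxp7q0q5385jn8nnvd";
-};
-
-kernelPatches = args.kernelPatches;
-
-features.iwlwifi = true;
-features.efiBootStub = true;
-features.needsCifsUtils = true;
-features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))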
@ -17,26 +17,6 @@ let
'';
};
};
grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha512 }: rec {
name = "grsecurity-${grver}-${kver}-${grrev}";
# Pass these along to allow the caller to determine compatibility
inherit grver kver grrev;
patch = fetchurl {
urls = [
"https://grsecurity.net/${grbranch}/${name}.patch"
# When updating versions/hashes, ALWAYS use the official
# version; we use this mirror only because upstream removes
# source files immediately upon releasing a new version ...
"https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${kver}/${name}.patch"
];
inherit sha512;
};
features.grsecurity = true;
};
in
rec {
@ -107,14 +87,6 @@ rec {
for more information.
'';
# This patch relaxes grsec constraints on the location of usermode helpers,
# e.g., modprobe, to allow calling into the Nix store.
grsecurity_nixos_kmod =
{
name = "grsecurity-nixos-kmod";
patch = ./grsecurity-nixos-kmod.patch;
};
crc_regression =
{ name = "crc-backport-regression";
patch = ./crc-regression.patch;
@ -11922,16 +11922,7 @@ with pkgs;
linuxPackages_grsec_nixos =
recurseIntoAttrs (linuxPackagesFor linux_grsec_nixos);
# An unsupported grsec xen guest kernel
linux_grsec_server_xen = linux_grsec_nixos.override {
extraConfig = ''
GRKERNSEC_CONFIG_AUTO y
GRKERNSEC_CONFIG_PRIORITY_SECURITY y
GRKERNSEC_CONFIG_SERVER y
GRKERNSEC_CONFIG_VIRT_GUEST y
GRKERNSEC_CONFIG_VIRT_XEN y
'';
};
linux_grsec_server_xen = linux_grsec_nixos;
# ChromiumOS kernels
linuxPackages_chromiumos_3_18 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_chromiumos_3_18);
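Review bot: The new line `linux_grsec_server_xen = linux_grsec_nixos;` keeps the attribute name but silently drops the Xen-guest constraints (`GRKERNSEC_CONFIG_SERVER y`, `GRKERNSEC_CONFIG_VIRT_XEN y`) that the removed override applied, so a configuration still selecting `linux_grsec_server_xen` now gets whatever `linux_grsec_nixos` is built with, without any hint that the selection no longer changes the kernel. The removed `# An unsupported grsec xen guest kernel` comment is not carried over either, leaving the alias undocumented. A one-line comment on the alias would make this visible, e.g. `# Compatibility alias: the separate Xen-guest kernel configuration was removed; this is the same kernel as linux_grsec_nixos.`. The old/new sides of this section are inferred from the hunk counts (16 old, 7 new) rather than from surviving markers.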