diff --git a/nixos/tests/grsecurity.nix b/nixos/tests/grsecurity.nix
deleted file mode 100644
index d4a419fd0e3..00000000000
--- a/nixos/tests/grsecurity.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-# Basic test to make sure grsecurity works
-
-import ./make-test.nix ({ pkgs, ...} : {
- name = "grsecurity";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ copumpkin joachifm ];
- };
-
- machine = { config, pkgs, ... }:
- { security.grsecurity.enable = true;
- boot.kernel.sysctl."kernel.grsecurity.audit_mount" = 0;
- boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
- networking.useDHCP = false;
- };
-
- testScript = ''
- subtest "grsec-lock", sub {
- $machine->succeed("systemctl is-active grsec-lock");
- $machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");
- $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
- };
-
- subtest "paxtest", sub {
- # TODO: running paxtest blackhat hangs the vm
- my @pax_mustkill = (
- "anonmap", "execbss", "execdata", "execheap", "execstack",
- "mprotanon", "mprotbss", "mprotdata", "mprotheap", "mprotstack",
- );
- foreach my $name (@pax_mustkill) {
- my $paxtest = "${pkgs.paxtest}/lib/paxtest/" . $name;
- $machine->succeed($paxtest) =~ /Killed/ or die
- }
- };
-
- # tcc -run executes run-time generated code and so allows us to test whether
- # paxmark actually works (otherwise, the process should be terminated)
- subtest "tcc", sub {
- $machine->execute("echo -e '#include \nint main(void) { puts(\"hello\"); return 0; }' >main.c");
- $machine->succeed("${pkgs.tinycc}/bin/tcc -run main.c");
- };
-
- subtest "RBAC", sub {
- $machine->succeed("[ -c /dev/grsec ]");
- };
- '';
-})
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
deleted file mode 100644
index ccd46e20654..00000000000
--- a/pkgs/build-support/grsecurity/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ stdenv
-, lib
-, overrideDerivation
-
-# required for gcc plugins
-, gmp, libmpc, mpfr
-
-# the base kernel
-, kernel
-
-, grsecPatch
-, kernelPatches ? []
-
-, localver ? "-grsec"
-, modDirVersion ? "${kernel.version}${localver}"
-, extraConfig ? ""
-, ...
-} @ args:
-
-assert (kernel.version == grsecPatch.kver);
-
-overrideDerivation (kernel.override {
- inherit modDirVersion;
- kernelPatches = lib.unique ([ grsecPatch ] ++ kernelPatches ++ (kernel.kernelPatches or []));
- extraConfig = ''
- GRKERNSEC y
- PAX y
- ${extraConfig}
- '';
- ignoreConfigErrors = true;
-}) (attrs: {
- nativeBuildInputs = (lib.chooseDevOutputs [ gmp libmpc mpfr ]) ++ (attrs.nativeBuildInputs or []);
- preConfigure = ''
- echo ${localver} >localversion-grsec
- ${attrs.preConfigure or ""}
- '';
-})
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
deleted file mode 100644
index ed8942b1066..00000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ stdenv }:
-
-with stdenv.lib;
-
-''
-# Auto configuration with these constraints will enable most of the
-# important features (RAP, UDEREF, ASLR, memory sanitization).
-GRKERNSEC_CONFIG_AUTO y
-GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_PRIORITY_SECURITY y
-
-# We specify virt guest rather than host here, the latter deselects e.g.,
-# paravirtualization.
-GRKERNSEC_CONFIG_VIRT_GUEST y
-# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
-GRKERNSEC_CONFIG_VIRT_EPT y
-GRKERNSEC_CONFIG_VIRT_KVM y
-
-# PaX control
-PAX_SOFTMODE y
-PAX_PT_PAX_FLAGS y
-PAX_XATTR_PAX_FLAGS y
-PAX_EI_PAX n
-
-PAX_INITIFY y
-
-# The bts instrumentation method is compatible with binary only modules.
-#
-# Note: if platform supports SMEP, we could do without this
-PAX_KERNEXEC_PLUGIN_METHOD_BTS y
-
-# Additional grsec hardening not implied by auto constraints
-GRKERNSEC_IO y
-GRKERNSEC_SYSFS_RESTRICT y
-GRKERNSEC_ROFS y
-
-GRKERNSEC_MODHARDEN y
-
-# Disable protections rendered useless by redistribution
-GRKERNSEC_HIDESYM n
-GRKERNSEC_RANDSTRUCT n
-
-# Disable protections covered by vanilla mechanisms
-GRKERNSEC_DMESG n
-GRKERNSEC_KMEM n
-GRKERNSEC_PROC n
-
-# Disable protections that are inappropriate for a general-purpose kernel
-GRKERNSEC_NO_SIMULT_CONNECT n
-
-# Enable additional audititing
-GRKERNSEC_AUDIT_MOUNT y
-GRKERNSEC_AUDIT_PTRACE y
-GRKERNSEC_FORKFAIL y
-
-# Wishlist: support trusted path execution
-GRKERNSEC_TPE n
-
-GRKERNSEC_SYSCTL y
-GRKERNSEC_SYSCTL_DISTRO y
-# Assume that appropriate sysctls are toggled once the system is up
-GRKERNSEC_SYSCTL_ON n
-''
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
deleted file mode 100644
index e0430a69c95..00000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -ru a/kernel/kmod.c b/kernel/kmod.c
---- a/kernel/kmod.c 2016-04-21 17:06:09.882281660 +0200
-+++ b/kernel/kmod.c 2016-04-21 17:08:17.458949309 +0200
-@@ -294,7 +294,9 @@
- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
- strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") &&
-- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+ strcmp(sub_info->path, "/usr/share/apport/apport") &&
-+ strncmp(sub_info->path, "/nix/store/", 11) &&
-+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- retval = -EPERM;
- goto out;
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
deleted file mode 100644
index 166836a3275..00000000000
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-import ./generic.nix (args // rec {
- version = "4.9.24";
- extraMeta.branch = "4.9";
-
- src = fetchurl {
- url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
- sha512 = "3031ldw2f6dwkm3z1cn7rw8y4diq57rs3na64nzkw7xw4q74cfpzzp5866vf58y0fsyl8l2vgvwza7cdhxywmmxp7q0q5385jn8nnvd";
- };
-
- kernelPatches = args.kernelPatches;
-
- features.iwlwifi = true;
- features.efiBootStub = true;
- features.needsCifsUtils = true;
- features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index ffc193efbf1..1747d34fe11 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -17,26 +17,6 @@ let
 '';
 };
 };
-
- grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha512 }: rec {
- name = "grsecurity-${grver}-${kver}-${grrev}";
-
- # Pass these along to allow the caller to determine compatibility
- inherit grver kver grrev;
-
- patch = fetchurl {
- urls = [
- "https://grsecurity.net/${grbranch}/${name}.patch"
- # When updating versions/hashes, ALWAYS use the official
- # version; we use this mirror only because upstream removes
- # source files immediately upon releasing a new version ...
- "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${kver}/${name}.patch"
- ];
- inherit sha512;
- };
-
- features.grsecurity = true;
- };
 in
 rec {
@@ -107,14 +87,6 @@ rec {
 for more information.
 '';
- # This patch relaxes grsec constraints on the location of usermode helpers,
- # e.g., modprobe, to allow calling into the Nix store.
- grsecurity_nixos_kmod =
- {
- name = "grsecurity-nixos-kmod";
- patch = ./grsecurity-nixos-kmod.patch;
- };
-
 crc_regression = {
 name = "crc-backport-regression";
 patch = ./crc-regression.patch;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 01a862c6c83..d9e85032790 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -11922,16 +11922,7 @@ with pkgs;
 linuxPackages_grsec_nixos = recurseIntoAttrs (linuxPackagesFor linux_grsec_nixos);
- # An unsupported grsec xen guest kernel
- linux_grsec_server_xen = linux_grsec_nixos.override {
- extraConfig = ''
- GRKERNSEC_CONFIG_AUTO y
- GRKERNSEC_CONFIG_PRIORITY_SECURITY y
- GRKERNSEC_CONFIG_SERVER y
- GRKERNSEC_CONFIG_VIRT_GUEST y
- GRKERNSEC_CONFIG_VIRT_XEN y
- '';
- };
+ linux_grsec_server_xen = linux_grsec_nixos;
 # ChromiumOS kernels
 linuxPackages_chromiumos_3_18 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_chromiumos_3_18);
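Review bot: The added line `+ linux_grsec_server_xen = linux_grsec_nixos;` in the all-packages.nix hunk turns a kernel that was configured with `GRKERNSEC_CONFIG_SERVER` and `GRKERNSEC_CONFIG_VIRT_XEN` into a bare alias, so anyone selecting this attribute now silently gets a differently configured kernel with no signal at evaluation time. Since dropping that configuration is deliberate, the alias should say so, e.g. `# Compatibility alias: the Xen-guest grsec kernel was removed; use linux_grsec_nixos.`, or better still warn on use with `linux_grsec_server_xen = builtins.trace "linux_grsec_server_xen is deprecated; use linux_grsec_nixos" linux_grsec_nixos;`. The context line `linuxPackages_grsec_nixos = recurseIntoAttrs (linuxPackagesFor linux_grsec_nixos);` still refers to `linux_grsec_nixos`, whose definition is not in this hunk; given that the same diff deletes `linux-grsecurity.nix` and the `grsecPatch` helper it relied on, that attribute is presumably redefined elsewhere in the commit, which is worth confirming before merge. The enclosing `with pkgs;` attribute set begins and ends outside the hunk.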