From d8e4432fe26c2b9aaa4eedfb17d77d0cbd9492cf Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Tue, 17 May 2016 05:20:04 +0200
Subject: [PATCH] kernel: unconditionally disable /dev/kmem

This was presumably set for grsecurity compatibility, but now appears redundant. Grsecurity does not expect nor require /dev/kmem to be present and so it makes little sense to continue making its inclusion in the standard kernel dependent on grsecurity. More generally, given the large number of possible grsecurity configurations, it is unclear what `features.grsecurity` even *means* and its use should be discouraged.
---
 pkgs/os-specific/linux/kernel/common-config.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 3ce65a3f6e1..bd0bd142486 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -261,9 +261,7 @@ with stdenv.lib;
 # Security related features.
 STRICT_DEVMEM y # Filter access to /dev/mem
 SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
- ${optionalString (!(features.grsecurity or false)) ''
- DEVKMEM n # Disable /dev/kmem
- ''}
+ DEVKMEM n # Disable /dev/kmem
 ${if versionOlder version "3.14" then ''
 CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
 '' else ''
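Review bot: The now-unconditional `DEVKMEM n` line is a hard requirement, unlike the `CC_STACKPROTECTOR? y` line just below it, which carries the `?` suffix. The removed `optionalString` guard may have existed because some grsecurity patch sets hide or force the DEVKMEM symbol themselves; if the config generator rejects an answer for a symbol it is never asked about, patched kernels would then fail to configure. Either confirm that a grsecurity-patched kernel still builds with this line, or write `DEVKMEM? n # Disable /dev/kmem` and check the generated .config to make sure /dev/kmem is really off, since the optional form presumably will not fail when the setting is not applied. The surrounding config string starts and ends outside the hunk.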