public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

kernel: unconditionally disable /dev/kmem 

This was presumably set for grsecurity compatibility, but now appears
redundant.  Grsecurity does not expect nor require /dev/kmem to be
present and so it makes little sense to continue making its inclusion in
the standard kernel dependent on grsecurity.

More generally, given the large number of possible grsecurity
configurations, it is unclear what `features.grsecurity` even
*means* and its use should be discouraged.
This commit is contained in:
Joachim Fasting 2016-05-17 05:20:04 +02:00
parent c1cb5ca57e
commit d8e4432fe2
No known key found for this signature in database
GPG Key ID: 4330820E1E04DCF4
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkgs/os-specific/linux/kernel/common-config.nix
View File

@ -261,9 +261,7 @@ with stdenv.lib;
# Security related features. # Security related features.
STRICT_DEVMEM y # Filter access to /dev/mem STRICT_DEVMEM y # Filter access to /dev/mem
SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
${optionalString (!(features.grsecurity or false)) ''
DEVKMEM n # Disable /dev/kmem DEVKMEM n # Disable /dev/kmem
''}
${if versionOlder version "3.14" then '' ${if versionOlder version "3.14" then ''
CC_STACKPROTECTOR? y # Detect buffer overflows on the stack CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
'' else '' '' else ''