From d95321b83e7c1a1d74cb62f0c5d98f3b110ee163 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Sat, 27 Feb 2016 16:13:08 +0100 Subject: [PATCH 1/6] grsecurity: 4.3.4 -> 4.4.2 --- pkgs/build-support/grsecurity/default.nix | 2 +- pkgs/os-specific/linux/kernel/grsec-path.patch | 3 ++- pkgs/os-specific/linux/kernel/patches.nix | 6 +++--- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix index 841effcfca1..f58d98933d4 100644 --- a/pkgs/build-support/grsecurity/default.nix +++ b/pkgs/build-support/grsecurity/default.nix @@ -33,7 +33,7 @@ let grKernel = if cfg.stable then mkKernel pkgs.linux_3_14 stable-patch - else mkKernel pkgs.linux_4_3 test-patch; + else mkKernel pkgs.linux_4_4 test-patch; ## -- grsecurity configuration --------------------------------------------- diff --git a/pkgs/os-specific/linux/kernel/grsec-path.patch b/pkgs/os-specific/linux/kernel/grsec-path.patch index 6f477c22b5e..bef1a75c23d 100644 --- a/pkgs/os-specific/linux/kernel/grsec-path.patch +++ b/pkgs/os-specific/linux/kernel/grsec-path.patch @@ -2,13 +2,14 @@ diff --git a/kernel/kmod.c b/kernel/kmod.c index a689506..30747b4 100644 --- a/kernel/kmod.c 
+++ b/kernel/kmod.c -@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data) +@@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data) out the path to be used prior to this point and are now operating on that copy */ - if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) && - strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) && - strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) && +- strncmp(sub_info->path, "/usr/sbin/", 10) && - strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) { + if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) && + strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) { diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 3f7afd90322..93c31d0cdd0 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -87,10 +87,10 @@ rec { }; grsecurity_unstable = grsecPatch - { kversion = "4.3.4"; - revision = "201601231215"; + { kversion = "4.4.2"; + revision = "201602182048"; branch = "test"; - sha256 = "1dacld4zlp8mk6ykc0f1v5crppvq3znbdw9rwfrf6qi90984x0mr"; + sha256 = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr"; }; grsec_fix_path = From 75479605463a0319fa6af0dcd64c833138d38198 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Sat, 27 Feb 2016 16:33:18 +0100 Subject: [PATCH 2/6] grsecurity: move version information to one place --- pkgs/build-support/grsecurity/default.nix | 14 +++++++------- pkgs/os-specific/linux/kernel/patches.nix | 15 +++++++++------ 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix index f58d98933d4..77b947f906e 100644 --- a/pkgs/build-support/grsecurity/default.nix 
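Review bot: The rewritten condition in the `+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) && ...` lines of the nested kmod.c hunk allows any usermode helper located under `/nix/store/`, a far wider set than the fixed system directories the original grsecurity check enumerates, and on a multi-user install the store is also where every local user's builds land; the surviving `strstr(sub_info->path, "..")` test does not narrow that prefix. Whether a tighter prefix is feasible depends on where the kernel's helpers actually live on NixOS, so at minimum a comment in the patch file recording the trade-off, e.g. `/* NixOS: helper binaries live in the store, so the grsec path check is relaxed to /nix/store/ and systemd's helper dir */`, would help the next person who touches it. The identical condition is repeated verbatim in `grsecurity-path-3.14.patch` added by patch 4/6, so the remark applies there as well. `____call_usermodehelper` begins and ends outside this nested hunk.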
+++ b/pkgs/build-support/grsecurity/default.nix @@ -22,18 +22,18 @@ let vals = rec { - mkKernel = kernel: patch: - assert patch.kversion == kernel.version; - { inherit kernel patch; - inherit (patch) grversion revision; + mkKernel = patch: + { + inherit patch; + inherit (patch) kernel grversion revision; }; - test-patch = with pkgs.kernelPatches; grsecurity_unstable; + test-patch = with pkgs.kernelPatches; grsecurity_testing; stable-patch = with pkgs.kernelPatches; grsecurity_stable; grKernel = if cfg.stable - then mkKernel pkgs.linux_3_14 stable-patch - else mkKernel pkgs.linux_4_4 test-patch; + then mkKernel stable-patch + else mkKernel test-patch; ## -- grsecurity configuration --------------------------------------------- diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 93c31d0cdd0..3e745d9f2b5 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl }: +{ stdenv, fetchurl, pkgs }: let @@ -18,9 +18,10 @@ let }; }; - grsecPatch = { grversion ? "3.1", kversion, revision, branch, sha256 }: + grsecPatch = { grversion ? "3.1", kernel, kversion, revision, branch, sha256 }: + assert kversion == kernel.version; { name = "grsecurity-${grversion}-${kversion}"; - inherit grversion kversion revision; + inherit grversion kernel kversion revision; patch = fetchurl { url = "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"; inherit sha256; 
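Review bot: The new `assert kversion == kernel.version;` in `grsecPatch` fails with only Nix's generic assertion-failed location, so a mismatched bump, the exact mistake the check exists to catch now that every update must touch both the patch attribute and the base kernel, gives no hint which two versions disagreed. `if kversion != kernel.version then throw "grsecurity patch ${kversion} does not match kernel ${kernel.version}" else { ... }` would make the failure self-explanatory; alternatively, drop `kversion` and derive it from `kernel.version` if the cross-check is not wanted. The body of `grsecPatch` continues past the end of this hunk.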
@@ -80,14 +81,16 @@ rec { }; grsecurity_stable = grsecPatch - { kversion = "3.14.51"; + { kernel = pkgs.linux_3_14; + kversion = "3.14.51"; revision = "201508181951"; branch = "stable"; sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f"; }; - grsecurity_unstable = grsecPatch - { kversion = "4.4.2"; + grsecurity_testing = grsecPatch + { kernel = pkgs.linux_4_4; + kversion = "4.4.2"; revision = "201602182048"; branch = "test"; sha256 = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr"; From 75f353ffbdbd5345005e6231a93dd1eae95f6785 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Sat, 27 Feb 2016 19:33:35 +0100 Subject: [PATCH 3/6] grsecurity: decouple from mainline --- .../linux/kernel/linux-grsecurity-3.14.nix | 19 +++++++++++++++++++ .../linux/kernel/linux-grsecurity-4.4.nix | 19 +++++++++++++++++++ pkgs/os-specific/linux/kernel/patches.nix | 8 +++++--- pkgs/top-level/all-packages.nix | 18 ++++++++++++++++++ 4 files changed, 61 insertions(+), 3 deletions(-) create mode 100644 pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix create mode 100644 pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix new file mode 100644 index 00000000000..a67a91b4d0c --- /dev/null +++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix @@ -0,0 +1,19 @@ +{ stdenv, fetchurl, perl, buildLinux, ... } @ args: + +import ./generic.nix (args // rec { + version = "3.14.51"; + extraMeta.branch = "3.14"; + + src = fetchurl { + url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz"; + sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk"; + }; + + kernelPatches = args.kernelPatches; + + features.iwlwifi = true; + features.efiBootStub = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; +} // (args.argsOverride or {})) 
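Review bot: `linux-grsecurity-3.14.nix` is identical to `linux-grsecurity-4.4.nix` in the next hunk apart from `version`, `extraMeta.branch` and the source `sha256`, so the five `features.*` lines and the `kernelPatches`/`argsOverride` plumbing are now maintained in two places (three once patch 6/6 adds 4.1). A single generic file taking `version`, `branch` and `sha256`, or failing that a comment at the top of each file saying it must stay in lockstep with its mainline counterpart, would keep them from drifting. Decoupling also means these base kernels no longer pick up point releases made to `pkgs.linux_3_14`/`pkgs.linux_4_4`; a comment beside `version` stating that it has to be bumped together with the matching grsecurity patch (the `assert` in `grsecPatch` enforces the pairing) would make that obligation visible.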
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix new file mode 100644 index 00000000000..dff91095549 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix @@ -0,0 +1,19 @@ +{ stdenv, fetchurl, perl, buildLinux, ... } @ args: + +import ./generic.nix (args // rec { + version = "4.4.2"; + extraMeta.branch = "4.4"; + + src = fetchurl { + url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; + sha256 = "09l6y0nb8yv7l16arfwhy4i5h9pkxcbd7hlbw0015n7gm4i2mzc2"; + }; + + kernelPatches = args.kernelPatches; + + features.iwlwifi = true; + features.efiBootStub = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; +} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 3e745d9f2b5..8ff83b2d7ee 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -23,7 +23,9 @@ let { name = "grsecurity-${grversion}-${kversion}"; inherit grversion kernel kversion revision; patch = fetchurl { - url = "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"; + url = if branch == "stable" + then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true" + else "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"; inherit sha256; }; features.grsecurity = true; @@ -81,7 +83,7 @@ rec { }; grsecurity_stable = grsecPatch - { kernel = pkgs.linux_3_14; + { kernel = pkgs.linux_grsecurity_3_14; kversion = "3.14.51"; revision = "201508181951"; branch = "stable"; 
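Review bot: The added `if branch == "stable"` branch fetches stable patches from a second third-party GitHub archive through a `?raw=true` blob URL, so for both branches the pinned `sha256` is the only integrity check between the build and whatever those repositories serve. That is fine only if the hash is obtained independently of the download rather than copied from a failed fetch; the `throw` text removed later in this series points at upstream's announcement page, which appears to be why a mirror is needed at all. A comment above `url` such as `# third-party archives of grsecurity patches; the sha256 is the sole integrity check, verify it against an independently obtained copy before bumping` would record that expectation for whoever does the next bump.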
@@ -89,7 +91,7 @@ rec { }; grsecurity_testing = grsecPatch - { kernel = pkgs.linux_4_4; + { kernel = pkgs.linux_grsecurity_4_4; kversion = "4.4.2"; revision = "201602182048"; branch = "test"; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 22dbfc41f43..d45c78d67a7 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -10407,6 +10407,24 @@ let to EC2, where Xen is the Hypervisor. */ + linux_grsecurity_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix { + kernelPatches = [ kernelPatches.bridge_stp_helper ] + ++ lib.optionals ((platform.kernelArch or null) == "mips") + [ kernelPatches.mips_fpureg_emu + kernelPatches.mips_fpu_sigill + kernelPatches.mips_ext3_n32 + ]; + }; + + linux_grsecurity_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix { + kernelPatches = [ kernelPatches.bridge_stp_helper ] + ++ lib.optionals ((platform.kernelArch or null) == "mips") + [ kernelPatches.mips_fpureg_emu + kernelPatches.mips_fpu_sigill + kernelPatches.mips_ext3_n32 + ]; + }; + grFlavors = import ../build-support/grsecurity/flavors.nix; mkGrsecurity = opts: From 4e3d6d3e90de85b610290af60ba374da20a2cc69 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Sat, 27 Feb 2016 19:54:55 +0100 Subject: [PATCH 4/6] grsecurity: separate fix patches for testing & stable --- pkgs/build-support/grsecurity/default.nix | 4 ++-- .../linux/kernel/grsecurity-path-3.14.patch | 17 +++++++++++++++++ ...sec-path.patch => grsecurity-path-4.4.patch} | 0 pkgs/os-specific/linux/kernel/patches.nix | 17 ++++++++++++----- 4 files changed, 31 insertions(+), 7 deletions(-) create mode 100644 pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch rename pkgs/os-specific/linux/kernel/{grsec-path.patch => grsecurity-path-4.4.patch} (100%) diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix index 77b947f906e..4a395d46459 100644 
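Review bot: The `kernelPatches` list passed to `linux_grsecurity_3_14` and `linux_grsecurity_4_4` is copied verbatim (`bridge_stp_helper` plus the three MIPS patches under the same `platform.kernelArch` test), and patch 6/6 adds a third copy for 4.1. Binding it once, e.g. `grsecurityBaseKernelPatches = [ kernelPatches.bridge_stp_helper ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu kernelPatches.mips_fpu_sigill kernelPatches.mips_ext3_n32 ];`, and passing `kernelPatches = grsecurityBaseKernelPatches;` to each `callPackage` would keep the copies in step when a patch is added or dropped.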
--- a/pkgs/build-support/grsecurity/default.nix +++ b/pkgs/build-support/grsecurity/default.nix @@ -25,7 +25,7 @@ let mkKernel = patch: { inherit patch; - inherit (patch) kernel grversion revision; + inherit (patch) kernel patches grversion revision; }; test-patch = with pkgs.kernelPatches; grsecurity_testing; @@ -136,7 +136,7 @@ let mkGrsecKern = grkern: lowPrio (overrideDerivation (grkern.kernel.override (args: { - kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ]; + kernelPatches = args.kernelPatches ++ [ grkern.patch ] ++ grkern.patches; argsOverride = { modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}"; }; diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch new file mode 100644 index 00000000000..6f477c22b5e --- /dev/null +++ b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch @@ -0,0 +1,17 @@ +diff --git a/kernel/kmod.c b/kernel/kmod.c +index a689506..30747b4 100644 +--- a/kernel/kmod.c ++++ b/kernel/kmod.c +@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data) + out the path to be used prior to this point and are now operating + on that copy + */ +- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) && +- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) && +- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) && +- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) { ++ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) && ++ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) { + printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path); + retval = -EPERM; + goto out; 
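Review bot: `kernelPatches = args.kernelPatches ++ [ grkern.patch ] ++ grkern.patches;` in `mkGrsecKern` depends on ordering, because the `grkern.patches` entries rewrite the `grsec: denied exec of usermode helper` check that `grkern.patch` itself introduces into kernel/kmod.c, yet nothing in the hunk says so. A one-line comment, `# grsecurity patch first: the path fix-ups in grkern.patches modify code it adds`, would stop someone from later merging the concatenation into a single list in a different order. `mkGrsecKern` starts and ends outside this hunk.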
diff --git a/pkgs/os-specific/linux/kernel/grsec-path.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch similarity index 100% rename from pkgs/os-specific/linux/kernel/grsec-path.patch rename to pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 8ff83b2d7ee..c5b9fe9d3a7 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -18,10 +18,10 @@ let }; }; - grsecPatch = { grversion ? "3.1", kernel, kversion, revision, branch, sha256 }: + grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch, sha256 }: assert kversion == kernel.version; { name = "grsecurity-${grversion}-${kversion}"; - inherit grversion kernel kversion revision; + inherit grversion kernel patches kversion revision; patch = fetchurl { url = if branch == "stable" then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true" @@ -84,6 +84,7 @@ rec { grsecurity_stable = grsecPatch { kernel = pkgs.linux_grsecurity_3_14; + patches = [ grsecurity_fix_path_3_14 ]; kversion = "3.14.51"; revision = "201508181951"; branch = "stable"; @@ -92,15 +93,21 @@ rec { grsecurity_testing = grsecPatch { kernel = pkgs.linux_grsecurity_4_4; + patches = [ grsecurity_fix_path_4_4 ]; kversion = "4.4.2"; revision = "201602182048"; branch = "test"; sha256 = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr"; }; - grsec_fix_path = - { name = "grsec-fix-path"; - patch = ./grsec-path.patch; + grsecurity_fix_path_3_14 = + { name = "grsecurity-fix-path-3.14"; + patch = ./grsecurity-path-3.14.patch; + }; + + grsecurity_fix_path_4_4 = + { name = "grsecurity-fix-path-4.4"; + patch = ./grsecurity-path-4.4.patch; }; crc_regression = From 38614d3f6ac0a071e4d9e4ee0a6faa1d517c3b95 Mon Sep 17 00:00:00 2001 
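Review bot: `patches` is added to `grsecPatch` as a required attribute (`kernel, patches, kversion, ...`) while `grversion` keeps its default, so any future caller with no follow-up patches has to write `patches = [];` or get a missing-attribute error. `patches ? []` in the argument set would keep the function usable for a patch that needs no fix-ups and matches the `branch ? "test"` default that patch 5/6 introduces. The renamed `grsec_fix_path` attribute also disappears without an alias, which breaks any external reference to `kernelPatches.grsec_fix_path`.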
From: "tg(x)" <*@tg-x.net> Date: Sun, 28 Feb 2016 04:10:59 +0100 Subject: [PATCH 5/6] grsecurity: use kernel version instead of testing / stable --- nixos/modules/security/grsecurity.nix | 27 ++------ pkgs/build-support/grsecurity/default.nix | 15 ++--- pkgs/build-support/grsecurity/flavors.nix | 25 +++---- pkgs/os-specific/linux/kernel/patches.nix | 13 ++-- pkgs/top-level/all-packages.nix | 80 +++++++++++++++-------- 5 files changed, 76 insertions(+), 84 deletions(-) diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 40942644868..ea739264a14 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -26,19 +26,11 @@ in ''; }; - stable = mkOption { - type = types.bool; - default = false; + kernelPatch = mkOption { + type = types.attrs; + default = pkgs.kernelPatches.grsecurity_latest; description = '' - Enable the stable grsecurity patch, based on Linux 3.14. - ''; - }; - - testing = mkOption { - type = types.bool; - default = false; - description = '' - Enable the testing grsecurity patch, based on Linux 4.0. + Grsecurity patch to use. ''; }; @@ -219,16 +211,7 @@ in config = mkIf cfg.enable { assertions = - [ { assertion = cfg.stable || cfg.testing; - message = '' - If grsecurity is enabled, you must select either the - stable patch (with kernel 3.14), or the testing patch (with - kernel 4.0) to continue. - ''; - } - { assertion = !(cfg.stable && cfg.testing); - message = "Select either one of the stable or testing patch"; - } + [ { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) || (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc); message = "You cannot enable both restrictProc and restrictProcWithGroup"; diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix index 4a395d46459..64cce3dbad5 100644 --- a/pkgs/build-support/grsecurity/default.nix +++ b/pkgs/build-support/grsecurity/default.nix 
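Review bot: The new `kernelPatch` option is typed `types.attrs` with the one-line description `Grsecurity patch to use.`, which tells a user neither which values are valid nor that the default `pkgs.kernelPatches.grsecurity_latest` is a moving alias whose kernel major version can change on a nixpkgs update. The description could read: `The grsecurity kernel patch to build against; one of the pkgs.kernelPatches.grsecurity_* attributes (e.g. grsecurity_3_14, grsecurity_4_4). The default, grsecurity_latest, tracks the newest supported kernel and may change major version between nixpkgs revisions.` The removed `stable`/`testing` booleans get no migration hint either; a `mkRemovedOptionModule` entry in `imports`, if this nixpkgs revision has it, or at least a sentence in the description would turn the resulting "option does not exist" error into an actionable one.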
@@ -4,8 +4,7 @@ with lib; let cfg = { - stable = grsecOptions.stable or false; - testing = grsecOptions.testing or false; + kernelPatch = grsecOptions.kernelPatch; config = { mode = "auto"; sysctl = false; @@ -28,12 +27,7 @@ let inherit (patch) kernel patches grversion revision; }; - test-patch = with pkgs.kernelPatches; grsecurity_testing; - stable-patch = with pkgs.kernelPatches; grsecurity_stable; - - grKernel = if cfg.stable - then mkKernel stable-patch - else mkKernel test-patch; + grKernel = mkKernel cfg.kernelPatch; ## -- grsecurity configuration --------------------------------------------- @@ -90,8 +84,8 @@ let # Disable restricting links under the testing kernel, as something # has changed causing it to fail miserably during boot. - restrictLinks = optionalString cfg.testing - "GRKERNSEC_LINK n"; + #restrictLinks = optionalString cfg.testing + # "GRKERNSEC_LINK n"; in '' GRKERNSEC y ${grsecMainConfig} @@ -109,7 +103,6 @@ let GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod} GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB} GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC} - ${restrictLinks} ${cfg.config.kernelExtraConfig} ''; diff --git a/pkgs/build-support/grsecurity/flavors.nix b/pkgs/build-support/grsecurity/flavors.nix index 969ca579f5a..1281d60aa32 100644 --- a/pkgs/build-support/grsecurity/flavors.nix +++ b/pkgs/build-support/grsecurity/flavors.nix 
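Review bot: `restrictLinks` is commented out instead of removed, and the comment above it ("Disable restricting links under the testing kernel, as something has changed causing it to fail miserably during boot") is kept verbatim, so the file now describes a workaround it no longer applies; the dead `#restrictLinks = optionalString cfg.testing` line also references `cfg.testing`, which this same commit deletes. Either drop the comment together with both commented lines, or replace the block with a statement of the new state, e.g. `# The per-testing-kernel "GRKERNSEC_LINK n" override was dropped when stable/testing became kernelPatch; GRKERNSEC_LINK is now whatever the generated config and kernel defaults select. Re-add a per-patch override if the boot failure reappears.` Because `${restrictLinks}` is removed from the generated config in the following hunk, this is a behaviour change for users of the 4.4 kernel, not just a rename, and deserves a mention in the commit message as well.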
@@ -1,26 +1,17 @@ let - mkOpts = ver: prio: sys: virt: swvirt: hwvirt: + mkOpts = prio: sys: virt: swvirt: hwvirt: { config.priority = prio; config.system = sys; config.virtualisationConfig = virt; config.hardwareVirtualisation = hwvirt; config.virtualisationSoftware = swvirt; - } // builtins.listToAttrs [ { name = ver; value = true; } ]; + }; in { - # Stable kernels - linux_grsec_stable_desktop = - mkOpts "stable" "performance" "desktop" "host" "kvm" true; - linux_grsec_stable_server = - mkOpts "stable" "security" "server" "host" "kvm" true; - linux_grsec_stable_server_xen = - mkOpts "stable" "security" "server" "guest" "xen" true; - - # Testing kernels - linux_grsec_testing_desktop = - mkOpts "testing" "performance" "desktop" "host" "kvm" true; - linux_grsec_testing_server = - mkOpts "testing" "security" "server" "host" "kvm" true; - linux_grsec_testing_server_xen = - mkOpts "testing" "security" "server" "guest" "xen" true; + desktop = + mkOpts "performance" "desktop" "host" "kvm" true; + server = + mkOpts "security" "server" "host" "kvm" true; + server_xen = + mkOpts "security" "server" "guest" "xen" true; } diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index c5b9fe9d3a7..9945361688e 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -18,7 +18,7 @@ let }; }; - grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch, sha256 }: + grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }: assert kversion == kernel.version; { name = "grsecurity-${grversion}-${kversion}"; inherit grversion kernel patches kversion revision; 
@@ -82,8 +82,8 @@ rec { sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j"; }; - grsecurity_stable = grsecPatch - { kernel = pkgs.linux_grsecurity_3_14; + grsecurity_3_14 = grsecPatch + { kernel = pkgs.grsecurity_base_linux_3_14; patches = [ grsecurity_fix_path_3_14 ]; kversion = "3.14.51"; revision = "201508181951"; @@ -91,15 +91,16 @@ rec { sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f"; }; - grsecurity_testing = grsecPatch - { kernel = pkgs.linux_grsecurity_4_4; + grsecurity_4_4 = grsecPatch + { kernel = pkgs.grsecurity_base_linux_4_4; patches = [ grsecurity_fix_path_4_4 ]; kversion = "4.4.2"; revision = "201602182048"; - branch = "test"; sha256 = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr"; }; + grsecurity_latest = grsecurity_4_4; + grsecurity_fix_path_3_14 = { name = "grsecurity-fix-path-3.14"; patch = ./grsecurity-path-3.14.patch; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d45c78d67a7..b4d83c68c64 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -10407,7 +10407,9 @@ let to EC2, where Xen is the Hypervisor. */ - linux_grsecurity_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix { + # Base kernels to apply the grsecurity patch onto + + grsecurity_base_linux_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix { kernelPatches = [ kernelPatches.bridge_stp_helper ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu @@ -10416,7 +10418,7 @@ let ]; }; - linux_grsecurity_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix { + grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix { kernelPatches = [ kernelPatches.bridge_stp_helper ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu 
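Review bot: `grsecurity_stable` and `grsecurity_testing` are removed from `kernelPatches` without aliases, while the all-packages hunk of this same commit keeps `linux_grsec_stable_*`/`linux_grsec_testing_*` under an "old names" comment, so the two attribute sets disagree about backwards compatibility and anyone who referenced `kernelPatches.grsecurity_testing` directly gets an undefined-attribute error. Adding `grsecurity_stable = grsecurity_3_14;` and `grsecurity_testing = grsecurity_latest;` next to `grsecurity_latest = grsecurity_4_4;`, under a `# old names` comment, would make the two consistent. `grsecurity_latest` itself deserves a one-line comment that it is the NixOS module's default and that bumping it changes the kernel major version for every user who has not pinned `kernelPatch`.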
@@ -10427,28 +10429,37 @@ let grFlavors = import ../build-support/grsecurity/flavors.nix; - mkGrsecurity = opts: + mkGrsecurity = patch: opts: (callPackage ../build-support/grsecurity { - grsecOptions = opts; + grsecOptions = { kernelPatch = patch; } // opts; }); - grKernel = opts: (mkGrsecurity opts).grsecKernel; - grPackage = opts: recurseIntoAttrs (mkGrsecurity opts).grsecPackage; + grKernel = patch: opts: (mkGrsecurity patch opts).grsecKernel; + grPackage = patch: opts: recurseIntoAttrs (mkGrsecurity patch opts).grsecPackage; - # Stable kernels - # This is no longer supported. Please see the official announcement on the - # grsecurity page. https://grsecurity.net/announce.php - linux_grsec_stable_desktop = throw "No longer supported due to https://grsecurity.net/announce.php. " - + "Please use linux_grsec_testing_desktop."; - linux_grsec_stable_server = throw "No longer supported due to https://grsecurity.net/announce.php. " - + "Please use linux_grsec_testing_server."; - linux_grsec_stable_server_xen = throw "No longer supporteddue to https://grsecurity.net/announce.php. 
" - + "Please use linux_grsec_testing_server_xen."; + # grsecurity kernels (see also linuxPackages_grsec_*) - # Testing kernels - linux_grsec_testing_desktop = grKernel grFlavors.linux_grsec_testing_desktop; - linux_grsec_testing_server = grKernel grFlavors.linux_grsec_testing_server; - linux_grsec_testing_server_xen = grKernel grFlavors.linux_grsec_testing_server_xen; + linux_grsec_desktop_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.desktop; + linux_grsec_server_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.server; + linux_grsec_server_xen_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.server_xen; + + linux_grsec_desktop_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.desktop; + linux_grsec_server_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server; + linux_grsec_server_xen_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server_xen; + + linux_grsec_desktop_latest = grKernel kernelPatches.grsecurity_latest grFlavors.desktop; + linux_grsec_server_latest = grKernel kernelPatches.grsecurity_latest grFlavors.server; + linux_grsec_server_xen_latest = grKernel kernelPatches.grsecurity_latest grFlavors.server_xen; + + # grsecurity: old names + + linux_grsec_testing_desktop = linux_grsec_desktop_latest; + linux_grsec_testing_server = linux_grsec_server_latest; + linux_grsec_testing_server_xen = linux_grsec_server_xen_latest; + + linux_grsec_stable_desktop = linux_grsec_desktop_3_14; + linux_grsec_stable_server = linux_grsec_server_3_14; + linux_grsec_stable_server_xen = linux_grsec_server_xen_3_14; /* Linux kernel modules are inherently tied to a specific kernel. So rather than provide specific instances of those packages for a 
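Review bot: `linux_grsec_stable_desktop`/`_server`/`_server_xen` previously evaluated to `throw "No longer supported due to https://grsecurity.net/announce.php ..."`, and this hunk turns them into working aliases for the 3.14 builds, which pin the 3.14.51 base and the `201508181951` (August 2015) patch revision in patches.nix. Users who saw the old error and were told to move to the testing kernels will now silently get a kernel series that, going by the removed text, upstream no longer updates. If the 3.14 flavour is meant to stay available, the `# grsecurity: old names` comment should say that `*_stable_*` now maps to the frozen 3.14 series; otherwise keep the `throw` (or a `lib.warn`, if this revision has it) for the stable names. The same applies to the `linuxPackages_grsec_stable_*` aliases in the following hunk.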
@@ -10589,16 +10600,29 @@ let # Build a kernel for Xen dom0 linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }) linuxPackages_latest); - # grsecurity flavors - # Stable kernels - linuxPackages_grsec_stable_desktop = grPackage grFlavors.linux_grsec_stable_desktop; - linuxPackages_grsec_stable_server = grPackage grFlavors.linux_grsec_stable_server; - linuxPackages_grsec_stable_server_xen = grPackage grFlavors.linux_grsec_stable_server_xen; + # grsecurity packages - # Testing kernels - linuxPackages_grsec_testing_desktop = grPackage grFlavors.linux_grsec_testing_desktop; - linuxPackages_grsec_testing_server = grPackage grFlavors.linux_grsec_testing_server; - linuxPackages_grsec_testing_server_xen = grPackage grFlavors.linux_grsec_testing_server_xen; + linuxPackages_grsec_desktop_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.desktop; + linuxPackages_grsec_server_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.server; + linuxPackages_grsec_server_xen_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.server_xen; + + linuxPackages_grsec_desktop_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.desktop; + linuxPackages_grsec_server_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server; + linuxPackages_grsec_server_xen_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server_xen; + + linuxPackages_grsec_desktop_latest = grPackage kernelPatches.grsecurity_latest grFlavors.desktop; + linuxPackages_grsec_server_latest = grPackage kernelPatches.grsecurity_latest grFlavors.server; + linuxPackages_grsec_server_xen_latest = grPackage kernelPatches.grsecurity_latest grFlavors.server_xen; + + # grsecurity: old names + + linuxPackages_grsec_testing_desktop = linuxPackages_grsec_desktop_latest; + linuxPackages_grsec_testing_server = linuxPackages_grsec_server_latest; + linuxPackages_grsec_testing_server_xen = linuxPackages_grsec_server_xen_latest; + + 
linuxPackages_grsec_stable_desktop = linuxPackages_grsec_desktop_3_14; + linuxPackages_grsec_stable_server = linuxPackages_grsec_server_3_14; + linuxPackages_grsec_stable_server_xen = linuxPackages_grsec_server_xen_3_14; # ChromiumOS kernels linuxPackages_chromiumos_3_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_chromiumos_3_14 linuxPackages_chromiumos_3_14); From be3bd972d5f242340a28b65c31d2f16a97c59017 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Sun, 28 Feb 2016 15:00:05 +0100 Subject: [PATCH 6/6] grsecurity: add 4.1 kernel --- nixos/modules/security/grsecurity.nix | 1 + .../linux/kernel/linux-grsecurity-4.1.nix | 19 +++++++++++++++++++ pkgs/os-specific/linux/kernel/patches.nix | 8 ++++++++ pkgs/top-level/all-packages.nix | 17 +++++++++++++++++ 4 files changed, 45 insertions(+) create mode 100644 pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index ea739264a14..3aabbc8fe1b 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -29,6 +29,7 @@ in kernelPatch = mkOption { type = types.attrs; default = pkgs.kernelPatches.grsecurity_latest; + example = pkgs.kernelPatches.grsecurity_4_1; description = '' Grsecurity patch to use. ''; diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix new file mode 100644 index 00000000000..4359f4586c5 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix 
@@ -0,0 +1,19 @@ +{ stdenv, fetchurl, perl, buildLinux, ... } @ args: + +import ./generic.nix (args // rec { + version = "4.1.7"; + extraMeta.branch = "4.1"; + + src = fetchurl { + url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; + sha256 = "0g1dnvak0pd03d4miy1025bw64wq71w29a058dzspdr6jcf9qwbn"; + }; + + kernelPatches = args.kernelPatches; + + features.iwlwifi = true; + features.efiBootStub = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; +} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 9945361688e..b20d53ef6da 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -91,6 +91,14 @@ rec { sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f"; }; + grsecurity_4_1 = grsecPatch + { kernel = pkgs.grsecurity_base_linux_4_1; + patches = [ grsecurity_fix_path_3_14 ]; + kversion = "4.1.7"; + revision = "201509201149"; + sha256 = "1agv8c3c4vmh5algbzmrq2f6vwk72rikrlcbm4h7jbrb9js6fxk4"; + }; + grsecurity_4_4 = grsecPatch { kernel = pkgs.grsecurity_base_linux_4_4; patches = [ grsecurity_fix_path_4_4 ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b4d83c68c64..321e28f95b3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
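Review bot: `grsecurity_4_1` reuses `grsecurity_fix_path_3_14` for a 4.1.7 kernel, so the patch name no longer says what it applies to; within this series the two path patches differ only in the `/usr/sbin/` line of the kmod.c check, so either rename them after that variant (e.g. `grsecurity_fix_path_pre_4_4`/`grsecurity_fix_path_4_4`) or add `# 4.1's kmod.c matches the 3.14 variant of the path check` beside the `patches =` line; whether the 3.14 hunk really applies cleanly to 4.1 cannot be confirmed from here. The entry also introduces a test-branch snapshot (`201509201149`, kernel 4.1.7) dated about five months before the 4.4.2 one in the same file, with `branch` left at its default so it is fetched from the same scrape repository; a comment on why this older series is being added and whether it is expected to receive further bumps would help maintainers decide when to drop it.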
@@ -10418,6 +10418,15 @@ let ]; }; + grsecurity_base_linux_4_1 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.1.nix { + kernelPatches = [ kernelPatches.bridge_stp_helper ] + ++ lib.optionals ((platform.kernelArch or null) == "mips") + [ kernelPatches.mips_fpureg_emu + kernelPatches.mips_fpu_sigill + kernelPatches.mips_ext3_n32 + ]; + }; + grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix { kernelPatches = [ kernelPatches.bridge_stp_helper ] ++ lib.optionals ((platform.kernelArch or null) == "mips") @@ -10443,6 +10452,10 @@ let linux_grsec_server_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.server; linux_grsec_server_xen_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.server_xen; + linux_grsec_desktop_4_1 = grKernel kernelPatches.grsecurity_4_1 grFlavors.desktop; + linux_grsec_server_4_1 = grKernel kernelPatches.grsecurity_4_1 grFlavors.server; + linux_grsec_server_xen_4_1 = grKernel kernelPatches.grsecurity_4_1 grFlavors.server_xen; + linux_grsec_desktop_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.desktop; linux_grsec_server_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server; linux_grsec_server_xen_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server_xen; 
@@ -10606,6 +10619,10 @@ let linuxPackages_grsec_server_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.server; linuxPackages_grsec_server_xen_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.server_xen; + linuxPackages_grsec_desktop_4_1 = grPackage kernelPatches.grsecurity_4_1 grFlavors.desktop; + linuxPackages_grsec_server_4_1 = grPackage kernelPatches.grsecurity_4_1 grFlavors.server; + linuxPackages_grsec_server_xen_4_1 = grPackage kernelPatches.grsecurity_4_1 grFlavors.server_xen; + linuxPackages_grsec_desktop_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.desktop; linuxPackages_grsec_server_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server; linuxPackages_grsec_server_xen_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server_xen;