Merge remote-tracking branch 'origin/pr/13505'

Fixes #13505.
2016-03-08 01:01:44 +01:00 · 2016-03-08 01:01:44 +01:00 · eb5a897161
commit eb5a897161
parent d43578b599 be3bd972d5
10 changed files with 218 additions and 95 deletions
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -26,19 +26,12 @@ in
        '';
      };
-      stable = mkOption {
+      kernelPatch = mkOption {
-        type = types.bool;
+        type = types.attrs;
-        default = false;
+        default = pkgs.kernelPatches.grsecurity_latest;
        example = pkgs.kernelPatches.grsecurity_4_1;
        description = ''
-          Enable the stable grsecurity patch, based on Linux 3.14.
+          Grsecurity patch to use.
        '';
      };
      testing = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the testing grsecurity patch, based on Linux 4.0.
        '';
      };
@ -219,16 +212,7 @@ in
  config = mkIf cfg.enable {
    assertions =
-      [ { assertion = cfg.stable || cfg.testing;
+      [
          message   = ''
            If grsecurity is enabled, you must select either the
            stable patch (with kernel 3.14), or the testing patch (with
            kernel 4.0) to continue.
          '';
        }
        { assertion = !(cfg.stable && cfg.testing);
          message   = "Select either one of the stable or testing patch";
        }
        { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
                      (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
          message   = "You cannot enable both restrictProc and restrictProcWithGroup";
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@ -4,8 +4,7 @@ with lib;
 let
  cfg = {
-    stable  = grsecOptions.stable  or false;
+    kernelPatch = grsecOptions.kernelPatch;
    testing = grsecOptions.testing or false;
    config = {
      mode = "auto";
      sysctl = false;
@ -22,18 +21,13 @@ let
  vals = rec {
-    mkKernel = kernel: patch:
+    mkKernel = patch:
-      assert patch.kversion == kernel.version;
+        {
-        { inherit kernel patch;
+          inherit patch;
-          inherit (patch) grversion revision;
+          inherit (patch) kernel patches grversion revision;
        };
-    test-patch = with pkgs.kernelPatches; grsecurity_unstable;
+    grKernel = mkKernel cfg.kernelPatch;
    stable-patch = with pkgs.kernelPatches; grsecurity_stable;
    grKernel = if cfg.stable
               then mkKernel pkgs.linux_3_14 stable-patch
               else mkKernel pkgs.linux_4_3 test-patch;
    ## -- grsecurity configuration ---------------------------------------------
@ -90,8 +84,8 @@ let
          # Disable restricting links under the testing kernel, as something
          # has changed causing it to fail miserably during boot.
-          restrictLinks = optionalString cfg.testing
+          #restrictLinks = optionalString cfg.testing
-            "GRKERNSEC_LINK n";
+          #  "GRKERNSEC_LINK n";
      in ''
        GRKERNSEC y
        ${grsecMainConfig}
@ -109,7 +103,6 @@ let
        GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
        GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
        GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
        ${restrictLinks}
        ${cfg.config.kernelExtraConfig}
      '';
@ -136,7 +129,7 @@ let
    mkGrsecKern = grkern:
      lowPrio (overrideDerivation (grkern.kernel.override (args: {
-        kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
+        kernelPatches = args.kernelPatches ++ [ grkern.patch  ] ++ grkern.patches;
        argsOverride = {
          modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
        };
--- a/pkgs/build-support/grsecurity/flavors.nix
+++ b/pkgs/build-support/grsecurity/flavors.nix
@ -1,26 +1,17 @@
 let
-  mkOpts = ver: prio: sys: virt: swvirt: hwvirt:
+  mkOpts = prio: sys: virt: swvirt: hwvirt:
    { config.priority               = prio;
      config.system                 = sys;
      config.virtualisationConfig   = virt;
      config.hardwareVirtualisation = hwvirt;
      config.virtualisationSoftware = swvirt;
-    } // builtins.listToAttrs [ { name = ver; value = true; } ];
+    };
 in
 {
-  # Stable kernels
+  desktop =
-  linux_grsec_stable_desktop =
+    mkOpts "performance" "desktop" "host" "kvm" true;
-    mkOpts "stable" "performance" "desktop" "host" "kvm" true;
+  server  =
-  linux_grsec_stable_server  =
+    mkOpts "security" "server" "host" "kvm" true;
-    mkOpts "stable" "security" "server" "host" "kvm" true;
+  server_xen =
-  linux_grsec_stable_server_xen =
+    mkOpts "security" "server" "guest" "xen" true;
    mkOpts "stable" "security" "server" "guest" "xen" true;
  # Testing kernels
  linux_grsec_testing_desktop =
    mkOpts "testing" "performance" "desktop" "host" "kvm" true;
  linux_grsec_testing_server  =
    mkOpts "testing" "security" "server" "host" "kvm" true;
  linux_grsec_testing_server_xen =
    mkOpts "testing" "security" "server" "guest" "xen" true;
 }
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
+++ b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
+++ b/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
@ -0,0 +1,18 @@
 diff --git a/kernel/kmod.c b/kernel/kmod.c
 index a689506..30747b4 100644
 --- a/kernel/kmod.c
 +++ b/kernel/kmod.c
@@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data)
 	   out the path to be used prior to this point and are now operating
 	   on that copy
 	*/
 -	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
 -	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
 -	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
 -	     strncmp(sub_info->path, "/usr/sbin/", 10) &&
 -	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
 +	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
 +	     strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
 		retval = -EPERM;
 		goto out;
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
@ -0,0 +1,19 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 import ./generic.nix (args // rec {
  version = "3.14.51";
  extraMeta.branch = "3.14";
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
    sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk";
  };
  kernelPatches = args.kernelPatches;
  features.iwlwifi = true;
  features.efiBootStub = true;
  features.needsCifsUtils = true;
  features.canDisableNetfilterConntrackHelpers = true;
  features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix
@ -0,0 +1,19 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 import ./generic.nix (args // rec {
  version = "4.1.7";
  extraMeta.branch = "4.1";
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
    sha256 = "0g1dnvak0pd03d4miy1025bw64wq71w29a058dzspdr6jcf9qwbn";
  };
  kernelPatches = args.kernelPatches;
  features.iwlwifi = true;
  features.efiBootStub = true;
  features.needsCifsUtils = true;
  features.canDisableNetfilterConntrackHelpers = true;
  features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
@ -0,0 +1,19 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 import ./generic.nix (args // rec {
  version = "4.4.2";
  extraMeta.branch = "4.4";
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
    sha256 = "09l6y0nb8yv7l16arfwhy4i5h9pkxcbd7hlbw0015n7gm4i2mzc2";
  };
  kernelPatches = args.kernelPatches;
  features.iwlwifi = true;
  features.efiBootStub = true;
  features.needsCifsUtils = true;
  features.canDisableNetfilterConntrackHelpers = true;
  features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ stdenv, fetchurl, pkgs }:
 let
@ -18,11 +18,14 @@ let
      };
    };
-  grsecPatch = { grversion ? "3.1", kversion, revision, branch, sha256 }:
+  grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
    assert kversion == kernel.version;
    { name = "grsecurity-${grversion}-${kversion}";
-      inherit grversion kversion revision;
+      inherit grversion kernel patches kversion revision;
      patch = fetchurl {
-        url = "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true";
+        url = if branch == "stable"
              then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"
              else "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true";
        inherit sha256;
      };
      features.grsecurity = true;
@ -79,23 +82,41 @@ rec {
    sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
  };
-  grsecurity_stable = grsecPatch
+  grsecurity_3_14 = grsecPatch
-    { kversion  = "3.14.51";
+    { kernel    = pkgs.grsecurity_base_linux_3_14;
      patches   = [ grsecurity_fix_path_3_14 ];
      kversion  = "3.14.51";
      revision  = "201508181951";
      branch    = "stable";
      sha256    = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
    };
-  grsecurity_unstable = grsecPatch
+  grsecurity_4_1 = grsecPatch
-    { kversion  = "4.3.4";
+    { kernel    = pkgs.grsecurity_base_linux_4_1;
-      revision  = "201601231215";
+      patches   = [ grsecurity_fix_path_3_14 ];
-      branch    = "test";
+      kversion  = "4.1.7";
-      sha256    = "1dacld4zlp8mk6ykc0f1v5crppvq3znbdw9rwfrf6qi90984x0mr";
+      revision  = "201509201149";
      sha256    = "1agv8c3c4vmh5algbzmrq2f6vwk72rikrlcbm4h7jbrb9js6fxk4";
    };
-  grsec_fix_path =
+  grsecurity_4_4 = grsecPatch
-    { name = "grsec-fix-path";
+    { kernel    = pkgs.grsecurity_base_linux_4_4;
-      patch = ./grsec-path.patch;
+      patches   = [ grsecurity_fix_path_4_4 ];
      kversion  = "4.4.2";
      revision  = "201602182048";
      sha256    = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr";
    };
  grsecurity_latest = grsecurity_4_4;
  grsecurity_fix_path_3_14 =
    { name = "grsecurity-fix-path-3.14";
      patch = ./grsecurity-path-3.14.patch;
    };
  grsecurity_fix_path_4_4 =
    { name = "grsecurity-fix-path-4.4";
      patch = ./grsecurity-path-4.4.patch;
    };
  crc_regression =
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -10448,30 +10448,72 @@ let
     to EC2, where Xen is the Hypervisor.
  */
  # Base kernels to apply the grsecurity patch onto
  grsecurity_base_linux_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix {
    kernelPatches = [ kernelPatches.bridge_stp_helper ]
      ++ lib.optionals ((platform.kernelArch or null) == "mips")
      [ kernelPatches.mips_fpureg_emu
        kernelPatches.mips_fpu_sigill
        kernelPatches.mips_ext3_n32
      ];
  };
  grsecurity_base_linux_4_1 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.1.nix {
    kernelPatches = [ kernelPatches.bridge_stp_helper ]
      ++ lib.optionals ((platform.kernelArch or null) == "mips")
      [ kernelPatches.mips_fpureg_emu
        kernelPatches.mips_fpu_sigill
        kernelPatches.mips_ext3_n32
      ];
  };
  grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
    kernelPatches = [ kernelPatches.bridge_stp_helper ]
      ++ lib.optionals ((platform.kernelArch or null) == "mips")
      [ kernelPatches.mips_fpureg_emu
        kernelPatches.mips_fpu_sigill
        kernelPatches.mips_ext3_n32
      ];
  };
  grFlavors = import ../build-support/grsecurity/flavors.nix;
-  mkGrsecurity = opts:
+  mkGrsecurity = patch: opts:
    (callPackage ../build-support/grsecurity {
-      grsecOptions = opts;
+      grsecOptions = { kernelPatch = patch; } // opts;
    });
-  grKernel  = opts: (mkGrsecurity opts).grsecKernel;
+  grKernel  = patch: opts: (mkGrsecurity patch opts).grsecKernel;
-  grPackage = opts: recurseIntoAttrs (mkGrsecurity opts).grsecPackage;
+  grPackage = patch: opts: recurseIntoAttrs (mkGrsecurity patch opts).grsecPackage;
-  # Stable kernels
+  # grsecurity kernels (see also linuxPackages_grsec_*)
  # This is no longer supported. Please see the official announcement on the
  # grsecurity page. https://grsecurity.net/announce.php
  linux_grsec_stable_desktop    = throw "No longer supported due to https://grsecurity.net/announce.php. "
    + "Please use linux_grsec_testing_desktop.";
  linux_grsec_stable_server     = throw "No longer supported due to https://grsecurity.net/announce.php. "
    + "Please use linux_grsec_testing_server.";
  linux_grsec_stable_server_xen = throw "No longer supporteddue to https://grsecurity.net/announce.php. "
    + "Please use linux_grsec_testing_server_xen.";
-  # Testing kernels
+  linux_grsec_desktop_3_14    = grKernel kernelPatches.grsecurity_3_14 grFlavors.desktop;
-  linux_grsec_testing_desktop = grKernel grFlavors.linux_grsec_testing_desktop;
+  linux_grsec_server_3_14     = grKernel kernelPatches.grsecurity_3_14 grFlavors.server;
-  linux_grsec_testing_server  = grKernel grFlavors.linux_grsec_testing_server;
+  linux_grsec_server_xen_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.server_xen;
-  linux_grsec_testing_server_xen = grKernel grFlavors.linux_grsec_testing_server_xen;
+
  linux_grsec_desktop_4_1    = grKernel kernelPatches.grsecurity_4_1 grFlavors.desktop;
  linux_grsec_server_4_1     = grKernel kernelPatches.grsecurity_4_1 grFlavors.server;
  linux_grsec_server_xen_4_1 = grKernel kernelPatches.grsecurity_4_1 grFlavors.server_xen;
  linux_grsec_desktop_4_4    = grKernel kernelPatches.grsecurity_4_4 grFlavors.desktop;
  linux_grsec_server_4_4     = grKernel kernelPatches.grsecurity_4_4 grFlavors.server;
  linux_grsec_server_xen_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server_xen;
  linux_grsec_desktop_latest    = grKernel kernelPatches.grsecurity_latest grFlavors.desktop;
  linux_grsec_server_latest     = grKernel kernelPatches.grsecurity_latest grFlavors.server;
  linux_grsec_server_xen_latest = grKernel kernelPatches.grsecurity_latest grFlavors.server_xen;
  # grsecurity: old names
  linux_grsec_testing_desktop    = linux_grsec_desktop_latest;
  linux_grsec_testing_server     = linux_grsec_server_latest;
  linux_grsec_testing_server_xen = linux_grsec_server_xen_latest;
  linux_grsec_stable_desktop    = linux_grsec_desktop_3_14;
  linux_grsec_stable_server     = linux_grsec_server_3_14;
  linux_grsec_stable_server_xen = linux_grsec_server_xen_3_14;
  /* Linux kernel modules are inherently tied to a specific kernel.  So
     rather than provide specific instances of those packages for a
@ -10615,16 +10657,33 @@ let
  # Build a kernel for Xen dom0
  linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }) linuxPackages_latest);
-  # grsecurity flavors
+  # grsecurity packages
  # Stable kernels
  linuxPackages_grsec_stable_desktop    = grPackage grFlavors.linux_grsec_stable_desktop;
  linuxPackages_grsec_stable_server     = grPackage grFlavors.linux_grsec_stable_server;
  linuxPackages_grsec_stable_server_xen = grPackage grFlavors.linux_grsec_stable_server_xen;
-  # Testing kernels
+  linuxPackages_grsec_desktop_3_14    = grPackage kernelPatches.grsecurity_3_14 grFlavors.desktop;
-  linuxPackages_grsec_testing_desktop = grPackage grFlavors.linux_grsec_testing_desktop;
+  linuxPackages_grsec_server_3_14     = grPackage kernelPatches.grsecurity_3_14 grFlavors.server;
-  linuxPackages_grsec_testing_server  = grPackage grFlavors.linux_grsec_testing_server;
+  linuxPackages_grsec_server_xen_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.server_xen;
-  linuxPackages_grsec_testing_server_xen = grPackage grFlavors.linux_grsec_testing_server_xen;
+
  linuxPackages_grsec_desktop_4_1    = grPackage kernelPatches.grsecurity_4_1 grFlavors.desktop;
  linuxPackages_grsec_server_4_1     = grPackage kernelPatches.grsecurity_4_1 grFlavors.server;
  linuxPackages_grsec_server_xen_4_1 = grPackage kernelPatches.grsecurity_4_1 grFlavors.server_xen;
  linuxPackages_grsec_desktop_4_4    = grPackage kernelPatches.grsecurity_4_4 grFlavors.desktop;
  linuxPackages_grsec_server_4_4     = grPackage kernelPatches.grsecurity_4_4 grFlavors.server;
  linuxPackages_grsec_server_xen_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server_xen;
  linuxPackages_grsec_desktop_latest    = grPackage kernelPatches.grsecurity_latest grFlavors.desktop;
  linuxPackages_grsec_server_latest     = grPackage kernelPatches.grsecurity_latest grFlavors.server;
  linuxPackages_grsec_server_xen_latest = grPackage kernelPatches.grsecurity_latest grFlavors.server_xen;
  # grsecurity: old names
  linuxPackages_grsec_testing_desktop    = linuxPackages_grsec_desktop_latest;
  linuxPackages_grsec_testing_server     = linuxPackages_grsec_server_latest;
  linuxPackages_grsec_testing_server_xen = linuxPackages_grsec_server_xen_latest;
  linuxPackages_grsec_stable_desktop    = linuxPackages_grsec_desktop_3_14;
  linuxPackages_grsec_stable_server     = linuxPackages_grsec_server_3_14;
  linuxPackages_grsec_stable_server_xen = linuxPackages_grsec_server_xen_3_14;
  # ChromiumOS kernels
  linuxPackages_chromiumos_3_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_chromiumos_3_14 linuxPackages_chromiumos_3_14);