The plan is to fix mounting DFS shares on NixOS (for which some of these
options are needed), but I figured it might be a good idea to enable all
CONFIG_CIFS_* like Fedora 24 and Ubuntu 16.04 while at it. Ubuntu even
has CONFIG_CIFS_SMB311, but as Fedora does not, I left it out.
Mounting DFS shares still doesn't work; need to configure cifs.upcall
and /etc/request-key.conf. Until then, using GVFS as a workaround.

Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.

Copied from linux_4_4 (except for the EFI stub thing).
Otherwise the firewall module fails to evaluate:

    Failed assertions:
    - This kernel does not support rpfilter

This reverts commit e38b74ba89d3d03e01ee751131d2a6dc316ac33a.
I failed to notice f19c961b4e461da045f2e72e73701059e5117be0; better
use that fix instead.

In `scripts/Makefile.modinst`, the code that generates the list of
modules to install passes file names via the command line. When
installing a grsecurity kernel, this list appears to exceed the
shell's argument list limit, as in

    make[2]: execvp: /nix/store/[...]-bash-4.3-p46/bin/bash: Argument list too long

The build does not fail, however, but the list of modules to be installed ends
up being empty. Thus, the resulting kernel package output contains no modules,
rendering it useless.

We work around this by patching the makefile to use `find -exec` to
process files. Why this would occur for grsecurity and not other
kernels is unknown; most likely there's something *else* that is
actually causing this behaviour, so this is a temporary fix until that
cause is found.

Fixes https://github.com/NixOS/nixpkgs/issues/20490
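
Added example, not part of the commit above or of nixpkgs: module paths are handed over in batches with `find -exec ... {} +` instead of on one command line, and the install is rejected when the copied module count is zero or differs from the build tree, so an empty result cannot pass silently. Function names and the demo tree are hypothetical, and DEST must be an absolute path.

```shell
#!/bin/sh
# Added example; helper names and the demo tree are constructed, not from nixpkgs.

# Build a constructed tree of COUNT empty *.ko files plus one non-module file.
make_demo_tree() {  # make_demo_tree DIR COUNT
    mkdir -p "$1/drivers/net" "$1/fs"
    i=0
    while [ "$i" -lt "$2" ]; do
        : > "$1/drivers/net/demo_$i.ko"
        i=$((i + 1))
    done
    : > "$1/fs/not_a_module.txt"
}

# Count the *.ko files below a directory (0 if the directory is missing).
count_modules() {
    find "$1" -type f -name '*.ko' 2>/dev/null | wc -l | tr -d ' '
}

# Copy every module below SRC into DEST (absolute path), keeping the layout.
# find passes paths to the inner sh in batches that fit the exec limit,
# so no single command line has to carry the whole module list.
install_modules() {  # install_modules SRC DEST
    src=$1 dest=$2
    mkdir -p "$dest" || return 1
    ( cd "$src" && find . -type f -name '*.ko' -exec sh -c '
        dest=$1; shift
        for f in "$@"; do
            mkdir -p "$dest/$(dirname "$f")" && cp "$f" "$dest/$f" || exit 1
        done' sh "$dest" {} + )
}

# Fail closed: reject an install with zero modules or a count mismatch.
verify_install() {  # verify_install SRC DEST
    built=$(count_modules "$1")
    installed=$(count_modules "$2")
    [ "$built" -gt 0 ] && [ "$built" -eq "$installed" ]
}
```

Running `verify_install` as the last step of a packaging phase turns an empty module directory into a build failure.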

This reverts commit e02173c70cd18dee1972713031c412eee35d73ef, reversing
changes made to c2b4a0d2668fda88430e7067245fc63d977ea28c.
Breaks all grsec packages; not having binary substitutes for no good
reason is disruptive to my workflow, so I'll just revert this for now.