grsecurity: remove expressions for unsupported versions

Retain top-level attributes for now but consolidate compatibility
attributes.

Part of an ongoing cleanup; doing it all at once is infeasible.
Joachim Fasting 2016-05-15 21:36:24 +02:00
parent f7ec37f3e8
commit f99c86eec1
No known key found for this signature in database
GPG Key ID: 4330820E1E04DCF4
6 changed files with 31 additions and 161 deletions


@ -1,17 +0,0 @@
diff --git a/kernel/kmod.c b/kernel/kmod.c
index a689506..30747b4 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data)
out the path to be used prior to this point and are now operating
on that copy
*/
- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
retval = -EPERM;
goto out;


@ -1,18 +0,0 @@
diff --git a/kernel/kmod.c b/kernel/kmod.c
index a689506..30747b4 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data)
out the path to be used prior to this point and are now operating
on that copy
*/
- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
- strncmp(sub_info->path, "/usr/sbin/", 10) &&
- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
retval = -EPERM;
goto out;


@ -1,21 +0,0 @@
{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
throw "grsecurity stable is no longer supported; please update your configuration"
import ./generic.nix (args // rec {
version = "3.14.51";
extraMeta.branch = "3.14";
src = fetchurl {
url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk";
};
kernelPatches = args.kernelPatches;
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
} // (args.argsOverride or {}))


@ -1,21 +0,0 @@
{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
throw "grsecurity stable is no longer supported; please update your configuration"
import ./generic.nix (args // rec {
version = "4.4.5";
extraMeta.branch = "4.4";
src = fetchurl {
url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
sha256 = "1daavrj2msl85aijh1izfm1cwf14c7mi75hldzidr1h2v629l89h";
};
kernelPatches = args.kernelPatches;
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
} // (args.argsOverride or {}))


@ -88,22 +88,9 @@ rec {
sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
};
grsecurity_3_14 = grsecPatch
{ kernel = pkgs.grsecurity_base_linux_3_14;
patches = [ grsecurity_fix_path_3_14 ];
kversion = "3.14.51";
revision = "201508181951";
branch = "stable";
sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
};
grsecurity_3_14 = throw "grsecurity stable is no longer supported";
grsecurity_4_4 = grsecPatch
{ kernel = pkgs.grsecurity_base_linux_4_4;
patches = [ grsecurity_fix_path_4_4 ];
kversion = "4.4.5";
revision = "201603131305";
sha256 = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
};
grsecurity_4_4 = throw "grsecurity stable is no longer supported";
grsecurity_4_5 = grsecPatch
{ kernel = pkgs.grsecurity_base_linux_4_5;
@ -115,16 +102,6 @@ rec {
grsecurity_latest = grsecurity_4_5;
grsecurity_fix_path_3_14 =
{ name = "grsecurity-fix-path-3.14";
patch = ./grsecurity-path-3.14.patch;
};
grsecurity_fix_path_4_4 =
{ name = "grsecurity-fix-path-4.4";
patch = ./grsecurity-path-4.4.patch;
};
grsecurity_fix_path_4_5 =
{ name = "grsecurity-fix-path-4.5";
patch = ./grsecurity-path-4.5.patch;
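Review bot: The stubs added in the first hunk, `grsecurity_3_14 = throw "grsecurity stable is no longer supported";` and the matching `grsecurity_4_4` line, use a shorter message than the kernel expressions changed in the same commit, which throw `"grsecurity stable is no longer supported; please update your configuration"`, so the wording a user sees depends on which attribute is forced first. Using one text in both places and naming the supported replacement would make the migration path obvious, e.g. `grsecurity_3_14 = throw "grsecurity stable is no longer supported; use grsecurity_latest (currently grsecurity_4_5) instead";`, with the same change on the `grsecurity_4_4` line. Leaving `grsecurity_fix_path_4_5` in place in the second hunk looks right, since the usermode-helper path restriction it carries is still wanted for the one kernel that remains supported. The enclosing `rec { … }` starts and ends outside both hunks.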


@ -10717,38 +10717,7 @@ in
linux_chromiumos_latest = self.linux_chromiumos_3_18;
/* grsec configuration
We build several flavors of 'default' grsec kernels. These are
built by default with Hydra. If the user selects a matching
'default' flavor, then the pre-canned package set can be
chosen. Typically, users will make very basic choices like
'security' + 'server' or 'performance' + 'desktop' with
virtualisation support. These will then be picked.
Note: Xen guest kernels are included for e.g. NixOps deployments
to EC2, where Xen is the Hypervisor.
*/
# Base kernels to apply the grsecurity patch onto
grsecurity_base_linux_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix {
kernelPatches = [ kernelPatches.bridge_stp_helper ]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
kernelPatches.mips_fpu_sigill
kernelPatches.mips_ext3_n32
];
};
grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
kernelPatches = [ kernelPatches.bridge_stp_helper ]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
kernelPatches.mips_fpu_sigill
kernelPatches.mips_ext3_n32
];
};
# grsecurity configuration
grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
kernelPatches = [ kernelPatches.bridge_stp_helper ]
@ -10771,14 +10740,6 @@ in
# grsecurity kernels (see also linuxPackages_grsec_*)
linux_grsec_desktop_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
linux_grsec_server_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server;
linux_grsec_server_xen_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
linux_grsec_desktop_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
linux_grsec_server_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server;
linux_grsec_server_xen_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
linux_grsec_desktop_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
linux_grsec_server_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
@ -10787,16 +10748,6 @@ in
linux_grsec_server_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
# grsecurity: old names
linux_grsec_testing_desktop = self.linux_grsec_desktop_latest;
linux_grsec_testing_server = self.linux_grsec_server_latest;
linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest;
linux_grsec_stable_desktop = self.linux_grsec_desktop_3_14;
linux_grsec_stable_server = self.linux_grsec_server_3_14;
linux_grsec_stable_server_xen = self.linux_grsec_server_xen_3_14;
/* Linux kernel modules are inherently tied to a specific kernel. So
rather than provide specific instances of those packages for a
specific kernel, we have a function that builds those packages
@ -10942,14 +10893,6 @@ in
# grsecurity packages
linuxPackages_grsec_desktop_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
linuxPackages_grsec_server_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
linuxPackages_grsec_desktop_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
linuxPackages_grsec_desktop_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
linuxPackages_grsec_server_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
@ -10958,7 +10901,34 @@ in
linuxPackages_grsec_server_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen;
# grsecurity: old names
# grsecurity: legacy
grsecurity_base_linux_3_14 = throw "grsecurity stable is no longer supported";
grsecurity_base_linux_4_4 = throw "grsecurity stable is no longer supported";
linux_grsec_desktop_3_14 = throw "grsecurity stable is no longer supported";
linux_grsec_server_3_14 = throw "grsecurity stable is no longer supported";
linux_grsec_server_xen_3_14 = throw "grsecurity stable is no longer supported";
linux_grsec_desktop_4_4 = throw "grsecurity stable is no longer supported";
linux_grsec_server_4_4 = throw "grsecurity stable is no longer supported";
linux_grsec_server_xen_4_4 = throw "grsecurity stable is no longer supported";
linux_grsec_testing_desktop = self.linux_grsec_desktop_latest;
linux_grsec_testing_server = self.linux_grsec_server_latest;
linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest;
linux_grsec_stable_desktop = self.linux_grsec_desktop_3_14;
linux_grsec_stable_server = self.linux_grsec_server_3_14;
linux_grsec_stable_server_xen = self.linux_grsec_server_xen_3_14;
linuxPackages_grsec_desktop_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
linuxPackages_grsec_server_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
linuxPackages_grsec_desktop_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
linuxPackages_grsec_testing_desktop = self.linuxPackages_grsec_desktop_latest;
linuxPackages_grsec_testing_server = self.linuxPackages_grsec_server_latest;