tree-wide: prune some dead grsec leaves

The beginning of pruning grsecurity/PaX from the tree.

nixos/tests/grsecurity.nix

@@ -1,46 +0,0 @@
-# Basic test to make sure grsecurity works
-
-import ./make-test.nix ({ pkgs, ...} : {
-  name = "grsecurity";
-  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ copumpkin joachifm ];
-  };
-
-  machine = { config, pkgs, ... }:
-    { security.grsecurity.enable = true;
-      boot.kernel.sysctl."kernel.grsecurity.audit_mount" = 0;
-      boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
-      networking.useDHCP = false;
-    };
-
-  testScript = ''
-    subtest "grsec-lock", sub {
-      $machine->succeed("systemctl is-active grsec-lock");
-      $machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");
-      $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
-    };
-
-    subtest "paxtest", sub {
-      # TODO: running paxtest blackhat hangs the vm
-      my @pax_mustkill = (
-        "anonmap", "execbss", "execdata", "execheap", "execstack",
-        "mprotanon", "mprotbss", "mprotdata", "mprotheap", "mprotstack",
-      );
-      foreach my $name (@pax_mustkill) {
-        my $paxtest = "${pkgs.paxtest}/lib/paxtest/" . $name;
-        $machine->succeed($paxtest) =~ /Killed/ or die
-      }
-    };
-
-    # tcc -run executes run-time generated code and so allows us to test whether
-    # paxmark actually works (otherwise, the process should be terminated)
-    subtest "tcc", sub {
-      $machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");
-      $machine->succeed("${pkgs.tinycc}/bin/tcc -run main.c");
-    };
-
-    subtest "RBAC", sub {
-      $machine->succeed("[ -c /dev/grsec ]");
-    };
-  '';
-})

pkgs/build-support/grsecurity/default.nix

@@ -1,37 +0,0 @@
-{ stdenv
-, lib
-, overrideDerivation
-
-# required for gcc plugins
-, gmp, libmpc, mpfr
-
-# the base kernel
-, kernel
-
-, grsecPatch
-, kernelPatches ? []
-
-, localver ? "-grsec"
-, modDirVersion ? "${kernel.version}${localver}"
-, extraConfig ? ""
-, ...
-} @ args:
-
-assert (kernel.version == grsecPatch.kver);
-
-overrideDerivation (kernel.override {
-  inherit modDirVersion;
-  kernelPatches = lib.unique ([ grsecPatch ] ++ kernelPatches ++ (kernel.kernelPatches or []));
-  extraConfig = ''
-    GRKERNSEC y
-    PAX y
-    ${extraConfig}
-  '';
-  ignoreConfigErrors = true;
-}) (attrs: {
-  nativeBuildInputs = (lib.chooseDevOutputs [ gmp libmpc mpfr ]) ++ (attrs.nativeBuildInputs or []);
-  preConfigure = ''
-    echo ${localver} >localversion-grsec
-    ${attrs.preConfigure or ""}
-  '';
-})

pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix

@@ -1,63 +0,0 @@
-{ stdenv }:
-
-with stdenv.lib;
-
-''
-# Auto configuration with these constraints will enable most of the
-# important features (RAP, UDEREF, ASLR, memory sanitization).
-GRKERNSEC_CONFIG_AUTO y
-GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_PRIORITY_SECURITY y
-
-# We specify virt guest rather than host here, the latter deselects e.g.,
-# paravirtualization.
-GRKERNSEC_CONFIG_VIRT_GUEST y
-# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
-GRKERNSEC_CONFIG_VIRT_EPT y
-GRKERNSEC_CONFIG_VIRT_KVM y
-
-# PaX control
-PAX_SOFTMODE y
-PAX_PT_PAX_FLAGS y
-PAX_XATTR_PAX_FLAGS y
-PAX_EI_PAX n
-
-PAX_INITIFY y
-
-# The bts instrumentation method is compatible with binary only modules.
-#
-# Note: if platform supports SMEP, we could do without this
-PAX_KERNEXEC_PLUGIN_METHOD_BTS y
-
-# Additional grsec hardening not implied by auto constraints
-GRKERNSEC_IO y
-GRKERNSEC_SYSFS_RESTRICT y
-GRKERNSEC_ROFS y
-
-GRKERNSEC_MODHARDEN y
-
-# Disable protections rendered useless by redistribution
-GRKERNSEC_HIDESYM n
-GRKERNSEC_RANDSTRUCT n
-
-# Disable protections covered by vanilla mechanisms
-GRKERNSEC_DMESG n
-GRKERNSEC_KMEM n
-GRKERNSEC_PROC n
-
-# Disable protections that are inappropriate for a general-purpose kernel
-GRKERNSEC_NO_SIMULT_CONNECT n
-
-# Enable additional audititing
-GRKERNSEC_AUDIT_MOUNT y
-GRKERNSEC_AUDIT_PTRACE y
-GRKERNSEC_FORKFAIL y
-
-# Wishlist: support trusted path execution
-GRKERNSEC_TPE n
-
-GRKERNSEC_SYSCTL y
-GRKERNSEC_SYSCTL_DISTRO y
-# Assume that appropriate sysctls are toggled once the system is up
-GRKERNSEC_SYSCTL_ON n
-''

pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch

@@ -1,14 +0,0 @@
-diff -ru a/kernel/kmod.c b/kernel/kmod.c
---- a/kernel/kmod.c	2016-04-21 17:06:09.882281660 +0200
-+++ b/kernel/kmod.c	2016-04-21 17:08:17.458949309 +0200
-@@ -294,7 +294,9 @@
- 	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
- 	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
- 	     strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") && 
--	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+	     strcmp(sub_info->path, "/usr/share/apport/apport") &&
-+       strncmp(sub_info->path, "/nix/store/", 11) &&
-+       strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- 		retval = -EPERM;
- 		goto out;

pkgs/os-specific/linux/kernel/linux-grsecurity.nix

@@ -1,18 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-import ./generic.nix (args // rec {
-  version = "4.9.24";
-  extraMeta.branch = "4.9";
-
-  src = fetchurl {
-    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha512 = "3031ldw2f6dwkm3z1cn7rw8y4diq57rs3na64nzkw7xw4q74cfpzzp5866vf58y0fsyl8l2vgvwza7cdhxywmmxp7q0q5385jn8nnvd";
-  };
-
-  kernelPatches = args.kernelPatches;
-
-  features.iwlwifi = true;
-  features.efiBootStub = true;
-  features.needsCifsUtils = true;
-  features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/patches.nix

@@ -17,26 +17,6 @@ let
         '';
       };
     };
-
-  grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha512 }: rec {
-    name = "grsecurity-${grver}-${kver}-${grrev}";
-
-    # Pass these along to allow the caller to determine compatibility
-    inherit grver kver grrev;
-
-    patch = fetchurl {
-      urls = [
-        "https://grsecurity.net/${grbranch}/${name}.patch"
-        # When updating versions/hashes, ALWAYS use the official
-        # version; we use this mirror only because upstream removes
-        # source files immediately upon releasing a new version ...
-        "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${kver}/${name}.patch"
-      ];
-      inherit sha512;
-    };
-
-    features.grsecurity = true;
-  };
 in
 
 rec {
@@ -107,14 +87,6 @@ rec {
     for more information.
   '';
 
-  # This patch relaxes grsec constraints on the location of usermode helpers,
-  # e.g., modprobe, to allow calling into the Nix store.
-  grsecurity_nixos_kmod =
-    {
-      name  = "grsecurity-nixos-kmod";
-      patch = ./grsecurity-nixos-kmod.patch;
-    };
-
   crc_regression =
     { name = "crc-backport-regression";
       patch = ./crc-regression.patch;

pkgs/top-level/all-packages.nix

@@ -11922,16 +11922,7 @@ with pkgs;
   linuxPackages_grsec_nixos =
     recurseIntoAttrs (linuxPackagesFor linux_grsec_nixos);
 
-  # An unsupported grsec xen guest kernel
-  linux_grsec_server_xen = linux_grsec_nixos.override {
-    extraConfig = ''
-      GRKERNSEC_CONFIG_AUTO y
-      GRKERNSEC_CONFIG_PRIORITY_SECURITY y
-      GRKERNSEC_CONFIG_SERVER y
-      GRKERNSEC_CONFIG_VIRT_GUEST y
-      GRKERNSEC_CONFIG_VIRT_XEN y
-    '';
-  };
+  linux_grsec_server_xen = linux_grsec_nixos;
 
   # ChromiumOS kernels
   linuxPackages_chromiumos_3_18 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_chromiumos_3_18);