diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
deleted file mode 100644
index 6f477c22b5ee..000000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/kernel/kmod.c b/kernel/kmod.c
-index a689506..30747b4 100644
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data)
- out the path to be used prior to this point and are now operating
- on that copy
- */
-- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
-- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
-- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
-- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
-+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- retval = -EPERM;
- goto out;
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
deleted file mode 100644
index bef1a75c23d4..000000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/kernel/kmod.c b/kernel/kmod.c
-index a689506..30747b4 100644
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data)
- out the path to be used prior to this point and are now operating
- on that copy
- */
-- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
-- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
-- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
-- strncmp(sub_info->path, "/usr/sbin/", 10) &&
-- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
-+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- retval = -EPERM;
- goto out;
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
deleted file mode 100644
index da6286207642..000000000000
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-throw "grsecurity stable is no longer supported; please update your configuration"
-
-import ./generic.nix (args // rec {
- version = "3.14.51";
- extraMeta.branch = "3.14";
-
- src = fetchurl {
- url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
- sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk";
- };
-
- kernelPatches = args.kernelPatches;
-
- features.iwlwifi = true;
- features.efiBootStub = true;
- features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
- features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
deleted file mode 100644
index e51fe6423680..000000000000
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-throw "grsecurity stable is no longer supported; please update your configuration"
-
-import ./generic.nix (args // rec {
- version = "4.4.5";
- extraMeta.branch = "4.4";
-
- src = fetchurl {
- url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
- sha256 = "1daavrj2msl85aijh1izfm1cwf14c7mi75hldzidr1h2v629l89h";
- };
-
- kernelPatches = args.kernelPatches;
-
- features.iwlwifi = true;
- features.efiBootStub = true;
- features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
- features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index efa3cb2eb864..8e198e7a3ed9 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -88,22 +88,9 @@ rec {
 sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
 };
- grsecurity_3_14 = grsecPatch
- { kernel = pkgs.grsecurity_base_linux_3_14;
- patches = [ grsecurity_fix_path_3_14 ];
- kversion = "3.14.51";
- revision = "201508181951";
- branch = "stable";
- sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
- };
+ grsecurity_3_14 = throw "grsecurity stable is no longer supported";
- grsecurity_4_4 = grsecPatch
- { kernel = pkgs.grsecurity_base_linux_4_4;
- patches = [ grsecurity_fix_path_4_4 ];
- kversion = "4.4.5";
- revision = "201603131305";
- sha256 = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
- };
+ grsecurity_4_4 = throw "grsecurity stable is no longer supported";
 grsecurity_4_5 = grsecPatch
 { kernel = pkgs.grsecurity_base_linux_4_5;
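Review bot: The replacement `grsecurity_3_14 = throw "grsecurity stable is no longer supported";` tells the user what is gone but not what to move to, whereas the throw in the deleted linux-grsecurity-*.nix files at least ended with "please update your configuration". Since `grsecurity_4_5` and `grsecurity_latest` remain defined in this file, naming them makes the failure actionable: `grsecurity_3_14 = throw "grsecurity stable is no longer supported; use grsecurity_4_5 or grsecurity_latest";`, and the same for `grsecurity_4_4`. The identical message is repeated for the `grsecurity_base_linux_*` and `linux_grsec_*` throws in the last all-packages.nix hunk of this diff, so the wording should be changed in both places together. The `rec { … }` set holding these attributes starts and ends outside the hunk.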
@@ -115,16 +102,6 @@ rec {
 grsecurity_latest = grsecurity_4_5;
- grsecurity_fix_path_3_14 =
- { name = "grsecurity-fix-path-3.14";
- patch = ./grsecurity-path-3.14.patch;
- };
-
- grsecurity_fix_path_4_4 =
- { name = "grsecurity-fix-path-4.4";
- patch = ./grsecurity-path-4.4.patch;
- };
-
 grsecurity_fix_path_4_5 =
 { name = "grsecurity-fix-path-4.5";
 patch = ./grsecurity-path-4.5.patch;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 19a259375008..916e7f8ee455 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10717,38 +10717,7 @@ in
 linux_chromiumos_latest = self.linux_chromiumos_3_18;
- /* grsec configuration
-
- We build several flavors of 'default' grsec kernels. These are
- built by default with Hydra. If the user selects a matching
- 'default' flavor, then the pre-canned package set can be
- chosen. Typically, users will make very basic choices like
- 'security' + 'server' or 'performance' + 'desktop' with
- virtualisation support. These will then be picked.
-
- Note: Xen guest kernels are included for e.g. NixOps deployments
- to EC2, where Xen is the Hypervisor.
- */
-
- # Base kernels to apply the grsecurity patch onto
-
- grsecurity_base_linux_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix {
- kernelPatches = [ kernelPatches.bridge_stp_helper ]
- ++ lib.optionals ((platform.kernelArch or null) == "mips")
- [ kernelPatches.mips_fpureg_emu
- kernelPatches.mips_fpu_sigill
- kernelPatches.mips_ext3_n32
- ];
- };
-
- grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
- kernelPatches = [ kernelPatches.bridge_stp_helper ]
- ++ lib.optionals ((platform.kernelArch or null) == "mips")
- [ kernelPatches.mips_fpureg_emu
- kernelPatches.mips_fpu_sigill
- kernelPatches.mips_ext3_n32
- ];
- };
+ # grsecurity configuration
 grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
 kernelPatches = [ kernelPatches.bridge_stp_helper ]
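Review bot: The new one-line `# grsecurity configuration` drops the only explanation of the flavor scheme (the `desktop`/`server`/`server_xen` flavors built by Hydra and the note on why Xen guest kernels exist), even though `grFlavors` and `grKernel` are still used by the `linux_grsec_*_4_5` and `*_latest` attributes that survive later in the file. Keep the prose of the removed `/* grsec configuration … */` block above `grsecurity_base_linux_4_5` and delete only the two base-kernel definitions; the `# Base kernels to apply the grsecurity patch onto` heading is also still accurate for the 4.5 base kernel that follows. The enclosing `in` set starts and ends outside this hunk.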
@@ -10771,14 +10740,6 @@ in
 # grsecurity kernels (see also linuxPackages_grsec_*)
- linux_grsec_desktop_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
- linux_grsec_server_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server;
- linux_grsec_server_xen_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
-
- linux_grsec_desktop_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
- linux_grsec_server_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server;
- linux_grsec_server_xen_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
-
 linux_grsec_desktop_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
 linux_grsec_server_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
 linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
@@ -10787,16 +10748,6 @@ in
 linux_grsec_server_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
 linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
- # grsecurity: old names
-
- linux_grsec_testing_desktop = self.linux_grsec_desktop_latest;
- linux_grsec_testing_server = self.linux_grsec_server_latest;
- linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest;
-
- linux_grsec_stable_desktop = self.linux_grsec_desktop_3_14;
- linux_grsec_stable_server = self.linux_grsec_server_3_14;
- linux_grsec_stable_server_xen = self.linux_grsec_server_xen_3_14;
-
 /* Linux kernel modules are inherently tied to a specific kernel. So rather than provide specific instances of those packages for a specific kernel, we have a function that builds those packages
@@ -10942,14 +10893,6 @@ in
 # grsecurity packages
- linuxPackages_grsec_desktop_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
- linuxPackages_grsec_server_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
- linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
-
- linuxPackages_grsec_desktop_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
- linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
- linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
-
 linuxPackages_grsec_desktop_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
 linuxPackages_grsec_server_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
 linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
@@ -10958,7 +10901,34 @@ in
 linuxPackages_grsec_server_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
 linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen;
- # grsecurity: old names
+ # grsecurity: legacy
+
+ grsecurity_base_linux_3_14 = throw "grsecurity stable is no longer supported";
+ grsecurity_base_linux_4_4 = throw "grsecurity stable is no longer supported";
+
+ linux_grsec_desktop_3_14 = throw "grsecurity stable is no longer supported";
+ linux_grsec_server_3_14 = throw "grsecurity stable is no longer supported";
+ linux_grsec_server_xen_3_14 = throw "grsecurity stable is no longer supported";
+
+ linux_grsec_desktop_4_4 = throw "grsecurity stable is no longer supported";
+ linux_grsec_server_4_4 = throw "grsecurity stable is no longer supported";
+ linux_grsec_server_xen_4_4 = throw "grsecurity stable is no longer supported";
+
+ linux_grsec_testing_desktop = self.linux_grsec_desktop_latest;
+ linux_grsec_testing_server = self.linux_grsec_server_latest;
+ linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest;
+
+ linux_grsec_stable_desktop = self.linux_grsec_desktop_3_14;
+ linux_grsec_stable_server = self.linux_grsec_server_3_14;
+ linux_grsec_stable_server_xen = self.linux_grsec_server_xen_3_14;
+
+ linuxPackages_grsec_desktop_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
+ linuxPackages_grsec_server_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
+ linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
+
+ linuxPackages_grsec_desktop_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
+ linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
+ linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
linuxPackages_grsec_testing_desktop = self.linuxPackages_grsec_desktop_latest; linuxPackages_grsec_testing_server = self.linuxPackages_grsec_server_latest;
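Review bot: The six `linuxPackages_grsec_*_3_14` and `*_4_4` attributes re-added under `# grsecurity: legacy` are still wired as `self.grPackage kernelPatches.grsecurity_3_14 …`, while their `linux_grsec_*` siblings in the same hunk are direct `throw`s. `kernelPatches.grsecurity_3_14` is now itself a `throw` (patches.nix hunk above), so the error will only fire when `grPackage` forces the patch argument — presumably somewhere inside the package set rather than at the attribute — and the "no longer supported" message may not be the first thing the user sees. Make them explicit like the kernel attributes, `linuxPackages_grsec_desktop_3_14 = throw "grsecurity stable is no longer supported";`, and the same for the other five. The `linux_grsec_stable_*` aliases now resolve to attributes that throw, which matches the intent, but the message would be more useful if it named `linux_grsec_desktop_latest` (or the `*_4_5` attributes) as the replacement.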