forked from mirrors/nixpkgs
grsecurity: remove expressions for unsupported versions
Retain top-level attributes for now but consolidate compatibility attributes. Part of ongoing cleanup, doing it all at once is infeasible.
This commit is contained in:
parent
f7ec37f3e8
commit
f99c86eec1
|
@ -1,17 +0,0 @@
|
||||||
diff --git a/kernel/kmod.c b/kernel/kmod.c
|
|
||||||
index a689506..30747b4 100644
|
|
||||||
--- a/kernel/kmod.c
|
|
||||||
+++ b/kernel/kmod.c
|
|
||||||
@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data)
|
|
||||||
out the path to be used prior to this point and are now operating
|
|
||||||
on that copy
|
|
||||||
*/
|
|
||||||
- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
|
|
||||||
- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
|
|
||||||
- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
|
|
||||||
- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
|
|
||||||
+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
|
|
||||||
+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
|
|
||||||
printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
|
|
||||||
retval = -EPERM;
|
|
||||||
goto out;
|
|
|
@ -1,18 +0,0 @@
|
||||||
diff --git a/kernel/kmod.c b/kernel/kmod.c
|
|
||||||
index a689506..30747b4 100644
|
|
||||||
--- a/kernel/kmod.c
|
|
||||||
+++ b/kernel/kmod.c
|
|
||||||
@@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data)
|
|
||||||
out the path to be used prior to this point and are now operating
|
|
||||||
on that copy
|
|
||||||
*/
|
|
||||||
- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
|
|
||||||
- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
|
|
||||||
- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
|
|
||||||
- strncmp(sub_info->path, "/usr/sbin/", 10) &&
|
|
||||||
- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
|
|
||||||
+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
|
|
||||||
+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
|
|
||||||
printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
|
|
||||||
retval = -EPERM;
|
|
||||||
goto out;
|
|
|
@ -1,21 +0,0 @@
|
||||||
{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
|
|
||||||
|
|
||||||
throw "grsecurity stable is no longer supported; please update your configuration"
|
|
||||||
|
|
||||||
import ./generic.nix (args // rec {
|
|
||||||
version = "3.14.51";
|
|
||||||
extraMeta.branch = "3.14";
|
|
||||||
|
|
||||||
src = fetchurl {
|
|
||||||
url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
|
|
||||||
sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk";
|
|
||||||
};
|
|
||||||
|
|
||||||
kernelPatches = args.kernelPatches;
|
|
||||||
|
|
||||||
features.iwlwifi = true;
|
|
||||||
features.efiBootStub = true;
|
|
||||||
features.needsCifsUtils = true;
|
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
|
||||||
} // (args.argsOverride or {}))
|
|
|
@ -1,21 +0,0 @@
|
||||||
{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
|
|
||||||
|
|
||||||
throw "grsecurity stable is no longer supported; please update your configuration"
|
|
||||||
|
|
||||||
import ./generic.nix (args // rec {
|
|
||||||
version = "4.4.5";
|
|
||||||
extraMeta.branch = "4.4";
|
|
||||||
|
|
||||||
src = fetchurl {
|
|
||||||
url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
|
|
||||||
sha256 = "1daavrj2msl85aijh1izfm1cwf14c7mi75hldzidr1h2v629l89h";
|
|
||||||
};
|
|
||||||
|
|
||||||
kernelPatches = args.kernelPatches;
|
|
||||||
|
|
||||||
features.iwlwifi = true;
|
|
||||||
features.efiBootStub = true;
|
|
||||||
features.needsCifsUtils = true;
|
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
|
||||||
} // (args.argsOverride or {}))
|
|
|
@ -88,22 +88,9 @@ rec {
|
||||||
sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
|
sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
|
||||||
};
|
};
|
||||||
|
|
||||||
grsecurity_3_14 = grsecPatch
|
grsecurity_3_14 = throw "grsecurity stable is no longer supported";
|
||||||
{ kernel = pkgs.grsecurity_base_linux_3_14;
|
|
||||||
patches = [ grsecurity_fix_path_3_14 ];
|
|
||||||
kversion = "3.14.51";
|
|
||||||
revision = "201508181951";
|
|
||||||
branch = "stable";
|
|
||||||
sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
|
|
||||||
};
|
|
||||||
|
|
||||||
grsecurity_4_4 = grsecPatch
|
grsecurity_4_4 = throw "grsecurity stable is no longer supported";
|
||||||
{ kernel = pkgs.grsecurity_base_linux_4_4;
|
|
||||||
patches = [ grsecurity_fix_path_4_4 ];
|
|
||||||
kversion = "4.4.5";
|
|
||||||
revision = "201603131305";
|
|
||||||
sha256 = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
|
|
||||||
};
|
|
||||||
|
|
||||||
grsecurity_4_5 = grsecPatch
|
grsecurity_4_5 = grsecPatch
|
||||||
{ kernel = pkgs.grsecurity_base_linux_4_5;
|
{ kernel = pkgs.grsecurity_base_linux_4_5;
|
||||||
|
@ -115,16 +102,6 @@ rec {
|
||||||
|
|
||||||
grsecurity_latest = grsecurity_4_5;
|
grsecurity_latest = grsecurity_4_5;
|
||||||
|
|
||||||
grsecurity_fix_path_3_14 =
|
|
||||||
{ name = "grsecurity-fix-path-3.14";
|
|
||||||
patch = ./grsecurity-path-3.14.patch;
|
|
||||||
};
|
|
||||||
|
|
||||||
grsecurity_fix_path_4_4 =
|
|
||||||
{ name = "grsecurity-fix-path-4.4";
|
|
||||||
patch = ./grsecurity-path-4.4.patch;
|
|
||||||
};
|
|
||||||
|
|
||||||
grsecurity_fix_path_4_5 =
|
grsecurity_fix_path_4_5 =
|
||||||
{ name = "grsecurity-fix-path-4.5";
|
{ name = "grsecurity-fix-path-4.5";
|
||||||
patch = ./grsecurity-path-4.5.patch;
|
patch = ./grsecurity-path-4.5.patch;
|
||||||
|
|
|
@ -10717,38 +10717,7 @@ in
|
||||||
|
|
||||||
linux_chromiumos_latest = self.linux_chromiumos_3_18;
|
linux_chromiumos_latest = self.linux_chromiumos_3_18;
|
||||||
|
|
||||||
/* grsec configuration
|
# grsecurity configuration
|
||||||
|
|
||||||
We build several flavors of 'default' grsec kernels. These are
|
|
||||||
built by default with Hydra. If the user selects a matching
|
|
||||||
'default' flavor, then the pre-canned package set can be
|
|
||||||
chosen. Typically, users will make very basic choices like
|
|
||||||
'security' + 'server' or 'performance' + 'desktop' with
|
|
||||||
virtualisation support. These will then be picked.
|
|
||||||
|
|
||||||
Note: Xen guest kernels are included for e.g. NixOps deployments
|
|
||||||
to EC2, where Xen is the Hypervisor.
|
|
||||||
*/
|
|
||||||
|
|
||||||
# Base kernels to apply the grsecurity patch onto
|
|
||||||
|
|
||||||
grsecurity_base_linux_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix {
|
|
||||||
kernelPatches = [ kernelPatches.bridge_stp_helper ]
|
|
||||||
++ lib.optionals ((platform.kernelArch or null) == "mips")
|
|
||||||
[ kernelPatches.mips_fpureg_emu
|
|
||||||
kernelPatches.mips_fpu_sigill
|
|
||||||
kernelPatches.mips_ext3_n32
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
|
|
||||||
kernelPatches = [ kernelPatches.bridge_stp_helper ]
|
|
||||||
++ lib.optionals ((platform.kernelArch or null) == "mips")
|
|
||||||
[ kernelPatches.mips_fpureg_emu
|
|
||||||
kernelPatches.mips_fpu_sigill
|
|
||||||
kernelPatches.mips_ext3_n32
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
|
grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
|
||||||
kernelPatches = [ kernelPatches.bridge_stp_helper ]
|
kernelPatches = [ kernelPatches.bridge_stp_helper ]
|
||||||
|
@ -10771,14 +10740,6 @@ in
|
||||||
|
|
||||||
# grsecurity kernels (see also linuxPackages_grsec_*)
|
# grsecurity kernels (see also linuxPackages_grsec_*)
|
||||||
|
|
||||||
linux_grsec_desktop_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
|
|
||||||
linux_grsec_server_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server;
|
|
||||||
linux_grsec_server_xen_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
|
|
||||||
|
|
||||||
linux_grsec_desktop_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
|
|
||||||
linux_grsec_server_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server;
|
|
||||||
linux_grsec_server_xen_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
|
|
||||||
|
|
||||||
linux_grsec_desktop_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
|
linux_grsec_desktop_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
|
||||||
linux_grsec_server_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
|
linux_grsec_server_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
|
||||||
linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
|
linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
|
||||||
|
@ -10787,16 +10748,6 @@ in
|
||||||
linux_grsec_server_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
|
linux_grsec_server_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
|
||||||
linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
|
linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
|
||||||
|
|
||||||
# grsecurity: old names
|
|
||||||
|
|
||||||
linux_grsec_testing_desktop = self.linux_grsec_desktop_latest;
|
|
||||||
linux_grsec_testing_server = self.linux_grsec_server_latest;
|
|
||||||
linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest;
|
|
||||||
|
|
||||||
linux_grsec_stable_desktop = self.linux_grsec_desktop_3_14;
|
|
||||||
linux_grsec_stable_server = self.linux_grsec_server_3_14;
|
|
||||||
linux_grsec_stable_server_xen = self.linux_grsec_server_xen_3_14;
|
|
||||||
|
|
||||||
/* Linux kernel modules are inherently tied to a specific kernel. So
|
/* Linux kernel modules are inherently tied to a specific kernel. So
|
||||||
rather than provide specific instances of those packages for a
|
rather than provide specific instances of those packages for a
|
||||||
specific kernel, we have a function that builds those packages
|
specific kernel, we have a function that builds those packages
|
||||||
|
@ -10942,14 +10893,6 @@ in
|
||||||
|
|
||||||
# grsecurity packages
|
# grsecurity packages
|
||||||
|
|
||||||
linuxPackages_grsec_desktop_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
|
|
||||||
linuxPackages_grsec_server_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
|
|
||||||
linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
|
|
||||||
|
|
||||||
linuxPackages_grsec_desktop_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
|
|
||||||
linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
|
|
||||||
linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
|
|
||||||
|
|
||||||
linuxPackages_grsec_desktop_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
|
linuxPackages_grsec_desktop_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
|
||||||
linuxPackages_grsec_server_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
|
linuxPackages_grsec_server_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
|
||||||
linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
|
linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
|
||||||
|
@ -10958,7 +10901,34 @@ in
|
||||||
linuxPackages_grsec_server_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
|
linuxPackages_grsec_server_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
|
||||||
linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen;
|
linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen;
|
||||||
|
|
||||||
# grsecurity: old names
|
# grsecurity: legacy
|
||||||
|
|
||||||
|
grsecurity_base_linux_3_14 = throw "grsecurity stable is no longer supported";
|
||||||
|
grsecurity_base_linux_4_4 = throw "grsecurity stable is no longer supported";
|
||||||
|
|
||||||
|
linux_grsec_desktop_3_14 = throw "grsecurity stable is no longer supported";
|
||||||
|
linux_grsec_server_3_14 = throw "grsecurity stable is no longer supported";
|
||||||
|
linux_grsec_server_xen_3_14 = throw "grsecurity stable is no longer supported";
|
||||||
|
|
||||||
|
linux_grsec_desktop_4_4 = throw "grsecurity stable is no longer supported";
|
||||||
|
linux_grsec_server_4_4 = throw "grsecurity stable is no longer supported";
|
||||||
|
linux_grsec_server_xen_4_4 = throw "grsecurity stable is no longer supported";
|
||||||
|
|
||||||
|
linux_grsec_testing_desktop = self.linux_grsec_desktop_latest;
|
||||||
|
linux_grsec_testing_server = self.linux_grsec_server_latest;
|
||||||
|
linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest;
|
||||||
|
|
||||||
|
linux_grsec_stable_desktop = self.linux_grsec_desktop_3_14;
|
||||||
|
linux_grsec_stable_server = self.linux_grsec_server_3_14;
|
||||||
|
linux_grsec_stable_server_xen = self.linux_grsec_server_xen_3_14;
|
||||||
|
|
||||||
|
linuxPackages_grsec_desktop_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.desktop;
|
||||||
|
linuxPackages_grsec_server_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
|
||||||
|
linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
|
||||||
|
|
||||||
|
linuxPackages_grsec_desktop_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
|
||||||
|
linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
|
||||||
|
linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
|
||||||
|
|
||||||
linuxPackages_grsec_testing_desktop = self.linuxPackages_grsec_desktop_latest;
|
linuxPackages_grsec_testing_desktop = self.linuxPackages_grsec_desktop_latest;
|
||||||
linuxPackages_grsec_testing_server = self.linuxPackages_grsec_server_latest;
|
linuxPackages_grsec_testing_server = self.linuxPackages_grsec_server_latest;
|
||||||
|
|
Loading…
Reference in a new issue