forked from mirrors/nixpkgs

160 commits

Author SHA1 Message Date
William A. Kennington III 1ec68e0d13 kernel: Fix path to stp bridge helper 2015-01-14 10:34:28 -08:00
William A. Kennington III 3d4b315d91 Revert "kernel: Add a patch to remove checks for bridge stp helpers"
This reverts commit f64c3ce18d.
2015-01-13 15:34:26 -08:00
William A. Kennington III f64c3ce18d kernel: Add a patch to remove checks for bridge stp helpers 2015-01-13 15:24:02 -08:00
Ricardo M. Correia 757071af5b grsecurity: Update stable and test patches
stable: 3.0-3.14.28-201501111421 -> 3.0-3.14.28-201501120819
test:   3.0-3.18.2-201501111422  -> 3.0-3.18.2-201501120821
2015-01-12 18:21:22 +01:00
William A. Kennington III 97783b87c0 kernel: 3.14.27 -> 3.14.28 2015-01-11 23:59:13 -08:00
William A. Kennington III 33651bb865 kernel: 3.18.1 -> 3.18.2 2015-01-11 23:58:19 -08:00
Ricardo M. Correia e90bfba2f6 grsecurity: Update stable and test patches
stable: 3.0-3.14.27-201412280859 -> 3.0-3.14.27-201501042018
test:   3.0-3.18.1-201412281149  -> 3.0-3.18.1-201501042021
2015-01-07 05:49:56 +01:00
Ricardo M. Correia 1d44322d53 grsecurity: Update stable and test patches
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test:   3.0-3.17.7-201412211910  -> 3.0-3.18.1-201412281149
2014-12-29 03:00:47 +01:00
Ricardo M. Correia a8e33da2dd grsecurity: Update stable and test patches
stable: 3.0-3.14.27-201412170659 -> 3.0-3.14.27-201412211908
test:   3.0-3.17.7-201412170700  -> 3.0-3.17.7-201412211910
2014-12-22 20:33:00 +01:00
William A. Kennington III 7e8c5b578a kernel: 3.14.26 -> 3.14.27 2014-12-17 14:36:38 -08:00
William A. Kennington III eea5383b48 kernel: 3.17.6 -> 3.17.7 2014-12-17 14:36:29 -08:00
William A. Kennington III 042f266e10 kernel: 3.14.25 -> 3.14.26 2014-12-08 23:24:50 -08:00
William A. Kennington III c8abfe37ab kernel: 3.17.4 -> 3.17.6 2014-12-08 23:23:42 -08:00
Ricardo M. Correia 7ce1cbed93 grsecurity: Update stable and test patches
stable: 3.0-3.14.25-201411260106 -> 3.0-3.14.25-201412040016
test:   3.0-3.17.4-201411260107  -> 3.0-3.17.4-201412040017
2014-12-05 18:26:21 +01:00
Ricardo M. Correia 6f31905563 grsecurity: Update stable and test patches
stable: 3.0-3.14.25-201411231452 -> 3.0-3.14.25-201411260106
test:   3.0-3.17.4-201411231452  -> 3.0-3.17.4-201411260107
2014-11-27 18:36:01 +01:00
Ricardo M. Correia c07f81ce89 grsecurity: Update stable and test patches
stable: 3.0-3.14.25-201411220954 -> 3.0-3.14.25-201411231452
test:   3.0-3.17.4-201411220955  -> 3.0-3.17.4-201411231452
2014-11-24 03:53:28 +01:00
William A. Kennington III d1493bc1ee kernel: 3.14.24 -> 3.14.25 2014-11-23 02:47:36 -08:00
Jonathan Rudenberg 30578e30d8 kernel: 3.17.3 -> 3.17.4 2014-11-22 16:50:16 -05:00
William A. Kennington III f4a27311b7 kernel: 3.14.23 -> 3.14.24 2014-11-14 23:03:54 -08:00
William A. Kennington III 0ef4ee5d06 kernel: 3.17.2 -> 3.17.3 2014-11-14 23:03:47 -08:00
Ricardo M. Correia c108ab47be grsecurity: Update stable and test patches
stable: 3.0-3.14.23-201411062033 -> 3.0-3.14.23-201411091053
test:   3.0-3.17.2-201411062034  -> 3.0-3.17.2-201411091054
2014-11-10 19:34:00 +01:00
Ricardo M. Correia 5701e40681 grsecurity: Update stable and test patches
stable: 3.0-3.14.23-201410312212 -> 3.0-3.14.23-201411062033
test:   3.0-3.17.2-201410312213  -> 3.0-3.17.2-201411062034
2014-11-09 02:47:54 +01:00
Ricardo M. Correia 268c72b92b grsecurity: Update stable and test patches
stable: 3.0-3.14.22-201410250026 -> 3.0-3.14.23-201410312212
test:   3.0-3.17.1-201410281754  -> 3.0-3.17.2-201410312213
2014-11-01 17:25:22 +01:00
Ricardo M. Correia a9170c0dba grsecurity: Update stable and test patches
stable: 3.0-3.14.22-201410192047 -> 3.0-3.14.22-201410250026
test:   3.0-3.17.1-201410192051  -> 3.0-3.17.1-201410281754
2014-10-30 12:47:36 +01:00
Alexander Kjeldaas 005bb796e6 Updated grsec. 2014-10-22 02:18:41 +02:00
Ricardo M. Correia c615793317 grsecurity: Update stable and test patches
stable: 3.0-3.14.19-201409282024 -> 3.0-3.14.20-201410062037
test:   3.0-3.16.3-201409282025  -> 3.0-3.16.4-201410062041
2014-10-07 16:55:49 +02:00
Ricardo M. Correia bbdc35d4dd grsecurity: Update stable and test patches
stable: 3.0-3.14.19-201409180900 -> 3.0-3.14.19-201409282024
test:   3.0-3.16.3-201409180901  -> 3.0-3.16.3-201409282025
2014-09-29 14:44:20 +02:00
Ricardo M. Correia cf61fa8013 grsecurity: Update stable and test patches
stable: 3.0-3.14.18-201409060013 -> 3.0-3.14.19-201409180900
test:   3.0-3.16.2-201409060014  -> 3.0-3.16.3-201409180901
2014-09-25 23:37:26 +02:00
Ricardo M. Correia 238a84ac78 grsecurity: Update stable and test patches
stable: 3.0-3.14.17-201408260041 -> 3.0-3.14.18-201409060013
test:   3.0-3.15.10-201408212335 -> 3.0-3.16.2-201409060014
2014-09-08 15:16:38 +02:00
Austin Seipp 2dc2699ca4 linux/grsec: updates
3.15.10 is EOL soon, but grsecurity/unstable hasn't moved to 3.16.x yet.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-08-27 15:14:19 -05:00
Ricardo M. Correia b50074929e grsecurity: Update stable and test patches
stable: 3.0-3.14.9-201406262057 -> 3.0-3.14.10-201407012152
test:   3.0-3.15.2-201406262058 -> 3.0-3.15.3-201407012153
2014-07-03 11:37:19 +02:00
Austin Seipp dd56bfbd00 kernel/grsec: updates
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-27 00:52:12 -05:00
Austin Seipp 0399c5ee24 grsecurity: update stable/testing kernels, refactoring
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.

This also removes the vserver kernel, since it's probably not nearly as
used.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-22 22:29:10 -05:00
Austin Seipp b8ede68b25 kernel/grsec: updates
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-21 22:13:49 -05:00
Austin Seipp b43421221f kernel/grsec: updates; add mainline package for brave souls
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-05 06:06:19 -05:00
Austin Seipp cb894d4fc3 grsec: updates
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:09 -05:00
Austin Seipp 92abc4c610 kernel: enable AppArmor by default
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch that grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:09 -05:00
Austin Seipp 92f7781f00 kernel/grsecurity: stable/longterm/testing updates
kernels:

  - longterm: 3.4.87  -> 3.4.88
  - longterm: 3.10.37 -> 3.10.38
  - stable:   3.13.10 -> 3.13.11
  - stable:   3.14.1  -> 3.14.2

grsecurity:

  - test: 3.0-3.14.1-201404241722 -> 3.0-3.14.2-201404270907

NOTE: technically the 3.13 stable kernel is now EOL. However, it will
become the long-term grsecurity stable kernel, and will have ongoing
support from Canonical.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-27 08:41:42 -05:00
Ricardo M. Correia efae8ce543 grsecurity: Update all patches
stable:  3.0-3.2.57-201404182109            -> 3.0-3.2.57-201404241714
test:    3.0-3.14.1-201404201132            -> 3.0-3.14.1-201404241722
vserver: 3.0-3.2.57-vs2.3.2.16-201404182110 -> 3.0-3.2.57-vs2.3.2.16-201404241715
2014-04-25 04:41:58 +02:00
Ricardo M. Correia 5d5ca7b260 grsecurity: Update all patches
stable:  3.0-3.2.57-201404131252            -> 3.0-3.2.57-201404182109
test:    3.0-3.13.10-201404141717           -> 3.0-3.14.1-201404201132
vserver: 3.0-3.2.57-vs2.3.2.16-201404131253 -> 3.0-3.2.57-vs2.3.2.16-201404182110
2014-04-21 18:46:41 +02:00
Ricardo M. Correia 1b113178ee grsecurity: Update test patch from 3.0-3.13.9-201404131254 -> 3.0-3.13.10-201404141717 2014-04-15 00:16:29 +02:00
Austin Seipp 788d9a13fb grsecurity: stable/vserver/testing updates
 - stable:  201404111812            -> 201404131252
 - vserver: vs2.3.2.16-201404111814 -> vs2.3.2.16-201404131253
 - testing: 201404111815            -> 201404131254

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-13 13:11:17 -05:00
Austin Seipp 172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    };

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Ricardo M. Correia 5dfc6584a5 grsecurity: Update stable patch from 3.0-3.2.56-201404062126 -> 3.0-3.2.57-201404091758 2014-04-10 00:37:33 +02:00
Ricardo M. Correia 807fad571a grsecurity: Update stable and test patches
stable: 3.0-3.2.56-201404012135 -> 3.0-3.2.56-201404062126
test:   3.0-3.13.8-201404011912 -> 3.0-3.13.9-201404062127
2014-04-07 15:31:12 +02:00
Ricardo M. Correia 52d233af22 grsecurity: Update stable patch from 3.0-3.2.55-201403300851 -> 3.0-3.2.56-201404012135 2014-04-02 15:11:33 +02:00
Ricardo M. Correia 407a6857c6 grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403252026 -> 3.0-3.2.55-201403300851
test:   3.0-3.13.7-201403252047 -> 3.0-3.13.8-201404011912
2014-04-02 02:16:59 +02:00
Ricardo M. Correia 911f332279 grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403202347 -> 3.0-3.2.55-201403252026
test:   3.0-3.13.6-201403202349 -> 3.0-3.13.7-201403252047
2014-03-26 23:07:57 +00:00
Ricardo M. Correia 9db587bf7d grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403172027 -> 3.0-3.2.55-201403202347
test:   3.0-3.13.6-201403172032 -> 3.0-3.13.6-201403202349
2014-03-21 15:41:32 +01:00
Shea Levy e4961c63f7 Remove sec_perm patch that was needed by AUFS
Now the kernel is unpatched by default on non-MIPS!
2014-03-21 04:37:23 -04:00