grsecurity: separate fix patches for testing & stable
This commit is contained in:
parent
75f353ffbd
commit
4e3d6d3e90
@ -25,7 +25,7 @@ let
|
||||||
mkKernel = patch:
|
mkKernel = patch:
|
||||||
{
|
{
|
||||||
inherit patch;
|
inherit patch;
|
||||||
inherit (patch) kernel grversion revision;
|
inherit (patch) kernel patches grversion revision;
|
||||||
};
|
};
|
||||||
|
|
||||||
test-patch = with pkgs.kernelPatches; grsecurity_testing;
|
test-patch = with pkgs.kernelPatches; grsecurity_testing;
|
||||||
|
@ -136,7 +136,7 @@ let
|
||||||
|
|
||||||
mkGrsecKern = grkern:
|
mkGrsecKern = grkern:
|
||||||
lowPrio (overrideDerivation (grkern.kernel.override (args: {
|
lowPrio (overrideDerivation (grkern.kernel.override (args: {
|
||||||
kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
|
kernelPatches = args.kernelPatches ++ [ grkern.patch ] ++ grkern.patches;
|
||||||
argsOverride = {
|
argsOverride = {
|
||||||
modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
|
modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
|
||||||
};
|
};
|
||||||
|
|
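--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch
@@ -0,0 +1,17 @@
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index a689506..30747b4 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -294,10 +294,8 @@ static int ____call_usermodehelper(void *data)
+out the path to be used prior to this point and are now operating
+on that copy
+*/
+- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
+- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+- strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
++ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
++ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
+retval = -EPERM;
+goto out;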
@ -18,10 +18,10 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
grsecPatch = { grversion ? "3.1", kernel, kversion, revision, branch, sha256 }:
|
grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch, sha256 }:
|
||||||
assert kversion == kernel.version;
|
assert kversion == kernel.version;
|
||||||
{ name = "grsecurity-${grversion}-${kversion}";
|
{ name = "grsecurity-${grversion}-${kversion}";
|
||||||
inherit grversion kernel kversion revision;
|
inherit grversion kernel patches kversion revision;
|
||||||
patch = fetchurl {
|
patch = fetchurl {
|
||||||
url = if branch == "stable"
|
url = if branch == "stable"
|
||||||
then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"
|
then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"
|
||||||
|
@ -84,6 +84,7 @@ rec {
|
||||||
|
|
||||||
grsecurity_stable = grsecPatch
|
grsecurity_stable = grsecPatch
|
||||||
{ kernel = pkgs.linux_grsecurity_3_14;
|
{ kernel = pkgs.linux_grsecurity_3_14;
|
||||||
|
patches = [ grsecurity_fix_path_3_14 ];
|
||||||
kversion = "3.14.51";
|
kversion = "3.14.51";
|
||||||
revision = "201508181951";
|
revision = "201508181951";
|
||||||
branch = "stable";
|
branch = "stable";
|
||||||
|
@ -92,15 +93,21 @@ rec {
|
||||||
|
|
||||||
grsecurity_testing = grsecPatch
|
grsecurity_testing = grsecPatch
|
||||||
{ kernel = pkgs.linux_grsecurity_4_4;
|
{ kernel = pkgs.linux_grsecurity_4_4;
|
||||||
|
patches = [ grsecurity_fix_path_4_4 ];
|
||||||
kversion = "4.4.2";
|
kversion = "4.4.2";
|
||||||
revision = "201602182048";
|
revision = "201602182048";
|
||||||
branch = "test";
|
branch = "test";
|
||||||
sha256 = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr";
|
sha256 = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr";
|
||||||
};
|
};
|
||||||
|
|
||||||
grsec_fix_path =
|
grsecurity_fix_path_3_14 =
|
||||||
{ name = "grsec-fix-path";
|
{ name = "grsecurity-fix-path-3.14";
|
||||||
patch = ./grsec-path.patch;
|
patch = ./grsecurity-path-3.14.patch;
|
||||||
|
};
|
||||||
|
|
||||||
|
grsecurity_fix_path_4_4 =
|
||||||
|
{ name = "grsecurity-fix-path-4.4";
|
||||||
|
patch = ./grsecurity-path-4.4.patch;
|
||||||
};
|
};
|
||||||
|
|
||||||
crc_regression =
|
crc_regression =
|
||||||
|
|