author | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-02 07:06:36 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-02 11:28:05 +0200 |
commit | fecb56fc3febd6e2bab58f6701f044296cf4835e (patch) | |
tree | f093ff2dac6c3f249d6e0a87143a01ade5d17912 | |
parent | 3829bcf8663b540d5e5ae69e04b196d291dc091b (diff) | |
linuxPackages_grsec_4_5: init at 3.1-4.5.2-201604290633
-rw-r--r-- | pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch | 14 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix | 19 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 15 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 17 |
4 files changed, 64 insertions, 1 deletions
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
new file mode 100644
index 000000000000..e0430a69c950
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
@@ -0,0 +1,14 @@
+diff -ru a/kernel/kmod.c b/kernel/kmod.c
+--- a/kernel/kmod.c 2016-04-21 17:06:09.882281660 +0200
++++ b/kernel/kmod.c 2016-04-21 17:08:17.458949309 +0200
+@@ -294,7 +294,9 @@
+ strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+ strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+ strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") &&
+- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
++ strcmp(sub_info->path, "/usr/share/apport/apport") &&
++ strncmp(sub_info->path, "/nix/store/", 11) &&
++ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+ printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
+ retval = -EPERM;
+ goto out;
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
new file mode 100644
index 000000000000..267d0d58de41
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
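Review bot: The added `/nix/store/` prefix makes the grsecurity usermode-helper path check far broader than upstream's fixed list of system directories, because every realised store path passes it, including ones built by unprivileged users who are allowed to use the Nix daemon; after this change the check only attests that the helper binary was not placed outside the store, not that the administrator installed it. That is presumably an accepted trade-off on NixOS, since the helper paths themselves (the kernel's modprobe and hotplug helper settings, for instance) remain root-controlled, but nothing in the patch file records the reasoning. Suggest a preamble above the `diff -ru` line (patch ignores text before the first file header) stating why both prefixes are needed and that the store prefix relies on those helper-path settings staying root-only; the `/run/current-system/systemd/lib/` entry could likewise say which helpers live there. The retained `strstr(sub_info->path, "..")` test still rejects traversal within either prefix. The enclosing `if` in kmod.c starts outside the hunk.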
@@ -0,0 +1,19 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+ version = "4.5.2";
+ extraMeta.branch = "4.5";
+
+ src = fetchurl {
+ url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+ sha256 = "17r063zx880ka3ayv9cf1yjfilvxlifhja1rhw5z3w35hgdkj8z3";
+ };
+
+ kernelPatches = args.kernelPatches;
+
+ features.iwlwifi = true;
+ features.efiBootStub = true;
+ features.needsCifsUtils = true;
+ features.canDisableNetfilterConntrackHelpers = true;
+ features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 707ebb544bf4..e84941091cdd 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -112,7 +112,15 @@ rec {
 sha256 = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
 };
 
- grsecurity_latest = grsecurity_4_4;
+ grsecurity_4_5 = grsecPatch
+ { kernel = pkgs.grsecurity_base_linux_4_5;
+ patches = [ grsecurity_fix_path_4_5 ];
+ kversion = "4.5.2";
+ revision = "201604290633";
+ sha256 = "0qrs4fk6lyqngq3fnsmrv0y3yp1lrbiwadfc6v7hy4lyv77wz107";
+ };
+
+ grsecurity_latest = grsecurity_4_5;
 
 grsecurity_fix_path_3_14 =
 { name = "grsecurity-fix-path-3.14";
@@ -124,6 +132,11 @@ rec {
 patch = ./grsecurity-path-4.4.patch;
 };
 
+ grsecurity_fix_path_4_5 =
+ { name = "grsecurity-fix-path-4.5";
+ patch = ./grsecurity-path-4.5.patch;
+ };
+
 crc_regression = {
 name = "crc-backport-regression";
 patch = ./crc-regression.patch;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index cea479e2adff..5d93c4fa2a4a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
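Review bot: `version = "4.5.2";` in linux-grsecurity-4.5.nix is pinned separately from `kversion = "4.5.2";` in the patches.nix hunk of this same commit, and the grsecurity patch applies only to that exact upstream release, so bumping one without the other breaks the build; a comment above `version`, e.g. `# keep in sync with kversion of grsecurity_4_5 in patches.nix`, would make the coupling visible. `perl` is taken from the argument set but never referenced in this file, presumably passed through to generic.nix via `args`; worth confirming it is still needed. The `features.*` lines appear to duplicate whatever the plain 4.5 kernel expression declares (not visible here) and will drift the same way.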
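Review bot: `grsecurity_latest = grsecurity_4_5;` retargets every `*_grsec_*_latest` kernel and package attribute to the newly added 4.5 series, while the commit title only announces an init; the description should say so explicitly, because users of the `_latest` attributes get a different kernel major on their next rebuild without any change on their side. The new `grsecurity_4_5` entry otherwise mirrors the existing 4.4 one and raises no separate concern.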
@@ -10655,6 +10655,15 @@ in
 ];
 };
 
+ grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
+ kernelPatches = [ kernelPatches.bridge_stp_helper ]
+ ++ lib.optionals ((platform.kernelArch or null) == "mips")
+ [ kernelPatches.mips_fpureg_emu
+ kernelPatches.mips_fpu_sigill
+ kernelPatches.mips_ext3_n32
+ ];
+ };
+
 grFlavors = import ../build-support/grsecurity/flavors.nix;
 
 mkGrsecurity = patch: opts:
@@ -10679,6 +10688,10 @@ in
 linux_grsec_server_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server;
 linux_grsec_server_xen_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
 
+ linux_grsec_desktop_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
+ linux_grsec_server_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
+ linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
+
 linux_grsec_desktop_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.desktop;
 linux_grsec_server_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
 linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
@@ -10850,6 +10863,10 @@ in
 linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
 linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
 
+ linuxPackages_grsec_desktop_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
+ linuxPackages_grsec_server_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
+ linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
+
 linuxPackages_grsec_desktop_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.desktop;
 linuxPackages_grsec_server_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
 linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen; |