authorJoachim Fasting <joachifm@fastmail.fm>2016-05-02 07:06:36 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-05-02 11:28:05 +0200
commitfecb56fc3febd6e2bab58f6701f044296cf4835e (patch)
treef093ff2dac6c3f249d6e0a87143a01ade5d17912
parent3829bcf8663b540d5e5ae69e04b196d291dc091b (diff)
linuxPackages_grsec_4_5: init at 3.1-4.5.2-201604290633
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch14
-rw-r--r--pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix19
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix15
-rw-r--r--pkgs/top-level/all-packages.nix17
4 files changed, 64 insertions, 1 deletions
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
new file mode 100644
index 000000000000..e0430a69c950
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
@@ -0,0 +1,14 @@
+diff -ru a/kernel/kmod.c b/kernel/kmod.c
+--- a/kernel/kmod.c	2016-04-21 17:06:09.882281660 +0200
++++ b/kernel/kmod.c	2016-04-21 17:08:17.458949309 +0200
+@@ -294,7 +294,9 @@
+ 	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+ 	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+ 	     strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") && 
+-	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
++	     strcmp(sub_info->path, "/usr/share/apport/apport") &&
++       strncmp(sub_info->path, "/nix/store/", 11) &&
++       strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+ 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
+ 		retval = -EPERM;
+ 		goto out;
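Review bot: The new `strncmp(sub_info->path, "/nix/store/", 11)` clause on the third added line admits the whole store as a usermode-helper location, so the grsec check no longer distinguishes system-provided helpers from any other store path; on a machine where unprivileged users can realise store paths this is a notable relaxation of the original policy, and the trade-off should be recorded next to the clause, e.g. `/* Nix has no fixed helper directory, so the entire store is trusted here */`. The two added `strncmp` lines are indented with spaces while the surrounding kernel code uses tabs; match the tab indentation of the preceding lines. The enclosing `if` in kmod.c begins before this hunk.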
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
new file mode 100644
index 000000000000..267d0d58de41
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
@@ -0,0 +1,19 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+  version = "4.5.2";
+  extraMeta.branch = "4.5";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "17r063zx880ka3ayv9cf1yjfilvxlifhja1rhw5z3w35hgdkj8z3";
+  };
+
+  kernelPatches = args.kernelPatches;
+
+  features.iwlwifi = true;
+  features.efiBootStub = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))
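Review bot: `kernelPatches = args.kernelPatches;` appears to be a no-op, since `args // rec { ... }` already carries `kernelPatches` from `args` and the attribute is re-assigned the same value; it can be dropped, or if it is kept for parity with sibling kernel expressions a comment should say so. The file also has no header stating that it is the unpatched base kernel consumed by `kernelPatches.grsecurity_4_5` in patches.nix, whose `kversion = "4.5.2"` must agree with `version` here; a top-of-file `# Vanilla 4.5 kernel used as the base for grsecurity_4_5 in patches.nix; version must match its kversion.` would make that coupling visible.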
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 707ebb544bf4..e84941091cdd 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -112,7 +112,15 @@ rec {
       sha256    = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
     };
 
-  grsecurity_latest = grsecurity_4_4;
+  grsecurity_4_5 = grsecPatch
+    { kernel    = pkgs.grsecurity_base_linux_4_5;
+      patches   = [ grsecurity_fix_path_4_5 ];
+      kversion  = "4.5.2";
+      revision  = "201604290633";
+      sha256    = "0qrs4fk6lyqngq3fnsmrv0y3yp1lrbiwadfc6v7hy4lyv77wz107";
+    };
+
+  grsecurity_latest = grsecurity_4_5;
 
   grsecurity_fix_path_3_14 =
     { name = "grsecurity-fix-path-3.14";
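Review bot: `grsecurity_latest = grsecurity_4_5;` moves every `*_grsec_*_latest` attribute from the 4.4 to the 4.5 kernel, a user-visible change the commit title ("init at ...") does not mention; the message should state that latest now tracks 4.5, and the attribute deserves a comment such as `# Bump when a new grsecurity kernel branch is added; all *_latest attributes follow this.`. `kversion = "4.5.2"` duplicates `version` in linux-grsecurity-4.5.nix; a note `# Must equal version in linux-grsecurity-4.5.nix` on that line would keep the two from drifting apart on the next bump.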
@@ -124,6 +132,11 @@ rec {
       patch = ./grsecurity-path-4.4.patch;
     };
 
+  grsecurity_fix_path_4_5 =
+    { name = "grsecurity-fix-path-4.5";
+      patch = ./grsecurity-path-4.5.patch;
+    };
+
   crc_regression =
     { name = "crc-backport-regression";
       patch = ./crc-regression.patch;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index cea479e2adff..5d93c4fa2a4a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10655,6 +10655,15 @@ in
       ];
   };
 
+  grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
+    kernelPatches = [ kernelPatches.bridge_stp_helper ]
+      ++ lib.optionals ((platform.kernelArch or null) == "mips")
+      [ kernelPatches.mips_fpureg_emu
+        kernelPatches.mips_fpu_sigill
+        kernelPatches.mips_ext3_n32
+      ];
+  };
+
   grFlavors = import ../build-support/grsecurity/flavors.nix;
 
   mkGrsecurity = patch: opts:
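Review bot: `grsecurity_base_linux_4_5` is consumed only indirectly, as the `kernel` of `kernelPatches.grsecurity_4_5` in patches.nix, but nothing at the definition says so; a comment such as `# Unpatched 4.5 kernel that kernelPatches.grsecurity_4_5 (patches.nix) applies the grsecurity patch to` would tell a reader why a second 4.5 kernel attribute exists. The MIPS patch list appears to mirror the one used for the other grsecurity base kernels; if so, hoisting it into a shared binding would avoid editing it in several places.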
@@ -10679,6 +10688,10 @@ in
   linux_grsec_server_4_4     = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server;
   linux_grsec_server_xen_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
 
+  linux_grsec_desktop_4_5    = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
+  linux_grsec_server_4_5     = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
+  linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
+
   linux_grsec_desktop_latest    = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.desktop;
   linux_grsec_server_latest     = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
   linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
@@ -10850,6 +10863,10 @@ in
   linuxPackages_grsec_server_4_4     = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
   linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
 
+  linuxPackages_grsec_desktop_4_5    = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
+  linuxPackages_grsec_server_4_5     = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
+  linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
+
   linuxPackages_grsec_desktop_latest    = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.desktop;
   linuxPackages_grsec_server_latest     = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
   linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen;