authorAustin Seipp <aseipp@pobox.com>2014-05-14 12:04:40 -0500
committerAustin Seipp <aseipp@pobox.com>2014-05-17 14:09:43 -0500
commit4f27ad14a1ca4fcac1c572c7309cf6b8ef9e3d00 (patch)
treedca16b72095abdb2ab5f65680f70aeea8dc09ba6 /nixos/modules/security/grsecurity.nix
parentcb894d4fc3b004cba95043f375ef2665c85df6dd (diff)
grsec: refactor grsecurity packages
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/security/grsecurity.nix')
-rw-r--r--nixos/modules/security/grsecurity.nix125
1 files changed, 4 insertions, 121 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index a0f63cdf3a9e..78baa0cc5c3f 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -3,128 +3,11 @@
 with lib;
 
 let
-  cfg = config.security.grsecurity;
-
-  mkKernel = kernel: patch:
-    assert patch.kversion == kernel.version;
-      { inherit kernel patch;
-        inherit (patch) grversion revision;
+  customGrsecPkg =
+    (import ../../../pkgs/build-support/grsecurity
+      { grsecOptions = config.security.grsecurity;
       };
-
-  stable-patch = with pkgs.kernelPatches;
-    if cfg.vserver then grsecurity_vserver else grsecurity_stable;
-  stableKernel = mkKernel pkgs.linux_3_2  stable-patch;
-  testKernel   = mkKernel pkgs.linux_3_14 pkgs.kernelPatches.grsecurity_unstable;
-
-  ## -- grsecurity configuration -----------------------------------------------
-
-  grsecPrioCfg =
-    if cfg.config.priority == "security" then
-      "GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
-    else
-      "GRKERNSEC_CONFIG_PRIORITY_PERF y";
-
-  grsecSystemCfg =
-    if cfg.config.system == "desktop" then
-      "GRKERNSEC_CONFIG_DESKTOP y"
-    else
-      "GRKERNSEC_CONFIG_SERVER y";
-
-  grsecVirtCfg =
-    if cfg.config.virtualisationConfig == "none" then
-      "GRKERNSEC_CONFIG_VIRT_NONE y"
-    else if cfg.config.virtualisationConfig == "host" then
-      "GRKERNSEC_CONFIG_VIRT_HOST y"
-    else
-      "GRKERNSEC_CONFIG_VIRT_GUEST y";
-
-  grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
-    if cfg.config.hardwareVirtualisation == true then
-      "GRKERNSEC_CONFIG_VIRT_EPT y"
-    else
-      "GRKERNSEC_CONFIG_VIRT_SOFT y";
-
-  grsecVirtswCfg =
-    let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
-    in
-      if cfg.config.virtualisationConfig == "none" then ""
-      else if cfg.config.virtualisationSoftware == "xen"    then virtCfg "XEN"
-      else if cfg.config.virtualisationSoftware == "kvm"    then virtCfg "KVM"
-      else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
-      else                                                       virtCfg "VIRTUALBOX";
-
-  grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
-    GRKERNSEC_CONFIG_AUTO y
-    ${grsecPrioCfg}
-    ${grsecSystemCfg}
-    ${grsecVirtCfg}
-    ${grsecHwvirtCfg}
-    ${grsecVirtswCfg}
-  '';
-
-  grsecConfig =
-    let boolToKernOpt = b: if b then "y" else "n";
-        # Disable RANDSTRUCT under virtualbox, as it has some kind of
-        # breakage with the vbox guest drivers
-        randstruct = optionalString config.services.virtualbox.enable
-          "GRKERNSEC_RANDSTRUCT n";
-        # Disable restricting links under the testing kernel, as something
-        # has changed causing it to fail miserably during boot.
-        restrictLinks = optionalString cfg.testing
-          "GRKERNSEC_LINK n";
-    in ''
-      GRKERNSEC y
-      ${grsecMainConfig}
-
-      ${if cfg.config.restrictProc then
-          "GRKERNSEC_PROC_USER y"
-        else
-          optionalString cfg.config.restrictProcWithGroup ''
-            GRKERNSEC_PROC_USERGROUP y
-            GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
-          ''
-      }
-
-      GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
-      GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
-      GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
-      ${randstruct}
-      ${restrictLinks}
-
-      ${cfg.config.kernelExtraConfig}
-    '';
-
-  ## -- grsecurity kernel packages ---------------------------------------------
-
-  localver = grkern:
-    "-grsec" + optionalString cfg.config.verboseVersion
-       "-${grkern.grversion}-${grkern.revision}";
-
-  grsecurityOverrider = args: grkern: {
-    # Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
-    # include libgmp headers, so we need these extra tweaks
-    buildInputs = args.buildInputs ++ [ pkgs.gmp ];
-    preConfigure = ''
-      ${args.preConfigure or ""}
-      sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
-      sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
-      sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
-      rm localversion-grsec
-      echo ${localver grkern} > localversion-grsec
-    '';
-  };
-
-  mkGrsecPkg = grkern:
-    let kernelPkg = lowPrio (overrideDerivation (grkern.kernel.override (args: {
-          kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
-          argsOverride = {
-            modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
-          };
-          extraConfig = grsecConfig;
-        })) (args: grsecurityOverrider args grkern));
-    in pkgs.linuxPackagesFor kernelPkg (mkGrsecPkg grkern);
-
-  grsecPackage = mkGrsecPkg (if cfg.stable then stableKernel else testKernel);
+    ).grsecPackage;
 in
 {
   options = {
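Review bot: The new `import ../../../pkgs/build-support/grsecurity { grsecOptions = config.security.grsecurity; }` on the added lines hands the build-support expression only the `security.grsecurity` option set, whereas the removed `grsecConfig` also consulted `config.services.virtualbox.enable` to emit `GRKERNSEC_RANDSTRUCT n` for VirtualBox guests; unless the imported file obtains that value some other way (not visible here), that workaround is silently lost and a VirtualBox guest would again get RANDSTRUCT enabled. The call also passes neither `pkgs` nor `lib`, so the imported expression must pick its own nixpkgs instance, which may not match the one this module evaluates against (overrides, `nixpkgs.config`) — if that is intended, a comment on the binding would help, e.g. `# grsecOptions carries only security.grsecurity; the former RANDSTRUCT-off-under-virtualbox tweak needs services.virtualbox.enable from the caller`. The binding is renamed from `grsecPackage` to `customGrsecPkg`; the rest of the module that used `grsecPackage` is outside this hunk, so its callers should be checked. The enclosing `let` closes inside the hunk, but the attribute set that follows continues past its end.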