authorFranz Pletz <fpletz@fnordicwalking.de>2016-03-08 01:01:44 +0100
committerFranz Pletz <fpletz@fnordicwalking.de>2016-03-08 01:01:44 +0100
commiteb5a897161d4c6daf4a4fa80eca42829cc501a75 (patch)
treeae3d61a5373202c1b625b7819d6d05ae4b4ab913 /pkgs/build-support
parentd43578b599d4b7329fb1197118b4621eaac824c3 (diff)
parentbe3bd972d5f242340a28b65c31d2f16a97c59017 (diff)
Merge remote-tracking branch 'origin/pr/13505'
Fixes #13505.
Diffstat (limited to 'pkgs/build-support')
-rw-r--r--pkgs/build-support/grsecurity/default.nix25
-rw-r--r--pkgs/build-support/grsecurity/flavors.nix25
2 files changed, 17 insertions, 33 deletions
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 841effcfca11..64cce3dbad52 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -4,8 +4,7 @@ with lib;
 
 let
   cfg = {
-    stable  = grsecOptions.stable  or false;
-    testing = grsecOptions.testing or false;
+    kernelPatch = grsecOptions.kernelPatch;
     config = {
       mode = "auto";
       sysctl = false;
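Review bot: The added `kernelPatch = grsecOptions.kernelPatch;` has no fallback, unlike the `or false` defaults it replaces, so a caller that omits the attribute gets only a generic missing-attribute evaluation error. The flavors in flavors.nix no longer set a version key and, as far as this diff shows, do not supply `kernelPatch` either, so every caller has to merge it in. I would make the requirement explicit with `kernelPatch = grsecOptions.kernelPatch or (throw "grsecurity: grsecOptions.kernelPatch must be set");`. The `cfg` attrset continues past the end of this hunk.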
@@ -22,18 +21,13 @@ let
 
   vals = rec {
 
-    mkKernel = kernel: patch:
-      assert patch.kversion == kernel.version;
-        { inherit kernel patch;
-          inherit (patch) grversion revision;
+    mkKernel = patch:
+        {
+          inherit patch;
+          inherit (patch) kernel patches grversion revision;
         };
 
-    test-patch = with pkgs.kernelPatches; grsecurity_unstable;
-    stable-patch = with pkgs.kernelPatches; grsecurity_stable;
-
-    grKernel = if cfg.stable
-               then mkKernel pkgs.linux_3_14 stable-patch
-               else mkKernel pkgs.linux_4_3 test-patch;
+    grKernel = mkKernel cfg.kernelPatch;
 
     ## -- grsecurity configuration ---------------------------------------------
 
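Review bot: The new `mkKernel` drops `assert patch.kversion == kernel.version;`, so this function no longer checks that the grsecurity patch matches the kernel it is applied to. Taking the kernel from the patch attrset makes a mismatch less likely, but correctness now rests on every patch definition pairing itself with the right kernel. If `kversion` is still present on the patch attrsets (not visible here), keeping `assert patch.kversion == patch.kernel.version;` in front of the attrset would catch a stale pairing at evaluation time instead of as a failed or misapplied patch during the build. The `vals` set continues beyond this hunk.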
@@ -90,8 +84,8 @@ let
 
           # Disable restricting links under the testing kernel, as something
           # has changed causing it to fail miserably during boot.
-          restrictLinks = optionalString cfg.testing
-            "GRKERNSEC_LINK n";
+          #restrictLinks = optionalString cfg.testing
+          #  "GRKERNSEC_LINK n";
       in ''
         GRKERNSEC y
         ${grsecMainConfig}
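Review bot: The comment above the commented-out `restrictLinks` still says link restriction is disabled under the testing kernel, but after this change nothing emits `GRKERNSEC_LINK n`, so the option is left to the rest of the configuration for every kernel. Commented-out code with a stale explanation is misleading in a hardening config. I would delete the two `#restrictLinks` lines and replace the comment with something like `# GRKERNSEC_LINK is no longer forced off; it used to break boot on the testing kernel`. The commit does not say whether that boot failure is resolved, so it is worth confirming before relying on the default. The enclosing `let` block starts before this hunk.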
@@ -109,7 +103,6 @@ let
         GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
         GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
         GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
-        ${restrictLinks}
 
         ${cfg.config.kernelExtraConfig}
       '';
@@ -136,7 +129,7 @@ let
 
     mkGrsecKern = grkern:
       lowPrio (overrideDerivation (grkern.kernel.override (args: {
-        kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
+        kernelPatches = args.kernelPatches ++ [ grkern.patch  ] ++ grkern.patches;
         argsOverride = {
           modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
         };
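Review bot: `pkgs.kernelPatches.grsec_fix_path` is no longer appended unconditionally on the `kernelPatches` line; whether it is applied now depends on what each patch attrset puts in `grkern.patches`, which this diff does not show. A patch definition that forgets it would build a kernel without that fix and nothing here would notice, so I would document the contract next to the line, e.g. `# grkern.patches must carry grsec_fix_path (and any other companion patches) for this kernel`. The doubled space in `[ grkern.patch  ]` is a leftover from the removed element and can be tidied. `mkGrsecKern` continues past the end of the hunk.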
diff --git a/pkgs/build-support/grsecurity/flavors.nix b/pkgs/build-support/grsecurity/flavors.nix
index 969ca579f5a6..1281d60aa328 100644
--- a/pkgs/build-support/grsecurity/flavors.nix
+++ b/pkgs/build-support/grsecurity/flavors.nix
@@ -1,26 +1,17 @@
 let
-  mkOpts = ver: prio: sys: virt: swvirt: hwvirt:
+  mkOpts = prio: sys: virt: swvirt: hwvirt:
     { config.priority               = prio;
       config.system                 = sys;
       config.virtualisationConfig   = virt;
       config.hardwareVirtualisation = hwvirt;
       config.virtualisationSoftware = swvirt;
-    } // builtins.listToAttrs [ { name = ver; value = true; } ];
+    };
 in
 {
-  # Stable kernels
-  linux_grsec_stable_desktop =
-    mkOpts "stable" "performance" "desktop" "host" "kvm" true;
-  linux_grsec_stable_server  =
-    mkOpts "stable" "security" "server" "host" "kvm" true;
-  linux_grsec_stable_server_xen =
-    mkOpts "stable" "security" "server" "guest" "xen" true;
-
-  # Testing kernels
-  linux_grsec_testing_desktop =
-    mkOpts "testing" "performance" "desktop" "host" "kvm" true;
-  linux_grsec_testing_server  =
-    mkOpts "testing" "security" "server" "host" "kvm" true;
-  linux_grsec_testing_server_xen =
-    mkOpts "testing" "security" "server" "guest" "xen" true;
+  desktop =
+    mkOpts "performance" "desktop" "host" "kvm" true;
+  server  =
+    mkOpts "security" "server" "host" "kvm" true;
+  server_xen =
+    mkOpts "security" "server" "guest" "xen" true;
 }