authorMichael Raskin <7c6f434c@mail.ru>2013-11-28 21:42:27 -0800
committerMichael Raskin <7c6f434c@mail.ru>2013-11-28 21:42:27 -0800
commit0851ed23d87b7fc7372b77180d157f2b3a6c600d (patch)
tree081f6f60d7297fccd46ef1078bd2e1dc669d7684 /pkgs/os-specific
parent87aca961235e64bbecc18b0bc1717b8c571af44a (diff)
parent2106191003dd549e1c4cfc95e26e658f9c5babbe (diff)
Merge pull request #1282 from wizeman/grsec-upd
grsecurity: Update to latest version and add patch for kernel 3.12
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r--pkgs/os-specific/linux/kernel/grsec-path.patch15
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix26
2 files changed, 36 insertions, 5 deletions
diff --git a/pkgs/os-specific/linux/kernel/grsec-path.patch b/pkgs/os-specific/linux/kernel/grsec-path.patch
new file mode 100644
index 000000000000..be242779548f
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsec-path.patch
@@ -0,0 +1,15 @@
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 3227c2c..f32c944 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -246,8 +246,8 @@ static int ____call_usermodehelper(void *data)
+ 	   out the path to be used prior to this point and are now operating
+ 	   on that copy
+ 	*/
+-	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
+-	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7)) || strstr(sub_info->path, "..")) {
++	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
++	     strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+ 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of /sbin and system library paths\n", sub_info->path);
+ 		retval = -EPERM;
+ 		goto fail;
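Review bot: The rewritten condition on the two `+` lines accepts any path under `/nix/store/`, and on a system where local users can add files to the store through the Nix daemon that prefix is not a root-only directory the way `/lib/`, `/lib64/` and `/usr/lib/` were, so the grsecurity check now restricts usermode helpers to a much weaker set; that trade-off should be stated in the patch file's header so a later reader does not assume the original guarantee still holds. The unchanged denial message on the following context line still says `located outside of /sbin and system library paths`, which no longer describes what is checked; it should name the new prefixes, e.g. `"grsec: denied exec of usermode helper binary %.950s located outside of /sbin, /nix/store and /run/current-system/systemd/lib\n"`. The `..` rejection is kept, but the `strncmp` prefixes are matched on the literal string in `sub_info->path`, not on a resolved path, which is presumably intended since the kernel supplies that string — a one-line comment saying so would help. `____call_usermodehelper` continues outside the hunk.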
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 36f3232838c2..128c42533c63 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -124,14 +124,30 @@ rec {
   };
 
 
-  grsecurity_2_9_1_3_2_52 =
-    { name = "grsecurity-2.9.1-3.2.52";
+  grsecurity_3_0_3_2_52 =
+    { name = "grsecurity-3.0-3.2.52";
       patch = fetchurl {
-        url = http://grsecurity.net/stable/grsecurity-2.9.1-3.2.52-201310271550.patch;
-        sha256 = "08y4y323y2lfvdj67gmg3ca8gaf3snhr3pyrmgvj877avaz0475m";
+        url = https://grsecurity.net/stable/grsecurity-3.0-3.2.52-201311261307.patch;
+        sha256 = "1zmzgjpbq90q2w3yl3dgdc79qan7qkh5w6g3y3nvzr6ww6jl8hqw";
       };
-      # The grsec kernel patch seems to include the apparmor patches as of 2.9.1-3.2.52
+      features.grsecurity = true;
+      # The grsec kernel patch seems to include the apparmor patches as of 3.0-3.2.52
       features.apparmor = true;
     };
 
+  grsecurity_3_0_3_12_1 =
+    { name = "grsecurity-3.0-3.12.1";
+      patch = fetchurl {
+        url = https://grsecurity.net/test/grsecurity-3.0-3.12.1-201311261309.patch;
+        sha256 = "129q740m2iivc4i9a465lvzcph9gxlivxzg2p9dsi7c136p42mdz";
+      };
+      features.grsecurity = true;
+      # The grsec kernel patch seems to include the apparmor patches as of 3.0-3.12.1
+      features.apparmor = true;
+    };
+
+  grsec_path =
+    { name = "grsec-path";
+      patch = ./grsec-path.patch;
+    };
 }
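Review bot: `grsec_path` has no comment saying what the referenced patch does or that it is only meaningful on top of one of the `grsecurity_*` patches; add above it `# Adjusts grsecurity's usermode-helper path allowlist for /nix/store and /run/current-system/systemd/lib; apply together with a grsecurity_* patch.` The 3.12.1 entry fetches from `grsecurity.net/test/` while the 3.2.52 entry uses `/stable/`, which presumably means it comes from upstream's test series; a comment on `grsecurity_3_0_3_12_1` noting that would explain the differing URLs to the next maintainer. The `sha256` on each `fetchurl` pins the content, so the switch from http to https does not change what is trusted, but it is a good change to keep.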