diff options
| author | Matthieu Coudron <mattator@gmail.com> | 2018-06-25 09:12:17 +0900 |
|---|---|---|
| committer | Tuomas Tynkkynen <tuomas@tuxera.com> | 2018-06-30 16:01:41 +0300 |
| commit | e4fe7b31beb04937b08486a89e88c30e265f7211 (patch) | |
| tree | 7642be87a246dc7713323af926fdb5e61b6bc0bf /pkgs/os-specific | |
| parent | dcea150a89e027389439b32e999de71c559134e1 (diff) | |
| download | nixlib-e4fe7b31beb04937b08486a89e88c30e265f7211.tar nixlib-e4fe7b31beb04937b08486a89e88c30e265f7211.tar.gz nixlib-e4fe7b31beb04937b08486a89e88c30e265f7211.tar.bz2 nixlib-e4fe7b31beb04937b08486a89e88c30e265f7211.tar.lz nixlib-e4fe7b31beb04937b08486a89e88c30e265f7211.tar.xz nixlib-e4fe7b31beb04937b08486a89e88c30e265f7211.tar.zst nixlib-e4fe7b31beb04937b08486a89e88c30e265f7211.zip | |
linux: fix features system
Diffstat (limited to 'pkgs/os-specific')
| -rw-r--r-- | pkgs/os-specific/linux/kernel/common-config.nix | 18 | ||||
| -rw-r--r-- | pkgs/os-specific/linux/kernel/generic.nix | 2 |
2 files changed, 9 insertions, 11 deletions
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 3bebaab37d3b..a1ea3e126855 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -21,7 +21,7 @@ # legacy extraConfig as string , extraConfig ? "" -, features ? {} +, features ? { grsecurity = false; xen_dom0 = false; } }: assert (mkValueOverride == null) || (builtins.isFunction mkValueOverride); @@ -31,12 +31,8 @@ with stdenv.lib; with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; }; let - # temporary hack - grsecurity = false; - xen_dom0 = false; - - # TODO configuration items have to be part of subattrs. Remove this constraint + # configuration items have to be part of a subattrs flattenKConf = nested: mapAttrs (_: head) (zipAttrs (attrValues nested)); options = { @@ -50,7 +46,7 @@ let DEBUG_NX_TEST = whenOlder "4.11" no; CPU_NOTIFIER_ERROR_INJECT = whenOlder "4.4" (option no); DEBUG_STACK_USAGE = no; - DEBUG_STACKOVERFLOW = when (!grsecurity) no; + DEBUG_STACKOVERFLOW = when (!features.grsecurity) no; RCU_TORTURE_TEST = no; SCHEDSTATS = no; DETECT_HUNG_TASK = yes; @@ -333,7 +329,7 @@ let SECURITY_SELINUX_BOOTPARAM_VALUE = "0"; # Disable SELinux by default # Prevent processes from ptracing non-children processes SECURITY_YAMA = option yes; - DEVKMEM = when (!grsecurity) no; # Disable /dev/kmem + DEVKMEM = when (!features.grsecurity) no; # Disable /dev/kmem USER_NS = yes; # Support for user namespaces @@ -408,7 +404,7 @@ let virtualisation = { PARAVIRT = option yes; - HYPERVISOR_GUEST = when (!grsecurity) yes; + HYPERVISOR_GUEST = when (!features.grsecurity) yes; PARAVIRT_SPINLOCKS = option yes; KVM_APIC_ARCHITECTURE = whenOlder "4.8" yes; @@ -416,7 +412,7 @@ let KVM_COMPAT = option (whenBetween "4.0" "4.12" yes); KVM_DEVICE_ASSIGNMENT = option (whenBetween "3.10" "4.12" yes); KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0" yes; - KVM_GUEST = when (!grsecurity) yes; + KVM_GUEST = when (!features.grsecurity) yes; KVM_MMIO = yes; KVM_VFIO = yes; KSM = yes; @@ -432,7 +428,7 @@ let # XXX: why isn't this in the xen-dom0 conditional section below? XEN_DOM0 = option yes; - } // optionalAttrs xen_dom0 { + } // optionalAttrs features.xen_dom0 { PCI_XEN = option yes; HVC_XEN = option yes; HVC_XEN_FRONTEND = option yes; diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix index fde6efd797d2..684955b9067d 100644 --- a/pkgs/os-specific/linux/kernel/generic.nix +++ b/pkgs/os-specific/linux/kernel/generic.nix @@ -61,6 +61,8 @@ let efiBootStub = true; needsCifsUtils = true; netfilterRPFilter = true; + grsecurity = false; + xen_dom0 = false; } // features) kernelPatches; intermediateNixConfig = import ./common-config.nix { |