authorRobin Gloster <mail@glob.in>2016-05-02 11:56:11 +0200
committerRobin Gloster <mail@glob.in>2016-05-02 11:56:11 +0200
commit1ea32f8235fbe53bef5d0350d569640e2fe7f8bf (patch)
tree141d19b75652068c7263e4e26f1556b782f82f6f /pkgs
parent5a2b26cf7b4de3c8a2c86e5230eb9423e4a3dfaa (diff)
parent60a27781d6d358e0c5cd144c7c90642761c1a31f (diff)
Merge pull request #15158 from joachifm/grsecurity
Grsecurity updates & improvements
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/build-support/grsecurity/default.nix7
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch14
-rw-r--r--pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix (renamed from pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix)6
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix23
-rw-r--r--pkgs/top-level/all-packages.nix20
5 files changed, 46 insertions, 24 deletions
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 6c2e98b9cc1d..0ba270366671 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -90,6 +90,10 @@ let
         GRKERNSEC y
         ${grsecMainConfig}
 
+        # The paxmarks mechanism relies on ELF header markings, but the default
+        # grsecurity configuration only enables xattr markings
+        PAX_PT_PAX_FLAGS y
+
         ${if cfg.config.restrictProc then
             "GRKERNSEC_PROC_USER y"
           else
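Review bot: The new comment says why PAX_PT_PAX_FLAGS is turned on but not what it means to have both PT_PAX and xattr markings consulted at once; as far as I recall, PaX refuses to execute a binary whose PT_PAX and xattr markings disagree, which matters here because the paxmarks tooling may only ever set one of the two — please confirm against the PaX ELF loader before relying on it. If that holds, I would extend the comment with `# Both marking sources stay enabled; a binary whose PT_PAX and xattr markings disagree is rejected, so paxmarks must keep them consistent`. The enclosing let binding starts and ends outside the hunk.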
@@ -117,8 +121,7 @@ let
       # additional build inputs for gcc plugins, required by some PaX/grsec features
       nativeBuildInputs = args.nativeBuildInputs ++ (with pkgs; [ gmp libmpc mpfr ]);
 
-      preConfigure = args.preConfigure or "" + ''
-        rm localversion-grsec
+      preConfigure = (args.preConfigure or "") + ''
         echo ${localver grkern} > localversion-grsec
       '';
     };
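Review bot: The new `preConfigure` line concatenates the caller's hook text directly onto the `echo` command with no separator, and since Nix drops the newline that follows the opening `''`, a caller whose `preConfigure` does not end in a newline gets the `echo` appended to its last command line. The added parentheses do fix the `or`/`+` precedence that the old line had wrong, and dropping `rm localversion-grsec` is fine because `>` overwrites the file. Writing `preConfigure = (args.preConfigure or "") + "\n" + ''` keeps both fragments on their own lines regardless of what the caller passed. The enclosing let binding starts and ends outside the hunk.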
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch b/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
new file mode 100644
index 000000000000..e0430a69c950
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
@@ -0,0 +1,14 @@
+diff -ru a/kernel/kmod.c b/kernel/kmod.c
+--- a/kernel/kmod.c	2016-04-21 17:06:09.882281660 +0200
++++ b/kernel/kmod.c	2016-04-21 17:08:17.458949309 +0200
+@@ -294,7 +294,9 @@
+ 	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+ 	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+ 	     strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") && 
+-	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
++	     strcmp(sub_info->path, "/usr/share/apport/apport") &&
++       strncmp(sub_info->path, "/nix/store/", 11) &&
++       strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+ 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
+ 		retval = -EPERM;
+ 		goto out;
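Review bot: The added `strncmp(sub_info->path, "/nix/store/", 11)` entry admits any usermode helper located anywhere under the Nix store, which is a far wider allowlist than the fixed system directories the surrounding condition enumerates, and the kernel has no way to distinguish a store path from the system profile from one that any local user may be able to produce through the Nix daemon; the existing `strstr(sub_info->path, "..")` check on the same line still blocks traversal but does not narrow this. That is probably an unavoidable consequence of the store layout, but it deserves a sentence in the `grsecurity_fix_path_4_5` entry in patches.nix stating that the patch relaxes grsecurity's usermode-helper path restriction to the whole store and to /run/current-system/systemd/lib, so that nobody later mistakes it for a purely cosmetic path fix. Separately, the three added lines are indented with spaces where the surrounding kmod.c lines use tabs. The enclosing function in kmod.c starts and ends outside the hunk.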
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
index 4359f4586c50..267d0d58de41 100644
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.1.7";
-  extraMeta.branch = "4.1";
+  version = "4.5.2";
+  extraMeta.branch = "4.5";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0g1dnvak0pd03d4miy1025bw64wq71w29a058dzspdr6jcf9qwbn";
+    sha256 = "17r063zx880ka3ayv9cf1yjfilvxlifhja1rhw5z3w35hgdkj8z3";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 707ebb544bf4..14b0692dbada 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -96,14 +96,6 @@ rec {
       sha256    = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
     };
 
-  grsecurity_4_1 = grsecPatch
-    { kernel    = pkgs.grsecurity_base_linux_4_1;
-      patches   = [ grsecurity_fix_path_3_14 ];
-      kversion  = "4.1.7";
-      revision  = "201509201149";
-      sha256    = "1agv8c3c4vmh5algbzmrq2f6vwk72rikrlcbm4h7jbrb9js6fxk4";
-    };
-
   grsecurity_4_4 = grsecPatch
     { kernel    = pkgs.grsecurity_base_linux_4_4;
       patches   = [ grsecurity_fix_path_4_4 ];
@@ -112,7 +104,15 @@ rec {
       sha256    = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
     };
 
-  grsecurity_latest = grsecurity_4_4;
+  grsecurity_4_5 = grsecPatch
+    { kernel    = pkgs.grsecurity_base_linux_4_5;
+      patches   = [ grsecurity_fix_path_4_5 ];
+      kversion  = "4.5.2";
+      revision  = "201604290633";
+      sha256    = "0qrs4fk6lyqngq3fnsmrv0y3yp1lrbiwadfc6v7hy4lyv77wz107";
+    };
+
+  grsecurity_latest = grsecurity_4_5;
 
   grsecurity_fix_path_3_14 =
     { name = "grsecurity-fix-path-3.14";
@@ -124,6 +124,11 @@ rec {
       patch = ./grsecurity-path-4.4.patch;
     };
 
+  grsecurity_fix_path_4_5 =
+    { name = "grsecurity-fix-path-4.5";
+      patch = ./grsecurity-path-4.5.patch;
+    };
+
   crc_regression =
     { name = "crc-backport-regression";
       patch = ./crc-regression.patch;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index b8d6090a2447..4126d518076a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10637,7 +10637,7 @@ in
       ];
   };
 
-  grsecurity_base_linux_4_1 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.1.nix {
+  grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
     kernelPatches = [ kernelPatches.bridge_stp_helper ]
       ++ lib.optionals ((platform.kernelArch or null) == "mips")
       [ kernelPatches.mips_fpureg_emu
@@ -10646,7 +10646,7 @@ in
       ];
   };
 
-  grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
+  grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
     kernelPatches = [ kernelPatches.bridge_stp_helper ]
       ++ lib.optionals ((platform.kernelArch or null) == "mips")
       [ kernelPatches.mips_fpureg_emu
@@ -10671,14 +10671,14 @@ in
   linux_grsec_server_3_14     = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server;
   linux_grsec_server_xen_3_14 = self.grKernel kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
 
-  linux_grsec_desktop_4_1    = self.grKernel kernelPatches.grsecurity_4_1 self.grFlavors.desktop;
-  linux_grsec_server_4_1     = self.grKernel kernelPatches.grsecurity_4_1 self.grFlavors.server;
-  linux_grsec_server_xen_4_1 = self.grKernel kernelPatches.grsecurity_4_1 self.grFlavors.server_xen;
-
   linux_grsec_desktop_4_4    = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
   linux_grsec_server_4_4     = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server;
   linux_grsec_server_xen_4_4 = self.grKernel kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
 
+  linux_grsec_desktop_4_5    = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
+  linux_grsec_server_4_5     = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server;
+  linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
+
   linux_grsec_desktop_latest    = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.desktop;
   linux_grsec_server_latest     = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server;
   linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen;
@@ -10842,14 +10842,14 @@ in
   linuxPackages_grsec_server_3_14     = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server;
   linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen;
 
-  linuxPackages_grsec_desktop_4_1    = self.grPackage kernelPatches.grsecurity_4_1 self.grFlavors.desktop;
-  linuxPackages_grsec_server_4_1     = self.grPackage kernelPatches.grsecurity_4_1 self.grFlavors.server;
-  linuxPackages_grsec_server_xen_4_1 = self.grPackage kernelPatches.grsecurity_4_1 self.grFlavors.server_xen;
-
   linuxPackages_grsec_desktop_4_4    = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop;
   linuxPackages_grsec_server_4_4     = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server;
   linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen;
 
+  linuxPackages_grsec_desktop_4_5    = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop;
+  linuxPackages_grsec_server_4_5     = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server;
+  linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen;
+
   linuxPackages_grsec_desktop_latest    = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.desktop;
   linuxPackages_grsec_server_latest     = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server;
   linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen;