authorJoachim Fasting <joachifm@fastmail.fm>2017-04-30 07:16:13 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2017-04-30 12:05:41 +0200
commitab4fa1cce4c3c536811d8d7ddfcad1a8310cfb90 (patch)
tree02586b19dffa9e0905210e7a7af9517ff70912d6 /pkgs
parent8c98e8ca2fe65add522235e50e2ea506c8d0942b (diff)
tree-wide: prune some dead grsec leaves
The beginning of pruning grsecurity/PaX from the tree.
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/build-support/grsecurity/default.nix37
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix63
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch14
-rw-r--r--pkgs/os-specific/linux/kernel/linux-grsecurity.nix18
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix28
-rw-r--r--pkgs/top-level/all-packages.nix11
6 files changed, 1 insertions, 170 deletions
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
deleted file mode 100644
index ccd46e20654f..000000000000
--- a/pkgs/build-support/grsecurity/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ stdenv
-, lib
-, overrideDerivation
-
-# required for gcc plugins
-, gmp, libmpc, mpfr
-
-# the base kernel
-, kernel
-
-, grsecPatch
-, kernelPatches ? []
-
-, localver ? "-grsec"
-, modDirVersion ? "${kernel.version}${localver}"
-, extraConfig ? ""
-, ...
-} @ args:
-
-assert (kernel.version == grsecPatch.kver);
-
-overrideDerivation (kernel.override {
-  inherit modDirVersion;
-  kernelPatches = lib.unique ([ grsecPatch ] ++ kernelPatches ++ (kernel.kernelPatches or []));
-  extraConfig = ''
-    GRKERNSEC y
-    PAX y
-    ${extraConfig}
-  '';
-  ignoreConfigErrors = true;
-}) (attrs: {
-  nativeBuildInputs = (lib.chooseDevOutputs [ gmp libmpc mpfr ]) ++ (attrs.nativeBuildInputs or []);
-  preConfigure = ''
-    echo ${localver} >localversion-grsec
-    ${attrs.preConfigure or ""}
-  '';
-})
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
deleted file mode 100644
index ed8942b10669..000000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ stdenv }:
-
-with stdenv.lib;
-
-''
-# Auto configuration with these constraints will enable most of the
-# important features (RAP, UDEREF, ASLR, memory sanitization).
-GRKERNSEC_CONFIG_AUTO y
-GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_PRIORITY_SECURITY y
-
-# We specify virt guest rather than host here, the latter deselects e.g.,
-# paravirtualization.
-GRKERNSEC_CONFIG_VIRT_GUEST y
-# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
-GRKERNSEC_CONFIG_VIRT_EPT y
-GRKERNSEC_CONFIG_VIRT_KVM y
-
-# PaX control
-PAX_SOFTMODE y
-PAX_PT_PAX_FLAGS y
-PAX_XATTR_PAX_FLAGS y
-PAX_EI_PAX n
-
-PAX_INITIFY y
-
-# The bts instrumentation method is compatible with binary only modules.
-#
-# Note: if platform supports SMEP, we could do without this
-PAX_KERNEXEC_PLUGIN_METHOD_BTS y
-
-# Additional grsec hardening not implied by auto constraints
-GRKERNSEC_IO y
-GRKERNSEC_SYSFS_RESTRICT y
-GRKERNSEC_ROFS y
-
-GRKERNSEC_MODHARDEN y
-
-# Disable protections rendered useless by redistribution
-GRKERNSEC_HIDESYM n
-GRKERNSEC_RANDSTRUCT n
-
-# Disable protections covered by vanilla mechanisms
-GRKERNSEC_DMESG n
-GRKERNSEC_KMEM n
-GRKERNSEC_PROC n
-
-# Disable protections that are inappropriate for a general-purpose kernel
-GRKERNSEC_NO_SIMULT_CONNECT n
-
-# Enable additional audititing
-GRKERNSEC_AUDIT_MOUNT y
-GRKERNSEC_AUDIT_PTRACE y
-GRKERNSEC_FORKFAIL y
-
-# Wishlist: support trusted path execution
-GRKERNSEC_TPE n
-
-GRKERNSEC_SYSCTL y
-GRKERNSEC_SYSCTL_DISTRO y
-# Assume that appropriate sysctls are toggled once the system is up
-GRKERNSEC_SYSCTL_ON n
-''
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
deleted file mode 100644
index e0430a69c950..000000000000
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -ru a/kernel/kmod.c b/kernel/kmod.c
---- a/kernel/kmod.c	2016-04-21 17:06:09.882281660 +0200
-+++ b/kernel/kmod.c	2016-04-21 17:08:17.458949309 +0200
-@@ -294,7 +294,9 @@
- 	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
- 	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
- 	     strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") && 
--	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
-+	     strcmp(sub_info->path, "/usr/share/apport/apport") &&
-+       strncmp(sub_info->path, "/nix/store/", 11) &&
-+       strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
- 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
- 		retval = -EPERM;
- 		goto out;
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
deleted file mode 100644
index 166836a3275c..000000000000
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
-
-import ./generic.nix (args // rec {
-  version = "4.9.24";
-  extraMeta.branch = "4.9";
-
-  src = fetchurl {
-    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha512 = "3031ldw2f6dwkm3z1cn7rw8y4diq57rs3na64nzkw7xw4q74cfpzzp5866vf58y0fsyl8l2vgvwza7cdhxywmmxp7q0q5385jn8nnvd";
-  };
-
-  kernelPatches = args.kernelPatches;
-
-  features.iwlwifi = true;
-  features.efiBootStub = true;
-  features.needsCifsUtils = true;
-  features.netfilterRPFilter = true;
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index ffc193efbf14..1747d34fe112 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -17,26 +17,6 @@ let
         '';
       };
     };
-
-  grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha512 }: rec {
-    name = "grsecurity-${grver}-${kver}-${grrev}";
-
-    # Pass these along to allow the caller to determine compatibility
-    inherit grver kver grrev;
-
-    patch = fetchurl {
-      urls = [
-        "https://grsecurity.net/${grbranch}/${name}.patch"
-        # When updating versions/hashes, ALWAYS use the official
-        # version; we use this mirror only because upstream removes
-        # source files immediately upon releasing a new version ...
-        "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${kver}/${name}.patch"
-      ];
-      inherit sha512;
-    };
-
-    features.grsecurity = true;
-  };
 in
 
 rec {
@@ -107,14 +87,6 @@ rec {
     for more information.
   '';
 
-  # This patch relaxes grsec constraints on the location of usermode helpers,
-  # e.g., modprobe, to allow calling into the Nix store.
-  grsecurity_nixos_kmod =
-    {
-      name  = "grsecurity-nixos-kmod";
-      patch = ./grsecurity-nixos-kmod.patch;
-    };
-
   crc_regression =
     { name = "crc-backport-regression";
       patch = ./crc-regression.patch;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 01a862c6c835..d9e85032790e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -11922,16 +11922,7 @@ with pkgs;
   linuxPackages_grsec_nixos =
     recurseIntoAttrs (linuxPackagesFor linux_grsec_nixos);
 
-  # An unsupported grsec xen guest kernel
-  linux_grsec_server_xen = linux_grsec_nixos.override {
-    extraConfig = ''
-      GRKERNSEC_CONFIG_AUTO y
-      GRKERNSEC_CONFIG_PRIORITY_SECURITY y
-      GRKERNSEC_CONFIG_SERVER y
-      GRKERNSEC_CONFIG_VIRT_GUEST y
-      GRKERNSEC_CONFIG_VIRT_XEN y
-    '';
-  };
+  linux_grsec_server_xen = linux_grsec_nixos;
 
   # ChromiumOS kernels
   linuxPackages_chromiumos_3_18 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_chromiumos_3_18);
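Review bot: The new `linux_grsec_server_xen = linux_grsec_nixos;` keeps an attribute whose name promises a Xen-guest server configuration but now evaluates to a different kernel, so any consumer of it gets the removed `GRKERNSEC_CONFIG_SERVER`/`GRKERNSEC_CONFIG_VIRT_XEN` settings replaced with whatever `linux_grsec_nixos` configures, without an evaluation error or a hint in the attribute name. For a kernel hardening option that silent substitution is worth making visible; if the alias is kept for compatibility, a comment such as `# Deprecated alias: the Xen guest configuration was removed; this builds the same kernel as linux_grsec_nixos.` should sit on the line above it, and if the attribute is meant to go away, `throw` with a message pointing at `linux_grsec_nixos` would surface the change to anyone still referencing it. What `linux_grsec_nixos` itself configures after this commit is not visible in this hunk (its config file is deleted earlier in the diff), so whether the two kernels still differ materially for a Xen guest is something the reviewer should confirm.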