diff options
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/fetchpatch/default.nix | 22 | ||||
-rw-r--r-- | pkgs/build-support/grsecurity/default.nix | 154 | ||||
-rw-r--r-- | pkgs/build-support/grsecurity/flavors.nix | 32 |
3 files changed, 208 insertions, 0 deletions
diff --git a/pkgs/build-support/fetchpatch/default.nix b/pkgs/build-support/fetchpatch/default.nix new file mode 100644 index 000000000000..768d173934d5 --- /dev/null +++ b/pkgs/build-support/fetchpatch/default.nix @@ -0,0 +1,22 @@ +# This function downloads and normalizes a patch/diff file. +# This is primarily useful for dynamically generated patches, +# such as GitHub's or cgit's, where the non-significant content parts +# often change with updating of git or cgit. +# stripLen acts as the -p parameter when applying a patch. + +{ fetchurl, patchutils }: +{ stripLen ? 0, ... }@args: + +fetchurl ({ + postFetch = '' + tmpfile="$TMPDIR/${args.sha256}" + "${patchutils}/bin/lsdiff" "$out" \ + | sort -u | sed -e 's/[*?]/\\&/g' \ + | xargs -I{} \ + "${patchutils}/bin/filterdiff" \ + --include={} \ + --strip=${toString stripLen} \ + --clean "$out" > "$tmpfile" + mv "$tmpfile" "$out" + ''; +} // args) diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix new file mode 100644 index 000000000000..a9c60a2afbd0 --- /dev/null +++ b/pkgs/build-support/grsecurity/default.nix @@ -0,0 +1,154 @@ +{ grsecOptions, lib, pkgs }: + +with lib; + +let + cfg = { + stable = grsecOptions.stable or false; + vserver = grsecOptions.vserver or false; + testing = grsecOptions.testing or false; + config = { + mode = "auto"; + sysctl = false; + denyChrootChmod = false; + restrictProc = false; + restrictProcWithGroup = true; + unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid + disableRBAC = false; + verboseVersion = false; + kernelExtraConfig = ""; + } // grsecOptions.config; + }; + + vals = rec { + + mkKernel = kernel: patch: + assert patch.kversion == kernel.version; + { inherit kernel patch; + inherit (patch) grversion revision; + }; + + test-patch = with pkgs.kernelPatches; grsecurity_unstable; + stable-patch = with pkgs.kernelPatches; + if cfg.vserver then grsecurity_vserver else grsecurity_stable; + + grKernel = if (cfg.stable || cfg.vserver) + then mkKernel pkgs.linux_3_2 stable-patch + else mkKernel pkgs.linux_3_14 test-patch; + + ## -- grsecurity configuration --------------------------------------------- + + grsecPrioCfg = + if cfg.config.priority == "security" then + "GRKERNSEC_CONFIG_PRIORITY_SECURITY y" + else + "GRKERNSEC_CONFIG_PRIORITY_PERF y"; + + grsecSystemCfg = + if cfg.config.system == "desktop" then + "GRKERNSEC_CONFIG_DESKTOP y" + else + "GRKERNSEC_CONFIG_SERVER y"; + + grsecVirtCfg = + if cfg.config.virtualisationConfig == "none" then + "GRKERNSEC_CONFIG_VIRT_NONE y" + else if cfg.config.virtualisationConfig == "host" then + "GRKERNSEC_CONFIG_VIRT_HOST y" + else + "GRKERNSEC_CONFIG_VIRT_GUEST y"; + + grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else + if cfg.config.hardwareVirtualisation == true then + "GRKERNSEC_CONFIG_VIRT_EPT y" + else + "GRKERNSEC_CONFIG_VIRT_SOFT y"; + + grsecVirtswCfg = + let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y"; + in + if cfg.config.virtualisationConfig == "none" then "" + else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN" + else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM" + else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE" + else virtCfg "VIRTUALBOX"; + + grsecMainConfig = if cfg.config.mode == "custom" then "" else '' + GRKERNSEC_CONFIG_AUTO y + ${grsecPrioCfg} + ${grsecSystemCfg} + ${grsecVirtCfg} + ${grsecHwvirtCfg} + ${grsecVirtswCfg} + ''; + + grsecConfig = + let boolToKernOpt = b: if b then "y" else "n"; + # Disable RANDSTRUCT under virtualbox, as it has some kind of + # breakage with the vbox guest drivers + #randstruct = optionalString config.services.virtualbox.enable + # "GRKERNSEC_RANDSTRUCT n"; + + # Disable restricting links under the testing kernel, as something + # has changed causing it to fail miserably during boot. + restrictLinks = optionalString cfg.testing + "GRKERNSEC_LINK n"; + in '' + GRKERNSEC y + ${grsecMainConfig} + + ${if cfg.config.restrictProc then + "GRKERNSEC_PROC_USER y" + else + optionalString cfg.config.restrictProcWithGroup '' + GRKERNSEC_PROC_USERGROUP y + GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid} + '' + } + + GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl} + GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod} + GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC} + ${restrictLinks} + + ${cfg.config.kernelExtraConfig} + ''; + + ## -- grsecurity kernel packages ------------------------------------------- + + localver = grkern: + "-grsec" + optionalString cfg.config.verboseVersion + "-${grkern.grversion}-${grkern.revision}"; + + grsecurityOverrider = args: grkern: { + # Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins) + # include libgmp headers, so we need these extra tweaks + buildInputs = args.buildInputs ++ [ pkgs.gmp ]; + preConfigure = '' + ${args.preConfigure or ""} + sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh + sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile + sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile + rm localversion-grsec + echo ${localver grkern} > localversion-grsec + ''; + }; + + mkGrsecKern = grkern: + lowPrio (overrideDerivation (grkern.kernel.override (args: { + kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ]; + argsOverride = { + modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}"; + }; + extraConfig = grsecConfig; + features.grsecurity = true; + })) (args: grsecurityOverrider args grkern)); + + mkGrsecPkg = grkern: pkgs.linuxPackagesFor grkern (mkGrsecPkg grkern); + + ## -- Kernel packages ------------------------------------------------------ + + grsecKernel = mkGrsecKern grKernel; + grsecPackage = mkGrsecPkg grsecKernel; + }; +in vals diff --git a/pkgs/build-support/grsecurity/flavors.nix b/pkgs/build-support/grsecurity/flavors.nix new file mode 100644 index 000000000000..57d52e7cf943 --- /dev/null +++ b/pkgs/build-support/grsecurity/flavors.nix @@ -0,0 +1,32 @@ +let + mkOpts = ver: prio: sys: virt: swvirt: hwvirt: + { config.priority = prio; + config.system = sys; + config.virtualisationConfig = virt; + config.hardwareVirtualisation = hwvirt; + config.virtualisationSoftware = swvirt; + } // builtins.listToAttrs [ { name = ver; value = true; } ]; +in +{ + # Stable kernels + linux_grsec_stable_desktop = + mkOpts "stable" "performance" "desktop" "host" "kvm" true; + linux_grsec_stable_server = + mkOpts "stable" "security" "server" "host" "kvm" true; + linux_grsec_stable_server_xen = + mkOpts "stable" "security" "server" "guest" "xen" true; + + # Stable+vserver kernels - server versions only + linux_grsec_vserver_server = + mkOpts "vserver" "security" "server" "host" "kvm" true; + linux_grsec_vserver_server_xen = + mkOpts "vserver" "security" "server" "guest" "xen" true; + + # Testing kernels + linux_grsec_testing_desktop = + mkOpts "testing" "performance" "desktop" "host" "kvm" true; + linux_grsec_testing_server = + mkOpts "testing" "security" "server" "host" "kvm" true; + linux_grsec_testing_server_xen = + mkOpts "testing" "security" "server" "guest" "xen" true; +} \ No newline at end of file |