From 4f27ad14a1ca4fcac1c572c7309cf6b8ef9e3d00 Mon Sep 17 00:00:00 2001
From: Austin Seipp
Date: Wed, 14 May 2014 12:04:40 -0500
Subject: grsec: refactor grsecurity packages

This now provides a handful of different grsecurity kernels for slightly different 'flavors' of packages. This doesn't change the grsecurity module to use them just yet, however.

Signed-off-by: Austin Seipp
---
 nixos/modules/security/grsecurity.nix | 125 ++--------------------------------
 1 file changed, 4 insertions(+), 121 deletions(-)
(limited to 'nixos/modules/security/grsecurity.nix')

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index a0f63cdf3a9e..78baa0cc5c3f 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -3,128 +3,11 @@
 with lib;
 
 let
- cfg = config.security.grsecurity;
-
- mkKernel = kernel: patch:
- assert patch.kversion == kernel.version;
- { inherit kernel patch;
- inherit (patch) grversion revision;
+ customGrsecPkg =
+ (import ../../../pkgs/build-support/grsecurity
+ { grsecOptions = config.security.grsecurity;
 };
-
- stable-patch = with pkgs.kernelPatches;
- if cfg.vserver then grsecurity_vserver else grsecurity_stable;
- stableKernel = mkKernel pkgs.linux_3_2 stable-patch;
- testKernel = mkKernel pkgs.linux_3_14 pkgs.kernelPatches.grsecurity_unstable;
-
- ## -- grsecurity configuration -----------------------------------------------
-
- grsecPrioCfg =
- if cfg.config.priority == "security" then
- "GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
- else
- "GRKERNSEC_CONFIG_PRIORITY_PERF y";
-
- grsecSystemCfg =
- if cfg.config.system == "desktop" then
- "GRKERNSEC_CONFIG_DESKTOP y"
- else
- "GRKERNSEC_CONFIG_SERVER y";
-
- grsecVirtCfg =
- if cfg.config.virtualisationConfig == "none" then
- "GRKERNSEC_CONFIG_VIRT_NONE y"
- else if cfg.config.virtualisationConfig == "host" then
- "GRKERNSEC_CONFIG_VIRT_HOST y"
- else
- "GRKERNSEC_CONFIG_VIRT_GUEST y";
-
- grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
- if cfg.config.hardwareVirtualisation == true then
- "GRKERNSEC_CONFIG_VIRT_EPT y"
- else
- "GRKERNSEC_CONFIG_VIRT_SOFT y";
-
- grsecVirtswCfg =
- let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
- in
- if cfg.config.virtualisationConfig == "none" then ""
- else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
- else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
- else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
- else virtCfg "VIRTUALBOX";
-
- grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
- GRKERNSEC_CONFIG_AUTO y
- ${grsecPrioCfg}
- ${grsecSystemCfg}
- ${grsecVirtCfg}
- ${grsecHwvirtCfg}
- ${grsecVirtswCfg}
- '';
-
- grsecConfig =
- let boolToKernOpt = b: if b then "y" else "n";
- # Disable RANDSTRUCT under virtualbox, as it has some kind of
- # breakage with the vbox guest drivers
- randstruct = optionalString config.services.virtualbox.enable
- "GRKERNSEC_RANDSTRUCT n";
- # Disable restricting links under the testing kernel, as something
- # has changed causing it to fail miserably during boot.
- restrictLinks = optionalString cfg.testing
- "GRKERNSEC_LINK n";
- in ''
- GRKERNSEC y
- ${grsecMainConfig}
-
- ${if cfg.config.restrictProc then
- "GRKERNSEC_PROC_USER y"
- else
- optionalString cfg.config.restrictProcWithGroup ''
- GRKERNSEC_PROC_USERGROUP y
- GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
- ''
- }
-
- GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
- GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
- GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
- ${randstruct}
- ${restrictLinks}
-
- ${cfg.config.kernelExtraConfig}
- '';
-
- ## -- grsecurity kernel packages ---------------------------------------------
-
- localver = grkern:
- "-grsec" + optionalString cfg.config.verboseVersion
- "-${grkern.grversion}-${grkern.revision}";
-
- grsecurityOverrider = args: grkern: {
- # Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
- # include libgmp headers, so we need these extra tweaks
- buildInputs = args.buildInputs ++ [ pkgs.gmp ];
- preConfigure = ''
- ${args.preConfigure or ""}
- sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
- sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
- sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
- rm localversion-grsec
- echo ${localver grkern} > localversion-grsec
- '';
- };
-
- mkGrsecPkg = grkern:
- let kernelPkg = lowPrio (overrideDerivation (grkern.kernel.override (args: {
- kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
- argsOverride = {
- modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
- };
- extraConfig = grsecConfig;
- })) (args: grsecurityOverrider args grkern));
- in pkgs.linuxPackagesFor kernelPkg (mkGrsecPkg grkern);
-
- grsecPackage = mkGrsecPkg (if cfg.stable then stableKernel else testKernel);
+ ).grsecPackage;
 in
 {
 options = {
-- cgit 1.4.1
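Review bot: The new-side `customGrsecPkg` binding looks unparseable as shown: the added line `{ grsecOptions = config.security.grsecurity;` is followed by the kept context line `};` and only then by `).grsecPackage;`, so the argument set is terminated with `};` inside the still-open `(import …` parenthesis (if the collapsed rendering hides a different layout, disregard this part). The added line should read `{ grsecOptions = config.security.grsecurity; }` with the `};` line dropped, so that `).grsecPackage;` is what closes the parenthesis. Separately, the hunk deletes the entire GRKERNSEC_* config generation (restrictProc/restrictProcWithGroup, sysctl, denyChrootChmod, disableRBAC, the RANDSTRUCT and LINK workarounds, kernelExtraConfig) together with the `cfg` binding, while the options themselves are still declared below `options = {` outside the hunk; the receiving `pkgs/build-support/grsecurity` must honour each of those options, and any remaining `cfg.*` reference later in this file is now an unbound variable, or users get a kernel without the hardening they configured. A one-line comment at the binding, `# grsecurity kernel config is now generated in pkgs/build-support/grsecurity from security.grsecurity.*`, would make the new ownership explicit.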