From 75f353ffbdbd5345005e6231a93dd1eae95f6785 Mon Sep 17 00:00:00 2001
From: "tg(x)" <*@tg-x.net>
Date: Sat, 27 Feb 2016 19:33:35 +0100
Subject: grsecurity: decouple from mainline
---
 .../linux/kernel/linux-grsecurity-3.14.nix | 19 +++++++++++++++++++
 .../os-specific/linux/kernel/linux-grsecurity-4.4.nix | 19 +++++++++++++++++++
 pkgs/os-specific/linux/kernel/patches.nix | 8 +++++---
 pkgs/top-level/all-packages.nix | 18 ++++++++++++++++++
 4 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
 create mode 100644 pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
(limited to 'pkgs')
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
new file mode 100644
index 000000000000..a67a91b4d0c4
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix
@@ -0,0 +1,19 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+ version = "3.14.51";
+ extraMeta.branch = "3.14";
+
+ src = fetchurl {
+ url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
+ sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk";
+ };
+
+ kernelPatches = args.kernelPatches;
+
+ features.iwlwifi = true;
+ features.efiBootStub = true;
+ features.needsCifsUtils = true;
+ features.canDisableNetfilterConntrackHelpers = true;
+ features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
new file mode 100644
index 000000000000..dff91095549c
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix
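Review bot: The `version = "3.14.51";` pin in the new linux-grsecurity-3.14.nix has to stay identical to `kversion = "3.14.51"` under `grsecurity_stable` in patches.nix, and nothing in either file states or checks that. Since this kernel no longer follows `pkgs.linux_3_14`, it presumably also stops receiving mainline stable fixes until someone bumps both values by hand, which is worth saying where the pin lives. I would add above the version line `# Pinned to the release the grsecurity patch targets; must equal kversion of grsecurity_stable in patches.nix, bump both together.` The same applies to `version = "4.4.2"` in linux-grsecurity-4.4.nix and `grsecurity_testing`.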
@@ -0,0 +1,19 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+ version = "4.4.2";
+ extraMeta.branch = "4.4";
+
+ src = fetchurl {
+ url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+ sha256 = "09l6y0nb8yv7l16arfwhy4i5h9pkxcbd7hlbw0015n7gm4i2mzc2";
+ };
+
+ kernelPatches = args.kernelPatches;
+
+ features.iwlwifi = true;
+ features.efiBootStub = true;
+ features.needsCifsUtils = true;
+ features.canDisableNetfilterConntrackHelpers = true;
+ features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 3e745d9f2b55..8ff83b2d7ee4 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -23,7 +23,9 @@ let
 { name = "grsecurity-${grversion}-${kversion}";
 inherit grversion kernel kversion revision;
 patch = fetchurl {
- url = "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true";
+ url = if branch == "stable"
+ then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"
+ else "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true";
 inherit sha256;
 };
 features.grsecurity = true;
@@ -81,7 +83,7 @@ rec {
 };
 grsecurity_stable = grsecPatch
- { kernel = pkgs.linux_3_14;
+ { kernel = pkgs.linux_grsecurity_3_14;
 kversion = "3.14.51";
 revision = "201508181951";
 branch = "stable";
@@ -89,7 +91,7 @@ rec {
 };
 grsecurity_testing = grsecPatch
- { kernel = pkgs.linux_4_4;
+ { kernel = pkgs.linux_grsecurity_4_4;
 kversion = "4.4.2";
 revision = "201602182048";
 branch = "test";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 22dbfc41f438..d45c78d67a75 100644
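Review bot: Both arms of the new `url` expression in the first patches.nix hunk fetch from `blob/master/…?raw=true` on third-party mirror repositories, so the location is a moving ref and the `sha256` inherited on the next line is the only thing tying the build to a known patch. That hash makes a changed file fail the build rather than get applied, but a mirror that rewrites or prunes `master` breaks the fetch, and nothing visible here checks the patch against an upstream signature. Pinning each URL to a commit, e.g. `…/kdave/grsecurity-patches/blob/<commit>/grsecurity_patches/…?raw=true` with `<commit>` as a placeholder, would keep the source stable. Any `branch` value other than `"stable"` also falls through silently to the slashbeast URL, so a comment such as `# stable patches are mirrored by kdave; every other branch comes from grsecurity-scrape` would make the split explicit. The enclosing function (presumably `grsecPatch`) starts and ends outside the hunk.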
--- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -10407,6 +10407,24 @@ let to EC2, where Xen is the Hypervisor. */ + linux_grsecurity_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix { + kernelPatches = [ kernelPatches.bridge_stp_helper ] + ++ lib.optionals ((platform.kernelArch or null) == "mips") + [ kernelPatches.mips_fpureg_emu + kernelPatches.mips_fpu_sigill + kernelPatches.mips_ext3_n32 + ]; + }; + + linux_grsecurity_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix { + kernelPatches = [ kernelPatches.bridge_stp_helper ] + ++ lib.optionals ((platform.kernelArch or null) == "mips") + [ kernelPatches.mips_fpureg_emu + kernelPatches.mips_fpu_sigill + kernelPatches.mips_ext3_n32 + ]; + }; + grFlavors = import ../build-support/grsecurity/flavors.nix; mkGrsecurity = opts: -- cgit 1.4.1
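Review bot: In all-packages.nix the two new kernel attributes land between the closing `*/` of an existing comment and `grFlavors`, so that comment (only its last line is visible here; it presumably documents the grsecurity flavors) now sits directly above `linux_grsecurity_3_14` instead. Moving the additions above the comment, or giving them their own header such as `/* Kernels pinned for the grsecurity patch sets in patches.nix; they do not follow linux_3_14 / linux_4_4. */`, keeps both readable. The `kernelPatches` list is also written out twice verbatim; binding it once and using it in both `callPackage` calls would stop the two pinned kernels from drifting apart when a patch is added to only one of them.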