commit 886c03ad2ec5fed59831bd552d34ba03327f2ac7 · pyrox.dev/nixpkgs

-2

nixos/modules/config/users-groups.nix

··· 468 468 home = "/root"; 469 469 shell = mkDefault cfg.defaultUserShell; 470 470 group = "root"; 471 - extraGroups = [ "grsecurity" ]; 472 471 initialHashedPassword = mkDefault config.security.initialRootPassword; 473 472 }; 474 473 nobody = { ··· 497 496 nixbld.gid = ids.gids.nixbld; 498 497 utmp.gid = ids.gids.utmp; 499 498 adm.gid = ids.gids.adm; 500 - grsecurity.gid = ids.gids.grsecurity; 501 499 input.gid = ids.gids.input; 502 500 }; 503 501

-2

nixos/modules/misc/ids.nix

··· 147 147 foundationdb = 118; 148 148 newrelic = 119; 149 149 starbound = 120; 150 - #grsecurity = 121; # unused 151 150 hydra = 122; 152 151 spiped = 123; 153 152 teamspeak = 124; ··· 396 395 foundationdb = 118; 397 396 newrelic = 119; 398 397 starbound = 120; 399 - grsecurity = 121; 400 398 hydra = 122; 401 399 spiped = 123; 402 400 teamspeak = 124;

+20

nixos/modules/rename.nix

··· 114 114 (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) 115 115 (mkRemovedOptionModule [ "services" "iodined" "client" ]) 116 116 117 + # Grsecurity 118 + (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ]) 119 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ]) 120 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ]) 121 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ]) 122 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ]) 123 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ]) 124 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ]) 125 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ]) 126 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ]) 127 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ]) 128 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ]) 129 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ]) 130 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ]) 131 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ]) 132 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ]) 133 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ]) 134 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ]) 135 + (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ]) 136 + 117 137 # Options that are obsolete and have no replacement. 118 138 (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ]) 119 139 (mkRemovedOptionModule [ "programs" "bash" "enable" ])

+90 -280

nixos/modules/security/grsecurity.nix

··· 1 - { config, lib, pkgs, ... }: 1 + { config, pkgs, lib, ... }: 2 2 3 3 with lib; 4 4 5 5 let 6 6 cfg = config.security.grsecurity; 7 + grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock"; 7 8 8 - customGrsecPkg = 9 - (import ../../../pkgs/build-support/grsecurity { 10 - grsecOptions = cfg; 11 - inherit pkgs lib; 12 - }).grsecPackage; 9 + # Ascertain whether ZFS is required for booting the system; grsecurity is 10 + # currently incompatible with ZFS, rendering the system unbootable. 11 + zfsNeededForBoot = filter 12 + (fs: (fs.neededForBoot 13 + || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ]) 14 + && fs.fsType == "zfs") 15 + (attrValues config.fileSystems) != []; 13 16 in 17 + 14 18 { 15 - options = { 16 - security.grsecurity = { 17 - enable = mkOption { 18 - type = types.bool; 19 - default = false; 20 - description = '' 21 - Enable grsecurity support. This enables advanced exploit 22 - hardening for the Linux kernel, and adds support for 23 - administrative Role-Based Acess Control (RBAC) via 24 - <literal>gradm</literal>. It also includes traditional 25 - utilities for PaX. 26 - ''; 27 - }; 19 + options.security.grsecurity = { 28 20 29 - kernelPatch = mkOption { 30 - type = types.attrs; 31 - example = lib.literalExample "pkgs.kernelPatches.grsecurity_4_1"; 32 - description = '' 33 - Grsecurity patch to use. 34 - ''; 35 - }; 21 + enable = mkEnableOption "Grsecurity/PaX"; 36 22 37 - config = { 38 - mode = mkOption { 39 - type = types.enum [ "auto" "custom" ]; 40 - default = "auto"; 41 - description = '' 42 - grsecurity configuration mode. This specifies whether 43 - grsecurity is auto-configured or otherwise completely 44 - manually configured. 45 - ''; 46 - }; 23 + lockTunables = mkOption { 24 + type = types.bool; 25 + example = false; 26 + default = true; 27 + description = '' 28 + Whether to automatically lock grsecurity tunables 29 + (<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>). Disable 30 + this to allow configuration of grsecurity features while the system is 31 + running. The lock can be manually engaged by activating the 32 + <literal>grsec-lock</literal> service unit. 33 + ''; 34 + }; 47 35 48 - priority = mkOption { 49 - type = types.enum [ "security" "performance" ]; 50 - default = "security"; 51 - description = '' 52 - grsecurity configuration priority. This specifies whether 53 - the kernel configuration should emphasize speed or 54 - security. 55 - ''; 56 - }; 36 + }; 57 37 58 - system = mkOption { 59 - type = types.enum [ "desktop" "server" ]; 60 - default = "desktop"; 61 - description = '' 62 - grsecurity system configuration. 63 - ''; 64 - }; 38 + config = mkIf cfg.enable { 65 39 66 - virtualisationConfig = mkOption { 67 - type = types.nullOr (types.enum [ "host" "guest" ]); 68 - default = null; 69 - description = '' 70 - grsecurity virtualisation configuration. This specifies 71 - the virtualisation role of the machine - that is, whether 72 - it will be a virtual machine guest, a virtual machine 73 - host, or neither. 74 - ''; 75 - }; 40 + # Allow the user to select a different package set, subject to the stated 41 + # required kernel config 42 + boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos; 76 43 77 - hardwareVirtualisation = mkOption { 78 - type = types.nullOr types.bool; 79 - default = null; 80 - example = true; 81 - description = '' 82 - grsecurity hardware virtualisation configuration. Set to 83 - <literal>true</literal> if your machine supports hardware 84 - accelerated virtualisation. 85 - ''; 86 - }; 87 - 88 - virtualisationSoftware = mkOption { 89 - type = types.nullOr (types.enum [ "kvm" "xen" "vmware" "virtualbox" ]); 90 - default = null; 91 - description = '' 92 - Configure grsecurity for use with this virtualisation software. 93 - ''; 94 - }; 95 - 96 - sysctl = mkOption { 97 - type = types.bool; 98 - default = false; 99 - description = '' 100 - If true, then set <literal>GRKERN_SYSCTL y</literal>. If 101 - enabled then grsecurity can be controlled using sysctl 102 - (and turned off). You are advised to *never* enable this, 103 - but if you do, make sure to always set the sysctl 104 - <literal>kernel.grsecurity.grsec_lock</literal> to 105 - non-zero as soon as all sysctl options are set. *THIS IS 106 - EXTREMELY IMPORTANT*! 107 - ''; 108 - }; 109 - 110 - denyChrootChmod = mkOption { 111 - type = types.bool; 112 - default = false; 113 - description = '' 114 - If true, then set <literal>GRKERN_CHROOT_CHMOD 115 - y</literal>. If enabled, this denies processes inside a 116 - chroot from setting the suid or sgid bits using 117 - <literal>chmod</literal> or <literal>fchmod</literal>. 118 - 119 - By default this protection is disabled - it makes it 120 - impossible to use Nix to build software on your system, 121 - which is what most users want. 122 - 123 - If you are using NixOps to deploy your software to a 124 - remote machine, you're encouraged to enable this as you 125 - won't need to compile code. 126 - ''; 127 - }; 128 - 129 - denyChrootCaps = mkOption { 130 - type = types.bool; 131 - default = false; 132 - description = '' 133 - Whether to lower capabilities of all processes within a chroot, 134 - preventing commands that require <literal>CAP_SYS_ADMIN</literal>. 135 - 136 - This protection is disabled by default because it breaks 137 - <literal>nixos-rebuild</literal>. Whenever possible, it is 138 - highly recommended to enable this protection. 139 - ''; 140 - }; 141 - 142 - denyUSB = mkOption { 143 - type = types.bool; 144 - default = false; 145 - description = '' 146 - If true, then set <literal>GRKERNSEC_DENYUSB y</literal>. 44 + system.requiredKernelConfig = with config.lib.kernelConfig; 45 + [ (isEnabled "GRKERNSEC") 46 + (isEnabled "PAX") 47 + (isYES "GRKERNSEC_SYSCTL") 48 + (isYES "GRKERNSEC_SYSCTL_DISTRO") 49 + ]; 147 50 148 - This enables a sysctl with name 149 - <literal>kernel.grsecurity.deny_new_usb</literal>. Setting 150 - its value to <literal>1</literal> will prevent any new USB 151 - devices from being recognized by the OS. Any attempted 152 - USB device insertion will be logged. 51 + # Crashing on an overflow in kernel land is user unfriendly and may prevent 52 + # the system from booting, which is too severe for our use case. 53 + boot.kernelParams = [ "pax_size_overflow_report_only" ]; 153 54 154 - This option is intended to be used against custom USB 155 - devices designed to exploit vulnerabilities in various USB 156 - device drivers. 157 - ''; 158 - }; 55 + # Install PaX related utillities into the system profile. Eventually, we 56 + # also want to include gradm here. 57 + environment.systemPackages = with pkgs; [ paxctl pax-utils ]; 159 58 160 - restrictProc = mkOption { 161 - type = types.bool; 162 - default = false; 163 - description = '' 164 - If true, then set <literal>GRKERN_PROC_USER 165 - y</literal>. This restricts non-root users to only viewing 166 - their own processes and restricts network-related 167 - information, kernel symbols, and module information. 168 - ''; 169 - }; 59 + # Install rules for the grsec device node 60 + services.udev.packages = [ pkgs.gradm ]; 170 61 171 - restrictProcWithGroup = mkOption { 172 - type = types.bool; 173 - default = true; 174 - description = '' 175 - If true, then set <literal>GRKERN_PROC_USERGROUP 176 - y</literal>. This is similar to 177 - <literal>restrictProc</literal> except it allows a special 178 - group (specified by <literal>unrestrictProcGid</literal>) 179 - to still access otherwise classified information in 180 - <literal>/proc</literal>. 181 - ''; 182 - }; 62 + # This service unit is responsible for locking the Grsecurity tunables. The 63 + # unit is always defined, but only activated on bootup if lockTunables is 64 + # toggled. When lockTunables is toggled, failure to activate the unit will 65 + # enter emergency mode. The intent is to make it difficult to silently 66 + # enter multi-user mode without having locked the tunables. Some effort is 67 + # made to ensure that starting the unit is an idempotent operation. 68 + systemd.services.grsec-lock = { 69 + description = "Lock grsecurity tunables"; 183 70 184 - unrestrictProcGid = mkOption { 185 - type = types.int; 186 - default = config.ids.gids.grsecurity; 187 - description = '' 188 - If set, specifies a GID which is exempt from 189 - <literal>/proc</literal> restrictions (set by 190 - <literal>GRKERN_PROC_USERGROUP</literal>). By default, 191 - this is set to the GID for <literal>grsecurity</literal>, 192 - a predefined NixOS group, which the 193 - <literal>root</literal> account is a member of. You may 194 - conveniently add other users to this group if you need 195 - access to <literal>/proc</literal> 196 - ''; 197 - }; 71 + wantedBy = optional cfg.lockTunables "multi-user.target"; 198 72 199 - disableRBAC = mkOption { 200 - type = types.bool; 201 - default = false; 202 - description = '' 203 - If true, then set <literal>GRKERN_NO_RBAC 204 - y</literal>. This disables the 205 - <literal>/dev/grsec</literal> device, which in turn 206 - disables the RBAC system (and <literal>gradm</literal>). 207 - ''; 208 - }; 73 + wants = [ "local-fs.target" "systemd-sysctl.service" ]; 74 + after = [ "local-fs.target" "systemd-sysctl.service" ]; 75 + conflicts = [ "shutdown.target" ]; 209 76 210 - disableSimultConnect = mkOption { 211 - type = types.bool; 212 - default = false; 213 - description = '' 214 - Disable TCP simultaneous connect. The TCP simultaneous connect 215 - feature allows two clients to connect without either of them 216 - entering the listening state. This feature of the TCP specification 217 - is claimed to enable an attacker to deny the target access to a given 218 - server by guessing the source port the target would use to make the 219 - connection. 77 + restartIfChanged = false; 220 78 221 - This option is OFF by default because TCP simultaneous connect has 222 - some legitimate uses. Enable this option if you know what this TCP 223 - feature is for and know that you do not need it. 224 - ''; 225 - }; 79 + script = '' 80 + if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then 81 + echo -n 1 > ${grsecLockPath} 82 + fi 83 + ''; 226 84 227 - verboseVersion = mkOption { 228 - type = types.bool; 229 - default = false; 230 - description = "Use verbose version in kernel localversion."; 231 - }; 85 + unitConfig = { 86 + ConditionPathIsReadWrite = grsecLockPath; 87 + DefaultDependencies = false; 88 + } // optionalAttrs cfg.lockTunables { 89 + OnFailure = "emergency.target"; 90 + }; 232 91 233 - kernelExtraConfig = mkOption { 234 - type = types.str; 235 - default = ""; 236 - description = "Extra kernel configuration parameters."; 237 - }; 92 + serviceConfig = { 93 + Type = "oneshot"; 94 + RemainAfterExit = true; 238 95 }; 239 96 }; 240 - }; 241 97 242 - config = mkIf cfg.enable { 243 - assertions = 244 - [ 245 - { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) || 246 - (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc); 247 - message = "You cannot enable both restrictProc and restrictProcWithGroup"; 248 - } 249 - { assertion = config.boot.kernelPackages.kernel.features ? grsecurity 250 - && config.boot.kernelPackages.kernel.features.grsecurity; 251 - message = "grsecurity enabled, but kernel doesn't have grsec support"; 252 - } 253 - { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) -> 254 - cfg.config.hardwareVirtualisation != null; 255 - message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions"; 256 - } 257 - { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) -> 258 - cfg.config.virtualisationSoftware != null; 259 - message = "grsecurity configured for virtualisation but no virtualisation software specified"; 260 - } 261 - ]; 262 - 263 - security.grsecurity.kernelPatch = lib.mkDefault pkgs.kernelPatches.grsecurity_latest; 264 - 265 - systemd.services.grsec-lock = mkIf cfg.config.sysctl { 266 - description = "grsecurity sysctl-lock Service"; 267 - wants = [ "systemd-sysctl.service" ]; 268 - after = [ "systemd-sysctl.service" ]; 269 - wantedBy = [ "multi-user.target" ]; 270 - serviceConfig.Type = "oneshot"; 271 - serviceConfig.RemainAfterExit = "yes"; 272 - unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel/grsecurity/grsec_lock"; 273 - script = '' 274 - locked=`cat /proc/sys/kernel/grsecurity/grsec_lock` 275 - if [ "$locked" == "0" ]; then 276 - echo 1 > /proc/sys/kernel/grsecurity/grsec_lock 277 - echo grsecurity sysctl lock - enabled 278 - else 279 - echo grsecurity sysctl lock already enabled - doing nothing 280 - fi 281 - ''; 98 + # Configure system tunables 99 + boot.kernel.sysctl = { 100 + # Removed under grsecurity 101 + "kernel.kptr_restrict" = mkForce null; 102 + } // optionalAttrs config.nix.useSandbox { 103 + # chroot(2) restrictions that conflict with sandboxed Nix builds 104 + "kernel.grsecurity.chroot_caps" = mkForce 0; 105 + "kernel.grsecurity.chroot_deny_chroot" = mkForce 0; 106 + "kernel.grsecurity.chroot_deny_mount" = mkForce 0; 107 + "kernel.grsecurity.chroot_deny_pivot" = mkForce 0; 108 + } // optionalAttrs config.boot.enableContainers { 109 + # chroot(2) restrictions that conflict with NixOS lightweight containers 110 + "kernel.grsecurity.chroot_deny_chmod" = mkForce 0; 111 + "kernel.grsecurity.chroot_deny_mount" = mkForce 0; 112 + "kernel.grsecurity.chroot_restrict_nice" = mkForce 0; 282 113 }; 283 114 284 - # systemd.services.grsec-learn = { 285 - # description = "grsecurity learning Service"; 286 - # wantedBy = [ "local-fs.target" ]; 287 - # serviceConfig = { 288 - # Type = "oneshot"; 289 - # RemainAfterExit = "yes"; 290 - # ExecStart = "${pkgs.gradm}/sbin/gradm -VFL /etc/grsec/learning.logs"; 291 - # ExecStop = "${pkgs.gradm}/sbin/gradm -D"; 292 - # }; 293 - # }; 115 + assertions = [ 116 + { assertion = !zfsNeededForBoot; 117 + message = "grsecurity is currently incompatible with ZFS"; 118 + } 119 + ]; 294 120 295 - system.activationScripts = lib.optionalAttrs (!cfg.config.disableRBAC) { grsec = '' 296 - mkdir -p /etc/grsec 297 - if [ ! -f /etc/grsec/learn_config ]; then 298 - cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec 299 - fi 300 - if [ ! -f /etc/grsec/policy ]; then 301 - cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec 302 - fi 303 - chmod -R 0600 /etc/grsec 304 - ''; }; 305 - 306 - # Enable AppArmor, gradm udev rules, and utilities 307 - security.apparmor.enable = true; 308 - boot.kernelPackages = customGrsecPkg; 309 - services.udev.packages = lib.optional (!cfg.config.disableRBAC) pkgs.gradm; 310 - environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm; 311 121 }; 312 122 }

+31 -9

nixos/tests/grsecurity.nix

··· 3 3 import ./make-test.nix ({ pkgs, ...} : { 4 4 name = "grsecurity"; 5 5 meta = with pkgs.stdenv.lib.maintainers; { 6 - maintainers = [ copumpkin ]; 6 + maintainers = [ copumpkin joachifm ]; 7 7 }; 8 8 9 9 machine = { config, pkgs, ... }: 10 - { boot.kernelPackages = pkgs.linuxPackages_grsec_testing_server; }; 10 + { security.grsecurity.enable = true; 11 + boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0; 12 + security.apparmor.enable = true; 13 + }; 11 14 12 - testScript = 13 - '' 14 - $machine->succeed("uname -a") =~ /grsec/; 15 - # FIXME: this seems to hang the whole test. Unclear why, but let's fix it 16 - # $machine->succeed("${pkgs.paxtest}/bin/paxtest blackhat"); 17 - ''; 18 - }) 15 + testScript = '' 16 + subtest "grsec-lock", sub { 17 + $machine->succeed("systemctl is-active grsec-lock"); 18 + $machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock"); 19 + $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock"); 20 + }; 19 21 22 + subtest "paxtest", sub { 23 + # TODO: running paxtest blackhat hangs the vm 24 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/anonmap") =~ /Killed/ or die; 25 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/execbss") =~ /Killed/ or die; 26 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/execdata") =~ /Killed/ or die; 27 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/execheap") =~ /Killed/ or die; 28 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/execstack") =~ /Killed/ or die; 29 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotanon") =~ /Killed/ or die; 30 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotbss") =~ /Killed/ or die; 31 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotdata") =~ /Killed/ or die; 32 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotheap") =~ /Killed/ or die; 33 + $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotstack") =~ /Killed/ or die; 34 + }; 35 + 36 + subtest "tcc", sub { 37 + $machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c"); 38 + $machine->succeed("${pkgs.tinycc.bin}/bin/tcc -run main.c"); 39 + }; 40 + ''; 41 + })

+7

pkgs/applications/virtualization/qemu/default.nix

··· 60 60 ++ optional stdenv.isDarwin "--enable-cocoa" 61 61 ++ optional stdenv.isLinux "--enable-linux-aio"; 62 62 63 + postFixup = 64 + '' 65 + for exe in $out/bin/qemu-system-* ; do 66 + paxmark m $exe 67 + done 68 + ''; 69 + 63 70 postInstall = 64 71 '' 65 72 # Add a ‘qemu-kvm’ wrapper for compatibility/convenience.

+27 -152

pkgs/build-support/grsecurity/default.nix

··· 1 - { grsecOptions, lib, pkgs }: 1 + { stdenv 2 + , overrideDerivation 2 3 3 - with lib; 4 + # required for gcc plugins 5 + , gmp, libmpc, mpfr 4 6 5 - let 6 - cfg = { 7 - kernelPatch = grsecOptions.kernelPatch; 8 - config = { 9 - mode = "auto"; 10 - sysctl = false; 11 - denyChrootCaps = false; 12 - denyChrootChmod = false; 13 - denyUSB = false; 14 - restrictProc = false; 15 - restrictProcWithGroup = true; 16 - unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid 17 - disableRBAC = false; 18 - disableSimultConnect = false; 19 - redistKernel = true; 20 - verboseVersion = false; 21 - kernelExtraConfig = ""; 22 - } // grsecOptions.config; 23 - }; 24 - 25 - vals = rec { 26 - 27 - mkKernel = patch: 28 - { 29 - inherit patch; 30 - inherit (patch) kernel patches grversion revision; 31 - }; 32 - 33 - grKernel = mkKernel cfg.kernelPatch; 34 - 35 - ## -- grsecurity configuration --------------------------------------------- 36 - 37 - grsecPrioCfg = 38 - if cfg.config.priority == "security" then 39 - "GRKERNSEC_CONFIG_PRIORITY_SECURITY y" 40 - else 41 - "GRKERNSEC_CONFIG_PRIORITY_PERF y"; 7 + # the base kernel 8 + , kernel 42 9 43 - grsecSystemCfg = 44 - if cfg.config.system == "desktop" then 45 - "GRKERNSEC_CONFIG_DESKTOP y" 46 - else 47 - "GRKERNSEC_CONFIG_SERVER y"; 10 + , grsecPatch 11 + , kernelPatches ? [] 48 12 49 - grsecVirtCfg = 50 - if cfg.config.virtualisationConfig == null then 51 - "GRKERNSEC_CONFIG_VIRT_NONE y" 52 - else if cfg.config.virtualisationConfig == "host" then 53 - "GRKERNSEC_CONFIG_VIRT_HOST y" 54 - else 55 - "GRKERNSEC_CONFIG_VIRT_GUEST y"; 13 + , localver ? "-grsec" 14 + , modDirVersion ? "${kernel.version}${localver}" 15 + , extraConfig ? "" 16 + , ... 17 + } @ args: 56 18 57 - grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else 58 - if cfg.config.hardwareVirtualisation == true then 59 - "GRKERNSEC_CONFIG_VIRT_EPT y" 60 - else 61 - "GRKERNSEC_CONFIG_VIRT_SOFT y"; 19 + assert (kernel.version == grsecPatch.kver); 62 20 63 - grsecVirtswCfg = 64 - let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y"; 65 - in 66 - if cfg.config.virtualisationConfig == null then "" 67 - else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN" 68 - else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM" 69 - else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE" 70 - else virtCfg "VIRTUALBOX"; 71 - 72 - grsecMainConfig = if cfg.config.mode == "custom" then "" else '' 73 - GRKERNSEC_CONFIG_AUTO y 74 - ${grsecPrioCfg} 75 - ${grsecSystemCfg} 76 - ${grsecVirtCfg} 77 - ${grsecHwvirtCfg} 78 - ${grsecVirtswCfg} 79 - ''; 80 - 81 - grsecConfig = 82 - let boolToKernOpt = b: if b then "y" else "n"; 83 - # Disable RANDSTRUCT under virtualbox, as it has some kind of 84 - # breakage with the vbox guest drivers 85 - #randstruct = optionalString config.virtualisation.virtualbox.guest.enable 86 - # "GRKERNSEC_RANDSTRUCT n"; 87 - 88 - # Disable restricting links under the testing kernel, as something 89 - # has changed causing it to fail miserably during boot. 90 - #restrictLinks = optionalString cfg.testing 91 - # "GRKERNSEC_LINK n"; 92 - in '' 93 - GRKERNSEC y 94 - ${grsecMainConfig} 95 - 96 - # Disable features rendered useless by redistributing the kernel 97 - ${optionalString cfg.config.redistKernel '' 98 - GRKERNSEC_RANDSTRUCT n 99 - GRKERNSEC_HIDESYM n 100 - ''} 101 - 102 - # The paxmarks mechanism relies on ELF header markings, but the default 103 - # grsecurity configuration only enables xattr markings 104 - PAX_PT_PAX_FLAGS y 105 - 106 - ${if cfg.config.restrictProc then 107 - "GRKERNSEC_PROC_USER y" 108 - else 109 - optionalString cfg.config.restrictProcWithGroup '' 110 - GRKERNSEC_PROC_USERGROUP y 111 - GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid} 112 - '' 113 - } 114 - 115 - GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl} 116 - GRKERNSEC_CHROOT_CAPS ${boolToKernOpt cfg.config.denyChrootCaps} 117 - GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod} 118 - GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB} 119 - GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC} 120 - GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect} 121 - 122 - ${cfg.config.kernelExtraConfig} 123 - ''; 124 - 125 - ## -- grsecurity kernel packages ------------------------------------------- 126 - 127 - localver = grkern: 128 - "-grsec" + optionalString cfg.config.verboseVersion 129 - "-${grkern.grversion}-${grkern.revision}"; 130 - 131 - grsecurityOverrider = args: grkern: { 132 - # additional build inputs for gcc plugins, required by some PaX/grsec features 133 - nativeBuildInputs = args.nativeBuildInputs ++ (with pkgs; [ gmp libmpc mpfr ]); 134 - 135 - preConfigure = (args.preConfigure or "") + '' 136 - echo ${localver grkern} > localversion-grsec 137 - ''; 138 - }; 139 - 140 - mkGrsecKern = grkern: 141 - lowPrio (overrideDerivation (grkern.kernel.override (args: { 142 - kernelPatches = args.kernelPatches ++ [ grkern.patch ] ++ grkern.patches; 143 - argsOverride = { 144 - modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}"; 145 - }; 146 - extraConfig = grsecConfig; 147 - features.grsecurity = true; 148 - ignoreConfigErrors = true; # Too lazy to model the config options that work with grsecurity and don't for now 149 - })) (args: grsecurityOverrider args grkern)); 150 - 151 - mkGrsecPkg = grkern: pkgs.linuxPackagesFor grkern (mkGrsecPkg grkern); 152 - 153 - ## -- Kernel packages ------------------------------------------------------ 154 - 155 - grsecKernel = mkGrsecKern grKernel; 156 - grsecPackage = mkGrsecPkg grsecKernel; 157 - }; 158 - in vals 21 + overrideDerivation (kernel.override { 22 + inherit modDirVersion; 23 + kernelPatches = [ { inherit (grsecPatch) name patch; } ] ++ kernelPatches ++ (kernel.kernelPatches or []); 24 + features = (kernel.features or {}) // { grsecurity = true; }; 25 + inherit extraConfig; 26 + ignoreConfigErrors = true; 27 + }) (attrs: { 28 + nativeBuildInputs = [ gmp libmpc mpfr ] ++ (attrs.nativeBuildInputs or []); 29 + preConfigure = '' 30 + echo ${localver} >localversion-grsec 31 + ${attrs.preConfigure or ""} 32 + ''; 33 + })

-17

pkgs/build-support/grsecurity/flavors.nix

··· 1 - let 2 - mkOpts = prio: sys: virt: swvirt: hwvirt: 3 - { config.priority = prio; 4 - config.system = sys; 5 - config.virtualisationConfig = virt; 6 - config.hardwareVirtualisation = hwvirt; 7 - config.virtualisationSoftware = swvirt; 8 - }; 9 - in 10 - { 11 - desktop = 12 - mkOpts "performance" "desktop" "host" "kvm" true; 13 - server = 14 - mkOpts "security" "server" "host" "kvm" true; 15 - server_xen = 16 - mkOpts "security" "server" "guest" "xen" true; 17 - }

+7 -13

pkgs/os-specific/linux/kernel/common-config.nix

··· 261 261 # Security related features. 262 262 STRICT_DEVMEM y # Filter access to /dev/mem 263 263 SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default 264 - ${optionalString (!(features.grsecurity or false)) '' 265 - DEVKMEM n # Disable /dev/kmem 266 - ''} 264 + DEVKMEM n # Disable /dev/kmem 267 265 ${if versionOlder version "3.14" then '' 268 266 CC_STACKPROTECTOR? y # Detect buffer overflows on the stack 269 267 '' else '' ··· 422 420 423 421 # Virtualisation. 424 422 PARAVIRT? y 425 - ${optionalString (!(features.grsecurity or false)) 426 - (if versionAtLeast version "3.10" then '' 427 - HYPERVISOR_GUEST y 428 - '' else '' 429 - PARAVIRT_GUEST? y 430 - '') 431 - } 423 + ${if versionAtLeast version "3.10" then '' 424 + HYPERVISOR_GUEST y 425 + '' else '' 426 + PARAVIRT_GUEST? y 427 + ''} 432 428 KVM_APIC_ARCHITECTURE y 433 429 KVM_ASYNC_PF y 434 430 ${optionalString (versionOlder version "3.7") '' ··· 443 439 ${optionalString (versionAtLeast version "4.0") '' 444 440 KVM_GENERIC_DIRTYLOG_READ_PROTECT y 445 441 ''} 446 - ${optionalString (!features.grsecurity or true) '' 447 - KVM_GUEST y 448 - ''} 442 + KVM_GUEST y 449 443 KVM_MMIO y 450 444 ${optionalString (versionAtLeast version "3.13") '' 451 445 KVM_VFIO y

+43

pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix

··· 1 + { stdenv }: 2 + 3 + with stdenv.lib; 4 + 5 + '' 6 + GRKERNSEC y 7 + PAX y 8 + 9 + GRKERNSEC_CONFIG_AUTO y 10 + GRKERNSEC_CONFIG_DESKTOP y 11 + GRKERNSEC_CONFIG_VIRT_HOST y 12 + GRKERNSEC_CONFIG_VIRT_EPT y 13 + GRKERNSEC_CONFIG_VIRT_KVM y 14 + GRKERNSEC_CONFIG_PRIORITY_SECURITY y 15 + 16 + PAX_PT_PAX_FLAGS y 17 + PAX_XATTR_PAX_FLAGS n 18 + PAX_EI_PAX n 19 + 20 + GRKERNSEC_PROC_GID 0 21 + 22 + PAX_LATENT_ENTROPY n 23 + PAX_SIZE_OVERFLOW n 24 + GRKERNSEC_HIDESYM n 25 + GRKERNSEC_RANDSTRUCT n 26 + GRKERNSEC_PROC n 27 + GRKERNSEC_SYSFS_RESTRICT n 28 + GRKERNSEC_KMEM n 29 + GRKERNSEC_MODHARDEN n 30 + GRKERNSEC_NO_SIMULT_CONNECT n 31 + 32 + PAX_KERNEXEC_PLUGIN_METHOD_BTS y 33 + 34 + GRKERNSEC_ACL_HIDEKERN y 35 + GRKERNSEC_IO y 36 + 37 + GRKERNSEC_AUDIT_PTRACE y 38 + GRKERNSEC_FORKFAIL y 39 + 40 + GRKERNSEC_SYSCTL y 41 + GRKERNSEC_SYSCTL_DISTRO y 42 + GRKERNSEC_SYSCTL_ON y 43 + ''

pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch

pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix pkgs/os-specific/linux/kernel/linux-grsecurity.nix

+20 -21

pkgs/os-specific/linux/kernel/patches.nix

··· 18 18 }; 19 19 }; 20 20 21 - grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }: 22 - assert kversion == kernel.version; 23 - { name = "grsecurity-${grversion}-${kversion}"; 24 - inherit grversion kernel patches kversion revision; 21 + grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha256 }: rec { 22 + name = "grsecurity-${grver}-${kver}-${grrev}"; 23 + 24 + # Pass these along to allow the caller to determine compatibility 25 + inherit grver kver grrev; 26 + 27 + patch = fetchurl { 25 28 # When updating versions/hashes, ALWAYS use the official version; we use 26 29 # this mirror only because upstream removes sources files immediately upon 27 30 # releasing a new version ... 28 - patch = fetchurl { 29 - url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/test/grsecurity-${grversion}-${kversion}-${revision}.patch"; 30 - inherit sha256; 31 - }; 32 - features.grsecurity = true; 31 + url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch"; 32 + inherit sha256; 33 33 }; 34 - 34 + }; 35 35 in 36 36 37 37 rec { ··· 92 92 93 93 grsecurity_4_4 = throw "grsecurity stable is no longer supported"; 94 94 95 - grsecurity_4_5 = grsecPatch 96 - { kernel = pkgs.grsecurity_base_linux_4_5; 97 - patches = [ grsecurity_fix_path_4_5 ]; 98 - kversion = "4.5.7"; 99 - revision = "201606080852"; 100 - sha256 = "1vgc314nh6bd7zw9r927lnbjq29z32g0s02jgvf635y9zz550nsh"; 95 + grsecurity_testing = grsecPatch 96 + { kver = "4.5.7"; 97 + grrev = "201606080852"; 98 + sha256 = "1vgc314nh6bd7zw9r927lnbjq29z32g0s02jgvf635y9zz550nsh"; 101 99 }; 102 100 103 - grsecurity_latest = grsecurity_4_5; 104 - 105 - grsecurity_fix_path_4_5 = 106 - { name = "grsecurity-fix-path-4.5"; 107 - patch = ./grsecurity-path-4.5.patch; 101 + # This patch relaxes grsec constraints on the location of usermode helpers, 102 + # e.g., modprobe, to allow calling into the Nix store. 103 + grsecurity_nixos_kmod = 104 + { 105 + name = "grsecurity-nixos-kmod"; 106 + patch = ./grsecurity-nixos-kmod.patch; 108 107 }; 109 108 110 109 crc_regression =

+54 -54

pkgs/top-level/all-packages.nix

··· 10822 10822 10823 10823 linux_chromiumos_latest = self.linux_chromiumos_3_18; 10824 10824 10825 - # grsecurity configuration 10826 - 10827 - grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix { 10828 - inherit (linux_4_5) kernelPatches; 10829 - }; 10830 - 10831 - grFlavors = import ../build-support/grsecurity/flavors.nix; 10832 - 10833 - mkGrsecurity = patch: opts: 10834 - (callPackage ../build-support/grsecurity { 10835 - grsecOptions = { kernelPatch = patch; } // opts; 10836 - }); 10837 - 10838 - grKernel = patch: opts: (self.mkGrsecurity patch opts).grsecKernel; 10839 - grPackage = patch: opts: recurseIntoAttrs (self.mkGrsecurity patch opts).grsecPackage; 10840 - 10841 - # grsecurity kernels (see also linuxPackages_grsec_*) 10842 - 10843 - linux_grsec_desktop_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.desktop; 10844 - linux_grsec_server_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server; 10845 - linux_grsec_server_xen_4_5 = self.grKernel kernelPatches.grsecurity_4_5 self.grFlavors.server_xen; 10846 - 10847 - linux_grsec_desktop_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.desktop; 10848 - linux_grsec_server_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server; 10849 - linux_grsec_server_xen_latest = self.grKernel kernelPatches.grsecurity_latest self.grFlavors.server_xen; 10850 - 10851 10825 /* Linux kernel modules are inherently tied to a specific kernel. So 10852 10826 rather than provide specific instances of those packages for a 10853 10827 specific kernel, we have a function that builds those packages ··· 10997 10971 # Build a kernel for Xen dom0 10998 10972 linuxPackages_latest_xen_dom0 = recurseIntoAttrs (self.linuxPackagesFor (self.linux_latest.override { features.xen_dom0=true; }) linuxPackages_latest); 10999 10973 11000 - # grsecurity packages 10974 + # Grsecurity packages 10975 + 10976 + linux_grsec_nixos = callPackage ../build-support/grsecurity { 10977 + inherit (lib) overrideDerivation; 10978 + kernel = callPackage ../os-specific/linux/kernel/linux-grsecurity.nix { 10979 + inherit (self.linux_4_5) kernelPatches; 10980 + }; 10981 + grsecPatch = self.kernelPatches.grsecurity_testing; 10982 + kernelPatches = [ self.kernelPatches.grsecurity_nixos_kmod ]; 10983 + extraConfig = callPackage ../os-specific/linux/kernel/grsecurity-nixos-config.nix { }; 10984 + }; 11001 10985 11002 - linuxPackages_grsec_desktop_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.desktop; 11003 - linuxPackages_grsec_server_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server; 11004 - linuxPackages_grsec_server_xen_4_5 = self.grPackage kernelPatches.grsecurity_4_5 self.grFlavors.server_xen; 10986 + linuxPackages_grsec_nixos = 10987 + let self = linuxPackagesFor linux_grsec_nixos self; 10988 + in recurseIntoAttrs self; 11005 10989 11006 - linuxPackages_grsec_desktop_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.desktop; 11007 - linuxPackages_grsec_server_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server; 11008 - linuxPackages_grsec_server_xen_latest = self.grPackage kernelPatches.grsecurity_latest self.grFlavors.server_xen; 10990 + # An unsupported grsec xen guest kernel 10991 + linux_grsec_server_xen = linux_grsec_nixos.override { 10992 + extraConfig = '' 10993 + GRKERNSEC y 10994 + PAX y 10995 + GRKERNSEC_CONFIG_AUTO y 10996 + GRKERNSEC_CONFIG_PRIORITY_SECURITY y 10997 + GRKERNSEC_CONFIG_SERVER y 10998 + GRKERNSEC_CONFIG_VIRT_GUEST y 10999 + GRKERNSEC_CONFIG_VIRT_XEN y 11000 + ''; 11001 + }; 11009 11002 11010 11003 # grsecurity: legacy 11011 11004 11012 11005 grsecurity_base_linux_3_14 = throw "grsecurity stable is no longer supported"; 11013 11006 grsecurity_base_linux_4_4 = throw "grsecurity stable is no longer supported"; 11014 11007 11015 - linux_grsec_desktop_3_14 = throw "grsecurity stable is no longer supported"; 11016 - linux_grsec_server_3_14 = throw "grsecurity stable is no longer supported"; 11017 - linux_grsec_server_xen_3_14 = throw "grsecurity stable is no longer supported"; 11008 + linuxPackages_grsec_desktop_3_14 = throw "linuxPackages_grsec_desktop has been removed"; 11009 + linuxPackages_grsec_desktop_4_4 = throw "linuxPackages_grsec_desktop has been removed"; 11010 + linuxPackages_grsec_desktop_4_5 = throw "linuxPackages_grsec_desktop has been removed"; 11011 + linuxPackages_grsec_desktop_latest = throw "linuxPackages_grsec_desktop has been removed"; 11018 11012 11013 + linuxPackages_grsec_server_3_14 = throw "linuxPackages_grsec_server has been removed"; 11014 + linuxPackages_grsec_server_4_4 = throw "linuxPackages_grsec_server has been removed"; 11015 + linuxPackages_grsec_server_4_5 = throw "linuxPackages_grsec_server has been removed"; 11016 + linuxPackages_grsec_server_latest = throw "linuxPackages_grsec_server has been removed"; 11017 + 11018 + linuxPackages_grsec_server_xen_3_14 = throw "linuxPackages_grsec_server_xen has been removed"; 11019 + linuxPackages_grsec_server_xen_4_4 = throw "linuxPackages_grsec_server_xen has been removed"; 11020 + linuxPackages_grsec_server_xen_4_5 = throw "linuxPackages_grsec_server_xen has been removed"; 11021 + linuxPackages_grsec_server_xen_latest = throw "linuxPackages_grsec_server_xen has been removed"; 11022 + 11023 + linux_grsec_desktop_3_14 = throw "grsecurity stable is no longer supported"; 11019 11024 linux_grsec_desktop_4_4 = throw "grsecurity stable is no longer supported"; 11025 + linux_grsec_desktop_4_5 = throw "linux_grsec_desktop has been removed"; 11026 + linux_grsec_desktop_latest = throw "linux_grsec_desktop has been removed"; 11027 + 11028 + linux_grsec_server_3_14 = throw "grsecurity stable is no longer supported"; 11020 11029 linux_grsec_server_4_4 = throw "grsecurity stable is no longer supported"; 11030 + linux_grsec_server_4_5 = throw "linux_grsec_server has been removed"; 11031 + linux_grsec_server_latest = throw "linux_grsec_server_latest has been removed"; 11032 + 11033 + linux_grsec_server_xen_3_14 = throw "grsecurity stable is no longer supported"; 11021 11034 linux_grsec_server_xen_4_4 = throw "grsecurity stable is no longer supported"; 11022 - 11023 - linux_grsec_testing_desktop = self.linux_grsec_desktop_latest; 11024 - linux_grsec_testing_server = self.linux_grsec_server_latest; 11025 - linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest; 11035 + linux_grsec_server_xen_4_5 = throw "linux_grsec_server_xen has been removed"; 11036 + linux_grsec_server_xen_latest = throw "linux_grsec_server_xen has been removed"; 11026 11037 11027 11038 linux_grsec_stable_desktop = self.linux_grsec_desktop_3_14; 11028 11039 linux_grsec_stable_server = self.linux_grsec_server_3_14; 11029 11040 linux_grsec_stable_server_xen = self.linux_grsec_server_xen_3_14; 11030 11041 11031 - linuxPackages_grsec_desktop_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.desktop; 11032 - linuxPackages_grsec_server_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server; 11033 - linuxPackages_grsec_server_xen_3_14 = self.grPackage kernelPatches.grsecurity_3_14 self.grFlavors.server_xen; 11034 - 11035 - linuxPackages_grsec_desktop_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.desktop; 11036 - linuxPackages_grsec_server_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server; 11037 - linuxPackages_grsec_server_xen_4_4 = self.grPackage kernelPatches.grsecurity_4_4 self.grFlavors.server_xen; 11038 - 11039 - linuxPackages_grsec_testing_desktop = self.linuxPackages_grsec_desktop_latest; 11040 - linuxPackages_grsec_testing_server = self.linuxPackages_grsec_server_latest; 11041 - linuxPackages_grsec_testing_server_xen = self.linuxPackages_grsec_server_xen_latest; 11042 + linux_grsec_testing_desktop = self.linux_grsec_desktop_latest; 11043 + linux_grsec_testing_server = self.linux_grsec_server_latest; 11044 + linux_grsec_testing_server_xen = self.linux_grsec_server_xen_latest; 11042 11045 11043 - linuxPackages_grsec_stable_desktop = self.linuxPackages_grsec_desktop_3_14; 11044 - linuxPackages_grsec_stable_server = self.linuxPackages_grsec_server_3_14; 11045 - linuxPackages_grsec_stable_server_xen = self.linuxPackages_grsec_server_xen_3_14; 11046 11046 11047 11047 # ChromiumOS kernels 11048 11048 linuxPackages_chromiumos_3_14 = recurseIntoAttrs (self.linuxPackagesFor self.linux_chromiumos_3_14 linuxPackages_chromiumos_3_14);

-5

pkgs/top-level/release.nix

··· 332 332 xfwm4 = linux; 333 333 }; 334 334 335 - linuxPackages_testing = { }; 336 - linuxPackages_grsec_testing_desktop = { }; 337 - linuxPackages_grsec_testing_server = { }; 338 - linuxPackages_grsec_testing_server_xen = { }; 339 - 340 335 } )); 341 336 342 337 in jobs