
linuxPackages_grsec_4_5: init at 3.1-4.5.2-201604290633

(cherry picked from commit fecb56fc3febd6e2bab58f6701f044296cf4835e)

+64 -1
+14
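--- a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
+++ b/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
@@ -0,0 +1,14 @@
+diff -ru a/kernel/kmod.c b/kernel/kmod.c
+--- a/kernel/kmod.c 2016-04-21 17:06:09.882281660 +0200
++++ b/kernel/kmod.c 2016-04-21 17:08:17.458949309 +0200
+@@ -294,7 +294,9 @@
+ strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+ strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+ strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") &&
+- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
++ strcmp(sub_info->path, "/usr/share/apport/apport") &&
++ strncmp(sub_info->path, "/nix/store/", 11) &&
++ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+ printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
+ retval = -EPERM;
+ goto out;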
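Review bot: The `strncmp(sub_info->path, "/nix/store/", 11)` clause added on line 10 admits any path below the Nix store as a usermode helper, which is a far wider allowlist entry than the per-directory FHS entries next to it: every store path qualifies, including outputs built by any user allowed to talk to the Nix daemon. As far as I know the helper path itself is only ever chosen by privileged configuration, so this widens the trust boundary rather than opening a hole, but that reasoning is recorded nowhere; a preamble before the `diff -ru` line (patch tooling ignores leading free text) such as `Permit usermode helpers from the Nix store and the current system's systemd lib dir; the /nix/store prefix is broad, but the helper path is set by kernel configuration, not by users` would keep it with the patch. The prefix lengths 11 and 32 do match their literals, and the `..` rejection still applies to the new entries. The `if` whose condition these lines form starts before the first context line of the inner hunk.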
+19
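--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
@@ -0,0 +1,19 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+  version = "4.5.2";
+  extraMeta.branch = "4.5";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "17r063zx880ka3ayv9cf1yjfilvxlifhja1rhw5z3w35hgdkj8z3";
+  };
+
+  kernelPatches = args.kernelPatches;
+
+  features.iwlwifi = true;
+  features.efiBootStub = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))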
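Review bot: `version = "4.5.2";` on line 4 is one of two independent pins of the same kernel version — patches.nix in this commit sets `kversion = "4.5.2";` for grsecurity_4_5 separately, and bumping one without the other only surfaces as a patch that fails to apply at build time. If grsecPatch can read the version from the `kernel` it is handed, deriving kversion from it would remove the duplication; otherwise a comment after line 4, `# must match kversion of grsecurity_4_5 in patches.nix`, at least makes the coupling visible. The `features.*` block looks like a copy of the non-grsec 4.5 expression, which is not shown here, so I cannot confirm it is in sync.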
+14 -1
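--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -117,7 +117,15 @@
       sha256 = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
     };
 
-  grsecurity_latest = grsecurity_4_4;
+  grsecurity_4_5 = grsecPatch
+    { kernel = pkgs.grsecurity_base_linux_4_5;
+      patches = [ grsecurity_fix_path_4_5 ];
+      kversion = "4.5.2";
+      revision = "201604290633";
+      sha256 = "0qrs4fk6lyqngq3fnsmrv0y3yp1lrbiwadfc6v7hy4lyv77wz107";
+    };
+
+  grsecurity_latest = grsecurity_4_5;
 
   grsecurity_fix_path_3_14 =
     { name = "grsecurity-fix-path-3.14";
@@ -127,6 +135,11 @@
   grsecurity_fix_path_4_4 =
     { name = "grsecurity-fix-path-4.4";
       patch = ./grsecurity-path-4.4.patch;
+    };
+
+  grsecurity_fix_path_4_5 =
+    { name = "grsecurity-fix-path-4.5";
+      patch = ./grsecurity-path-4.5.patch;
     };
 
   crc_regression =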
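Review bot: `grsecurity_latest = grsecurity_4_5;` on new line 128 retargets every `linux_grsec_*_latest` and `linuxPackages_grsec_*_latest` attribute to a kernel series introduced in this same commit, while the commit title only says "init"; anyone tracking the `_latest` attributes moves from 4.4 to 4.5 with no mention in the message. A one-line note in the commit description, or a comment above that line such as `# every *_grsec_*_latest attribute follows this alias; move it only once the new series has been built and booted`, would make the switch deliberate rather than incidental. The 4.4 entries stay in place, so the previous series remains selectable by its explicit attributes.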
+17
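--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10511,6 +10511,15 @@
     ];
   };
 
+  grsecurity_base_linux_4_5 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.5.nix {
+    kernelPatches = [ kernelPatches.bridge_stp_helper ]
+      ++ lib.optionals ((platform.kernelArch or null) == "mips")
+      [ kernelPatches.mips_fpureg_emu
+        kernelPatches.mips_fpu_sigill
+        kernelPatches.mips_ext3_n32
+      ];
+  };
+
   grFlavors = import ../build-support/grsecurity/flavors.nix;
 
   mkGrsecurity = patch: opts:
@@ -10534,6 +10543,10 @@
   linux_grsec_desktop_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.desktop;
   linux_grsec_server_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server;
   linux_grsec_server_xen_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server_xen;
+
+  linux_grsec_desktop_4_5 = grKernel kernelPatches.grsecurity_4_5 grFlavors.desktop;
+  linux_grsec_server_4_5 = grKernel kernelPatches.grsecurity_4_5 grFlavors.server;
+  linux_grsec_server_xen_4_5 = grKernel kernelPatches.grsecurity_4_5 grFlavors.server_xen;
 
   linux_grsec_desktop_latest = grKernel kernelPatches.grsecurity_latest grFlavors.desktop;
   linux_grsec_server_latest = grKernel kernelPatches.grsecurity_latest grFlavors.server;
@@ -10704,6 +10717,10 @@
   linuxPackages_grsec_desktop_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.desktop;
   linuxPackages_grsec_server_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server;
   linuxPackages_grsec_server_xen_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server_xen;
+
+  linuxPackages_grsec_desktop_4_5 = grPackage kernelPatches.grsecurity_4_5 grFlavors.desktop;
+  linuxPackages_grsec_server_4_5 = grPackage kernelPatches.grsecurity_4_5 grFlavors.server;
+  linuxPackages_grsec_server_xen_4_5 = grPackage kernelPatches.grsecurity_4_5 grFlavors.server_xen;
 
   linuxPackages_grsec_desktop_latest = grPackage kernelPatches.grsecurity_latest grFlavors.desktop;
   linuxPackages_grsec_server_latest = grPackage kernelPatches.grsecurity_latest grFlavors.server;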
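Review bot: The `kernelPatches` list written out in `grsecurity_base_linux_4_5` (new lines 10515-10520) — `bridge_stp_helper` plus the three MIPS patches behind `platform.kernelArch` — is presumably the same list the other `grsecurity_base_linux_*` attributes carry, though those definitions are outside this hunk, so I cannot confirm it. If they do match, binding that list once (e.g. a `grsecBasePatches` let-binding next to `grFlavors`) and referencing it from each base kernel would keep the series from drifting apart as patches are added or dropped. The new `_4_5` lines in the second and third hunks are straight copies of the `_4_4` lines and raise nothing on their own.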