+6 -22

nixos/modules/security/grsecurity.nix

··· 26 26 ''; 27 27 }; 28 28 29 29 - stable = mkOption { 30 30 - type = types.bool; 31 31 - default = false; 29 29 + kernelPatch = mkOption { 30 30 + type = types.attrs; 31 31 + default = pkgs.kernelPatches.grsecurity_latest; 32 32 + example = pkgs.kernelPatches.grsecurity_4_1; 32 33 description = '' 33 33 - Enable the stable grsecurity patch, based on Linux 3.14. 34 34 - ''; 35 35 - }; 36 36 - 37 37 - testing = mkOption { 38 38 - type = types.bool; 39 39 - default = false; 40 40 - description = '' 41 41 - Enable the testing grsecurity patch, based on Linux 4.0. 34 34 + Grsecurity patch to use. 42 35 ''; 43 36 }; 44 37 ··· 219 212 220 213 config = mkIf cfg.enable { 221 214 assertions = 222 222 - [ { assertion = cfg.stable || cfg.testing; 223 223 - message = '' 224 224 - If grsecurity is enabled, you must select either the 225 225 - stable patch (with kernel 3.14), or the testing patch (with 226 226 - kernel 4.0) to continue. 227 227 - ''; 228 228 - } 229 229 - { assertion = !(cfg.stable && cfg.testing); 230 230 - message = "Select either one of the stable or testing patch"; 231 231 - } 215 215 + [ 232 216 { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) || 233 217 (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc); 234 218 message = "You cannot enable both restrictProc and restrictProcWithGroup";

+9 -16

pkgs/build-support/grsecurity/default.nix

··· 4 4 5 5 let 6 6 cfg = { 7 7 - stable = grsecOptions.stable or false; 8 8 - testing = grsecOptions.testing or false; 7 7 + kernelPatch = grsecOptions.kernelPatch; 9 8 config = { 10 9 mode = "auto"; 11 10 sysctl = false; ··· 22 21 23 22 vals = rec { 24 23 25 25 - mkKernel = kernel: patch: 26 26 - assert patch.kversion == kernel.version; 27 27 - { inherit kernel patch; 28 28 - inherit (patch) grversion revision; 24 24 + mkKernel = patch: 25 25 + { 26 26 + inherit patch; 27 27 + inherit (patch) kernel patches grversion revision; 29 28 }; 30 29 31 31 - test-patch = with pkgs.kernelPatches; grsecurity_unstable; 32 32 - stable-patch = with pkgs.kernelPatches; grsecurity_stable; 33 33 - 34 34 - grKernel = if cfg.stable 35 35 - then mkKernel pkgs.linux_3_14 stable-patch 36 36 - else mkKernel pkgs.linux_4_3 test-patch; 30 30 + grKernel = mkKernel cfg.kernelPatch; 37 31 38 32 ## -- grsecurity configuration --------------------------------------------- 39 33 ··· 90 84 91 85 # Disable restricting links under the testing kernel, as something 92 86 # has changed causing it to fail miserably during boot. 93 93 - restrictLinks = optionalString cfg.testing 94 94 - "GRKERNSEC_LINK n"; 87 87 + #restrictLinks = optionalString cfg.testing 88 88 + # "GRKERNSEC_LINK n"; 95 89 in '' 96 90 GRKERNSEC y 97 91 ${grsecMainConfig} ··· 109 103 GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod} 110 104 GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB} 111 105 GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC} 112 112 - ${restrictLinks} 113 106 114 107 ${cfg.config.kernelExtraConfig} 115 108 ''; ··· 136 129 137 130 mkGrsecKern = grkern: 138 131 lowPrio (overrideDerivation (grkern.kernel.override (args: { 139 139 - kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ]; 132 132 + kernelPatches = args.kernelPatches ++ [ grkern.patch ] ++ grkern.patches; 140 133 argsOverride = { 141 134 modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}"; 142 135 };

+8 -17

pkgs/build-support/grsecurity/flavors.nix

··· 1 1 let 2 2 - mkOpts = ver: prio: sys: virt: swvirt: hwvirt: 2 2 + mkOpts = prio: sys: virt: swvirt: hwvirt: 3 3 { config.priority = prio; 4 4 config.system = sys; 5 5 config.virtualisationConfig = virt; 6 6 config.hardwareVirtualisation = hwvirt; 7 7 config.virtualisationSoftware = swvirt; 8 8 - } // builtins.listToAttrs [ { name = ver; value = true; } ]; 8 8 + }; 9 9 in 10 10 { 11 11 - # Stable kernels 12 12 - linux_grsec_stable_desktop = 13 13 - mkOpts "stable" "performance" "desktop" "host" "kvm" true; 14 14 - linux_grsec_stable_server = 15 15 - mkOpts "stable" "security" "server" "host" "kvm" true; 16 16 - linux_grsec_stable_server_xen = 17 17 - mkOpts "stable" "security" "server" "guest" "xen" true; 18 18 - 19 19 - # Testing kernels 20 20 - linux_grsec_testing_desktop = 21 21 - mkOpts "testing" "performance" "desktop" "host" "kvm" true; 22 22 - linux_grsec_testing_server = 23 23 - mkOpts "testing" "security" "server" "host" "kvm" true; 24 24 - linux_grsec_testing_server_xen = 25 25 - mkOpts "testing" "security" "server" "guest" "xen" true; 11 11 + desktop = 12 12 + mkOpts "performance" "desktop" "host" "kvm" true; 13 13 + server = 14 14 + mkOpts "security" "server" "host" "kvm" true; 15 15 + server_xen = 16 16 + mkOpts "security" "server" "guest" "xen" true; 26 17 }

pkgs/os-specific/linux/kernel/grsec-path.patch pkgs/os-specific/linux/kernel/grsecurity-path-3.14.patch

+18

pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch

··· 1 1 + diff --git a/kernel/kmod.c b/kernel/kmod.c 2 2 + index a689506..30747b4 100644 3 3 + --- a/kernel/kmod.c 4 4 + +++ b/kernel/kmod.c 5 5 + @@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data) 6 6 + out the path to be used prior to this point and are now operating 7 7 + on that copy 8 8 + */ 9 9 + - if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) && 10 10 + - strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) && 11 11 + - strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) && 12 12 + - strncmp(sub_info->path, "/usr/sbin/", 10) && 13 13 + - strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) { 14 14 + + if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) && 15 15 + + strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) { 16 16 + printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path); 17 17 + retval = -EPERM; 18 18 + goto out;

+19

pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix

··· 1 1 + { stdenv, fetchurl, perl, buildLinux, ... } @ args: 2 2 + 3 3 + import ./generic.nix (args // rec { 4 4 + version = "3.14.51"; 5 5 + extraMeta.branch = "3.14"; 6 6 + 7 7 + src = fetchurl { 8 8 + url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz"; 9 9 + sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk"; 10 10 + }; 11 11 + 12 12 + kernelPatches = args.kernelPatches; 13 13 + 14 14 + features.iwlwifi = true; 15 15 + features.efiBootStub = true; 16 16 + features.needsCifsUtils = true; 17 17 + features.canDisableNetfilterConntrackHelpers = true; 18 18 + features.netfilterRPFilter = true; 19 19 + } // (args.argsOverride or {}))

+19

pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix

··· 1 1 + { stdenv, fetchurl, perl, buildLinux, ... } @ args: 2 2 + 3 3 + import ./generic.nix (args // rec { 4 4 + version = "4.1.7"; 5 5 + extraMeta.branch = "4.1"; 6 6 + 7 7 + src = fetchurl { 8 8 + url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; 9 9 + sha256 = "0g1dnvak0pd03d4miy1025bw64wq71w29a058dzspdr6jcf9qwbn"; 10 10 + }; 11 11 + 12 12 + kernelPatches = args.kernelPatches; 13 13 + 14 14 + features.iwlwifi = true; 15 15 + features.efiBootStub = true; 16 16 + features.needsCifsUtils = true; 17 17 + features.canDisableNetfilterConntrackHelpers = true; 18 18 + features.netfilterRPFilter = true; 19 19 + } // (args.argsOverride or {}))

+19

pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix

··· 1 1 + { stdenv, fetchurl, perl, buildLinux, ... } @ args: 2 2 + 3 3 + import ./generic.nix (args // rec { 4 4 + version = "4.4.2"; 5 5 + extraMeta.branch = "4.4"; 6 6 + 7 7 + src = fetchurl { 8 8 + url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; 9 9 + sha256 = "09l6y0nb8yv7l16arfwhy4i5h9pkxcbd7hlbw0015n7gm4i2mzc2"; 10 10 + }; 11 11 + 12 12 + kernelPatches = args.kernelPatches; 13 13 + 14 14 + features.iwlwifi = true; 15 15 + features.efiBootStub = true; 16 16 + features.needsCifsUtils = true; 17 17 + features.canDisableNetfilterConntrackHelpers = true; 18 18 + features.netfilterRPFilter = true; 19 19 + } // (args.argsOverride or {}))

+35 -14

pkgs/os-specific/linux/kernel/patches.nix

··· 1 1 - { stdenv, fetchurl }: 1 1 + { stdenv, fetchurl, pkgs }: 2 2 3 3 let 4 4 ··· 18 18 }; 19 19 }; 20 20 21 21 - grsecPatch = { grversion ? "3.1", kversion, revision, branch, sha256 }: 21 21 + grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }: 22 22 + assert kversion == kernel.version; 22 23 { name = "grsecurity-${grversion}-${kversion}"; 23 23 - inherit grversion kversion revision; 24 24 + inherit grversion kernel patches kversion revision; 24 25 patch = fetchurl { 25 25 - url = "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"; 26 26 + url = if branch == "stable" 27 27 + then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true" 28 28 + else "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"; 26 29 inherit sha256; 27 30 }; 28 31 features.grsecurity = true; ··· 79 82 sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j"; 80 83 }; 81 84 82 82 - grsecurity_stable = grsecPatch 83 83 - { kversion = "3.14.51"; 85 85 + grsecurity_3_14 = grsecPatch 86 86 + { kernel = pkgs.grsecurity_base_linux_3_14; 87 87 + patches = [ grsecurity_fix_path_3_14 ]; 88 88 + kversion = "3.14.51"; 84 89 revision = "201508181951"; 85 90 branch = "stable"; 86 91 sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f"; 87 92 }; 88 93 89 89 - grsecurity_unstable = grsecPatch 90 90 - { kversion = "4.3.4"; 91 91 - revision = "201601231215"; 92 92 - branch = "test"; 93 93 - sha256 = "1dacld4zlp8mk6ykc0f1v5crppvq3znbdw9rwfrf6qi90984x0mr"; 94 94 + grsecurity_4_1 = grsecPatch 95 95 + { kernel = pkgs.grsecurity_base_linux_4_1; 96 96 + patches = [ grsecurity_fix_path_3_14 ]; 97 97 + kversion = "4.1.7"; 98 98 + revision = "201509201149"; 99 99 + sha256 = "1agv8c3c4vmh5algbzmrq2f6vwk72rikrlcbm4h7jbrb9js6fxk4"; 100 100 + }; 101 101 + 102 102 + grsecurity_4_4 = grsecPatch 103 103 + { kernel = pkgs.grsecurity_base_linux_4_4; 104 104 + patches = [ grsecurity_fix_path_4_4 ]; 105 105 + kversion = "4.4.2"; 106 106 + revision = "201602182048"; 107 107 + sha256 = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr"; 94 108 }; 95 109 96 96 - grsec_fix_path = 97 97 - { name = "grsec-fix-path"; 98 98 - patch = ./grsec-path.patch; 110 110 + grsecurity_latest = grsecurity_4_4; 111 111 + 112 112 + grsecurity_fix_path_3_14 = 113 113 + { name = "grsecurity-fix-path-3.14"; 114 114 + patch = ./grsecurity-path-3.14.patch; 115 115 + }; 116 116 + 117 117 + grsecurity_fix_path_4_4 = 118 118 + { name = "grsecurity-fix-path-4.4"; 119 119 + patch = ./grsecurity-path-4.4.patch; 99 120 }; 100 121 101 122 crc_regression =

+85 -26

pkgs/top-level/all-packages.nix

··· 10409 10409 to EC2, where Xen is the Hypervisor. 10410 10410 */ 10411 10411 10412 10412 + # Base kernels to apply the grsecurity patch onto 10413 10413 + 10414 10414 + grsecurity_base_linux_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix { 10415 10415 + kernelPatches = [ kernelPatches.bridge_stp_helper ] 10416 10416 + ++ lib.optionals ((platform.kernelArch or null) == "mips") 10417 10417 + [ kernelPatches.mips_fpureg_emu 10418 10418 + kernelPatches.mips_fpu_sigill 10419 10419 + kernelPatches.mips_ext3_n32 10420 10420 + ]; 10421 10421 + }; 10422 10422 + 10423 10423 + grsecurity_base_linux_4_1 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.1.nix { 10424 10424 + kernelPatches = [ kernelPatches.bridge_stp_helper ] 10425 10425 + ++ lib.optionals ((platform.kernelArch or null) == "mips") 10426 10426 + [ kernelPatches.mips_fpureg_emu 10427 10427 + kernelPatches.mips_fpu_sigill 10428 10428 + kernelPatches.mips_ext3_n32 10429 10429 + ]; 10430 10430 + }; 10431 10431 + 10432 10432 + grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix { 10433 10433 + kernelPatches = [ kernelPatches.bridge_stp_helper ] 10434 10434 + ++ lib.optionals ((platform.kernelArch or null) == "mips") 10435 10435 + [ kernelPatches.mips_fpureg_emu 10436 10436 + kernelPatches.mips_fpu_sigill 10437 10437 + kernelPatches.mips_ext3_n32 10438 10438 + ]; 10439 10439 + }; 10440 10440 + 10412 10441 grFlavors = import ../build-support/grsecurity/flavors.nix; 10413 10442 10414 10414 - mkGrsecurity = opts: 10443 10443 + mkGrsecurity = patch: opts: 10415 10444 (callPackage ../build-support/grsecurity { 10416 10416 - grsecOptions = opts; 10445 10445 + grsecOptions = { kernelPatch = patch; } // opts; 10417 10446 }); 10418 10447 10419 10419 - grKernel = opts: (mkGrsecurity opts).grsecKernel; 10420 10420 - grPackage = opts: recurseIntoAttrs (mkGrsecurity opts).grsecPackage; 10448 10448 + grKernel = patch: opts: (mkGrsecurity patch opts).grsecKernel; 10449 10449 + grPackage = patch: opts: recurseIntoAttrs (mkGrsecurity patch opts).grsecPackage; 10421 10450 10422 10422 - # Stable kernels 10423 10423 - # This is no longer supported. Please see the official announcement on the 10424 10424 - # grsecurity page. https://grsecurity.net/announce.php 10425 10425 - linux_grsec_stable_desktop = throw "No longer supported due to https://grsecurity.net/announce.php. " 10426 10426 - + "Please use linux_grsec_testing_desktop."; 10427 10427 - linux_grsec_stable_server = throw "No longer supported due to https://grsecurity.net/announce.php. " 10428 10428 - + "Please use linux_grsec_testing_server."; 10429 10429 - linux_grsec_stable_server_xen = throw "No longer supporteddue to https://grsecurity.net/announce.php. " 10430 10430 - + "Please use linux_grsec_testing_server_xen."; 10451 10451 + # grsecurity kernels (see also linuxPackages_grsec_*) 10452 10452 + 10453 10453 + linux_grsec_desktop_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.desktop; 10454 10454 + linux_grsec_server_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.server; 10455 10455 + linux_grsec_server_xen_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.server_xen; 10431 10456 10432 10432 - # Testing kernels 10433 10433 - linux_grsec_testing_desktop = grKernel grFlavors.linux_grsec_testing_desktop; 10434 10434 - linux_grsec_testing_server = grKernel grFlavors.linux_grsec_testing_server; 10435 10435 - linux_grsec_testing_server_xen = grKernel grFlavors.linux_grsec_testing_server_xen; 10457 10457 + linux_grsec_desktop_4_1 = grKernel kernelPatches.grsecurity_4_1 grFlavors.desktop; 10458 10458 + linux_grsec_server_4_1 = grKernel kernelPatches.grsecurity_4_1 grFlavors.server; 10459 10459 + linux_grsec_server_xen_4_1 = grKernel kernelPatches.grsecurity_4_1 grFlavors.server_xen; 10460 10460 + 10461 10461 + linux_grsec_desktop_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.desktop; 10462 10462 + linux_grsec_server_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server; 10463 10463 + linux_grsec_server_xen_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server_xen; 10464 10464 + 10465 10465 + linux_grsec_desktop_latest = grKernel kernelPatches.grsecurity_latest grFlavors.desktop; 10466 10466 + linux_grsec_server_latest = grKernel kernelPatches.grsecurity_latest grFlavors.server; 10467 10467 + linux_grsec_server_xen_latest = grKernel kernelPatches.grsecurity_latest grFlavors.server_xen; 10468 10468 + 10469 10469 + # grsecurity: old names 10470 10470 + 10471 10471 + linux_grsec_testing_desktop = linux_grsec_desktop_latest; 10472 10472 + linux_grsec_testing_server = linux_grsec_server_latest; 10473 10473 + linux_grsec_testing_server_xen = linux_grsec_server_xen_latest; 10474 10474 + 10475 10475 + linux_grsec_stable_desktop = linux_grsec_desktop_3_14; 10476 10476 + linux_grsec_stable_server = linux_grsec_server_3_14; 10477 10477 + linux_grsec_stable_server_xen = linux_grsec_server_xen_3_14; 10436 10478 10437 10479 /* Linux kernel modules are inherently tied to a specific kernel. So 10438 10480 rather than provide specific instances of those packages for a ··· 10573 10615 # Build a kernel for Xen dom0 10574 10616 linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }) linuxPackages_latest); 10575 10617 10576 10576 - # grsecurity flavors 10577 10577 - # Stable kernels 10578 10578 - linuxPackages_grsec_stable_desktop = grPackage grFlavors.linux_grsec_stable_desktop; 10579 10579 - linuxPackages_grsec_stable_server = grPackage grFlavors.linux_grsec_stable_server; 10580 10580 - linuxPackages_grsec_stable_server_xen = grPackage grFlavors.linux_grsec_stable_server_xen; 10618 10618 + # grsecurity packages 10619 10619 + 10620 10620 + linuxPackages_grsec_desktop_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.desktop; 10621 10621 + linuxPackages_grsec_server_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.server; 10622 10622 + linuxPackages_grsec_server_xen_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.server_xen; 10623 10623 + 10624 10624 + linuxPackages_grsec_desktop_4_1 = grPackage kernelPatches.grsecurity_4_1 grFlavors.desktop; 10625 10625 + linuxPackages_grsec_server_4_1 = grPackage kernelPatches.grsecurity_4_1 grFlavors.server; 10626 10626 + linuxPackages_grsec_server_xen_4_1 = grPackage kernelPatches.grsecurity_4_1 grFlavors.server_xen; 10627 10627 + 10628 10628 + linuxPackages_grsec_desktop_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.desktop; 10629 10629 + linuxPackages_grsec_server_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server; 10630 10630 + linuxPackages_grsec_server_xen_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server_xen; 10631 10631 + 10632 10632 + linuxPackages_grsec_desktop_latest = grPackage kernelPatches.grsecurity_latest grFlavors.desktop; 10633 10633 + linuxPackages_grsec_server_latest = grPackage kernelPatches.grsecurity_latest grFlavors.server; 10634 10634 + linuxPackages_grsec_server_xen_latest = grPackage kernelPatches.grsecurity_latest grFlavors.server_xen; 10635 10635 + 10636 10636 + # grsecurity: old names 10637 10637 + 10638 10638 + linuxPackages_grsec_testing_desktop = linuxPackages_grsec_desktop_latest; 10639 10639 + linuxPackages_grsec_testing_server = linuxPackages_grsec_server_latest; 10640 10640 + linuxPackages_grsec_testing_server_xen = linuxPackages_grsec_server_xen_latest; 10581 10641 10582 10582 - # Testing kernels 10583 10583 - linuxPackages_grsec_testing_desktop = grPackage grFlavors.linux_grsec_testing_desktop; 10584 10584 - linuxPackages_grsec_testing_server = grPackage grFlavors.linux_grsec_testing_server; 10585 10585 - linuxPackages_grsec_testing_server_xen = grPackage grFlavors.linux_grsec_testing_server_xen; 10642 10642 + linuxPackages_grsec_stable_desktop = linuxPackages_grsec_desktop_3_14; 10643 10643 + linuxPackages_grsec_stable_server = linuxPackages_grsec_server_3_14; 10644 10644 + linuxPackages_grsec_stable_server_xen = linuxPackages_grsec_server_xen_3_14; 10586 10645 10587 10646 # ChromiumOS kernels 10588 10647 linuxPackages_chromiumos_3_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_chromiumos_3_14 linuxPackages_chromiumos_3_14);