{ stdenv, fetchurl, pkgs }:
let
# Build a kernel-patch attrset for a TuxOnIce hibernation patch.
#
# Upstream ships the patch bzip2-compressed, so the download is wrapped in a
# small derivation whose $out is the decompressed .patch file.  `fetchurl`
# checks the download against `sha256`, so even over the plain-http default
# `url` a modified or truncated archive is rejected rather than applied.
#
# version       - patch version string (the call site in this file uses a
#                 release date such as "2013-11-07")
# kernelVersion - kernel the patch targets; also becomes the attrset name
# sha256        - expected hash of the compressed archive
# url           - override when the archive lives somewhere else
makeTuxonicePatch = { version, kernelVersion, sha256,
  url ? "http://tuxonice.nigelcunningham.com.au/downloads/all/tuxonice-for-linux-${kernelVersion}-${version}.patch.bz2" }:
  let
    archive = fetchurl { inherit url sha256; };
  in
  { name = "tuxonice-${kernelVersion}";
    patch = stdenv.mkDerivation {
      name = "tuxonice-${version}-for-${kernelVersion}.patch";
      src = archive;
      # No unpack/build step: the only work is decompressing the archive to $out.
      phases = [ "installPhase" ];
      installPhase = ''
        source $stdenv/setup
        bunzip2 -c $src > $out
      '';
    };
  };
# Build a kernel-patch attrset for an upstream grsecurity patch.
#
# The patch is downloaded straight from grsecurity.net; `branch` selects the
# directory and `revision` the dated release.  `kversion` must match the
# version of the base kernel the patch is published for, which the assert
# enforces up front so a mismatched kernel/patch pairing fails at evaluation
# time rather than when the patch is applied.
#
# grversion - grsecurity major version used in the file name (default "3.1")
# kernel    - the base kernel derivation; its `version` is cross-checked
# patches   - extra patches to carry alongside (exposed to callers as-is)
# kversion  - kernel version the grsecurity patch is published for
# revision  - grsecurity release timestamp used in the file name
# branch    - directory on grsecurity.net ("test" by default; grsecurity_3_14
#             below passes "stable")
# sha256    - expected hash of the downloaded patch
grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
  assert kversion == kernel.version;
  let
    patchUrl = "https://grsecurity.net/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch";
  in
  { name = "grsecurity-${grversion}-${kversion}";
    inherit grversion kernel patches kversion revision;
    patch = fetchurl { url = patchUrl; inherit sha256; };
    features.grsecurity = true;
  };
in
rec {
# Out-of-tree fixes carried as local patch files.  Each entry is a plain
# { name, patch } attrset; what a given patch changes is documented in the
# patch file itself.
link_lguest = { name = "gcc5-link-lguest"; patch = ./gcc5-link-lguest.patch; };
link_apm = { name = "gcc5-link-apm"; patch = ./gcc5-link-apm.patch; };
bridge_stp_helper = { name = "bridge-stp-helper"; patch = ./bridge-stp-helper.patch; };
# Also advertises the noXsave feature flag to consumers of the patch set.
no_xsave = { name = "no-xsave"; patch = ./no-xsave.patch; features.noXsave = true; };
mips_fpureg_emu = { name = "mips-fpureg-emulation"; patch = ./mips-fpureg-emulation.patch; };
mips_fpu_sigill = { name = "mips-fpu-sigill"; patch = ./mips-fpu-sigill.patch; };
mips_ext3_n32 = { name = "mips-ext3-n32"; patch = ./mips-ext3-n32.patch; };
ubuntu_fan_4_4 = { name = "ubuntu-fan"; patch = ./ubuntu-fan-4.4.patch; };
ubuntu_unprivileged_overlayfs = { name = "ubuntu-unprivileged-overlayfs"; patch = ./ubuntu-unprivileged-overlayfs.patch; };

# TuxOnIce: downloaded and decompressed by makeTuxonicePatch, pinned by hash.
tuxonice_3_10 = makeTuxonicePatch {
  version = "2013-11-07";
  kernelVersion = "3.10.18";
  sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
};

# grsecurity patches fetched from upstream by grsecPatch.  `kversion` must
# equal the base kernel's version (grsecPatch asserts it), and each entry
# carries the matching grsecurity_fix_path_* local patch.  grsecurity_3_14 is
# the only one taken from the "stable" branch; the others use grsecPatch's
# default "test" branch.
grsecurity_3_14 = grsecPatch {
  kernel = pkgs.grsecurity_base_linux_3_14;
  patches = [ grsecurity_fix_path_3_14 ];
  kversion = "3.14.51";
  revision = "201508181951";
  branch = "stable";
  sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
};

grsecurity_4_4 = grsecPatch {
  kernel = pkgs.grsecurity_base_linux_4_4;
  patches = [ grsecurity_fix_path_4_4 ];
  kversion = "4.4.5";
  revision = "201603131305";
  sha256 = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
};

grsecurity_4_5 = grsecPatch {
  kernel = pkgs.grsecurity_base_linux_4_5;
  patches = [ grsecurity_fix_path_4_5 ];
  kversion = "4.5.3";
  revision = "201605060852";
  sha256 = "1yg5fp60nay2cvnpxnx29995wk04r995y9030dwkgk3xpxifr6z1";
};

# Alias for the newest grsecurity entry above.
grsecurity_latest = grsecurity_4_5;

# Local companions to the grsecurity patches; referenced via `patches` above.
grsecurity_fix_path_3_14 = { name = "grsecurity-fix-path-3.14"; patch = ./grsecurity-path-3.14.patch; };
grsecurity_fix_path_4_4 = { name = "grsecurity-fix-path-4.4"; patch = ./grsecurity-path-4.4.patch; };
grsecurity_fix_path_4_5 = { name = "grsecurity-fix-path-4.5"; patch = ./grsecurity-path-4.5.patch; };

crc_regression = { name = "crc-backport-regression"; patch = ./crc-regression.patch; };
genksyms_fix_segfault = { name = "genksyms-fix-segfault"; patch = ./genksyms-fix-segfault.patch; };

# Chromium OS kernel fixes, kept under ./chromiumos-patches.
chromiumos_Kconfig_fix_entries_3_14 = { name = "Kconfig_fix_entries_3_14"; patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.14.patch; };
chromiumos_Kconfig_fix_entries_3_18 = { name = "Kconfig_fix_entries_3_18"; patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.18.patch; };
chromiumos_no_link_restrictions = { name = "chromium-no-link-restrictions"; patch = ./chromiumos-patches/no-link-restrictions.patch; };
chromiumos_mfd_fix_dependency = { name = "mfd_fix_dependency"; patch = ./chromiumos-patches/mfd-fix-dependency.patch; };

qat_common_Makefile = { name = "qat_common_Makefile"; patch = ./qat_common_Makefile.patch; };
}