2016-02-27 16:33:18 +01:00
|
|
|
{ stdenv, fetchurl, pkgs }:
|
2009-12-14 16:28:55 +01:00
|
|
|
|
|
|
|
let
|
|
|
|
|
2011-03-21 16:53:22 +01:00
|
|
|
makeTuxonicePatch = { version, kernelVersion, sha256,
|
2013-11-19 21:36:55 +01:00
|
|
|
url ? "http://tuxonice.nigelcunningham.com.au/downloads/all/tuxonice-for-linux-${kernelVersion}-${version}.patch.bz2" }:
|
2011-03-21 16:53:22 +01:00
|
|
|
{ name = "tuxonice-${kernelVersion}";
|
|
|
|
patch = stdenv.mkDerivation {
|
|
|
|
name = "tuxonice-${version}-for-${kernelVersion}.patch";
|
|
|
|
src = fetchurl {
|
|
|
|
inherit url sha256;
|
|
|
|
};
|
|
|
|
phases = [ "installPhase" ];
|
|
|
|
installPhase = ''
|
|
|
|
source $stdenv/setup
|
|
|
|
bunzip2 -c $src > $out
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2016-02-28 04:10:59 +01:00
|
|
|
grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
|
2016-02-27 16:33:18 +01:00
|
|
|
assert kversion == kernel.version;
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 21:18:12 +02:00
|
|
|
{ name = "grsecurity-${grversion}-${kversion}";
|
2016-02-27 19:54:55 +01:00
|
|
|
inherit grversion kernel patches kversion revision;
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 21:18:12 +02:00
|
|
|
patch = fetchurl {
|
2016-02-27 19:33:35 +01:00
|
|
|
url = if branch == "stable"
|
|
|
|
then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"
|
|
|
|
else "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true";
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 21:18:12 +02:00
|
|
|
inherit sha256;
|
|
|
|
};
|
|
|
|
features.grsecurity = true;
|
2013-05-11 07:44:30 +02:00
|
|
|
};
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 21:18:12 +02:00
|
|
|
|
2009-12-14 16:28:55 +01:00
|
|
|
in
|
|
|
|
|
2011-07-11 15:59:40 +02:00
|
|
|
rec {
|
2009-12-14 16:28:55 +01:00
|
|
|
|
2015-01-14 00:49:14 +01:00
|
|
|
bridge_stp_helper =
|
|
|
|
{ name = "bridge-stp-helper";
|
|
|
|
patch = ./bridge-stp-helper.patch;
|
|
|
|
};
|
|
|
|
|
2010-07-18 23:10:46 +02:00
|
|
|
no_xsave =
|
|
|
|
{ name = "no-xsave";
|
2012-07-02 16:16:27 +02:00
|
|
|
patch = ./no-xsave.patch;
|
2010-07-18 23:10:46 +02:00
|
|
|
features.noXsave = true;
|
2010-06-20 22:52:08 +02:00
|
|
|
};
|
2010-07-25 14:15:59 +02:00
|
|
|
|
2012-06-16 12:49:03 +02:00
|
|
|
mips_fpureg_emu =
|
|
|
|
{ name = "mips-fpureg-emulation";
|
|
|
|
patch = ./mips-fpureg-emulation.patch;
|
|
|
|
};
|
|
|
|
|
|
|
|
mips_fpu_sigill =
|
|
|
|
{ name = "mips-fpu-sigill";
|
|
|
|
patch = ./mips-fpu-sigill.patch;
|
|
|
|
};
|
|
|
|
|
2012-11-06 00:16:13 +01:00
|
|
|
mips_ext3_n32 =
|
|
|
|
{ name = "mips-ext3-n32";
|
|
|
|
patch = ./mips-ext3-n32.patch;
|
|
|
|
};
|
|
|
|
|
2015-08-10 01:13:40 +02:00
|
|
|
ubuntu_fan =
|
|
|
|
{ name = "ubuntu-fan";
|
|
|
|
patch = ./ubuntu-fan-3.patch;
|
|
|
|
};
|
|
|
|
|
|
|
|
ubuntu_fan_4 =
|
|
|
|
{ name = "ubuntu-fan";
|
|
|
|
patch = ./ubuntu-fan-4.patch;
|
|
|
|
};
|
|
|
|
|
2015-09-25 23:42:16 +02:00
|
|
|
ubuntu_unprivileged_overlayfs =
|
|
|
|
{ name = "ubuntu-unprivileged-overlayfs";
|
|
|
|
patch = ./ubuntu-unprivileged-overlayfs.patch;
|
|
|
|
};
|
|
|
|
|
2013-11-19 21:36:55 +01:00
|
|
|
tuxonice_3_10 = makeTuxonicePatch {
|
|
|
|
version = "2013-11-07";
|
|
|
|
kernelVersion = "3.10.18";
|
|
|
|
sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
|
|
|
|
};
|
|
|
|
|
2016-02-28 04:10:59 +01:00
|
|
|
grsecurity_3_14 = grsecPatch
|
|
|
|
{ kernel = pkgs.grsecurity_base_linux_3_14;
|
2016-02-27 19:54:55 +01:00
|
|
|
patches = [ grsecurity_fix_path_3_14 ];
|
2016-02-27 16:33:18 +01:00
|
|
|
kversion = "3.14.51";
|
2015-08-19 06:06:45 +02:00
|
|
|
revision = "201508181951";
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 21:18:12 +02:00
|
|
|
branch = "stable";
|
2015-08-19 06:06:45 +02:00
|
|
|
sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
|
2013-07-22 21:44:31 +02:00
|
|
|
};
|
|
|
|
|
2016-02-28 15:00:05 +01:00
|
|
|
grsecurity_4_1 = grsecPatch
|
|
|
|
{ kernel = pkgs.grsecurity_base_linux_4_1;
|
|
|
|
patches = [ grsecurity_fix_path_3_14 ];
|
|
|
|
kversion = "4.1.7";
|
|
|
|
revision = "201509201149";
|
|
|
|
sha256 = "1agv8c3c4vmh5algbzmrq2f6vwk72rikrlcbm4h7jbrb9js6fxk4";
|
|
|
|
};
|
|
|
|
|
2016-02-28 04:10:59 +01:00
|
|
|
grsecurity_4_4 = grsecPatch
|
|
|
|
{ kernel = pkgs.grsecurity_base_linux_4_4;
|
2016-02-27 19:54:55 +01:00
|
|
|
patches = [ grsecurity_fix_path_4_4 ];
|
2016-02-27 16:33:18 +01:00
|
|
|
kversion = "4.4.2";
|
2016-02-27 16:13:08 +01:00
|
|
|
revision = "201602182048";
|
|
|
|
sha256 = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr";
|
2013-11-02 12:43:11 +01:00
|
|
|
};
|
2013-11-26 23:08:51 +01:00
|
|
|
|
2016-02-28 04:10:59 +01:00
|
|
|
grsecurity_latest = grsecurity_4_4;
|
|
|
|
|
2016-02-27 19:54:55 +01:00
|
|
|
grsecurity_fix_path_3_14 =
|
|
|
|
{ name = "grsecurity-fix-path-3.14";
|
|
|
|
patch = ./grsecurity-path-3.14.patch;
|
|
|
|
};
|
|
|
|
|
|
|
|
grsecurity_fix_path_4_4 =
|
|
|
|
{ name = "grsecurity-fix-path-4.4";
|
|
|
|
patch = ./grsecurity-path-4.4.patch;
|
2013-11-26 23:08:51 +01:00
|
|
|
};
|
2015-02-10 13:45:20 +01:00
|
|
|
|
|
|
|
crc_regression =
|
|
|
|
{ name = "crc-backport-regression";
|
|
|
|
patch = ./crc-regression.patch;
|
|
|
|
};
|
2015-04-08 14:13:42 +02:00
|
|
|
|
2016-01-10 20:07:45 +01:00
|
|
|
genksyms_fix_segfault =
|
|
|
|
{ name = "genksyms-fix-segfault";
|
|
|
|
patch = ./genksyms-fix-segfault.patch;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2016-01-10 20:10:11 +01:00
|
|
|
chromiumos_Kconfig_fix_entries_3_14 =
|
|
|
|
{ name = "Kconfig_fix_entries_3_14";
|
|
|
|
patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.14.patch;
|
|
|
|
};
|
|
|
|
|
2016-01-10 20:07:45 +01:00
|
|
|
chromiumos_Kconfig_fix_entries_3_18 =
|
|
|
|
{ name = "Kconfig_fix_entries_3_18";
|
|
|
|
patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.18.patch;
|
|
|
|
};
|
|
|
|
|
|
|
|
chromiumos_no_link_restrictions =
|
|
|
|
{ name = "chromium-no-link-restrictions";
|
|
|
|
patch = ./chromiumos-patches/no-link-restrictions.patch;
|
|
|
|
};
|
2016-01-10 20:10:11 +01:00
|
|
|
|
|
|
|
chromiumos_mfd_fix_dependency =
|
|
|
|
{ name = "mfd_fix_dependency";
|
|
|
|
patch = ./chromiumos-patches/mfd-fix-dependency.patch;
|
|
|
|
};
|
2009-12-14 16:28:55 +01:00
|
|
|
}
|