grsecurity: use kernel version instead of testing / stable

nixos/modules/security/grsecurity.nix

@@ -26,19 +26,11 @@ in
         '';
       };
 
-      stable = mkOption {
+      kernelPatch = mkOption {
-        type = types.bool;
+        type = types.attrs;
-        default = false;
+        default = pkgs.kernelPatches.grsecurity_latest;
         description = ''
-          Enable the stable grsecurity patch, based on Linux 3.14.
+          Grsecurity patch to use.
-        '';
-      };
-
-      testing = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Enable the testing grsecurity patch, based on Linux 4.0.
         '';
       };
 
@@ -219,16 +211,7 @@ in
 
   config = mkIf cfg.enable {
     assertions =
-      [ { assertion = cfg.stable || cfg.testing;
+      [
-          message   = ''
-            If grsecurity is enabled, you must select either the
-            stable patch (with kernel 3.14), or the testing patch (with
-            kernel 4.0) to continue.
-          '';
-        }
-        { assertion = !(cfg.stable && cfg.testing);
-          message   = "Select either one of the stable or testing patch";
-        }
         { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
                       (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
           message   = "You cannot enable both restrictProc and restrictProcWithGroup";

pkgs/build-support/grsecurity/default.nix

@@ -4,8 +4,7 @@ with lib;
 
 let
   cfg = {
-    stable  = grsecOptions.stable  or false;
+    kernelPatch = grsecOptions.kernelPatch;
-    testing = grsecOptions.testing or false;
     config = {
       mode = "auto";
       sysctl = false;
@@ -28,12 +27,7 @@ let
           inherit (patch) kernel patches grversion revision;
         };
 
-    test-patch = with pkgs.kernelPatches; grsecurity_testing;
+    grKernel = mkKernel cfg.kernelPatch;
-    stable-patch = with pkgs.kernelPatches; grsecurity_stable;
-
-    grKernel = if cfg.stable
-               then mkKernel stable-patch
-               else mkKernel test-patch;
 
     ## -- grsecurity configuration ---------------------------------------------
 
@@ -90,8 +84,8 @@ let
 
           # Disable restricting links under the testing kernel, as something
           # has changed causing it to fail miserably during boot.
-          restrictLinks = optionalString cfg.testing
+          #restrictLinks = optionalString cfg.testing
-            "GRKERNSEC_LINK n";
+          #  "GRKERNSEC_LINK n";
       in ''
         GRKERNSEC y
         ${grsecMainConfig}
@@ -109,7 +103,6 @@ let
         GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
         GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
         GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
-        ${restrictLinks}
 
         ${cfg.config.kernelExtraConfig}
       '';

pkgs/build-support/grsecurity/flavors.nix

@@ -1,26 +1,17 @@
 let
-  mkOpts = ver: prio: sys: virt: swvirt: hwvirt:
+  mkOpts = prio: sys: virt: swvirt: hwvirt:
     { config.priority               = prio;
       config.system                 = sys;
       config.virtualisationConfig   = virt;
       config.hardwareVirtualisation = hwvirt;
       config.virtualisationSoftware = swvirt;
-    } // builtins.listToAttrs [ { name = ver; value = true; } ];
+    };
 in
 {
-  # Stable kernels
+  desktop =
-  linux_grsec_stable_desktop =
+    mkOpts "performance" "desktop" "host" "kvm" true;
-    mkOpts "stable" "performance" "desktop" "host" "kvm" true;
+  server  =
-  linux_grsec_stable_server  =
+    mkOpts "security" "server" "host" "kvm" true;
-    mkOpts "stable" "security" "server" "host" "kvm" true;
+  server_xen =
-  linux_grsec_stable_server_xen =
+    mkOpts "security" "server" "guest" "xen" true;
-    mkOpts "stable" "security" "server" "guest" "xen" true;
-
-  # Testing kernels
-  linux_grsec_testing_desktop =
-    mkOpts "testing" "performance" "desktop" "host" "kvm" true;
-  linux_grsec_testing_server  =
-    mkOpts "testing" "security" "server" "host" "kvm" true;
-  linux_grsec_testing_server_xen =
-    mkOpts "testing" "security" "server" "guest" "xen" true;
 }

pkgs/os-specific/linux/kernel/patches.nix

@@ -18,7 +18,7 @@ let
       };
     };
 
-  grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch, sha256 }:
+  grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
     assert kversion == kernel.version;
     { name = "grsecurity-${grversion}-${kversion}";
       inherit grversion kernel patches kversion revision;
@@ -82,8 +82,8 @@ rec {
     sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
   };
 
-  grsecurity_stable = grsecPatch
+  grsecurity_3_14 = grsecPatch
-    { kernel    = pkgs.linux_grsecurity_3_14;
+    { kernel    = pkgs.grsecurity_base_linux_3_14;
       patches   = [ grsecurity_fix_path_3_14 ];
       kversion  = "3.14.51";
       revision  = "201508181951";
@@ -91,15 +91,16 @@ rec {
       sha256    = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
     };
 
-  grsecurity_testing = grsecPatch
+  grsecurity_4_4 = grsecPatch
-    { kernel    = pkgs.linux_grsecurity_4_4;
+    { kernel    = pkgs.grsecurity_base_linux_4_4;
       patches   = [ grsecurity_fix_path_4_4 ];
       kversion  = "4.4.2";
       revision  = "201602182048";
-      branch    = "test";
       sha256    = "0dm0nzzja6ynzdz2k5h0ckys7flw307i3w0k1lwjxfj80civ73wr";
     };
 
+  grsecurity_latest = grsecurity_4_4;
+
   grsecurity_fix_path_3_14 =
     { name = "grsecurity-fix-path-3.14";
       patch = ./grsecurity-path-3.14.patch;

pkgs/top-level/all-packages.nix

@@ -10407,7 +10407,9 @@ let
      to EC2, where Xen is the Hypervisor.
   */
 
-  linux_grsecurity_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix {
+  # Base kernels to apply the grsecurity patch onto
+
+  grsecurity_base_linux_3_14 = callPackage ../os-specific/linux/kernel/linux-grsecurity-3.14.nix {
     kernelPatches = [ kernelPatches.bridge_stp_helper ]
       ++ lib.optionals ((platform.kernelArch or null) == "mips")
       [ kernelPatches.mips_fpureg_emu
@@ -10416,7 +10418,7 @@ let
       ];
   };
 
-  linux_grsecurity_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
+  grsecurity_base_linux_4_4 = callPackage ../os-specific/linux/kernel/linux-grsecurity-4.4.nix {
     kernelPatches = [ kernelPatches.bridge_stp_helper ]
       ++ lib.optionals ((platform.kernelArch or null) == "mips")
       [ kernelPatches.mips_fpureg_emu
@@ -10427,28 +10429,37 @@ let
 
   grFlavors = import ../build-support/grsecurity/flavors.nix;
 
-  mkGrsecurity = opts:
+  mkGrsecurity = patch: opts:
     (callPackage ../build-support/grsecurity {
-      grsecOptions = opts;
+      grsecOptions = { kernelPatch = patch; } // opts;
     });
 
-  grKernel  = opts: (mkGrsecurity opts).grsecKernel;
+  grKernel  = patch: opts: (mkGrsecurity patch opts).grsecKernel;
-  grPackage = opts: recurseIntoAttrs (mkGrsecurity opts).grsecPackage;
+  grPackage = patch: opts: recurseIntoAttrs (mkGrsecurity patch opts).grsecPackage;
 
-  # Stable kernels
+  # grsecurity kernels (see also linuxPackages_grsec_*)
-  # This is no longer supported. Please see the official announcement on the
-  # grsecurity page. https://grsecurity.net/announce.php
-  linux_grsec_stable_desktop    = throw "No longer supported due to https://grsecurity.net/announce.php. "
-    + "Please use linux_grsec_testing_desktop.";
-  linux_grsec_stable_server     = throw "No longer supported due to https://grsecurity.net/announce.php. "
-    + "Please use linux_grsec_testing_server.";
-  linux_grsec_stable_server_xen = throw "No longer supporteddue to https://grsecurity.net/announce.php. "
-    + "Please use linux_grsec_testing_server_xen.";
 
-  # Testing kernels
+  linux_grsec_desktop_3_14    = grKernel kernelPatches.grsecurity_3_14 grFlavors.desktop;
-  linux_grsec_testing_desktop = grKernel grFlavors.linux_grsec_testing_desktop;
+  linux_grsec_server_3_14     = grKernel kernelPatches.grsecurity_3_14 grFlavors.server;
-  linux_grsec_testing_server  = grKernel grFlavors.linux_grsec_testing_server;
+  linux_grsec_server_xen_3_14 = grKernel kernelPatches.grsecurity_3_14 grFlavors.server_xen;
-  linux_grsec_testing_server_xen = grKernel grFlavors.linux_grsec_testing_server_xen;
+
+  linux_grsec_desktop_4_4    = grKernel kernelPatches.grsecurity_4_4 grFlavors.desktop;
+  linux_grsec_server_4_4     = grKernel kernelPatches.grsecurity_4_4 grFlavors.server;
+  linux_grsec_server_xen_4_4 = grKernel kernelPatches.grsecurity_4_4 grFlavors.server_xen;
+
+  linux_grsec_desktop_latest    = grKernel kernelPatches.grsecurity_latest grFlavors.desktop;
+  linux_grsec_server_latest     = grKernel kernelPatches.grsecurity_latest grFlavors.server;
+  linux_grsec_server_xen_latest = grKernel kernelPatches.grsecurity_latest grFlavors.server_xen;
+
+  # grsecurity: old names
+
+  linux_grsec_testing_desktop    = linux_grsec_desktop_latest;
+  linux_grsec_testing_server     = linux_grsec_server_latest;
+  linux_grsec_testing_server_xen = linux_grsec_server_xen_latest;
+
+  linux_grsec_stable_desktop    = linux_grsec_desktop_3_14;
+  linux_grsec_stable_server     = linux_grsec_server_3_14;
+  linux_grsec_stable_server_xen = linux_grsec_server_xen_3_14;
 
   /* Linux kernel modules are inherently tied to a specific kernel.  So
      rather than provide specific instances of those packages for a
@@ -10589,16 +10600,29 @@ let
   # Build a kernel for Xen dom0
   linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }) linuxPackages_latest);
 
-  # grsecurity flavors
+  # grsecurity packages
-  # Stable kernels
-  linuxPackages_grsec_stable_desktop    = grPackage grFlavors.linux_grsec_stable_desktop;
-  linuxPackages_grsec_stable_server     = grPackage grFlavors.linux_grsec_stable_server;
-  linuxPackages_grsec_stable_server_xen = grPackage grFlavors.linux_grsec_stable_server_xen;
 
-  # Testing kernels
+  linuxPackages_grsec_desktop_3_14    = grPackage kernelPatches.grsecurity_3_14 grFlavors.desktop;
-  linuxPackages_grsec_testing_desktop = grPackage grFlavors.linux_grsec_testing_desktop;
+  linuxPackages_grsec_server_3_14     = grPackage kernelPatches.grsecurity_3_14 grFlavors.server;
-  linuxPackages_grsec_testing_server  = grPackage grFlavors.linux_grsec_testing_server;
+  linuxPackages_grsec_server_xen_3_14 = grPackage kernelPatches.grsecurity_3_14 grFlavors.server_xen;
-  linuxPackages_grsec_testing_server_xen = grPackage grFlavors.linux_grsec_testing_server_xen;
+
+  linuxPackages_grsec_desktop_4_4    = grPackage kernelPatches.grsecurity_4_4 grFlavors.desktop;
+  linuxPackages_grsec_server_4_4     = grPackage kernelPatches.grsecurity_4_4 grFlavors.server;
+  linuxPackages_grsec_server_xen_4_4 = grPackage kernelPatches.grsecurity_4_4 grFlavors.server_xen;
+
+  linuxPackages_grsec_desktop_latest    = grPackage kernelPatches.grsecurity_latest grFlavors.desktop;
+  linuxPackages_grsec_server_latest     = grPackage kernelPatches.grsecurity_latest grFlavors.server;
+  linuxPackages_grsec_server_xen_latest = grPackage kernelPatches.grsecurity_latest grFlavors.server_xen;
+
+  # grsecurity: old names
+
+  linuxPackages_grsec_testing_desktop    = linuxPackages_grsec_desktop_latest;
+  linuxPackages_grsec_testing_server     = linuxPackages_grsec_server_latest;
+  linuxPackages_grsec_testing_server_xen = linuxPackages_grsec_server_xen_latest;
+
+  linuxPackages_grsec_stable_desktop    = linuxPackages_grsec_desktop_3_14;
+  linuxPackages_grsec_stable_server     = linuxPackages_grsec_server_3_14;
+  linuxPackages_grsec_stable_server_xen = linuxPackages_grsec_server_xen_3_14;
 
   # ChromiumOS kernels
   linuxPackages_chromiumos_3_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_chromiumos_3_14 linuxPackages_chromiumos_3_14);