Commit Graph

121 Commits

Author SHA1 Message Date
Ricardo M. Correia
5d5ca7b260 grsecurity: Update all patches
stable:  3.0-3.2.57-201404131252            -> 3.0-3.2.57-201404182109
test:    3.0-3.13.10-201404141717           -> 3.0-3.14.1-201404201132
vserver: 3.0-3.2.57-vs2.3.2.16-201404131253 -> 3.0-3.2.57-vs2.3.2.16-201404182110
2014-04-21 18:46:41 +02:00
Ricardo M. Correia
1b113178ee grsecurity: Update test patch from 3.0-3.13.9-201404131254 -> 3.0-3.13.10-201404141717 2014-04-15 00:16:29 +02:00
Austin Seipp
788d9a13fb grsecurity: stable/vserver/testing updates
- stable:  201404111812            -> 201404131252
- vserver: vs2.3.2.16-201404111814 -> vs2.3.2.16-201404131253
- testing: 201404111815            -> 201404131254

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-13 13:11:17 -05:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwritable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
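The two snippets in the commit message stop at choosing a kernel and a virtualisation mode. The configuration below is an added example, not code from the commit or from nixpkgs, showing how the other pieces the message describes fit together on one host: the verbose uname, grsecurity sysctls declared through NixOS so they are in place before the grsec-lock service runs, and a user added to the 'grsecurity' group for /proc visibility. Only `security.grsecurity.enable`, `stable`, `config.system`, `config.priority`, `config.virtualisationConfig`, `config.virtualisationSoftware`, `config.hardwareVirtualisation` and `config.verboseVersion` appear in the message; the option names `config.sysctl` and `config.kernelExtraConfig`, the `users.extraUsers` path, the `ops` user, and the specific `kernel.grsecurity.*` sysctl and `GRKERNSEC_*` kernel option names are assumptions and should be checked against the module before use.

```nix
{ config, pkgs, ... }:

{
  # Pick exactly one kernel: the stable 3.2 series (security.grsecurity.stable)
  # or the testing 3.13 series (security.grsecurity.testing).
  security.grsecurity.enable = true;
  security.grsecurity.stable = true;

  security.grsecurity.config = {
    system   = "server";
    priority = "security";

    # KVM host, matching the second example in the commit message.
    virtualisationConfig   = "host";
    virtualisationSoftware = "kvm";
    hardwareVirtualisation = true;

    # Put the exact grsecurity patch revision into `uname -r`, so a bug
    # report names the precise patch that was running. Off by default.
    verboseVersion = true;

    # ASSUMPTION: `sysctl` is taken to be the switch that turns on
    # grsecurity sysctl support and deploys the grsec-lock service;
    # the commit message names the feature but not the option.
    sysctl = true;

    # ASSUMPTION: `kernelExtraConfig` is named in the message as the hook
    # for extra kernel options; the option value here is illustrative.
    kernelExtraConfig = ''
      GRKERNSEC_DENYUSB y
    '';
  };

  # NixOS applies these before grsec-lock starts. Once the service sets
  # kernel.grsecurity.grsec_lock=1, every kernel.grsecurity.* knob is
  # read-only until the next boot, so tune them here, not at runtime.
  # ASSUMPTION: standard grsecurity sysctl names, not taken from the page.
  boot.kernel.sysctl = {
    "kernel.grsecurity.chroot_deny_mount" = 1;
    "kernel.grsecurity.chroot_deny_chmod" = 1;
    "kernel.grsecurity.exec_logging"      = 1;
    "kernel.grsecurity.audit_mount"       = 1;
    "kernel.grsecurity.tpe"               = 1;
  };

  # GRKERNSEC_PROC_GID is set to the 'grsecurity' group's GID, so members
  # (root by default) see the full /proc; everyone else gets a restricted
  # view. ASSUMPTION: `users.extraUsers` and the `ops` user are illustrative.
  users.extraUsers.ops = {
    extraGroups = [ "grsecurity" "wheel" ];
  };
}
```

After a rebuild and reboot, `sysctl kernel.grsecurity.grsec_lock` should report 1 and any attempt to write a `kernel.grsecurity.*` value should fail; if the lock reads 0, the grsec-lock service did not run and the sysctls are still mutable at runtime. Because the lock is applied once per boot, every change to `boot.kernel.sysctl` above takes effect only after a reboot, exactly as the commit message warns.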
Ricardo M. Correia
5dfc6584a5 grsecurity: Update stable patch from 3.0-3.2.56-201404062126 -> 3.0-3.2.57-201404091758 2014-04-10 00:37:33 +02:00
Ricardo M. Correia
807fad571a grsecurity: Update stable and test patches
stable: 3.0-3.2.56-201404012135 -> 3.0-3.2.56-201404062126
test:   3.0-3.13.8-201404011912 -> 3.0-3.13.9-201404062127
2014-04-07 15:31:12 +02:00
Ricardo M. Correia
52d233af22 grsecurity: Update stable patch from 3.0-3.2.55-201403300851 -> 3.0-3.2.56-201404012135 2014-04-02 15:11:33 +02:00
Ricardo M. Correia
407a6857c6 grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403252026 -> 3.0-3.2.55-201403300851
test:   3.0-3.13.7-201403252047 -> 3.0-3.13.8-201404011912
2014-04-02 02:16:59 +02:00
Ricardo M. Correia
911f332279 grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403202347 -> 3.0-3.2.55-201403252026
test:   3.0-3.13.6-201403202349 -> 3.0-3.13.7-201403252047
2014-03-26 23:07:57 +00:00
Ricardo M. Correia
9db587bf7d grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403172027 -> 3.0-3.2.55-201403202347
test:   3.0-3.13.6-201403172032 -> 3.0-3.13.6-201403202349
2014-03-21 15:41:32 +01:00
Shea Levy
e4961c63f7 Remove sec_perm patch that was needed by AUFS
Now the kernel is unpatched by default on non-MIPS!
2014-03-21 04:37:23 -04:00
Ricardo M. Correia
cc69228119 grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403142107 -> 3.0-3.2.55-201403172027
test:   3.0-3.13.6-201403142112 -> 3.0-3.13.6-201403172032
2014-03-18 16:51:25 +01:00
Ricardo M. Correia
ceec014020 grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403122114 -> 3.0-3.2.55-201403142107
test:   3.0-3.13.6-201403122116 -> 3.0-3.13.6-201403142112
2014-03-15 04:15:28 +01:00
Ricardo M. Correia
86b8cf954a grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403072107 -> 3.0-3.2.55-201403122114
test:   3.0-3.13.6-201403072241 -> 3.0-3.13.6-201403122116
2014-03-13 02:28:58 +01:00
Ricardo M. Correia
d999872b8d grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201403022154 -> 3.0-3.2.55-201403072107
test:   3.0-3.13.5-201403031445 -> 3.0-3.13.6-201403072241
2014-03-10 17:23:17 +01:00
Austin Seipp
c4d5757e29 grsecurity updates
- stable:  3.0-3.2.55-201402241936 -> 3.0-3.2.55-201403022154
- testing: 3.0-3.13.5-201402241943 -> 3.0-3.13.5-201403031445

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-04 01:13:22 +01:00
Ricardo M. Correia
69a83ba99f grsecurity: Update stable and test patches
stable: 3.0-3.2.55-201402221305 -> 3.0-3.2.55-201402241936
test:   3.0-3.13.4-201402221308 -> 3.0-3.13.5-201402241943
2014-03-03 02:16:58 +01:00
Austin Seipp
7f4b97d495 grsecurity: stable/testing updates
- stable:  3.0-3.2.55-201402201903 -> 3.0-3.2.55-201402221305
- testing: 3.0-3.13.4-201402201908 -> 3.0-3.13.4-201402221308

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-22 20:29:25 +01:00
Austin Seipp
18f65f3640 grsecurity: stable/testing updates
- stable:  3.0-3.2.55-201402192249 -> 3.0-3.2.55-201402201903
- testing: 3.0-3.13.3-201402192252 -> 3.0-3.13.4-201402201908

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-20 20:21:16 -06:00
Austin Seipp
58e08a1a4f grsecurity: stable/testing updates
- stable:  3.0-3.2.55-201402152203 -> 3.0-3.2.55-201402192249
- testing: 3.0-3.13.3-201402152204 -> 3.0-3.13.3-201402192252

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-20 04:53:19 -06:00
Austin Seipp
c137015328 grsecurity updates.
- stable:  3.0-3.2.54-201402062221 -> 3.0-3.2.55-201402152203
- testing: 3.0-3.13.3-201402132113 -> 3.0-3.13.3-201402152204

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-17 07:27:51 -06:00
Evgeny Egorochkin
daa2827b99 grsecurity: update patch 2014-02-14 18:13:05 +02:00
Ricardo M. Correia
b31547654d grsecurity: Update stable and test patches
stable: 3.0-3.2.54-201401191012 -> 3.0-3.2.54-201402062221
test:   3.0-3.12.8-201401191015 -> 3.0-3.13.2-201402062224
2014-02-08 16:16:58 +01:00
Ricardo M. Correia
aeda8d63b9 grsecurity: Update stable and test patches
stable: 3.0-3.2.53-201312021727 -> 3.0-3.2.54-201401191012
test:   3.0-3.12.2-201312021733 -> 3.0-3.12.8-201401191015
2014-01-22 02:14:35 +01:00
Shea Levy
a589bfae17 Update and fix kernel packages to new kernel build
In most cases, this just meant changing kernelDev (now removed from
linuxPackagesFor) to kernel.dev. Some packages needed more work (though
whether that was because of my changes or because they were already
broken, I'm not sure). Specifics:

* psmouse-alps builds on 3.4 but not 3.10, as noted in the comments that
  were already there
* blcr builds on 3.4 but not 3.10, as noted in comments that were
  already there
* open-iscsi, ati-drivers, wis-go7007, and openafsClient don't build on
  3.4 or 3.10 on this branch or on master, so they're marked broken
* A version-specific kernelHeaders package was added

The following packages were removed:

* atheros/madwifi is superseded by official ath*k modules
* aufs is no longer used by any of our kernels
* broadcom-sta v6 (which was already packaged) replaces broadcom-sta
* exmap has not been updated since 2011 and doesn't build
* iscis-target has not been updated since 2010 and doesn't build
* iwlwifi is part of mainline now and doesn't build
* nvidia-x11-legacy-96 hasn't been updated since 2008 and doesn't build

Everything not specifically mentioned above builds successfully on 3.10.
I haven't yet tested on 3.4, but will before opening a pull request.

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-04 21:17:04 -05:00
Ricardo M. Correia
61adb5962c grsecurity: Update to 3.0-3.2.53-201312021727 and 3.0-3.12.2-201312021733 2013-12-04 15:28:21 +01:00
Ricardo M. Correia
2106191003 grsecurity: Fix module loading during boot due to path restrictions 2013-11-27 01:32:50 +01:00
Ricardo M. Correia
36955aa721 grsecurity: Update to 3.0-3.2.52-201311261307 and add patch for 3.12 2013-11-27 01:32:14 +01:00
Cillian de Róiste
a34354ef81 TuxOnIce: Add a 3.10 linux kernel with the TuxOnIce hibernation patch 2013-11-23 17:21:19 +01:00
Shea Levy
504ea7662c Remove EOL'd kernels
Signed-off-by: Shea Levy <shea@shealevy.com>
2013-11-01 11:10:05 -04:00
Ricardo M. Correia
57e9fd8bcf grsecurity: Update to 2.9.1-3.2.52-201310271550 2013-10-29 13:32:53 +01:00
Ricardo M. Correia
d32636dac4 grsecurity: Update to 2.9.1-3.2.51-201309281102 2013-10-20 08:14:28 +03:00
Ricardo M. Correia
90a2341300 grsecurity: generate linuxPackages and declare that apparmor is included 2013-10-20 08:14:28 +03:00
Ricardo M. Correia
342fcfc82f grsecurity: Update to 2.9.1-3.2.51-201309101928 2013-09-13 05:13:25 +02:00
Mathijs Kwik
273689bcbd linux-3.10: remove the btrfs send patch
it helps, but is incomplete.
more fixes are coming, but including these would change too much
generic btrfs code, which might cause trouble for others.

so the best advice is not to use btrfs send yet and wait for 3.11 or 3.12
2013-08-19 07:04:18 +02:00
Evgeny Egorochkin
27dcd771c3 Merge pull request #802 from wizeman/kernel_update
Kernel update
2013-08-11 15:08:45 -07:00
Mathijs Kwik
59025453e7 linux-3.10: backport a fix for "btrfs send"
It has been submitted for inclusion in mainline, so it will probably
make it into 3.11 (or 3.12 as 3.11 is fairly close to release).

It is very local, only affecting people who use the "send" feature.
Without it, send is unstable/unsafe to use incrementally.

It can probably be applied to 3.9 and 3.8 as well, but as I only
tested it against 3.10, I didn't bother.
2013-08-10 13:53:17 +02:00
Ricardo M. Correia
36c2711f8b linux: update grsecurity patch 2013-08-06 02:21:00 +00:00
Eelco Dolstra
c564d012f8 Style fix 2013-08-01 01:40:41 +02:00
Eelco Dolstra
b976e00ff2 linux: Remove obsolete AUFS 3.7 patch 2013-08-01 01:40:40 +02:00
Eelco Dolstra
ff99631753 linux: Remove CIFS timeout patch
We no longer use CIFS in the VM tests so we don't need this anymore.
2013-08-01 01:40:40 +02:00
Eelco Dolstra
956d71f843 linux: Remove some unused patches 2013-08-01 01:40:40 +02:00
Rob Vermaas
af2a127551 Add linux 3.2.48 with grsecurity patches 2013-07-22 21:44:31 +02:00
Ricardo M. Correia
22689567ed apparmor: Update to kernel 3.4 series (the current default) 2013-07-22 18:03:26 +02:00
Mathijs Kwik
e18f4eb50f apparmor patch: should have a name, broke nixpkgs tarball 2013-05-12 13:11:49 +02:00
Evgeny Egorochkin
8d7e1a79cc AppArmor: add a sample patched kernel. 2013-05-11 08:50:34 +03:00
Eelco Dolstra
916c1adb84 Delete all kernels older than 2.6.39
Systemd doesn't support those kernels, so there is no point in keeping
them around.
2013-03-27 23:00:02 +01:00
Shea Levy
af26af6fc7 Remove EOL'd Linux 3.6 2013-02-14 14:33:42 -05:00
Shea Levy
0ad870eb5e Remove EOL'd Linux 3.5 2013-02-14 14:32:44 -05:00
Shea Levy
c23084906b Remove EOL'd Linux 3.3 2013-02-14 14:30:31 -05:00