
Nota bene: this probably does not work! Caveat emptor, etc.

This inverts the grsecurity builder, making it much simpler. Instead, users just give a full description of the type of kernel they want to build, and the result is an attribute set containing kernel and kernelPackages results.

Now, in order to build a custom grsecurity kernel, you do something more like:

    let
      kver  = "4.0.4";
      grver = "3.1-${kver}-201505222222";

      kernel = rec {
        version  = kver;
        localver = "-grsec";
        src = fetchurl rec {
          name   = "linux-${kver}.tar.xz";
          # name already carries the .tar.xz suffix, so the URL ends in ${name}
          url    = "mirror://kernel/linux/kernel/v4.x/${name}";
          sha256 = "1j5l87z6gd05cqzg680id0x1nk38kd6sjffd2lifl0fz5k6iqr9h";
        };
      };

      # parenthesised: a bare application inside a list literal would be
      # parsed as two separate list elements
      patches = [
        (fetchurl rec {
          name   = "grsecurity-${grver}.patch";
          url    = "https://grsecurity.net/test/grsecurity-${grver}.patch";
          sha256 = "0ampby10y3kr36f7rvzm5fdk9f2gcfmcdgkzf67b5kj78y52ypfz";
        })
      ];

      customGrsecKern = customGrsecKernelPackages { inherit kernel patches; };
    in {
      ...
      boot.kernelPackages = customGrsecKern.kernelPackages;
    }

This is far more flexible and easier to think about; plus, it gives full control over the kernel localver and modDirVer, as well as support for other patches (because you may have other patches to apply on top of grsec, or you may bundle grsec with some other distribution and still need the builder support). It also gives you full control of the kernel tarball, in case you want to use e.g. linux-libre.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
19 lines
1007 B
Diff
diff --git a/kernel/kmod.c b/kernel/kmod.c
index a26e825..29baec1 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -294,10 +294,9 @@ static int ____call_usermodehelper(void *data)
out the path to be used prior to this point and are now operating
on that copy
*/
- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
- strncmp(sub_info->path, "/usr/libexec/", 13) &&
- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) ||
+ strstr(sub_info->path, "..")) {
printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of /sbin and system library paths\n", sub_info->path);
retval = -EPERM;
goto out;
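Review bot: the printk on the denial path is now stale; it still reports "located outside of /sbin and system library paths" although the rewritten condition admits /sbin/, /nix/store/ and /run/current-system/systemd/lib/ and no longer knows about /lib, /lib64, /usr/lib or /usr/libexec, so the log line should name the NixOS whitelist it actually enforces. Worth a sentence in the commit message as well: the "/nix/store/" prefix matches every path beneath the store, which is a much wider set than the root-owned library directories the original list named, since any user who can realise a store path can place an executable under it; the retained strstr(sub_info->path, "..") check blocks traversal but does nothing to narrow that. If the intent is to restrict helpers to the running system closure, a prefix rooted under /run/current-system/ (as already done for the systemd library path) would be the tighter choice, with a comment explaining why /nix/store/ is accepted if it has to stay.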