grsecurity: make GRKERNSEC y and PAX y implicit

These options should always be specified. Note, an implication of this change is that not specifying any grsec/PaX options results in a build failure.
NixOS · Oct 2, 2016 · 1bb7b44 · 1bb7b44
1 parent a58f5ff
commit 1bb7b44
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 8 deletions.
diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
@@ -208,8 +208,6 @@
         let
           kernel = pkgs.linux_grsec_nixos.override {
             extraConfig = ''
-              GRKERNSEC y
-              PAX y
               GRKERNSEC_CONFIG_AUTO y
               GRKERNSEC_CONFIG_SERVER y
               GRKERNSEC_CONFIG_SECURITY y

diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
@@ -22,7 +22,11 @@ assert (kernel.version == grsecPatch.kver);
 overrideDerivation (kernel.override {
   inherit modDirVersion;
   kernelPatches = [ grsecPatch ] ++ kernelPatches ++ (kernel.kernelPatches or []);
-  inherit extraConfig;
+  extraConfig = ''
+    GRKERNSEC y
+    PAX y
+    ${extraConfig}
+  '';
   ignoreConfigErrors = true;
 }) (attrs: {
   nativeBuildInputs = (lib.chooseDevOutputs [ gmp libmpc mpfr ]) ++ (attrs.nativeBuildInputs or []);

diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -3,9 +3,6 @@
 with stdenv.lib;
 
 ''
-GRKERNSEC y
-PAX y
-
 GRKERNSEC_CONFIG_AUTO y
 GRKERNSEC_CONFIG_DESKTOP y
 GRKERNSEC_CONFIG_VIRT_HOST y

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -10955,8 +10955,6 @@ in
   # An unsupported grsec xen guest kernel
   linux_grsec_server_xen = linux_grsec_nixos.override {
     extraConfig = ''
-      GRKERNSEC y
-      PAX y
       GRKERNSEC_CONFIG_AUTO y
       GRKERNSEC_CONFIG_PRIORITY_SECURITY y
       GRKERNSEC_CONFIG_SERVER y