From 13f89aee64e9a2ba69b32672253728f51b7c7f81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabi=C3=A1n=20Heredia=20Montiel?= Date: Sun, 23 Oct 2022 11:28:32 -0500 Subject: [PATCH] linux: further cleanup config after drop of 4.9 --- .../linux/kernel/common-config.nix | 5 ++--- .../linux/kernel/hardened/config.nix | 20 ++++++++----------- .../linux/kernel/manual-config.nix | 9 ++++----- 3 files changed, 14 insertions(+), 20 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 83c72f881a1f..1351008886a3 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -390,7 +390,7 @@ let TMPFS = yes; TMPFS_POSIX_ACL = yes; - FS_ENCRYPTION = if (versionAtLeast version "5.1") then yes else whenAtLeast "4.9" (option module); + FS_ENCRYPTION = if (versionAtLeast version "5.1") then yes else option module; EXT2_FS_XATTR = yes; EXT2_FS_POSIX_ACL = yes; @@ -628,7 +628,6 @@ let media = { MEDIA_DIGITAL_TV_SUPPORT = yes; MEDIA_CAMERA_SUPPORT = yes; - MEDIA_RC_SUPPORT = whenOlder "4.14" yes; MEDIA_CONTROLLER = yes; MEDIA_PCI_SUPPORT = yes; MEDIA_USB_SUPPORT = yes; @@ -708,7 +707,7 @@ let LOCK_TORTURE_TEST = option no; MTD_TESTS = option no; NOTIFIER_ERROR_INJECTION = option no; - RCU_PERF_TEST = whenBetween "4.13" "5.9" no; + RCU_PERF_TEST = whenOlder "5.9" no; RCU_SCALE_TEST = whenAtLeast "5.10" no; RCU_TORTURE_TEST = option no; TEST_ASYNC_DRIVER_PROBE = option no; diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix index c90027f3eb14..198cd8681646 100644 --- a/pkgs/os-specific/linux/kernel/hardened/config.nix +++ b/pkgs/os-specific/linux/kernel/hardened/config.nix @@ -21,10 +21,6 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4"); # Report BUG() conditions and kill the offending process. BUG = yes; - # Safer page access permissions (wrt. code injection). Default on >=4.11. - DEBUG_RODATA = whenOlder "4.11" yes; - DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes; - # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter # implicitly marks LSM hooks read-only after init. @@ -33,10 +29,10 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4"); # # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the # config builder fails to detect that it has indeed been unset. - SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no; - SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no); + SECURITY_SELINUX_DISABLE = no; + SECURITY_WRITABLE_HOOKS = option no; - STRICT_KERNEL_RWX = whenAtLeast "4.11" yes; + STRICT_KERNEL_RWX = yes; # Perform additional validation of commonly targeted structures. DEBUG_CREDENTIALS = yes; @@ -46,7 +42,7 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4"); DEBUG_SG = yes; SCHED_STACK_END_CHECK = yes; - REFCOUNT_FULL = whenBetween "4.13" "5.5" yes; + REFCOUNT_FULL = whenOlder "5.5" yes; # Randomize page allocator when page_alloc.shuffle=1 SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes; @@ -69,11 +65,11 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4"); # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. GCC_PLUGIN_LATENT_ENTROPY = yes; - GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin - GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address + GCC_PLUGIN_STRUCTLEAK = yes; # A port of the PaX structleak plugin + GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = yes; # Also cover structs passed by address GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin - GCC_PLUGIN_RANDSTRUCT = whenBetween "4.13" "5.19" yes; # A port of the PaX randstruct plugin - GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenBetween "4.13" "5.19" yes; + GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin + GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes; # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19. RANDSTRUCT = whenAtLeast "5.19" yes; diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index d046c8c7d192..edfd1f7dbc28 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -55,8 +55,7 @@ let hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms; # Dependencies that are required to build kernel modules - moduleBuildDependencies = [ perl ] - ++ optional (lib.versionAtLeast version "4.14") libelf + moduleBuildDependencies = [ perl libelf ] ++ optional (lib.versionAtLeast version "5.13") zstd; drvAttrs = config_: kernelConf: kernelPatches: configfile: @@ -100,7 +99,7 @@ let patches = map (p: p.patch) kernelPatches # Required for deterministic builds along with some postPatch magic. - ++ optional (lib.versionAtLeast version "4.13" && lib.versionOlder version "5.19") ./randstruct-provide-seed.patch + ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch # Fixes determinism by normalizing metadata for the archive of kheaders ++ optional (lib.versionAtLeast version "5.2" && lib.versionOlder version "5.4") ./gen-kheaders-metadata.patch; @@ -353,7 +352,7 @@ let }; in -assert (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") -> libelf != null; +assert lib.versionOlder version "5.8" -> libelf != null; assert lib.versionAtLeast version "5.8" -> elfutils != null; stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile) // { @@ -365,7 +364,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPat depsBuildBuild = [ buildPackages.stdenv.cc ]; nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr zstd python3Minimal ] ++ optional (stdenv.hostPlatform.linux-kernel.target == "uImage") buildPackages.ubootTools - ++ optional (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") libelf + ++ optional (lib.versionOlder version "5.8") libelf # Removed util-linuxMinimal since it should not be a dependency. ++ optionals (lib.versionAtLeast version "4.16") [ bison flex ] ++ optionals (lib.versionAtLeast version "5.2") [ cpio pahole zlib ]