commit 0eddc015ffad6148a01687abfc92e0b2b0a58445
Author: Ricardo M. Correia <rcorreia@wizy.org>
Date:   Mon Aug 5 18:09:12 2013 +0000

    linux: add 'hardened' kernel with grsec/PaX+apparmor enabled

diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 561cdc8..df3fb05 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -137,6 +137,8 @@ rec {
         url = http://grsecurity.net/stable/grsecurity-2.9.1-3.2.50-201308052151.patch;
         sha256 = "178y68bx4h4r9gq1p4izbjah8vhjmb3yvr3sfjglz8blxxahgd6n";
       };
+      # The grsec kernel patch seems to include the apparmor patches as of 2.9.1-3.2.50
+      features.apparmor = true;
     };
 
 }
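Review bot: `features.apparmor = true` is asserted on the strength of a comment that says the grsec patch only "seems" to include the apparmor patches, and a feature flag that other expressions may branch on should not rest on a guess. Either confirm it (for example by checking that the pinned patch actually touches the apparmor code before the flag is set) and reword the comment as a statement, or keep the hedge but record what was checked, e.g. `# grsecurity-2.9.1-3.2.50 carries the apparmor patches (checked against the patch content, <DATE-PLACEHOLDER>)`. The same hedged comment is repeated in the all-packages.nix hunk below, where a short reference to this definition would avoid two copies drifting apart. The enclosing attribute set starts outside the hunk.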
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 6701d2b..508dfa5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -6399,6 +6399,26 @@ let
     '';
   });
 
+  linux_3_2_hardened = lowPrio (lib.overrideDerivation (linux_3_2.override (args: {
+    # The grsec kernel patch seems to include the apparmor patches as of 2.9.1-3.2.50
+    kernelPatches = args.kernelPatches ++ [ kernelPatches.grsecurity_2_9_1_3_2_50 ];
+    extraConfig = ''
+      ${if args ? extraConfig then args.extraConfig else ""}
+      SECURITY_APPARMOR y
+      DEFAULT_SECURITY_APPARMOR y
+      XEN n
+      HIBERNATION n
+      DEVKMEM? n
+      GRKERNSEC y
+      GRKERNSEC_CONFIG_AUTO y
+      GRKERNSEC_CONFIG_SERVER y
+      GRKERNSEC_CONFIG_VIRT_GUEST y
+      GRKERNSEC_CONFIG_VIRT_EPT y
+      GRKERNSEC_CONFIG_VIRT_VIRTUALBOX y
+      GRKERNSEC_CONFIG_PRIORITY_SECURITY y
+    '';
+  })) (args: { makeFlags = "DISABLE_PAX_PLUGINS=y";}));
+
   linux_3_2_xen = lowPrio (linux_3_2.override {
     extraConfig = ''
       XEN_DOM0 y
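Review bot: `makeFlags = "DISABLE_PAX_PLUGINS=y"` on the last line of the new attribute switches off the gcc-plugin part of PaX for a package named "hardened", and nothing in the hunk says why or which protections that leaves out. If it is a toolchain workaround, say so next to the flag, e.g. `# PaX gcc plugins disabled: assumed not buildable with this toolchain — TODO confirm and re-enable`, so the reduced coverage is visible to anyone choosing this kernel for its hardening. The `GRKERNSEC_CONFIG_VIRT_GUEST`, `VIRT_EPT` and `VIRT_VIRTUALBOX` lines also pin grsecurity's automatic configuration to a VirtualBox guest, which is a surprising default for a generically named `linux_3_2_hardened`; a comment naming that target, or a more specific attribute name, would stop host installs from silently inheriting a guest profile. The `let` binding that encloses this attribute starts outside the hunk.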
@@ -6579,6 +6599,7 @@ let
   linuxPackages_3_0 = recurseIntoAttrs (linuxPackagesFor linux_3_0 linuxPackages_3_0);
   linuxPackages_3_2 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_3_2 linuxPackages_3_2);
   linuxPackages_3_2_apparmor = linuxPackagesFor pkgs.linux_3_2_apparmor linuxPackages_3_2_apparmor;
+  linuxPackages_3_2_hardened = linuxPackagesFor pkgs.linux_3_2_hardened linuxPackages_3_2_hardened;
   linuxPackages_3_2_xen = linuxPackagesFor pkgs.linux_3_2_xen linuxPackages_3_2_xen;
   linuxPackages_3_4 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_3_4 linuxPackages_3_4);
   linuxPackages_3_4_apparmor = linuxPackagesFor pkgs.linux_3_4_apparmor linuxPackages_3_4_apparmor;
