author | Alyssa Ross <hi@alyssa.is> | 2023-06-16 06:56:35 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2023-06-16 06:56:35 +0000 |
commit | 99fcaeccb89621dd492203ce1f2d551c06f228ed (patch) | |
tree | 41cb730ae07383004789779b0f6e11cb3f4642a3 /nixpkgs/pkgs/os-specific/linux/kernel/hardened | |
parent | 59c5f5ac8682acc13bb22bc29c7cf02f7d75f01f (diff) | |
parent | 75a5ebf473cd60148ba9aec0d219f72e5cf52519 (diff) | |
Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs
Conflicts: nixpkgs/nixos/modules/config/console.nix nixpkgs/nixos/modules/services/mail/mailman.nix nixpkgs/nixos/modules/services/mail/public-inbox.nix nixpkgs/nixos/modules/services/mail/rss2email.nix nixpkgs/nixos/modules/services/networking/ssh/sshd.nix nixpkgs/pkgs/applications/networking/instant-messengers/dino/default.nix nixpkgs/pkgs/applications/networking/irc/weechat/default.nix nixpkgs/pkgs/applications/window-managers/sway/default.nix nixpkgs/pkgs/build-support/go/module.nix nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix nixpkgs/pkgs/development/interpreters/python/default.nix nixpkgs/pkgs/development/node-packages/overrides.nix nixpkgs/pkgs/development/tools/b4/default.nix nixpkgs/pkgs/servers/dict/dictd-db.nix nixpkgs/pkgs/servers/mail/public-inbox/default.nix nixpkgs/pkgs/tools/security/pinentry/default.nix nixpkgs/pkgs/tools/text/unoconv/default.nix nixpkgs/pkgs/top-level/all-packages.nix
Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/kernel/hardened')
3 files changed, 48 insertions, 48 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix
index 3e3cd149c4d9..5a1a710ba3b7 100644
--- a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -8,7 +8,7 @@
 #
 # See also <nixos/modules/profiles/hardened.nix>

-{ lib, version }:
+{ stdenv, lib, version }:

 with lib;
 with lib.kernel;
@@ -20,10 +20,6 @@ assert (versionAtLeast version "4.9");
   # Report BUG() conditions and kill the offending process.
   BUG = yes;

-  # Safer page access permissions (wrt. code injection). Default on >=4.11.
-  DEBUG_RODATA = whenOlder "4.11" yes;
-  DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
-
   # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
   # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
   # implicitly marks LSM hooks read-only after init.
@@ -32,10 +28,10 @@ assert (versionAtLeast version "4.9");
   #
   # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
   # config builder fails to detect that it has indeed been unset.
-  SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
-  SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no);
+  SECURITY_SELINUX_DISABLE = no;
+  SECURITY_WRITABLE_HOOKS = option no;

-  STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
+  STRICT_KERNEL_RWX = yes;

   # Perform additional validation of commonly targeted structures.
   DEBUG_CREDENTIALS = yes;
@@ -45,7 +41,7 @@ assert (versionAtLeast version "4.9");
   DEBUG_SG = yes;
   SCHED_STACK_END_CHECK = yes;

-  REFCOUNT_FULL = whenBetween "4.13" "5.5" yes;
+  REFCOUNT_FULL = whenOlder "5.5" yes;

   # Randomize page allocator when page_alloc.shuffle=1
   SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
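Review bot: Removing DEBUG_SET_MODULE_RONX leaves no module-text protection visible in this hunk; its 4.11 successor is STRICT_MODULE_RWX, the module counterpart of the STRICT_KERNEL_RWX that the following hunk turns on unconditionally. If STRICT_MODULE_RWX is not set elsewhere in this file, the removal quietly weakens the profile rather than just retiring a pre-4.11 alias, so I'd add `STRICT_MODULE_RWX = yes;` next to STRICT_KERNEL_RWX. Either way a one-line comment, `# DEBUG_RODATA / DEBUG_SET_MODULE_RONX were renamed STRICT_KERNEL_RWX / STRICT_MODULE_RWX in 4.11.`, would keep the reason for the deletion readable.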
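Review bot: The hunk headers still show `assert (versionAtLeast version "4.9");`, yet after this hunk STRICT_KERNEL_RWX (new in 4.11), SECURITY_SELINUX_DISABLE and SECURITY_WRITABLE_HOOKS (4.12) are requested unconditionally, and REFCOUNT_FULL in the next hunk loses its 4.13 lower bound, so a 4.9 or 4.10 kernel would now fail deep in the config builder instead of at the guard. The assert should state the real minimum, for example `assert (versionAtLeast version "4.14");`, which matches the oldest series listed in patches.json in this same commit. The assert line itself is outside the hunk.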
@@ -68,11 +64,15 @@ assert (versionAtLeast version "4.9");
   # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
   GCC_PLUGIN_LATENT_ENTROPY = yes;

-  GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
-  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
+  GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin
+  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address
   GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
-  GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
-  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
+  GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
+
+  # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
+  RANDSTRUCT = whenAtLeast "5.19" yes;
+  RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;

   # Disable various dangerous settings
   ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json
index 35ef199c9d6a..ceec23139f94 100644
--- a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json
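Review bot: `RANDSTRUCT = whenAtLeast "5.19" yes;` may not be a user-settable symbol: as far as I recall, in 5.19's security/Kconfig.hardening RANDSTRUCT is `def_bool !RANDSTRUCT_NONE`, derived from the RANDSTRUCT_NONE/FULL/PERFORMANCE choice, so only the RANDSTRUCT_PERFORMANCE line here actually selects anything. If the nixpkgs config builder checks that every requested value was honored, the derived symbol is safer as `RANDSTRUCT = whenAtLeast "5.19" (option yes);` or dropped — worth confirming against the 5.19 Kconfig. The new comment could also note that PERFORMANCE limits randomization to cache-line boundaries and needs the GCC plugin, the same trade-off as the pre-5.19 GCC_PLUGIN_RANDSTRUCT_PERFORMANCE it replaces, so a reader knows RANDSTRUCT_FULL is the stronger option.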
@@ -2,61 +2,61 @@
   "4.14": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-4.14.290-hardened1.patch",
-      "sha256": "14bnps4y5k2aa0fd2g4bdbiir1w7xfrvgsqd3cfzni8zhf4xrw0l",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.290-hardened1/linux-hardened-4.14.290-hardened1.patch"
+      "name": "linux-hardened-4.14.316-hardened1.patch",
+      "sha256": "1j0yx7i742mgbdn0lqq4mvcywk9jlm5k3zp40fdarsa0kscijxn0",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.316-hardened1/linux-hardened-4.14.316-hardened1.patch"
     },
-    "sha256": "0zyxb99a7fa2l85vnzmvg2nry99clj20d4j38piqm921iqxak2j4",
-    "version": "4.14.290"
+    "sha256": "0xlg93va7dbz2w428kiw7vr2sds3542fqq57rwyf51ykq7qii0xc",
+    "version": "4.14.316"
   },
   "4.19": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-4.19.255-hardened1.patch",
-      "sha256": "1pi0na6gr0l56479dzny8fvb3yzvxvjbvwn7c6kxf0gdhdqjzsc9",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.255-hardened1/linux-hardened-4.19.255-hardened1.patch"
+      "name": "linux-hardened-4.19.284-hardened1.patch",
+      "sha256": "0xqdhbsckkyg007x4247da0zza1sqq1y5a6li4z11y3xjf71dlxn",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.284-hardened1/linux-hardened-4.19.284-hardened1.patch"
     },
-    "sha256": "0hwa3g09cmllc2z01s2jqbczpznzdp3ldngx18k5c2ac7w394fbp",
-    "version": "4.19.255"
+    "sha256": "0gnhgxcpx9s96wa3dqgxmdjb7x12i94yh0gmv7k9nbz5qwhfxfbz",
+    "version": "4.19.284"
   },
   "5.10": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-5.10.136-hardened1.patch",
-      "sha256": "1mw30dy0xk2l12gds0kf7mjxbfamjxdwshkwc4kcics9rf57mgx6",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.136-hardened1/linux-hardened-5.10.136-hardened1.patch"
+      "name": "linux-hardened-5.10.182-hardened1.patch",
+      "sha256": "1230wh6wjvmv3mv2sylwcqvqbz83b4vwwpbn7zikd7mmz2619k5w",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.182-hardened1/linux-hardened-5.10.182-hardened1.patch"
     },
-    "sha256": "0naiwihlj6aswnqwdz3xzmga98xpj5lf2iy9vxqzdng7b46rs28w",
-    "version": "5.10.136"
+    "sha256": "1xp9bxk2vyw29bq3z854ly4cj94z8i52yl5hq4a3l3j6564wb3ny",
+    "version": "5.10.182"
   },
   "5.15": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-5.15.60-hardened1.patch",
-      "sha256": "1w93qgwycicwjp3aiklm6c6yvg0gq674pxcxvbsdd0c1p0b4y8dk",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.60-hardened1/linux-hardened-5.15.60-hardened1.patch"
+      "name": "linux-hardened-5.15.115-hardened1.patch",
+      "sha256": "1gkmhhfv86vnja37xfrnl65n6hzq429lc5zlxjvjmrpagl2x1pfc",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.115-hardened1/linux-hardened-5.15.115-hardened1.patch"
     },
-    "sha256": "0yi3bvqz4qn8nvgr910ic09zvpisafwi282j0y2gvbvgr7vlb59d",
-    "version": "5.15.60"
+    "sha256": "050j9z0wg5glgxwbmzfq4l8lv8y7g3nc2rz8342yjdcjfxh6h1qv",
+    "version": "5.15.115"
   },
-  "5.18": {
+  "5.4": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-5.18.17-hardened1.patch",
-      "sha256": "0vic9y72d3vfw66y32yrgh7q2wgjk902780ik2viylwr3f5xq1yq",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.18.17-hardened1/linux-hardened-5.18.17-hardened1.patch"
+      "name": "linux-hardened-5.4.245-hardened1.patch",
+      "sha256": "0n5ifykd1gq8yiw3snw6lhpz2hhydj3nk9k2f80b9svmza2h4vi6",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.245-hardened1/linux-hardened-5.4.245-hardened1.patch"
     },
-    "sha256": "0i7yms65b8kxjm92ahic0787vb9h7xblbwp1v6cq8zpns3ivv0ih",
-    "version": "5.18.17"
+    "sha256": "195ixy9l18mhwvzj7v63fkyifb9mysq950afxh6ixlpvg0c8h1wn",
+    "version": "5.4.245"
   },
-  "5.4": {
+  "6.1": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-5.4.210-hardened1.patch",
-      "sha256": "0qbz9h97m0lxa45j85sv2lhhmrlx9nv5z0bf5vdhyq6g0h7d2mm9",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.210-hardened1/linux-hardened-5.4.210-hardened1.patch"
+      "name": "linux-hardened-6.1.32-hardened1.patch",
+      "sha256": "00sg3zmvvnyvc4j82lcj4r7yw5hwvc253w0g2fr1hqqvh4fhinhw",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.32-hardened1/linux-hardened-6.1.32-hardened1.patch"
     },
-    "sha256": "13l8zh5balciqhi4k4328sznza30v8g871wxcqqka61cij3rc0wl",
-    "version": "5.4.210"
+    "sha256": "0v0saai735jzaj3dbpgp6sbdi95n3lmv78pbg1xy9fd2kfhbg23w",
+    "version": "6.1.32"
   }
 }
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py
index d0f8c77c783f..5d6a2eba966a 100755
--- a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -1,5 +1,5 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -i python -p "python38.withPackages (ps: [ps.PyGithub])" git gnupg
+#! nix-shell -i python -p "python3.withPackages (ps: [ps.pygithub])" git gnupg

 # This is automatically called by ../update.sh.

@@ -138,7 +138,7 @@ def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
     if not sig_ok:
         return None

-    kernel_ver = release_info.release.tag_name.replace("-hardened1", "")
+    kernel_ver = re.sub(r"(.*)(-hardened[\d]+)$", r'\1', release_info.release.tag_name)
     major = kernel_ver.split('.')[0]
     sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")

@@ -201,7 +201,7 @@ for filename in os.listdir(NIXPKGS_KERNEL_PATH):
         (callPackage {NIXPKGS_KERNEL_PATH / filename} {{}}).version
     """
     kernel_version_json = run(
-        "nix-instantiate", "--eval", "--json", "--expr", nix_version_expr,
+        "nix-instantiate", "--eval", "--system", "x86_64-linux", "--json", "--expr", nix_version_expr,
     ).stdout
     kernel_version = parse_version(json.loads(kernel_version_json))
     if kernel_version < MIN_KERNEL_VERSION:
|
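Review bot: `re.sub(r"(.*)(-hardened[\d]+)$", r'\1', ...)` returns the tag name unchanged when it carries no `-hardened<N>` suffix, so an unexpected tag would silently flow into the `mirror://kernel/...linux-{kernel_ver}.tar.xz` prefetch on the following line instead of being rejected, whereas the old `.replace` at least made the assumption visible. A match with an explicit failure path is safer and also drops the redundant character class: `m = re.fullmatch(r"(.*)-hardened\d+", release_info.release.tag_name)` / `if m is None: return None` (mirroring the sig_ok path just above) / `kernel_ver = m.group(1)`. fetch_patch starts and ends outside the hunk.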
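Review bot: The new `"--system", "x86_64-linux"` arguments are an unexplained magic value in the nix-instantiate call; presumably they pin evaluation so `.version` can be read on hosts where the kernel package would not evaluate natively, but a reader cannot tell that from the line. A short comment above `kernel_version_json = run(`, for example `# Pin --system: only .version is read, which is platform-independent, so evaluate for a Linux system regardless of the host.`, would record the intent. The enclosing `for filename in os.listdir(NIXPKGS_KERNEL_PATH):` loop starts before the hunk.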