authorJörg Thalheim <joerg@higgsboson.tk>2016-10-03 19:26:44 +0200
committerGitHub <noreply@github.com>2016-10-03 19:26:44 +0200
commit888f6a1280370de4f8268e0bae8d4b49d4db4cbc (patch)
tree80bd6b2ddfc435bf19ce2061867a2d8c5622f653 /pkgs/os-specific
parent54867a040055813462156809a33a260d8bf60642 (diff)
parent2ad13953a45a54816b73632277dcdbeda063827e (diff)
Merge pull request #19199 from wizeman/u/fix-help2man-hash
help2man: fix hash
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r--pkgs/os-specific/linux/jool/cli.nix4
-rw-r--r--pkgs/os-specific/linux/jool/default.nix2
-rw-r--r--pkgs/os-specific/linux/jool/source.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix46
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.8.nix20
-rw-r--r--pkgs/os-specific/linux/wireguard/default.nix6
6 files changed, 59 insertions, 23 deletions
diff --git a/pkgs/os-specific/linux/jool/cli.nix b/pkgs/os-specific/linux/jool/cli.nix
index 8fb37ed1c5b8..c8775eee48c6 100644
--- a/pkgs/os-specific/linux/jool/cli.nix
+++ b/pkgs/os-specific/linux/jool/cli.nix
@@ -13,6 +13,10 @@ stdenv.mkDerivation {
 
   buildInputs = [ autoreconfHook pkgconfig libnl ];
 
+  postPatch = ''
+    chmod u+w -R ../common
+  '';
+
   meta = with stdenv.lib; {
     homepage = https://www.jool.mx/;
     description = "Fairly compliant SIIT and Stateful NAT64 for Linux - CLI tools";
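Review bot: The new `postPatch` at the top of the hunk grants recursive write permission on `../common` with no comment saying why a directory outside the build's source root needs it, so a later maintainer cannot tell whether it is still required after the next bump. Presumably the unpacked source (fetchzip in source.nix, a read-only store path) is shared between the CLI and kernel-module derivations and the CLI build writes into the common tree, but that is not visible in this hunk. A one-line why-comment would make the intent checkable: `# the CLI build writes into ../common, which the shared source unpacks read-only` (confirm the exact cause before committing the wording). The enclosing mkDerivation starts and ends outside this hunk.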
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index 274d0cc41394..79094ebb3e38 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -28,7 +28,5 @@ stdenv.mkDerivation {
     description = "Fairly compliant SIIT and Stateful NAT64 for Linux - kernel modules";
     platforms = platforms.linux;
     maintainers = with maintainers; [ fpletz ];
-    # kernel version 4.3 is the most recent supported version
-    broken = builtins.compareVersions kernel.version "4.3" == 1;
   };
 }
diff --git a/pkgs/os-specific/linux/jool/source.nix b/pkgs/os-specific/linux/jool/source.nix
index 48ba70e620e8..0f2038fb2e39 100644
--- a/pkgs/os-specific/linux/jool/source.nix
+++ b/pkgs/os-specific/linux/jool/source.nix
@@ -1,9 +1,9 @@
 { fetchzip }:
 
 rec {
-  version = "3.4.5";
+  version = "3.5.0";
   src = fetchzip {
     url = "https://github.com/NICMx/releases/raw/master/Jool/Jool-${version}.zip";
-    sha256 = "045j3ax6c5jg8037hhrbgqgznr0a114xrmn03wkasnvsxpsx4hkb";
+    sha256 = "06jp6gpfryn66q0z4w3gwkvfr17bcrjvys597nj49pxfiz4vczb2";
   };
 }
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
index 4c81cd5b6ad0..2193dabd0bc4 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -3,42 +3,56 @@
 with stdenv.lib;
 
 ''
-GRKERNSEC y
-PAX y
-
+# Auto configuration with these constraints will enable most of the
+# important features (RAP, UDEREF, ASLR, memory sanitization).
 GRKERNSEC_CONFIG_AUTO y
 GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_VIRT_HOST y
+GRKERNSEC_CONFIG_PRIORITY_SECURITY y
+
+# We specify virt guest rather than host here, the latter deselects e.g.,
+# paravirtualization.
+GRKERNSEC_CONFIG_VIRT_GUEST y
+# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
 GRKERNSEC_CONFIG_VIRT_EPT y
 GRKERNSEC_CONFIG_VIRT_KVM y
-GRKERNSEC_CONFIG_PRIORITY_SECURITY y
 
+# PaX control
 PAX_SOFTMODE y
-
 PAX_PT_PAX_FLAGS y
 PAX_XATTR_PAX_FLAGS y
 PAX_EI_PAX n
 
-GRKERNSEC_PROC_GID 0
+# The bts instrumentation method is compatible with binary only modules.
+#
+# Note: if platform supports SMEP, we could do without this
+PAX_KERNEXEC_PLUGIN_METHOD_BTS y
 
-PAX_LATENT_ENTROPY n
+# Additional grsec hardening not implied by auto constraints
+GRKERNSEC_IO y
 
+# Disable protections rendered useless by redistribution
 GRKERNSEC_HIDESYM n
 GRKERNSEC_RANDSTRUCT n
-GRKERNSEC_PROC n
-GRKERNSEC_SYSFS_RESTRICT n
-GRKERNSEC_KMEM n
-GRKERNSEC_MODHARDEN n
-GRKERNSEC_NO_SIMULT_CONNECT n
 
-PAX_KERNEXEC_PLUGIN_METHOD_BTS y
+# Disable protections covered by vanilla mechanisms
+GRKERNSEC_DMESG n
+GRKERNSEC_KMEM n
+GRKERNSEC_PROC n
 
-GRKERNSEC_ACL_HIDEKERN y
-GRKERNSEC_IO y
+# Disable protections that are inappropriate for a general-purpose kernel
+GRKERNSEC_NO_SIMULT_CONNECT n
 
+# Enable additional audititing
+GRKERNSEC_AUDIT_MOUNT y
 GRKERNSEC_AUDIT_PTRACE y
 GRKERNSEC_FORKFAIL y
 
+# Wishlist: support trusted path execution
+GRKERNSEC_TPE n
+
+# Wishlist: enable this, but breaks user initiated module loading
+GRKERNSEC_MODHARDEN n
+
 GRKERNSEC_SYSCTL y
 GRKERNSEC_SYSCTL_DISTRO y
 GRKERNSEC_SYSCTL_ON y
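Review bot: The "Disable protections covered by vanilla mechanisms" block turns off `GRKERNSEC_DMESG`, `GRKERNSEC_KMEM` and `GRKERNSEC_PROC`, but the hunk does not name the vanilla options that are supposed to take over, and none of them is on by default in a vanilla kernel (dmesg needs `CONFIG_SECURITY_DMESG_RESTRICT` or the `kernel.dmesg_restrict` sysctl, /dev/mem and /dev/kmem need `CONFIG_STRICT_DEVMEM`/`CONFIG_IO_STRICT_DEVMEM`, /proc hiding needs a `hidepid` mount option). If the NixOS kernel config or module does not set those elsewhere, this change is a net loss of hardening rather than a deduplication; I cannot verify that from this hunk. I would make the comment explicit so the dependency is auditable, e.g. `# Disable protections covered by vanilla mechanisms (CONFIG_SECURITY_DMESG_RESTRICT, CONFIG_STRICT_DEVMEM/IO_STRICT_DEVMEM, proc hidepid); keep those enabled in the NixOS config`. The same applies to `GRKERNSEC_HIDESYM n`: the "useless under redistribution" reasoning is sound for the public store path, but a one-line note that kptr_restrict is expected to carry that job would help; also "audititing" in the auditing comment is a typo.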
diff --git a/pkgs/os-specific/linux/kernel/linux-4.8.nix b/pkgs/os-specific/linux/kernel/linux-4.8.nix
new file mode 100644
index 000000000000..5c2112686235
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-4.8.nix
@@ -0,0 +1,20 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+  version = "4.8";
+  modDirVersion = "4.8.0";
+  extraMeta.branch = "4.8";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a";
+  };
+
+  kernelPatches = args.kernelPatches;
+
+  features.iwlwifi = true;
+  features.efiBootStub = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix
index a885d40658b9..a8556fdbe07f 100644
--- a/pkgs/os-specific/linux/wireguard/default.nix
+++ b/pkgs/os-specific/linux/wireguard/default.nix
@@ -8,11 +8,11 @@ assert kernel != null -> !(kernel.features.grsecurity or false);
 let
   name = "wireguard-unstable-${version}";
 
-  version = "2016-08-08";
+  version = "2016-10-01";
 
   src = fetchurl {
-    url    = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-experimental-0.0.20160808.tar.xz";
-    sha256 = "0z9s9xi8dzkmjnki7ialf2haxb0mn2x5676sjwmjij1jfi9ypxhw";
+    url    = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-experimental-0.0.20161001.tar.xz";
+    sha256 = "1j1s276lgp17yrlc46bgsbpwp635cvvv6b3ap49aq5h7jixvnfmc";
   };
 
   meta = with stdenv.lib; {