author | Jörg Thalheim <joerg@higgsboson.tk> | 2016-10-03 19:26:44 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-03 19:26:44 +0200 |
commit | 888f6a1280370de4f8268e0bae8d4b49d4db4cbc (patch) | |
tree | 80bd6b2ddfc435bf19ce2061867a2d8c5622f653 /pkgs/os-specific | |
parent | 54867a040055813462156809a33a260d8bf60642 (diff) | |
parent | 2ad13953a45a54816b73632277dcdbeda063827e (diff) | |
Merge pull request #19199 from wizeman/u/fix-help2man-hash
help2man: fix hash
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r-- | pkgs/os-specific/linux/jool/cli.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/jool/default.nix | 2 | ||||
-rw-r--r-- | pkgs/os-specific/linux/jool/source.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix | 46 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-4.8.nix | 20 | ||||
-rw-r--r-- | pkgs/os-specific/linux/wireguard/default.nix | 6 |
6 files changed, 59 insertions, 23 deletions
diff --git a/pkgs/os-specific/linux/jool/cli.nix b/pkgs/os-specific/linux/jool/cli.nix index 8fb37ed1c5b8..c8775eee48c6 100644 --- a/pkgs/os-specific/linux/jool/cli.nix +++ b/pkgs/os-specific/linux/jool/cli.nix @@ -13,6 +13,10 @@ stdenv.mkDerivation { buildInputs = [ autoreconfHook pkgconfig libnl ]; + postPatch = '' + chmod u+w -R ../common + ''; + meta = with stdenv.lib; { homepage = https://www.jool.mx/; description = "Fairly compliant SIIT and Stateful NAT64 for Linux - CLI tools"; diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index 274d0cc41394..79094ebb3e38 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix @@ -28,7 +28,5 @@ stdenv.mkDerivation { description = "Fairly compliant SIIT and Stateful NAT64 for Linux - kernel modules"; platforms = platforms.linux; maintainers = with maintainers; [ fpletz ]; - # kernel version 4.3 is the most recent supported version - broken = builtins.compareVersions kernel.version "4.3" == 1; }; } diff --git a/pkgs/os-specific/linux/jool/source.nix b/pkgs/os-specific/linux/jool/source.nix index 48ba70e620e8..0f2038fb2e39 100644 --- a/pkgs/os-specific/linux/jool/source.nix +++ b/pkgs/os-specific/linux/jool/source.nix @@ -1,9 +1,9 @@ { fetchzip }: rec { - version = "3.4.5"; + version = "3.5.0"; src = fetchzip { url = "https://github.com/NICMx/releases/raw/master/Jool/Jool-${version}.zip"; - sha256 = "045j3ax6c5jg8037hhrbgqgznr0a114xrmn03wkasnvsxpsx4hkb"; + sha256 = "06jp6gpfryn66q0z4w3gwkvfr17bcrjvys597nj49pxfiz4vczb2"; }; } diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix index 4c81cd5b6ad0..2193dabd0bc4 100644 --- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix +++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix 
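Review bot: The new `postPatch` in jool/cli.nix loosens permissions on `../common` without saying why, and the hunk does not show which later step writes there. A one-line comment above it would help, for example `# sources are unpacked read-only; the build needs to write into ../common` (the reason is inferred, so confirm it before adopting the wording). The path reaches outside the directory the build runs in, so it depends on the source layout set up in the part of the derivation outside this hunk.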
@@ -3,42 +3,56 @@ with stdenv.lib; '' -GRKERNSEC y -PAX y - +# Auto configuration with these constraints will enable most of the +# important features (RAP, UDEREF, ASLR, memory sanitization). GRKERNSEC_CONFIG_AUTO y GRKERNSEC_CONFIG_DESKTOP y -GRKERNSEC_CONFIG_VIRT_HOST y +GRKERNSEC_CONFIG_PRIORITY_SECURITY y + +# We specify virt guest rather than host here, the latter deselects e.g., +# paravirtualization. +GRKERNSEC_CONFIG_VIRT_GUEST y +# Note: assumes platform supports CPU-level virtualization (so no pentium 4) GRKERNSEC_CONFIG_VIRT_EPT y GRKERNSEC_CONFIG_VIRT_KVM y -GRKERNSEC_CONFIG_PRIORITY_SECURITY y +# PaX control PAX_SOFTMODE y - PAX_PT_PAX_FLAGS y PAX_XATTR_PAX_FLAGS y PAX_EI_PAX n -GRKERNSEC_PROC_GID 0 +# The bts instrumentation method is compatible with binary only modules. +# +# Note: if platform supports SMEP, we could do without this +PAX_KERNEXEC_PLUGIN_METHOD_BTS y -PAX_LATENT_ENTROPY n +# Additional grsec hardening not implied by auto constraints +GRKERNSEC_IO y +# Disable protections rendered useless by redistribution GRKERNSEC_HIDESYM n GRKERNSEC_RANDSTRUCT n -GRKERNSEC_PROC n -GRKERNSEC_SYSFS_RESTRICT n -GRKERNSEC_KMEM n -GRKERNSEC_MODHARDEN n -GRKERNSEC_NO_SIMULT_CONNECT n -PAX_KERNEXEC_PLUGIN_METHOD_BTS y +# Disable protections covered by vanilla mechanisms +GRKERNSEC_DMESG n +GRKERNSEC_KMEM n +GRKERNSEC_PROC n -GRKERNSEC_ACL_HIDEKERN y -GRKERNSEC_IO y +# Disable protections that are inappropriate for a general-purpose kernel +GRKERNSEC_NO_SIMULT_CONNECT n +# Enable additional audititing +GRKERNSEC_AUDIT_MOUNT y GRKERNSEC_AUDIT_PTRACE y GRKERNSEC_FORKFAIL y +# Wishlist: support trusted path execution +GRKERNSEC_TPE n + +# Wishlist: enable this, but breaks user initiated module loading +GRKERNSEC_MODHARDEN n + GRKERNSEC_SYSCTL y GRKERNSEC_SYSCTL_DISTRO y GRKERNSEC_SYSCTL_ON y diff --git a/pkgs/os-specific/linux/kernel/linux-4.8.nix b/pkgs/os-specific/linux/kernel/linux-4.8.nix new file mode 100644 index 000000000000..5c2112686235 --- /dev/null 
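Review bot: The block under `# Disable protections covered by vanilla mechanisms` in grsecurity-nixos-config.nix turns off `GRKERNSEC_DMESG`, `GRKERNSEC_KMEM` and `GRKERNSEC_PROC`, but nothing in this hunk shows that the vanilla equivalents are enabled, so a system could end up with neither protection. Name the replacement beside each option, e.g. `# GRKERNSEC_DMESG: replaced by kernel.dmesg_restrict, which the NixOS module must set`, and likewise for the /dev/mem restrictions and the procfs `hidepid` mount option; which mechanisms were meant is my inference. The hunk also drops `GRKERNSEC_ACL_HIDEKERN y`, `GRKERNSEC_SYSFS_RESTRICT n` and `PAX_LATENT_ENTROPY n` without a comment, so their values presumably now follow whatever the auto configuration selects. There is a typo in `# Enable additional audititing` (should read `auditing`). The configuration string continues past the end of the hunk.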
+++ b/pkgs/os-specific/linux/kernel/linux-4.8.nix @@ -0,0 +1,20 @@ +{ stdenv, fetchurl, perl, buildLinux, ... } @ args: + +import ./generic.nix (args // rec { + version = "4.8"; + modDirVersion = "4.8.0"; + extraMeta.branch = "4.8"; + + src = fetchurl { + url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; + sha256 = "3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a"; + }; + + kernelPatches = args.kernelPatches; + + features.iwlwifi = true; + features.efiBootStub = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; +} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix index a885d40658b9..a8556fdbe07f 100644 --- a/pkgs/os-specific/linux/wireguard/default.nix +++ b/pkgs/os-specific/linux/wireguard/default.nix @@ -8,11 +8,11 @@ assert kernel != null -> !(kernel.features.grsecurity or false); let name = "wireguard-unstable-${version}"; - version = "2016-08-08"; + version = "2016-10-01"; src = fetchurl { - url = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-experimental-0.0.20160808.tar.xz"; - sha256 = "0z9s9xi8dzkmjnki7ialf2haxb0mn2x5676sjwmjij1jfi9ypxhw"; + url = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-experimental-0.0.20161001.tar.xz"; + sha256 = "1j1s276lgp17yrlc46bgsbpwp635cvvv6b3ap49aq5h7jixvnfmc"; }; meta = with stdenv.lib; { |
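Review bot: In the new linux-4.8.nix, `modDirVersion = "4.8.0"` repeats by hand what `version = "4.8"` already states, and nothing in the file says the two must change together. A comment such as `# modDirVersion must be the full x.y.z form of version; update both on point releases` would keep the next bump from leaving a stale value. If `generic.nix` uses it to locate the module directory (not visible here), a mismatch would surface only at build or install time.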