authorVladimír Čunát <vcunat@gmail.com>2016-12-09 19:11:05 +0100
committerVladimír Čunát <vcunat@gmail.com>2016-12-09 19:11:05 +0100
commitb05b1207797d5ac432ed24dad7c4cb1e381a79fb (patch)
tree52747b5bb913051916038edef466142d1a351186 /pkgs/os-specific
parentff62e8a72e20b641bd7006c9cb1966d63b656735 (diff)
parentd14586c1c1819d1b2532fb7468081380359fae1f (diff)
Merge branch 'master' into staging
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r--pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix8
-rw-r--r--pkgs/os-specific/linux/broadcom-sta/default.nix2
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix14
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.4.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.8.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-grsecurity.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rpi.nix3
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix17
-rw-r--r--pkgs/os-specific/linux/lxcfs/default.nix36
-rw-r--r--pkgs/os-specific/linux/ndiswrapper/default.nix1
11 files changed, 77 insertions, 22 deletions
diff --git a/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix b/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix
index 60b461a80408..0d5e21485b9a 100644
--- a/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix
+++ b/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix
@@ -2,15 +2,21 @@
 
 stdenv.mkDerivation {
   name = "reattach-to-user-namespace-2.4";
+
   src = fetchgit {
     url = "https://github.com/ChrisJohnsen/tmux-MacOSX-pasteboard.git";
     sha256 = "0hrh95di5dvpynq2yfcrgn93l077h28i6msham00byw68cx0dd3z";
     rev = "2765aeab8f337c29e260a912bf4267a2732d8640";
   };
+
   buildFlags = "ARCHES=x86_64";
+
   installPhase = ''
     mkdir -p $out/bin
     cp reattach-to-user-namespace $out/bin/
   '';
-}
 
+  meta = {
+    platforms = stdenv.lib.platforms.darwin;
+  };
+}
diff --git a/pkgs/os-specific/linux/broadcom-sta/default.nix b/pkgs/os-specific/linux/broadcom-sta/default.nix
index 5814c184e660..c548b55105de 100644
--- a/pkgs/os-specific/linux/broadcom-sta/default.nix
+++ b/pkgs/os-specific/linux/broadcom-sta/default.nix
@@ -15,7 +15,7 @@ stdenv.mkDerivation {
   name = "broadcom-sta-${version}-${kernel.version}";
 
   src = fetchurl {
-    url = "http://www.broadcom.com/docs/linux_sta/${tarball}";
+    url = "https://docs.broadcom.com/docs-and-downloads/docs/linux_sta/${tarball}";
     sha256 = hashes."${stdenv.system}";
   };
 
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
index 2193dabd0bc4..895c0ec42ef8 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -22,6 +22,10 @@ PAX_PT_PAX_FLAGS y
 PAX_XATTR_PAX_FLAGS y
 PAX_EI_PAX n
 
+PAX_INITIFY y
+# initify is a fairly recent feature, enable verbose mode to aid in debugging
+PAX_INITIFY_VERBOSE y
+
 # The bts instrumentation method is compatible with binary only modules.
 #
 # Note: if platform supports SMEP, we could do without this
@@ -29,6 +33,10 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y
 
 # Additional grsec hardening not implied by auto constraints
 GRKERNSEC_IO y
+GRKERNSEC_SYSFS_RESTRICT y
+GRKERNSEC_ROFS y
+
+GRKERNSEC_MODHARDEN y
 
 # Disable protections rendered useless by redistribution
 GRKERNSEC_HIDESYM n
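Review bot: `GRKERNSEC_MODHARDEN y` is added without a comment, while the line this commit removes further down in the same file carried the caveat "breaks user initiated module loading". If that caveat still applies, the trade-off should stay documented next to the new setting, for example `# Restricts module auto-loading to root; unprivileged actions that depend on auto-loading a module will fail`. If the breakage was handled elsewhere, a comment saying where would save the next maintainer from rediscovering it. `GRKERNSEC_SYSFS_RESTRICT` and `GRKERNSEC_ROFS` in the same block would also benefit from a one-line comment each on what they restrict.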
@@ -50,10 +58,8 @@ GRKERNSEC_FORKFAIL y
 # Wishlist: support trusted path execution
 GRKERNSEC_TPE n
 
-# Wishlist: enable this, but breaks user initiated module loading
-GRKERNSEC_MODHARDEN n
-
 GRKERNSEC_SYSCTL y
 GRKERNSEC_SYSCTL_DISTRO y
-GRKERNSEC_SYSCTL_ON y
+# Assume that appropriate sysctls are toggled once the system is up
+GRKERNSEC_SYSCTL_ON n
 ''
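Review bot: Switching `GRKERNSEC_SYSCTL_ON` to `n` means every sysctl-controlled grsecurity feature starts disabled at boot and stays off until userspace enables it, and the new comment only says to "assume" that happens. The comment should name what sets the sysctls (presumably the NixOS grsecurity module; this is not visible in the diff) and state that `kernel.grsecurity.grsec_lock` has to be set afterwards, since until then the toggles remain changeable by root at runtime. Something like `# Features start disabled; the NixOS module must enable the required sysctls and then set grsec_lock` makes the dependency explicit. A system that boots this kernel without that configuration runs with those protections off.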
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 6d9fc79cd9f2..184e420373a9 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.4.36";
+  version = "4.4.37";
   extraMeta.branch = "4.4";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1gh3i7ss0wnh3irpff3j079jwyccslbzkw9zxjjp600lcc5hva9h";
+    sha256 = "1pyfva1ld4yfzc0gyz3q4m7j6k88l813akp5hhszfg8m69bzn27d";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/linux-4.8.nix b/pkgs/os-specific/linux/kernel/linux-4.8.nix
index 715af76267ca..786589ca534c 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.8.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.8.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.8.12";
+  version = "4.8.13";
   extraMeta.branch = "4.8";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "03i5q36aqlxir3dy213civkaz1lnwzzv6s3vaafgkdj7fzvqcx44";
+    sha256 = "06sp47ivgqfnbjk73hdk70jhjh7xv3xbj1xzarch9sbj9as6cp8d";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
index 4937c2271c7a..786589ca534c 100644
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.8.11";
+  version = "4.8.13";
   extraMeta.branch = "4.8";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "03w90vfjfcya38mcp1njasa5c67za203sgp9n3w52gms13s443yc";
+    sha256 = "06sp47ivgqfnbjk73hdk70jhjh7xv3xbj1xzarch9sbj9as6cp8d";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix
index 3d046ee8f59a..f41c53da5a68 100644
--- a/pkgs/os-specific/linux/kernel/linux-rpi.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -16,6 +16,9 @@ stdenv.lib.overrideDerivation (import ./generic.nix (args // rec {
   };
 
   features.iwlwifi = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
 
   extraMeta.hydraPlatforms = [];
 })) (oldAttrs: {
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index 95e89005b0fb..394469d06fab 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -1,13 +1,13 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.9-rc7";
-  modDirVersion = "4.9.0-rc7";
+  version = "4.9-rc8";
+  modDirVersion = "4.9.0-rc8";
   extraMeta.branch = "4.9";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/testing/linux-${version}.tar.xz";
-    sha256 = "0da5bf5cizvbn68d8pb5kyli3zkgsc8g61kn1b4d8gwvfxrb75hx";
+    sha256 = "1xyham8by966mavk5wxy6va5cq2lf2d1jiqps70kcc4064v365r7";
   };
 
   features.iwlwifi = true;
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index fa5984ebf8bc..3fab12b64a6e 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -25,10 +25,13 @@ let
     inherit grver kver grrev;
 
     patch = fetchurl {
-      # When updating versions/hashes, ALWAYS use the official version; we use
-      # this mirror only because upstream removes sources files immediately upon
-      # releasing a new version ...
-      url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch";
+      urls = [
+        "https://grsecurity.net/${grbranch}/${name}.patch"
+        # When updating versions/hashes, ALWAYS use the official
+        # version; we use this mirror only because upstream removes
+        # source files immediately upon releasing a new version ...
+        "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch"
+      ];
       inherit sha256;
     };
 
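Review bot: The "ALWAYS use the official version" comment now sits inside the `urls` list directly above the mirror entry, so it reads as a description of that one URL instead of a rule for whoever updates `sha256`. `fetchurl` falls back to the next URL when the first one fails, and the comment itself says upstream removes old files, so a hash computed during an update could come from the scrape mirror without anyone noticing; the pinned `sha256` is the only integrity check visible in this hunk. I would move the rule above `urls = [` and reword it, e.g. `# sha256 must be computed from the grsecurity.net download, never from the mirror below`, and keep a short `# fallback mirror; upstream deletes old patches` on the second entry. The enclosing `let` binding starts and ends outside the hunk.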
@@ -86,9 +89,9 @@ rec {
   };
 
   grsecurity_testing = grsecPatch
-    { kver   = "4.8.11";
-      grrev  = "201611271225";
-      sha256 = "12vcy030vxi7h2dxyikfj8cirrifk9j186dbc2vk45dv4flcxpac";
+    { kver   = "4.8.13";
+      grrev  = "201612082118";
+      sha256 = "0cvw6sbinzlcxap8mf934ksgksgdd8w8pf8jfp82fbyiz53klfn1";
     };
 
   # This patch relaxes grsec constraints on the location of usermode helpers,
diff --git a/pkgs/os-specific/linux/lxcfs/default.nix b/pkgs/os-specific/linux/lxcfs/default.nix
new file mode 100644
index 000000000000..ceaed205db96
--- /dev/null
+++ b/pkgs/os-specific/linux/lxcfs/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, fetchurl, pkgconfig, help2man, fuse, pam }:
+
+with stdenv.lib;
+stdenv.mkDerivation rec {
+  name = "lxcfs-${version}";
+  version = "2.0.4";
+
+  src = fetchurl {
+    url = "https://linuxcontainers.org/downloads/lxcfs/lxcfs-${version}.tar.gz";
+    sha256 = "0pfrsn7hqccpcnwg4xk8ds0avb2yc9gyvj7bk2bl90vpwsm35j7y";
+  };
+
+  nativeBuildInputs = [ pkgconfig help2man ];
+  buildInputs = [ fuse pam ];
+
+  configureFlags = [
+    "--with-init-script=systemd"
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+  ];
+
+  installFlags = [ "SYSTEMD_UNIT_DIR=\${out}/lib/systemd" ];
+
+  postFixup = ''
+    # liblxcfs.so is reloaded with dlopen()
+    patchelf --set-rpath "$(patchelf --print-rpath "$out/bin/lxcfs"):$out/lib" "$out/bin/lxcfs"
+  '';
+
+  meta = {
+    homepage = https://linuxcontainers.org/lxcfs;
+    description = "FUSE filesystem for LXC";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mic92 ];
+  };
+}
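Review bot: The `postFixup` comment says only that liblxcfs.so is "reloaded with dlopen()", which does not explain why the binary's RPATH is being rewritten. A fuller comment such as `# lxcfs loads liblxcfs.so via dlopen() at runtime, so $out/lib must be on the RPATH of $out/bin/lxcfs for the library to resolve` would make the intent clear (the lookup-by-name behaviour is my inference from the existing comment, not something the diff shows). It is also worth a comment on `configureFlags` noting that `--sysconfdir=/etc` and `--localstatedir=/var` are meant as runtime paths outside the store, since only `SYSTEMD_UNIT_DIR` is redirected to `$out` at install time.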
diff --git a/pkgs/os-specific/linux/ndiswrapper/default.nix b/pkgs/os-specific/linux/ndiswrapper/default.nix
index eabc2840881e..c22ffb60df85 100644
--- a/pkgs/os-specific/linux/ndiswrapper/default.nix
+++ b/pkgs/os-specific/linux/ndiswrapper/default.nix
@@ -38,5 +38,6 @@ stdenv.mkDerivation {
     description = "Ndis driver wrapper for the Linux kernel";
     homepage = http://sourceforge.net/projects/ndiswrapper;
     license = "GPL";
+    broken = true;
   };
 }
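Review bot: `broken = true;` is added with no reason given, so nobody can tell later when it is safe to remove or what failed. I would put a comment on the line above it, e.g. `# broken: <reason — failing kernel version or build-log reference>`, filled in with the actual cause. The `meta` block and the derivation start outside this hunk.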