author | Vladimír Čunát <vcunat@gmail.com> | 2016-12-09 19:11:05 +0100 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2016-12-09 19:11:05 +0100 |
commit | b05b1207797d5ac432ed24dad7c4cb1e381a79fb (patch) | |
tree | 52747b5bb913051916038edef466142d1a351186 /pkgs/os-specific | |
parent | ff62e8a72e20b641bd7006c9cb1966d63b656735 (diff) | |
parent | d14586c1c1819d1b2532fb7468081380359fae1f (diff) | |
Merge branch 'master' into staging
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r-- | pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix | 8 | ||||
-rw-r--r-- | pkgs/os-specific/linux/broadcom-sta/default.nix | 2 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix | 14 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-4.4.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-4.8.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-grsecurity.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-rpi.nix | 3 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-testing.nix | 6 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 17 | ||||
-rw-r--r-- | pkgs/os-specific/linux/lxcfs/default.nix | 36 | ||||
-rw-r--r-- | pkgs/os-specific/linux/ndiswrapper/default.nix | 1 |
11 files changed, 77 insertions, 22 deletions
diff --git a/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix b/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix index 60b461a80408..0d5e21485b9a 100644 --- a/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix +++ b/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix @@ -2,15 +2,21 @@ stdenv.mkDerivation { name = "reattach-to-user-namespace-2.4"; + src = fetchgit { url = "https://github.com/ChrisJohnsen/tmux-MacOSX-pasteboard.git"; sha256 = "0hrh95di5dvpynq2yfcrgn93l077h28i6msham00byw68cx0dd3z"; rev = "2765aeab8f337c29e260a912bf4267a2732d8640"; }; + buildFlags = "ARCHES=x86_64"; + installPhase = '' mkdir -p $out/bin cp reattach-to-user-namespace $out/bin/ ''; -} + meta = { + platforms = stdenv.lib.platforms.darwin; + }; +} diff --git a/pkgs/os-specific/linux/broadcom-sta/default.nix b/pkgs/os-specific/linux/broadcom-sta/default.nix index 5814c184e660..c548b55105de 100644 --- a/pkgs/os-specific/linux/broadcom-sta/default.nix +++ b/pkgs/os-specific/linux/broadcom-sta/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { name = "broadcom-sta-${version}-${kernel.version}"; src = fetchurl { - url = "http://www.broadcom.com/docs/linux_sta/${tarball}"; + url = "https://docs.broadcom.com/docs-and-downloads/docs/linux_sta/${tarball}"; sha256 = hashes."${stdenv.system}"; }; diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix index 2193dabd0bc4..895c0ec42ef8 100644 --- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix +++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix @@ -22,6 +22,10 @@ PAX_PT_PAX_FLAGS y PAX_XATTR_PAX_FLAGS y PAX_EI_PAX n +PAX_INITIFY y +# initify is a fairly recent feature, enable verbose mode to aid in debugging +PAX_INITIFY_VERBOSE y + # The bts instrumentation method is compatible with binary only modules. # # Note: if platform supports SMEP, we could do without this 
@@ -29,6 +33,10 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y # Additional grsec hardening not implied by auto constraints GRKERNSEC_IO y +GRKERNSEC_SYSFS_RESTRICT y +GRKERNSEC_ROFS y + +GRKERNSEC_MODHARDEN y # Disable protections rendered useless by redistribution GRKERNSEC_HIDESYM n @@ -50,10 +58,8 @@ GRKERNSEC_FORKFAIL y # Wishlist: support trusted path execution GRKERNSEC_TPE n -# Wishlist: enable this, but breaks user initiated module loading -GRKERNSEC_MODHARDEN n - GRKERNSEC_SYSCTL y GRKERNSEC_SYSCTL_DISTRO y -GRKERNSEC_SYSCTL_ON y +# Assume that appropriate sysctls are toggled once the system is up +GRKERNSEC_SYSCTL_ON n '' diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix index 6d9fc79cd9f2..184e420373a9 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.4.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.4.36"; + version = "4.4.37"; extraMeta.branch = "4.4"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "1gh3i7ss0wnh3irpff3j079jwyccslbzkw9zxjjp600lcc5hva9h"; + sha256 = "1pyfva1ld4yfzc0gyz3q4m7j6k88l813akp5hhszfg8m69bzn27d"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-4.8.nix b/pkgs/os-specific/linux/kernel/linux-4.8.nix index 715af76267ca..786589ca534c 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.8.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.8.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.8.12"; + version = "4.8.13"; extraMeta.branch = "4.8"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "03i5q36aqlxir3dy213civkaz1lnwzzv6s3vaafgkdj7fzvqcx44"; + sha256 = "06sp47ivgqfnbjk73hdk70jhjh7xv3xbj1xzarch9sbj9as6cp8d"; }; kernelPatches = args.kernelPatches; 
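Review bot: Setting `GRKERNSEC_SYSCTL_ON n` in the last hunk of grsecurity-nixos-config.nix makes the sysctl-controlled grsecurity features start disabled, and the new comment only assumes that something enables them later. Nothing in this diff shows which component sets those sysctls or whether `kernel.grsecurity.grsec_lock` is written afterwards, so a system booting this kernel without that userspace step would run with the tunable protections off and still changeable by root. The comment should name the responsible component and the lock step, for example `# Sysctl-tunable features start disabled; <module> must enable them and then set kernel.grsecurity.grsec_lock`. The preceding hunk of the same file flips `GRKERNSEC_MODHARDEN` to `y` while the old remark that it breaks user-initiated module loading is dropped; a one-line comment on whether that limitation still holds would help.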
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix index 4937c2271c7a..786589ca534c 100644 --- a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix +++ b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.8.11"; + version = "4.8.13"; extraMeta.branch = "4.8"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "03w90vfjfcya38mcp1njasa5c67za203sgp9n3w52gms13s443yc"; + sha256 = "06sp47ivgqfnbjk73hdk70jhjh7xv3xbj1xzarch9sbj9as6cp8d"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix index 3d046ee8f59a..f41c53da5a68 100644 --- a/pkgs/os-specific/linux/kernel/linux-rpi.nix +++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix @@ -16,6 +16,9 @@ stdenv.lib.overrideDerivation (import ./generic.nix (args // rec { }; features.iwlwifi = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; extraMeta.hydraPlatforms = []; })) (oldAttrs: { diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix index 95e89005b0fb..394469d06fab 100644 --- a/pkgs/os-specific/linux/kernel/linux-testing.nix +++ b/pkgs/os-specific/linux/kernel/linux-testing.nix @@ -1,13 +1,13 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.9-rc7"; - modDirVersion = "4.9.0-rc7"; + version = "4.9-rc8"; + modDirVersion = "4.9.0-rc8"; extraMeta.branch = "4.9"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/testing/linux-${version}.tar.xz"; - sha256 = "0da5bf5cizvbn68d8pb5kyli3zkgsc8g61kn1b4d8gwvfxrb75hx"; + sha256 = "1xyham8by966mavk5wxy6va5cq2lf2d1jiqps70kcc4064v365r7"; }; features.iwlwifi = true; 
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index fa5984ebf8bc..3fab12b64a6e 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -25,10 +25,13 @@ let inherit grver kver grrev; patch = fetchurl { - # When updating versions/hashes, ALWAYS use the official version; we use - # this mirror only because upstream removes sources files immediately upon - # releasing a new version ... - url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch"; + urls = [ + "https://grsecurity.net/${grbranch}/${name}.patch" + # When updating versions/hashes, ALWAYS use the official + # version; we use this mirror only because upstream removes + # source files immediately upon releasing a new version ... + "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch" + ]; inherit sha256; }; @@ -86,9 +89,9 @@ rec { }; grsecurity_testing = grsecPatch - { kver = "4.8.11"; - grrev = "201611271225"; - sha256 = "12vcy030vxi7h2dxyikfj8cirrifk9j186dbc2vk45dv4flcxpac"; + { kver = "4.8.13"; + grrev = "201612082118"; + sha256 = "0cvw6sbinzlcxap8mf934ksgksgdd8w8pf8jfp82fbyiz53klfn1"; }; # This patch relaxes grsec constraints on the location of usermode helpers, diff --git a/pkgs/os-specific/linux/lxcfs/default.nix b/pkgs/os-specific/linux/lxcfs/default.nix new file mode 100644 index 000000000000..ceaed205db96 --- /dev/null +++ b/pkgs/os-specific/linux/lxcfs/default.nix 
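Review bot: With `urls` now listing grsecurity.net first and the slashbeast scrape second, the relocated comment sits between the two entries and no longer makes clear what "use the official version" applies to; the only thing binding both sources to the same content is `inherit sha256`. fetchurl tries the entries in order and accepts whichever one returns data matching the hash, so when `grrev` is bumped the hash has to be computed from the official download, never from the mirror. I would move the comment above the list and word it as `# sha256 must come from the grsecurity.net download (verify upstream's signature where one is published); the second URL is only a fallback because upstream deletes old patches`. The enclosing `let` binding starts outside this hunk.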
@@ -0,0 +1,36 @@ +{ stdenv, fetchurl, pkgconfig, help2man, fuse, pam }: + +with stdenv.lib; +stdenv.mkDerivation rec { + name = "lxcfs-${version}"; + version = "2.0.4"; + + src = fetchurl { + url = "https://linuxcontainers.org/downloads/lxcfs/lxcfs-${version}.tar.gz"; + sha256 = "0pfrsn7hqccpcnwg4xk8ds0avb2yc9gyvj7bk2bl90vpwsm35j7y"; + }; + + nativeBuildInputs = [ pkgconfig help2man ]; + buildInputs = [ fuse pam ]; + + configureFlags = [ + "--with-init-script=systemd" + "--sysconfdir=/etc" + "--localstatedir=/var" + ]; + + installFlags = [ "SYSTEMD_UNIT_DIR=\${out}/lib/systemd" ]; + + postFixup = '' + # liblxcfs.so is reloaded with dlopen() + patchelf --set-rpath "$(patchelf --print-rpath "$out/bin/lxcfs"):$out/lib" "$out/bin/lxcfs" + ''; + + meta = { + homepage = https://linuxcontainers.org/lxcfs; + description = "FUSE filesystem for LXC"; + license = licenses.asl20; + platforms = platforms.linux; + maintainers = with maintainers; [ mic92 ]; + }; +} diff --git a/pkgs/os-specific/linux/ndiswrapper/default.nix b/pkgs/os-specific/linux/ndiswrapper/default.nix index eabc2840881e..c22ffb60df85 100644 --- a/pkgs/os-specific/linux/ndiswrapper/default.nix +++ b/pkgs/os-specific/linux/ndiswrapper/default.nix @@ -38,5 +38,6 @@ stdenv.mkDerivation { description = "Ndis driver wrapper for the Linux kernel"; homepage = http://sourceforge.net/projects/ndiswrapper; license = "GPL"; + broken = true; }; } |
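Review bot: The `configureFlags` in the new lxcfs expression point `--sysconfdir` and `--localstatedir` at `/etc` and `/var`, while `installFlags` redirects only `SYSTEMD_UNIT_DIR` into `$out`, and no comment explains the split. If the upstream install target writes anything under sysconfdir or localstatedir it would aim outside the store path, so the intent should be stated, e.g. `# /etc and /var are runtime locations only; everything installed must land in $out`, with those directories overridden in `installFlags` if the build turns out to need it. The `postFixup` comment could also say which directory under `$out/lib` holds liblxcfs.so, since the added rpath entry is presumably what lets the dlopen() reload resolve it.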
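Review bot: `broken = true;` is added to ndiswrapper's `meta` with no comment giving the reason, so a later maintainer cannot tell when it is safe to lift. A line such as `# fails to build against <kernel version>` next to it would be enough. The rest of the derivation lies outside this hunk.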