author | Frederik Rietdijk <fridh@fridh.nl> | 2019-01-13 14:46:43 +0100 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2019-01-13 14:46:43 +0100 |
commit | bb9581cd881fa828c63c4ae9fad92b84adbe24dd (patch) | |
tree | 26a98c4cbd7c94ce6c79f277d26b31dcb6de652b /pkgs/os-specific | |
parent | a1a5ea59433257ab3a46bb67aaf05e9b7d8aa071 (diff) | |
parent | 3131a8ea84a35437b5617598dc3fd3d0bb135829 (diff) | |
Merge staging-next into staging
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 5 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/manual-config.nix | 18 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch | 12 | ||||
-rw-r--r-- | pkgs/os-specific/linux/nvidia-x11/generic.nix | 2 | ||||
-rw-r--r-- | pkgs/os-specific/linux/nvme-cli/default.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/powertop/default.nix | 8 | ||||
-rw-r--r-- | pkgs/os-specific/linux/sysdig/default.nix | 2 | ||||
-rw-r--r-- | pkgs/os-specific/linux/systemd/default.nix | 10 |
8 files changed, 47 insertions, 14 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 4fadd4476548..ed540a9e7518 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -125,6 +125,11 @@ ${optionalString (versionAtLeast version "4.20") '' GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin ''} +${optionalString (versionAtLeast version "4.13") '' + GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin + GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y +''} + # Disable various dangerous settings ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory PROC_KCORE n # Exposes kernel text image layout diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 6adc3a33bb06..4b570c1fe940 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -88,7 +88,10 @@ let inherit src; - patches = map (p: p.patch) kernelPatches; + patches = + map (p: p.patch) kernelPatches + # Required for deterministic builds along with some postPatch magic. + ++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch; prePatch = '' for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do 
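Review bot: `GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y` is added without a justification, yet in a hardened config it is the one option in this hunk that deliberately weakens the hardening: per the Kconfig help text it restricts shuffling to cacheline-sized groups and leaves bitfields alone to reduce the runtime cost. Every neighbouring option here carries a one-line reason, so this one should too, e.g. `GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y # Only shuffle within cache lines: weaker layout randomization, smaller perf hit`. Both options also only take effect when `GCC_PLUGINS` is enabled and the toolchain supports plugins, which this hunk does not show. Whether the performance trade-off is wanted for the hardened kernel is a policy call, but it should be a visible one.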
@@ -99,6 +102,19 @@ let sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|" ''; + postPatch = '' + # Set randstruct seed to a deterministic but diversified value. Note: + # we could have instead patched gen-random-seed.sh to take input from + # the buildFlags, but that would require also patching the kernel's + # toplevel Makefile to add a variable export. This would be likely to + # cause future patch conflicts. + if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then + substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \ + --replace NIXOS_RANDSTRUCT_SEED \ + $(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n') + fi + ''; + configurePhase = '' runHook preConfigure diff --git a/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch b/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch new file mode 100644 index 000000000000..1328b9cee3c9 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch @@ -0,0 +1,12 @@ +diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh +--- a/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 11:50:29.228258920 +0100 ++++ b/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 12:18:33.555902720 +0100 +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: GPL-2.0 + + if [ ! -f "$1" ]; then +- SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` ++ SEED="NIXOS_RANDSTRUCT_SEED" + echo "const char *randstruct_seed = \"$SEED\";" > "$1" + HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'` + echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2" diff --git a/pkgs/os-specific/linux/nvidia-x11/generic.nix b/pkgs/os-specific/linux/nvidia-x11/generic.nix index 906e59eb1c1f..1a08a89dc233 100644 --- a/pkgs/os-specific/linux/nvidia-x11/generic.nix +++ b/pkgs/os-specific/linux/nvidia-x11/generic.nix 
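Review bot: The new `postPatch` derives the randstruct seed from `${src}` and `${configfile}`, both store paths that anyone can recompute from the same nixpkgs revision, so every machine running this kernel shares one struct layout and an attacker who identifies the kernel build can reproduce it; the comment's "deterministic but diversified" undersells that. What the change buys is reproducible builds and a stable module ABI (the hashed seed is written into the header the patch generates, and I believe the kernel folds it into module vermagic), not secrecy of the layout. Suggest extending the comment with: `# The seed is derived from public store paths, so it is identical for every user of this nixpkgs revision: randstruct only diversifies layouts across kernel versions/configs here and does not hide the layout from an attacker who knows which kernel is running.` As far as I can tell `substituteInPlace` does not fail when the placeholder is absent, so a `grep -qF NIXOS_RANDSTRUCT_SEED scripts/gcc-plugins/gen-random-seed.sh` guard before it would turn a silently unpatched script into a build error instead of a seed equal to the literal placeholder.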
@@ -90,7 +90,7 @@ let description = "X.org driver and kernel module for NVIDIA graphics cards"; license = licenses.unfreeRedistributable; platforms = [ "i686-linux" "x86_64-linux" ]; - maintainers = [ ]; + maintainers = with maintainers; [ baracoder ]; priority = 4; # resolves collision with xorg-server's "lib/xorg/modules/extensions/libglx.so" inherit broken; }; diff --git a/pkgs/os-specific/linux/nvme-cli/default.nix b/pkgs/os-specific/linux/nvme-cli/default.nix index b40b6125bd91..49171697ffec 100644 --- a/pkgs/os-specific/linux/nvme-cli/default.nix +++ b/pkgs/os-specific/linux/nvme-cli/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { name = "nvme-cli-${version}"; - version = "1.6"; + version = "1.7"; src = fetchFromGitHub { owner = "linux-nvme"; repo = "nvme-cli"; rev = "v${version}"; - sha256 = "0pp00yzj9c398bzd7jrjhzr7q1pk7d069dnbzyq1qqssszgcj599"; + sha256 = "1wwr31s337km3v528hvsq72j2ph17fir0j3rr622z74k68pzdh1x"; }; makeFlags = [ "DESTDIR=$(out)" "PREFIX=" ]; diff --git a/pkgs/os-specific/linux/powertop/default.nix b/pkgs/os-specific/linux/powertop/default.nix index 5ec708dd69fd..f24f5a5d06fd 100644 --- a/pkgs/os-specific/linux/powertop/default.nix +++ b/pkgs/os-specific/linux/powertop/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, fetchpatch, gettext, libnl, ncurses, pciutils, pkgconfig, zlib }: stdenv.mkDerivation rec { - name = "powertop-${version}"; - version = "2.9"; + pname = "powertop"; + version = "2.10"; src = fetchurl { - url = "https://01.org/sites/default/files/downloads/powertop/powertop-v${version}.tar.gz"; - sha256 = "0l4jjlf05li2mc6g8nrss3h435wjhmnqd8m7v3kha3x0x7cbfzxa"; + url = "https://01.org/sites/default/files/downloads/${pname}-v${version}.tar.gz"; + sha256 = "0xaazqccyd42v2q532dxx40nqhb9sfsa6cyx8641rl57mfg4bdyk"; }; outputs = [ "out" "man" ]; diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix index 2a614e22c9a6..33f1bbdd893f 100644 --- a/pkgs/os-specific/linux/sysdig/default.nix 
+++ b/pkgs/os-specific/linux/sysdig/default.nix @@ -57,7 +57,7 @@ stdenv.mkDerivation rec { license = with licenses; [ asl20 gpl2 mit ]; maintainers = [maintainers.raskin]; platforms = ["x86_64-linux"] ++ platforms.darwin; - broken = kernel != null && (versionOlder kernel.version "4.14" || versionAtLeast kernel.version "4.20"); + broken = kernel != null && versionOlder kernel.version "4.14"; homepage = "https://sysdig.com/opensource/"; downloadPage = "https://github.com/draios/sysdig/releases"; }; diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 1d45109ac852..d4623ccd633d 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -18,7 +18,7 @@ let pythonLxmlEnv = buildPackages.python3Packages.python.withPackages ( ps: with ps; [ python3Packages.lxml ]); in stdenv.mkDerivation rec { - version = "239"; + version = "239.20190110"; name = "systemd-${version}"; # When updating, use https://github.com/systemd/systemd-stable tree, not the development one! @@ -26,8 +26,8 @@ in stdenv.mkDerivation rec { src = fetchFromGitHub { owner = "NixOS"; repo = "systemd"; - rev = "31859ddd35fc3fa82a583744caa836d356c31d7f"; - sha256 = "1xci0491j95vdjgs397n618zii3sgwnvanirkblqqw6bcvcjvir1"; + rev = "nixos-v${version}"; + sha256 = "1m9mhv7b4kfa43z79106gpgxx51zlhvvfjrlmimdsvsiw72nzldj"; }; prePatch = let 
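Review bot: The new `broken` predicate drops the `versionAtLeast kernel.version "4.20"` upper bound instead of moving it forward, so sysdig is declared buildable against every future kernel; the out-of-tree probe module has historically needed per-series fixes, so the next incompatible kernel would surface as a build failure rather than a clean `broken` marker. If an open-ended bound is intended, a short comment on that line would stop the next maintainer from re-adding one blindly, e.g. `broken = kernel != null && versionOlder kernel.version "4.14"; # no upper bound on purpose: re-add one if a new kernel series breaks the probe module`. Otherwise bound it to the next untested series.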
@@ -37,8 +37,8 @@ in stdenv.mkDerivation rec { # When the URL disappears, it typically means that Debian has new patches # (probably security) and updating to new tarball will apply them as well. name = "systemd-debian-patches.tar.xz"; - url = mirror://debian/pool/main/s/systemd/systemd_239-11~bpo9+1.debian.tar.xz; - sha256 = "136f6p4jbi4z94mf4g099dfcacwka8jwhza0wxxw2q5l5q3xiysh"; + url = mirror://debian/pool/main/s/systemd/systemd_239-12~bpo9+1.debian.tar.xz; + sha256 = "0v9f62gyfiw5icdrdlcvjcipsqrsm49w6n8bqp9nb8s2ih6rsfhg"; }; # Note that we skip debian-specific patches, i.e. ./debian/patches/debian/* in '' |