author | obadz <obadz-git@obadz.com> | 2016-08-22 01:19:35 +0100 |
---|---|---|
committer | obadz <obadz-git@obadz.com> | 2016-08-22 01:19:35 +0100 |
commit | 24a9183f907cec515724484d84b0cf236de2e8d0 (patch) | |
tree | 67ab37c4de5d8e8f17b78cc8c6680f25edf7d930 /pkgs/tools/networking | |
parent | ba50fd71700bf796ea2339115733ca5a850015ea (diff) | |
parent | b092538811a2bd4454ed9b056952c0a10f091076 (diff) | |
Merge branch 'hardened-stdenv' into staging
Closes #12895. Amazing work by @globin & @fpletz getting hardened compiler flags enabled by default on the whole package set.
Diffstat (limited to 'pkgs/tools/networking')
22 files changed, 48 insertions, 104 deletions
diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix
index 9d2afe752571..f5b5893d5437 100644
--- a/pkgs/tools/networking/chrony/default.nix
+++ b/pkgs/tools/networking/chrony/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap;
   nativeBuildInputs = [ pkgconfig ];
 
+  hardeningEnable = [ "pie" ];
+
   configureFlags = [
     "--chronyvardir=$(out)/var/lib/chrony"
   ];
diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix
index 778cfc3b5ed6..91232b4ffa74 100644
--- a/pkgs/tools/networking/dhcpdump/default.nix
+++ b/pkgs/tools/networking/dhcpdump/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [libpcap perl];
 
+  hardeningDisable = [ "fortify" ];
+
   installPhase = ''
     mkdir -pv $out/bin
     cp dhcpdump $out/bin
diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix
index 6b47e0cae840..14bde9a5fa5b 100644
--- a/pkgs/tools/networking/dnsmasq/default.nix
+++ b/pkgs/tools/networking/dnsmasq/default.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
     "LOCALEDIR=$(out)/share/locale"
   ];
 
+  hardeningEnable = [ "pie" ];
+
   postBuild = optionalString stdenv.isLinux ''
     make -C contrib/lease-tools
   '';
diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix
index 623b42d6fc1b..a9f2419b1368 100644
--- a/pkgs/tools/networking/eggdrop/default.nix
+++ b/pkgs/tools/networking/eggdrop/default.nix
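Review bot: `hardeningDisable = [ "fortify" ]` in the dhcpdump hunk turns off `_FORTIFY_SOURCE` for a tool whose whole job is parsing DHCP packets captured through libpcap, and the line carries no explanation of why. Of the default mitigations this is the one that turns an over-long `memcpy`/`strcpy` on attacker-controlled packet bytes into an abort instead of silent memory corruption, so it should be the last one given up; presumably the build fails with it on, but that is not visible here. A one-line comment above it, `# fortify: <build error or upstream issue>; re-check on update`, would let the disable be revisited, and if the failure is a warning promoted to an error, patching the offending call is cheaper than losing the check. The chrony and dnsmasq hunks on this line only opt into pie and need nothing.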
@@ -1,20 +1,19 @@
-{ stdenv, fetchurl, tcl }:
+{ stdenv, fetchFromGitHub, tcl }:
 
 stdenv.mkDerivation rec {
   name = "eggdrop-${version}";
-  version = "1.6.21";
+  version = "1.6.21-nix1";
 
-  src = fetchurl {
-    url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz";
-    sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs";
+  src = fetchFromGitHub {
+    owner = "eggheads";
+    repo = "eggdrop";
+    rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331";
+    sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5";
   };
 
   buildInputs = [ tcl ];
 
-  patches = [
-    # https://github.com/eggheads/eggdrop/issues/123
-    ./b34a33255f56bbd2317c26da12d702796d67ed50.patch
-  ];
+  hardeningDisable = [ "format" ];
 
   preConfigure = ''
     prefix=$out/eggdrop
diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix
index 33d8ee2fd636..13f8cedc673d 100644
--- a/pkgs/tools/networking/iperf/2.nix
+++ b/pkgs/tools/networking/iperf/2.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = "http://sourceforge.net/projects/iperf/";
     description = "Tool to measure IP bandwidth using UDP or TCP";
diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix
deleted file mode 100644
index 5d788af1682e..000000000000
--- a/pkgs/tools/networking/lsh/default.nix
+++ /dev/null
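Review bot: The eggdrop hunk drops the local patch referenced to eggheads/eggdrop#123 at the same time as `src` moves to pinned revision `9ec109a1…`, and nothing in the hunk or the commit message says that revision already carries the fix, so whether the issue is still addressed cannot be checked without digging; a comment on `rev`, e.g. `# post-1.6.21 snapshot that includes the fix for eggheads/eggdrop#123 (replaces the local patch)`, would make that explicit if it is the case. `hardeningDisable = [ "format" ]` is also added without a reason; as far as I know that flag is only the `-Wformat-security`/`-Werror=format-security` compile-time check, so the binary itself is not weakened, but for an IRC bot that formats network-supplied text the non-literal format call sites it would have flagged are precisely the ones worth knowing about, so the line should cite the failing call site or build error. `version = "1.6.21-nix1"` is a local version string that tooling matching on upstream versions will not recognise; if it must stay, a comment saying it denotes a git snapshot after 1.6.21 would help.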
@@ -1,51 +0,0 @@
-{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam
-, nettools, lsof, procps }:
-
-stdenv.mkDerivation rec {
-  name = "lsh-2.0.4";
-  src = fetchurl {
-    url = "mirror://gnu/lsh/${name}.tar.gz";
-    sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091";
-  };
-
-  patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ];
-
-  preConfigure = ''
-    # Patch `lsh-make-seed' so that it can gather enough entropy.
-    sed -i "src/lsh-make-seed.c" \
-        -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ;
-            s|/usr/bin/netstat|${nettools}/bin/netstat|g ;
-            s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ;
-            s|/bin/vmstat|${procps}/bin/vmstat|g ;
-            s|/bin/ps|${procps}/bin/sp|g ;
-            s|/usr/bin/w|${procps}/bin/w|g ;
-            s|/usr/bin/df|$(type -P df)|g ;
-            s|/usr/bin/ipcs|$(type -P ipcs)|g ;
-            s|/usr/bin/uptime|$(type -P uptime)|g"
-
-    # Skip the `configure' script that checks whether /dev/ptmx & co. work as
-    # expected, because it relies on impurities (for instance, /dev/pts may
-    # be unavailable in chroots.)
-    export lsh_cv_sys_unix98_ptys=yes
-  '';
-
-  NIX_CFLAGS_COMPILE = "-std=gnu90";
-
-  buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ];
-
-  meta = {
-    description = "GPL'd implementation of the SSH protocol";
-
-    longDescription = ''
-      lsh is a free implementation (in the GNU sense) of the ssh
-      version 2 protocol, currently being standardised by the IETF
-      SECSH working group.
-    '';
-
-    homepage = http://www.lysator.liu.se/~nisse/lsh/;
-    license = stdenv.lib.licenses.gpl2Plus;
-
-    maintainers = [ ];
-    platforms = [ "x86_64-linux" ];
-  };
-}
diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch
deleted file mode 100644
index 9dd81de3fbc1..000000000000
--- a/pkgs/tools/networking/lsh/lshd-no-root-login.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Correctly handle the `--no-root-login' option.
-
---- lsh-2.0.4/src/lshd.c 2006-05-01 13:47:44.000000000 +0200
-+++ lsh-2.0.4/src/lshd.c 2009-09-08 12:20:36.000000000 +0200
-@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str
-       self->allow_root = 1;
-       break;
- 
-+    case OPT_NO_ROOT_LOGIN:
-+      self->allow_root = 0;
-+      break;
-+
-     case OPT_KERBEROS_PASSWD:
-       self->pw_helper = PATH_KERBEROS_HELPER;
-       break;
- 
diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch
deleted file mode 100644
index 6a6156855c51..000000000000
--- a/pkgs/tools/networking/lsh/pam-service-name.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Tell `lsh-pam-checkpw', the PAM password helper program, to use a more
-descriptive service name.
-
---- lsh-2.0.4/src/lsh-pam-checkpw.c 2003-02-16 22:30:10.000000000 +0100
-+++ lsh-2.0.4/src/lsh-pam-checkpw.c 2008-11-28 16:16:58.000000000 +0100
-@@ -38,7 +38,7 @@
- #include <security/pam_appl.h>
- 
- #define PWD_MAXLEN 1024
--#define SERVICE_NAME "other"
-+#define SERVICE_NAME "lshd"
- #define TIMEOUT 600
- 
- static int
diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix
index 4b1633947b09..0ae993db332e 100644
--- a/pkgs/tools/networking/mailutils/default.nix
+++ b/pkgs/tools/networking/mailutils/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./path-to-cat.patch ./no-gets.patch ./scm_c_string.patch ];
 
   configureFlags = [
diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix
index 0f75bd44d69b..7a1eac59eeae 100644
--- a/pkgs/tools/networking/netboot/default.nix
+++ b/pkgs/tools/networking/netboot/default.nix
@@ -9,10 +9,12 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ yacc lzo db4 ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Mini PXE server";
     maintainers = [ maintainers.raskin ];
     platforms = ["x86_64-linux"];
     license = stdenv.lib.licenses.free;
   };
-}
\ No newline at end of file
+}
diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix
index 433a3349702d..4c42771be170 100644
--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ autoreconfHook ];
   buildInputs = [ libcap openssl ];
 
+  hardeningEnable = [ "pie" ];
+
   postInstall = ''
     rm -rf $out/share/doc
   '';
diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix
index d0e8ea4b1d9b..e3e2053e2ce6 100644
--- a/pkgs/tools/networking/openfortivpn/default.nix
+++ b/pkgs/tools/networking/openfortivpn/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }:
+{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }:
 
 with stdenv.lib;
 
@@ -15,13 +15,11 @@ in stdenv.mkDerivation {
     sha256 = "08ycz053wa29ckgr93132hr3vrd84r3bks9q807qanri0n35y256";
   };
 
-  buildInputs = [ openssl automake autoconf ppp ];
+  buildInputs = [ openssl ppp autoreconfHook ];
 
-  preConfigure = ''
-    aclocal
-    autoconf
-    automake --add-missing
+  hardeningDisable = [ "format" ];
 
+  preConfigure = ''
     substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd"
   '';
 
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index dab638301820..8f4c0aa54dfa 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -71,6 +71,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningEnable = [ "pie" ];
+
   postInstall = ''
     # Install ssh-copy-id, it's very useful.
     cp contrib/ssh-copy-id $out/bin/
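Review bot: In the second openfortivpn hunk `autoreconfHook` is placed in `buildInputs`, but it is a build-time hook, and the ntp hunk on this same line keeps it under `nativeBuildInputs = [ autoreconfHook ];`; matching that (`nativeBuildInputs = [ autoreconfHook ];` with `buildInputs = [ openssl ppp ];`) keeps the two derivations consistent, keeps the hook out of the runtime closure, and puts it on the right side of a cross-compilation. `hardeningDisable = [ "format" ]` is added to a VPN client that formats data received from the remote gateway without saying which call site or build error forced it; a short comment there would let the disable be removed once upstream fixes it. The netboot, ntp and openssh hunks on this line look fine; the `in stdenv.mkDerivation {` block of openfortivpn continues outside the hunk.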
diff --git a/pkgs/tools/networking/quicktun/default.nix b/pkgs/tools/networking/quicktun/default.nix
index f07cfe4d0724..ed559f5d5c9f 100644
--- a/pkgs/tools/networking/quicktun/default.nix
+++ b/pkgs/tools/networking/quicktun/default.nix
@@ -11,8 +11,6 @@ stdenv.mkDerivation rec {
     sha256 = "0m7gvlgs1mhyw3c8s2dg05j7r7hz8kjpb0sk245m61ir9dmwlf8i";
   };
 
-  CFLAGS = "-fPIE -fPIC -pie -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now";
-
   buildInputs = [ libsodium ];
 
   phases = [ "unpackPhase" "buildPhase" "installPhase" ];
diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix
index 42d4a8177563..1c8ef67a7830 100644
--- a/pkgs/tools/networking/radvd/default.nix
+++ b/pkgs/tools/networking/radvd/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libdaemon bison flex check ];
 
+  hardeningEnable = [ "pie" ];
+
   meta = with stdenv.lib; {
     homepage = http://www.litech.org/radvd/;
     description = "IPv6 Router Advertisement Daemon";
diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix
index f9eff5b12d55..19cdb884bd1a 100644
--- a/pkgs/tools/networking/socat/default.nix
+++ b/pkgs/tools/networking/socat/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ];
 
+  hardeningEnable = [ "pie" ];
+
   meta = {
     description = "A utility for bidirectional data transfer between two independent data channels";
     homepage = http://www.dest-unreach.org/socat/;
diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix
index 2f12aaa7ee23..114247682c7a 100644
--- a/pkgs/tools/networking/stunnel/default.nix
+++ b/pkgs/tools/networking/stunnel/default.nix
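Review bot: Deleting quicktun's hand-written `CFLAGS` drops `-fPIE -pie` for a network-facing VPN daemon without putting anything in its place, and the other hunks in this commit (chrony, dnsmasq, ntp, openssh, radvd, socat) have to opt in with `hardeningEnable = [ "pie" ];`, which suggests PIE is not part of the default set the new stdenv applies. quicktun should get the same `hardeningEnable = [ "pie" ];` where the CFLAGS line was, so the executable's ASLR is not silently downgraded by what reads as a cleanup. `-fstack-protector-all` likewise becomes whatever the default stack-protector variant is, which is probably acceptable but worth a comment, while `-D_FORTIFY_SOURCE=2`, `-fPIC`, `relro` and `now` are presumably covered by the defaults the commit message describes. The radvd and socat hunks on this line need nothing.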
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "stunnel-${version}";
-  version = "5.29";
+  version = "5.31";
 
   src = fetchurl {
     url = "http://www.stunnel.org/downloads/${name}.tar.gz";
-    sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423";
+    sha256 = "1dz0p85ha78vxc2hjhrkr4xf8w3q8r177bqdrgm26v6wncdbfim7";
   };
 
   buildInputs = [ openssl ];
diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix
index 9827b62c6c4a..3a5117653c83 100644
--- a/pkgs/tools/networking/telnet/default.nix
+++ b/pkgs/tools/networking/telnet/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
     sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ncurses];
 
   meta = {
diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix
index d10e645dc874..1c8829a07b27 100644
--- a/pkgs/tools/networking/trickle/default.nix
+++ b/pkgs/tools/networking/trickle/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx";
   };
 
-  buildInputs = [libevent];
+  buildInputs = [ libevent ];
 
   preConfigure = ''
     sed -i 's|libevent.a|libevent.so|' configure
@@ -22,6 +22,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--with-libevent";
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Lightweight userspace bandwidth shaper";
     license = stdenv.lib.licenses.bsd3;
diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix
index 9d4ae5d671ac..c2c707fbc77a 100644
--- a/pkgs/tools/networking/uwimap/default.nix
+++ b/pkgs/tools/networking/uwimap/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation {
     # -fPIC is required to compile php with imap on x86_64 systems
     + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC";
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ openssl ]
     ++ stdenv.lib.optional (!stdenv.isDarwin) pam;
 
diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix
index 88ee459f8168..3a3709a9df00 100644
--- a/pkgs/tools/networking/vde2/default.nix
+++ b/pkgs/tools/networking/vde2/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ openssl libpcap python ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://vde.sourceforge.net/;
     description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network";
diff --git a/pkgs/tools/networking/vlan/default.nix b/pkgs/tools/networking/vlan/default.nix
index 9c9376550dfb..41ece0537ab4 100644
--- a/pkgs/tools/networking/vlan/default.nix
+++ b/pkgs/tools/networking/vlan/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1jjc5f26hj7bk8nkjxsa8znfxcf8pgry2ipnwmj2fr6ky0dhm3rv";
   };
 
+  hardeningDisable = [ "format" ];
+
   preBuild = ''
     # Ouch, the tarball contains pre-compiled binaries.
 
@@ -18,12 +20,12 @@
     ''
       mkdir -p $out/sbin
       cp vconfig $out/sbin/
-      
+
       mkdir -p $out/share/man/man8
       cp vconfig.8 $out/share/man/man8/
     '';
 
-  meta = { 
+  meta = {
     description = "User mode programs to enable VLANs on Ethernet devices";
     platforms = stdenv.lib.platforms.linux;
   };