forked from mirrors/nixpkgs
Commit graph

85139 commits

Author SHA1 Message Date
Joachim Fasting 09cf92ccee
nixos: flesh out the grsecurity test suite
I've failed to figure out why `paxtest blackhat` hangs the vm, and
have resigned to running individual `paxtest` programs.  This provides
limited coverage, but at least verifies that some important features are
in fact working.

Ideas for future work include a subtest for basic desktop
functionality.
2016-06-14 03:38:18 +02:00
Joachim Fasting a53452f3e1
nixos: remove the grsecurity GID
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose.  That leaves no use for the grsecurity GID.

More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/restriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
2016-06-14 03:38:17 +02:00
Joachim Fasting 0677cc61c8
nixos: rewrite the grsecurity module
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel.  The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.

The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.

The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).

Administration of Grsecurity's role based access control system is yet
to be implemented.
2016-06-14 03:38:12 +02:00
Joachim Fasting 75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Joachim Fasting 4ae5eb97f1
kernel: set virtualization options regardless of grsec
Per my own testing, the NixOS grsecurity kernel works both as a
KVM-based virtualisation host and guest; there appears to be no good
reason to making these conditional on `features.grsecurity`.

More generally, it's unclear what `features.grsecurity` *means*. If
someone configures a grsecurity kernel in such a fashion that it breaks
KVM support, they should know to disable KVM themselves.
2016-06-10 19:27:59 +02:00
Joachim Fasting d8e4432fe2
kernel: unconditionally disable /dev/kmem
This was presumably set for grsecurity compatibility, but now appears
redundant.  Grsecurity does not expect nor require /dev/kmem to be
present and so it makes little sense to continue making its inclusion in
the standard kernel dependent on grsecurity.

More generally, given the large number of possible grsecurity
configurations, it is unclear what `features.grsecurity` even
*means* and its use should be discouraged.
2016-06-10 19:27:41 +02:00
Joachim Fasting c1cb5ca57e
oauth2_proxy module: fix manual build 2016-06-10 01:02:40 +02:00
Joachim Fasting 589082646a Merge pull request #16097 from mimadrid/update/klavaro-3.02
klavaro: 3.01 -> 3.02
2016-06-10 00:18:39 +02:00
Rushmore Mushambi 902b6d5691 Merge pull request #16093 from rushmorem/update-go
go: v1.5.3 -> v1.5.4
2016-06-10 00:14:56 +02:00
mimadrid 830c748ea4 Add myself as maintainer 2016-06-09 23:41:17 +02:00
Joachim Fasting 7bd515979c
tinycc: fix paxmark call
I missed this due to testing on a checkout that didn't contain
the paxmark fix ...
2016-06-09 23:06:01 +02:00
Joachim Fasting e2e2840aa7 Merge pull request #15283 from jml/oauth2proxy-moduleu
oauth2_proxy: create new module for service
2016-06-09 22:52:17 +02:00
rushmorem 6e709b180e storebrowse: mark broken
`storebrowse` depends on https://code.google.com/archive/p/gosqlite/
which leads to gosqlite.googlecode.com/hg/sqlite which now 404s.
2016-06-09 22:09:07 +02:00
Peter Simons 3a4ff5fc7e haskell-darcs: switch to LTS package set to fix the build 2016-06-09 21:51:19 +02:00
Peter Simons bcd46a3d9b haskell-cryptol: switch to LTS package set to fix the build 2016-06-09 21:51:09 +02:00
Peter Simons 7914242b37 haskell-timezone-series: fix build with GHC 8.0.1
- Fix the incorrect sha256 hash of the patch.
- Apply the patch only when compiling with GHC 8.0.x.
2016-06-09 21:51:09 +02:00
Peter Simons cf042ae750 hackage-packages.nix: update Haskell package set
This update was generated by hackage2nix v20160406-38-g2269395 using the following inputs:

  - Hackage: 65d1dbe8dd
  - LTS Haskell: 1a80e0660e
  - Stackage Nightly: 5863aeaee3
2016-06-09 21:51:00 +02:00
Nikolay Amiantov 69e97f8a45 Merge pull request #15891 from abbradar/krita
krita: init at 3.0
2016-06-09 23:34:07 +04:00
Thomas Tuegel e6fdc9f7f0 Merge pull request #16092 from abbradar/qt561
Qt: 5.6.0 -> 5.6.1
2016-06-09 14:32:53 -05:00
rushmorem 2a258d13ad go: make 1.6 default 2016-06-09 21:32:37 +02:00
mimadrid f8a0f1ce68 klavaro: 3.01 -> 3.02 2016-06-09 20:49:26 +02:00
Nikolay Amiantov 7b84294bd9 tdesktop: fix with new Qt 2016-06-09 21:37:24 +03:00
Thomas Tuegel 04ad2ebfb2 Merge branch 'kde-propagate' 2016-06-09 12:40:04 -05:00
Thomas Tuegel c608230a61 nixos/kde5: include setup hook and icons with sddm theme
Fixes #16094.
2016-06-09 12:39:10 -05:00
Thomas Tuegel aea0ff96de sddm: run phase hooks 2016-06-09 12:39:02 -05:00
rushmorem 0e262f52f3 go: v1.5.3 -> v1.5.4 2016-06-09 19:18:07 +02:00
Nikolay Amiantov 97d791978c qt56: 5.6.0 -> 5.6.1 2016-06-09 18:44:56 +03:00
Thomas Tuegel 09d63127de Revert "qt56: 5.6.0 -> 5.6.1"
This reverts commit 4d2cf4baac.
2016-06-09 10:42:52 -05:00
Franz Pletz a0996c2c60 libressl: 2.3.4 -> 2.3.5 2016-06-09 17:37:29 +02:00
Franz Pletz 45d4d62122 luaPackages.luaexpat: fix case of LUA_LDIR make flag 2016-06-09 17:37:29 +02:00
Rushmore Mushambi 83c40ada7e Merge pull request #16017 from kamilchm/rework-go
Rework goPackages
2016-06-09 17:09:13 +02:00
Thomas Tuegel c9ffb7e5f9 Merge branch 'qt-5.6' 2016-06-09 09:40:18 -05:00
Thomas Tuegel 4d2cf4baac qt56: 5.6.0 -> 5.6.1 2016-06-09 09:39:55 -05:00
Thomas Tuegel 98bb89b9d0 kde5.extra-cmake-modules: propagate build inputs correctly 2016-06-09 09:14:20 -05:00
Thomas Tuegel de842765be qt56.qtbase: propagate build inputs correctly 2016-06-09 09:14:06 -05:00
zimbatm a5a1d45636 git-lfs: 1.2.0 -> 2016-06-07
Fixes import issues after go1.5+
2016-06-09 16:11:33 +02:00
zimbatm 943d59268a packer: fix compilation
* Remove duplicate "packer" source
* Use the same version of go everywhere
2016-06-09 16:11:25 +02:00
zimbatm f870d6aeb6 goBuildPackage: export go
This is useful to make sure to use the same version of go in further
derivations.
2016-06-09 16:11:17 +02:00
Kamil Chmielewski 3a41ffe8aa ipfs: build fails with Go 1.6, revert to 1.5 2016-06-09 16:10:50 +02:00
Jonathan Lange 58599744ee Add module for oauth2_proxy 2016-06-09 15:00:23 +01:00
Joachim Fasting edc36a0091
grsecurity: 4.5.6-201606051644 -> 4.5.7-201606080852 2016-06-09 15:40:06 +02:00
Nikolay Amiantov 2f1b355747 Merge pull request #15983 from ryantm/zsnes
zsnes: add desktop item
2016-06-09 17:34:09 +04:00
Ryan Mulligan b54fa1e351 zsnes: add desktop item
add desktop item so zsnes can be used without the terminal
add icons
2016-06-09 06:22:13 -07:00
Vladimír Čunát 20c2ce4954 Merge #16045: kernel: 4.6.0 -> 4.6.1 2016-06-09 14:37:32 +02:00
Vladimír Čunát c0895be3ee Merge #16044: kernel: 4.1.20 -> 4.1.25 2016-06-09 14:36:31 +02:00
Vladimír Čunát f9310c2eee Merge #16043: kernel: 4.4.11 -> 4.4.12 2016-06-09 14:34:50 +02:00
Joachim Fasting e52194f17d Merge pull request #16061 from vrthra/io
io: 2013.12.04 -> 2015.11.11
2016-06-09 14:15:55 +02:00
Vladimír Čunát cbca34b1a7 Merge #13977: ffmpeg: add 3.0 version
I made the default not change for now.
2016-06-09 14:11:30 +02:00
Joachim Fasting 35f177fcc9 Merge pull request #15951 from nfjinjing/shadowsocks-libev
shadowsocks-libev: 2.4.6 -> 2.4.7
2016-06-09 14:10:18 +02:00
Vladimír Čunát 9bf6114147 ffmpeg: use 2 as the default for now 2016-06-09 14:07:39 +02:00