3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

337 commits

Author SHA1 Message Date
Graham Christensen ff5cf3abff linux-3.10: fix build by upstream patch 2016-09-28 19:18:34 +02:00
Joachim Fasting 98a9d815e0
grsecurity: 4.7.4-201609211951 -> 4.7.5-201609261522 2016-09-27 01:43:50 +02:00
Franz Pletz 31ff655e46
kernelPatches: remove unneeded patches 2016-09-25 14:20:45 +02:00
Joachim Fasting 64816cd972
grsecurity: 4.7.4-201609152234 -> 201609211951 2016-09-22 23:40:50 +02:00
Joachim Fasting e2659de1b2
kernelPatches: remove legacy grsecurity attrs 2016-09-18 15:26:57 +02:00
Joachim Fasting d082a7c0fd
grsecurity: 4.7.3-201609072139 -> 4.7.4-201609152234 2016-09-16 11:18:42 +02:00
Joachim Fasting 91674b75d3
grsecurity: 4.7.2-201608312326 -> 4.7.3-201609072139 2016-09-10 17:06:42 +02:00
Joachim Fasting 0ce7b31b09
grsecurity: 4.7.2-201608211829 -> 201608312326 2016-09-01 14:51:33 +02:00
aszlig f19c961b4e
linux-testing: Fix arg list too long in modinst
With the default kernel and thus with the build I have tested in
74ec94bfa2, we get an error during
modules_install:

make[2]: execvp: /nix/store/.../bin/bash: Argument list too long

I haven't noticed this build until I actually tried booting using this
kernel because make didn't fail here.

The reason this happens within Nix and probably didn't yet surface in
other distros is that programs only have a limited amount of memory
available for storing the environment and the arguments.

Environment variables however are quite common on Nix and thus we
stumble on problems like this way earlier - in this case Linux 4.8 - but
I have noticed this in 4.7-next as well already.

The fix is far from perfect and suffers performance overhead because we
now run grep for every *.mod file instead of passing all *.mod files
into one single invocation of grep.

But comparing the performance overhead (around 1s on my machine) with
the overall build time of the kernel I think the overhead really is
neglicible.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-08-30 06:55:52 +02:00
Joachim Fasting e5c3a52afc
grsecurity: fix features.grsecurity
Previously, features.grsecurity wasn't actually set due to a bug in the
grsec builder. We now rely on the generic kernel builder to set features
from kernelPatches.
2016-08-29 04:09:40 +02:00
Shea Levy 2b1fa9da8b Add initial patches for CPU Controller on Control Group v2 2016-08-25 13:01:40 -04:00
Joachim Fasting cf592a8969
grsecurity: 4.7.1-201608161813 -> 4.7.2-201608211829 2016-08-23 01:49:34 +02:00
Joachim Fasting ba20363f11
grsecurity: 4.7-201608151842 -> 4.7.1-201608161813 2016-08-17 15:19:27 +02:00
Joachim Fasting d82ddd6dc0
grsecurity: 4.7-201608131240 -> 4.7-201608151842 2016-08-16 17:50:37 +02:00
Joachim Fasting 9062c67914
grsecurity: 4.6.5-201607312210 -> 4.7-201608131240 2016-08-15 20:36:46 +02:00
obadz b2efe2babd Revert "linux kernel 4.4: fix race during build"
Removes patch. Was fixed upstream.

This reverts commit 4788ec1372.
2016-08-12 16:42:25 +01:00
obadz 18947c9e36 Revert "ecryptfs: fix kernel bug introduced in 4.4.14"
The Linux 4.4.17 release fixes the underlying issue

This reverts commit fad9a8841b.
2016-08-11 17:15:54 +01:00
Joachim Fasting 76f2e827a7
grsecurity: 4.6.5-201607272152 -> 4.6.5-201607312210 2016-08-01 12:46:48 +02:00
Joachim Fasting 83f783c00f
grsecurity: 4.6.4-201607242014 -> 4.6.5-201607272152 2016-07-29 00:24:00 +02:00
Joachim Fasting e725c927d4
grsecurity: 4.6.4-201607192040 -> 4.6.4-201607242014 2016-07-25 09:11:28 +02:00
Joachim Fasting 55120ac4cb
grsecurity: 4.6.4-201607112205 -> 4.6.4-201607192040 2016-07-20 10:17:35 +02:00
obadz fad9a8841b ecryptfs: fix kernel bug introduced in 4.4.14
Introduced by mainline commit 2f36db7
Patch is from http://www.spinics.net/lists/stable/msg137350.html
Fixes #16766
2016-07-13 11:04:07 +02:00
Franz Pletz dde259dfb5 linux: Add patch to fix CVE-2016-5829 (#16824)
Fixed for all available 4.x series kernels.

From CVE-2016-5829:

  Multiple heap-based buffer overflows in the hiddev_ioctl_usage function
  in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow
  local users to cause a denial of service or possibly have unspecified
  other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl
  call.
2016-07-12 20:56:50 +02:00
Joachim Fasting 416120e0c7
grsecurity: 4.6.3-201607070721 -> 4.6.4-201607112205 2016-07-12 15:15:09 +02:00
Joachim Fasting a2ebf45b47
grsecurity: 4.5.7-201606302132 -> 4.6.3-201607070721 2016-07-07 19:34:58 +02:00
Joachim Fasting 640ac5186f
grsecurity: 4.5.7-201606292300 -> 4.5.7-201606302132 2016-07-02 20:37:52 +02:00
Joachim Fasting 51c04b74c1
grsecurity: 4.5.7-201606280009 -> 4.5.7-201606292300 2016-06-30 11:09:59 +02:00
Joachim Fasting cdcdc25ef3
grsecurity: 4.5.7-201606262019 -> 4.5.7-201606280009 2016-06-28 14:57:20 +02:00
Joachim Fasting d5eec25ff9
grsecurity: 4.5.7-201606222150 -> 4.5.7-201606262019 2016-06-27 21:42:17 +02:00
Joachim Fasting 4fb72b2fd3
grsecurity: 4.5.7-201606202152 -> 4.5.7-201606222150 2016-06-26 17:27:17 +02:00
Joachim Fasting 9d052a2c39
grsecurity: 4.5.7-201606142010 -> 4.5.7-201606202152 2016-06-23 00:55:54 +02:00
Joachim Fasting 875fd5af73
grsecurity: 4.5.7-201606110914 -> 4.5.7-201606142010 2016-06-16 14:29:12 +02:00
Joachim Fasting 130b06eb0b
grsecurity: 4.5.7-201606080852 -> 4.5.7-201606110914 2016-06-14 14:18:01 +02:00
Joachim Fasting 75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Joachim Fasting edc36a0091
grsecurity: 4.5.6-201606051644 -> 4.5.7-201606080852 2016-06-09 15:40:06 +02:00
Joachim Fasting 72899d92d0
grsecurity: 4.5.5-201605291201 -> 4.5.6-201606051644 2016-06-07 15:04:24 +02:00
Joachim Fasting bfefc54bc5
grsecurity: 4.5.5-201605211442 -> 4.5.5-201605291201 2016-05-29 20:34:24 +02:00
Joachim Fasting 5a357d9731
grsecurity: 4.5.5-201605202102 -> 4.5.5-201605211442 2016-05-21 22:28:36 +02:00
Joachim Fasting cdf2ffda9d
grsecurity: 4.5.4-201605131918 -> 4.5.5-201605202102 2016-05-21 07:37:41 +02:00
Joachim Fasting f99c86eec1
grsecurity: remove expressions for unsupported versions
Retain top-level attributes for now but consolidate compatibility
attributes.

Part of ongoing cleanup, doing it all at once is infeasible.
2016-05-16 09:10:27 +02:00
Joachim Fasting 6194e9d801
kernelPatches.grsecurity: 4.5.4-201605122039 -> 4.5.4-201605131918
Also revert to using the grsecurity-scrape mirror; relying on upstream
just isn't viable. Lately, updates have been so frequent that a new
version is released before Hydra even gets around to building the
previous one.
2016-05-14 05:15:35 +02:00
Joachim Fasting 7fdce2feb0
kernelPatches.grsecurity_4_5: 4.5.4-201605112030 -> 4.5.4-201605122039 2016-05-13 23:11:07 +02:00
Joachim Fasting 10aaca8c1f
grsecurity_4_5: 4.5.3-201605080858 -> 4.5.4-201605112030 2016-05-13 20:11:31 +02:00
Joachim Fasting 52477b0a0b
kernelPatches.grsecurity_4_5: 201605060852 -> 201605080858 2016-05-09 16:38:44 +02:00
Joachim Fasting 27061905bd
linuxPackages_grsec_4_5: 3.1-4.5.2-201604290633 -> 3.1-4.5.3-201605060852 2016-05-06 16:37:25 +02:00
Joachim Fasting 0bd31bce10
grsecurity: drop support for 4.4 kernels
From now on, only the testing branch of grsecurity will be supported.
Additionally, use only patches from upstream.

It's impossible to provide meaningful support for grsecurity stable.
First, because building and testing \(m \times n \times z) [1], packages
is infeasible.  Second, because stable patches are only available from
upstream for-pay, making us reliant on third-parties for patches. In
addition to creating yet more work for the maintainers, using stable
patches provided by a third-party goes against the wishes of upstream.

nixpkgs provides the tools necessary to build grsecurity kernels for any
version the user chooses, however, provided they pay for, or otherwise
acquire, the patch themselves.

Eventually, we'll want to remove the now obsolete top-level attributes,
but leave them in for now to smoothe migration (they have been removed
from top-level/release.nix, though, because it makes no sense to have
them there).

[1]: where \(m\) is the number of grsecurity flavors, \(n\) is the
number of kernel versions, and z is the size of the `linuxPackages` set
2016-05-04 01:07:53 +02:00
Joachim Fasting 7893cb1aea
linuxPackages_grsec_4_1: delete
Upstream supports 3.14, 4.4, and 4.5
2016-05-02 11:28:05 +02:00
Joachim Fasting fecb56fc3f
linuxPackages_grsec_4_5: init at 3.1-4.5.2-201604290633 2016-05-02 11:28:05 +02:00
obadz 4788ec1372 linux kernel 4.4: fix race during build
Patch drivers/crypto/qat/qat_common/Makefile so that qat_asym_algs.o
explicitly depends on headers qat_rsaprivkey-asn1.h and qat_rsapubkey-asn1.h

Hopefully fixes #14595
2016-04-12 22:45:57 +01:00
Charles Strahan ad7b1e24c2 fan-networking: updated patches from Ubuntu
This pulls in updated Fan Networking patches from Ubuntu.
(https://wiki.ubuntu.com/FanNetworking)

closes #14328
2016-04-10 16:07:03 -04:00
Domen Kožar b95a1c4f77 kernel: fix build of 3.10 and 3.12 on i686
(cherry picked from commit 23730413fe)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-04-06 10:36:04 +01:00
Tim Steinbach a5d8256df4 grsecurity: 4.4.4 -> 4.4.5 2016-03-14 21:29:42 +00:00
Franz Pletz 255d710757 grsecurity: 4.4.2 -> 4.4.4
See #13505.
2016-03-08 01:03:47 +01:00
tg(x) be3bd972d5 grsecurity: add 4.1 kernel 2016-02-28 15:00:16 +01:00
tg(x) 38614d3f6a grsecurity: use kernel version instead of testing / stable 2016-02-28 04:10:59 +01:00
tg(x) 4e3d6d3e90 grsecurity: separate fix patches for testing & stable 2016-02-27 19:54:55 +01:00
tg(x) 75f353ffbd grsecurity: decouple from mainline 2016-02-27 19:33:35 +01:00
tg(x) 7547960546 grsecurity: move version information to one place 2016-02-27 18:36:12 +01:00
tg(x) d95321b83e grsecurity: 4.3.4 -> 4.4.2 2016-02-27 18:36:12 +01:00
tg(x) 42deddb17a grsecurity: use source URL from a scraped repository as grsecurity.net only has the latest version 2016-02-10 00:46:11 +01:00
Dan Peebles 78956c77c0 linux: 4.3.3 -> 4.34 (and update grsecurity patches, too) 2016-01-24 03:53:46 +00:00
Dan Peebles 33cf0792b1 grsecurity-testing: update patches and associated kernel version 2016-01-23 14:29:34 +00:00
Al Zohali a3a5bc6095 linux_chromiumos_3_14: init at 3.14.0
Co-authored-by: Nikolay Amiantov <ab@fmap.me>
2016-01-13 22:43:19 +03:00
Al Zohali ee9e7b7224 linux_chromiumos_3_18: init at 3.18.0
Co-authored-by: Nikolay Amiantov <ab@fmap.me>
2016-01-13 22:43:19 +03:00
William A. Kennington III 194357ad20 grsecurityUnstable: 4.1.7 -> 4.2.3 2015-10-15 10:41:04 -07:00
Paul Colomiets 84c0098117 Unprivileged overlayfs mounts kernel patch from ubuntu
This allows to create overlayfs mounts by unprivileged containers (i.e.
in user and mount namespace). It's super-useful for containers.

The patch is trivial as I understand from the patch description it's
does not have security implications (on top of what user namespaces
already have). And it's enabled in ubuntu long time ago. Here is a proof:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1357025
2015-09-26 00:42:16 +03:00
William A. Kennington III 84505bd36a grsecurity: Update patches 2015-09-16 13:35:41 -07:00
William A. Kennington III d70c01daec grsecurity: Update patches 2015-08-18 21:06:45 -07:00
Charles Strahan c1ee8fefd4 nixos: add support for Ubuntu Fan Networking
This provides support for Ubuntu Fan Networking [1].

This includes:

* The fanctl package, and a corresponding NixOS service.
* iproute patches.
* kernel patches.

closes #9188

1: https://wiki.ubuntu.com/FanNetworking
2015-08-13 14:27:14 -04:00
William A. Kennington III 52e55d85cb kernel: 3.14.49 -> 3.14.50 2015-08-10 23:35:43 -07:00
William A. Kennington III 974b9cc8cc kernel: 4.1.4 -> 4.1.5 2015-08-10 23:34:31 -07:00
William A. Kennington III 04f1b451d7 kernel: 3.14.48 -> 3.14.49 2015-08-04 13:30:08 -07:00
William A. Kennington III a5d6e61c2f grsecurity: Push testing from 4.0 -> 4.1 2015-08-04 13:28:16 -07:00
William A. Kennington III 0245b28796 kernel: 3.14.47 -> 3.14.48 2015-07-11 20:15:05 -07:00
William A. Kennington III 3284b216a4 kernel: 4.0.7 -> 4.0.8 2015-07-11 20:15:05 -07:00
Eelco Dolstra 5c9f437d2f linux: 3.14.46 -> 3.14.47
CVE-2014-7822
2015-07-09 15:10:12 +02:00
William A. Kennington III d64b3c8a5c kernel: 3.14.45 -> 3.14.46 2015-06-30 11:28:59 -07:00
William A. Kennington III b25930c4c8 kernel: 4.0.6 -> 4.0.7 2015-06-30 11:20:41 -07:00
William A. Kennington III b08d384da8 kernel: 3.14.44 -> 3.14.45 2015-06-24 18:12:20 -07:00
William A. Kennington III 2f255eafd9 kernel: 4.0.5 -> 4.0.6 2015-06-24 18:11:25 -07:00
Ricardo M. Correia e26bfbe26f grsecurity: Update stable and test patches
stable: 3.1-3.14.43-201506021902 -> 3.1-3.14.44-201506082249
test:   3.1-4.0.4-201506021902   -> 3.1-4.0.5-201506082251
2015-06-10 18:33:28 +02:00
Ricardo M. Correia 07c26ee680 grsecurity: Update stable and test patches
stable: 3.1-3.14.43-201505272112 -> 3.1-3.14.43-201506021902
test:   3.1-4.0.4-201505272113   -> 3.1-4.0.4-201506021902
2015-06-03 19:38:05 +02:00
Ricardo M. Correia b59d52daf7 grsecurity: Update stable and test patches
stable: 3.1-3.14.43-201505222221 -> 3.1-3.14.43-201505272112
test:   3.1-4.0.4-201505222222   -> 3.1-4.0.4-201505272113
2015-05-29 19:49:46 +02:00
Ricardo M. Correia c0f09411e8 grsecurity: Update stable and test patches
stable: 3.1-3.14.43-201505191737 -> 3.1-3.14.43-201505222221
test:   3.1-4.0.4-201505182014   -> 3.1-4.0.4-201505222222
2015-05-27 20:27:43 +02:00
Ricardo M. Correia 5277bf945d grsecurity: Update stable patch from 3.1-3.14.43-201505181929 -> 3.1-3.14.43-201505191737 2015-05-21 14:45:56 +02:00
Ricardo M. Correia 0cb3c2d684 grsecurity: Update stable and test patches
stable: 3.1-3.14.43-201505171736 -> 3.1-3.14.43-201505181929
test:   3.1-4.0.4-201505171737   -> 3.1-4.0.4-201505182014
2015-05-19 19:21:31 +02:00
William A. Kennington III 9265918fea kernel: 3.14.42 -> 3.14.43 2015-05-18 01:45:49 -07:00
William A. Kennington III 4a7a3cd8a5 kernel: 4.0.3 -> 4.0.4 2015-05-18 01:43:03 -07:00
William A. Kennington III fcf15de248 kernel: 3.14.41 -> 3.14.42 2015-05-15 18:38:14 -07:00
William A. Kennington III 90659e2735 kernel: 4.0.2 -> 4.0.3 2015-05-15 18:38:14 -07:00
Ricardo M. Correia aa75bb25d8 grsecurity: Update stable and test patches
stable: 3.1-3.14.41-201505072056 -> 3.1-3.14.41-201505101121
test:   3.1-4.0.2-201505072057   -> 3.1-4.0.2-201505101122
2015-05-11 02:45:38 +02:00
William A. Kennington III 8209d3f78b kernel: 3.14.40 -> 3.14.41 2015-05-07 20:34:26 -07:00
William A. Kennington III 0e4057b167 kernel: 4.0.1 -> 4.0.2 2015-05-07 20:32:24 -07:00
Ricardo M. Correia b95fa1c852 grsecurity: Update stable and test patches
stable: 3.1-3.14.40-201504290821 -> 3.1-3.14.40-201504302118
test:   3.1-3.19.6-201504290821  -> 3.1-3.19.6-201504302119
2015-05-02 01:03:05 +02:00
William A. Kennington III 084d1143e6 kernel: 3.14.39 -> 3.14.40 2015-04-29 14:34:11 -07:00
William A. Kennington III dfd7b26e3a kernel: 3.19.5 -> 3.19.6 2015-04-29 14:33:23 -07:00
William A. Kennington III dbaeb7c428 kernel: 3.14.38 -> 3.14.39 2015-04-20 22:41:47 -07:00
William A. Kennington III 2c35a4aa39 kernel: 3.19.4 -> 3.19.5 2015-04-20 22:40:31 -07:00
William A. Kennington III 0fd4774781 kernel: 3.14.37 -> 3.14.38 2015-04-15 16:22:42 -07:00
William A. Kennington III 2ded7833ed kernel: 3.19.3 -> 3.19.4 2015-04-15 16:22:42 -07:00