Joachim Fasting
d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
...
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293
This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Joachim Fasting
50d915c758
grsecurity: optionally disable features for redistributed kernels
2016-05-06 16:37:25 +02:00
Joachim Fasting
da767356f2
grsecurity: support disabling TCP simultaneous connect
...
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.
This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937
[1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 03:53:24 +02:00
Joachim Fasting
39db90eaf6
grsecurity: simplify preConfigure
2016-05-02 11:28:06 +02:00
Joachim Fasting
a69501a936
grsecurity: ensure that PaX ELF markings are enabled
...
The upstream default is to enable only xattr markings, breaking the
paxmarks facility.
2016-05-02 11:28:06 +02:00
Joachim Fasting
27035365ec
build-support/grsecurity: simplify the grsecurityOverrider
...
Adding inputs required by gcc plugins to the ambient environment is sufficient.
2016-04-12 01:23:32 +02:00
Domen Kožar
b07e7bfc7b
Merge remote-tracking branch 'origin/staging'
2016-03-27 13:19:04 +01:00
Joachim Fasting
304c4a514e
grsecurity: fix gcc plugin
...
Also needs mpfr and libmpc
2016-03-26 21:01:21 +01:00
tg(x)
38614d3f6a
grsecurity: use kernel version instead of testing / stable
2016-02-28 04:10:59 +01:00
tg(x)
4e3d6d3e90
grsecurity: separate fix patches for testing & stable
2016-02-27 19:54:55 +01:00
tg(x)
7547960546
grsecurity: move version information to one place
2016-02-27 18:36:12 +01:00
tg(x)
d95321b83e
grsecurity: 4.3.4 -> 4.4.2
2016-02-27 18:36:12 +01:00
Dan Peebles
8f9aea9ccc
grsecurity: fix kernel config and uncomment grsecurity kernels
2016-01-23 16:58:44 +00:00
Dan Peebles
33cf0792b1
grsecurity-testing: update patches and associated kernel version
2016-01-23 14:29:34 +00:00
Eelco Dolstra
16acdb45bd
Revert "kernel: Remove unsupported 3.10, 3.12, 3.14"
...
This reverts commit 2441e002e2
. The
motivation for removing them was not very convincing. Also, we need
3.14 on some Hydra build machines.
2015-11-19 14:25:16 +01:00
William A. Kennington III
2441e002e2
kernel: Remove unsupported 3.10, 3.12, 3.14
...
Our base kernel headers were bumped to 3.18 so we can no longer reliably
support kernels older than 3.18
2015-11-09 11:10:42 -08:00
William A. Kennington III
194357ad20
grsecurityUnstable: 4.1.7 -> 4.2.3
2015-10-15 10:41:04 -07:00
Vladimír Čunát
54c4aab662
nixos: kill services.virtualboxGuest to fix #9600
2015-09-02 04:54:31 +02:00
William A. Kennington III
a5d6e61c2f
grsecurity: Push testing from 4.0 -> 4.1
2015-08-04 13:28:16 -07:00
William A. Kennington III
0e4057b167
kernel: 4.0.1 -> 4.0.2
2015-05-07 20:32:24 -07:00
Joachim Fasting
ba93a75724
grsecurity module: use types.enum
...
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
2015-04-03 13:45:45 +02:00
Ricardo M. Correia
7c8247a8c5
grsecurity: Update stable and test patches
...
stable: 3.1-3.14.35-201503071140 -> 3.1-3.14.35-201503092203
test: 3.1-3.18.9-201503071142 -> 3.1-3.19.1-201503122205
2015-03-15 03:49:58 +01:00
Peter Simons
cfce8509b8
grsecurity: add GRKERNSEC_DENYUSB option (disabled by default)
...
This option tells the kernel to ignore plug-in events of USB devices. Useful to
protect against attacks with malicious hardware. Currently disabled by default,
though.
2015-01-19 00:15:41 +03:00
Ricardo M. Correia
1d44322d53
grsecurity: Update stable and test patches
...
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test: 3.0-3.17.7-201412211910 -> 3.0-3.18.1-201412281149
2014-12-29 03:00:47 +01:00
aszlig
444987193e
nixos: Rename virtualbox to virtualboxGuest.
...
Especially new users could be confused by this, so we're now marking
services.virtualbox.enable as obsolete and defaulting to
services.virtualboxGuest.enable instead. I believe this now makes it
clear, that this option is for guest additions only.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:42:22 +01:00
Alexander Kjeldaas
005bb796e6
Updated grsec.
2014-10-22 02:18:41 +02:00
Ricardo M. Correia
238a84ac78
grsecurity: Update stable and test patches
...
stable: 3.0-3.14.17-201408260041 -> 3.0-3.14.18-201409060013
test: 3.0-3.15.10-201408212335 -> 3.0-3.16.2-201409060014
2014-09-08 15:16:38 +02:00
Austin Seipp
0399c5ee24
grsecurity: update stable/testing kernels, refactoring
...
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.
This also removes the vserver kernel, since it's probably not nearly as
used.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-22 22:29:10 -05:00
Austin Seipp
85b5dc3949
grsec: Fix vserver/stable packaging
...
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 16:37:22 -05:00
Austin Seipp
4f27ad14a1
grsec: refactor grsecurity packages
...
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:43 -05:00