3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

30 commits

Author SHA1 Message Date
Joachim Fasting d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Joachim Fasting 50d915c758
grsecurity: optionally disable features for redistributed kernels 2016-05-06 16:37:25 +02:00
Joachim Fasting da767356f2
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 03:53:24 +02:00
Joachim Fasting 39db90eaf6
grsecurity: simplify preConfigure 2016-05-02 11:28:06 +02:00
Joachim Fasting a69501a936
grsecurity: ensure that PaX ELF markings are enabled
The upstream default is to enable only xattr markings, breaking the
paxmarks facility.
2016-05-02 11:28:06 +02:00
Joachim Fasting 27035365ec build-support/grsecurity: simplify the grsecurityOverrider
Adding inputs required by gcc plugins to the ambient environment is sufficient.
2016-04-12 01:23:32 +02:00
Domen Kožar b07e7bfc7b Merge remote-tracking branch 'origin/staging' 2016-03-27 13:19:04 +01:00
Joachim Fasting 304c4a514e grsecurity: fix gcc plugin
Also needs mpfr and libmpc
2016-03-26 21:01:21 +01:00
tg(x) 38614d3f6a grsecurity: use kernel version instead of testing / stable 2016-02-28 04:10:59 +01:00
tg(x) 4e3d6d3e90 grsecurity: separate fix patches for testing & stable 2016-02-27 19:54:55 +01:00
tg(x) 7547960546 grsecurity: move version information to one place 2016-02-27 18:36:12 +01:00
tg(x) d95321b83e grsecurity: 4.3.4 -> 4.4.2 2016-02-27 18:36:12 +01:00
Dan Peebles 8f9aea9ccc grsecurity: fix kernel config and uncomment grsecurity kernels 2016-01-23 16:58:44 +00:00
Dan Peebles 33cf0792b1 grsecurity-testing: update patches and associated kernel version 2016-01-23 14:29:34 +00:00
Eelco Dolstra 16acdb45bd Revert "kernel: Remove unsupported 3.10, 3.12, 3.14"
This reverts commit 2441e002e2. The
motivation for removing them was not very convincing. Also, we need
3.14 on some Hydra build machines.
2015-11-19 14:25:16 +01:00
William A. Kennington III 2441e002e2 kernel: Remove unsupported 3.10, 3.12, 3.14
Our base kernel headers were bumped to 3.18 so we can no longer reliably
support kernels older than 3.18
2015-11-09 11:10:42 -08:00
William A. Kennington III 194357ad20 grsecurityUnstable: 4.1.7 -> 4.2.3 2015-10-15 10:41:04 -07:00
Vladimír Čunát 54c4aab662 nixos: kill services.virtualboxGuest to fix #9600 2015-09-02 04:54:31 +02:00
William A. Kennington III a5d6e61c2f grsecurity: Push testing from 4.0 -> 4.1 2015-08-04 13:28:16 -07:00
William A. Kennington III 0e4057b167 kernel: 4.0.1 -> 4.0.2 2015-05-07 20:32:24 -07:00
Joachim Fasting ba93a75724 grsecurity module: use types.enum
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
2015-04-03 13:45:45 +02:00
Ricardo M. Correia 7c8247a8c5 grsecurity: Update stable and test patches
stable: 3.1-3.14.35-201503071140 -> 3.1-3.14.35-201503092203
test:   3.1-3.18.9-201503071142  -> 3.1-3.19.1-201503122205
2015-03-15 03:49:58 +01:00
Peter Simons cfce8509b8 grsecurity: add GRKERNSEC_DENYUSB option (disabled by default)
This option tells the kernel to ignore plug-in events of USB devices. Useful to
protect against attacks with malicious hardware. Currently disabled by default,
though.
2015-01-19 00:15:41 +03:00
Ricardo M. Correia 1d44322d53 grsecurity: Update stable and test patches
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test:   3.0-3.17.7-201412211910  -> 3.0-3.18.1-201412281149
2014-12-29 03:00:47 +01:00
aszlig 444987193e
nixos: Rename virtualbox to virtualboxGuest.
Especially new users could be confused by this, so we're now marking
services.virtualbox.enable as obsolete and defaulting to
services.virtualboxGuest.enable instead. I believe this now makes it
clear, that this option is for guest additions only.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:42:22 +01:00
Alexander Kjeldaas 005bb796e6 Updated grsec. 2014-10-22 02:18:41 +02:00
Ricardo M. Correia 238a84ac78 grsecurity: Update stable and test patches
stable: 3.0-3.14.17-201408260041 -> 3.0-3.14.18-201409060013
test:   3.0-3.15.10-201408212335 -> 3.0-3.16.2-201409060014
2014-09-08 15:16:38 +02:00
Austin Seipp 0399c5ee24 grsecurity: update stable/testing kernels, refactoring
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.

This also removes the vserver kernel, since it's probably not nearly as
used.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-22 22:29:10 -05:00
Austin Seipp 85b5dc3949 grsec: Fix vserver/stable packaging
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 16:37:22 -05:00
Austin Seipp 4f27ad14a1 grsec: refactor grsecurity packages
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:43 -05:00