forked from mirrors/nixpkgs
Commit graph

3737 commits

Author SHA1 Message Date
kraem fca903c7dd
linux/hardened-patches/4.19.117: init at 4.19.117.a 2020-04-22 02:12:28 +02:00
kraem 99f30a5635
linux/hardened-patches/5.4.34: init at 5.4.34.a 2020-04-22 02:12:25 +02:00
kraem 3c81b3df4e
linux/hardened-patches/5.5.19: init at 5.5.19.a 2020-04-22 02:12:21 +02:00
kraem c8b5e37764
linux/hardened-patches/5.6.6: init at 5.6.6.a 2020-04-22 02:12:17 +02:00
kraem efafc50f5c
linux/hardened-patches/4.19.116: remove 2020-04-21 22:18:03 +02:00
kraem 8f2e9fcadd
linux/hardened-patches/5.5.18: remove 2020-04-21 22:18:03 +02:00
kraem 9ed70f4e46
linux/hardened-patches/5.6.5: remove 2020-04-21 22:18:03 +02:00
kraem 15807c58ad
linux/hardened-patches/5.4.33: remove 2020-04-21 22:18:02 +02:00
kraem c9cf25bc61
linux: 5.6.5 -> 5.6.6 2020-04-21 21:59:59 +02:00
kraem 1e23dcbf22
linux: 5.5.18 -> 5.5.19 2020-04-21 21:59:22 +02:00
kraem 18c2b5a9aa
linux: 5.4.33 -> 5.4.34 2020-04-21 21:58:45 +02:00
kraem e074301be8
linux: 4.19.116 -> 4.19.117 2020-04-21 21:58:03 +02:00
Frederik Rietdijk 803b3d296c Merge staging-next into staging 2020-04-21 08:29:51 +02:00
kraem 523fe98821 linux/hardened-patches/4.19.116: 4.19.116.NixOS-a -> 4.19.116.a 2020-04-20 10:05:36 -04:00
kraem 45343beffe linux/hardened-patches/5.4.33: 5.4.33.NixOS-a -> 5.4.33.a 2020-04-20 10:05:36 -04:00
kraem 48d908b731 linux/hardened-patches/5.5.18: init at 5.5.18.a 2020-04-20 10:05:36 -04:00
kraem 0fd9293703 linux/hardened-patches/5.6.5: init at 5.6.5.a 2020-04-20 10:05:36 -04:00
kraem e7a65e6c41 linux/hardened-patches/5.5.17: remove 2020-04-20 10:05:36 -04:00
kraem eb41f8122e linux/hardened-patches/5.6.4: remove 2020-04-20 10:05:36 -04:00
kraem 8879086cfc linux: 5.5.17 -> 5.5.18 2020-04-20 10:05:36 -04:00
kraem 4307923b86 linux: 5.6.4 -> 5.6.5 2020-04-20 10:05:36 -04:00
Yegor Timoshenko 6f1165a0cb
Merge pull request #84522 from emilazy/add-linux-hardened-patches
linux_*_hardened: use linux-hardened patch set
2020-04-19 20:01:35 +03:00
Vladimír Čunát d96487b9ca
Merge branch 'master' into staging-next
Hydra nixpkgs: ?compare=1582510
2020-04-18 07:42:26 +02:00
John Ericson 33c2a76c5e Merge remote-tracking branch 'upstream/master' into staging 2020-04-17 18:40:51 -04:00
Emily 7fdfe5381d linux_*_hardened: don't set FORTIFY_SOURCE
Upstreamed in anthraxx/linux-hardened@d12c0d5f0c.
2020-04-17 16:13:39 +01:00
Emily ed89b5b3f1 linux_*_hardened: don't set PANIC_ON_OOPS
Upstreamed in anthraxx/linux-hardened@366e0216f1.
2020-04-17 16:13:39 +01:00
Emily 0d5f1697b7 linux_*_hardened: don't set SLAB_FREELIST_{RANDOM,HARDENED}
Upstreamed in anthraxx/linux-hardened@786126f177,
anthraxx/linux-hardened@44822ebeb7.
2020-04-17 16:13:39 +01:00
Emily 4fb796e341 linux_*_hardened: don't set HARDENED_USERCOPY_FALLBACK
Upstreamed in anthraxx/linux-hardened@c1fe7a68e3,
anthraxx/linux-hardened@2c553a2bb1.
2020-04-17 16:13:39 +01:00
Emily 3eeb5240ac linux_*_hardened: don't set DEBUG_LIST
Upstreamed in anthraxx/linux-hardened@6b20124185.
2020-04-17 16:13:39 +01:00
Emily 0611462e33 linux_*_hardened: don't set {,IO_}STRICT_DEVMEM
STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is
turned on by anthraxx/linux-hardened@103d23cb66.

Note that anthraxx/linux-hardened@db1d27e10e
disables DEVMEM by default, so this is only relevant if that default is
overridden to turn it back on.
2020-04-17 16:13:39 +01:00
Emily 303bb60fb1 linux_*_hardened: don't set DEBUG_WX
Upstreamed in anthraxx/linux-hardened@55ee7417f3.
2020-04-17 16:13:39 +01:00
Emily 33b94e5a44 linux_*_hardened: don't set BUG_ON_DATA_CORRUPTION
Upstreamed in anthraxx/linux-hardened@3fcd15014c.
2020-04-17 16:13:39 +01:00
Emily db6b327508 linux_*_hardened: don't set LEGACY_VSYSCALL_NONE
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily 130f6812be linux_*_hardened: don't set RANDOMIZE_{BASE,MEMORY}
These are on by default for x86 in upstream linux-5.6.2, and turned on
for arm64 by anthraxx/linux-hardened@90f9670bc3.
2020-04-17 16:13:39 +01:00
Emily 8c68055432 linux_*_hardened: don't set MODIFY_LDT_SYSCALL
Upstreamed in anthraxx/linux-hardened@05644876fa.
2020-04-17 16:13:39 +01:00
Emily 8efe83c22e linux_*_hardened: don't set DEFAULT_MMAP_MIN_ADDR
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily 3d4c8ae901 linux_*_hardened: don't set VMAP_STACK
This has been on by default upstream for as long as it's been an option.
2020-04-17 16:13:39 +01:00
Emily 7d5352df31 linux_*_hardened: don't set X86_X32
As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.
2020-04-17 16:13:39 +01:00
Emily 0d4f35efd4 linux_*_hardened: use linux-hardened patch set
This is an updated version of the former upstream,
https://github.com/AndroidHardeningArchive/linux-hardened, and provides
a minimal set of additional hardening patches on top of upstream.

The patch already incorporates many of our hardened profile defaults,
and releases are timely (Linux 5.5.15 and 5.6.2 were released on
2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
2020-04-04 respectively).
2020-04-17 16:13:39 +01:00
Emily 3d01e802bd linux: explicitly enable SYSVIPC
The linux-hardened patch set removes this default, probably because of
its original focus on Android kernel hardening.
2020-04-17 16:12:29 +01:00
Tim Steinbach e341107367
linux: 5.4.32 -> 5.4.33 2020-04-17 08:34:01 -04:00
Tim Steinbach d9258d33be
linux: 4.19.115 -> 4.19.116 2020-04-17 08:34:01 -04:00
Niklas Hambüchen f16ae2da3e linux: Enable CONFIG_NET_DROP_MONITOR by default.
Needed for subscribing to dropped packets (e.g. via `dropwatch`).
2020-04-14 20:07:51 +02:00
Jan Tojnar b4a6714571
Merge branch 'staging-next' into staging 2020-04-13 18:54:59 +02:00
Jan Tojnar a04625379a
Merge branch 'master' into staging-next 2020-04-13 18:50:35 +02:00
Tim Steinbach f6e64feb14
linux: 5.6.3 -> 5.6.4 2020-04-13 08:36:35 -04:00
Tim Steinbach bba4a30f8c
linux: 5.5.16 -> 5.5.17 2020-04-13 08:36:27 -04:00
Tim Steinbach 2b6e16abe0
linux: 5.4.31 -> 5.4.32 2020-04-13 08:36:19 -04:00
Tim Steinbach f47969645b
linux: 4.9.218 -> 4.9.219 2020-04-13 08:36:11 -04:00
Tim Steinbach e06d2a4682
linux: 4.19.114 -> 4.19.115 2020-04-13 08:36:04 -04:00
Tim Steinbach f717bfeedb
linux: 4.14.175 -> 4.14.176 2020-04-13 08:35:56 -04:00
Tim Steinbach 3a8f6159cb
linux: 4.4.218 -> 4.4.219 2020-04-13 08:35:32 -04:00
Michael Reilly 84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
Jan Tojnar 55a5c128d4
Merge branch 'staging-next' into staging 2020-04-10 12:13:27 +02:00
Jan Tojnar 1ab03c3a76
Merge branch 'master' into staging-next 2020-04-10 12:12:56 +02:00
Tim Steinbach 7bd91fe7af
linux: 5.6.2 -> 5.6.3 2020-04-08 08:51:08 -04:00
Tim Steinbach 1c637d2326
linux: 5.5.15 -> 5.5.16 2020-04-08 08:51:07 -04:00
Tim Steinbach 5653337922
linux: 5.4.30 -> 5.4.31 2020-04-08 08:51:07 -04:00
Eelco Dolstra 50913242ab
Merge pull request #81500 from primeos/tcp-cong-switch-to-cubic
linux config: Set TCP_CONG_CUBIC=yes to restore the default
2020-04-06 17:11:31 +02:00
Jörg Thalheim a737f030cf
Merge pull request #71481 from eadwu/bcachefs/update-10
bcachefs: update 10
2020-04-06 15:43:36 +01:00
Edmund Wu 04a5e5ab7c
linux_testing_bcachefs: 5.3.2020.03.25 -> 5.3.2020.04.04 2020-04-06 10:29:33 -04:00
Frederik Rietdijk edaa972160 Merge staging-next into staging 2020-04-03 21:55:10 +02:00
Florian Klink 35916a8c4b Merge pull request #83658 from Emantor/topic/kernel-snd-ca0132
linux config: enable Creative Soundblaster DSP loading
2020-04-02 22:41:57 +02:00
Tim Steinbach c36ec10158
linux: 4.9.217 -> 4.9.218 2020-04-02 14:03:09 -04:00
Tim Steinbach e2df587f25
linux: 4.4.217 -> 4.4.218 2020-04-02 14:03:02 -04:00
Tim Steinbach 782db49b5a
linux: 4.14.174 -> 4.14.175 2020-04-02 14:02:48 -04:00
Tim Steinbach 4fbd9e3ab8
linux: 5.6.1 -> 5.6.2 2020-04-02 10:03:15 -04:00
Tim Steinbach f2025f2d6d
linux: 5.5.14 -> 5.5.15 2020-04-02 10:03:07 -04:00
Tim Steinbach bf0b6ab809
linux: 5.4.29 -> 5.4.30 2020-04-02 10:02:52 -04:00
Tim Steinbach d47ba3e4b5
linux: 4.19.113 -> 4.19.114 2020-04-02 10:02:40 -04:00
Tim Steinbach ef3f3f2728
linux_latest-libre: 17387 -> 17402 2020-04-01 10:46:07 -04:00
Tim Steinbach 902ebcdd44
linux: 5.5.13 -> 5.5.14 2020-04-01 10:46:06 -04:00
Tim Steinbach 7bae57f249
linux: 5.4.28 -> 5.4.29 2020-04-01 10:46:06 -04:00
Tim Steinbach 7f56fdd997
linux: Init 5.6.1
Change linux_latest to 5.6
2020-04-01 10:46:02 -04:00
Tim Steinbach c76bad0ec0
linux: 5.6-rc5 -> 5.6-rc7 2020-03-29 16:50:02 -04:00
Rouven Czerwinski 62cdbd678c linux config: enable SND CA0132 DSP loading
Since we select everything as a module, snd_hda_codec_ca0132 is built as
well. DSP loading is not enabled by default, but without it the
soundcard produces timeouts within ALSA and does not emit sound.
Explicitly enable the firmware loading to ensure Soundblaster
Z/Zx/ZxR/Recon devices can be used with NixOS.
The patch to enable this by default in the kernel is staged for 5.8.
2020-03-29 21:11:17 +02:00
Jörg Thalheim ac45e96d2f
Merge pull request #83220 from dasj19/linux-libre-fix
linux-libre: added --force flag for deblobbing.
2020-03-29 15:03:22 +01:00
Edmund Wu 00e7a675f7
linux_testing_bcachefs: 5.2.2019.10.12 -> 5.3.2020.03.25 2020-03-26 12:12:43 -04:00
Tim Steinbach ec87ed26e6
linux: 5.5.11 -> 5.5.13 2020-03-25 13:03:19 -04:00
Tim Steinbach bec620d85b
linux: 5.4.27 -> 5.4.28 2020-03-25 13:03:10 -04:00
Tim Steinbach 9105efdcde
linux: 4.19.112 -> 4.19.113 2020-03-25 13:02:56 -04:00
Daniel Șerbănescu 8431497dd2 linux-libre: added --force flag for deblobbing. 2020-03-23 16:07:13 +01:00
Tim Steinbach f0d17c2a17
linux_latest-libre: 17322 -> 17387 2020-03-22 12:05:45 -04:00
Tim Steinbach 8055a37aca
linux: 5.5.9 -> 5.5.11 2020-03-22 12:05:34 -04:00
Tim Steinbach 05716b70b0
linux: 5.4.25 -> 5.4.27 2020-03-22 12:05:08 -04:00
Tim Steinbach 07ffdf9de3
linux: 4.9.216 -> 4.9.217 2020-03-22 12:04:42 -04:00
Tim Steinbach 04d15d1839
linux: 4.4.216 -> 4.4.217 2020-03-22 12:04:20 -04:00
Tim Steinbach 8e278a8e2d
linux: 4.19.109 -> 4.19.112 2020-03-22 12:03:57 -04:00
Tim Steinbach 1315193c36
linux: 4.14.173 -> 4.14.174 2020-03-22 12:02:43 -04:00
Graham Christensen 244178e166
Merge pull request #82006 from emilazy/enable-linux-hardened-ia32-emulation
linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation
2020-03-14 09:20:58 -04:00
Tim Steinbach f9fcf29ef2
linux: 5.4.24 -> 5.4.25 2020-03-14 04:58:48 -04:00
Silvan Mosberger eff447b321
Merge pull request #70157 from teto/lib_kernel
Add lib.kernel
2020-03-12 23:53:42 +01:00
Tim Steinbach cd167a02b8
linux: 5.6-rc3 -> 5.6-rc5 2020-03-12 05:57:21 -04:00
Tim Steinbach 85c46f5a5a
linux: 5.5.8 -> 5.5.9 2020-03-12 05:57:20 -04:00
Tim Steinbach 930fc70bfc
linux: 4.9.215 -> 4.9.216 2020-03-12 05:57:20 -04:00
Tim Steinbach 3d12317a7e
linux: 4.4.215 -> 4.4.216 2020-03-12 05:57:20 -04:00
Tim Steinbach 24898ff826
linux: 4.19.108 -> 4.19.109 2020-03-12 05:57:20 -04:00
Tim Steinbach ff6e097af1
linux: 4.14.172 -> 4.14.173 2020-03-12 05:57:19 -04:00
Emily b628400f5e linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation
Per discussion in #81943.

Resolves #79798.
2020-03-07 18:50:40 +00:00
Tim Steinbach 028bf0f722
linux: 5.5.7 -> 5.5.8 2020-03-06 07:52:25 -05:00
Tim Steinbach 0c9564891c
linux: 5.4.23 -> 5.4.24 2020-03-06 07:52:25 -05:00
Tim Steinbach 2377b03970
linux: 4.19.107 -> 4.19.108 2020-03-06 07:52:19 -05:00
Michael Weiss 60f4345e37
linux config: Set TCP_CONG_CUBIC=yes to restore the default
This will switch the default TCP congestion control algorithm from
new Reno to CUBIC. CUBIC is the default since Linux kernel 2.6.19
(see 597811ec167fa) and most (all?) distributions keep this default
(e.g. Debian and Ubuntu). On NixOS the default was still new Reno
because generate-config.pl changes TCP_CONG_CUBIC from y to m (since we
try to build everything as a module by default).

To check the active and available algorithms:
$ sysctl net.ipv4.tcp_congestion_control
net.ipv4.tcp_congestion_control = cubic
$ sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = cubic reno

Note: E.g. x86_64_defconfig sets TCP_CONG_CUBIC=y indirectly via
CONFIG_TCP_CONG_ADVANCED=y (but CUBIC is also the default if set to no,
see net/ipv4/Kconfig).
2020-03-02 10:57:47 +01:00
Florian Klink 0a8af284e5
Merge pull request #81415 from NinjaTrappeur/nin-routing-policy-aarch-kernel
linux: add policy routing config flag
2020-03-01 14:50:45 -08:00
Félix Baylac-Jacqué 6896b1cb1d
linux: add policy routing config flag for aarch64
CONFIG_IP_MULTIPLE_TABLES is part of the default x86 kernel config but
absent from the Aarch64 one. Explicitly adding this flag together
with its dependency IP_ADVANCED_ROUTER.

Both of these config flags are needed to use the routing policy
facilities.
2020-03-01 20:25:44 +01:00
Tim Steinbach 1e41aa8030
linux: 5.6-rc2 -> 5.6-rc3 2020-03-01 10:40:36 -05:00
Tim Steinbach b4af096c4c
linux: 5.5.6 -> 5.5.7 2020-02-28 15:31:15 -05:00
Tim Steinbach fc8e5c65ca
linux: 5.4.22 -> 5.4.23 2020-02-28 15:30:05 -05:00
Tim Steinbach 24720dd250
linux: 4.9.214 -> 4.9.215 2020-02-28 11:06:35 -05:00
Tim Steinbach 44523d0bda
linux: 4.4.214 -> 4.4.215 2020-02-28 11:05:20 -05:00
Tim Steinbach 28fee3fea5
linux: 4.19.106 -> 4.19.107 2020-02-28 11:04:31 -05:00
Tim Steinbach 9f5fa90435
linux: 4.14.171 -> 4.14.172 2020-02-28 11:03:33 -05:00
Tim Steinbach faaa55f4c3
linux: 5.5.5 -> 5.5.6 2020-02-24 08:13:14 -05:00
Tim Steinbach 33780083d7
linux: 5.4.21 -> 5.4.22 2020-02-24 08:12:12 -05:00
Tim Steinbach e6e1f767d2
linux: 4.19.105 -> 4.19.106 2020-02-24 08:11:28 -05:00
Tim Steinbach 86bdbe2c9b
linux: 5.5.4 -> 5.5.5 2020-02-20 08:22:22 -05:00
Tim Steinbach 887d2886e3
linux: 5.4.20 -> 5.4.21 2020-02-20 08:22:21 -05:00
Tim Steinbach 49b4266ad2
linux: 4.19.104 -> 4.19.105 2020-02-20 08:22:21 -05:00
Tim Steinbach 3f448f08aa
linux: 5.6-rc1 -> 5.6-rc2 2020-02-18 16:53:57 -05:00
Tim Steinbach fe61323050
linux: 5.5.3 -> 5.5.4 2020-02-15 15:43:28 -05:00
Tim Steinbach f5357bbe1f
linux: 5.4.19 -> 5.4.20 2020-02-15 15:43:28 -05:00
Tim Steinbach 4c407a299f
linux: 4.9.213 -> 4.9.214 2020-02-15 15:43:27 -05:00
Tim Steinbach e2315d6a7e
linux: 4.4.213 -> 4.4.214 2020-02-15 15:43:27 -05:00
Tim Steinbach f350e37773
linux: 4.19.103 -> 4.19.104 2020-02-15 15:43:26 -05:00
Tim Steinbach daee1daf5d
linux: 4.14.170 -> 4.14.171 2020-02-15 15:43:26 -05:00
Tim Steinbach 25f706b26c
linux: 5.5-rc7 -> 5.6-rc1 2020-02-13 07:41:37 -05:00
Tim Steinbach 0b3dd6026e
linux_latest-libre: 17318 -> 17322 2020-02-12 09:11:05 -05:00
Tim Steinbach da8c2896e8
linux: 5.5.2 -> 5.5.3 2020-02-11 14:42:38 -05:00
Tim Steinbach 05b407ac81
linux: 5.4.18 -> 5.4.19 2020-02-11 14:42:30 -05:00
Tim Steinbach ae4b390551
linux: 4.19.102 -> 4.19.103 2020-02-11 14:42:18 -05:00
Tim Steinbach 657582e43a
linux_latest-libre: 17262 -> 17318 2020-02-10 07:23:08 -05:00
Tim Steinbach 4d8f7a7905
linux: 5.4.17 -> 5.4.18 2020-02-10 07:23:08 -05:00
Tim Steinbach 54c0c2ee70
linux: 4.19.101 -> 4.19.102 2020-02-10 07:23:07 -05:00
Tim Steinbach 854eb8f3ef
linux: 4.14.169 -> 4.14.170 2020-02-10 07:23:07 -05:00
Vladimír Čunát 8130f3c1c2
linux config: revert BPF_JIT_ALWAYS_ON=yes
This reverts a small bit of af808bd82 from PR #73328.  Fixes #79304:
tests.installer.simpleUefiSystemdBoot.x86_64-linux

I still don't know why the regression happened, but this feature doesn't
seem important enough to block the channel now, though it reportedly helps
to mitigate the Spectre 2 attack CVE-2017-5715.
2020-02-09 08:22:00 +01:00
Frederik Rietdijk 419bc0a4cd Revert "Revert "Merge master into staging-next""
In 87a19e9048 I merged staging-next into master using the GitHub gui as intended.
In ac241fb7a5 I merged master into staging-next for the next staging cycle, however, I accidentally pushed it to master.
Thinking this may cause trouble, I reverted it in 0be87c7979. This was however wrong, as it "removed" master.

This reverts commit 0be87c7979.
2020-02-05 19:41:25 +01:00
Frederik Rietdijk 0be87c7979 Revert "Merge master into staging-next"
I merged master into staging-next but accidentally pushed it to master.
This should get us back to 87a19e9048.

This reverts commit ac241fb7a5, reversing
changes made to 76a439239e.
2020-02-05 19:18:35 +01:00
Tim Steinbach ab0e69030e
linux: 5.5.1 -> 5.5.2 2020-02-05 08:30:01 -05:00
Tim Steinbach 447c14e62f
linux: 4.9.212 -> 4.9.213 2020-02-05 08:29:45 -05:00
Tim Steinbach 5b5f9d23f4
linux: 4.4.212 -> 4.4.213 2020-02-05 08:29:30 -05:00
misuzu 149737a2a4 linux: Enable NVME_HWMON
This is available for 5.5+ and enables support for
NVMe drive temperature reporting
2020-02-03 19:08:45 +02:00
Tim Steinbach 508fdb7a7c
linux: 5.5 -> 5.5.1 2020-02-01 09:23:08 -05:00
Tim Steinbach 9b668eb4cc
linux: 5.4.16 -> 5.4.17 2020-02-01 09:18:52 -05:00
Tim Steinbach 0f20047e4c
linux: 4.19.100 -> 4.19.101 2020-02-01 09:18:52 -05:00
Tim Steinbach 38854fa22c
linux: 5.4.15 -> 5.4.16 2020-01-30 16:41:12 -05:00
Tim Steinbach 586fd9a43a
linux: 4.9.211 -> 4.9.212 2020-01-30 16:41:12 -05:00
Tim Steinbach 53c76abcae
linux: 4.4.211 -> 4.4.212 2020-01-30 16:41:12 -05:00
Tim Steinbach 104287202b
linux: 4.19.98 -> 4.19.100 2020-01-30 16:41:11 -05:00
Tim Steinbach 713b0ec29a
linux: 4.14.167 -> 4.14.169 2020-01-30 16:41:11 -05:00
Jörg Thalheim 0fc20ed4fb
perf: fix build on 5.5 2020-01-30 12:11:16 +00:00