3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

5676 commits

Author SHA1 Message Date
Franz Pletz a30bf645f2 sinit: 0.9.2 -> 1.0, fix glibc static linking 2016-08-24 21:31:02 +02:00
Franz Pletz d5189fb7ad lxc: 2.0.3 -> 2.0.4, fixes hardened build 2016-08-24 21:31:02 +02:00
Robin Gloster c26de11551 linuxPackages.perf: fix build with new glibc and remove hack
elfutils now adds a eu- prefix to avoid collisions
2016-08-24 19:19:02 +00:00
Daiderd Jordan 8b8a74d5d6 Merge pull request #17864 from LnL7/darwin-libsecurity
darwin.libsecurity: fix for gnustep makefiles
2016-08-24 19:56:24 +02:00
Robin Gloster 9e47acb89d otpw: disable stackprotector hardening 2016-08-24 17:19:43 +00:00
Shea Levy 8b9b9fad31 Revert "Revert "Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs""
Revert a revert of a merge that shouldn't have been in master but was intentionally in staging.

Next time I'll do this right after the revert instead of so far down the line...

This reverts commit 9adad8612b.
2016-08-24 07:35:30 -04:00
obadz 0e8d2725dc Merge branch 'master' into staging 2016-08-23 18:50:06 +01:00
Joachim Fasting cf592a8969
grsecurity: 4.7.1-201608161813 -> 4.7.2-201608211829 2016-08-23 01:49:34 +02:00
obadz 24a9183f90 Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set
2016-08-22 01:19:35 +01:00
obadz ba50fd7170 Merge branch 'master' into staging 2016-08-22 01:18:11 +01:00
Tim Steinbach 175028582c
linux: 4.7.1 -> 4.7.2 2016-08-21 13:56:45 +00:00
Daiderd Jordan a9e913ffbf
darwin.security_tool: fix for gnustep makefiles 2016-08-20 13:43:58 +02:00
Daiderd Jordan 0ec2ba9497
darwin.libsecurity: fix for gnustep makefiles 2016-08-20 13:32:10 +02:00
Mikael Brockman 1f50e2412f libselinux: fix Python binding
Applies unreleased patch from upstream.
2016-08-19 19:06:25 +03:00
Nikolay Amiantov 2abe917f18 kmod: 22 -> 23, add /lib/modules to module directories 2016-08-19 17:57:08 +03:00
Nikolay Amiantov ff22705793 treewide: replace several /sbin paths by /bin 2016-08-19 17:56:45 +03:00
Nikolay Amiantov 30c9aa2698 kmod: add patch to allow searching for modules in several directories 2016-08-19 17:56:39 +03:00
obadz 1047ed49d9 Merge branch 'master' into staging
Conflicts: pkgs/os-specific/linux/kmod/default.nix cc @abbradar
2016-08-19 15:28:58 +01:00
Tuomas Tynkkynen bd68309643 kernel config: Enable SECCOMP
This is used by systemd >= 231 and is not enabled in the ARM
multiplatform defconfig.
2016-08-18 16:33:46 +03:00
Joachim Fasting 66a3f0e988
gradm: 3.1-201607172312 -> 3.1-201608131257 2016-08-17 15:19:33 +02:00
Joachim Fasting ba20363f11
grsecurity: 4.7-201608151842 -> 4.7.1-201608161813 2016-08-17 15:19:27 +02:00
Franz Pletz 2571438988 linux: 4.7 -> 4.7.1 2016-08-17 05:46:00 +02:00
Franz Pletz 7a4407461b linux: 4.6.6 -> 4.6.7
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Franz Pletz da95fb368c linux: 4.4.17 -> 4.4.18
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Franz Pletz 2104d28bcd linux: 4.1.27 -> 4.1.30
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Frederik Rietdijk 5a501bd828 Remove top-level dbus_python and pythonDBus.
See #11567.

Furthermore, it renames pythonPackages.dbus to pythonPackages.dbus-
python as that's the name upstream uses.

There is a small rebuild but I couldn't figure out the actual cause.
2016-08-16 22:52:37 +02:00
Domen Kožar 40da4e6ce7 fix eval 2016-08-16 22:30:15 +02:00
Robert Helgesson f396a0b4d0
hd-idle: init at 1.05 2016-08-16 21:59:14 +02:00
Joachim Fasting d82ddd6dc0
grsecurity: 4.7-201608131240 -> 4.7-201608151842 2016-08-16 17:50:37 +02:00
Joachim Fasting b1cceeda84
grsecurity: enable pax size overflow plugin 2016-08-16 17:50:36 +02:00
Joachim Fasting 3fcb9e6f57
grsecurity: support non-enforcing mode
Until we've made sure that most things actually work out of the box, we
need to give people a way of continuing to use the system without
completely disabling grsecurity.

Set sysctl kernel.pax.softmode=1 or boot with pax.softmode=1
2016-08-16 17:50:36 +02:00
Robin Gloster 33e1c78ae3 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-16 07:54:01 +00:00
Nikolay Amiantov 081ac25dc6 kmod: 22 -> 23, add /lib/modules to module directories 2016-08-16 02:42:19 +03:00
Shea Levy 9adad8612b Revert "Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs"
Was meant to go into staging, sorry

This reverts commit 57b2d1e9b0, reversing
changes made to 760b2b9048.
2016-08-15 19:05:52 -04:00
Shea Levy 57b2d1e9b0 Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs 2016-08-15 19:01:44 -04:00
Nikolay Amiantov 1afd250676 treewide: replace several /sbin paths by /bin 2016-08-16 00:19:25 +03:00
Nikolay Amiantov 131fca0a85 kmod: add patch to allow searching for modules in several directories 2016-08-16 00:19:25 +03:00
Joachim Fasting 9062c67914
grsecurity: 4.6.5-201607312210 -> 4.7-201608131240 2016-08-15 20:36:46 +02:00
Moritz Ulrich 21df40f85f systemd-cryptsetup-generator: Fix bug.
The annoying wrapper script also wraps `systemd-cryptsetup`. We need to
copy the original binary to $out too.
2016-08-15 12:42:44 +02:00
Nikolay Amiantov 5b296a1470 Merge branch 'master' into staging 2016-08-15 10:34:28 +03:00
Franz Pletz 64c79e8526 linux: 4.6.5 -> 4.6.6 2016-08-15 04:28:08 +02:00
Franz Pletz 2a8718fb0b linux_4_5: remove, not support by upstream anymore 2016-08-15 04:28:02 +02:00
Robin Gloster a37d695c95 linuxPackages.spl: remove unnecessary substituteInPlace
`substituteInPlace` was operating on a non-existant file.
Updated to use `autoreconfHook`.
2016-08-14 22:55:21 +00:00
Dan Peebles ea34fe82bc swift-corefoundation: some cleanup
I upstreamed some patches so I'm using those now
2016-08-14 18:22:19 -04:00
Dan Peebles 4705a9a6c1 swift-corefoundation: actually remove spurious dependency 2016-08-14 17:42:03 -04:00
Dan Peebles 6cf13bfe66 swift-corefoundation: remove spurious buildInput
libpthread is part of libSystem, so there's no need to depend on it
explicitly
2016-08-14 17:40:05 -04:00
Dan Peebles 1861744e7c swift-corefoundation: init
This currently only produces a static library, but is a start :) soon we
might be able to incorporate it into our stdenv, but we need to get the
build system to produce a proper .framework first.
2016-08-14 17:35:44 -04:00
Dan Peebles 98b5e3a531 darwin.libpthread: fix messed-up header
We don't actually need the private headers and the private qos.h was
overwriting the public one, causing weird issues downstream (especially
with Swift's CoreFoundation)
2016-08-14 17:34:55 -04:00
Michele Guerini Rocco 7522de2f4b btfs: 2.10 -> 2.11 (#17737)
(cherry picked from commit 340a9571f5)
2016-08-14 21:14:20 +00:00
Robin Gloster a6c5638565 Revert "btfs: 2.10 -> 2.11 (#17737)"
This reverts commit 340a9571f5.
2016-08-14 21:12:21 +00:00
Michele Guerini Rocco 340a9571f5 btfs: 2.10 -> 2.11 (#17737) 2016-08-14 22:48:56 +02:00
Nikolay Amiantov 3e84cbc4ca autofs5: 5.1.1 -> 5.1.2 2016-08-14 22:39:18 +03:00
Nikolay Amiantov c60deb0266 quote homepages for better clickability
Done while I was traversing packages which I maintain to save extra clicks on
urxvt (it captures semicolon as a part of URL).
2016-08-14 22:37:10 +03:00
Nikolay Amiantov b30f4e5e4f android-udev-rules: 2016-04-26 -> 20160805 2016-08-14 22:37:10 +03:00
Dan Peebles 948b7f23bb darwin.{xnu, Libc}: 10.9 -> 10.11
I can't submit this in smaller units because the various components all
depend on one another during the stdenv bootstrap, so I think this is
the smallest sensible change I can make.

I also removed the symbol-hiding shenanigans in Libsystem. It might mess
up compatibility with 10.9 but I don't really want to support the added
complexity and I see little evidence of anyone else wanting to support
it. If someone cares, we might be able to revive compatibility, but for
now it'll stay like this.
2016-08-14 12:53:33 -04:00
Eric Sagnes f0fef4defb wireguard-unstable: 2016-07-22 -> 2016-08-08 (#17727) 2016-08-14 10:47:16 +00:00
Robin Gloster 99cb230b47 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-14 09:09:20 +00:00
Robin Gloster 8071cafe66 linuxPackages.rtl8812au: fix build 2016-08-14 08:59:55 +00:00
Robin Gloster 2676cf9525 linuxPackages.lttng-modules: fix build 2016-08-14 08:59:19 +00:00
Domen Kožar a7f8787dbd Merge pull request #17705 from womfoo/bump/hwdata-0.291
hwdata: 0.276 -> 0.291
2016-08-13 17:00:08 +02:00
Franz Pletz bd4490e277 Merge branch 'master' into hardened-stdenv 2016-08-13 16:59:55 +02:00
Franz Pletz fa3a35b241 linuxPackages.fusionio-vsl: disable pic hardening (still broken) 2016-08-13 16:55:26 +02:00
Franz Pletz b2c6d28a1d linuxPackages.ndiswrapper: disable pic hardening (still broken) 2016-08-13 16:50:43 +02:00
Franz Pletz 9e7d118ea2 linuxPackages.nvidia-x11: disable pic & format hardening 2016-08-13 16:49:42 +02:00
Franz Pletz 5103e70a37 linuxPackages.nvidiabl: disable pic hardening 2016-08-13 16:44:39 +02:00
Franz Pletz 73a9ce2ce3 linuxPackages.psmouse_alps: remove, driver in kernel since 3.9 2016-08-13 16:42:35 +02:00
Franz Pletz 62e6bc0bd9 linuxPackages.prl-tools: disable pic hardening 2016-08-13 16:40:42 +02:00
Franz Pletz f55fd87c8a linuxPackages.ixgbevf: disable pic hardening 2016-08-13 16:30:35 +02:00
Franz Pletz 5e085b7fea linuxPackages.e1000e: disable pic hardening 2016-08-13 16:25:29 +02:00
Franz Pletz d836b811cb linuxPackages.cryptodev: 1.6 -> 1.8, disable pic hardening 2016-08-13 16:24:38 +02:00
Franz Pletz f5c9f99877 linuxPackages.ati_drivers_x11: disable pic & format hardening 2016-08-13 16:06:57 +02:00
Franz Pletz a8deb8d647 linuxPackages.frandom: disable pic hardening 2016-08-13 16:03:32 +02:00
Franz Pletz 7d9d2d6872 linuxPackages.broadcom_sta: disable pic hardening 2016-08-13 16:02:02 +02:00
Robin Gloster 0f274be2fd linuxPackages.ena: disable pic 2016-08-13 10:12:07 +00:00
Kranium Gikos Mendoza 1bbcc7e378 hwdata: 0.276 -> 0.291 2016-08-13 10:06:34 +08:00
Luca Bruno fda17cfd0e Merge pull request #17703 from womfoo/bump/microcode-intel-20160714
microcode-intel: 20150121 -> 20160714
2016-08-12 21:44:34 +01:00
Kranium Gikos Mendoza 050452dd7f microcode-intel: 20150121 -> 20160714 2016-08-13 03:53:03 +08:00
obadz b2efe2babd Revert "linux kernel 4.4: fix race during build"
Removes patch. Was fixed upstream.

This reverts commit 4788ec1372.
2016-08-12 16:42:25 +01:00
Guillaume Maudoux b1817fa8a3 linux_mptcp: 0.90.1 (kernel 3.18) -> 0.91 (kernel 4.1) (#17675) 2016-08-12 15:14:24 +02:00
Robin Gloster b7787d932e Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-12 09:46:53 +00:00
obadz 18947c9e36 Revert "ecryptfs: fix kernel bug introduced in 4.4.14"
The Linux 4.4.17 release fixes the underlying issue

This reverts commit fad9a8841b.
2016-08-11 17:15:54 +01:00
Michael Raskin b893d84d53 firejail: 0.9.40-rc1 -> 0.9.42-rc1 2016-08-11 17:57:35 +02:00
Michael Raskin 8b4eb6fa4d eudev: 3.1.5 -> 3.2 2016-08-11 17:57:35 +02:00
Eelco Dolstra e26ac7afd4 linux: 4.4.16 -> 4.4.17 2016-08-11 15:20:07 +02:00
obadz 1cd9c58834 Merge pull request #17461 from rasendubi/powerpc
cross-compilation: fixes for powerpc-linux-uclibc
2016-08-11 00:51:51 +01:00
Kranium Gikos Mendoza 33166b7434 wireguard: require Linux >= 4.1 for module build (#17632) 2016-08-11 00:25:57 +02:00
Frederik Rietdijk 111d7a2af4 Merge pull request #17623 from matthewbauer/misc
Misc. hydra fixes
2016-08-10 11:35:44 +02:00
Franz Pletz bba9728cd6 jool: 3.4.2 -> 3.4.4 2016-08-10 07:12:08 +02:00
Franz Pletz aec9abc8e1 iputils: 20121221 -> 20151218 2016-08-10 07:12:08 +02:00
Matthew 0540e567a8 uksmtools: delete
Sources are not available from GitHub anymore and it appears to be
unmantained. A request was sent to the AUR mailing list to delete it on
May 26, 2016:

https://lists.archlinux.org/pipermail/aur-requests/2016-May/011706.html
2016-08-09 21:06:27 +00:00
Moritz Ulrich 9626707e2b systemd-cryptsetup-generator: Add note to revert 3efadce. 2016-08-09 19:21:58 +02:00
Moritz Ulrich 3efadce03b systemd-cryptsetup-generator: Fix installPhase. 2016-08-09 19:21:25 +02:00
Tuomas Tynkkynen 9a5427f667 klibc: Broken on i686 2016-08-06 17:06:45 +03:00
Tuomas Tynkkynen 088bcf4ec4 kernel config: Fix 3.10, 3.12, 3.14 builds 2016-08-06 17:06:45 +03:00
Tuomas Tynkkynen 44f462bf4d generate-config.pl: Be more verbose about missing options
For instance, the current 3.10 kernel build fails at the end with:

unused option: BRCMFMAC_PCIE
unused option: FW_LOADER_USER_HELPER_FALLBACK
unused option: KEXEC_FILE
unused option: RANDOMIZE_BASE

However, it's not obvious that only the _last_ one is actually fatal to
the build. After this change it's at least somewhat better:

warning: unused option: BRCMFMAC_PCIE
warning: unused option: FW_LOADER_USER_HELPER_FALLBACK
warning: unused option: KEXEC_FILE
error: unused option: RANDOMIZE_BASE
2016-08-06 17:06:45 +03:00
Robin Gloster bc025e83bd uclibc: disable stackprotector hardening 2016-08-05 18:15:27 +00:00
Michal Rus 7281740c2e
linux: enable DRM_GMA600 and DRM_GMA3600
Adds basic support for Intel GMA3600/3650 (Intel Cedar Trail) platforms
and support for GMA600 (Intel Moorestown/Oaktrail) platforms with LVDS
ports via the gma500_gfx module.

Resolves #14727 Closes #17519
2016-08-05 19:07:40 +02:00
Franz Pletz 2d6b7aa545 linux: enable some useful networking options
All options are enabled by default on Debian and some other
distributions, so these should be safe.
2016-08-05 04:07:31 +02:00
Robin Gloster 1b979d8384 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-03 13:34:44 +00:00
Frederik Rietdijk db06460257 Merge pull request #17447 from FRidh/nvidia
nvidia-x11: fix driSupport32Bit
2016-08-03 08:36:24 +02:00
Alexey Shmalko 5ab8e0d2aa
uclibc: claim maintainership 2016-08-03 03:35:54 +03:00
Tuomas Tynkkynen 21f17d69f6 treewide: Add lots of meta.platforms
Build-tested on x86_64 Linux & Mac.
2016-08-02 21:42:43 +03:00
Tuomas Tynkkynen 2258b21e4b treewide: Add lots of platforms to packages with no meta
Build-tested on x86_64 Linux and on Darwin.
2016-08-02 21:17:44 +03:00
Tuomas Tynkkynen 59ce911810 treewide: Some EOF-whitespace fixes 2016-08-02 21:17:44 +03:00
Franz Pletz f2a66d4c16 criu: fix merge fail
d020caa5b2 vs. e3d0fe898b
2016-08-02 17:52:51 +02:00
Robin Gloster 1be4907ca2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-02 13:46:36 +00:00
Frederik Rietdijk 8eb4b3af10 nvidia-x11: fix driSupport32Bit 2016-08-02 13:03:44 +02:00
aszlig fef4b62657
broadcom_sta: Add patch to fix NULL pointer deref
The patch is from the following Gentoo bug:

https://bugs.gentoo.org/show_bug.cgi?id=523326#c24

Built successfully against Linux 3.18.36, 4.4.16 and 4.7.0.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @phreedom, @vcunat
2016-08-01 21:05:15 +02:00
aszlig 8f08399671
broadcom_sta: Reindent file, no code changes
Let's make sure we indent using two spaces, because the unpackPhase was
indented using four spaces.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-08-01 21:05:15 +02:00
aszlig 4d3545f2a5
broadcom_sta: Add patch for supporting Linux 4.7
Patch is from Arch Linux at:

https://aur.archlinux.org/cgit/aur.git/tree/?h=broadcom-wl

I've tested building against 3.18.36, 4.4.16 and 4.7.0.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @phreedom, @vcunat
2016-08-01 21:05:15 +02:00
aszlig bd7ce1581d
broadcom_sta: 6.30.223.248 -> 6.30.223.271
The patch for kernel version 3.18 is already applied upstream, so we
don't need it any longer.

Without i686-build-failure.patch, the build for i686-linux fails because
it references rdtscl(), which is no longer available in Linux 4.3.0.

Patch for missing rdtscl() is from Arch Linux:

https://aur.archlinux.org/cgit/aur.git/tree/002-rdtscl.patch?h=broadcom-wl-ck

I've tested building against 32 and 64 bit Linux versions 3.18.36,
4.4.16 and 4.7.0.

The hashes were verified using the ones from the AUR (using the 16 bit
hashes of course):

$ nix-hash --type sha256 --to-base16 1kaqa2dw3nb8k23ffvx46g8jj3wdhz8xa6jp1v3wb35cjfr712sg
4f8b70b293ac8cc5c70e571ad5d1878d0f29d133a46fe7869868d9c19b5058cd
$ nix-hash --type sha256 --to-base16 1gj485qqr190idilacpxwgqyw21il03zph2rddizgj7fbd6pfyaz
5f79774d5beec8f7636b59c0fb07a03108eef1e3fd3245638b20858c714144be

AUR hashes can be found at:

https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=broadcom-wl&id=9d6f10b1b7745fbf5d140ac749e2253caf70daa8#n26

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @phreedom, @vcunat
2016-08-01 21:05:15 +02:00
Karn Kallio 5d11dac8bb nvidia-x11: advance to 365.35 and patch kernel 4.7. 2016-08-01 10:19:57 -04:00
Joachim Fasting 76f2e827a7
grsecurity: 4.6.5-201607272152 -> 4.6.5-201607312210 2016-08-01 12:46:48 +02:00
Robin Gloster 63c7b4f9a7 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-31 20:51:34 +00:00
Robin Gloster 43ba8d295f nvidia-x11: disable pic/format hardening 2016-07-31 20:38:38 +00:00
Eric Sagnes d6452987fb wireguard: 20160708 -> 2016-07-22 (#17362) 2016-07-31 13:57:37 +02:00
Franz Pletz 2fa9bd5059 hostapd: add patch to fix build with libressl
Fixes #17315.
2016-07-29 12:03:08 +02:00
Joachim Fasting 83f783c00f
grsecurity: 4.6.4-201607242014 -> 4.6.5-201607272152 2016-07-29 00:24:00 +02:00
Franz Pletz 9aee2a17af linux: 4.6.4 -> 4.6.5
Removed patch was applied upstream.
2016-07-28 23:05:27 +02:00
Franz Pletz b68fe1a572 linux: 4.5.6 -> 4.5.7 2016-07-28 23:05:27 +02:00
Eelco Dolstra 42f8df10a2 linux: 4.4.16 -> 4.4.16 2016-07-28 17:03:55 +02:00
Eelco Dolstra 51871dfb37 systemd: 230 -> 231 2016-07-28 17:03:55 +02:00
rnhmjoj 50cbb5bd30
rewritefs: 2016-02-08 -> 2016-07-27 2016-07-27 03:51:08 +02:00
Vladimír Čunát 375ae11a34 tiptop: init at 2.3 2016-07-26 11:55:23 +02:00
Robin Gloster f222d98746 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-25 12:47:13 +00:00
Joachim Fasting e725c927d4
grsecurity: 4.6.4-201607192040 -> 4.6.4-201607242014 2016-07-25 09:11:28 +02:00
Shea Levy ac93e9f2c8 Linux 4.7 2016-07-24 18:30:08 -04:00
Joachim Fasting f1187c4605
gradm: ensure that udev rules are actually installed
Another regression on my part: gradm won't install the rules unless
$(DESTDIR)/etc/udev/rules.d exists.
2016-07-24 12:54:07 +02:00
Tuomas Tynkkynen 9cccf35f98 dmraid: Fix typo 2016-07-23 13:24:18 +03:00
Matthew Robbetts e434ce8f49 hostapd: 2.4 -> v2.5, fixes #17164 2016-07-23 00:56:53 +02:00
Daiderd Jordan 44c5b729b8 osx-private-sdk: Fix hash (#17185)
- use fetchFromGitHub
2016-07-23 00:54:25 +02:00
Joachim Fasting e4b7b7b028
gradm: 3.1-201507191652 -> 3.1-201607172312 2016-07-22 17:57:26 +02:00
Lluís Batlle i Rossell dd02b6f118 perf: depend on libiberty to get c++ demangling. 2016-07-21 17:27:15 +02:00
Robin Gloster 1f04b4a566 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-21 00:56:43 +00:00
Robin Gloster cc540843fe linuxPackages.wireguard: disable pic 2016-07-21 00:01:20 +00:00
Markus Hauck 2a3fe4df43 sysdig: 0.10.0 -> 0.11.0 2016-07-20 21:27:40 +02:00
Joachim Fasting 55120ac4cb
grsecurity: 4.6.4-201607112205 -> 4.6.4-201607192040 2016-07-20 10:17:35 +02:00
Joachim Fasting c93ffb95bc
grsecurity: enable support for setting pax flags via xattrs
While useless for binaries within the Nix store, user xattrs are a convenient
alternative for setting PaX flags to executables outside of the store.

To use disable secure memory protections for a non-store file foo, do
  $ setfattr -n user.pax.flags -v em foo
2016-07-20 10:17:11 +02:00
Tuomas Tynkkynen 2fefa331e7 busybox: Fix cross build with musl 2016-07-20 02:38:10 +03:00
Graham Christensen 46655e4524 Merge pull request #17085 from j1r1k/gfxtablet-1.4
gfxtablet: git-2013-10-21 -> 1.4
2016-07-19 19:23:47 +00:00
Jiri Marsicek 4a86f9a44f gfxtablet: git-2013-10-21 -> 1.4 2016-07-19 20:47:00 +02:00
Robin Gloster 04d873a626 osx-private-sdk: Fix hash 2016-07-19 12:19:58 +00:00
Joachim F bb6fb70d6b Merge pull request #16979 from markus1189/sysdig
sysdig: 0.9.0 -> 0.10.0
2016-07-19 12:49:05 +02:00
Robin Gloster 203846b9de Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-19 10:37:02 +00:00
Franz Pletz 039f0e5cb0 firmwareLinuxNonfree: 2016-05-18 -> 2016-07-12 2016-07-19 07:55:27 +02:00
Nikolay Amiantov 28740462e7 busybox: fix static build 2016-07-19 05:20:02 +03:00
Tuomas Tynkkynen 6e0ab36de0 Merge pull request #16963 from womfoo/init/cking-kernel-tools
Init {fnotify,fork,power,smem}stat kernel tools
2016-07-16 21:15:23 +03:00
Tuomas Tynkkynen a4dfa90139 Merge pull request #17012 from womfoo/fix/lightum
lightum: fix build against systemd-230
2016-07-16 17:12:27 +03:00
Kranium Gikos Mendoza eb34cf1b6d lightum: fix build against systemd-230 2016-07-16 21:57:23 +08:00
Rickard Nilsson 8fa4dc174f Merge pull request #16899 from kragniz/lxc-2.0.3
lxc: 2.0.1 -> 2.0.3
2016-07-16 10:37:12 +02:00
Kranium Gikos Mendoza b68689ebb2 smemstat: init at 0.01.14 2016-07-16 12:09:40 +08:00
Kranium Gikos Mendoza a28dda1102 powerstat: init at 0.02.10 2016-07-16 12:09:40 +08:00
Kranium Gikos Mendoza f88f31c4f0 forkstat: init at 0.01.13 2016-07-16 12:09:32 +08:00
Robin Gloster 5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
Markus Hauck 36c906e7c0 sysdig: 0.9.0 -> 0.10.0 2016-07-15 10:35:19 +02:00
Arseniy Seroka 658579cc57 Merge pull request #16961 from womfoo/bump/eventstat-0.03.02
eventstat: 0.02.02 -> 0.03.02
2016-07-14 22:19:33 +04:00
Kranium Gikos Mendoza b795186f2e fnotifystat: init at 0.01.14 2016-07-15 00:44:41 +08:00
Kranium Gikos Mendoza cbeb320c47 eventstat: 0.02.02 -> 0.03.02 2016-07-15 00:06:39 +08:00
Vladimír Čunát 1b5ac05845 Merge branch 'staging'
Includes security fixes in gd and libarchive.
2016-07-14 15:51:28 +02:00
Eric Sagnes c6f99a3a92 wireguard: split module and tools (#16883) 2016-07-13 21:15:11 +02:00
obadz 927a984de6 kernel: make KEXEC_FILE & KEXEC_JUMP optional to fix i686 build
cc @edolstra @dezgeg @domenkozar
2016-07-13 12:49:18 +02:00
obadz fad9a8841b ecryptfs: fix kernel bug introduced in 4.4.14
Introduced by mainline commit 2f36db7
Patch is from http://www.spinics.net/lists/stable/msg137350.html
Fixes #16766
2016-07-13 11:04:07 +02:00
Nikolay Amiantov d9aafc885f Merge branch 'early-kbd' into staging 2016-07-13 03:56:07 +03:00
Nikolay Amiantov 1848bfc92d Merge branch 'plymouth' into staging 2016-07-13 03:54:38 +03:00
Louis Taylor f51f6a36e8 lxc: 2.0.1 -> 2.0.3 2016-07-13 00:35:20 +01:00
Vladimír Čunát 40785f0dac Merge branch 'master' into staging
Hydra nixpkgs: ?compare=1282763
2016-07-12 22:00:10 +02:00
Nikolay Amiantov 6e21246dc4 plymouth: 0.9.0 -> 0.9.2
Use system-wide directories for various resources.
2016-07-12 22:22:28 +03:00
Franz Pletz dde259dfb5 linux: Add patch to fix CVE-2016-5829 (#16824)
Fixed for all available 4.x series kernels.

From CVE-2016-5829:

  Multiple heap-based buffer overflows in the hiddev_ioctl_usage function
  in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow
  local users to cause a denial of service or possibly have unspecified
  other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl
  call.
2016-07-12 20:56:50 +02:00
Joachim Fasting 416120e0c7
grsecurity: 4.6.3-201607070721 -> 4.6.4-201607112205 2016-07-12 15:15:09 +02:00
Tim Steinbach 47da65923b kernel: 4.6.3 -> 4.6.4 (#16875) 2016-07-12 09:54:57 +02:00
Tim Steinbach 9672c36651 conky: 1.10.1 -> 1.10.3 2016-07-11 23:20:25 +00:00
Eric Sagnes 1b41283eb3 wireguard: init at 20160708 (#16856) 2016-07-11 18:05:23 +02:00
Louis Taylor b2b8a89945 linux-testing: 4.7-rc6 -> 4.7-rc7 (#16854) 2016-07-11 17:53:41 +02:00
Eelco Dolstra ecc26d7a40 linux: Disable the old IDE subsystem
This has long been deprecated in favour of the new ATA support
(CONFIG_ATA).
2016-07-11 15:05:21 +02:00
Eelco Dolstra 7b9c493d60 linux: Enable some kernel features
This enables a few features that should be useful and safe (they're
all used by the default Ubuntu kernel config), in particular zswap,
wakelocks, kernel load address randomization, userfaultfd (useful for
QEMU), paravirtualized spinlocks and automatic process group
scheduling.

Also removes some configuration conditional on kernel versions that we
no longer support.
2016-07-11 15:04:56 +02:00
Eelco Dolstra 1cd7dbc00b linux: Bump NR_CPUS
The default limit (64) is too low for systems like EC2 x1.* instances
or Xeon Phis, so let's increase it.
2016-07-11 14:32:18 +02:00
Eelco Dolstra 8710672225 ena: Init at 20160629
This adds the Amazon Elastic Network Adapter kernel module required by
EC2 x1.* instances.
2016-07-11 14:32:18 +02:00
Franz Pletz 0f96c69026 batman-adv: 2016.1 -> 2016.2 2016-07-11 04:04:49 +02:00
Vladimír Čunát 6f07fdf469 v4l-utils: 1.6.3 -> 1.10.1
This fixes build after libjpeg(-turbo) update.
/cc maintainers: @codypoel, @viric.
2016-07-09 18:54:44 +02:00
Nikolay Amiantov da97ba359e busybox: set default keymap path 2016-07-08 20:44:01 +03:00
Nikolay Amiantov 8b92103ae8 Merge branch 'master' into staging 2016-07-08 20:36:44 +03:00
Nikolay Amiantov 4ae98c2064 Merge branch 'kbd-paths' into staging
Closes #16642
2016-07-08 20:35:25 +03:00
Nikolay Amiantov 00e67f0df0 systemd: use plymouth from system path 2016-07-08 15:23:47 +03:00
Nikolay Amiantov 8bbfba48c4 systemd: move hwdb patch to the fork itself 2016-07-08 15:23:47 +03:00
Nikolay Amiantov 1ac6f1fe25 systemd: update fork revision 2016-07-08 15:23:07 +03:00
Nikolay Amiantov c89843b604 kbd: split keymaps into kbdKeymaps 2016-07-08 12:52:39 +03:00
zimbatm 2459ddd4f6 Merge pull request #16703 from zimbatm/nologin-error
Nologin error
2016-07-07 22:58:53 +01:00
Joachim Fasting a2ebf45b47
grsecurity: 4.5.7-201606302132 -> 4.6.3-201607070721 2016-07-07 19:34:58 +02:00
Eelco Dolstra 04eb7492dc ixgbevf: Init at 3.2.2
This driver is necessary for Enhanced Networking on most EC2 instance
types.
2016-07-07 17:51:10 +02:00
Joachim Fasting 2dd009ec97 Merge pull request #16622 from womfoo/bump/sysstat-11.2.5
sysstat: 11.0.7 -> 11.2.5
2016-07-05 19:53:58 +02:00
Tobias Geerinckx-Rice cb86518fd3
radeontop: 2016-07-03 -> 2016-07-04
Add support for unprivileged use on both the Linux console and X.
2016-07-05 09:29:42 +02:00
zimbatm c1a202de05 shadow: fix passthru
The shadow package's shellPath wasn't detected properly

Fixes #16428
2016-07-04 15:12:27 +01:00
Eelco Dolstra 03fcbf6317 Merge pull request #16697 from mimadrid/update/perf-tools-20160418
perf-tools: 20150723 -> 20160418
2016-07-04 14:26:05 +02:00
Tuomas Tynkkynen 4085f4de5f Merge branch 'pr-newest-uboot' into master 2016-07-04 15:17:46 +03:00
Tuomas Tynkkynen 55aecd308e linux-rpi: 4.1.20-XXX -> 4.4.13-1.20160620-1
- Add a patch to unset CONFIG_LOCALVERSION in the v7 build.
- Copy all the device trees to match the upstream names so U-Boot can
  find them. (This is a hack.)
2016-07-04 15:13:29 +03:00
mimadrid b9315a6e24
perf-tools: 20150723 -> 20160418 2016-07-04 12:29:31 +02:00
aszlig 566c990f33
linux-testing: 4.6-rc6 -> 4.7-rc6
The config option DEVPTS_MULTIPLE_INSTANCES now no longer exists since
torvalds/linux@eedf265aa0.

Built successfully on my Hydra instance:

https://headcounter.org/hydra/log/r4n6sv0zld0aj65r7l494757s2r8w8sr-linux-4.7-rc6.drv

Verified unpacked tarball with GnuPG:

ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886

gpg: Signature made Mon 04 Jul 2016 08:13:05 AM CEST
gpg:                using RSA key 79BE3E4300411886
gpg: Good signature from "Linus Torvalds <torvalds@linux-foundation.org>"

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-07-04 10:46:48 +02:00
Tuomas Tynkkynen 1d069ff6ac rtl8723bs: Support all Linux 2016-07-04 02:07:13 +03:00
Tuomas Tynkkynen d8cd615720 raspberrypifw: 1.20160315 -> 1.20160620
- Use fetchFromGitHub
- Some files in bin/ are now shell scripts, so skip patchelf on any
  non-ELF files.

With this U-Boot can be successfully launched on a RPi 3.
2016-07-04 01:53:13 +03:00
Rastus Vernon 77d9966d93 cryptsetup: update project homepage
The project was moved from code.google.com to gitlab.com.
2016-07-03 21:43:52 +02:00
Tobias Geerinckx-Rice d01af30994
radeontop: 2015-11-24 -> 2016-07-03 2016-07-03 21:25:19 +02:00
Nikolay Amiantov 8530181246 kbd: add system-wise search paths for NixOS 2016-07-03 03:23:05 +03:00
Joachim Fasting 640ac5186f
grsecurity: 4.5.7-201606292300 -> 4.5.7-201606302132 2016-07-02 20:37:52 +02:00
Michele Guerini Rocco d75c7d0dcd btfs: 2.9 -> 2.10 (#16603) 2016-06-30 23:39:15 +02:00
Kranium Gikos Mendoza 84a1057b41 sysstat: 11.0.7 -> 11.2.5 2016-06-30 21:39:50 +08:00
Joachim Fasting 51c04b74c1
grsecurity: 4.5.7-201606280009 -> 4.5.7-201606292300 2016-06-30 11:09:59 +02:00
Al Zohali c4b346a539 conky: added double buffer support
Closes #16515.
2016-06-30 09:48:06 +02:00
Ruslan Babayev d515d72aba dpdk: pktgen: odp-dpdk: upgrades (#16585)
* dpdk: fix a typo

* dpdk: separate configure phase

* odp-dpdk: 1.8.0.0 -> 1.10.1.0

* pktgen: 3.0.00 -> 3.0.04

* pktgen: add withGtk build option
2016-06-29 10:34:17 +02:00
Vladimír Čunát 3afa246038 Merge branch 'staging'
This includes a security update of expat.
2016-06-29 07:47:04 +02:00
Joachim Fasting cd3da41b18 Merge pull request #16523 from grahamc/acpitool-patches
acpitool: port debian patches
2016-06-29 00:59:07 +02:00
Joachim Fasting cdcdc25ef3
grsecurity: 4.5.7-201606262019 -> 4.5.7-201606280009 2016-06-28 14:57:20 +02:00
Joachim Fasting d5eec25ff9
grsecurity: 4.5.7-201606222150 -> 4.5.7-201606262019 2016-06-27 21:42:17 +02:00
Franz Pletz 4bbb5c7e4c firmwareLinuxNonfree: 2016-01-26 -> 2016-05-18 2016-06-27 00:21:26 +02:00
Franz Pletz 4a16066852 linuxPackages.netatop: 0.7 -> 1.0 2016-06-27 00:20:13 +02:00
Franz Pletz 7e9affa7ee linux_4_3: Remove, not maintained anymore 2016-06-27 00:11:16 +02:00
Franz Pletz eed51eccef linux: 3.10.101 -> 3.10.102 2016-06-27 00:11:16 +02:00
Franz Pletz b7e0b118d9 linux: 3.12.57 -> 3.12.61 2016-06-27 00:11:04 +02:00
Franz Pletz 0387eddb51 linux: 3.14.65 -> 3.14.73 2016-06-27 00:10:38 +02:00
Franz Pletz 6165af4db2 linux: 3.18.29 -> 3.18.36 2016-06-27 00:09:56 +02:00
Franz Pletz 5806b185bd linux: 4.1.25 -> 4.1.27 2016-06-27 00:09:30 +02:00
Franz Pletz 4a942499b4 linux: 4.4.13 -> 4.4.14 2016-06-27 00:08:11 +02:00
Graham Christensen 085f98490e
acpitool: port debian patches
Without these patches, specifically the
0001-Do-not-assume-fixed-line-lengths-for-proc-acpi-wakeu.patch (wakeu
patch typo from upstream,) acpitool will consume 100% CPU when reading
long lines (>40 characters) like:

    ADP1	  S4	*disabled  platform:ACPI0003:00
2016-06-26 13:14:10 -05:00
Joachim Fasting 4fb72b2fd3
grsecurity: 4.5.7-201606202152 -> 4.5.7-201606222150 2016-06-26 17:27:17 +02:00
Joachim Fasting 5313f1096a Merge pull request #16510 from womfoo/guvcview
guvcview: 2.0.2 -> 2.0.4
2016-06-26 13:24:54 +02:00
Kranium Gikos Mendoza 66073374af guvcview: 2.0.2 -> 2.0.4 2016-06-26 13:44:24 +08:00
Tim Steinbach 125ffff089 kernel: 4.6.2 -> 4.6.3 2016-06-24 22:18:16 +00:00
Vladimír Čunát 6b27ceb006 Merge 'master' into staging and re-revert merge
... from staging to master, reverted temporarily in aa9a04883e.
2016-06-23 12:09:03 +02:00
Vladimír Čunát aa9a04883e Revert "Merge branch 'staging'" due to glibc
The main output started to retain dependency on bootstrap-tools; see
https://github.com/NixOS/nixpkgs/pull/15867#issuecomment-227949096

This reverts commit c05d829598, reversing
changes made to f073df60d6.
2016-06-23 09:25:10 +02:00
Joachim Fasting 9d052a2c39
grsecurity: 4.5.7-201606142010 -> 4.5.7-201606202152 2016-06-23 00:55:54 +02:00
Vladimír Čunát c05d829598 Merge branch 'staging' 2016-06-22 10:49:56 +02:00
Tobias Geerinckx-Rice eec8d44335
nvidia_x11_legacy*: remove unused nvidia-340.76-kernel-4.0.patch 2016-06-22 03:58:55 +02:00
Gabriel Ebner 0d9bb144d9 dstat: 0.7.2 -> 0.7.3 2016-06-20 18:08:31 +02:00
Bjørn Forsman bd01fad0ed Captialize meta.description of all packages
In line with the Nixpkgs manual.

A mechanical change, done with this command:

  find pkgs -name "*.nix" | \
      while read f; do \
          sed -e 's/description\s*=\s*"\([a-z]\)/description = "\u\1/' -i "$f"; \
      done

I manually skipped some:

* Descriptions starting with an abbreviation, a user name or package name
* Frequently generated expressions (haskell-packages.nix)
2016-06-20 13:55:52 +02:00
Eelco Dolstra 453086a15f linux: 4.4.12 -> 4.4.13 2016-06-20 13:11:55 +02:00
zimbatm 7c32638439 Merge pull request #16259 from layus/update-mptcp
linux_mptcp: update 0.90 -> 0.90.1
2016-06-20 09:29:07 +01:00
zimbatm 31c158ad45 Merge pull request #16189 from zimbatm/usershell-config
User shell config
2016-06-19 23:36:45 +01:00
Vladimír Čunát e757404555 Merge branch 'master' into staging
Hydra nixpkgs: ?compare=1279790
2016-06-19 12:33:04 +02:00
Vladimír Čunát 97c484a10f treewide: fix #include errors after gcc-5.4
They were mostly missing <cmath> or <math.h>.
2016-06-19 10:18:30 +02:00
Aristid Breitkreuz 6a3dcb70bc Merge pull request #16112 from abuibrahim/master
odp-dpdk: init at 1.8.0.0
2016-06-18 17:09:13 +02:00
Joachim Fasting 875fd5af73
grsecurity: 4.5.7-201606110914 -> 4.5.7-201606142010 2016-06-16 14:29:12 +02:00
Ruslan Babayev de67e77e3f odp-dpdk: init at 1.8.0.0
Signed-off-by: Ruslan Babayev <ruslan@babayev.com>
2016-06-15 22:17:03 -07:00
Guillaume Maudoux d73b7d101f linux_mptcp: 0.90 -> 0.90.1 2016-06-15 22:56:11 +02:00
Joachim Fasting 130b06eb0b
grsecurity: 4.5.7-201606080852 -> 4.5.7-201606110914 2016-06-14 14:18:01 +02:00
Franz Pletz 99cc3fa6ca systemd: Disable stackprotector hardening flag 2016-06-14 10:19:05 +00:00
Joachim Fasting 886c03ad2e Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting 75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
zimbatm ae34904ee9 Merge pull request #16160 from vrthra/mupdf
mupdf: 1.8 -> 1.9
2016-06-12 23:26:34 +01:00
zimbatm e2413ad5a8 shadow: add shellPath passthru
This one is a bit special, it's used to deny users from logging in.
2016-06-12 20:13:32 +01:00
Christoph Hrdinka 473062c9a7 kmod-debian-aliases: 21-1 -> 22-1.1 2016-06-12 20:15:42 +02:00
Rahul Gopinath b8a525a8b6 jfbview: update mupdf 1.8 -> 1.9 2016-06-12 09:48:34 -07:00