1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-27 16:11:58 +00:00
Commit graph

1523 commits

Author SHA1 Message Date
Tuomas Tynkkynen 4085f4de5f Merge branch 'pr-newest-uboot' into master 2016-07-04 15:17:46 +03:00
Tuomas Tynkkynen 55aecd308e linux-rpi: 4.1.20-XXX -> 4.4.13-1.20160620-1
- Add a patch to unset CONFIG_LOCALVERSION in the v7 build.
- Copy all the device trees to match the upstream names so U-Boot can
  find them. (This is a hack.)
2016-07-04 15:13:29 +03:00
aszlig 566c990f33
linux-testing: 4.6-rc6 -> 4.7-rc6
The config option DEVPTS_MULTIPLE_INSTANCES now no longer exists since
torvalds/linux@eedf265aa0.

Built successfully on my Hydra instance:

https://headcounter.org/hydra/log/r4n6sv0zld0aj65r7l494757s2r8w8sr-linux-4.7-rc6.drv

Verified unpacked tarball with GnuPG:

ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886

gpg: Signature made Mon 04 Jul 2016 08:13:05 AM CEST
gpg:                using RSA key 79BE3E4300411886
gpg: Good signature from "Linus Torvalds <torvalds@linux-foundation.org>"

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-07-04 10:46:48 +02:00
Joachim Fasting 640ac5186f
grsecurity: 4.5.7-201606292300 -> 4.5.7-201606302132 2016-07-02 20:37:52 +02:00
Joachim Fasting 51c04b74c1
grsecurity: 4.5.7-201606280009 -> 4.5.7-201606292300 2016-06-30 11:09:59 +02:00
Joachim Fasting cdcdc25ef3
grsecurity: 4.5.7-201606262019 -> 4.5.7-201606280009 2016-06-28 14:57:20 +02:00
Joachim Fasting d5eec25ff9
grsecurity: 4.5.7-201606222150 -> 4.5.7-201606262019 2016-06-27 21:42:17 +02:00
Franz Pletz 7e9affa7ee linux_4_3: Remove, not maintained anymore 2016-06-27 00:11:16 +02:00
Franz Pletz eed51eccef linux: 3.10.101 -> 3.10.102 2016-06-27 00:11:16 +02:00
Franz Pletz b7e0b118d9 linux: 3.12.57 -> 3.12.61 2016-06-27 00:11:04 +02:00
Franz Pletz 0387eddb51 linux: 3.14.65 -> 3.14.73 2016-06-27 00:10:38 +02:00
Franz Pletz 6165af4db2 linux: 3.18.29 -> 3.18.36 2016-06-27 00:09:56 +02:00
Franz Pletz 5806b185bd linux: 4.1.25 -> 4.1.27 2016-06-27 00:09:30 +02:00
Franz Pletz 4a942499b4 linux: 4.4.13 -> 4.4.14 2016-06-27 00:08:11 +02:00
Joachim Fasting 4fb72b2fd3
grsecurity: 4.5.7-201606202152 -> 4.5.7-201606222150 2016-06-26 17:27:17 +02:00
Tim Steinbach 125ffff089 kernel: 4.6.2 -> 4.6.3 2016-06-24 22:18:16 +00:00
Joachim Fasting 9d052a2c39
grsecurity: 4.5.7-201606142010 -> 4.5.7-201606202152 2016-06-23 00:55:54 +02:00
Eelco Dolstra 453086a15f linux: 4.4.12 -> 4.4.13 2016-06-20 13:11:55 +02:00
zimbatm 7c32638439 Merge pull request #16259 from layus/update-mptcp
linux_mptcp: update 0.90 -> 0.90.1
2016-06-20 09:29:07 +01:00
Joachim Fasting 875fd5af73
grsecurity: 4.5.7-201606110914 -> 4.5.7-201606142010 2016-06-16 14:29:12 +02:00
Guillaume Maudoux d73b7d101f linux_mptcp: 0.90 -> 0.90.1 2016-06-15 22:56:11 +02:00
Joachim Fasting 130b06eb0b
grsecurity: 4.5.7-201606080852 -> 4.5.7-201606110914 2016-06-14 14:18:01 +02:00
Joachim Fasting 886c03ad2e Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting 75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Joachim Fasting 4ae5eb97f1
kernel: set virtualization options regardless of grsec
Per my own testing, the NixOS grsecurity kernel works both as a
KVM-based virtualisation host and guest; there appears to be no good
reason to making these conditional on `features.grsecurity`.

More generally, it's unclear what `features.grsecurity` *means*. If
someone configures a grsecurity kernel in such a fashion that it breaks
KVM support, they should know to disable KVM themselves.
2016-06-10 19:27:59 +02:00
Joachim Fasting d8e4432fe2
kernel: unconditionally disable /dev/kmem
This was presumably set for grsecurity compatibility, but now appears
redundant.  Grsecurity does not expect nor require /dev/kmem to be
present and so it makes little sense to continue making its inclusion in
the standard kernel dependent on grsecurity.

More generally, given the large number of possible grsecurity
configurations, it is unclear what `features.grsecurity` even
*means* and its use should be discouraged.
2016-06-10 19:27:41 +02:00
Shea Levy 4fbafb2395 linux 4.6.1 -> 4.6.2 2016-06-10 09:30:11 -04:00
Joachim Fasting edc36a0091
grsecurity: 4.5.6-201606051644 -> 4.5.7-201606080852 2016-06-09 15:40:06 +02:00
Vladimír Čunát 20c2ce4954 Merge #16045: kernel: 4.6.0 -> 4.6.1 2016-06-09 14:37:32 +02:00
Vladimír Čunát c0895be3ee Merge #16044: kernel: 4.1.20 -> 4.1.25 2016-06-09 14:36:31 +02:00
Vladimír Čunát f9310c2eee Merge #16043: kernel: 4.4.11 -> 4.4.12 2016-06-09 14:34:50 +02:00
Tim Steinbach 269b7d30a7 kernel: 4.6.0 -> 4.6.1 2016-06-07 09:59:19 -04:00
Tim Steinbach 8f4755a0ae kernel: 4.5.5 -> 4.5.6 2016-06-07 09:58:24 -04:00
Tim Steinbach a57cbf6546 kernel: 4.4.11 -> 4.4.12 2016-06-07 09:57:47 -04:00
Tim Steinbach f3ebf13762 kernel: 4.1.20 -> 4.1.25 2016-06-07 09:57:07 -04:00
Joachim Fasting 72899d92d0
grsecurity: 4.5.5-201605291201 -> 4.5.6-201606051644 2016-06-07 15:04:24 +02:00
Tuomas Tynkkynen bac26e08db Fix lots of fetchgit hashes (fallout from #15469) 2016-06-03 17:17:08 +03:00
Alexander Kjeldaas 4c99d22f19 kernel: set nx bit on module ro segments
Fixes #4757.
2016-06-03 15:41:47 +02:00
Joachim Fasting bfefc54bc5
grsecurity: 4.5.5-201605211442 -> 4.5.5-201605291201 2016-05-29 20:34:24 +02:00
Eelco Dolstra 3ee6b22dc3 linux: 4.4.10 -> 4.4.11 2016-05-22 23:05:10 +02:00
Joachim Fasting 5a357d9731
grsecurity: 4.5.5-201605202102 -> 4.5.5-201605211442 2016-05-21 22:28:36 +02:00
Joachim Fasting 79481bd68f
linux: 4.5.4 -> 4.5.5 2016-05-21 07:37:41 +02:00
Joachim Fasting cdf2ffda9d
grsecurity: 4.5.4-201605131918 -> 4.5.5-201605202102 2016-05-21 07:37:41 +02:00
Shea Levy 1ea263ef03 linux-4.6: Fix copy-paste error.
Thanks to @NeQuissimus for the spot
2016-05-16 13:53:23 -04:00
Shea Levy 0373eb86f1 Linux 4.6 2016-05-16 11:56:39 -04:00
Joachim Fasting f99c86eec1
grsecurity: remove expressions for unsupported versions
Retain top-level attributes for now but consolidate compatibility
attributes.

Part of ongoing cleanup, doing it all at once is infeasible.
2016-05-16 09:10:27 +02:00
Joachim Fasting 6194e9d801
kernelPatches.grsecurity: 4.5.4-201605122039 -> 4.5.4-201605131918
Also revert to using the grsecurity-scrape mirror; relying on upstream
just isn't viable. Lately, updates have been so frequent that a new
version is released before Hydra even gets around to building the
previous one.
2016-05-14 05:15:35 +02:00
Joachim Fasting 7fdce2feb0
kernelPatches.grsecurity_4_5: 4.5.4-201605112030 -> 4.5.4-201605122039 2016-05-13 23:11:07 +02:00
Joachim Fasting 10aaca8c1f
grsecurity_4_5: 4.5.3-201605080858 -> 4.5.4-201605112030 2016-05-13 20:11:31 +02:00
Franz Pletz 006f6d9437 linux: 4.5.3 -> 4.5.4 2016-05-13 17:27:51 +02:00