mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-09-11 15:08:33 +01:00
Code Issues Wiki Activity
127459 commits 218 branches 122 tags 7.1 GiB
Commit graph

2306 commits

Author SHA1 Message Date
Jan Malakhovski 616a7fe237
linuxPackages: hardened-config: disable BUG_ON_DATA_CORRUPTION for older kernels 
They don't support it.
 2017-09-16 13:14:03 +02:00
Joachim Fasting dd170cd5df
hardened-config: build with fortify source 2017-09-16 00:31:25 +02:00
Joachim Fasting 9a763f8f59
hardened-config: enable the randstruct plugin 2017-09-16 00:31:23 +02:00
Joachim Fasting edd0d2f2e9
hardened-config: additional refcount checking 2017-09-16 00:31:17 +02:00
Tim Steinbach 43b3029a4a
linux: 4.9.49 -> 4.9.50 2017-09-14 08:40:13 -04:00
Tim Steinbach 537da6cb50
linux: 4.12.12 -> 4.12.13 2017-09-14 08:40:13 -04:00
Tim Steinbach 232fc6a806
linux: 4.13.1 -> 4.13.2 2017-09-14 08:40:13 -04:00
Tim Steinbach 87fa247867
linux-copperhead: 4.13.1.a -> 4.13.1.b 2017-09-13 08:20:58 -04:00
Tim Steinbach 114a2bcc80
linux-copperhead: 4.13.a -> 4.13.1.a 2017-09-10 19:21:31 -04:00
Tim Steinbach 80486ba971
linux: 4.13 -> 4.13.1 2017-09-10 12:13:15 -04:00
Tim Steinbach 9c723d4b2b
linux: 4.12.11 -> 4.12.12 2017-09-10 12:13:15 -04:00
Tim Steinbach 1ab2b06a36
linux: 4.9.48 -> 4.9.49 2017-09-10 12:13:15 -04:00
Tim Steinbach dc8b228a89
linux: 4.9.47 -> 4.9.48 2017-09-07 10:31:02 -04:00
Tim Steinbach a1912c9eb4
linux: 4.12.10 -> 4.12.11 2017-09-07 10:27:39 -04:00
Jörg Thalheim 44f93731d6 linux_chromiumos_3_18: remove kernel due lack of maintainer/breakage 
There is no maintainer for this package, probably not many users.
It requires effort to fix all third-party modules for this old kernel
versions. It might contain unpatched security holes.

For Pixel chromebooks, we have the samus-kernel.
Apart from that https://github.com/GalliumOS/linux might be a good choice.
 2017-09-05 14:42:23 +02:00
Tim Steinbach 967077537b
linux-copperhead: 4.12.10.a -> 4.13.a 2017-09-04 11:09:29 -04:00
Tim Steinbach c1e2a0b6f4
linux: Add 4.13 2017-09-03 19:41:44 -04:00
Tim Steinbach 2c301b1b48
linux: 4.9.46 -> 4.9.47 
(cherry picked from commit 27c8378c0c81aa17aef615615421aa5de3d8246b)
 2017-09-02 11:17:47 -04:00
Joachim Fasting 697cbbc617
kernelPatches.grsecurity_testing: remove 2017-09-02 15:56:49 +02:00
davidak 4134db36d0 linux-testing-bcachefs: init at 4.11.2017.08.23 2017-08-31 05:39:17 -05:00
Tim Steinbach 4c91e32da6
linux-copperhead: 4.12.9.a -> 4.12.10.a 2017-08-30 13:17:51 -04:00
Tim Steinbach fab79d08e9
linux: 4.9.45 -> 4.9.46 2017-08-30 07:59:42 -04:00
Tim Steinbach a27c6c7374
linux: 4.12.9 -> 4.12.10 2017-08-30 07:59:42 -04:00
Tuomas Tynkkynen ff3f6f38c4 linux_rpi: 1.20170515 -> 1.20170811 2017-08-29 02:37:52 +03:00
Tim Steinbach 163b3e853b
linux: 4.13-rc6 -> 4.13-rc7 2017-08-28 11:59:37 -04:00
Tim Steinbach bebaf083cd
linux-copperhead: 4.12.8.a -> 4.12.9.a 2017-08-27 09:43:23 -04:00
Tim Steinbach 9b9d0cc06b
linux: 4.9.44 -> 4.9.45 2017-08-26 09:50:02 -04:00
Tim Steinbach d23bed7cc6
linux: 4.12.8 -> 4.12.9 2017-08-26 09:47:57 -04:00
Tim Steinbach cd85a704a5
linux: 4.13-rc4 -> 4.13-rc6 2017-08-22 03:23:30 -04:00
Frederik Rietdijk 6bbc3a0b24 Merge commit '3b29468313bc8604fe8f85c8d9316fd276d3985c' into HEAD 2017-08-21 04:44:40 +02:00
Vladimír Čunát 7c7c83e233
buildLinux: allow overriding stdenv on each call 2017-08-20 08:24:52 +02:00
Tim Steinbach 7209ed6d4b
linux-copperhead: 4.12.7.a -> 4.12.8.a 2017-08-18 15:47:03 -04:00
Tim Steinbach 9281b05c7f
linux: 4.12.7 -> 4.12.8 2017-08-18 15:33:53 -04:00
Tim Steinbach a5f01aa745
linux: 4.9.43 -> 4.9.44 2017-08-18 15:30:37 -04:00
Tim Steinbach b94210b066
linux-copperhead: 4.12.5.a -> 4.12.7.a 2017-08-14 12:51:30 -04:00
Frederik Rietdijk 13bbaee21d Merge pull request #27881 from mimadrid/fix/http-https 
Update homepage attributes: http -> https
 2017-08-13 21:53:20 +02:00
Tim Steinbach 5c29873e99
linux: 4.9.42 -> 4.9.43 2017-08-13 15:42:15 -04:00
Tim Steinbach 59e34685da
linux: 4.12.6 -> 4.12.7 2017-08-13 15:42:15 -04:00
Joachim Fasting 345e0e6794
hardened-config: enable read-only LSM hooks 
Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
 2017-08-11 23:27:58 +02:00
Robin Gloster 05b8cae9ec
linux: remove unused kernel patches 2017-08-11 19:13:09 +02:00
Robin Gloster 9f3f575ab3
linux_4_4: remove 
Support ends in Feb 2018
 2017-08-11 19:13:09 +02:00
Robin Gloster 0eb9c5bd42
linux_3_10: remove 
Support ends in Oct 2017
 2017-08-11 19:13:08 +02:00
Tim Steinbach 47d9b48e4d
linux: 4.12.5 -> 4.12.6 2017-08-11 12:14:53 -04:00
Tim Steinbach f2d420e4c9
linux: 4.9.41 -> 4.9.42 2017-08-11 12:10:10 -04:00
Tim Steinbach f46f98ad31
Revert 0cf0d7186a 
Order common kernel config by functionality
See #27949
 2017-08-07 17:34:10 -04:00
Tim Steinbach fa10497834 Merge pull request #27684 from gnidorah/bfq 
linux: BFQ Group Scheduling support
 2017-08-07 11:58:45 -04:00
Tim Steinbach 06af1df857
linux: 4.13-rc3 -> 4.13-rc4 2017-08-07 11:40:01 -04:00
Tim Steinbach ea2a10e143
linux: 4.4.79 -> 4.4.80 2017-08-07 11:35:42 -04:00
Tim Steinbach 4825e4818b
linux: 4.9.40 -> 4.9.41 2017-08-07 11:32:26 -04:00
gnidorah dc21f1ad65 linux: BFQ Group Scheduling support 2017-08-07 10:12:21 +03:00
Tim Steinbach 1ec7242bc2
linux-copperhead: 4.12.4.a -> 4.12.5.a 2017-08-06 22:04:46 -04:00
Tim Steinbach ff9479cd54
linux: 4.12.4 -> 4.12.5 2017-08-06 19:22:15 -04:00
Tim Steinbach 0cf0d7186a
linux-common-config: Refactor, clean up 2017-08-06 19:17:30 -04:00
Joachim Fasting f963014829
linux-hardened-config: various fixups 
Note
- the kernel config parser ignores "# foo is unset" comments so they
  have no effect; disabling kernel modules would break *everything* and so
  is ill-suited for a general-purpose kernel anyway --- the hardened nixos
  profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
  YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
  the build; fix by making it optional
- restored some original comments which I feel are clearer
 2017-08-06 23:38:07 +02:00
Heitham Omar 5ac00265a8 linux-common-config: add CONFIG_HOTPLUG_PCI_ACPI 2017-08-06 20:41:28 +02:00
Tim Steinbach ff10bafd00
linux: Expand hardened config 
Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
 2017-08-06 09:58:02 -04:00
Robin Gloster 2b4811887a
kernel: add IP_NF_TARGET_REDIRECT 2017-08-04 08:26:09 +02:00
mimadrid 09e0cc7cc7
Update homepage attributes: http -> https 
Homepage link "http://.../" is a permanent redirect to "https://.../" and should be updated
https://repology.org/repository/nix_stable/problems
 2017-08-03 11:56:15 +02:00
Tuomas Tynkkynen 3db9a2bdff linux_rpi: 1.20170427 -> 1.20170515 2017-07-31 19:47:23 +03:00
aszlig 979817d153
linux-testing: 4.13-rc2 -> 4.13-rc3 
Tested via building the linux_testing attribute, but didn't test it at
runtime (yet).

Diffed unpacked tarball against my local git clone and the contents
match.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
 2017-07-31 09:39:42 +02:00
Tim Steinbach a918521c1e
linux-copperhead: 4.12.3.a -> 4.12.4.a 2017-07-28 17:54:37 -04:00
Tim Steinbach 5a6b5b8daf
linux: 4.4.78 -> 4.4.79 2017-07-28 10:02:29 -04:00
Tim Steinbach 88c0f67ded
linux: 4.9.39 -> 4.9.40 2017-07-28 10:00:25 -04:00
Tim Steinbach f43c445824
linux: 4.12.3 -> 4.12.4 2017-07-28 09:55:48 -04:00
Tim Steinbach 1dd6e7dcbc
linux: 4.13-rc1 -> 4.13-rc2 2017-07-24 09:50:32 -04:00
Jörg Thalheim 887570883e perf: remove binutils patch by wrapper 
starting with linux 4.12 our patch no longer applied. In order to
avoid having to maintain patches for different linux kernels it is
easier to use a wrapper instead.
 2017-07-23 15:18:02 +01:00
Tim Steinbach 869bb2e486
linux-copperhead: 4.12.2.a -> 4.12.3.a 2017-07-22 19:08:02 -04:00
Tim Steinbach ba9275da88
linux: Remove 4.11 
4.11.x has been EOL'd
 2017-07-21 07:33:14 -04:00
Tim Steinbach 98ad0f4dab
linux: 4.12.2 -> 4.12.3 2017-07-21 07:28:24 -04:00
Tim Steinbach 232f497169
linux: 4.9.38 -> 4.9.39 2017-07-21 07:25:50 -04:00
Tim Steinbach 5181d7568f
linux: 4.4.77 -> 4.4.78 2017-07-21 07:23:12 -04:00
Al Zohali 0b3d29d4ac linux_samus_4_12: init at 4.12.2 
Co-authored-by: Nikolay Amiantov <ab@fmap.me>

fixes #26038
 2017-07-18 23:31:18 +01:00
Tim Steinbach df929d6216
linux-copperhead: 4.12.1.a -> 4.12.2.a 2017-07-15 19:44:12 -04:00
Tim Steinbach b103e9317a
linux-testing: 4.12-rc7 -> 4.13-rc1 2017-07-15 19:30:44 -04:00
Tim Steinbach 81b993369c
linux: 4.4.76 -> 4.4.77 2017-07-15 19:25:42 -04:00
Tim Steinbach b04858db1b
linux: 4.9.37 -> 4.9.38 
Remove temporary patches to perf as well
 2017-07-15 19:22:07 -04:00
Tim Steinbach ccec16579d
linux: 4.11.10 -> 4.11.11 2017-07-15 19:17:06 -04:00
Tim Steinbach c5ef98bb34
linux: 4.12.1 -> 4.12.2 2017-07-15 19:14:44 -04:00
Tim Steinbach 954c66983d
perf: Apply patch for offline kernels 
As per https://lkml.org/lkml/2017/7/13/314, perf is broken in 4.9.36 and 4.9.37
Patches in this commit are taken from
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=39f4f2c018bd831c325e11983f8893caf72fd9eb

This will allow perf to build again and should be included in a future 4.9.x release,
allowing the custom patching to be removed again
 2017-07-14 20:07:16 -04:00
Tuomas Tynkkynen 42395a191b kernel-config: Disable Xen on non-x86 
There's an upstream build failure on ARM (not directly related to Xen
but rather some other config options it enables). The xen package is
x86_64-only anyways.
 2017-07-13 20:12:50 +03:00
Tim Steinbach 6fda535869
linux-copperhead: Fix modDirVersion 2017-07-13 09:00:44 -04:00
Tim Steinbach 45a2534459
linux-copperhead: 4.12.e -> 4.12.1.a 2017-07-13 08:40:08 -04:00
Tim Steinbach 6131b4d52d
linux: 4.12 -> 4.12.1 2017-07-13 08:36:50 -04:00
Tim Steinbach 24de0bad42
linux: 4.11.9 -> 4.11.10 2017-07-13 08:34:51 -04:00
Tim Steinbach 6da222918e
linux: 4.9.36 -> 4.9.37 2017-07-13 08:30:47 -04:00
Tim Steinbach 1434128a18
linux-copperhead: 4.12.d -> 4.12.e 2017-07-11 08:22:56 -04:00
Tim Steinbach d38656b3c3
linux-copperhead: 4.12.c -> 4.12.d 2017-07-09 18:20:14 -04:00
Tim Steinbach fca0b3602d
linux-copperhead: 4.12.b -> 4.12.c 2017-07-09 18:16:58 -04:00
Tim Steinbach da8bd6df67 Merge pull request #27161 from NeQuissimus/kernel_config_cleanup 
linux: Clean up kernel config warnings
 2017-07-07 09:00:52 -04:00
gnidorah ff348f4b6d linux: Enable more I/O schedulers 2017-07-07 11:43:48 +03:00
Tim Steinbach 968e0b2baf
linux-copperhead: 4.11.8.a -> 4.12.b 2017-07-06 11:42:27 -04:00
Tim Steinbach 3ec2a2f476
linux: Clean up kernel config warnings 2017-07-05 20:09:14 -04:00
Tim Steinbach a04afd1594
linux: 4.4.75 -> 4.4.76 2017-07-05 12:54:56 -04:00
Tim Steinbach 05bd289ff8
linux: 4.9.35 -> 4.9.36 2017-07-05 12:52:05 -04:00
Tim Steinbach 00f0f7e9f6
linux: 4.11.8 -> 4.11.9 2017-07-05 12:49:56 -04:00
Tim Steinbach cd1f998289
Revert "linux-copperhead: 4.11.8.a -> 4.12.a" 
This reverts commit cb703f1314.
 2017-07-04 20:56:02 -04:00
Tim Steinbach cb703f1314
linux-copperhead: 4.11.8.a -> 4.12.a 2017-07-03 21:03:58 -04:00
Tim Steinbach f130e0027e
linux: Add 4.12 2017-07-03 11:57:40 -04:00
Tim Steinbach 3130f3ed0a
linux-copperhead: 4.11.7.a -> 4.11.8.a 
Fixes #26790 by properly including built modules
 2017-06-29 23:16:52 -04:00
Tim Steinbach 37bc494949
linux: 4.11.7 -> 4.11.8 2017-06-29 08:29:04 -04:00
Tim Steinbach d1aff8d2e5
linux: 4.9.34 -> 4.9.35 
Also, remove XSA-216 patches, the fixes are now integrated upstream
 2017-06-29 08:26:25 -04:00
Tim Steinbach 6b35f22e28
linux: 4.4.74 -> 4.4.75 2017-06-29 08:20:06 -04:00
Tim Steinbach 4cc729644e Merge pull request #26867 from michalpalka/xen-security-2017.06-new 
xen: patch for XSAs: 216, 217, 218, 219, 220, 221, 222, and 224
 2017-06-28 22:43:46 -04:00
John Ericson e1faeb574a Merge pull request #26884 from obsidiansystems/purge-stdenv-cross 
Purge stdenv cross
 2017-06-28 21:39:16 -04:00
hsloan 16781a3892 kernel perf: Don't use stdenv.cross 2017-06-28 20:23:09 -04:00
hsloan 1e3b45cfdb kernel manual-config: Don't use stdenv.cross 2017-06-28 20:23:09 -04:00
hsloan 459d07d41c kernel generic: Don't use stdenv.cross 2017-06-28 20:22:59 -04:00
Tim Steinbach d2e199ca3c
linux: 4.4.73 -> 4.4.74 2017-06-27 08:14:47 -04:00
Tim Steinbach c90a4b8541
linux: 4.12-rc6 -> 4.12-rc7 2017-06-26 09:58:37 -04:00
Michał Pałka 80e0cda7ff xen: patch for XSAs: 216, 217, 218, 219, 220, 221, 222, and 224 
XSA-216 Issue Description:

> The block interface response structure has some discontiguous fields.
> Certain backends populate the structure fields of an otherwise
> uninitialized instance of this structure on their stacks, leaking
> data through the (internal or trailing) padding field.

More: https://xenbits.xen.org/xsa/advisory-216.html

XSA-217 Issue Description:

> Domains controlling other domains are permitted to map pages owned by
> the domain being controlled.  If the controlling domain unmaps such a
> page without flushing the TLB, and if soon after the domain being
> controlled transfers this page to another PV domain (via
> GNTTABOP_transfer or, indirectly, XENMEM_exchange), and that third
> domain uses the page as a page table, the controlling domain will have
> write access to a live page table until the applicable TLB entry is
> flushed or evicted.  Note that the domain being controlled is
> necessarily HVM, while the controlling domain is PV.

More: https://xenbits.xen.org/xsa/advisory-217.html

XSA-218 Issue Description:

> We have discovered two bugs in the code unmapping grant references.
>
> * When a grant had been mapped twice by a backend domain, and then
> unmapped by two concurrent unmap calls, the frontend may be informed
> that the page had no further mappings when the first call completed rather
> than when the second call completed.
>
> * A race triggerable by an unprivileged guest could cause a grant
> maptrack entry for grants to be "freed" twice.  The ultimate effect of
> this would be for maptrack entries for a single domain to be re-used.

More: https://xenbits.xen.org/xsa/advisory-218.html

XSA-219 Issue Description:

> When using shadow paging, writes to guest pagetables must be trapped and
> emulated, so the shadows can be suitably adjusted as well.
>
> When emulating the write, Xen maps the guests pagetable(s) to make the final
> adjustment and leave the guest's view of its state consistent.
>
> However, when mapping the frame, Xen drops the page reference before
> performing the write.  This is a race window where the underlying frame can
> change ownership.
>
> One possible attack scenario is for the frame to change ownership and to be
> inserted into a PV guest's pagetables.  At that point, the emulated write will
> be an unaudited modification to the PV pagetables whose value is under guest
> control.

More: https://xenbits.xen.org/xsa/advisory-219.html

XSA-220 Issue Description:

> Memory Protection Extensions (MPX) and Protection Key (PKU) are features in
> newer processors, whose state is intended to be per-thread and context
> switched along with all other XSAVE state.
>
> Xen's vCPU context switch code would save and restore the state only
> if the guest had set the relevant XSTATE enable bits.  However,
> surprisingly, the use of these features is not dependent (PKU) or may
> not be dependent (MPX) on having the relevant XSTATE bits enabled.
>
> VMs which use MPX or PKU, and context switch the state manually rather
> than via XSAVE, will have the state leak between vCPUs (possibly,
> between vCPUs in different guests).  This in turn corrupts state in
> the destination vCPU, and hence may lead to weakened protections
>
> Experimentally, MPX appears not to make any interaction with BND*
> state if BNDCFGS.EN is set but XCR0.BND{CSR,REGS} are clear.  However,
> the SDM is not clear in this case; therefore MPX is included in this
> advisory as a precaution.

More: https://xenbits.xen.org/xsa/advisory-220.html

XSA-221 Issue Description:

> When polling event channels, in general arbitrary port numbers can be
> specified.  Specifically, there is no requirement that a polled event
> channel ports has ever been created.  When the code was generalised
> from an earlier implementation, introducing some intermediate
> pointers, a check should have been made that these intermediate
> pointers are non-NULL.  However, that check was omitted.

More: https://xenbits.xen.org/xsa/advisory-221.html

XSA-222 Issue Description:

> Certain actions require removing pages from a guest's P2M
> (Physical-to-Machine) mapping.  When large pages are in use to map
> guest pages in the 2nd-stage page tables, such a removal operation may
> incur a memory allocation (to replace a large mapping with individual
> smaller ones).  If this allocation fails, these errors are ignored by
> the callers, which would then continue and (for example) free the
> referenced page for reuse.  This leaves the guest with a mapping to a
> page it shouldn't have access to.
>
> The allocation involved comes from a separate pool of memory created
> when the domain is created; under normal operating conditions it never
> fails, but a malicious guest may be able to engineer situations where
> this pool is exhausted.

More: https://xenbits.xen.org/xsa/advisory-222.html

XSA-224 Issue Description:

> We have discovered a number of bugs in the code mapping and unmapping
> grant references.
>
> * If a grant is mapped with both the GNTMAP_device_map and
> GNTMAP_host_map flags, but unmapped only with host_map, the device_map
> portion remains but the page reference counts are lowered as though it
> had been removed. This bug can be leveraged cause a page's reference
> counts and type counts to fall to zero while retaining writeable
> mappings to the page.
>
> * Under some specific conditions, if a grant is mapped with both the
> GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
> grab sufficient type counts.  When the grant is then unmapped, the
> type count will be erroneously reduced.  This bug can be leveraged
> cause a page's reference counts and type counts to fall to zero while
> retaining writeable mappings to the page.
>
> * When a grant reference is given to an MMIO region (as opposed to a
> normal guest page), if the grant is mapped with only the
> GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
> This does *not* cause reference counts to change, but there will be no
> record of this mapping, so it will not be considered when reporting
> whether the grant is still in use.

More: https://xenbits.xen.org/xsa/advisory-224.html
 2017-06-26 07:01:24 +00:00
Tim Steinbach 03aed4cfcf
linux-copperhead: 4.11.6.d -> 4.11.7.a 2017-06-24 14:50:41 -04:00
Tim Steinbach b06cb59fc1
linux: 4.9.33 -> 4.9.34 2017-06-24 11:22:56 -04:00
Tim Steinbach 3a68f0bb78
linux: 4.11.6 -> 4.11.7 2017-06-24 11:20:32 -04:00
Tim Steinbach 4e08459f9b
linux-hardened-copperhead: 4.11.6c -> 4.11.6d 2017-06-22 21:12:20 -04:00
Franz Pletz dd3f2e648a
linux_hardened_copperhead: init at 4.11.6.c 2017-06-21 23:49:00 +02:00
Jörg Thalheim e89e96a755 linux_4_11: renable CONFIG_UPROBE_EVENTS 
CONFIG_UPROBE_EVENT was renamed to CONFIG_UPROBE_EVENTS.
 2017-06-21 17:16:46 +01:00
Tim Steinbach 2764961b87
linux: 4.12-rc5 -> 4.12-rc6 2017-06-19 21:21:15 -04:00
Franz Pletz bbb9182cbc
linux: 4.9.32 -> 4.9.33 2017-06-17 18:45:29 +02:00
Franz Pletz a470aa0924
linux: 4.4.72 -> 4.4.73 2017-06-17 18:45:29 +02:00
Franz Pletz c973a4a887
linux: 4.11.5 -> 4.11.6 2017-06-17 18:45:29 +02:00
Tim Steinbach b4576c5108
linux: 4.11.4 -> 4.11.5 2017-06-15 08:54:55 -04:00
Tim Steinbach a7efc9f0cd
linux: 4.9.31 -> 4.9.32 2017-06-15 08:53:35 -04:00
Tim Steinbach 07edb44d15
linux: 4.4.71 -> 4.4.72 2017-06-15 08:52:26 -04:00
timor d74f8351a5 kernel: enable audio jack reconfiguration 
Change kernel config to allow for changing the functions of the audio
jacks at run-time as well as at boot time.
 2017-06-13 08:50:34 +03:00
Eelco Dolstra 63e9d1c51e
perf: Fix perf annotate 
This command requires objdump, so make sure it can find it.
 2017-06-12 13:23:18 +02:00
Tim Steinbach 5fbab5dfb3
linux: 4.12-rc4 -> 4.12-rc5 2017-06-11 21:37:46 -04:00
Tuomas Tynkkynen 370ace4cf0 kernel: Don't build self-test modules 2017-06-11 19:33:24 +03:00
Tim Steinbach c7abd6943e
linux: 4.9.30 -> 4.9.31 2017-06-07 08:09:37 -04:00
Tim Steinbach 01fc1a80b3
linux: 4.4.70 -> 4.4.71 2017-06-07 08:07:53 -04:00
Tim Steinbach 66faa421c9
linux: 4.11.3 -> 4.11.4 2017-06-07 08:05:45 -04:00
Tim Steinbach 7c476b98df
linux: 4.12-rc3 -> 4.12-rc4 2017-06-05 10:01:53 -04:00
Tim Steinbach a78af5196c
linux: 4.12-rc2 -> 4.12-rc3 2017-05-29 09:32:52 -04:00
Tim Steinbach 690a83091b
linux: FS_ENCRYPTION only for >= 4.9 kernels 2017-05-25 18:25:08 -04:00
Tim Steinbach 8f0ca4f44a
linux: 4.4.69 -> 4.4.70 2017-05-25 18:21:54 -04:00
Tim Steinbach 446c57fdb2
linux: 4.9.29 -> 4.9.30 2017-05-25 18:19:16 -04:00
Tim Steinbach f618a6caa1
linux: 4.11.2 -> 4.11.3 2017-05-25 18:16:57 -04:00
Tim Steinbach aa73b7df30
linux: 4.12-rc1 -> 4.12-rc2 2017-05-22 11:40:04 -04:00
Tim Steinbach a42c54057f
linux: 4.11.1 -> 4.11.2 2017-05-20 17:17:35 -04:00
Tim Steinbach a551ca61b7
linux: 4.9.28 -> 4.9.29 2017-05-20 17:17:34 -04:00
Tim Steinbach 82852ac60e
linux: 4.4.68 -> 4.4.69 2017-05-20 17:17:33 -04:00
Tuomas Tynkkynen de263072b5 kernel: 4.10 is end-of-life 
https://lkml.org/lkml/2017/5/20/75
 2017-05-20 19:54:18 +03:00
Joachim Fasting 77ed860114
linux_hardened: enable checks on scatter-gather tables 
Recommended by kspp
 2017-05-18 12:33:42 +02:00
Tim Steinbach 8eb302d6d7 Merge pull request #25792 from NeQuissimus/linux_4_12_rc1 
linux-testing: 4.11-rc7 -> 4.12-rc1
 2017-05-17 08:30:10 -04:00
Tuomas Tynkkynen a35ec5dda6 linux_rpi: 1.20170303 -> 1.20170427 2017-05-15 11:14:59 +03:00
Tim Steinbach 336b044dcb
linux-testing: 4.11-rc7 -> 4.12-rc1 2017-05-14 22:03:14 -04:00
Tuomas Tynkkynen ba585648e7 kernel: 4.9.27 -> 4.9.28 2017-05-15 01:28:01 +03:00
Tuomas Tynkkynen 8de08ff145 kernel: 4.4.67 -> 4.4.68 2017-05-15 01:27:50 +03:00
Tuomas Tynkkynen c230aee121 kernel: 4.11 -> 4.11.1 2017-05-15 01:27:41 +03:00
Tuomas Tynkkynen 2f1e6c8686 kernel: 4.10.15 -> 4.10.16 2017-05-15 01:27:30 +03:00
Tim Steinbach 8584a16922
linux: 4.10.14 -> 4.10.15 2017-05-09 08:43:37 -04:00
Joachim Fasting 996b65cfba
linux_hardened: enable structleak plugin 
A port of the PaX structleak plugin.  Note that this version of structleak
seems to cover less ground than the PaX original (only marked structs are
zeroed). [1]

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c61f13eaa1ee17728c41370100d2d45c254ce76f
 2017-05-09 01:38:26 +02:00
Joachim Fasting 1816e2b960
linux_hardened: BUG on struct validation failure 2017-05-09 01:38:24 +02:00
Joachim Fasting a7ecdffc28
linux_hardened: move to 4.11 
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
 2017-05-09 01:38:22 +02:00
Joachim Fasting 42c58cd2e8
linux_hardened: compile with stackprotector-strong 
Default is regular, which we need to unset for kconfig to accept the new
value.
 2017-05-09 01:38:21 +02:00
Tim Steinbach 8c74ff6534
linux: 4.9.26 -> 4.9.27 2017-05-08 09:26:26 -04:00
Tim Steinbach 4e2c67ff76
linux: 4.4.66 -> 4.4.67 2017-05-08 09:23:52 -04:00
Joachim Fasting a04d8532c2
linux: support using gcc plugins 
linux 4.8 onwards support gcc plugins.  This patch adds build inputs
required to make use of gcc plugins to the generic kernel build
environment.
 2017-05-06 19:47:27 +02:00
Tim Steinbach 2a38ecc055
linux: 4.10.13 -> 4.10.14 2017-05-03 20:46:48 -04:00
Tim Steinbach 6076843be3
linux: 4.9.25 -> 4.9.26 2017-05-03 20:44:09 -04:00
Tim Steinbach af933bc7d3
linux: 4.4.65 -> 4.4.66 2017-05-03 20:41:46 -04:00
Tim Steinbach b5169fd277
linux: Add cgroups patches for 4.9, 4.10, 4.11 2017-05-02 08:49:39 -04:00
Shea Levy 207a0af06a Add linux 4.11 2017-05-01 19:04:45 -04:00
Michael Raskin 1cce0887ee Merge branch 'master' into mptcp-v91.3 2017-05-01 00:43:08 +02:00
Tim Steinbach 0c4de3c0c9
linux: 4.4.64 -> 4.4.65 2017-04-30 08:58:44 -04:00
Joachim Fasting ab4fa1cce4
tree-wide: prune some dead grsec leaves 
The beginning of pruning grsecurity/PaX from the tree.
 2017-04-30 12:05:41 +02:00
Joachim Fasting 62f2a1c2be
linux_hardened: init 
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
 2017-04-30 12:05:39 +02:00
Joachim Fasting 32b8512e54
grsecurity: discontinue support 
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1].  Consequently, we can no longer
responsibly support grsecurity on NixOS.

This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother.  For 17.09 all of it should
probably be pruned.

[1]: https://grsecurity.net/passing_the_baton.php
 2017-04-28 12:35:15 +02:00
Tim Steinbach 7f3b857d0d
linux: 4.4.63 -> 4.4.64 2017-04-27 22:12:35 -04:00
Tim Steinbach 08c44a5cac
linux: 4.10.12 -> 4.10.13 2017-04-27 22:10:06 -04:00
Tim Steinbach 903fec9922
linux: 4.9.24 -> 4.9.25 2017-04-27 22:07:34 -04:00
Jason A. Donenfeld b1750d699c linux-chromiumos: remove 3.14 
3.14 is no longer supported upstream by kernel.org and thus no longer
receives security patches. The git commit mentioned in this .nix isn't
even available in the linked repository --
https://chromium.googlesource.com/chromiumos/third_party/kernel -- so I
think this .nix might be dead anyway. Finally, it specifies 3.14.0,
which is so ridiculously old (the latest was 3.14.79) that nobody
develops for it.

Fixes: #25145
Supports: #25127
 2017-04-23 15:47:46 +02:00
Joachim Fasting 9e6c96f8fc
grsecurity: 4.9.24-201704210851 -> 4.9.24-2201704220732 2017-04-22 16:37:24 +02:00
Joachim Fasting 05911da7bb
grsecurity: 4.9.23-201704181901 -> 4.9.24-201704210851 2017-04-21 15:09:32 +02:00
Tim Steinbach 7fb1b54cc1
linux: 4.4.62 -> 4.4.63 2017-04-21 08:03:43 -04:00
Tim Steinbach 1b3282d52d
linux: 4.10.11 -> 4.10.12 2017-04-21 08:01:22 -04:00
Tim Steinbach 4dda88c89d
linux: 4.9.23 -> 4.9.24 2017-04-21 07:58:45 -04:00
Joachim Fasting 9902d63e84
grsecurity: 4.9.22-201704120836 -> 4.9.23-201704181901 2017-04-20 00:21:41 +02:00
Tim Steinbach 7643c7c8cc
linux: 4.4.61 -> 4.4.62 2017-04-18 08:22:23 -04:00
Tim Steinbach 5283e644ce
linux: 4.10.10 -> 4.10.11 2017-04-18 08:20:40 -04:00
Tim Steinbach 1173fe0b49
linux: 4.9.22 -> 4.9.23 2017-04-18 08:15:48 -04:00
Tim Steinbach 5a7b029fa9
linux: 4.11-rc6 -> 4.11-rc7 2017-04-17 07:41:19 -04:00
Tuomas Tynkkynen 3ed0d7e2df kernel-config: Explicitly enable CONFIG_NETFILTER 
This is needed by the NixOS firewall, but isn't enabled by the ARM
defconfig nor kernelAutoModules (as 'm' doesn't seem to be an option)
 2017-04-14 20:43:50 +03:00
Joachim Fasting 3fa5605b41
grsecurity: 4.9.21-201704091948 -> 4.9.22-201704120836 2017-04-12 18:58:29 +02:00
Tim Steinbach 5f05792417
linux: 4.4.60 -> 4.4.61 2017-04-12 09:17:53 -04:00
Tim Steinbach 6860eedfd6
linux: 4.10.9 -> 4.10.10 2017-04-12 09:16:08 -04:00
Tim Steinbach 224a8f7358
linux: 4.9.21 -> 4.9.22 2017-04-12 09:13:56 -04:00
Tim Steinbach 205abc1fb6
linux: 4.11-rc5 -> 4.11-rc6 2017-04-10 08:34:23 -04:00
Joachim Fasting 7701cbca6b
grsecurity: 4.9.20-201703310823 -> 4.9.21-201704091948 2017-04-10 03:34:42 +02:00
Nikolay Amiantov 7099e8da83 linux: build with initrd support by default 
We don't require initrd in some cases but still most boot sequences including ARM use it.
 2017-04-09 22:46:07 +03:00
Nikolay Amiantov c0e77dba0e linux: add kernelPreferBuiltin platform option 
This allows to use kernelAutoModules but still compile in any options that are set so in template config.
It's helpful for ARM and maybe other platforms where defaul configurations are useful because they compile in
modules that we and udev cannot autodetect now.
 2017-04-09 22:46:07 +03:00
Tim Steinbach 79f9544eca
linux: 4.4.59 -> 4.4.60 2017-04-08 08:04:54 -04:00
Tim Steinbach 1988c1fa41
linux: 4.10.8 -> 4.10.9 2017-04-08 08:02:18 -04:00
Tim Steinbach 016a319b50
linux: 4.9.20 -> 4.9.21 2017-04-08 07:59:27 -04:00
Tim Steinbach a29d0df28c
linux: 4.11-rc4 -> 4.11-rc5 2017-04-03 09:02:37 -04:00
Volth b78f16b337 kernel: do not remove .o files on installPhase 2017-04-01 16:05:17 +03:00
Volth ed41d50e9f kernel: fix 9p issues 
[tuomas: rename the patch from 9p-hacks to something slighly more
meaningful]
Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
 2017-04-01 15:49:14 +03:00
Joachim Fasting a41668f441
grsecurity: 4.9.19-201703300917 -> 4.9.20-201703310823 2017-04-01 00:08:50 +02:00
Tim Steinbach cb791371c5
linux: 4.4.58 -> 4.4.59 2017-03-31 09:19:07 -04:00
Tim Steinbach bff456bd55
linux: 4.10.7 -> 4.10.8 2017-03-31 09:16:52 -04:00
Tim Steinbach 501429d120
linux: 4.9.19 -> 4.9.20 2017-03-31 09:14:19 -04:00
Tim Steinbach ecca152887
linux: 4.10.6 -> 4.10.7 2017-03-30 22:12:26 -04:00
Tim Steinbach 6b5193bcd9
linux: 4.4.57 -> 4.4.58 2017-03-30 22:12:05 -04:00
Joachim Fasting f9cb8775b3
linux_4_9: 4.9.18 -> 4.9.19 2017-03-30 22:50:38 +02:00
Joachim Fasting 4d4488e793
grsecurity: 4.9.18-201703261106 -> 4.9.19-201703300917 2017-03-30 16:28:34 +02:00
Tim Steinbach 310bb3e6bb
linux: 4.11-rc3 -> 4.11-rc4 2017-03-26 19:04:21 -04:00
Joachim Fasting 5fe81c1bdb
grsecurity: 4.9.17-201703221829 -> 4.9.18-201703261106 2017-03-26 21:35:36 +02:00
Tim Steinbach 23d0f01e95
linux: 4.4.56 -> 4.4.57 2017-03-26 10:08:56 -04:00
Tim Steinbach c0411ea229
linux: 4.10.5 -> 4.10.6 2017-03-26 10:05:22 -04:00
Tim Steinbach 422a8b9cd1
linux: 4.9.17 -> 4.9.18 2017-03-26 10:00:57 -04:00
Guillaume Maudoux d431ff2776 linux_mptcp: 0.91.2 -> 0.91.3 (kernel 4.1.38) 2017-03-23 22:36:24 +01:00
Robin Gloster 37f7470269
linux: drop 3.12 and 4.1 
Support ends before 17.09 is released:
https://www.kernel.org/category/releases.html
 2017-03-23 22:06:04 +01:00
Tim Steinbach 37a965c1de
linux: 4.10.4 -> 4.10.5 2017-03-23 16:43:31 -04:00
Tim Steinbach a20602d8e2
linux: 4.4.55 -> 4.4.56 2017-03-23 16:38:46 -04:00
Joachim Fasting 94ab4932ae
grsecurity: 4.9.16-201703180820 -> 4.9.17-201703221829 2017-03-23 01:03:14 +01:00
Joachim Fasting a2fdf72ec4
linux_4_9: 4.9.16 -> 4.9.17 2017-03-23 01:03:11 +01:00
Tim Steinbach c60102d177
linux: 4.11-rc2 -> 4.11-rc3 2017-03-21 20:32:36 -04:00
Tim Steinbach bef5607e20
linux: 4.4.54 -> 4.4.55 2017-03-19 12:18:46 -04:00
Tim Steinbach 6879d560cb
linux: 4.10.3 -> 4.10.4 2017-03-19 12:15:40 -04:00
Joachim Fasting b5da6ca213
linux_4_9: 4.9.15 -> 4.9.16 2017-03-18 15:32:56 +01:00
Joachim Fasting d4409817a6
grsecurity: 4.9.15-201703150049 -> 4.9.16-201703180820 2017-03-18 15:32:48 +01:00
Tim Steinbach ca3fb4d1d4
linux: 4.4.53 -> 4.4.54 2017-03-17 17:25:40 -04:00
Tim Steinbach 81ad24d4d7
linux: 4.10.2 -> 4.10.3 2017-03-17 17:19:59 -04:00
Joachim Fasting 12648a455b
linux_4_9: 4.9.14 -> 4.9.15 2017-03-15 20:03:34 +01:00
Joachim Fasting 9e60a17cb8
grsecurity: 4.9.14-201703121245 -> 4.9.15-201703150049 
Contains a fix for the n_hdlc double free bug.
 2017-03-15 07:25:21 +01:00
Franz Pletz 44bd7c45dc
linux_4_10: 4.10.1 -> 4.10.2 2017-03-14 23:08:43 +01:00
Franz Pletz a691c06556
linux_testing: 4.11-rc1 -> 4.11-rc2 2017-03-14 23:08:43 +01:00
Tim Steinbach 18684a4892
linux: 4.1.38 -> 4.1.39 2017-03-13 20:15:42 -04:00
Tim Steinbach 9ac82a773c
linux: 4.4.52 -> 4.4.53 2017-03-13 20:15:26 -04:00
Tuomas Tynkkynen b2c96062ca kernel: Add a validity check for modDirVersion 
Because if you get it wrong, you get a very confusing error message at
the end of the kernel build, which is quite painful as the build can
take a long time.
 2017-03-13 18:47:21 +02:00
Joachim Fasting 8091c1b208
linux_4_9: 4.9.13 -> 4.9.14 2017-03-12 18:44:29 +01:00
Joachim Fasting 4c211bdc63
grsecurity: 4.9.13-201703052141 -> 4.9.14-201703121245 2017-03-12 18:44:27 +01:00
Franz Pletz c1ccedeaff
linux: make some new config settings optional 
These are not support on older kernels pre 4.0.
 2017-03-11 08:14:29 +01:00
Franz Pletz ff2313a6c6
linux: 3.12.70 -> 3.12.71 2017-03-11 08:14:29 +01:00
Tuomas Tynkkynen 77c49794cd linux_testing: 4.10-rc7 -> 4.11-rc1 
Some config options got removed, so conditionalize them.
 2017-03-11 01:27:06 +02:00
Tuomas Tynkkynen 5f5b87107f raspberrypifw, linux_rpi: 1.20161020 -> 1.20170303 2017-03-08 21:35:31 +02:00
Joachim Fasting 17d80c49fa
grsecurity: 4.9.13-201702270729 -> 201703052141 2017-03-06 15:59:30 +01:00
Tuomas Tynkkynen 57c6fac3e9 kernel config: Enable IP_MULTICAST 
This is lacking on ARM and causes libuv tests to fail.
 2017-03-04 12:49:50 +02:00
Franz Pletz 49bdf9803a
linux: IPV6_FOU_TUNNEL is available since 4.7 2017-03-02 17:19:55 +01:00
Franz Pletz 75e85cae42
linux: enable FOU tunnels and VRF interfaces 2017-03-02 17:19:55 +01:00
Joachim Fasting a20a53300d
grsecurity: 4.9.13-201702261126 -> 201702270729 2017-02-27 16:04:32 +01:00
Joachim Fasting f3a6991f3d
grsecurity: 4.9.12-201702231830 -> 4.9.13-201702261126 2017-02-26 18:20:50 +01:00
Franz Pletz 701544d0a7
linux: 4.9.12 -> 4.9.13 2017-02-26 18:09:16 +01:00
Franz Pletz 62857b1f21
linux: 4.4.51 -> 4.4.52 2017-02-26 18:09:16 +01:00
Franz Pletz 8a75569619
linux: 4.10 -> 4.10.1 2017-02-26 18:09:15 +01:00
Joachim Fasting 0150d9a95c
grsecurity: 4.9.11-201702222257 -> 4.9.12-201702231830 2017-02-26 14:01:57 +01:00
Graham Christensen d36b1ccc13
Revert "Revert "linux kernels: patch against DCCP double free (CVE-2017-6074)"" 
This reverts commit 53a2baabbe.
 2017-02-23 19:23:29 -05:00
Graham Christensen 53a2baabbe
Revert "linux kernels: patch against DCCP double free (CVE-2017-6074)" 
This reverts commit 1d68edbef4.
 2017-02-23 18:47:16 -05:00
Graham Christensen 1d68edbef4
linux kernels: patch against DCCP double free (CVE-2017-6074) 2017-02-23 18:44:43 -05:00
Tim Steinbach 82aae8f631
kernel: 4.4.50 -> 4.4.51 2017-02-23 17:47:51 -05:00
Tim Steinbach 18c2be2862
kernel: 4.9.11 -> 4.9.12 2017-02-23 17:47:18 -05:00