1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-23 14:11:36 +00:00
Commit graph

12145 commits

Author SHA1 Message Date
Emily ed89b5b3f1 linux_*_hardened: don't set PANIC_ON_OOPS
Upstreamed in anthraxx/linux-hardened@366e0216f1.
2020-04-17 16:13:39 +01:00
Emily 0d5f1697b7 linux_*_hardened: don't set SLAB_FREELIST_{RANDOM,HARDENED}
Upstreamed in anthraxx/linux-hardened@786126f177,
anthraxx/linux-hardened@44822ebeb7.
2020-04-17 16:13:39 +01:00
Emily 4fb796e341 linux_*_hardened: don't set HARDENED_USERCOPY_FALLBACK
Upstreamed in anthraxx/linux-hardened@c1fe7a68e3,
anthraxx/linux-hardened@2c553a2bb1.
2020-04-17 16:13:39 +01:00
Emily 3eeb5240ac linux_*_hardened: don't set DEBUG_LIST
Upstreamed in anthraxx/linux-hardened@6b20124185.
2020-04-17 16:13:39 +01:00
Emily 0611462e33 linux_*_hardened: don't set {,IO_}STRICT_DEVMEM
STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is
turned on by anthraxx/linux-hardened@103d23cb66.

Note that anthraxx/linux-hardened@db1d27e10e
disables DEVMEM by default, so this is only relevant if that default is
overridden to turn it back on.
2020-04-17 16:13:39 +01:00
Emily 303bb60fb1 linux_*_hardened: don't set DEBUG_WX
Upstreamed in anthraxx/linux-hardened@55ee7417f3.
2020-04-17 16:13:39 +01:00
Emily 33b94e5a44 linux_*_hardened: don't set BUG_ON_DATA_CORRUPTION
Upstreamed in anthraxx/linux-hardened@3fcd15014c.
2020-04-17 16:13:39 +01:00
Emily db6b327508 linux_*_hardened: don't set LEGACY_VSYSCALL_NONE
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily 130f6812be linux_*_hardened: don't set RANDOMIZE_{BASE,MEMORY}
These are on by default for x86 in upstream linux-5.6.2, and turned on
for arm64 by anthraxx/linux-hardened@90f9670bc3.
2020-04-17 16:13:39 +01:00
Emily 8c68055432 linux_*_hardened: don't set MODIFY_LDT_SYSCALL
Upstreamed in anthraxx/linux-hardened@05644876fa.
2020-04-17 16:13:39 +01:00
Emily 8efe83c22e linux_*_hardened: don't set DEFAULT_MMAP_MIN_ADDR
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily 3d4c8ae901 linux_*_hardened: don't set VMAP_STACK
This has been on by default upstream for as long as it's been an option.
2020-04-17 16:13:39 +01:00
Emily 7d5352df31 linux_*_hardened: don't set X86_X32
As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.
2020-04-17 16:13:39 +01:00
Emily 0d4f35efd4 linux_*_hardened: use linux-hardened patch set
This is an updated version of the former upstream,
https://github.com/AndroidHardeningArchive/linux-hardened, and provides
a minimal set of additional hardening patches on top of upstream.

The patch already incorporates many of our hardened profile defaults,
and releases are timely (Linux 5.5.15 and 5.6.2 were released on
2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
2020-04-04 respectively).
2020-04-17 16:13:39 +01:00
Emily 3d01e802bd linux: explicitly enable SYSVIPC
The linux-hardened patch set removes this default, probably because of
its original focus on Android kernel hardening.
2020-04-17 16:12:29 +01:00
Tim Steinbach e341107367
linux: 5.4.32 -> 5.4.33 2020-04-17 08:34:01 -04:00
Tim Steinbach d9258d33be
linux: 4.19.115 -> 4.19.116 2020-04-17 08:34:01 -04:00
Vladimír Čunát acb4710214
alsaTools: 1.1.7 -> 1.2.2
Fixes build regression (after alsa update, I assume).
Despite the version number change, the diff is trivial:
https://git.alsa-project.org/?p=alsa-tools.git;a=log;h=refs/tags/v1.2.2
2020-04-17 13:49:20 +02:00
Florian Klink b3f14109a8 systemd: explicitly disable portabled for now
This hasn't worked with 243, let's disable it for now, until we have
tests and can ensure it works and keeps working.
2020-04-17 00:31:03 +02:00
Florian Klink ce7c1230ea systemd: explicitly disable homed for now
We don't currently have tests to ensure it works and keeps working.

So instead of having it accidentially working, and possibly breaking it
in the future, disable it for now.
2020-04-17 00:30:52 +02:00
Jörg Thalheim c18ceab106 systemd: remove myself as maintainer 2020-04-17 00:30:52 +02:00
Florian Klink b0b7f673dc systemd: 245 -> 245.3 2020-04-17 00:30:52 +02:00
Florian Klink d2871a723a systemd: 244.3 -> 245 2020-04-17 00:30:51 +02:00
Florian Klink 9de0ac3770 systemd: 243.7 -> 244.3
This required some changes in how we treat DEFAULT_PATH_NORMAL.
2020-04-17 00:30:51 +02:00
Florian Klink b4cbcba5b1 systemd: update paths kmod-static-nodes.service
The previous patch just removed a `ConditionFileNotEmpty=…` line from
`kmod-static-nodes.service` referring to a location not existing on
NixOS. We know better, and can actually replace this Condition to point
to `run/booted-system/kernel-modules/lib/modules/%v/`, instead of just
patching it out.
2020-04-17 00:28:58 +02:00
Florian Klink a6710adab2 systemd: join 000{3,8}-Don-t-try-to-unmount-nix-or-nix-store.patch 2020-04-17 00:27:30 +02:00
Florian Klink 4f346cd849 systemd: drop 0017-Fix-mount-option-x-initrd.mount-handling-35268-16.patch
This was simply undoing a hunk from
0008-Don-t-try-to-unmount-nix-or-nix-store.patch, so drop that one from
there and omit
0017-Fix-mount-option-x-initrd.mount-handling-35268-16.patch entirely.
2020-04-17 00:27:29 +02:00
Florian Klink a16ebf8561 systemd: drop 001{4,5}-{catalog,hwdb}-don-t-update-on-install.patch
These patches removed logic in the meson install phase invoking
`journalctl --update-catalog` and `systemd-hwdb update`, which would
mutate the running system, and obviously fails in the sandbox.

Upstream also knows this is a bad thing if you're not on the machine you
want to deploy to, so there's logic in there to not execute it when
DESTDIR isn't empty. In our case, it is - as we set --prefix instead for
other reasons, but by just setting DESTIDIR to "/", we can still trigger
these things to be skipped.

The patches removed some context from
0018-Install-default-configuration-into-out-share-factory.patch, which
we need to introduce there to make that patch still apply.
2020-04-17 00:27:29 +02:00
Florian Klink 1ad4accdaf systemd: drop 0027-Start-getty-on-lxc.patch
Since quite some time, systemd starts getty on these consoles
automatically.
2020-04-17 00:27:29 +02:00
Florian Klink 22bb3a6771 systemd: remove local-fs patch and revert of it 2020-04-17 00:27:29 +02:00
Florian Klink ba770e599c systemd: switch from our own fork to upstream repo + local patches
After patching, this produces exactly the same source code as in our
custom fork, but having the actual patches inlined inside nixpkgs makes
it easier to get rid of them.

In case more complicated rebasing is necessary, maintainers can

 - Clone the upstream systemd/systemd[-stable] repo
 - Checkout the current rev mentioned in src
 - Apply the patches from this folder via `git am 00*.patch`
 - Rebase the repo on top of a new version
 - Export the patch series via `git format-patch $newVersion`
 - Update the patches = [ … ] attribute (if necessary)
2020-04-17 00:27:19 +02:00
Mario Rodas fc7efb2d49
lxc: 4.0.1 -> 4.0.2 2020-04-16 04:20:00 -05:00
Jan Tojnar 4b706490da
Merge branch 'staging-next' into staging 2020-04-16 10:10:38 +02:00
Jan Tojnar 3d8e436917
Merge branch 'master' into staging-next 2020-04-16 10:09:43 +02:00
markuskowa 4289160b17
Merge pull request #85281 from r-ryantm/auto-update/rdma-core
rdma-core: 28.0 -> 29.0
2020-04-15 13:27:20 +02:00
R. RyanTM d6d2b1ee6d rdma-core: 28.0 -> 29.0 2020-04-15 07:31:00 +00:00
Niklas Hambüchen f16ae2da3e linux: Enable CONFIG_NET_DROP_MONITOR by default.
Needed for subscribing to dropped packets (e.g. via `dropwatch`).
2020-04-14 20:07:51 +02:00
Maximilian Bosch 401e07d419
Merge pull request #84551 from gnprice/pr-stripDebugList
treewide: Fix types of stripDebugList attrs (and fix doc)
2020-04-14 15:54:52 +02:00
John Ericson 17f2cf93dc fwupdate: Clean up -I flags 2020-04-13 19:21:23 -04:00
Matthew Bauer e520d6af29
Merge pull request #84415 from matthewbauer/mb-cross-fixes-april2020
Cross compilation fixes [april 2020]
2020-04-13 16:48:38 -04:00
Jan Tojnar b4a6714571
Merge branch 'staging-next' into staging 2020-04-13 18:54:59 +02:00
Jan Tojnar a04625379a
Merge branch 'master' into staging-next 2020-04-13 18:50:35 +02:00
Matthew Bauer 156c67858f
Merge pull request #85017 from r-ryantm/auto-update/android-udev-rules
android-udev-rules: 20191103 -> 20200410
2020-04-13 11:11:25 -04:00
Tim Steinbach f6e64feb14
linux: 5.6.3 -> 5.6.4 2020-04-13 08:36:35 -04:00
Tim Steinbach bba4a30f8c
linux: 5.5.16 -> 5.5.17 2020-04-13 08:36:27 -04:00
Tim Steinbach 2b6e16abe0
linux: 5.4.31 -> 5.4.32 2020-04-13 08:36:19 -04:00
Tim Steinbach f47969645b
linux: 4.9.218 -> 4.9.219 2020-04-13 08:36:11 -04:00
Tim Steinbach e06d2a4682
linux: 4.19.114 -> 4.19.115 2020-04-13 08:36:04 -04:00
Tim Steinbach f717bfeedb
linux: 4.14.175 -> 4.14.176 2020-04-13 08:35:56 -04:00
Tim Steinbach 3a8f6159cb
linux: 4.4.218 -> 4.4.219 2020-04-13 08:35:32 -04:00
Maximilian Bosch 89d2967c9e
linuxPackages.bpftrace: 0.9.3 -> 0.9.4
https://github.com/iovisor/bpftrace/releases/tag/v0.9.4
2020-04-13 12:03:37 +02:00
R. RyanTM b1d4fdad19 pam_krb5: 4.8 -> 4.9 2020-04-12 17:43:53 -07:00
R. RyanTM 1c0b645d7b
earlyoom: 1.5 -> 1.6 2020-04-12 09:09:57 +00:00
Edmund Wu f9ac494891
rtkit: 0.11 -> 0.13 2020-04-11 21:36:43 -04:00
Edmund Wu 363004c7eb
rtkit: cleanup 2020-04-11 17:09:44 -04:00
R. RyanTM 64f80e3397 android-udev-rules: 20191103 -> 20200410 2020-04-11 18:24:40 +00:00
Andreas Stührk 9ddfde8977 v4l2loopback: 0.12.3 -> 0.12.4 2020-04-10 14:22:11 -07:00
Michael Reilly 84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
Jan Tojnar 55a5c128d4
Merge branch 'staging-next' into staging 2020-04-10 12:13:27 +02:00
Jan Tojnar 1ab03c3a76
Merge branch 'master' into staging-next 2020-04-10 12:12:56 +02:00
Dmitry Kalinkin 98790dab3b
Merge pull request #84680 from lovesegfault/nvidia-x11-440.82
linuxPackages.nvidia_x11: 440.64 -> 440.82
2020-04-09 00:16:46 -04:00
Bernardo Meurer 73ff54e7b9
linuxPackages.nvidia_x11: 440.64 -> 440.82 2020-04-08 20:01:41 -07:00
Peter Hoeg f14b43a54c
Merge pull request #84716 from peterhoeg/p/g15daemon
g15daemon: init at 1.9.5.3
2020-04-09 09:56:26 +08:00
Michael Weiss b7bf29993b
Merge pull request #82298 from Ralith/netem
iproute: include netem tools
2020-04-08 19:05:59 +02:00
Michael Bishop 70308c5c56
device-tree_rpi: fix platforms 2020-04-08 12:54:58 -03:00
Jörg Thalheim fe8875a363
Merge pull request #84597 from NixOS/acpi-call
linuxPackages.acpi-call: switch to nix-community fork
2020-04-08 15:34:01 +01:00
Jörg Thalheim 1ae03c9db1
linuxPackages.acpi-call: switch to nix-community fork
This fixes also build against linux 5.6
We also took the opportunity to cleanup the build.
2020-04-08 15:03:53 +01:00
Tim Steinbach 7bd91fe7af
linux: 5.6.2 -> 5.6.3 2020-04-08 08:51:08 -04:00
Tim Steinbach 1c637d2326
linux: 5.5.15 -> 5.5.16 2020-04-08 08:51:07 -04:00
Tim Steinbach 5653337922
linux: 5.4.30 -> 5.4.31 2020-04-08 08:51:07 -04:00
Peter Hoeg 0669cd72ae g15daemon: init at 1.9.5.3 2020-04-08 20:49:49 +08:00
Silvan Mosberger b293421a69
Merge pull request #84129 from Infinisil/removing-python-from-grub
Support removing python from zfs/grub closure
2020-04-08 12:53:28 +02:00
Jörg Thalheim b3a9a65955
Merge pull request #84595 from NixOS/zfs
zfs: fix build against 5.6
2020-04-08 10:14:11 +01:00
worldofpeace d9a056953c
Merge pull request #81693 from lovesegfault/uvcdynctrl-udev
uvcdynctrl: fix udev files
2020-04-07 23:38:50 -04:00
worldofpeace 9fa5658672
Merge pull request #84161 from lovesegfault/ddcci-0.3.3
ddcci: 0.3.2 -> 0.3.3
2020-04-07 23:36:12 -04:00
R. RyanTM 53c6b76dc4 fwts: 20.02.00 -> 20.03.00 2020-04-07 19:35:21 -07:00
Silvan Mosberger 0a43c6e0f9
zfs: Add enablePython argument
Reduces closure size with it disabled from 236.0M to 176.7M
2020-04-08 02:29:03 +02:00
Jörg Thalheim 75c28ebdf7
zfs: fix build against 5.6 2020-04-07 13:00:55 +01:00
Michael Weiss 84867e44bf
Merge pull request #84134 from primeos/iproute2
iproute: 5.5.0 -> 5.6.0
2020-04-07 12:39:04 +02:00
Bernardo Meurer fe9b7e6281
uvcdynctrl: fix udev files 2020-04-07 00:35:53 -07:00
Bernardo Meurer 79045d9051
linuxPackages.ddcci-driver: 0.3.2 -> 0.3.3 2020-04-07 00:34:54 -07:00
Greg Price 7547cf9dfc treewide: Fix up stripDebugList attrs to be lists.
The documentation says this should be a list, and it already is in
about half the expressions that set it.

The difference doesn't matter at present, because these values are all
space-free literals.  But it will in a future with __structuredAttrs .

(The similar attr stripAllList has no users in the nixpkgs tree, so
there's nothing to do to fix any of those up.)
2020-04-06 21:26:52 -07:00
Dmitry Kalinkin 9b0d2f3fd1
Merge pull request #84163 from lovesegfault/nvidia-x11-440.64
linuxPackages.nvidia_x11: 440.59 -> 440.64
2020-04-06 18:24:27 -04:00
Matthew Bauer 024877e7b2 alsa-plugins: move pkgconfig to native 2020-04-06 16:36:28 -04:00
Matthew Bauer 0bbdba2d11 bluez: don’t build python packages when tests are disabled
Can’t run these on cross anyway
2020-04-06 16:36:28 -04:00
Matthew Bauer 3a71e62c56 plymouth: set systemd-tty-ask-password-agent path
This is needed in cross where systemd is not in path.
2020-04-06 16:36:21 -04:00
Eelco Dolstra 50913242ab
Merge pull request #81500 from primeos/tcp-cong-switch-to-cubic
linux config: Set TCP_CONG_CUBIC=yes to restore the default
2020-04-06 17:11:31 +02:00
Jörg Thalheim a737f030cf
Merge pull request #71481 from eadwu/bcachefs/update-10
bcachefs: update 10
2020-04-06 15:43:36 +01:00
Edmund Wu 04a5e5ab7c
linux_testing_bcachefs: 5.3.2020.03.25 -> 5.3.2020.04.04 2020-04-06 10:29:33 -04:00
Jörg Thalheim b2aa0bbf46
Merge pull request #84422 from r-ryantm/auto-update/lxcfs
lxcfs: 4.0.0 -> 4.0.1
2020-04-06 13:17:41 +01:00
Michael Weiss 94f2a76718
iproute: Build the netem tools
They will be installed now and we can provide $HOSTCC for
cross-compilation.

New files:
+lib/tc/experimental.dist
+lib/tc/normal.dist
+lib/tc/pareto.dist
+lib/tc/paretonormal.dist

Note: The distributions are generated in a reproducible way.

Co-Authored-By: Benjamin Saunders <ben.e.saunders@gmail.com>
2020-04-06 14:00:06 +02:00
Michael Weiss aa46e1ae34
iproute: Simplify and improve the expression 2020-04-06 13:56:48 +02:00
Mario Rodas 39f6269ec0
lxc: 4.0.0 -> 4.0.1 2020-04-06 04:20:00 -05:00
Frederik Rietdijk 2420184727 Merge staging into staging-next 2020-04-06 08:54:28 +02:00
R. RyanTM a6d549c98f lxcfs: 4.0.0 -> 4.0.1 2020-04-06 03:47:09 +00:00
Mario Rodas f16fb03d32
Merge pull request #84313 from r-ryantm/auto-update/procdump
procdump: 1.1 -> 1.1.1
2020-04-05 20:19:53 -05:00
Bernardo Meurer 408de509cc
linuxPackages.nvidia_x11: 440.59 -> 440.64 2020-04-05 14:01:28 -07:00
Graham Christensen 65d3a18576
Merge pull request #84387 from kraem/fix/facetimehd-linux-5.6
facetimehd: update src to build with linux >= 5.6
2020-04-05 16:28:50 -04:00
kraem a5b0581cf7
facetimehd: update src to build with linux >= 5.6
also add kraem to maintainers
2020-04-05 22:14:54 +02:00
Frederik Rietdijk 98cefdd37f
Merge pull request #83155 from roastiek/alsa-upgrade
alsa-lib: 1.1.9 -> 1.2.2 and new alsa conf packages
2020-04-05 13:17:16 +02:00