Franz Pletz
2104d28bcd
linux: 4.1.27 -> 4.1.30
...
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Joachim Fasting
d82ddd6dc0
grsecurity: 4.7-201608131240 -> 4.7-201608151842
2016-08-16 17:50:37 +02:00
Joachim Fasting
b1cceeda84
grsecurity: enable pax size overflow plugin
2016-08-16 17:50:36 +02:00
Joachim Fasting
3fcb9e6f57
grsecurity: support non-enforcing mode
...
Until we've made sure that most things actually work out of the box, we
need to give people a way of continuing to use the system without
completely disabling grsecurity.
Set sysctl kernel.pax.softmode=1 or boot with pax.softmode=1
2016-08-16 17:50:36 +02:00
Robin Gloster
33e1c78ae3
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-08-16 07:54:01 +00:00
Shea Levy
9adad8612b
Revert "Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs"
...
Was meant to go into staging, sorry
This reverts commit 57b2d1e9b0, reversing
changes made to 760b2b9048.
2016-08-15 19:05:52 -04:00
Shea Levy
57b2d1e9b0
Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs
2016-08-15 19:01:44 -04:00
Nikolay Amiantov
1afd250676
treewide: replace several /sbin paths by /bin
2016-08-16 00:19:25 +03:00
Joachim Fasting
9062c67914
grsecurity: 4.6.5-201607312210 -> 4.7-201608131240
2016-08-15 20:36:46 +02:00
Franz Pletz
64c79e8526
linux: 4.6.5 -> 4.6.6
2016-08-15 04:28:08 +02:00
Franz Pletz
2a8718fb0b
linux_4_5: remove, not supported by upstream anymore
2016-08-15 04:28:02 +02:00
Franz Pletz
bd4490e277
Merge branch 'master' into hardened-stdenv
2016-08-13 16:59:55 +02:00
obadz
b2efe2babd
Revert "linux kernel 4.4: fix race during build"
...
Removes patch. Was fixed upstream.
This reverts commit 4788ec1372.
2016-08-12 16:42:25 +01:00
Guillaume Maudoux
b1817fa8a3
linux_mptcp: 0.90.1 (kernel 3.18) -> 0.91 (kernel 4.1) ( #17675 )
2016-08-12 15:14:24 +02:00
Robin Gloster
b7787d932e
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-08-12 09:46:53 +00:00
obadz
18947c9e36
Revert "ecryptfs: fix kernel bug introduced in 4.4.14"
...
The Linux 4.4.17 release fixes the underlying issue
This reverts commit fad9a8841b.
2016-08-11 17:15:54 +01:00
Eelco Dolstra
e26ac7afd4
linux: 4.4.16 -> 4.4.17
2016-08-11 15:20:07 +02:00
Tuomas Tynkkynen
088bcf4ec4
kernel config: Fix 3.10, 3.12, 3.14 builds
2016-08-06 17:06:45 +03:00
Tuomas Tynkkynen
44f462bf4d
generate-config.pl: Be more verbose about missing options
...
For instance, the current 3.10 kernel build fails at the end with:
    unused option: BRCMFMAC_PCIE
    unused option: FW_LOADER_USER_HELPER_FALLBACK
    unused option: KEXEC_FILE
    unused option: RANDOMIZE_BASE
However, it's not obvious that only the _last_ one is actually fatal to
the build. After this change it's at least somewhat better:
    warning: unused option: BRCMFMAC_PCIE
    warning: unused option: FW_LOADER_USER_HELPER_FALLBACK
    warning: unused option: KEXEC_FILE
    error: unused option: RANDOMIZE_BASE
2016-08-06 17:06:45 +03:00
Michal Rus
7281740c2e
linux: enable DRM_GMA600 and DRM_GMA3600
...
Adds basic support for Intel GMA3600/3650 (Intel Cedar Trail) platforms
and support for GMA600 (Intel Moorestown/Oaktrail) platforms with LVDS
ports via the gma500_gfx module.
Resolves #14727 Closes #17519
2016-08-05 19:07:40 +02:00
Franz Pletz
2d6b7aa545
linux: enable some useful networking options
...
All options are enabled by default on Debian and some other
distributions, so these should be safe.
2016-08-05 04:07:31 +02:00
Robin Gloster
1be4907ca2
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-08-02 13:46:36 +00:00
Joachim Fasting
76f2e827a7
grsecurity: 4.6.5-201607272152 -> 4.6.5-201607312210
2016-08-01 12:46:48 +02:00
Robin Gloster
63c7b4f9a7
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-07-31 20:51:34 +00:00
Joachim Fasting
83f783c00f
grsecurity: 4.6.4-201607242014 -> 4.6.5-201607272152
2016-07-29 00:24:00 +02:00
Franz Pletz
9aee2a17af
linux: 4.6.4 -> 4.6.5
...
Removed patch was applied upstream.
2016-07-28 23:05:27 +02:00
Franz Pletz
b68fe1a572
linux: 4.5.6 -> 4.5.7
2016-07-28 23:05:27 +02:00
Eelco Dolstra
42f8df10a2
linux: 4.4.16 -> 4.4.16
2016-07-28 17:03:55 +02:00
Robin Gloster
f222d98746
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-07-25 12:47:13 +00:00
Joachim Fasting
e725c927d4
grsecurity: 4.6.4-201607192040 -> 4.6.4-201607242014
2016-07-25 09:11:28 +02:00
Shea Levy
ac93e9f2c8
Linux 4.7
2016-07-24 18:30:08 -04:00
Lluís Batlle i Rossell
dd02b6f118
perf: depend on libiberty to get c++ demangling.
2016-07-21 17:27:15 +02:00
Robin Gloster
1f04b4a566
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-07-21 00:56:43 +00:00
Joachim Fasting
55120ac4cb
grsecurity: 4.6.4-201607112205 -> 4.6.4-201607192040
2016-07-20 10:17:35 +02:00
Joachim Fasting
c93ffb95bc
grsecurity: enable support for setting pax flags via xattrs
...
While useless for binaries within the Nix store, user xattrs are a convenient
alternative for setting PaX flags to executables outside of the store.
To disable secure memory protections for a non-store file foo, do
    $ setfattr -n user.pax.flags -v em foo
2016-07-20 10:17:11 +02:00
Robin Gloster
5185bc1773
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-07-15 14:41:01 +00:00
obadz
927a984de6
kernel: make KEXEC_FILE & KEXEC_JUMP optional to fix i686 build
...
cc @edolstra @dezgeg @domenkozar
2016-07-13 12:49:18 +02:00
obadz
fad9a8841b
ecryptfs: fix kernel bug introduced in 4.4.14
...
Introduced by mainline commit 2f36db7
Patch is from http://www.spinics.net/lists/stable/msg137350.html
Fixes #16766
2016-07-13 11:04:07 +02:00
Franz Pletz
dde259dfb5
linux: Add patch to fix CVE-2016-5829 ( #16824 )
...
Fixed for all available 4.x series kernels.
From CVE-2016-5829:
Multiple heap-based buffer overflows in the hiddev_ioctl_usage function
in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow
local users to cause a denial of service or possibly have unspecified
other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl
call.
2016-07-12 20:56:50 +02:00
Joachim Fasting
416120e0c7
grsecurity: 4.6.3-201607070721 -> 4.6.4-201607112205
2016-07-12 15:15:09 +02:00
Tim Steinbach
47da65923b
kernel: 4.6.3 -> 4.6.4 ( #16875 )
2016-07-12 09:54:57 +02:00
Louis Taylor
b2b8a89945
linux-testing: 4.7-rc6 -> 4.7-rc7 ( #16854 )
2016-07-11 17:53:41 +02:00
Eelco Dolstra
ecc26d7a40
linux: Disable the old IDE subsystem
...
This has long been deprecated in favour of the new ATA support
(CONFIG_ATA).
2016-07-11 15:05:21 +02:00
Eelco Dolstra
7b9c493d60
linux: Enable some kernel features
...
This enables a few features that should be useful and safe (they're
all used by the default Ubuntu kernel config), in particular zswap,
wakelocks, kernel load address randomization, userfaultfd (useful for
QEMU), paravirtualized spinlocks and automatic process group
scheduling.
Also removes some configuration conditional on kernel versions that we
no longer support.
2016-07-11 15:04:56 +02:00
Eelco Dolstra
1cd7dbc00b
linux: Bump NR_CPUS
...
The default limit (64) is too low for systems like EC2 x1.* instances
or Xeon Phis, so let's increase it.
2016-07-11 14:32:18 +02:00
Joachim Fasting
a2ebf45b47
grsecurity: 4.5.7-201606302132 -> 4.6.3-201607070721
2016-07-07 19:34:58 +02:00
Tuomas Tynkkynen
4085f4de5f
Merge branch 'pr-newest-uboot' into master
2016-07-04 15:17:46 +03:00
Tuomas Tynkkynen
55aecd308e
linux-rpi: 4.1.20-XXX -> 4.4.13-1.20160620-1
...
- Add a patch to unset CONFIG_LOCALVERSION in the v7 build.
- Copy all the device trees to match the upstream names so U-Boot can
  find them. (This is a hack.)
2016-07-04 15:13:29 +03:00
aszlig
566c990f33
linux-testing: 4.6-rc6 -> 4.7-rc6
...
The config option DEVPTS_MULTIPLE_INSTANCES now no longer exists since
torvalds/linux@eedf265aa0 .
Built successfully on my Hydra instance:
https://headcounter.org/hydra/log/r4n6sv0zld0aj65r7l494757s2r8w8sr-linux-4.7-rc6.drv
Verified unpacked tarball with GnuPG:
ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886
gpg: Signature made Mon 04 Jul 2016 08:13:05 AM CEST
gpg: using RSA key 79BE3E4300411886
gpg: Good signature from "Linus Torvalds <torvalds@linux-foundation.org>"
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-07-04 10:46:48 +02:00
Joachim Fasting
640ac5186f
grsecurity: 4.5.7-201606292300 -> 4.5.7-201606302132
2016-07-02 20:37:52 +02:00
Joachim Fasting
51c04b74c1
grsecurity: 4.5.7-201606280009 -> 4.5.7-201606292300
2016-06-30 11:09:59 +02:00
Joachim Fasting
cdcdc25ef3
grsecurity: 4.5.7-201606262019 -> 4.5.7-201606280009
2016-06-28 14:57:20 +02:00
Joachim Fasting
d5eec25ff9
grsecurity: 4.5.7-201606222150 -> 4.5.7-201606262019
2016-06-27 21:42:17 +02:00
Franz Pletz
7e9affa7ee
linux_4_3: Remove, not maintained anymore
2016-06-27 00:11:16 +02:00
Franz Pletz
eed51eccef
linux: 3.10.101 -> 3.10.102
2016-06-27 00:11:16 +02:00
Franz Pletz
b7e0b118d9
linux: 3.12.57 -> 3.12.61
2016-06-27 00:11:04 +02:00
Franz Pletz
0387eddb51
linux: 3.14.65 -> 3.14.73
2016-06-27 00:10:38 +02:00
Franz Pletz
6165af4db2
linux: 3.18.29 -> 3.18.36
2016-06-27 00:09:56 +02:00
Franz Pletz
5806b185bd
linux: 4.1.25 -> 4.1.27
2016-06-27 00:09:30 +02:00
Franz Pletz
4a942499b4
linux: 4.4.13 -> 4.4.14
2016-06-27 00:08:11 +02:00
Joachim Fasting
4fb72b2fd3
grsecurity: 4.5.7-201606202152 -> 4.5.7-201606222150
2016-06-26 17:27:17 +02:00
Tim Steinbach
125ffff089
kernel: 4.6.2 -> 4.6.3
2016-06-24 22:18:16 +00:00
Joachim Fasting
9d052a2c39
grsecurity: 4.5.7-201606142010 -> 4.5.7-201606202152
2016-06-23 00:55:54 +02:00
Eelco Dolstra
453086a15f
linux: 4.4.12 -> 4.4.13
2016-06-20 13:11:55 +02:00
zimbatm
7c32638439
Merge pull request #16259 from layus/update-mptcp
...
linux_mptcp: update 0.90 -> 0.90.1
2016-06-20 09:29:07 +01:00
Joachim Fasting
875fd5af73
grsecurity: 4.5.7-201606110914 -> 4.5.7-201606142010
2016-06-16 14:29:12 +02:00
Guillaume Maudoux
d73b7d101f
linux_mptcp: 0.90 -> 0.90.1
2016-06-15 22:56:11 +02:00
Joachim Fasting
130b06eb0b
grsecurity: 4.5.7-201606080852 -> 4.5.7-201606110914
2016-06-14 14:18:01 +02:00
Joachim Fasting
886c03ad2e
Merge pull request #16107 from joachifm/grsec-ng
...
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting
75b9a7beac
grsecurity: implement a single NixOS kernel
...
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel. This kernel is intended as a general
purpose kernel, tuned for casual desktop use.
Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors. It is impossible, however, to
effectively test and support that many options. This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised. More generally, it is
hopeless to anticipate imagined needs. It is better to start from a
solid foundation and possibly add more flavours on demand.
While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything. For some, the configuration will be either
too restrictive or too lenient. In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.
Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```
The generic kernel should be usable both as a KVM guest and host. When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.
Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.
Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Joachim Fasting
4ae5eb97f1
kernel: set virtualization options regardless of grsec
...
Per my own testing, the NixOS grsecurity kernel works both as a
KVM-based virtualisation host and guest; there appears to be no good
reason for making these conditional on `features.grsecurity`.
More generally, it's unclear what `features.grsecurity` *means*. If
someone configures a grsecurity kernel in such a fashion that it breaks
KVM support, they should know to disable KVM themselves.
2016-06-10 19:27:59 +02:00
Joachim Fasting
d8e4432fe2
kernel: unconditionally disable /dev/kmem
...
This was presumably set for grsecurity compatibility, but now appears
redundant. Grsecurity does not expect nor require /dev/kmem to be
present and so it makes little sense to continue making its inclusion in
the standard kernel dependent on grsecurity.
More generally, given the large number of possible grsecurity
configurations, it is unclear what `features.grsecurity` even
*means* and its use should be discouraged.
2016-06-10 19:27:41 +02:00
Shea Levy
4fbafb2395
linux 4.6.1 -> 4.6.2
2016-06-10 09:30:11 -04:00
Robin Gloster
8031cba2ab
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-06-10 09:27:04 +00:00
Joachim Fasting
edc36a0091
grsecurity: 4.5.6-201606051644 -> 4.5.7-201606080852
2016-06-09 15:40:06 +02:00
Vladimír Čunát
20c2ce4954
Merge #16045 : kernel: 4.6.0 -> 4.6.1
2016-06-09 14:37:32 +02:00
Vladimír Čunát
c0895be3ee
Merge #16044 : kernel: 4.1.20 -> 4.1.25
2016-06-09 14:36:31 +02:00
Vladimír Čunát
f9310c2eee
Merge #16043 : kernel: 4.4.11 -> 4.4.12
2016-06-09 14:34:50 +02:00
Tim Steinbach
269b7d30a7
kernel: 4.6.0 -> 4.6.1
2016-06-07 09:59:19 -04:00
Tim Steinbach
8f4755a0ae
kernel: 4.5.5 -> 4.5.6
2016-06-07 09:58:24 -04:00
Tim Steinbach
a57cbf6546
kernel: 4.4.11 -> 4.4.12
2016-06-07 09:57:47 -04:00
Tim Steinbach
f3ebf13762
kernel: 4.1.20 -> 4.1.25
2016-06-07 09:57:07 -04:00
Joachim Fasting
72899d92d0
grsecurity: 4.5.5-201605291201 -> 4.5.6-201606051644
2016-06-07 15:04:24 +02:00
Tuomas Tynkkynen
bac26e08db
Fix lots of fetchgit hashes (fallout from #15469 )
2016-06-03 17:17:08 +03:00
Alexander Kjeldaas
4c99d22f19
kernel: set nx bit on module ro segments
...
Fixes #4757 .
2016-06-03 15:41:47 +02:00
Robin Gloster
2d382f3d98
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-05-30 19:39:34 +00:00
Joachim Fasting
bfefc54bc5
grsecurity: 4.5.5-201605211442 -> 4.5.5-201605291201
2016-05-29 20:34:24 +02:00
Eelco Dolstra
3ee6b22dc3
linux: 4.4.10 -> 4.4.11
2016-05-22 23:05:10 +02:00
Joachim Fasting
5a357d9731
grsecurity: 4.5.5-201605202102 -> 4.5.5-201605211442
2016-05-21 22:28:36 +02:00
Joachim Fasting
79481bd68f
linux: 4.5.4 -> 4.5.5
2016-05-21 07:37:41 +02:00
Joachim Fasting
cdf2ffda9d
grsecurity: 4.5.4-201605131918 -> 4.5.5-201605202102
2016-05-21 07:37:41 +02:00
Franz Pletz
f8d481754c
Merge remote-tracking branch 'origin/master' into hardened-stdenv
2016-05-18 17:10:02 +02:00
Shea Levy
1ea263ef03
linux-4.6: Fix copy-paste error.
...
Thanks to @NeQuissimus for the spot
2016-05-16 13:53:23 -04:00
Shea Levy
0373eb86f1
Linux 4.6
2016-05-16 11:56:39 -04:00
Joachim Fasting
f99c86eec1
grsecurity: remove expressions for unsupported versions
...
Retain top-level attributes for now but consolidate compatibility
attributes.
Part of ongoing cleanup, doing it all at once is infeasible.
2016-05-16 09:10:27 +02:00
Joachim Fasting
6194e9d801
kernelPatches.grsecurity: 4.5.4-201605122039 -> 4.5.4-201605131918
...
Also revert to using the grsecurity-scrape mirror; relying on upstream
just isn't viable. Lately, updates have been so frequent that a new
version is released before Hydra even gets around to building the
previous one.
2016-05-14 05:15:35 +02:00
Joachim Fasting
7fdce2feb0
kernelPatches.grsecurity_4_5: 4.5.4-201605112030 -> 4.5.4-201605122039
2016-05-13 23:11:07 +02:00
Joachim Fasting
10aaca8c1f
grsecurity_4_5: 4.5.3-201605080858 -> 4.5.4-201605112030
2016-05-13 20:11:31 +02:00
Franz Pletz
006f6d9437
linux: 4.5.3 -> 4.5.4
2016-05-13 17:27:51 +02:00
Eelco Dolstra
7a8ea6138e
linux: 4.4.9 -> 4.4.10
2016-05-11 20:34:02 +02:00
Joachim Fasting
52477b0a0b
kernelPatches.grsecurity_4_5: 201605060852 -> 201605080858
2016-05-09 16:38:44 +02:00
Tim Steinbach
f53850bf21
kernel: 4.4.8 -> 4.4.9 ( #15276 )
2016-05-06 20:25:29 +02:00
Lluís Batlle i Rossell
53a4582552
Adding vmlinux to linux kernel 'dev' derivation.
...
It takes some extra 13MB (and in dev, not out), but allows perf to show kernel
symbols when profiling. I think it is worth it.
In my NixOS, I refer to it in the system derivation, for easy telling to perf
through /run/booted-system/vmlinux:
    system.extraSystemBuilderCmds = ''
      ln -s ${config.boot.kernelPackages.kernel.dev}/vmlinux $out/vmlinux
    '';
2016-05-06 18:11:03 +02:00
Tim Steinbach
02d94d335a
kernel: 4.5.2 -> 4.5.3
2016-05-06 11:12:04 -04:00
Joachim Fasting
27061905bd
linuxPackages_grsec_4_5: 3.1-4.5.2-201604290633 -> 3.1-4.5.3-201605060852
2016-05-06 16:37:25 +02:00
Eelco Dolstra
1f84e43239
Do some large, concurrency-capable builds on dedicated machines
2016-05-04 18:16:27 +02:00
Joachim Fasting
0bd31bce10
grsecurity: drop support for 4.4 kernels
...
From now on, only the testing branch of grsecurity will be supported.
Additionally, use only patches from upstream.
It's impossible to provide meaningful support for grsecurity stable.
First, because building and testing \(m \times n \times z\) [1], packages
is infeasible. Second, because stable patches are only available from
upstream for-pay, making us reliant on third-parties for patches. In
addition to creating yet more work for the maintainers, using stable
patches provided by a third-party goes against the wishes of upstream.
nixpkgs provides the tools necessary to build grsecurity kernels for any
version the user chooses, however, provided they pay for, or otherwise
acquire, the patch themselves.
Eventually, we'll want to remove the now obsolete top-level attributes,
but leave them in for now to smooth migration (they have been removed
from top-level/release.nix, though, because it makes no sense to have
them there).
[1]: where \(m\) is the number of grsecurity flavors, \(n\) is the
number of kernel versions, and \(z\) is the size of the `linuxPackages` set
2016-05-04 01:07:53 +02:00
Robin Gloster
c92bca56f8
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-05-02 22:58:02 +00:00
Joachim Fasting
7893cb1aea
linuxPackages_grsec_4_1: delete
...
Upstream supports 3.14, 4.4, and 4.5
2016-05-02 11:28:05 +02:00
Joachim Fasting
fecb56fc3f
linuxPackages_grsec_4_5: init at 3.1-4.5.2-201604290633
2016-05-02 11:28:05 +02:00
Louis Taylor
80f923f26f
linux-testing: 4.6-rc5 -> 4.6-rc6
2016-05-02 02:29:42 +01:00
Tim Steinbach
c494947676
linux_testing: 4.6-rc4 -> 4.6-rc5
2016-04-28 23:59:52 +00:00
Tuomas Tynkkynen
7276417870
kernel config: Enable BINFMT_MISC
...
This is enabled in x86 builds but lacking on ARM.
2016-04-28 20:46:34 +03:00
Eelco Dolstra
454eefa63b
linux: 4.4.7 -> 4.4.8
2016-04-26 16:39:59 +02:00
Louis Taylor
90cdfb5414
kernel: 4.5.1 -> 4.5.2
2016-04-20 11:55:13 +01:00
Robin Gloster
b59a6aa93a
kernel: turn off bindnow hardening
2016-04-19 02:21:57 +00:00
Robin Gloster
d020caa5b2
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-04-18 13:49:22 +00:00
Louis Taylor
ec198e3868
linux-testing: 4.6-rc3 -> 4.6-rc4 ( #14803 )
2016-04-18 14:11:25 +01:00
Tim Steinbach
ccc3080857
kernel: 4.4.6 -> 4.4.7 ( #14690 )
2016-04-14 16:30:20 +02:00
Tim Steinbach
af4d84544f
kernel: 4.5 -> 4.5.1 ( #14691 )
2016-04-14 15:57:18 +02:00
Vladimír Čunát
39ebb01d6e
Merge branch 'staging', containing closure-size #7701
2016-04-13 09:25:28 +02:00
obadz
4788ec1372
linux kernel 4.4: fix race during build
...
Patch drivers/crypto/qat/qat_common/Makefile so that qat_asym_algs.o
explicitly depends on headers qat_rsaprivkey-asn1.h and qat_rsapubkey-asn1.h
Hopefully fixes #14595
2016-04-12 22:45:57 +01:00
Tim Steinbach
5e5ef22d73
linux_testing: 4.6-rc2 -> 4.6-rc3 ( #14592 )
2016-04-11 13:44:34 +01:00
Charles Strahan
ad7b1e24c2
fan-networking: updated patches from Ubuntu
...
This pulls in updated Fan Networking patches from Ubuntu.
(https://wiki.ubuntu.com/FanNetworking )
closes #14328
2016-04-10 16:07:03 -04:00
Vladimír Čunát
30f14243c3
Merge branch 'master' into closure-size
...
Comparison to master evaluations on Hydra:
- 1255515 for nixos
- 1255502 for nixpkgs
2016-04-10 11:17:52 +02:00
Robin Gloster
3e68106afd
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-04-07 21:52:26 +00:00
Eelco Dolstra
4907fc9e8d
Merge pull request #14509 from ragnard/bpf-tracing-kernel-config
...
linux: kernel config for extended BPF support
2016-04-07 11:01:34 +02:00
Ragnar Dahlén
961d1e847c
linux: kernel config for extended BPF support
...
- Enable BPF_SYSCALL and BPF_EVENTS
- Build modules for NET_CLS_BPF and NET_ACT_BPF
With these config options we can leverage the full potential of BPF for
tracing and instrumenting Linux systems, for example using
libraries/tools like those provided by the bcc project.
2016-04-07 08:14:41 +01:00
Tuomas Tynkkynen
b95274cc90
kernel: Don't patchELF manually
...
AFAICT this is done by stdenv nowadays:
bde82098b8/pkgs/development/tools/misc/patchelf/setup-hook.sh (L5)
bde82098b8/pkgs/stdenv/generic/setup.sh (L737)
Might help / be somehow related to these mysterious errors that seem to
occur sometimes (?):
http://hydra.nixos.org/build/34131589/nixlog/1/raw
2016-04-06 17:19:43 +03:00
Robin Gloster
5ca99ae7a7
kernel.i686-linux: disable bindnow hardening
2016-04-06 14:16:42 +00:00
Domen Kožar
b95a1c4f77
kernel: fix build of 3.10 and 3.12 on i686
...
(cherry picked from commit 23730413fe)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-04-06 10:36:04 +01:00
Robin Gloster
bbbaccfa68
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-04-04 15:24:52 +00:00
Tim Steinbach
5ef5e59c56
linux_testing: 4.6-rc1 -> 4.6-rc2
2016-04-03 19:14:31 +00:00
Vladimír Čunát
ab15a62c68
Merge branch 'master' into closure-size
...
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Robin Gloster
f60c9df0ba
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-03-28 15:16:29 +00:00
Domen Kožar
c61445357e
Merge pull request #14239 from kragniz/linux-testing-4.6-rc1
...
Linux-testing 4.6-rc1
2016-03-28 15:53:52 +01:00
Joachim Fasting
dd16dcbba4
linux_grsec_3_14: mark as broken
...
First, the patch is outdated, I failed to find it anywhere in the mirror repos.
Second, the build fails, and while it may be "fixed" by ad-hoc patching (it
appears to simply need some missing includes), this would mean shipping a
potentially insecure software package. Given that the only reason to use
grsecurity is security, this is both misleading and exposes users to undue risk.
Finally, the build has been broken for quite a long time with no complaints,
leading me to believe that the number of actual users is quite low.
2016-03-27 21:13:41 +02:00
Domen Kožar
b07e7bfc7b
Merge remote-tracking branch 'origin/staging'
2016-03-27 13:19:04 +01:00
Joachim Fasting
bd9737cc3e
linux_chromiumos: require 64bit build host
...
I noticed that almost all the Hydra build failures were on i686. Sure
enough, upstream says that you need an x86_64 machine to build the
kernel.
2016-03-27 05:35:04 +02:00
Louis Taylor
8b7e150bb9
linux-testing: 4.5-rc7 -> 4.6-rc1
2016-03-27 03:10:19 +01:00
Louis Taylor
695c2e4ee4
kernel-config: do not use NFSD_PNFS on >=4.6
2016-03-27 03:09:30 +01:00
Joachim Fasting
89c6b3c11a
perf: fix build
...
https://hydra.nixos.org/build/33553564/nixlog/1/raw
2016-03-26 18:18:40 +01:00
Domen Kožar
4393e65a44
Merge pull request #14054 from NeQuissimus/kernel310101
...
kernel: 3.10.99 -> 3.10.101
2016-03-23 11:31:21 +00:00
Domen Kožar
2a428566e8
Merge pull request #14055 from NeQuissimus/kernel31257
...
kernel: 3.12.55 -> 3.12.57
2016-03-23 11:31:14 +00:00
Domen Kožar
4b29e2e6cb
Merge pull request #14056 from NeQuissimus/kernel31465
...
kernel: 3.14.63 -> 3.14.65
2016-03-23 11:30:59 +00:00
Lluís Batlle i Rossell
40b0538239
Update linux raspberry-pi to 4.1.y.
...
I could boot it in pi2; I don't know if I needed new
firmware files in /boot.
2016-03-22 15:09:57 +01:00
Tim Steinbach
6476075ccf
kernel: 3.18.28 -> 3.18.29 ( close #14057 )
2016-03-21 12:39:29 +01:00
Tim Steinbach
379709b404
kernel: 4.1.17 -> 4.1.20 ( close #14058 )
2016-03-21 12:15:25 +01:00
Tim Steinbach
4274edbe40
kernel: 3.14.63 -> 3.14.65
2016-03-19 18:29:40 +00:00
Tim Steinbach
bf41deb889
kernel: 3.12.55 -> 3.12.57
2016-03-19 18:27:41 +00:00
Tim Steinbach
6f5f855a2e
kernel: 3.10.99 -> 3.10.101
2016-03-19 18:25:24 +00:00
Eelco Dolstra
4b512321de
linux: 4.4.5 -> 4.4.6
...
CVE-2016-2143
2016-03-17 13:05:57 +01:00
Eelco Dolstra
6faa0aea88
linux: 3.18.27 -> 3.18.28
...
CVE-2016-2085
2016-03-17 13:05:13 +01:00
Robin Gloster
2ac4dba0fb
Merge pull request #13909 from kragniz/linux-4.5
...
linux: add 4.5
2016-03-15 18:12:47 +01:00
Robin Gloster
3f45f0948d
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-03-15 01:44:24 +00:00
Louis Taylor
8bdee80d39
linux: add 4.5
2016-03-14 22:34:05 +00:00
Tim Steinbach
a5d8256df4
grsecurity: 4.4.4 -> 4.4.5
2016-03-14 21:29:42 +00:00
Tim Steinbach
7c90420119
kernel: 4.4.4 -> 4.4.5
2016-03-10 01:39:17 +00:00
Nikolay Amiantov
fedabe3334
Merge pull request #13745 from zohl/linux-chromiumos
...
linux_chromiumos_3_14: kernel option fix
2016-03-08 13:57:32 +03:00
Vladimír Čunát
09af15654f
Merge master into closure-size
...
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Franz Pletz
255d710757
grsecurity: 4.4.2 -> 4.4.4
...
See #13505 .
2016-03-08 01:03:47 +01:00
Franz Pletz
eb5a897161
Merge remote-tracking branch 'origin/pr/13505'
...
Fixes #13505 .
2016-03-08 01:01:44 +01:00
Al Zohali
9d03355bed
ChromiumOS kernel option fixup
2016-03-08 01:19:42 +03:00
Franz Pletz
e9fc4e7db6
Merge remote-tracking branch 'origin/master' into hardened-stdenv
2016-03-07 22:08:27 +01:00
Louis Taylor
cdb0267efe
linux-testing: 4.5-rc6 -> 4.5-rc7
2016-03-07 01:00:33 +00:00
Franz Pletz
3b1f2e070b
linux_4_4: 4.4.3 -> 4.4.4
2016-03-05 21:50:03 +01:00
Franz Pletz
af40e356fe
linux_3_14: 3.14.61 -> 3.14.63
2016-03-05 21:50:03 +01:00
Franz Pletz
354a1935d3
linux_3_12: 3.12.54 -> 3.12.55
2016-03-05 21:50:03 +01:00
Franz Pletz
5b8361c118
linux_3_10: 3.10.97 -> 3.10.99
2016-03-05 21:50:03 +01:00
Franz Pletz
cb3d27df93
Merge remote-tracking branch 'origin/master' into hardened-stdenv
2016-03-05 18:55:30 +01:00
Franz Pletz
aff1f4ab94
Use general hardening flag toggle lists
...
The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
2016-03-05 18:55:26 +01:00
Franz Pletz
4927ca8397
Merge pull request #13555 from kragniz/linux-testing-4.5-rc6
...
linux-testing: 4.5-rc5 -> 4.5-rc6
2016-03-03 19:03:17 +01:00
Robin Gloster
fed49425c5
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-03-03 16:11:55 +00:00
Marko Poikonen
ede005ad3f
Enabling Media PCI adapters (needed for PCI DVB cards)
2016-03-01 20:57:46 +01:00
Louis Taylor
3747aef768
linux-testing: 4.5-rc5 -> 4.5-rc6
2016-02-28 19:13:36 +00:00
Robin Gloster
3b4765c9e5
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-02-28 16:32:57 +00:00
tg(x)
be3bd972d5
grsecurity: add 4.1 kernel
2016-02-28 15:00:16 +01:00
tg(x)
38614d3f6a
grsecurity: use kernel version instead of testing / stable
2016-02-28 04:10:59 +01:00
tg(x)
4e3d6d3e90
grsecurity: separate fix patches for testing & stable
2016-02-27 19:54:55 +01:00
tg(x)
75f353ffbd
grsecurity: decouple from mainline
2016-02-27 19:33:35 +01:00
tg(x)
7547960546
grsecurity: move version information to one place
2016-02-27 18:36:12 +01:00
tg(x)
d95321b83e
grsecurity: 4.3.4 -> 4.4.2
2016-02-27 18:36:12 +01:00
Franz Pletz
73e0c261c2
linux: 4.4.2 -> 4.4.3
2016-02-27 16:34:02 +01:00
Robin Gloster
3477e662e6
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-02-27 00:08:08 +00:00
Tim Steinbach
7506c58d74
linux_3_10: 3.10.96 -> 3.10.97 ( close #13405 )
2016-02-25 23:09:08 +01:00
Tuomas Tynkkynen
0e1319f03f
linux-3.10: fixup config by a slightly hacky way
...
For explanation see:
https://github.com/NixOS/nixpkgs/pull/13405#issuecomment-188357637
2016-02-25 23:07:47 +01:00
Tim Steinbach
3ef63227dd
linux-testing: 4.5-rc4 -> 4.5-rc5 ( close #13403 )
2016-02-24 08:17:52 +01:00
Tim Steinbach
642517fbda
linux_3_12: 3.12.53 -> 3.12.54 ( close #13406 )
2016-02-24 08:16:47 +01:00
Tim Steinbach
08cf57204f
linux_3_14: 3.14.60 -> 3.14.61 ( close #13407 )
2016-02-24 08:16:18 +01:00
Tim Steinbach
a2bd90650d
linux_4_3: 4.3.5 -> 4.3.6 ( close #13408 )
2016-02-24 08:15:34 +01:00
Franz Pletz
5e0105af9b
linux: 4.4.1 -> 4.4.2
2016-02-22 04:52:00 +01:00
Robin Gloster
bb2639aafc
Merge branch 'curl-7.15-fixup' of https://github.com/zimbatm/nixpkgs into hardened-stdenv
2016-02-22 01:14:22 +00:00
Tuomas Tynkkynen
a6638c62a8
Revert "linux: 4.1.17 -> 4.1.18"
...
This reverts commit 6cdf5fe85f.
This version has a crypto regression:
https://lkml.org/lkml/2016/2/19/748 which is blocking the channel update
due to a failing luksroot test: http://hydra.nixos.org/build/32159615
2016-02-21 17:57:39 +02:00
Robin Gloster
bc21db3692
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-02-19 21:16:14 +00:00
Franz Pletz
eff9726d54
linux: 4.3.4 -> 4.3.5
2016-02-18 03:44:19 +01:00
Franz Pletz
6cdf5fe85f
linux: 4.1.17 -> 4.1.18
2016-02-18 03:44:12 +01:00
Franz Pletz
d756ff9354
linux: 3.18.26 -> 3.18.27
2016-02-18 03:44:07 +01:00
Franz Pletz
41698c9efa
Merge branch 'master' into hardened-stdenv
2016-02-15 20:05:29 +01:00
Louis Taylor
d48f117d06
linux-testing: 4.5-rc3 -> 4.5-rc4
2016-02-14 23:03:26 +00:00
Vladimír Čunát
d039c87984
Merge branch 'master' into closure-size
2016-02-14 08:33:51 +01:00
Robin Gloster
077e24c10d
Revert "linuxPackages.perf: set -Wno-error=bool-compare"
...
This reverts commit 332c84196c.
only works on gcc5
2016-02-10 23:27:37 +00:00
Eelco Dolstra
e2eca0c24c
Fix misspelled meta.maintainers attributes
2016-02-10 23:27:34 +00:00
tg(x)
280033235e
grsecurity: use source URL from a scraped repository as grsecurity.net only has the latest version
2016-02-10 23:27:31 +00:00
Domen Kožar
6040699768
Merge pull request #12890 from NeQuissimus/kernel45rc3
...
linux-testing: 4.5-rc2 -> 4.5-rc3
2016-02-10 21:20:46 +00:00
Eelco Dolstra
aea262f654
Fix misspelled meta.maintainers attributes
2016-02-10 14:59:50 +01:00
tg(x)
42deddb17a
grsecurity: use source URL from a scraped repository as grsecurity.net only has the latest version
2016-02-10 00:46:11 +01:00
Robin Gloster
332c84196c
linuxPackages.perf: set -Wno-error=bool-compare
2016-02-09 23:17:13 +00:00
Robin Gloster
5969a59052
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-02-09 16:28:44 +00:00
Tim Steinbach
2fabb4b34d
linux-testing: 4.5-rc2 -> 4.5-rc3
2016-02-09 14:38:06 +00:00
Robin Gloster
9229e9c656
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
2016-02-07 11:17:57 +00:00
Louis Taylor
12ca23d650
linux-testing: 4.4-rc8 -> 4.5-rc2
2016-02-06 20:54:55 +00:00
Vladimír Čunát
ae74c356d9
Merge recent 'staging' into closure-size
...
Let's get rid of those merge conflicts.
2016-02-03 16:57:19 +01:00
Tuomas Tynkkynen
7db1cba057
kernel: Let the kernel build system strip modules
...
Since commit 48f51f1185 we let the kernel build system compress the
modules, which makes the original strip expression not work. Let the
kernel build system strip them as well so they get stripped.
2016-02-02 22:47:32 +02:00
Eelco Dolstra
7b772ae398
linux: Update to 3.10.96, 3.12.53, 3.14.60, 3.18.26, 4.1.17, 4.4.1
2016-02-02 16:38:42 +01:00
Eelco Dolstra
48f51f1185
linux: Compress kernel modules
...
This reduces the kernel package from 185 to 62 MiB, for a negligible
boot time cost.
2016-02-01 18:19:23 +01:00
Eelco Dolstra
72a30ae66f
linux: Use $SOURCE_DATE_EPOCH as the build timestamp
2016-02-01 18:19:23 +01:00
Eelco Dolstra
0a7cd3c110
Remove unused file
2016-02-01 18:19:23 +01:00
Lluís Batlle i Rossell
b2dc647c1e
linux: adding PCI Expresscard Hotplug support
2016-02-01 11:07:08 +01:00
Robin Gloster
f6d3b7a2ae
switch hardening flags
2016-01-30 16:36:57 +00:00
Franz Pletz
954e9903ad
Use a hardened stdenv by default
2016-01-30 16:36:57 +00:00
Dan Peebles
ef1f64106f
kernel: add back the patch I just removed by accident
2016-01-24 04:12:17 +00:00
Dan Peebles
78956c77c0
linux: 4.3.3 -> 4.34 (and update grsecurity patches, too)
2016-01-24 03:53:46 +00:00
Tobias Geerinckx-Rice
32d40f0f98
Remove no longer (or never) referenced patches
...
55 files changed, 6041 deletions. Tested with `nix-build -A tarball`.
2016-01-24 02:02:21 +01:00
Dan Peebles
8f9aea9ccc
grsecurity: fix kernel config and uncomment grsecurity kernels
2016-01-23 16:58:44 +00:00
Dan Peebles
33cf0792b1
grsecurity-testing: update patches and associated kernel version
2016-01-23 14:29:34 +00:00
Nikolay Amiantov
29785c5b7a
Merge pull request #12309 from zohl/chromiumos-kernel
...
Add ChromiumOS kernels
2016-01-23 13:13:59 +03:00
Vladimír Čunát
4824f73cb3
linux-4.2: remove as it's no longer maintained upstream
...
grsecurity still holds a reference to it,
but I prefer it to fail than to use a version
that is most likely not secure anymore.
2016-01-20 20:15:07 +01:00
Nathan Zadoks
23f5e3c90f
linux: patch CVE-2016-0728 (close #12492)
...
The PoC provided successfully escalates privileges from a local user to
root. The vulnerability affects any Linux Kernel version 3.8 and higher.
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
2016-01-20 09:31:53 +01:00
Guillaume Maudoux
f8ff4691ed
linux-mptcp: init at 0.90 (kernel 3.18.20), fixes #11149
2016-01-20 02:11:09 +01:00
Vladimír Čunát
716aac2519
Merge branch 'staging' into closure-size
2016-01-19 09:55:31 +01:00
Simon Jagoe
42d4175e4e
kernel: 4.1.13 -> 4.1.15 (close #12408)
2016-01-15 19:59:52 +01:00
Al Zohali
a3a5bc6095
linux_chromiumos_3_14: init at 3.14.0
...
Co-authored-by: Nikolay Amiantov <ab@fmap.me>
2016-01-13 22:43:19 +03:00
Al Zohali
ee9e7b7224
linux_chromiumos_3_18: init at 3.18.0
...
Co-authored-by: Nikolay Amiantov <ab@fmap.me>
2016-01-13 22:43:19 +03:00
Shea Levy
44274f62f5
linux: Add 4.4
2016-01-12 19:39:00 -05:00
Lluís Batlle i Rossell
1792ca5810
Increasing mmc possible partitions from 8 to 32.
...
In kernel common config. I have a modern tablet with 18 gpt partitions
on eMMC (Android+Win10 dualboot).
2016-01-11 09:27:58 +01:00
Tim Steinbach
f318049964
kernel: 4.3.2 -> 4.3.3
2016-01-11 02:08:31 +00:00
Aristid Breitkreuz
6fc1c08324
Merge pull request #12143 from NeQuissimus/kernel440rc8
...
linux-testing: 4.4.0-rc7 -> 4.4.0-rc8
2016-01-10 21:07:46 +01:00
Lluís Batlle i Rossell
be9ad574f7
Adding framebuffer console rotation to kernels.
...
This helps in some weird screens that otherwise show the console 90° turned.
2016-01-07 16:48:46 +01:00
Eelco Dolstra
e4b4e9b986
linux: Make Unix domain sockets builtin
...
This hopefully fixes intermittent initrd failures where udevd cannot
create a Unix domain socket:
machine# running udev...
machine# error getting socket: Address family not supported by protocol
machine# error initializing udev control socket
machine# error getting socket: Address family not supported by protocol
The "unix" kernel module is supposed to be loaded automatically, and
clearly that works most of the time, but maybe there is a race
somewhere. In any case, no sane person would run a kernel without Unix
domain sockets, so we may as well make it builtin.
http://hydra.nixos.org/build/30001448
2016-01-07 13:20:53 +01:00
Tim Steinbach
1283e01b38
linux-testing: 4.4.0-rc7 -> 4.4.0-rc8
2016-01-04 20:52:19 +00:00
aszlig
7ea34af4dd
linux-testing: 4.4.0-rc6 -> 4.4.0-rc7
...
Upstream changes can be found at:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?id=v4.4-rc7
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-01-02 17:56:03 +01:00
Vladimír Čunát
f9f6f41bff
Merge branch 'master' into closure-size
...
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
2015-12-31 09:53:02 +01:00
Eelco Dolstra
f6df6d8d46
linux: 3.18.24 -> 3.18.25
2015-12-29 15:56:20 +01:00
aszlig
a326ab1755
linux-testing: 4.4.0-rc5 -> 4.4.0-rc6
...
Upstream changes can be found at:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?id=v4.4-rc6
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-12-21 17:16:49 +01:00
aszlig
45e335aabd
linux-testing: 4.4.0-rc4 -> 4.4.0-rc5
...
Upstream changes can be found at:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?id=v4.4-rc5
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-12-14 20:29:10 +01:00
Shea Levy
18af0f88d0
Linux 4.3: 4.3 -> 4.3.2
2015-12-12 08:46:34 -05:00
Luca Bruno
5b0352a6a4
Merge branch 'master' into closure-size
2015-12-11 18:31:00 +01:00
aszlig
fc6d1471ce
linux-testing: Revert build fix for -rc3.
...
This reverts commit 79bd2b08ee.
The commit was from an upstream commit anyway and has since been applied
to mainline.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-12-11 11:31:05 +01:00
Eelco Dolstra
54d6f1f683
linux: 3.14.56 -> 3.14.58
2015-12-10 16:26:33 +01:00
aszlig
c00feace39
linux-testing: 4.4.0-rc3 -> 4.4.0-rc4
...
Upstream changes can be found at:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?id=v4.4-rc4
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-12-08 03:51:34 +01:00