author | Frederik Rietdijk <fridh@fridh.nl> | 2019-01-06 09:48:31 +0100 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2019-01-06 09:48:31 +0100 |
commit | a4250d14784e318f44d084095f9a41aa4375105b (patch) | |
tree | d324f345bee9408253768c7bfb5dc2db9f2831e0 /pkgs/os-specific | |
parent | d47a99c450a95f2275b761d3e3b80b9764322abd (diff) | |
parent | e5381cdeceeb150535998cee5518e6fa678e4dc0 (diff) |
Merge staging-next into staging
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r-- | pkgs/os-specific/linux/fuse/default.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/i2c-tools/default.nix | 11 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/generic.nix | 10 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 58 | ||||
-rw-r--r-- | pkgs/os-specific/linux/sysstat/default.nix | 4 |
5 files changed, 54 insertions, 33 deletions
diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index d712ea9957843..e8d272622ce93 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -6,8 +6,8 @@ let
 };
 in {
 fuse_2 = mkFuse {
- version = "2.9.8";
- sha256Hash = "0s04ln4k9zvvbjih8ybaa19fxg8xv7dcsz2yrlbk35psnf3l67af";
+ version = "2.9.9";
+ sha256Hash = "1yxxvm58c30pc022nl1wlg8fljqpmwnchkywic3r74zirvlcq23n";
 };
 fuse_3 = mkFuse {
diff --git a/pkgs/os-specific/linux/i2c-tools/default.nix b/pkgs/os-specific/linux/i2c-tools/default.nix
index 3f90b91f10d8b..5b061183356cf 100644
--- a/pkgs/os-specific/linux/i2c-tools/default.nix
+++ b/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -2,22 +2,23 @@
 stdenv.mkDerivation rec {
 name = "i2c-tools-${version}";
- version = "4.0";
+ version = "4.1";
 src = fetchurl {
 url = "https://www.kernel.org/pub/software/utils/i2c-tools/${name}.tar.xz";
- sha256 = "1mi8mykvl89y6liinc9jv1x8m2q093wrdc2hm86a47n524fcl06r";
+ sha256 = "1m97hpwqfaqjl9xvr4pvz2vdrsdvxbcn0nnx8pamnyc3s7pikcjp";
 };
 buildInputs = [ perl ];
- patchPhase = ''
+ postPatch = ''
 substituteInPlace eeprom/decode-edid --replace "/usr/sbin/parse-edid" "${read-edid}/bin/parse-edid"
 substituteInPlace stub/i2c-stub-from-dump --replace "/sbin/" ""
 '';
- installPhase = ''
- make install prefix=$out
+ makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+ postInstall = ''
 rm -rf $out/include # Installs include/linux/i2c-dev.h that conflics with kernel headers
 '';
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index e424dff596d38..3f6479c572b8c 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -4,6 +4,9 @@
 , perl
 , bison ? null
 , flex ? null
+, gmp ? null
+, libmpc ? null
+, mpfr ? null
 , stdenv
 , # The kernel source tarball.
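Review bot: The three new arguments `, gmp ? null`, `, libmpc ? null` and `, mpfr ? null` get no comment saying why a kernel build needs them, while the neighbouring kernel-source argument is annotated. From the rest of this merge (they are listed in `nativeBuildInputs` in the next hunk, and the hardened config now sets `GCC_PLUGINS y` unconditionally) they look like the gcc-plugin build dependencies, but a reader of this file alone cannot tell; a comment such as `, # gmp, libmpc and mpfr are needed to build gcc plugins (GCC_PLUGINS); optional so callers without them still evaluate` would record that. With a `null` default they are also added unconditionally to `nativeBuildInputs`, which is presumably as harmless as a null `bison`/`flex` would be there, but worth confirming. The argument list this hunk sits in continues outside the hunk.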
@@ -89,7 +92,7 @@ let
 passAsFile = [ "kernelConfig" ];
 depsBuildBuild = [ buildPackages.stdenv.cc ];
- nativeBuildInputs = [ perl ]
+ nativeBuildInputs = [ perl gmp libmpc mpfr ]
 ++ lib.optionals (stdenv.lib.versionAtLeast version "4.16") [ bison flex ];
 platformName = stdenv.hostPlatform.platform.name;
@@ -112,7 +115,10 @@ let
 export buildRoot="''${buildRoot:-build}"
 # Get a basic config file for later refinement with $generateConfig.
- make HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc -C . O="$buildRoot" $kernelBaseConfig ARCH=$kernelArch
+ make -C . O="$buildRoot" $kernelBaseConfig \
+ ARCH=$kernelArch \
+ HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc \
+ HOSTCXX=${buildPackages.stdenv.cc.targetPrefix}g++
 # Create the config file.
 echo "generating kernel configuration..."
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index 84d1dd8a378e6..ed540a9e7518d 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -28,9 +28,9 @@ ${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
 # Reduce attack surface by disabling various emulations
 IA32_EMULATION n
 X86_X32 n
- ${optionalString (versionOlder version "4.17") ''
- MODIFY_LDT_SYSCALL? n
- ''}
+ # Note: this config depends on EXPERT y and so will not take effect, hence
+ # it is left "optional" for now.
+ MODIFY_LDT_SYSCALL? n
 VMAP_STACK y # Catch kernel stack overflows
@@ -52,18 +52,23 @@ ${optionalString (versionOlder version "4.11") ''
 DEBUG_SET_MODULE_RONX y
 ''}
-# Mark LSM hooks read-only after init. Conflicts with SECURITY_SELINUX_DISABLE
-# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot
-# via the selinux=0 boot parameter.
+# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
+# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+# implicitly marks LSM hooks read-only after init.
+#
+# SELinux can only be disabled at boot via selinux=0
+#
+# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+# config builder fails to detect that it has indeed been unset.
 ${optionalString (versionAtLeast version "4.12") ''
 SECURITY_SELINUX_DISABLE n
-''}
-
-${optionalString ((versionAtLeast version "4.12") && (versionOlder version "4.17")) ''
- SECURITY_WRITABLE_HOOKS n
+ SECURITY_WRITABLE_HOOKS? n
 ''}
 DEBUG_WX y # boot-time warning on RWX mappings
+${optionalString (versionAtLeast version "4.11") ''
+ STRICT_KERNEL_RWX y
+''}
 # Stricter /dev/mem
 STRICT_DEVMEM? y
@@ -84,7 +89,7 @@ ${optionalString (versionAtLeast version "4.13") ''
 # Perform usercopy bounds checking.
 HARDENED_USERCOPY y
 ${optionalString (versionAtLeast version "4.16") ''
- HARDENED_USERCOPY_FALLBACK n
+ HARDENED_USERCOPY_FALLBACK n # for full whitelist enforcement
 ''}
 # Randomize allocator freelists.
@@ -94,6 +99,9 @@ ${optionalString (versionAtLeast version "4.14") ''
 SLAB_FREELIST_HARDENED y
 ''}
+# Allow enabling slub/slab free poisoning with slub_debug=P
+SLUB_DEBUG y
+
 # Wipe higher-level memory allocations on free() with page_poison=1
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
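Review bot: The new `versionAtLeast version "4.11"` block sets `STRICT_KERNEL_RWX y` but not the module-side counterpart, even though the pre-4.11 branch at the top of this hunk keeps `DEBUG_SET_MODULE_RONX y`, the option that 4.11 renamed to `STRICT_MODULE_RWX` (alongside `DEBUG_RODATA` becoming `STRICT_KERNEL_RWX`). As written, 4.11+ kernels get the read-only/non-executable enforcement for the core image while module text and rodata fall back to the arch default, so the two version branches are no longer equivalent; adding `STRICT_MODULE_RWX y` inside the same block restores that. `STRICT_KERNEL_RWX` also depends on `ARCH_HAS_STRICT_KERNEL_RWX`, so a hard `y` rather than `? y` would presumably make the config builder fail on an architecture that lacks it, unlike the `?` spelling used for `STRICT_DEVMEM` just below.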
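Review bot: The comment on the new `SLUB_DEBUG y` says "slub/slab free poisoning", but `SLUB_DEBUG` only exists for the SLUB allocator; on a kernel that selects SLAB the line has no effect and `slub_debug=P` does nothing, and nothing in this hunk pins the allocator choice. Unless `SLUB y` is set elsewhere in this file, consider `# Allow enabling SLUB free poisoning with slub_debug=P (only effective when the allocator is SLUB)`. Note also that this only makes poisoning available; it stays off until the boot parameter is given, which matches the stated intent and avoids the runtime cost of `SLUB_DEBUG_ON`.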
@@ -103,17 +111,23 @@ PAGE_POISONING_ZERO y
 PANIC_ON_OOPS y
 PANIC_TIMEOUT -1
-${optionalString (versionOlder version "4.18") ''
- GCC_PLUGINS y # Enable gcc plugin options
- # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
- GCC_PLUGIN_LATENT_ENTROPY y
-
- ${optionalString (versionAtLeast version "4.11") ''
- GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
- ''}
- ${optionalString (versionAtLeast version "4.14") ''
- GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
- ''}
+GCC_PLUGINS y # Enable gcc plugin options
+# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+GCC_PLUGIN_LATENT_ENTROPY y
+
+${optionalString (versionAtLeast version "4.11") ''
+ GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
+''}
+${optionalString (versionAtLeast version "4.14") ''
+ GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
+''}
+${optionalString (versionAtLeast version "4.20") ''
+ GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
+''}
+
+${optionalString (versionAtLeast version "4.13") ''
+ GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
+ GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
 ''}
 # Disable various dangerous settings
diff --git a/pkgs/os-specific/linux/sysstat/default.nix b/pkgs/os-specific/linux/sysstat/default.nix
index d3a9d7834cdc6..27b27ebffdd87 100644
--- a/pkgs/os-specific/linux/sysstat/default.nix
+++ b/pkgs/os-specific/linux/sysstat/default.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl, gettext, bzip2 }:
 stdenv.mkDerivation rec {
- name = "sysstat-12.1.1";
+ name = "sysstat-12.1.2";
 src = fetchurl {
 url = "http://perso.orange.fr/sebastien.godard/${name}.tar.xz";
- sha256 = "0drrlv2fr64g5zf0a2bkla2rql4nmq4n192wvcr9r4zppg58d8k4";
+ sha256 = "0xiv70x4n24fcycvlq95lqgb3jwjxfzq61bnyqai57x54hhn46yp";
 };
 buildInputs = [ gettext ]; |
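Review bot: `GCC_PLUGIN_RANDSTRUCT y` in the new `versionAtLeast version "4.13"` block randomizes the layout of marked kernel structures with a seed the kernel build draws from random data at build time, and the hunk does not record the two consequences: the kernel is no longer reproducible bit-for-bit across builds, and an out-of-tree module is only layout-compatible when compiled against the exact same build rather than merely the same version and config. Both matter in Nix, where reproducibility and separately built modules are the norm, and `GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y` only limits how much is shuffled. A comment on that block such as `# Seed is generated per build: breaks reproducible builds and out-of-tree modules built against another kernel build` would let users of this config make the trade-off knowingly. Separately, dropping the `versionOlder version "4.18"` guard makes `GCC_PLUGINS y` unconditional, which presumably relies on the gmp/libmpc/mpfr added to generic.nix in this same merge; the `''` string this hunk belongs to continues outside the hunk.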