Merge staging-next into staging

author: Frederik Rietdijk <fridh@fridh.nl> 2019-01-06 09:48:31 +0100
committer: Frederik Rietdijk <fridh@fridh.nl> 2019-01-06 09:48:31 +0100
commit: a4250d14784e318f44d084095f9a41aa4375105b (patch)
tree: d324f345bee9408253768c7bfb5dc2db9f2831e0 /pkgs/os-specific
parent: d47a99c450a95f2275b761d3e3b80b9764322abd (diff)
parent: e5381cdeceeb150535998cee5518e6fa678e4dc0 (diff)
5 files changed, 54 insertions, 33 deletions
diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index d712ea9957843..e8d272622ce93 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -6,8 +6,8 @@ let
   };
 in {
   fuse_2 = mkFuse {
-    version = "2.9.8";
-    sha256Hash = "0s04ln4k9zvvbjih8ybaa19fxg8xv7dcsz2yrlbk35psnf3l67af";
+    version = "2.9.9";
+    sha256Hash = "1yxxvm58c30pc022nl1wlg8fljqpmwnchkywic3r74zirvlcq23n";
   };
 
   fuse_3 = mkFuse {
diff --git a/pkgs/os-specific/linux/i2c-tools/default.nix b/pkgs/os-specific/linux/i2c-tools/default.nix
index 3f90b91f10d8b..5b061183356cf 100644
--- a/pkgs/os-specific/linux/i2c-tools/default.nix
+++ b/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -2,22 +2,23 @@
 
 stdenv.mkDerivation rec {
   name = "i2c-tools-${version}";
-  version = "4.0";
+  version = "4.1";
 
   src = fetchurl {
     url = "https://www.kernel.org/pub/software/utils/i2c-tools/${name}.tar.xz";
-    sha256 = "1mi8mykvl89y6liinc9jv1x8m2q093wrdc2hm86a47n524fcl06r";
+    sha256 = "1m97hpwqfaqjl9xvr4pvz2vdrsdvxbcn0nnx8pamnyc3s7pikcjp";
   };
 
   buildInputs = [ perl ];
 
-  patchPhase = ''
+  postPatch = ''
     substituteInPlace eeprom/decode-edid --replace "/usr/sbin/parse-edid" "${read-edid}/bin/parse-edid"
     substituteInPlace stub/i2c-stub-from-dump --replace "/sbin/" ""
   '';
 
-  installPhase = ''
-    make install prefix=$out
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postInstall = ''
     rm -rf $out/include # Installs include/linux/i2c-dev.h that conflics with kernel headers
   '';
 
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index e424dff596d38..3f6479c572b8c 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -4,6 +4,9 @@
 , perl
 , bison ? null
 , flex ? null
+, gmp ? null
+, libmpc ? null
+, mpfr ? null
 , stdenv
 
 , # The kernel source tarball.
@@ -89,7 +92,7 @@ let
     passAsFile = [ "kernelConfig" ];
 
     depsBuildBuild = [ buildPackages.stdenv.cc ];
-    nativeBuildInputs = [ perl ]
+    nativeBuildInputs = [ perl gmp libmpc mpfr ]
       ++ lib.optionals (stdenv.lib.versionAtLeast version "4.16") [ bison flex ];
 
     platformName = stdenv.hostPlatform.platform.name;
@@ -112,7 +115,10 @@ let
       export buildRoot="''${buildRoot:-build}"
 
       # Get a basic config file for later refinement with $generateConfig.
-      make HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc -C . O="$buildRoot" $kernelBaseConfig ARCH=$kernelArch
+      make -C .  O="$buildRoot" $kernelBaseConfig \
+          ARCH=$kernelArch \
+          HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc \
+          HOSTCXX=${buildPackages.stdenv.cc.targetPrefix}g++
 
       # Create the config file.
       echo "generating kernel configuration..."
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index 84d1dd8a378e6..ed540a9e7518d 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -28,9 +28,9 @@ ${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
   # Reduce attack surface by disabling various emulations
   IA32_EMULATION n
   X86_X32 n
-  ${optionalString (versionOlder version "4.17") ''
-    MODIFY_LDT_SYSCALL? n
-  ''}
+  # Note: this config depends on EXPERT y and so will not take effect, hence
+  # it is left "optional" for now.
+  MODIFY_LDT_SYSCALL? n
 
   VMAP_STACK y # Catch kernel stack overflows
 
@@ -52,18 +52,23 @@ ${optionalString (versionOlder version "4.11") ''
   DEBUG_SET_MODULE_RONX y
 ''}
 
-# Mark LSM hooks read-only after init.  Conflicts with SECURITY_SELINUX_DISABLE
-# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot
-# via the selinux=0 boot parameter.
+# Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
+# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+# implicitly marks LSM hooks read-only after init.
+#
+# SELinux can only be disabled at boot via selinux=0
+#
+# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+# config builder fails to detect that it has indeed been unset.
 ${optionalString (versionAtLeast version "4.12") ''
   SECURITY_SELINUX_DISABLE n
-''}
-
-${optionalString ((versionAtLeast version "4.12") && (versionOlder version "4.17")) ''
-  SECURITY_WRITABLE_HOOKS n
+  SECURITY_WRITABLE_HOOKS? n
 ''}
 
 DEBUG_WX y # boot-time warning on RWX mappings
+${optionalString (versionAtLeast version "4.11") ''
+  STRICT_KERNEL_RWX y
+''}
 
 # Stricter /dev/mem
 STRICT_DEVMEM? y
@@ -84,7 +89,7 @@ ${optionalString (versionAtLeast version "4.13") ''
 # Perform usercopy bounds checking.
 HARDENED_USERCOPY y
 ${optionalString (versionAtLeast version "4.16") ''
-  HARDENED_USERCOPY_FALLBACK n
+  HARDENED_USERCOPY_FALLBACK n  # for full whitelist enforcement
 ''}
 
 # Randomize allocator freelists.
@@ -94,6 +99,9 @@ ${optionalString (versionAtLeast version "4.14") ''
   SLAB_FREELIST_HARDENED y
 ''}
 
+# Allow enabling slub/slab free poisoning with slub_debug=P
+SLUB_DEBUG y
+
 # Wipe higher-level memory allocations on free() with page_poison=1
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
@@ -103,17 +111,23 @@ PAGE_POISONING_ZERO y
 PANIC_ON_OOPS y
 PANIC_TIMEOUT -1
 
-${optionalString (versionOlder version "4.18") ''
-  GCC_PLUGINS y # Enable gcc plugin options
-  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
-  GCC_PLUGIN_LATENT_ENTROPY y
-
-  ${optionalString (versionAtLeast version "4.11") ''
-    GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
-  ''}
-  ${optionalString (versionAtLeast version "4.14") ''
-    GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
-  ''}
+GCC_PLUGINS y # Enable gcc plugin options
+# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+GCC_PLUGIN_LATENT_ENTROPY y
+
+${optionalString (versionAtLeast version "4.11") ''
+  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
+''}
+${optionalString (versionAtLeast version "4.14") ''
+  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
+''}
+${optionalString (versionAtLeast version "4.20") ''
+  GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
+''}
+
+${optionalString (versionAtLeast version "4.13") ''
+  GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
 ''}
 
 # Disable various dangerous settings
diff --git a/pkgs/os-specific/linux/sysstat/default.nix b/pkgs/os-specific/linux/sysstat/default.nix
index d3a9d7834cdc6..27b27ebffdd87 100644
--- a/pkgs/os-specific/linux/sysstat/default.nix
+++ b/pkgs/os-specific/linux/sysstat/default.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl, gettext, bzip2 }:
 
 stdenv.mkDerivation rec {
-  name = "sysstat-12.1.1";
+  name = "sysstat-12.1.2";
 
   src = fetchurl {
     url = "http://perso.orange.fr/sebastien.godard/${name}.tar.xz";
-    sha256 = "0drrlv2fr64g5zf0a2bkla2rql4nmq4n192wvcr9r4zppg58d8k4";
+    sha256 = "0xiv70x4n24fcycvlq95lqgb3jwjxfzq61bnyqai57x54hhn46yp";
   };
 
   buildInputs = [ gettext ];
author	Frederik Rietdijk <fridh@fridh.nl>	2019-01-06 09:48:31 +0100
committer	Frederik Rietdijk <fridh@fridh.nl>	2019-01-06 09:48:31 +0100
commit	a4250d14784e318f44d084095f9a41aa4375105b (patch)
tree	d324f345bee9408253768c7bfb5dc2db9f2831e0 /pkgs/os-specific
parent	d47a99c450a95f2275b761d3e3b80b9764322abd (diff)
parent	e5381cdeceeb150535998cee5518e6fa678e4dc0 (diff)