| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Since GNOME version is now 40, it no longer makes sense to use the old attribute name.
|
|
lib.meta: introduce `availableOn` to check package availability on given platform
|
|
brltty: 6.1 -> 6.3; nixos/brltty: use upstream units
|
|
installer images: Add available modules to stage-1 on ARM platforms
|
|
set a group and user for the service
remove default null config
it's required, now it throws an error pointing to the option
set myself (module author) as maintainer
|
|
and set myself (module author) as maintainer
|
|
nixos/network: allow configuring tempaddr for undeclared interfaces
|
|
spidermonkey_1_8_5: drop
|
|
nixos/hercules-ci-agent: updates
|
|
|
|
|
|
lib/modules: pass specialArgs to modules
|
|
|
|
been enabled
|
|
|
|
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.
It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.
This leaves us with these options unsecured:
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ PrivateDevices= Service potentially has access to hardware devices 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 0.2
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ SupplementaryGroups= Service runs with supplementary groups 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1
→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
|
|
netdata: 1.29.3 -> 1.30.1
|
|
wpa_supplicant: allow both imperative and declarative networks
|
|
libbrotli wasn't listed as a dependency for the AppArmor profile of the transmission-daemon binary.
As a result, transmission wouldn't run and would fail, logging this audit message to dmesg:
audit[11595]: AVC apparmor=DENIED operation=open profile=/nix/store/08i1rmakmnpwyxpvp0sfc5hcm106am7w-transmission-3.00/bin/transmission-daemon name=/proc/11595/environ pid=11595 comm=transmission-da requested_mask=r denied_mask=r fsuid=70 ouid=70
|
|
It will be run after startup.
|
|
GNOME 40 added support for it in Control Center.
|
|
It has been retired
https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/353
|
|
|
|
|
|
|
|
|
|
nixos/tests/sway: init
|
|
Recursive type deprecation
|
|
|
|
|
|
This ensures that SD images and UEFI installers don't drift in
compatibility with regards to early initrd.
|
|
Namely, early KMS on raspberry pi
|
|
|
|
|
|
While it's being brought in implicitly by the other analogix driver,
let's be explicit, in case things change.
|
|
But not exclusive to rockchip
|
|
|
|
|
|
This is used on some allwinner platforms, and is a weak dependency for
USB to work.
|
|
Namely, this is used by the pinebook's display
|
|
|
|
|
|
iso-image: Fix GRUB graphical menu on AArch64
|
|
|
|
...or used correctly.
|
|
|
|
This reverts commit d9e18f4e7f77fffde95384d36cc8ac5d1d51b356.
This change is broken, since it doesn't configure the proper database
username in keycloak when provisioning a local database with a custom
username. Its intended behavior is also potentially confusing and
dangerous, so rather than fixing it, let's revert to the old one.
|
|
This adds a basic test for Sway. Because Sway is an important part of
the Wayland ecosystem, is stable, and has few dependencies this test
should also be suitable for testing core packages it depends on (e.g.
wayland, wayland-protocols, wlroots, xwayland, mesa, libglvnd, libdrm,
and soon libseat).
The test is modeled after the suggested way of using Sway, i.e. logging
in via a virtual console (tty1) and copying the configuration from
/etc/sway/config (we replace Mod4 (the GNU/Tux key - you've replaced
that evil logo, right? :D) with Mod1 (Alt key) because QEMU monitor's
sendkey command doesn't support the former).
The shell aliases are used to make the sendkey log output shorter.
Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
|
|
|
|
|
