Commit Graph

165644 Commits

Author SHA1 Message Date
Joachim Fasting
167578163a
nixos/hardened profile: always enable pti 2019-01-05 14:07:39 +01:00
Joachim Fasting
3f1f443125
nixos/hardened profile: slab/slub hardening
slab_nomerge may reduce surface somewhat

slub_debug is used to enable additional sanity checks and "red zones" around
allocations to detect read/writes beyond the allocated area, as well as
poisoning to overwrite free'd data.

The cost is yet more memory fragmentation ...
2019-01-05 14:07:37 +01:00
Joachim Fasting
d62086e6fc
hardened-config: allow slub/slab free poisoning 2019-01-05 14:07:36 +01:00
Joachim Fasting
11840f5c70
hardened-config: explain HARDENED_USERCOPY_FALLBACK n 2019-01-05 14:07:36 +01:00
Joachim Fasting
dfd77a046d
hardened-config: ensure STRICT_KERNEL_RWX
This is y in the default config, but enable it explicitly here to catch
situations where it has been disabled (explicitly or implicitly).
2019-01-05 14:07:35 +01:00
Joachim Fasting
1801aad7b8
hardened-config: clarify MODIFY_LDT_SYSCALL
This likely never worked; MODIFY_LDT_SYSCALL depends on EXPERT; enabling
EXPERT however seems to introduce quite a few changes that would need to be
properly vetted.

The version guard is unnecessary, however, as this config has been supported
since 4.3.
2019-01-05 14:07:34 +01:00
Joachim Fasting
abc8ed3fca
hardened-config: clarify readonly LSM hooks config
SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE;
explicitly unsetting results in an error because the configfile builder fails
to detect that it has in fact been unset (reporting it as an unused option).
For now, leave WRITABLE_HOOKS as an "optional" config for documentation
purposes.
2019-01-05 14:07:33 +01:00
Joachim Fasting
c68e8b05f0
Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT"
This reverts commit 5dda1324be.

Presumably this was done to work around build errors or something but it
works fine now.
2019-01-05 14:07:21 +01:00
Jörg Thalheim
e36c93b3a0
Merge pull request #53408 from frlan/Update/Geany/1.34.1
Geany: 1.34 -> 1.34.1
2019-01-05 13:24:38 +01:00
Jörg Thalheim
9b2f0fbcdd
nixos/lirc: expose socket path via passthru 2019-01-05 13:22:39 +01:00
Michael Raskin
3b152247ea weechatScripts.weechat-matrix-bridge: 2018-05-29 -> 2018-11-19 (HTTP/2 support fix) 2019-01-05 13:21:30 +01:00
taku0
17f4d415a2
thunderbird: 60.3.3 -> 60.4.0
Picked from PR #53437.  It runs fine for me.
2019-01-05 13:09:04 +01:00
Jörg Thalheim
8e95adcb75
Merge pull request #53439 from dywedir/gpxsee
gpxsee: 6.3 -> 7.1
2019-01-05 13:08:27 +01:00
Jörg Thalheim
38fa1ed0db
Merge pull request #53392 from xzfc/xpointerbarrier
xpointerbarrier: 17.11 -> 18.06
2019-01-05 13:03:53 +01:00
Jörg Thalheim
8832292ace
Merge pull request #52932 from ejpcmac/init-elixir_1_8
elixir_1_8: init at 1.8.0-rc.1
2019-01-05 12:59:33 +01:00
Jörg Thalheim
bf6aa78d0d
Merge pull request #52951 from Gerschtli/update/pdf2image
pythonPackages.pdf2image: 1.0.0 -> 1.3.1
2019-01-05 12:56:47 +01:00
Michael Raskin
fbd6ddadf1
Merge pull request #53434 from tohl/master
sbcl updated, tested on nixos x86_64
2019-01-05 11:48:23 +00:00
Jörg Thalheim
4a4d1d6497
cryptominisat: 5.0.1 -> 5.6.6 2019-01-05 12:45:44 +01:00
Jörg Thalheim
69d3eb6b6f
elixir: link to compatibility table 2019-01-05 12:39:23 +01:00
Jean-Philippe Cugnet
5cefef0d12
elixir_1_3: Remove since it is not supported anymore 2019-01-05 12:34:49 +01:00
Orivej Desh
8dddd6d4a1 clang-tools: override llvm version in all-packages 2019-01-05 11:19:37 +00:00
Tobias Happ
f94016eb84 pythonPackages.pdf2image: 1.0.0 -> 1.3.1 2019-01-05 10:56:50 +01:00
Vladyslav Mykhailichenko
f24d62c1e9
gpxsee: 6.3 -> 7.1 2019-01-05 11:44:07 +02:00
Samuel Dionne-Riel
c620278b63
Merge pull request #53435 from worldofpeace/systemd-logo
nixos/version: add LOGO to /etc/os-release
2019-01-05 00:30:21 -05:00
Matthew Bauer
d9707792b5 mesa: make sure $drivers output gets created
Not all installs will have a $drivers output, so we just create an
empty one here.
2019-01-04 23:26:57 -06:00
worldofpeace
21327795ce nixos/version: add LOGO to /etc/os-release 2019-01-05 00:03:39 -05:00
Tomas Hlavaty
2d9d6337f8 sbcl: 1.4.13 -> 1.4.15 2019-01-05 05:19:42 +01:00
John Ericson
1383670a83
Merge pull request #53029 from Ericson2314/windows-ce-arm
lib: Fix Mingw on 32-bit ARM
2019-01-04 20:27:35 -05:00
Michael Weiss
e7e18206dd
fuse: 2.9.8 -> 2.9.9 2019-01-05 02:26:02 +01:00
Dmitry Kalinkin
fb185ff859
Merge pull request #52835 from suhr/musescore
musescore: 2.3.2 -> 3.0
2019-01-04 20:20:34 -05:00
worldofpeace
678dda92a5 libcdr: drop boost159 compat fix 2019-01-04 19:49:05 -05:00
worldofpeace
2764297cc5 libcdr: disable werror is default
So this optional configure flag is unneeded.

See: 10211e95bb/NEWS (L5)
2019-01-04 19:49:05 -05:00
R. RyanTM
d211457188 libcdr: 0.1.4 -> 0.1.5
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/libcdr/versions
2019-01-04 19:49:05 -05:00
Dmitry Kalinkin
fc2a65308f
musescore: switch to QtWebEngine
Since version 3.0 it builds with QtWebEngine by default.
2019-01-04 19:43:23 -05:00
Elis Hirwing
eeb35be95d gitea: 1.6.2 -> 1.6.3
Changelog: https://github.com/go-gitea/gitea/releases/tag/v1.6.3
2019-01-04 19:38:40 -05:00
R. RyanTM
487cbfc563 python37Packages.node-semver: 0.5.1 -> 0.6.1
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-node-semver/versions
2019-01-04 17:43:19 -05:00
R. RyanTM
b69d3fae73 python37Packages.django_redis: 4.9.1 -> 4.10.0
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-django-redis/versions
2019-01-04 17:42:23 -05:00
R. RyanTM
e65eb19da5 plantuml: 1.2018.13 -> 1.2018.14
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/plantuml/versions
2019-01-04 17:41:15 -05:00
R. RyanTM
bb5ebed17f python37Packages.faker: 0.9.3 -> 1.0.1
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-faker/versions
2019-01-04 17:36:39 -05:00
Joachim F
893c51bda8
Merge pull request #53369 from delroth/kernel-hardening
Re-add security features based on GCC plugins in 4.18+ hardened kernels
2019-01-04 21:49:53 +00:00
Piotr Bogdan
ac1122f264 pythonPackages.sipsimple: use c compiler for linkage 2019-01-04 21:44:22 +00:00
Piotr Bogdan
2e5cb0cb5b offrss: use c++ compiler for linkage 2019-01-04 21:44:22 +00:00
Piotr Bogdan
eb41113270 qshowdiff: build with a c++ compiler 2019-01-04 21:44:22 +00:00
Piotr Bogdan
bf61e100d7 xautoclick: use c++ compiler for linkage 2019-01-04 21:44:22 +00:00
Piotr Bogdan
89bcdd1184 timemachine: link with libm explicitly 2019-01-04 21:44:22 +00:00
Piotr Bogdan
1492dcccda texmacs: link with libz explicitly 2019-01-04 21:44:21 +00:00
Piotr Bogdan
510b678cb7 tangogps: link with libm explicitly 2019-01-04 21:44:21 +00:00
Piotr Bogdan
19061fb79e svnfs: link with libsvn_subr-1 explicitly 2019-01-04 21:44:21 +00:00
Piotr Bogdan
a54cc22d4d ssmtp: link with libcrypto explicitly 2019-01-04 21:44:21 +00:00
Piotr Bogdan
a898c8335d sqlitebrowser: link with libQt5PrintSupport explicitly 2019-01-04 21:44:21 +00:00