Commit Graph

179125 Commits

Author SHA1 Message Date
Joachim Fasting
87bc514620
hardened-config: enable the SafeSetID LSM
The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).

The LSM allows configuring a whitelist policy of permitted from:to uid
transitions.  The policy is enforced upon calls to setuid(2) and related
syscalls.

Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies

A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).

A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).

See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
2019-05-07 13:39:24 +02:00
Renaud
7085da0cef
Merge pull request #60870 from dkudriavtsev/patch-1
miraclecast: 20170427 -> 20190403
2019-05-07 13:37:39 +02:00
Renaud
029adb3ad4
Merge pull request #61003 from r-ryantm/auto-update/ocaml4.06.1-ppxlib
ocamlPackages.ppxlib: 0.5.0 -> 0.6.0
2019-05-07 13:19:50 +02:00
Frederik Rietdijk
01b99a67e9
Merge pull request #61028 from marsam/update-cedille
cedille: fix hash
2019-05-07 13:11:33 +02:00
Renaud
ad36fb38e2
Merge pull request #60992 from danieldk/cargo-asm-0.1.17
cargo-asm: 0.1.16 -> 0.1.17
2019-05-07 13:11:17 +02:00
R. RyanTM
af46c07eaf python37Packages.lark-parser: 0.6.6 -> 0.7.0
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-lark-parser/versions
2019-05-07 13:08:31 +02:00
Andrew Childs
1d754bbe94 qscintilla: fix dylib names on Darwin
On Darwin dylibs are intended to have their install names set to their
absolute path. Without an absolute path, applications using these
libraries will have invalid references embedded, and will be unable to
locate the libraries at runtime.
2019-05-07 13:08:00 +02:00
Elis Hirwing
0269936094
Merge pull request #61080 from DIzFer/jellyfin-remove-emby-ref
jellyfin: remove assertion if emby enabled: no emby module exists
2019-05-07 12:48:26 +02:00
Renaud
78b8ff9be0
Merge pull request #61017 from r-ryantm/auto-update/python3.7-Cerberus
python37Packages.cerberus: 1.2 -> 1.3
2019-05-07 12:23:28 +02:00
Robin Gloster
97450715da
Merge pull request #60678 from mayflower/atomicparsley-cross
atomicparsley: fix cross
2019-05-07 09:50:04 +00:00
Jörg Thalheim
2146e1023a
Merge pull request #61076 from Mic92/linux-fpu
linux_5_0: restore __kernel_fpu_{begin,restore}
2019-05-07 10:35:04 +01:00
Renaud
843a062c43
Merge pull request #61016 from r-ryantm/auto-update/python3.7-braintree
python37Packages.braintree: 3.52.0 -> 3.53.0
2019-05-07 11:30:36 +02:00
Jörg Thalheim
33220585a8
Merge pull request #61071 from dtzWill/update/creduce-2.9.0
creduce: 2.8.0 -> 2.9.0, llvm7
2019-05-07 10:05:02 +01:00
David Izquierdo
b24a87fafe jellyfin: remove assertion if emby enabled: no emby module exists 2019-05-07 11:04:57 +02:00
Jörg Thalheim
7ed04c2a6f
postgresqlPackages.timescaledb: 1.2.2 -> 1.3.0 (#61074)
postgresqlPackages.timescaledb: 1.2.2 -> 1.3.0
2019-05-07 09:54:33 +01:00
Renaud
1303cc1136
Merge pull request #60972 from r-ryantm/auto-update/geos
geos: 3.7.1 -> 3.7.2
2019-05-07 10:39:07 +02:00
Joachim Fasting
7defc47944
tor-browser-bundle-bin: meta.homepage is a regular string 2019-05-07 09:48:16 +02:00
Joachim Fasting
501c2c28a4
tor-browser-bundle-bin: 8.0.8 -> 8.0.9 2019-05-07 09:48:10 +02:00
Frederik Rietdijk
0196d8f11c Merge master into staging-next 2019-05-07 09:00:06 +02:00
Jörg Thalheim
a3f8a25ab3
python.pkgs.imread: inherit native libs on callsite
this avoids potential namespace collisions between python libs
and packages from all-packages.nix:

https://github.com/NixOS/nixpkgs/pull/61033#issuecomment-489926103
2019-05-07 07:34:13 +01:00
Jörg Thalheim
6bcc5e2080
pythonPackages.imread: 0.6 -> 0.7.0 (#61033)
pythonPackages.imread: 0.6 -> 0.7.0
2019-05-07 07:23:33 +01:00
Jörg Thalheim
8da4d318d1
nix-review: 2.0.0 -> 2.0.1 (#61078)
nix-review: 2.0.0 -> 2.0.1
2019-05-07 07:19:19 +01:00
Jörg Thalheim
4a0fcfd3cc
flow: 0.98.0 -> 0.98.1 (#61075)
flow: 0.98.0 -> 0.98.1
2019-05-07 07:16:42 +01:00
Jörg Thalheim
cf5ed1d004
nix-review: 2.0.0 -> 2.0.1 2019-05-07 07:12:55 +01:00
Jörg Thalheim
dd2052ce36
awesome: use makeWrapper rather than wrapProgram (#61060)
awesome: use makeWrapper rather than wrapProgram
2019-05-07 07:07:36 +01:00
Jörg Thalheim
3a83427e6d
Merge pull request #61055 from nyanloutre/radarr_update_0_2_0_1344
radarr: 0.2.0.1293 -> 0.2.0.1344
2019-05-07 07:05:49 +01:00
Jörg Thalheim
6d207876db
Merge pull request #61057 from dywedir/i3status-rust
i3status-rust: 0.9.0.2019-03-21 -> 0.9.0.2019-04-27
2019-05-07 07:05:15 +01:00
Jörg Thalheim
c28f0c39d2
Merge pull request #61073 from marsam/fix-mpv-darwin
mpv: fix darwin build
2019-05-07 06:59:41 +01:00
Mario Rodas
2d6f91f26c
Merge pull request #61064 from mstojcevich/influxdb-176
influxdb: 1.7.5 -> 1.7.6
2019-05-07 00:32:41 -05:00
Michael Raskin
2ca644ea9a
Merge pull request #61070 from dtzWill/update/libreoffice-fresh-6.2.3.2
libreoffice-fresh: 6.2.2.2 -> 6.2.3.2
2019-05-07 05:16:55 +00:00
adisbladis
ca088617ac
firefox-beta-bin: 67.0b16 -> 67.0b17 2019-05-07 06:10:31 +01:00
adisbladis
5985cd73dc
firefox-devedition-bin: 67.0b7 -> 67.0b17 2019-05-07 06:10:31 +01:00
adisbladis
baf17a4042
pipenv: Add missing build input virtualenv-clone 2019-05-07 06:10:28 +01:00
Mario Rodas
dbba6f0b3c
flow: 0.98.0 -> 0.98.1 2019-05-07 00:05:00 -05:00
Mario Rodas
5a9983a76e
postgresqlPackages.timescaledb: 1.2.2 -> 1.3.0 2019-05-07 00:02:25 -05:00
Mario Rodas
20eda8246c
mpv: fix darwin build 2019-05-06 23:57:10 -05:00
Mario Rodas
bdbd5f6026
Merge pull request #61044 from greydot/fix-pipenv-deps
pipenv: fix missing dependency issue (#61027)
2019-05-06 23:53:19 -05:00
Will Dietz
b809071ffb rngd: add option to run w/debug flag
Added while testing if adding hardening
directives to the service blocked access
to various sources, might be useful in the future.
2019-05-06 23:44:38 -05:00
Will Dietz
5fe0547457 creduce: 2.8.0 -> 2.9.0, llvm7 2019-05-06 23:39:56 -05:00
Will Dietz
d90da9197a libreoffice-fresh: 6.2.2.2 -> 6.2.3.2 2019-05-06 23:38:11 -05:00
Will Dietz
fac13d8af5 public-sans: init at 1.002 2019-05-06 23:31:28 -05:00
Mario Rodas
5e407fcbb0
Merge pull request #61042 from xrelkd/update/cargo-bloat
cargo-bloat: 0.6.2 -> 0.6.3
2019-05-06 22:07:24 -05:00
José Romildo Malaquias
eb19fdace7 sierra-gtk-theme: mv to pkgs/data/themes 2019-05-06 23:28:24 -03:00
José Romildo Malaquias
86665d0744 sierra-gtk-theme: 2018-10-12 -> 2019-05-07 2019-05-06 23:28:24 -03:00
Profpatsch
6ad3c59f03 ultrastar-manager: 2017-05-24 -> 2019-04-23 2019-05-07 02:02:11 +02:00
Profpatsch
59aef0aa9c ultrastar-creator: 2017-04-12 -> 2019-04-23 2019-05-07 02:02:11 +02:00
Profpatsch
3a0fbc17e2 libbass: update 2019-05-07 02:02:11 +02:00
Marcus Stojcevich
118487b694
influxdb: 1.7.5 -> 1.7.6 2019-05-06 19:38:37 -04:00
Renaud
0852a6e22a
Merge pull request #59654 from r-ryantm/auto-update/python3.7-fonttools
python37Packages.fonttools: 3.39.0 -> 3.41.0
2019-05-06 23:51:14 +02:00
Renaud
dfac1543d0
pythonPackages.fonttools: 3.40.0 -> 3.41.0
and specify license
2019-05-06 22:42:31 +02:00