For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).
This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
This is just stuff that's in #48637 already that I wanted to sync.
In detail it's:
- Patching in the use of meson
- Add wrapGAppsHook and hicolor-icon-theme
There's a demo application and granite
provides some generic icons.
- Included patches so third party apps still work
New upstream features:
- New ignore rule option, which prevents conversion to Unix socket.
- A way to increase the verbosity via the -v command line argument.
- Reams of log messages in addition to the FATAL errors we had so far.
- Use Syslog format for logging if stderr is a socket.
- Set FD_CLOEXEC on systemd socket file descriptors as soon as they're
associated.
Upstream fixes:
- Use right endian conversion functions in port matching.
- Pass is_unix to child socket on accept to prevent accidentally
replacing an already converted Unix socket by a new Unix socket. The
latter would be a socket that's not accepted, which would eventually
lead to an error.
- Correctly handle setsockopts used with other levels than SOL_SOCKET.
Upstream changes:
- Improve wording and add more descriptions in README and manpage.
- The implementation for fetching systemd sockets now no longer uses
libsystemd, thus the build-time dependency is no longer required.
- New serialiser for passing rules to the preloaded library in a more
compact form instead of using YAML, so it's less likely that we'll
hit the maximum stack size.
- Systemd sockets are now associated during rule initialisation and
thus behave more predictable in complex setups.
On our side, the dependency on systemd is only needed for running the
tests, as it uses the systemd-socket-activate helper. Socket association
is now done by ip2unix directly and doesn't rely on libsystemd anymore.
Built and tested on i686-linux and x86_64-linux.
Signed-off-by: aszlig <aszlig@nix.build>
