Commit Graph

2061 Commits

Author SHA1 Message Date
Shea Levy
34c52896d1 linux 4.9.4 -> 4.9.5 2017-01-20 09:36:04 -05:00
Tuomas Tynkkynen
9fc3ce73d1 kernel config: Enable BONDING and TMPFS_POSIX_ACL
Yet again something that's lacking on other platforms than x86.
2017-01-18 01:21:08 +02:00
Eelco Dolstra
e9109b1b97
linux: 4.4.42 -> 4.4.43 2017-01-17 12:02:46 +01:00
Eelco Dolstra
9a9be9296f
linux: 4.9.3 -> 4.9.4 2017-01-17 12:02:46 +01:00
Tuomas Tynkkynen
08ddb16865 linux_testing: 4.10-rc2 -> 4.10-rc4 2017-01-16 11:41:13 +02:00
Thomas Tuegel
04d11637cb
linux_4_9: enable support for amdgpu on older chipsets
Linux 4.9 includes experimental amdgpu support for AMD Southern Islands
chipsets. (By default, only Sea Islands and newer chipsets are supported.)
Southern Islands chips will still use radeon by default, but daring users may
set `services.xserver.videoDrivers = [ "amdgpu" ];` to try the experimental
driver.
2017-01-15 16:29:50 -06:00
Tim Steinbach
295337ead5
linux: 4.9.2 -> 4.9.3 2017-01-14 11:02:26 -05:00
Tim Steinbach
9158b89fd3
linux: 4.4.41 -> 4.4.42 2017-01-14 11:01:52 -05:00
Tim Steinbach
d483a871d1
linux: Remove 4.8 2017-01-11 16:59:29 -05:00
Franz Pletz
6b01b229c2
linux: 4.9.1 -> 4.9.2 2017-01-10 07:45:19 +01:00
Franz Pletz
3b17823187
linux: 4.8.16 -> 4.8.17 2017-01-10 07:45:19 +01:00
Franz Pletz
4c43937af0
linux: 4.4.40 -> 4.4.41 2017-01-10 07:45:18 +01:00
Joachim Fasting
d6ff445f10
grsecurity: 4.8.15-201612301949 -> 4.8.16-201701062021 2017-01-07 08:01:41 +01:00
Tim Steinbach
c1d20ea50c
kernel: 4.9.0 -> 4.9.1 2017-01-06 16:15:18 -05:00
Tim Steinbach
ecf87b11f2
kernel: 4.8.15 -> 4.8.16 2017-01-06 16:15:02 -05:00
Tim Steinbach
8fda707027
kernel: 4.4.39 -> 4.4.40 2017-01-06 16:14:30 -05:00
Tuomas Tynkkynen
2a4c8313e4 linux_testing: 4.10-rc1 -> 4.10-rc2 2017-01-03 13:51:23 +02:00
Joachim Fasting
75ce714818
grsecurity: 4.8.15-201612151923 -> 201612301949 2017-01-01 06:01:04 +01:00
Eelco Dolstra
bbd03e236a
Use looser 9pfs caching in VM tests/builds
This can give significant speed ups, see
7e20254412.
2016-12-29 21:26:16 +01:00
Franz Pletz
c6bcc485de
linux_4_8: add patch to fix CVE-2016-9919 2016-12-28 06:35:11 +01:00
Tuomas Tynkkynen
5ba7f33e3a linux_testing: 4.9-rc8 -> 4.10-rc1 2016-12-27 01:35:10 +02:00
Graham Christensen
3ffb5ba60c
linux:3.18.44 -> 3.18.45 2016-12-21 21:08:47 -05:00
Graham Christensen
53e21529d4
linux:3.12.68 -> 3.12.69 2016-12-21 21:08:47 -05:00
Tim Steinbach
0e8e4a08f3
linux: 4.8.14 -> 4.8.15 2016-12-16 08:16:45 -05:00
Tim Steinbach
cb9ff3f7f9
linux: 4.4.38 -> 4.4.39 2016-12-16 08:16:22 -05:00
Joachim Fasting
f0e77cd07d
grsecurity: 4.8.14-201612110933 -> 4.8.15-201612151923 2016-12-16 12:46:44 +01:00
Graham Christensen
01d022e16b Merge pull request #21118 from grahamc/fix-rsa-build-failure
linux_{4_8,grsec_nixos}: patch to fix build failure
2016-12-13 09:15:50 -05:00
Joachim Fasting
d918c80e13
grsecurity: disable verbose initify
Not as useful/informative as I had hoped.
2016-12-13 15:12:34 +01:00
Graham Christensen
7a813d3f6d
linux_{4_8,grsec_nixos}: patch to fix build failure
crypto/rsa_helper.c:18:28: fatal error: rsapubkey-asn1.h: No such file or directory
2016-12-13 07:25:46 -05:00
Shea Levy
f6daae391f linux: add 4.9 2016-12-11 19:33:05 -05:00
Joachim Fasting
601058e0e2
grsecurity: 4.8.13-201612082118 -> 4.8.14-201612110933 2016-12-11 19:09:16 +01:00
Tim Steinbach
f576c490e3
linux: 4.4.37 -> 4.4.38 2016-12-10 15:18:52 -05:00
Tim Steinbach
b69822c505
linux: 4.8.13 -> 4.8.14 2016-12-10 15:15:44 -05:00
Tuomas Tynkkynen
bdab6fe5a1 kernel: Use built-in dtbs_install target instead of rolling our own
In particular, on aarch64 all the .dtb files will be in subdirectories
and *.dtb won't match anything.
2016-12-10 20:24:08 +02:00
Franz Pletz
9074d9859e
linux: add patch to fix CVE-2016-8655
See https://lwn.net/Articles/708319/ for more information.
2016-12-10 17:08:42 +01:00
Bjørn Forsman
2077385421 kernel: enable CONFIG_DYNAMIC_DEBUG (like Fedora and Ubuntu)
It was useful in tracking down CIFS + DFS issue, and it's apparently
enabled by default in two major distros.
2016-12-10 00:01:21 +02:00
Bjørn Forsman
d429520b13 kernel: add CONFIG_CIFS_* like Fedora, Ubuntu
The plan is to fix mounting DFS shares on NixOS (for which some of these
options are needed), but I figured it might be a good idea to enable all
CONFIG_CIFS_* like Fedora 24 and Ubuntu 16.04 while at it. Ubuntu even
has CONFIG_CIFS_SMB311, but as Fedora do not, I left it out.

Mounting DFS shares still doesn't work; need to configure cifs.upcall
and /etc/request-key.conf. Until then, using GVFS as a workaround.
2016-12-10 00:01:21 +02:00
Joachim Fasting
d1a5dc0b1c
grsecurity: 4.8.12-201612062306 -> 4.8.13-201612082118 2016-12-09 15:31:02 +01:00
Joachim Fasting
9a63779d64
grsecurity: use upstream url as the primary source 2016-12-09 15:31:00 +01:00
Joachim Fasting
ca7cc96ee8
grsecurity: enable PAX_INITIFY
Uses gcc plugin to detect more instances where memory used during init
can be freed.
2016-12-09 15:30:40 +01:00
Tim Steinbach
bfffbb5ea6
linux: 4.8.12 -> 4.8.13 2016-12-09 08:27:11 -05:00
Tim Steinbach
e861a5f7af
linux: 4.4.36 -> 4.4.37 2016-12-09 08:26:46 -05:00
Joachim Fasting
5fd4ffe00f
grsecurity: 4.8.12-201612031658 -> 201612062306 2016-12-08 12:22:13 +01:00
Tim Steinbach
c9d1d430ec
linux: 4.9-rc7 -> 4.9-rc8 2016-12-05 19:40:11 -05:00
Joachim Fasting
9578299bbe
grsecurity: 4.8.11-201611271225 -> 4.8.12-201612031658 2016-12-06 01:24:32 +01:00
Joachim Fasting
cc396697a6
grsecurity: enable ability to lock in readonly mounts 2016-12-06 01:24:12 +01:00
Joachim Fasting
0e765c72e5
grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting
071fbcda24
grsecurity: enable optional sysfs restrictions
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Tuomas Tynkkynen
9ccc14b1bc linux_rpi: Add some feature flags
Copied from linux_4_4 (except for the EFI stub thing).

Otherwise the firewall module fails to evaluate:
Failed assertions:
- This kernel does not support rpfilter
2016-12-04 18:18:06 +02:00
Tim Steinbach
4f8b74b401 Merge pull request #20866 from NeQuissimus/linux_4_8_12
linux: 4.8.11 -> 4.8.12
2016-12-02 18:28:46 -05:00
Tim Steinbach
853b6493c8
linux: 4.8.11 -> 4.8.12 2016-12-02 14:29:00 -05:00
Tim Steinbach
654f5df5dc
linux: 4.4.35 -> 4.4.36 2016-12-02 14:28:26 -05:00
Tim Steinbach
5afc6b506c
linux: 4.1.35 -> 4.1.36 2016-12-01 20:34:02 -05:00
Tim Steinbach
18a3225dac
linux: 3.12.67 -> 3.12.68 2016-11-29 17:40:17 -05:00
Joachim Fasting
b90ed0cc80
grsecurity: 4.8.10-201611232213 -> 4.8.11-201611271225 2016-11-28 11:41:10 +01:00
Joachim Fasting
4c7323545b
Revert "grsecurity: work around for #20490"
This reverts commit e38b74ba89.

I failed to notice f19c961b4e461da045f2e72e73701059e5117be0; better
use that fix instead.
2016-11-28 11:40:55 +01:00
Tim Steinbach
eecf76eaa2
linux: 4.9-rc6 -> 4.9-rc7 2016-11-27 19:48:24 -05:00
Tuomas Tynkkynen
86ea3126bc linux_rpi: 1.20160620 -> 1.20161020 2016-11-28 00:24:00 +02:00
Tim Steinbach
b47307bd74
linux: 4.8.10 -> 4.8.11 2016-11-26 16:29:23 -05:00
Tim Steinbach
cc77360bed
linux: 4.4.34 -> 4.4.35 2016-11-26 16:28:58 -05:00
Jörg Thalheim
01172c2ccf Merge pull request #20591 from NeQuissimus/linux_4_9_rc6
linux: 4.9-rc5 -> 4.9-rc6
2016-11-26 16:00:16 +01:00
Joachim Fasting
f9d787c67b
grsecurity: 4.8.10-201611210813 -> 201611232213 2016-11-24 12:08:12 +01:00
Franz Pletz
7974d7493a
linux: compress kernel image with xz 2016-11-23 02:24:13 +01:00
Tim Steinbach
e4a1b76457
linux: 4.8.9 -> 4.8.10 2016-11-21 18:07:17 -05:00
Tim Steinbach
d62069aca4
linux: 4.4.33 -> 4.4.34 2016-11-21 18:06:57 -05:00
Joachim Fasting
96194467e6
grsecurity: 4.8.8-201611150756 -> 4.8.10-201611210813 2016-11-21 23:15:14 +01:00
Tim Steinbach
f6bbc6c477
linux: 4.9-rc5 -> 4.9-rc6 2016-11-20 17:23:32 -05:00
Pascal Wittmann
f7e0bc2ae7
Make all meta.maintainers attributes lists 2016-11-20 18:06:03 +01:00
Tim Steinbach
13491f9f48 Merge pull request #20552 from NeQuissimus/linux_4_8_9
linux: 4.8.8 -> 4.8.9
2016-11-19 09:03:00 -05:00
Tim Steinbach
d3b8a77834
linux: 4.4.32 -> 4.4.33 2016-11-19 08:56:31 -05:00
Tim Steinbach
250224bf01
linux: 4.8.8 -> 4.8.9 2016-11-19 08:55:57 -05:00
Joachim Fasting
e38b74ba89
grsecurity: work around for #20490
In `scripts/Makefile.modinst`, the code that generates the list of
modules to install passes file names via the command line.  When
installing a grsecurity kernel, this list appears to exceed the
shell's argument list limit, as in

    make[2]: execvp: /nix/store/[...]-bash-4.3-p46/bin/bash: Argument list too long

The build does not fail, however, but the list of modules to be installed ends
up being empty.  Thus, the resulting kernel package output contains no modules,
rendering it useless.

We work around this by patching the makefile to use `find -exec` to
process files.  Why this would occur for grsecurity and not other
kernels is unknown, most likely there's something *else* that is
actually causing this behaviour, so this is a temporary fix until that
cause is found.

Fixes https://github.com/NixOS/nixpkgs/issues/20490
2016-11-18 16:14:26 +01:00
Tim Steinbach
a4cd6f1378 Merge pull request #20441 from NeQuissimus/linux_4_4_32
linux: 4.4.31 -> 4.4.32
2016-11-15 17:49:00 -05:00
Tim Steinbach
819884119c Merge pull request #20439 from NeQuissimus/linux_4_8_8
linux: 4.8.7 -> 4.8.8
2016-11-15 17:48:07 -05:00
Joachim Fasting
0d4e1b5edd
grsecurity: 4.8.7-201611142350 -> 4.8.8-201611150756 2016-11-15 22:57:25 +01:00
Tim Steinbach
24c342fde7
linux: 4.4.31 -> 4.4.32 2016-11-15 12:31:27 -05:00
Tim Steinbach
9e851d3b11
linux: 4.8.7 -> 4.8.8 2016-11-15 12:30:55 -05:00
Joachim Fasting
afab1a948e
grsecurity: 4.8.7-201611102210 -> 201611142350 2016-11-15 13:11:47 +01:00
Tim Steinbach
a87c8ad05f
linux: 4.9-rc4 -> 4.9-rc5 2016-11-14 09:40:27 -05:00
Joachim Fasting
cad9212813
grsecurity: 4.7.10-201611011946 -> 4.8.7-201611102210 2016-11-14 00:16:19 +01:00
Joachim Fasting
081a871771
Revert "Merge pull request #20302 from spacekitteh/patch-10"
This reverts commit e02173c70c, reversing
changes made to c2b4a0d266.

Breaks all grsec packages; Not having binary substitutes for no good
reason is disruptive to my workflow, so I'll just revert this for now.
2016-11-12 14:02:20 +01:00
Tim Steinbach
e02173c70c Merge pull request #20302 from spacekitteh/patch-10
grsecurity_testing: 4.7.10 -> 4.8.7
2016-11-11 22:03:39 -05:00
Sophie Taylor
fa180d0d63 grsec: 4.8.6 -> 4.8.7 2016-11-12 12:54:47 +10:00
Tim Steinbach
c2b4a0d266 Merge pull request #20327 from NeQuissimus/linux_4_9_rc4
linux: 4.9-rc3 -> 4.9-rc4
2016-11-11 18:11:02 -05:00
Tim Steinbach
52cc30cd87 Merge pull request #20326 from NeQuissimus/linux_3_12_67
linux: 3.12.66 -> 3.12.67
2016-11-11 18:10:16 -05:00
Tim Steinbach
933dfca167 Merge pull request #20322 from NeQuissimus/linux_4_8_7
linux: 4.8.6 -> 4.8.7
2016-11-10 21:12:06 -05:00
Tim Steinbach
ad19b9bde5
linux: 4.9-rc3 -> 4.9-rc4 2016-11-10 21:08:28 -05:00
Tim Steinbach
0a1f39eb91
linux: 4.8.6 -> 4.8.7 2016-11-10 21:07:56 -05:00
Tim Steinbach
579f5fd9dd
linux: 4.4.30 -> 4.4.31 2016-11-10 21:07:24 -05:00
Tim Steinbach
cc62ecc2d9
linux: 3.12.66 -> 3.12.67 2016-11-10 21:06:54 -05:00
Tuomas Tynkkynen
74ecbbe4e3 kernel config: Ensure SECCOMP_FILTER is enabled
As noted in a97db109a2, SECCOMP_FILTER must be enabled or systemd gets
very unhappy.
2016-11-11 02:10:20 +02:00
Peter Hoeg
cb93b34999 SMB2 support for CIFS
[tuomas: removed unneeded kernel version check]
Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
2016-11-11 02:10:20 +02:00
Sophie Taylor
6476f11f40 grsecurity patch update to kernel 4.8.6 2016-11-10 12:44:22 +10:00
Guillaume Maudoux
eb9d126d2c linux_mptcp: 0.91 -> 0.91.2 2016-11-07 14:15:33 +01:00
Joachim Fasting
d9b5cd41c5
grsecurity: 4.7.10-201610262029 -> 201611011946 2016-11-03 13:55:23 +01:00
Tim Steinbach
874abe694a
linux: 4.8.5 -> 4.8.6 2016-11-01 08:58:53 -04:00
Eelco Dolstra
ef1a188e07 linux: 4.4.28 -> 4.4.30 2016-11-01 11:31:00 +01:00
Vladimír Čunát
3be635b9b5
Merge linux kernel maintenance updates
PRs: #19995 #19996 #19997
2016-10-30 17:29:43 +01:00
Tim Steinbach
f154459cf4
linux: 4.9-rc2 -> 4.9-rc3 2016-10-30 10:30:07 -04:00
Tim Steinbach
1af5b2a80c
linux: 4.4.27 -> 4.4.28 2016-10-30 10:29:37 -04:00
Tim Steinbach
8073430d95
linux: 4.8.4 -> 4.8.5 2016-10-30 10:28:55 -04:00
Joachim Fasting
dfdaea1240
grsecurity: 4.7.10-201610222037 -> 201610262029 2016-10-27 15:03:27 +02:00
Graham Christensen
2f3b62375f Merge pull request #19891 from NeQuissimus/kernel_4_9_rc2
kernel: 4.9-rc1 -> 4.9-rc2
2016-10-27 08:36:23 -04:00
Graham Christensen
ad2deee7d1 Merge pull request #19894 from NeQuissimus/kernel_3_18_44
kernel: 3.18.42 -> 3.18.44
2016-10-27 08:36:17 -04:00
Graham Christensen
c654ec0f25 Merge pull request #19893 from NeQuissimus/kernel_3_12_66
kernel: 3.12.63 -> 3.12.66
2016-10-27 08:36:10 -04:00
Graham Christensen
00e2bc22db Merge pull request #19890 from NeQuissimus/kernel_3_10_104
kernel: 3.10.103 -> 3.10.104
2016-10-27 08:35:54 -04:00
Tim Steinbach
b02646f93b
kernel: 3.18.42 -> 3.18.44 2016-10-26 19:23:43 -04:00
Tim Steinbach
e5e84ecbbd
kernel: 3.12.63 -> 3.12.66 2016-10-26 19:17:46 -04:00
Tim Steinbach
e4773819f4
kernel: 3.10.103 -> 3.10.104 2016-10-26 19:13:21 -04:00
Tim Steinbach
e9a5cf3f6f
kernel: 4.9-rc1 -> 4.9-rc2 2016-10-26 09:11:00 -04:00
Tim Steinbach
89cd922a6a
kernel: 4.1.33 -> 4.1.35 2016-10-26 09:04:37 -04:00
Tim Steinbach
b3f7d626c1
kernel: remove 4.7 2016-10-24 21:30:00 -04:00
Joachim Fasting
5440c1a64c
grsecurity: 4.7.9-201610200819 -> 4.7.10-201610222037
Notably, this pulls in the dirtycow fix from upstream (but I've been
unable to execute the POC exploits on grsec kernels without that fix
...)
2016-10-23 17:14:40 +02:00
Tim Steinbach
a3989b87df Merge pull request #19772 from NeQuissimus/linux_4_8_4
linux: 4.8.3 -> 4.8.4
2016-10-22 12:14:59 -04:00
Tim Steinbach
72d91f95cb Merge pull request #19771 from NeQuissimus/linux_4_7_10
linux: 4.7.9 -> 4.7.10
2016-10-22 12:14:26 -04:00
Tim Steinbach
8d0ca31849
linux: 4.8.3 -> 4.8.4 2016-10-22 12:11:37 -04:00
Tim Steinbach
adbe0e0a13
linux: 4.7.9 -> 4.7.10 2016-10-22 12:11:09 -04:00
Tim Steinbach
4489454b83
linux: 4.4.26 -> 4.4.27 2016-10-22 12:10:34 -04:00
Joachim Fasting
ed5d146e9d
grsecurity: 4.7.7-201610101902 -> 4.7.9-201610200819 2016-10-21 01:50:53 +02:00
Vladimír Čunát
fabfb0a900 Merge #19725: kernel: 4.7.8 -> 4.7.9 2016-10-20 19:45:25 +02:00
Tim Steinbach
963804ba8e
kernel: 4.7.8 -> 4.7.9 2016-10-20 13:08:53 -04:00
Tim Steinbach
0c3e5217fc
kernel: 4.8.2 -> 4.8.3 2016-10-20 13:06:03 -04:00
Eelco Dolstra
76a57d83b5 linux: 4.4.25 -> 4.4.26 2016-10-20 13:37:19 +02:00
Tim Steinbach
dac481d999 Merge pull request #19648 from NeQuissimus/linux_4_7_8
linux_4_7: 4.7.7 -> 4.7.8
2016-10-19 14:48:47 -04:00
Tim Steinbach
84e4dcb34b Merge pull request #19649 from NeQuissimus/linux_4_8_2
linux_4_8: 4.8.1 -> 4.8.2
2016-10-19 14:38:11 -04:00
Tim Steinbach
70c8de0536 Merge pull request #19652 from NeQuissimus/linux_4_9_rc1
linux_testing: 4.8-rc6 -> 4.9-rc1
2016-10-19 14:35:21 -04:00
Eelco Dolstra
13f43c7ebc linux: 4.4.24 -> 4.4.25 2016-10-19 17:11:53 +02:00
Tuomas Tynkkynen
59f12d9394 kernel config: Add some filesystem options
Enable encryption support for both F2FS and ext4. For ext4 this is a bit
tricky, since pre-4.8 the way to enable it as a module was just
"EXT4_ENCRYPTION=m" but after that it changed to "FS_ENCRYPTION=m &&
EXT4_ENCRYPTION=y".

Also make sure UDF is enabled.
2016-10-19 16:44:08 +03:00
Tim Steinbach
51c9c2f851
linux_testing: 4.8-rc6 -> 4.9-rc1 2016-10-18 11:19:46 -04:00
Tim Steinbach
0acfbaa5b2
linux_4_8: 4.8.1 -> 4.8.2 2016-10-18 10:13:02 -04:00
Tim Steinbach
55adff59f1
linux_4_7: 4.7.7 -> 4.7.8 2016-10-18 10:12:26 -04:00
Joachim Fasting
ce73a3ea0f grsecurity: 4.7.6-201609301918 -> 4.7.7-201610101902 2016-10-11 13:15:16 +02:00
Aneesh Agrawal
f0602d2d36 kernel: Make SECURITY_YAMA optional
It's highly recommended, but not required to run NixOS.
2016-10-08 17:46:33 +02:00
Aneesh Agrawal
a000ed181c linux config: enable the Yama LSM (#14392)
The Yama Linux Security Module restricts the use of ptrace so that
processes cannot ptrace processes that are not their children. This
prevents attackers from compromising one user-level processes and
snooping on the memory and runtime state of other processes owned
by the same user.
2016-10-08 16:40:12 +02:00
Tim Steinbach
a699eb4798 linux: 4.4.23 -> 4.4.24 (#19346) 2016-10-08 07:02:07 +02:00
Tim Steinbach
9481edec56 linux: 4.7.6 -> 4.7.7 (#19345) 2016-10-08 07:01:51 +02:00
Tim Steinbach
07e67b33af linux: 4.8.0 -> 4.8.1 (#19344) 2016-10-08 07:01:27 +02:00
Marco Maggesi
435673b948 Revert "Revert "linux*: remove 3.14, as it's no longer maintained""
In the end, it is too dangerous to have an unmaintained kernel in
nixpkgs.  Revert the revert.

This reverts commit e921725176.
2016-10-07 23:26:32 +02:00
Marco Maggesi
e921725176 Revert "linux*: remove 3.14, as it's no longer maintained"
This is the simplest way to reenable the use of BLCR
(which at present requires linux version >3.12 <3.18)
until we find a better solution.

This reverts commit 6a9e765e27.
2016-10-07 14:31:24 +02:00
Eelco Dolstra
a8b61b0aad Merge pull request #19278 from anderspapitto/local
perf: add dependency on libaudit
2016-10-06 11:45:54 +02:00
Anders Papitto
aa44330963 perf: add dependency on libaudit
the `trace` subcommand of perf is only enabled when libaudit is
available at compile time
2016-10-05 17:59:44 -07:00
Alexander Ried
96fbdf8594 kernel: Disable RT_GROUP_SCHED
Follow systemd recommendation
fd74fa791f/README (L96-L103)
2016-10-05 12:52:45 +02:00
Shea Levy
e54313d183 Revert "Revert "Linux 4.8""
Now featuring @aszlig's modinst_arg_list_too_long patch.

This reverts commit 43bedb970d.

Fixes #19213
2016-10-04 10:10:36 -04:00
Shea Levy
43bedb970d Revert "Linux 4.8"
This reverts commit e4958d54b1.
2016-10-03 22:04:43 -04:00
Shea Levy
e4958d54b1 Linux 4.8 2016-10-03 08:45:45 -04:00
Joachim Fasting
9a9237e0aa
grsecurity: revamp nixos kernel config
Cleanup:
- Restructure & add some commentary
- Remove redundant option specs given the auto config
  constraints (some are left in for documentation purposes)

Changes:
- GRKERNSEC_CONFIG_VIRT_HOST -> GUEST
  The former deselects paravirtualization and friends
- PAX_LATENT_ENTROPY n -> y (implied by auto)
- GRKERNSEC_ACL_HIDEKERN y -> n
  Possibly useless with redistribution
2016-10-02 19:25:58 +02:00
Joachim Fasting
1bb7b44cd7
grsecurity: make GRKERNSEC y and PAX y implicit
These options should always be specified. Note, an implication of this
change is that not specifying any grsec/PaX options results in a build
failure.
2016-10-02 19:25:58 +02:00
Joachim Fasting
2ec9a1a955
grsecurity: 4.7.5-201609261522 -> 4.7.6-201609301918 2016-10-01 08:47:30 +02:00
Joachim Fasting
22108b7a10
linux_4_7: 4.7.5 -> 4.7.6 2016-10-01 08:46:31 +02:00
Eelco Dolstra
613a12a8bd linux: 4.4.22 -> 4.4.23 2016-09-30 14:41:19 +02:00
Graham Christensen
ff5cf3abff linux-3.10: fix build by upstream patch 2016-09-28 19:18:34 +02:00
Joachim Fasting
98a9d815e0
grsecurity: 4.7.4-201609211951 -> 4.7.5-201609261522 2016-09-27 01:43:50 +02:00
Franz Pletz
3a4a425728
linux: 4.7.4 -> 4.7.5 2016-09-25 14:20:46 +02:00
Franz Pletz
c83f8a536a
linux: 4.4.20 -> 4.4.22 2016-09-25 14:20:46 +02:00
Franz Pletz
fdf239fb83
linux: 4.1.31 -> 4.1.33 2016-09-25 14:20:45 +02:00
Franz Pletz
17402fc4a3
linux: 3.18.40 -> 3.18.42 2016-09-25 14:20:45 +02:00
Franz Pletz
31ff655e46
kernelPatches: remove unneeded patches 2016-09-25 14:20:45 +02:00
Franz Pletz
01f465c82b
linux: 3.12.62 -> 3.12.63 2016-09-25 14:20:45 +02:00
Franz Pletz
b1029abe56
linux: 3.10.102 -> 3.10.103 2016-09-25 14:20:45 +02:00
Franz Pletz
e8cd27dd8a
linux_4_6: remove, not maintained anymore 2016-09-25 14:20:39 +02:00
Nikolay Amiantov
ea4d517eb8 Merge pull request #18661 from NeQuissimus/kernel/zbud
kernel-common: Add ZBUD
2016-09-25 12:33:08 +04:00
Joachim Fasting
64816cd972
grsecurity: 4.7.4-201609152234 -> 201609211951 2016-09-22 23:40:50 +02:00
Joachim Fasting
e2659de1b2
kernelPatches: remove legacy grsecurity attrs 2016-09-18 15:26:57 +02:00
Vladimír Čunát
6a9e765e27 linux*: remove 3.14, as it's no longer maintained 2016-09-17 02:10:53 +02:00
Tuomas Tynkkynen
f5c9c4f18a Merge pull request #18659 from layus/fix-mptcp
linux_mptcp: fix config options broken by b4a4a63cc4
2016-09-16 21:06:54 +03:00
aszlig
a0b643ed06
linux-testing: 4.8-rc4 -> 4.8-rc6
Built successfully on my machine, no runtime tests performed.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Verified-with-PGP: ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886
2016-09-16 17:57:32 +02:00
Tim Steinbach
77e1be36b9
kernel-common: Add ZBUD, move ZSMALLOC into module space 2016-09-16 15:31:51 +00:00
Guillaume Maudoux
f0e519d26a linux_mptcp: fix config options broken by b4a4a63cc4 2016-09-16 13:15:50 +02:00
Joachim Fasting
d082a7c0fd
grsecurity: 4.7.3-201609072139 -> 4.7.4-201609152234 2016-09-16 11:18:42 +02:00
Joachim Fasting
2050f12f4e
linux_4_7: 4.7.3 -> 4.7.4 2016-09-16 11:18:42 +02:00
Kirill Boltaev
0f37287df5 treewide: explicitly specify gtk version 2016-09-13 21:09:24 +03:00
Tuomas Tynkkynen
0c0188c5d2 kernel config: Explicitly enable some NLS-related things
Doesn't affect x86, but ARM can't mount VFAT filesystems without this on
a 3.18 kernel.
2016-09-13 17:06:13 +03:00
Tuomas Tynkkynen
b4a4a63cc4 kernel generate-config.pl: Properly support string options
Or we get something like:

option not set correctly: NLS_DEFAULT (wanted 'utf8', got '"utf8"')
2016-09-13 17:06:13 +03:00
Tuomas Tynkkynen
246bd302ec kernel generate-config.pl: Be more verbose on errors 2016-09-13 17:06:13 +03:00
Joachim Fasting
91674b75d3
grsecurity: 4.7.2-201608312326 -> 4.7.3-201609072139 2016-09-10 17:06:42 +02:00
Eelco Dolstra
bc7e4e390a linux: 4.4.19 -> 4.4.20 2016-09-08 13:58:05 +02:00
Tim Steinbach
4829cd7f65
kernel: 4.7.2 -> 4.7.3 2016-09-08 01:51:28 +00:00
Joachim Fasting
0ce7b31b09
grsecurity: 4.7.2-201608211829 -> 201608312326 2016-09-01 14:51:33 +02:00
Tuomas Tynkkynen
8c4aeb1780 Merge staging into master
Brings in:
    - changed output order for multiple outputs:
      https://github.com/NixOS/nixpkgs/pull/14766
    - audit disabled by default
      https://github.com/NixOS/nixpkgs/pull/17916

 Conflicts:
	pkgs/development/libraries/openldap/default.nix
2016-09-01 13:27:27 +03:00
Tuomas Tynkkynen
d3dc3d4130 Merge remote-tracking branch 'dezgeg/shuffle-outputs' into staging
https://github.com/NixOS/nixpkgs/pull/14766
2016-08-30 12:43:37 +03:00
aszlig
f19c961b4e
linux-testing: Fix arg list too long in modinst
With the default kernel and thus with the build I have tested in
74ec94bfa2, we get an error during
modules_install:

make[2]: execvp: /nix/store/.../bin/bash: Argument list too long

I haven't noticed this build until I actually tried booting using this
kernel because make didn't fail here.

The reason this happens within Nix and probably didn't yet surface in
other distros is that programs only have a limited amount of memory
available for storing the environment and the arguments.

Environment variables however are quite common on Nix and thus we
stumble on problems like this way earlier - in this case Linux 4.8 - but
I have noticed this in 4.7-next as well already.

The fix is far from perfect and suffers performance overhead because we
now run grep for every *.mod file instead of passing all *.mod files
into one single invocation of grep.

But comparing the performance overhead (around 1s on my machine) with
the overall build time of the kernel I think the overhead really is
neglicible.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-08-30 06:55:52 +02:00
aszlig
74ec94bfa2
linux/kernel/testing: 4.8-rc3 -> 4.8-rc4
Tested by only building the linux_testing attribute, but haven't yet
tested it in production.

I've also fixed the extraMeta.branch attribute.

Verified-with-PGP: ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-08-29 20:52:19 +02:00
aszlig
42e1ec215e
linux/kernel: Remove MLX4_EN_VXLAN for 4.8
This option is no longer needed and has been removed in upstream commit
torvalds/linux@a831274a13.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-08-29 20:52:19 +02:00
aszlig
0bce188ec1
linux/kernel: Remove KVM_APIC_ARCHITECTURE for 4.8
The option is no longer needed and has been removed upstream in
torvalds/linux@557abc40d1.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-08-29 20:52:19 +02:00
Tuomas Tynkkynen
0e26cf84fc kernel: Remove propagatedBuildOutputs
Not needed after the shuffle.
2016-08-29 14:49:52 +03:00
obadz
b74793bd1c Merge branch 'master' into staging
Conflicts:
	pkgs/tools/system/facter/default.nix
2016-08-29 12:44:17 +01:00
Joachim Fasting
e5c3a52afc
grsecurity: fix features.grsecurity
Previously, features.grsecurity wasn't actually set due to a bug in the
grsec builder. We now rely on the generic kernel builder to set features
from kernelPatches.
2016-08-29 04:09:40 +02:00
Joachim Fasting
fcf5a24d8c
kernel config: set DEBUG_STACKOVERFLOW regardless of features.grsecurity
features.grsecurity has actually been unset for a long time, with no
ill effect on grsec kernel builds so this conditional looks useless.
2016-08-29 04:08:39 +02:00
Robin Gloster
e17bc25943
Merge remote-tracking branch 'upstream/master' into staging 2016-08-29 00:24:47 +00:00
Tuomas Tynkkynen
c004c6e14d kernel config: Explicitly enable some stuff not enabled by 'make alldefconfig'
List of what to enable taken from https://lwn.net/Articles/672587/.
This doesn't change the resulting x86 configs, but is more useful for
other architectures. For instance, POSIX_MQUEUE is currently missing
on ARM.
2016-08-29 03:07:11 +03:00
obadz
3de6e5be50 Merge branch 'master' into staging
Conflicts:
      pkgs/applications/misc/navit/default.nix
      pkgs/applications/networking/mailreaders/alpine/default.nix
      pkgs/applications/networking/mailreaders/realpine/default.nix
      pkgs/development/compilers/ghc/head.nix
      pkgs/development/libraries/openssl/default.nix
      pkgs/games/liquidwar/default.nix
      pkgs/games/spring/springlobby.nix
      pkgs/os-specific/linux/kernel/perf.nix
      pkgs/servers/sip/freeswitch/default.nix
      pkgs/tools/archivers/cromfs/default.nix
      pkgs/tools/graphics/plotutils/default.nix
2016-08-27 23:54:54 +01:00
Bjørn Forsman
daa9d5edca perf: unbreak build since glibc 2.24 upgrade
glibc 2.24 deprecated readdir_r, breaking the perf build:

  $ nix-build -A linuxPackages.perf
  ...
    CC       util/event.o
    CC       util/evlist.o
  util/event.c: In function '__event__synthesize_thread':
  util/event.c:448:2: error: 'readdir_r' is deprecated [-Werror=deprecated-declarations]
    while (!readdir_r(tasks, &dirent, &next) && next) {
    ^
  In file included from /nix/store/8ic0jwg3p5vcwx52k4781n987hmv0bks-glibc-2.24-dev/include/features.h:368:0,
                   from /nix/store/8ic0jwg3p5vcwx52k4781n987hmv0bks-glibc-2.24-dev/include/stdint.h:25,
                   from /nix/store/jsazxc1b86g2ww569ziwhhvkz8z43vjd-gcc-5.4.0/lib/gcc/x86_64-unknown-linux-gnu/5.4.0/include/stdint.h:9,
                   from /tmp/nix-build-perf-linux-4.4.19.drv-0/linux-4.4.19/tools/include/linux/types.h:6,
                   from util/event.c:1:
  /nix/store/8ic0jwg3p5vcwx52k4781n987hmv0bks-glibc-2.24-dev/include/dirent.h:189:12: note: declared here
   extern int __REDIRECT (readdir_r,
              ^
  util/event.c: In function 'perf_event__synthesize_threads':
  util/event.c:586:2: error: 'readdir_r' is deprecated [-Werror=deprecated-declarations]
    while (!readdir_r(proc, &dirent, &next) && next) {

Fix by adding -Wno-error=deprecated-declarations compile flag.
2016-08-27 10:21:57 +02:00
Gabriel Ebner
131cd8f45d Merge pull request #18005 from gebner/kernel-amd-powerplay
kernel: config: enable DRM_AMD_POWERPLAY
2016-08-26 19:04:54 +02:00
Franz Pletz
40e0e5fb0b
linux_testing: 4.7-rc7 -> 4.8-rc3 2016-08-26 14:47:45 +02:00
Franz Pletz
aacf6651c1
linux: 4.4.18 -> 4.4.19 2016-08-26 14:47:45 +02:00
Franz Pletz
90251478ec
linux: 4.1.30 -> 4.1.31 2016-08-26 14:47:45 +02:00
Franz Pletz
377c851395
linux: 3.18.36 -> 3.18.40 2016-08-26 14:47:45 +02:00
Franz Pletz
dc37edb36c
linux: 3.14.73 -> 3.14.77 2016-08-26 14:47:45 +02:00
Franz Pletz
458d477215
linux: 3.12.61 -> 3.12.62 2016-08-26 14:47:45 +02:00
Gabriel Ebner
7b01df18a2 kernel: config: enable DRM_AMD_POWERPLAY 2016-08-26 08:45:49 +02:00
Shea Levy
2b1fa9da8b Add initial patches for CPU Controller on Control Group v2 2016-08-25 13:01:40 -04:00
Robin Gloster
c26de11551 linuxPackages.perf: fix build with new glibc and remove hack
elfutils now adds a eu- prefix to avoid collisions
2016-08-24 19:19:02 +00:00
obadz
0e8d2725dc Merge branch 'master' into staging 2016-08-23 18:50:06 +01:00
Joachim Fasting
cf592a8969
grsecurity: 4.7.1-201608161813 -> 4.7.2-201608211829 2016-08-23 01:49:34 +02:00
obadz
24a9183f90 Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set
2016-08-22 01:19:35 +01:00
obadz
ba50fd7170 Merge branch 'master' into staging 2016-08-22 01:18:11 +01:00
Tim Steinbach
175028582c
linux: 4.7.1 -> 4.7.2 2016-08-21 13:56:45 +00:00
Nikolay Amiantov
ff22705793 treewide: replace several /sbin paths by /bin 2016-08-19 17:56:45 +03:00
Tuomas Tynkkynen
bd68309643 kernel config: Enable SECCOMP
This is used by systemd >= 231 and is not enabled in the ARM
multiplatform defconfig.
2016-08-18 16:33:46 +03:00
Joachim Fasting
ba20363f11
grsecurity: 4.7-201608151842 -> 4.7.1-201608161813 2016-08-17 15:19:27 +02:00
Franz Pletz
2571438988 linux: 4.7 -> 4.7.1 2016-08-17 05:46:00 +02:00
Franz Pletz
7a4407461b linux: 4.6.6 -> 4.6.7
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Franz Pletz
da95fb368c linux: 4.4.17 -> 4.4.18
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Franz Pletz
2104d28bcd linux: 4.1.27 -> 4.1.30
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Joachim Fasting
d82ddd6dc0
grsecurity: 4.7-201608131240 -> 4.7-201608151842 2016-08-16 17:50:37 +02:00
Joachim Fasting
b1cceeda84
grsecurity: enable pax size overflow plugin 2016-08-16 17:50:36 +02:00
Joachim Fasting
3fcb9e6f57
grsecurity: support non-enforcing mode
Until we've made sure that most things actually work out of the box, we
need to give people a way of continuing to use the system without
completely disabling grsecurity.

Set sysctl kernel.pax.softmode=1 or boot with pax.softmode=1
2016-08-16 17:50:36 +02:00
Robin Gloster
33e1c78ae3 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-16 07:54:01 +00:00
Shea Levy
9adad8612b Revert "Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs"
Was meant to go into staging, sorry

This reverts commit 57b2d1e9b0, reversing
changes made to 760b2b9048.
2016-08-15 19:05:52 -04:00
Shea Levy
57b2d1e9b0 Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs 2016-08-15 19:01:44 -04:00
Nikolay Amiantov
1afd250676 treewide: replace several /sbin paths by /bin 2016-08-16 00:19:25 +03:00
Joachim Fasting
9062c67914
grsecurity: 4.6.5-201607312210 -> 4.7-201608131240 2016-08-15 20:36:46 +02:00
Franz Pletz
64c79e8526 linux: 4.6.5 -> 4.6.6 2016-08-15 04:28:08 +02:00
Franz Pletz
2a8718fb0b linux_4_5: remove, not support by upstream anymore 2016-08-15 04:28:02 +02:00
Franz Pletz
bd4490e277 Merge branch 'master' into hardened-stdenv 2016-08-13 16:59:55 +02:00
obadz
b2efe2babd Revert "linux kernel 4.4: fix race during build"
Removes patch. Was fixed upstream.

This reverts commit 4788ec1372.
2016-08-12 16:42:25 +01:00
Guillaume Maudoux
b1817fa8a3 linux_mptcp: 0.90.1 (kernel 3.18) -> 0.91 (kernel 4.1) (#17675) 2016-08-12 15:14:24 +02:00
Robin Gloster
b7787d932e Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-12 09:46:53 +00:00
obadz
18947c9e36 Revert "ecryptfs: fix kernel bug introduced in 4.4.14"
The Linux 4.4.17 release fixes the underlying issue

This reverts commit fad9a8841b.
2016-08-11 17:15:54 +01:00
Eelco Dolstra
e26ac7afd4 linux: 4.4.16 -> 4.4.17 2016-08-11 15:20:07 +02:00
Tuomas Tynkkynen
088bcf4ec4 kernel config: Fix 3.10, 3.12, 3.14 builds 2016-08-06 17:06:45 +03:00
Tuomas Tynkkynen
44f462bf4d generate-config.pl: Be more verbose about missing options
For instance, the current 3.10 kernel build fails at the end with:

unused option: BRCMFMAC_PCIE
unused option: FW_LOADER_USER_HELPER_FALLBACK
unused option: KEXEC_FILE
unused option: RANDOMIZE_BASE

However, it's not obvious that only the _last_ one is actually fatal to
the build. After this change it's at least somewhat better:

warning: unused option: BRCMFMAC_PCIE
warning: unused option: FW_LOADER_USER_HELPER_FALLBACK
warning: unused option: KEXEC_FILE
error: unused option: RANDOMIZE_BASE
2016-08-06 17:06:45 +03:00
Michal Rus
7281740c2e
linux: enable DRM_GMA600 and DRM_GMA3600
Adds basic support for Intel GMA3600/3650 (Intel Cedar Trail) platforms
and support for GMA600 (Intel Moorestown/Oaktrail) platforms with LVDS
ports via the gma500_gfx module.

Resolves #14727 Closes #17519
2016-08-05 19:07:40 +02:00
Franz Pletz
2d6b7aa545 linux: enable some useful networking options
All options are enabled by default on Debian and some other
distributions, so these should be safe.
2016-08-05 04:07:31 +02:00
Robin Gloster
1be4907ca2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-02 13:46:36 +00:00
Joachim Fasting
76f2e827a7
grsecurity: 4.6.5-201607272152 -> 4.6.5-201607312210 2016-08-01 12:46:48 +02:00
Robin Gloster
63c7b4f9a7 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-31 20:51:34 +00:00
Joachim Fasting
83f783c00f
grsecurity: 4.6.4-201607242014 -> 4.6.5-201607272152 2016-07-29 00:24:00 +02:00
Franz Pletz
9aee2a17af linux: 4.6.4 -> 4.6.5
Removed patch was applied upstream.
2016-07-28 23:05:27 +02:00
Franz Pletz
b68fe1a572 linux: 4.5.6 -> 4.5.7 2016-07-28 23:05:27 +02:00
Eelco Dolstra
42f8df10a2 linux: 4.4.16 -> 4.4.16 2016-07-28 17:03:55 +02:00
Robin Gloster
f222d98746 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-25 12:47:13 +00:00
Joachim Fasting
e725c927d4
grsecurity: 4.6.4-201607192040 -> 4.6.4-201607242014 2016-07-25 09:11:28 +02:00
Shea Levy
ac93e9f2c8 Linux 4.7 2016-07-24 18:30:08 -04:00
Lluís Batlle i Rossell
dd02b6f118 perf: depend on libiberty to get c++ demangling. 2016-07-21 17:27:15 +02:00
Robin Gloster
1f04b4a566 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-21 00:56:43 +00:00
Joachim Fasting
55120ac4cb
grsecurity: 4.6.4-201607112205 -> 4.6.4-201607192040 2016-07-20 10:17:35 +02:00
Joachim Fasting
c93ffb95bc
grsecurity: enable support for setting pax flags via xattrs
While useless for binaries within the Nix store, user xattrs are a convenient
alternative for setting PaX flags to executables outside of the store.

To use disable secure memory protections for a non-store file foo, do
  $ setfattr -n user.pax.flags -v em foo
2016-07-20 10:17:11 +02:00
Robin Gloster
5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
obadz
927a984de6 kernel: make KEXEC_FILE & KEXEC_JUMP optional to fix i686 build
cc @edolstra @dezgeg @domenkozar
2016-07-13 12:49:18 +02:00
obadz
fad9a8841b ecryptfs: fix kernel bug introduced in 4.4.14
Introduced by mainline commit 2f36db7
Patch is from http://www.spinics.net/lists/stable/msg137350.html
Fixes #16766
2016-07-13 11:04:07 +02:00
Franz Pletz
dde259dfb5 linux: Add patch to fix CVE-2016-5829 (#16824)
Fixed for all available 4.x series kernels.

From CVE-2016-5829:

  Multiple heap-based buffer overflows in the hiddev_ioctl_usage function
  in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow
  local users to cause a denial of service or possibly have unspecified
  other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl
  call.
2016-07-12 20:56:50 +02:00
Joachim Fasting
416120e0c7
grsecurity: 4.6.3-201607070721 -> 4.6.4-201607112205 2016-07-12 15:15:09 +02:00
Tim Steinbach
47da65923b kernel: 4.6.3 -> 4.6.4 (#16875) 2016-07-12 09:54:57 +02:00
Louis Taylor
b2b8a89945 linux-testing: 4.7-rc6 -> 4.7-rc7 (#16854) 2016-07-11 17:53:41 +02:00
Eelco Dolstra
ecc26d7a40 linux: Disable the old IDE subsystem
This has long been deprecated in favour of the new ATA support
(CONFIG_ATA).
2016-07-11 15:05:21 +02:00
Eelco Dolstra
7b9c493d60 linux: Enable some kernel features
This enables a few features that should be useful and safe (they're
all used by the default Ubuntu kernel config), in particular zswap,
wakelocks, kernel load address randomization, userfaultfd (useful for
QEMU), paravirtualized spinlocks and automatic process group
scheduling.

Also removes some configuration conditional on kernel versions that we
no longer support.
2016-07-11 15:04:56 +02:00
Eelco Dolstra
1cd7dbc00b linux: Bump NR_CPUS
The default limit (64) is too low for systems like EC2 x1.* instances
or Xeon Phis, so let's increase it.
2016-07-11 14:32:18 +02:00
Joachim Fasting
a2ebf45b47
grsecurity: 4.5.7-201606302132 -> 4.6.3-201607070721 2016-07-07 19:34:58 +02:00
Tuomas Tynkkynen
4085f4de5f Merge branch 'pr-newest-uboot' into master 2016-07-04 15:17:46 +03:00
Tuomas Tynkkynen
55aecd308e linux-rpi: 4.1.20-XXX -> 4.4.13-1.20160620-1
- Add a patch to unset CONFIG_LOCALVERSION in the v7 build.
- Copy all the device trees to match the upstream names so U-Boot can
  find them. (This is a hack.)
2016-07-04 15:13:29 +03:00
aszlig
566c990f33
linux-testing: 4.6-rc6 -> 4.7-rc6
The config option DEVPTS_MULTIPLE_INSTANCES now no longer exists since
torvalds/linux@eedf265aa0.

Built successfully on my Hydra instance:

https://headcounter.org/hydra/log/r4n6sv0zld0aj65r7l494757s2r8w8sr-linux-4.7-rc6.drv

Verified unpacked tarball with GnuPG:

ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886

gpg: Signature made Mon 04 Jul 2016 08:13:05 AM CEST
gpg:                using RSA key 79BE3E4300411886
gpg: Good signature from "Linus Torvalds <torvalds@linux-foundation.org>"

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-07-04 10:46:48 +02:00
Joachim Fasting
640ac5186f
grsecurity: 4.5.7-201606292300 -> 4.5.7-201606302132 2016-07-02 20:37:52 +02:00
Joachim Fasting
51c04b74c1
grsecurity: 4.5.7-201606280009 -> 4.5.7-201606292300 2016-06-30 11:09:59 +02:00
Joachim Fasting
cdcdc25ef3
grsecurity: 4.5.7-201606262019 -> 4.5.7-201606280009 2016-06-28 14:57:20 +02:00
Joachim Fasting
d5eec25ff9
grsecurity: 4.5.7-201606222150 -> 4.5.7-201606262019 2016-06-27 21:42:17 +02:00
Franz Pletz
7e9affa7ee linux_4_3: Remove, not maintained anymore 2016-06-27 00:11:16 +02:00
Franz Pletz
eed51eccef linux: 3.10.101 -> 3.10.102 2016-06-27 00:11:16 +02:00
Franz Pletz
b7e0b118d9 linux: 3.12.57 -> 3.12.61 2016-06-27 00:11:04 +02:00
Franz Pletz
0387eddb51 linux: 3.14.65 -> 3.14.73 2016-06-27 00:10:38 +02:00
Franz Pletz
6165af4db2 linux: 3.18.29 -> 3.18.36 2016-06-27 00:09:56 +02:00
Franz Pletz
5806b185bd linux: 4.1.25 -> 4.1.27 2016-06-27 00:09:30 +02:00
Franz Pletz
4a942499b4 linux: 4.4.13 -> 4.4.14 2016-06-27 00:08:11 +02:00
Joachim Fasting
4fb72b2fd3
grsecurity: 4.5.7-201606202152 -> 4.5.7-201606222150 2016-06-26 17:27:17 +02:00
Tim Steinbach
125ffff089 kernel: 4.6.2 -> 4.6.3 2016-06-24 22:18:16 +00:00
Joachim Fasting
9d052a2c39
grsecurity: 4.5.7-201606142010 -> 4.5.7-201606202152 2016-06-23 00:55:54 +02:00
Eelco Dolstra
453086a15f linux: 4.4.12 -> 4.4.13 2016-06-20 13:11:55 +02:00
zimbatm
7c32638439 Merge pull request #16259 from layus/update-mptcp
linux_mptcp: update 0.90 -> 0.90.1
2016-06-20 09:29:07 +01:00
Joachim Fasting
875fd5af73
grsecurity: 4.5.7-201606110914 -> 4.5.7-201606142010 2016-06-16 14:29:12 +02:00
Guillaume Maudoux
d73b7d101f linux_mptcp: 0.90 -> 0.90.1 2016-06-15 22:56:11 +02:00
Joachim Fasting
130b06eb0b
grsecurity: 4.5.7-201606080852 -> 4.5.7-201606110914 2016-06-14 14:18:01 +02:00
Joachim Fasting
886c03ad2e Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting
75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Joachim Fasting
4ae5eb97f1
kernel: set virtualization options regardless of grsec
Per my own testing, the NixOS grsecurity kernel works both as a
KVM-based virtualisation host and guest; there appears to be no good
reason to making these conditional on `features.grsecurity`.

More generally, it's unclear what `features.grsecurity` *means*. If
someone configures a grsecurity kernel in such a fashion that it breaks
KVM support, they should know to disable KVM themselves.
2016-06-10 19:27:59 +02:00
Joachim Fasting
d8e4432fe2
kernel: unconditionally disable /dev/kmem
This was presumably set for grsecurity compatibility, but now appears
redundant.  Grsecurity does not expect nor require /dev/kmem to be
present and so it makes little sense to continue making its inclusion in
the standard kernel dependent on grsecurity.

More generally, given the large number of possible grsecurity
configurations, it is unclear what `features.grsecurity` even
*means* and its use should be discouraged.
2016-06-10 19:27:41 +02:00
Shea Levy
4fbafb2395 linux 4.6.1 -> 4.6.2 2016-06-10 09:30:11 -04:00
Robin Gloster
8031cba2ab Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-06-10 09:27:04 +00:00
Joachim Fasting
edc36a0091
grsecurity: 4.5.6-201606051644 -> 4.5.7-201606080852 2016-06-09 15:40:06 +02:00
Vladimír Čunát
20c2ce4954 Merge #16045: kernel: 4.6.0 -> 4.6.1 2016-06-09 14:37:32 +02:00
Vladimír Čunát
c0895be3ee Merge #16044: kernel: 4.1.20 -> 4.1.25 2016-06-09 14:36:31 +02:00
Vladimír Čunát
f9310c2eee Merge #16043: kernel: 4.4.11 -> 4.4.12 2016-06-09 14:34:50 +02:00
Tim Steinbach
269b7d30a7 kernel: 4.6.0 -> 4.6.1 2016-06-07 09:59:19 -04:00
Tim Steinbach
8f4755a0ae kernel: 4.5.5 -> 4.5.6 2016-06-07 09:58:24 -04:00
Tim Steinbach
a57cbf6546 kernel: 4.4.11 -> 4.4.12 2016-06-07 09:57:47 -04:00
Tim Steinbach
f3ebf13762 kernel: 4.1.20 -> 4.1.25 2016-06-07 09:57:07 -04:00
Joachim Fasting
72899d92d0
grsecurity: 4.5.5-201605291201 -> 4.5.6-201606051644 2016-06-07 15:04:24 +02:00
Tuomas Tynkkynen
bac26e08db Fix lots of fetchgit hashes (fallout from #15469) 2016-06-03 17:17:08 +03:00
Alexander Kjeldaas
4c99d22f19 kernel: set nx bit on module ro segments
Fixes #4757.
2016-06-03 15:41:47 +02:00
Robin Gloster
2d382f3d98 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-05-30 19:39:34 +00:00