Merge remote-tracking branch 'upstream/master' into hardened-stdenv

14 files changed, 47 insertions, 71 deletions

diff --git a/pkgs/os-specific/linux/eudev/default.nix b/pkgs/os-specific/linux/eudev/default.nix
index e9fcf5d8c4d..8ab4da2da8c 100644
--- a/pkgs/os-specific/linux/eudev/default.nix
+++ b/pkgs/os-specific/linux/eudev/default.nix
@@ -3,10 +3,10 @@ let
   s = # Generated upstream information
   rec {
     baseName="eudev";
-    version = "3.1.5";
+    version = "3.2";
     name="${baseName}-${version}";
     url="http://dev.gentoo.org/~blueness/eudev/eudev-${version}.tar.gz";
-    sha256 = "0akg9gcc3c2p56xbhlvbybqavcprly5q0bvk655zwl6d62j8an7p";
+    sha256 = "099w62ncq78nxpxizf910mx18hc8x4qvzw3azjd00fir89wmyjnq";
   };
   buildInputs = [
     glib pkgconfig gperf utillinux
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index dac0eb0d0f5..ce2f860efc8 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -3,11 +3,10 @@ let
   s = # Generated upstream information
   rec {
     baseName="firejail";
-    version="0.9.40";
+    version="0.9.42-rc1";
     name="${baseName}-${version}";
-    hash="1vr0z694wibjkcpmyg7lz68r53z857c8hsb02cqxi4lfkkcmzgh2";
-    url="mirror://sourceforge/project/firejail/firejail/firejail-0.9.40-rc1.tar.bz2";
-    sha256="1vr0z694wibjkcpmyg7lz68r53z857c8hsb02cqxi4lfkkcmzgh2";
+    url="mirror://sourceforge/project/firejail/firejail/firejail-0.9.42~rc1.tar.bz2";
+    sha256="11br6xp86bxs1ic2x683hbvg1hk8v2wp8cw6blj0zz3cdl0pcjqf";
   };
   buildInputs = [
     which
@@ -18,6 +17,7 @@ stdenv.mkDerivation {
   inherit buildInputs;
   src = fetchurl {
     inherit (s) url sha256;
+    name = "${s.name}.tar.bz2";
   };
 
   preConfigure = ''
diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix
index 9bce875570e..f6fcef11eb0 100644
--- a/pkgs/os-specific/linux/iputils/default.nix
+++ b/pkgs/os-specific/linux/iputils/default.nix
@@ -1,17 +1,17 @@
 { stdenv, fetchurl, libsysfs, gnutls, openssl, libcap, sp, docbook_sgml_dtd_31
-, SGMLSpm }:
+, SGMLSpm, libgcrypt }:
 
 assert stdenv ? glibc;
 
 let
-  time = "20121221";
+  time = "20151218";
 in
 stdenv.mkDerivation rec {
   name = "iputils-${time}";
 
   src = fetchurl {
     url = "http://www.skbuff.net/iputils/iputils-s${time}.tar.bz2";
-    sha256 = "17riqp8dh8dvx32zv3hyrghpxz6xnxa6vai9b4yc485nqngm83s5";
+    sha256 = "189592jlkhxdgy8jc07m4bsl41ik9r6i6aaqb532prai37bmi7sl";
   };
 
   prePatch = ''
@@ -20,7 +20,9 @@ stdenv.mkDerivation rec {
 
   makeFlags = "USE_GNUTLS=no";
 
-  buildInputs = [ libsysfs openssl libcap sp docbook_sgml_dtd_31 SGMLSpm ];
+  buildInputs = [
+    libsysfs openssl libcap sp docbook_sgml_dtd_31 SGMLSpm libgcrypt
+  ];
 
   buildFlags = "man all ninfod";
 
diff --git a/pkgs/os-specific/linux/jool/source.nix b/pkgs/os-specific/linux/jool/source.nix
index 7a341b9e82b..60415c0d009 100644
--- a/pkgs/os-specific/linux/jool/source.nix
+++ b/pkgs/os-specific/linux/jool/source.nix
@@ -1,9 +1,9 @@
 { fetchzip }:
 
 rec {
-  version = "3.4.2";
+  version = "3.4.4";
   src = fetchzip {
-    url = "https://www.jool.mx/download/Jool-${version}.zip";
-    sha256 = "1qv7wwipylb76n8m8vphbf9rgxrryb42dsyw6mm43zjc9knsz7r0";
+    url = "https://github.com/NICMx/releases/raw/master/Jool/Jool-${version}.zip";
+    sha256 = "1k5iyfzjdzl5q64234r806pf6b3qdflvjpw06pnwl0ycj05p5frr";
   };
 }
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 37e3859cd05..f591bdf13d6 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -112,11 +112,21 @@ with stdenv.lib;
     IPV6_PRIVACY y
   ''}
   NETFILTER_ADVANCED y
+  IP_ROUTE_VERBOSE y
+  IP_MROUTE_MULTIPLE_TABLES y
   IP_VS_PROTO_TCP y
   IP_VS_PROTO_UDP y
   IP_VS_PROTO_ESP y
   IP_VS_PROTO_AH y
   IP_DCCP_CCID3 n # experimental
+  IPV6_ROUTER_PREF y
+  IPV6_ROUTE_INFO y
+  IPV6_OPTIMISTIC_DAD y
+  IPV6_MULTIPLE_TABLES y
+  IPV6_SUBTREES y
+  IPV6_MROUTE y
+  IPV6_MROUTE_MULTIPLE_TABLES y
+  IPV6_PIMSM_V2 y
   CLS_U32_PERF y
   CLS_U32_MARK y
   ${optionalString (stdenv.system == "x86_64-linux") ''
@@ -126,6 +136,10 @@ with stdenv.lib;
     NET_CLS_BPF m
     NET_ACT_BPF m
   ''}
+  L2TP_V3 y
+  L2TP_IP m
+  L2TP_ETH m
+  BRIDGE_VLAN_FILTERING y
 
   # Wireless networking.
   CFG80211_WEXT? y # Without it, ipw2200 drivers don't build
@@ -165,6 +179,8 @@ with stdenv.lib;
   # Allow specifying custom EDID on the kernel command line
   DRM_LOAD_EDID_FIRMWARE y
   VGA_SWITCHEROO y # Hybrid graphics support
+  DRM_GMA600 y
+  DRM_GMA3600 y
 
   # Sound.
   SND_DYNAMIC_MINORS y
@@ -255,7 +271,7 @@ with stdenv.lib;
   DEBUG_SET_MODULE_RONX? y # Detect writes to read-only module pages
 
   # Security related features.
-  RANDOMIZE_BASE y
+  RANDOMIZE_BASE? y
   STRICT_DEVMEM y # Filter access to /dev/mem
   SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
   DEVKMEM n # Disable /dev/kmem
@@ -482,7 +498,7 @@ with stdenv.lib;
   # zram support (e.g for in-memory compressed swap).
   ZSMALLOC y
   ZRAM m
-  ZSWAP y
+  ZSWAP? y
 
   # Enable PCIe and USB for the brcmfmac driver
   BRCMFMAC_USB? y
diff --git a/pkgs/os-specific/linux/kernel/ecryptfs-fix-mmap-bug.patch b/pkgs/os-specific/linux/kernel/ecryptfs-fix-mmap-bug.patch
deleted file mode 100644
index 7f94669a9f4..00000000000
--- a/pkgs/os-specific/linux/kernel/ecryptfs-fix-mmap-bug.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
-Tested-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx> # 4.4.y, 3.18.y
-Cc: <stable@xxxxxxxxxxxxxxx> # 4.5-
----
- fs/ecryptfs/kthread.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
-index e818f5a..b9faeab 100644
---- a/fs/ecryptfs/kthread.c
-+++ b/fs/ecryptfs/kthread.c
-@@ -171,7 +171,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
- 		goto out;
- 	}
- have_file:
--	if ((*lower_file)->f_op->mmap == NULL) {
-+	if ((*lower_file)->f_op->mmap == NULL && !d_is_dir(lower_dentry)) {
- 		fput(*lower_file);
- 		*lower_file = NULL;
- 		rc = -EMEDIUMTYPE;
diff --git a/pkgs/os-specific/linux/kernel/generate-config.pl b/pkgs/os-specific/linux/kernel/generate-config.pl
index 20abe1015c3..e5fa780c6e7 100644
--- a/pkgs/os-specific/linux/kernel/generate-config.pl
+++ b/pkgs/os-specific/linux/kernel/generate-config.pl
@@ -134,7 +134,7 @@ close CONFIG;
 
 foreach my $name (sort (keys %answers)) {
     my $f = $requiredAnswers{$name} && $ENV{'ignoreConfigErrors'} ne "1"
-        ? sub { die @_; } : sub { warn @_; };
+        ? sub { die "error: " . $_[0]; } : sub { warn "warning: " . $_[0]; };
     &$f("unused option: $name\n") unless defined $config{$name};
     &$f("option not set correctly: $name\n")
         if $config{$name} && $config{$name} ne $answers{$name};
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 4dd3444d524..56ab62e95e5 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.4.16";
+  version = "4.4.17";
   extraMeta.branch = "4.4";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "18v4n7yypl4c8k69zrnf9g09pilh47y0ciy3mwbksz2kmw4yq573";
+    sha256 = "10ags1n345irx1bi3fyal326b3m5myndz19v0klbvxhd3i3m350m";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 375f0e3b0b4..56963d89efa 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -148,8 +148,4 @@ rec {
         sha256 = "14rm1qr87p7a5prz8g5fwbpxzdp3ighj095x8rvhm8csm20wspyy";
       };
     };
-  ecryptfs_fix_mmap_bug =
-    { name = "ecryptfs_fix_mmap_bug";
-      patch = ./ecryptfs-fix-mmap-bug.patch;
-    };
 }
diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix
index 122ca9d5522..84b66ac0d9c 100644
--- a/pkgs/os-specific/linux/klibc/default.nix
+++ b/pkgs/os-specific/linux/klibc/default.nix
@@ -48,6 +48,6 @@ stdenv.mkDerivation rec {
   '';
 
   meta = {
-    platforms = stdenv.lib.platforms.linux;
+    platforms = [ "x86_64-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/systemd/cryptsetup-generator.nix b/pkgs/os-specific/linux/systemd/cryptsetup-generator.nix
index 2935990755c..3d617ece1c0 100644
--- a/pkgs/os-specific/linux/systemd/cryptsetup-generator.nix
+++ b/pkgs/os-specific/linux/systemd/cryptsetup-generator.nix
@@ -15,11 +15,16 @@ stdenv.lib.overrideDerivation systemd (p: {
     make $makeFlags systemd-cryptsetup-generator
   '';
 
+  # For some reason systemd-cryptsetup-generator is a wrapper-script
+  # with the current release of systemd. We want the real one.
+
+  # TODO: Revert 3efadce when the wrapper-script is gone
   installPhase = ''
     mkdir -p $out/lib/systemd/
     cp systemd-cryptsetup $out/lib/systemd/systemd-cryptsetup
+    cp .libs/*.so $out/lib/
 
     mkdir -p $out/lib/systemd/system-generators/
-    cp systemd-cryptsetup-generator $out/lib/systemd/system-generators/systemd-cryptsetup-generator
+    cp .libs/systemd-cryptsetup-generator $out/lib/systemd/system-generators/systemd-cryptsetup-generator
   '';
 })
diff --git a/pkgs/os-specific/linux/uclibc/default.nix b/pkgs/os-specific/linux/uclibc/default.nix
index c64297f0529..81c8b7b4df7 100644
--- a/pkgs/os-specific/linux/uclibc/default.nix
+++ b/pkgs/os-specific/linux/uclibc/default.nix
@@ -106,6 +106,7 @@ stdenv.mkDerivation {
   meta = {
     homepage = http://www.uclibc.org/;
     description = "A small implementation of the C library";
+    maintainers = with stdenv.lib.maintainers; [ rasendubi ];
     license = stdenv.lib.licenses.lgpl2;
     platforms = stdenv.lib.platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/uksmtools/default.nix b/pkgs/os-specific/linux/uksmtools/default.nix
deleted file mode 100644
index 4efc2d42f2b..00000000000
--- a/pkgs/os-specific/linux/uksmtools/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ stdenv, fetchgit, cmake }:
-
-stdenv.mkDerivation rec {
-  name = "uksmtools-${version}";
-  version = "2015-09-25";
-
-  # This project uses git submodules, which fetchFromGitHub doesn't support:
-  src = fetchgit {
-    sha256 = "1nj53f24qjp0d87fzrz0y72rmv6lhxyiaqrsbd9v423h5zpmkrnj";
-    rev = "9f59a3a0b494b758aa91d7d8fa04e21b5e6463c0";
-    url = "https://github.com/pfactum/uksmtools.git";
-  };
-
-  nativeBuildInputs = [ cmake ];
-
-  enableParallelBuilding = true;
-
-  doCheck = false;
-
-  meta = with stdenv.lib; {
-    description = "Tools to control Linux UKSM (Ultra Kernel Same-page Merging)";
-    homepage = https://github.com/pfactum/uksmtools/;
-    license = licenses.gpl3Plus;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ nckx ];
-  };
-}
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix
index 4ade0af9815..ab347961375 100644
--- a/pkgs/os-specific/linux/wireguard/default.nix
+++ b/pkgs/os-specific/linux/wireguard/default.nix
@@ -1,5 +1,8 @@
 { stdenv, fetchgit, libmnl, kernel ? null }:
 
+# module requires Linux >= 4.1 https://www.wireguard.io/install/#kernel-requirements
+assert kernel != null -> stdenv.lib.versionAtLeast kernel.version "4.1";
+
 let
   name = "wireguard-unstable-${version}";