author | Frederik Rietdijk <fridh@fridh.nl> | 2019-01-06 09:36:23 +0100 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2019-01-06 09:36:23 +0100 |
commit | e5381cdeceeb150535998cee5518e6fa678e4dc0 (patch) | |
tree | f0ba4eaa3e0d2c5e2cdfd55e18c1953b1ad9a854 /pkgs/os-specific/linux | |
parent | d84a33d85b621f4621f4e4da1c74b8ad896a349e (diff) | |
parent | 7d864c6bd6391baa516118051ec5fb7e9836280e (diff) | |
Merge master into staging-next
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r-- | pkgs/os-specific/linux/i2c-tools/default.nix | 11 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 35 | ||||
-rw-r--r-- | pkgs/os-specific/linux/sysstat/default.nix | 4 |
3 files changed, 32 insertions, 18 deletions
diff --git a/pkgs/os-specific/linux/i2c-tools/default.nix b/pkgs/os-specific/linux/i2c-tools/default.nix
index 3f90b91f10d..5b061183356 100644
--- a/pkgs/os-specific/linux/i2c-tools/default.nix
+++ b/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -2,22 +2,23 @@ stdenv.mkDerivation rec {
   name = "i2c-tools-${version}";
-  version = "4.0";
+  version = "4.1";
   src = fetchurl {
     url = "https://www.kernel.org/pub/software/utils/i2c-tools/${name}.tar.xz";
-    sha256 = "1mi8mykvl89y6liinc9jv1x8m2q093wrdc2hm86a47n524fcl06r";
+    sha256 = "1m97hpwqfaqjl9xvr4pvz2vdrsdvxbcn0nnx8pamnyc3s7pikcjp";
   };
   buildInputs = [ perl ];
-  patchPhase = ''
+  postPatch = ''
     substituteInPlace eeprom/decode-edid --replace "/usr/sbin/parse-edid" "${read-edid}/bin/parse-edid"
     substituteInPlace stub/i2c-stub-from-dump --replace "/sbin/" ""
   '';
-  installPhase = ''
-    make install prefix=$out
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postInstall = ''
     rm -rf $out/include # Installs include/linux/i2c-dev.h that conflics with kernel headers
   '';
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index 9d28b3edf85..ed540a9e751 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -28,9 +28,9 @@ ${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
   # Reduce attack surface by disabling various emulations
   IA32_EMULATION n
   X86_X32 n
-  ${optionalString (versionOlder version "4.17") ''
-    MODIFY_LDT_SYSCALL? n
-  ''}
+  # Note: this config depends on EXPERT y and so will not take effect, hence
+  # it is left "optional" for now.
+  MODIFY_LDT_SYSCALL? n
   VMAP_STACK y # Catch kernel stack overflows
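Review bot: Dropping the `versionOlder version "4.17"` guard leaves `MODIFY_LDT_SYSCALL? n` in every x86_64 build, but as the new comment itself says the option is only selectable under EXPERT y, so the `?` merely stops the config builder from failing and the modify_ldt syscall stays reachable in the resulting kernel. The comment should state that consequence plainly so nobody reads this profile as removing the LDT surface, e.g. `# modify_ldt stays enabled unless EXPERT y is set; the "?" only suppresses the builder's check`. If actually disabling it is the goal, that requires turning on EXPERT (which changes many unrelated defaults) and deserves its own change rather than an optional line here.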
@@ -52,18 +52,23 @@ ${optionalString (versionOlder version "4.11") ''
   DEBUG_SET_MODULE_RONX y
 ''}
-# Mark LSM hooks read-only after init. Conflicts with SECURITY_SELINUX_DISABLE
-# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot
-# via the selinux=0 boot parameter.
+# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
+# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+# implicitly marks LSM hooks read-only after init.
+#
+# SELinux can only be disabled at boot via selinux=0
+#
+# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+# config builder fails to detect that it has indeed been unset.
 ${optionalString (versionAtLeast version "4.12") ''
   SECURITY_SELINUX_DISABLE n
-''}
-
-${optionalString ((versionAtLeast version "4.12") && (versionOlder version "4.17")) ''
-  SECURITY_WRITABLE_HOOKS n
+  SECURITY_WRITABLE_HOOKS? n
 ''}
 DEBUG_WX y # boot-time warning on RWX mappings
+${optionalString (versionAtLeast version "4.11") ''
+  STRICT_KERNEL_RWX y
+''}
 # Stricter /dev/mem
 STRICT_DEVMEM? y
@@ -84,7 +89,7 @@ ${optionalString (versionAtLeast version "4.13") ''
 # Perform usercopy bounds checking.
 HARDENED_USERCOPY y
 ${optionalString (versionAtLeast version "4.16") ''
-  HARDENED_USERCOPY_FALLBACK n
+  HARDENED_USERCOPY_FALLBACK n # for full whitelist enforcement
 ''}
 # Randomize allocator freelists.
@@ -94,6 +99,9 @@ ${optionalString (versionAtLeast version "4.14") ''
   SLAB_FREELIST_HARDENED y
 ''}
+# Allow enabling slub/slab free poisoning with slub_debug=P
+SLUB_DEBUG y
+
 # Wipe higher-level memory allocations on free() with page_poison=1
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
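Review bot: The new `STRICT_KERNEL_RWX y` block for 4.11+ in the `@@ -52,18 +52,23 @@` hunk protects core kernel mappings only, while the pre-4.11 branch visible at the top of the hunk (`DEBUG_SET_MODULE_RONX y`) is the module-text protection, and its 4.11+ successor STRICT_MODULE_RWX is not set anywhere in the hunk. Adding `  STRICT_MODULE_RWX y` inside the same `optionalString (versionAtLeast version "4.11")` block keeps module text RO/NX pinned explicitly instead of relying on the arch default, which I believe is on for x86 but is a Kconfig choice this profile should not silently depend on. The `SECURITY_WRITABLE_HOOKS? n` change reads as intended given the comment that the builder cannot verify it.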
@@ -117,6 +125,11 @@ ${optionalString (versionAtLeast version "4.20") ''
   GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
 ''}
+${optionalString (versionAtLeast version "4.13") ''
+  GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
+''}
+
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
 PROC_KCORE n # Exposes kernel text image layout
diff --git a/pkgs/os-specific/linux/sysstat/default.nix b/pkgs/os-specific/linux/sysstat/default.nix
index d3a9d7834cd..27b27ebffdd 100644
--- a/pkgs/os-specific/linux/sysstat/default.nix
+++ b/pkgs/os-specific/linux/sysstat/default.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl, gettext, bzip2 }:
 stdenv.mkDerivation rec {
-  name = "sysstat-12.1.1";
+  name = "sysstat-12.1.2";
   src = fetchurl {
     url = "http://perso.orange.fr/sebastien.godard/${name}.tar.xz";
-    sha256 = "0drrlv2fr64g5zf0a2bkla2rql4nmq4n192wvcr9r4zppg58d8k4";
+    sha256 = "0xiv70x4n24fcycvlq95lqgb3jwjxfzq61bnyqai57x54hhn46yp";
   };
   buildInputs = [ gettext ]; |
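Review bot: `GCC_PLUGIN_RANDSTRUCT y` changes the ABI of the kernel it builds: the plugin draws a per-build seed, so every out-of-tree module must be compiled against the same seed (the generated randomize_layout_seed.h) or it will see a different struct layout and cannot be expected to work. Nothing in this hunk shows that the kernel's dev output keeps that header for external module builds, and the random seed also makes the kernel non-reproducible; both should be confirmed before this lands in the default hardened profile. `GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y` also deserves a why-comment, since it trades randomization strength for speed: `# PERFORMANCE: only shuffle fields within cache lines; weaker randomization, lower overhead`.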