authorRobin Gloster <mail@glob.in>2016-07-25 12:47:13 +0000
committerRobin Gloster <mail@glob.in>2016-07-25 12:47:13 +0000
commitf222d9874643197fb61ca8460449f10abae1a4fd (patch)
treeb8b9c2dcdf54cc418ef54d579b7d21e0830006b8 /pkgs/os-specific/linux
parent1f04b4a566d3c8f8de5354ed09dee46557c4abe3 (diff)
parente725c927d4a09ee116fe18f2f0718364678a321f (diff)
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r--pkgs/os-specific/linux/dmraid/default.nix2
-rw-r--r--pkgs/os-specific/linux/gradm/default.nix61
-rw-r--r--pkgs/os-specific/linux/hostapd/default.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.7.nix20
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/perf.nix4
-rw-r--r--pkgs/os-specific/linux/sysdig/default.nix16
7 files changed, 73 insertions, 38 deletions
diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix
index 9412747d6bc..d39cadf4199 100644
--- a/pkgs/os-specific/linux/dmraid/default.nix
+++ b/pkgs/os-specific/linux/dmraid/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
 
   meta = {
     description = "Old-style RAID configuration utility";
-    longDescritipn = ''
+    longDescription = ''
       Old RAID configuration utility (still under development, though).
       It is fully compatible with modern kernels and mdadm recognizes
       its volumes. May be needed for rescuing an older system or nuking
diff --git a/pkgs/os-specific/linux/gradm/default.nix b/pkgs/os-specific/linux/gradm/default.nix
index 121b6db5400..52c839bdedd 100644
--- a/pkgs/os-specific/linux/gradm/default.nix
+++ b/pkgs/os-specific/linux/gradm/default.nix
@@ -1,52 +1,51 @@
-{ fetchurl, stdenv, bison, flex, pam,
-  gcc, coreutils, findutils, binutils, bash }:
+{ stdenv, fetchurl
+, bison, flex
+, pam
+}:
 
 stdenv.mkDerivation rec {
   name    = "gradm-${version}";
-  version = "3.1-201507191652";
+  version = "3.1-201607172312";
 
   src  = fetchurl {
     url    = "http://grsecurity.net/stable/${name}.tar.gz";
-    sha256 = "0l3s56wvk5kpd2qppl328x4alh327xnbf271lh1fan84pxbw651g";
+    sha256 = "1r3fbrfijj8mbh3gl489q5bj2srj35f9f96i04nfmw427qpcg0a2";
   };
 
-  buildInputs = [ gcc coreutils findutils binutils pam flex bison bash ];
+  nativeBuildInputs = [ bison flex ];
+  buildInputs = [ pam ];
+
+  enableParallelBuilding = true;
+
+  makeFlags = [
+    "DESTDIR=$(out)"
+    "LEX=${flex}/bin/flex"
+    "MANDIR=/share/man"
+    "MKNOD=true"
+  ];
+
   preBuild = ''
-    substituteInPlace ./Makefile --replace "/usr/include/security/pam_" "${pam}/include/security/pam_"
-    substituteInPlace ./gradm_defs.h --replace "/sbin/grlearn"   "$out/sbin/grlearn"
-    substituteInPlace ./gradm_defs.h --replace "/sbin/gradm"     "$out/sbin/gradm"
-  '';
+    substituteInPlace Makefile \
+      --replace "/usr/bin/" "" \
+      --replace "/usr/include/security/pam_" "${pam}/include/security/pam_"
 
-  postInstall = ''
-    mkdir -p $out/lib/udev/rules.d
-    cat > $out/lib/udev/rules.d/80-grsec.rules <<EOF
-    ACTION!="add|change", GOTO="permissions_end"
-    KERNEL=="grsec",          MODE="0622"
-    LABEL="permissions_end"
-    EOF
+    substituteInPlace gradm_defs.h \
+      --replace "/sbin/grlearn" "$out/bin/grlearn" \
+      --replace "/sbin/gradm" "$out/bin/gradm" \
+      --replace "/sbin/gradm_pam" "$out/bin/gradm_pam"
 
-    echo "inherit-learn /nix/store" >> $out/etc/grsec/learn_config
-  '';
+    echo 'inherit-learn /nix/store' >>learn_config
 
-  makeFlags =
-    [ "DESTDIR=$(out)"
-      "CC=${gcc}/bin/gcc"
-      "FLEX=${flex}/bin/flex"
-      "BISON=${bison}/bin/bison"
-      "FIND=${findutils}/bin/find"
-      "STRIP=${binutils.out}/bin/strip"
-      "INSTALL=${coreutils}/bin/install"
-      "MANDIR=/share/man"
-      "MKNOD=true"
-    ];
+    mkdir -p "$out/etc/udev/rules.d"
+  '';
 
-  enableParallelBuilding = true;
+  postInstall = ''rmdir $out/dev'';
 
   meta = with stdenv.lib; {
     description = "grsecurity RBAC administration and policy analysis utility";
     homepage    = "https://grsecurity.net";
     license     = licenses.gpl2;
     platforms   = platforms.linux;
-    maintainers = with maintainers; [ thoughtpolice ];
+    maintainers = with maintainers; [ thoughtpolice joachifm ];
   };
 }
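Review bot: In the `gradm_defs.h` substitution the third pattern can never match, because `--replace "/sbin/gradm" "$out/bin/gradm"` has already rewritten the `/sbin/gradm` prefix of `/sbin/gradm_pam` by the time it is applied. The output happens to be the intended `$out/bin/gradm_pam`, but only through ordering; put the longer pattern first (`--replace "/sbin/gradm_pam" "$out/bin/gradm_pam" \` ahead of the `/sbin/gradm` line) so every helper path compiled into gradm is rewritten explicitly. Separately, the hand-written udev rule that set `MODE="0622"` on the `grsec` device is removed and only `mkdir -p "$out/etc/udev/rules.d"` remains, presumably so the upstream install step can place its own rule there. A comment such as `# upstream 'make install' writes its udev rule here, the directory must exist first` would record that, and it is worth confirming the installed rule still restricts the device node.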
diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix
index 39982859712..5053ef3d1d2 100644
--- a/pkgs/os-specific/linux/hostapd/default.nix
+++ b/pkgs/os-specific/linux/hostapd/default.nix
@@ -3,11 +3,11 @@
 with stdenv.lib;
 stdenv.mkDerivation rec {
   name = "hostapd-${version}";
-  version = "2.4";
+  version = "2.5";
 
   src = fetchurl {
     url = "http://hostap.epitest.fi/releases/${name}.tar.gz";
-    sha256 = "0zv5pnfrp6z7jjbskzgdb2rlmlbvdxmmis7ca94x5jy9s5mypq3g";
+    sha256 = "0jn77r39ysshkzihv5rjbdajqazci59v2yab4rn05my09najs9wf";
   };
 
   nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/os-specific/linux/kernel/linux-4.7.nix b/pkgs/os-specific/linux/kernel/linux-4.7.nix
new file mode 100644
index 00000000000..53fa5de5bb6
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-4.7.nix
@@ -0,0 +1,20 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+  version = "4.7";
+  modDirVersion = "4.7.0";
+  extraMeta.branch = "4.7";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "5190c3d1209aeda04168145bf50569dc0984f80467159b1dc50ad731e3285f10";
+  };
+
+  kernelPatches = args.kernelPatches;
+
+  features.iwlwifi = true;
+  features.efiBootStub = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))
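Review bot: `modDirVersion = "4.7.0"` is spelled out separately from `version = "4.7"` with nothing explaining why they differ, so a later point-release bump can update one and miss the other. A comment above it such as `# must match the kernel's own release string, which has three components even for a .0 release` would help. The `sha256` here is also written in hex while the other hashes touched by this commit are base32; both are accepted, but a single encoding makes hash comparison during review easier.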
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index ddb1ccce91b..085bbef7395 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -94,8 +94,8 @@ rec {
 
   grsecurity_testing = grsecPatch
     { kver   = "4.6.4";
-      grrev  = "201607192040";
-      sha256 = "14l52halck6lwbpahz3fmv7q5cx22r77k1hqfnn29a66ws9ra6sz";
+      grrev  = "201607242014";
+      sha256 = "1imzz4m1a6i7199plwj264izj8xvvx7r09v3s50rrb17jcsrfiss";
     };
 
   # This patch relaxes grsec constraints on the location of usermode helpers,
diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix
index ad80d2ed93c..d1544cc17f1 100644
--- a/pkgs/os-specific/linux/kernel/perf.nix
+++ b/pkgs/os-specific/linux/kernel/perf.nix
@@ -1,5 +1,6 @@
 { lib, stdenv, kernel, elfutils, python, perl, newt, slang, asciidoc, xmlto
 , docbook_xsl, docbook_xml_dtd_45, libxslt, flex, bison, pkgconfig, libunwind, binutils
+, libiberty
 , zlib, withGtk ? false, gtk ? null }:
 
 with lib;
@@ -22,7 +23,8 @@ stdenv.mkDerivation {
 
   # perf refers both to newt and slang
   # binutils is required for libbfd.
-  nativeBuildInputs = [ asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt flex bison ];
+  nativeBuildInputs = [ asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt
+      flex bison libiberty ];
   buildInputs = [ python perl newt slang pkgconfig libunwind binutils zlib ] ++
     stdenv.lib.optional withGtk gtk;
 
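Review bot: `libiberty` is added to `nativeBuildInputs`, but it looks like a library perf links against (together with libbfd from `binutils`, which is in `buildInputs`) rather than a tool executed during the build. It belongs in `buildInputs`, e.g. `buildInputs = [ python perl newt slang pkgconfig libunwind binutils libiberty zlib ] ++`, otherwise a cross build would resolve it for the wrong platform. The existing comment could be extended to `# binutils is required for libbfd, which in turn needs libiberty.` so the reason for the new input is recorded.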
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index 27e41825b98..76858ab5e48 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -1,8 +1,15 @@
-{stdenv, fetchurl, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}:
+{stdenv, fetchurl, fetchFromGitHub, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}:
 let
   inherit (stdenv.lib) optional optionalString;
   baseName = "sysdig";
   version = "0.10.0";
+  # sysdig-0.11.0 depends on some headers from jq which are not
+  # installed by default.
+  # Relevant sysdig issue: https://github.com/draios/sysdig/issues/626
+  jq-prefix = fetchurl {
+    url="https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz";
+    sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
+  };
 in
 stdenv.mkDerivation {
   name = "${baseName}-${version}";
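Review bot: The new comment refers to sysdig-0.11.0 while the unchanged `version = "0.10.0"` line directly above it still names the older release, so the comment and the packaged version are out of step (possibly an artifact of the merge). Either the comment should say which version actually needs the jq headers, or the version bump is missing from this side. The jq release is also hard-coded here in the URL and again in the tarball name in the later `preBuild` hunk; a let-bound `jqVersion = "1.5";` used in both places would keep them from drifting apart.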
@@ -24,6 +31,8 @@ stdenv.mkDerivation {
 
   cmakeFlags = [
     "-DUSE_BUNDLED_DEPS=OFF"
+    "-DUSE_BUNDLED_JQ=ON"
+    "-DSYSDIG_VERSION=${version}"
   ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF";
 
   preConfigure = ''
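Review bot: `-DUSE_BUNDLED_JQ=ON` makes sysdig build and link its own copy of jq from the pinned tarball, so fixes delivered through the nixpkgs `jq` package will not reach this binary, and sysdig is normally run with elevated privileges. The exception sits right next to `-DUSE_BUNDLED_DEPS=OFF` with no explanation at the flag itself. Add a comment there, for example `# TODO: drop once jq's headers are available from the jq package (draios/sysdig#626); the bundled copy gets no security updates`, so the vendored dependency stays visible and temporary.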
@@ -32,6 +41,11 @@ stdenv.mkDerivation {
     export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   '';
 
+  preBuild = ''
+    mkdir -p jq-prefix/src
+    cp ${jq-prefix} jq-prefix/src/jq-1.5.tar.gz
+  '';
+
   postInstall = optionalString (kernel != null) ''
     make install_driver
     kernel_dev=${kernel.dev}
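Review bot: The added `preBuild` carries no comment saying why a tarball is copied into `jq-prefix/src`; presumably that is where the bundled-jq CMake step expects its download, and pre-seeding it avoids a network fetch inside the build. A line such as `# pre-seed the hash-pinned tarball so the bundled jq build does not try to download it` would make that explicit and tell the next maintainer that the file name must match what the build looks for. The `postInstall` body continues outside this hunk.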