author | Robin Gloster <mail@glob.in> | 2016-07-25 12:47:13 +0000 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2016-07-25 12:47:13 +0000 |
commit | f222d9874643197fb61ca8460449f10abae1a4fd (patch) | |
tree | b8b9c2dcdf54cc418ef54d579b7d21e0830006b8 /pkgs/os-specific/linux | |
parent | 1f04b4a566d3c8f8de5354ed09dee46557c4abe3 (diff) | |
parent | e725c927d4a09ee116fe18f2f0718364678a321f (diff) | |
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r-- | pkgs/os-specific/linux/dmraid/default.nix | 2 | ||||
-rw-r--r-- | pkgs/os-specific/linux/gradm/default.nix | 61 | ||||
-rw-r--r-- | pkgs/os-specific/linux/hostapd/default.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-4.7.nix | 20 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/perf.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/sysdig/default.nix | 16 |
7 files changed, 73 insertions, 38 deletions
diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix index 9412747d6bc..d39cadf4199 100644 --- a/pkgs/os-specific/linux/dmraid/default.nix +++ b/pkgs/os-specific/linux/dmraid/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { meta = { description = "Old-style RAID configuration utility"; - longDescritipn = '' + longDescription = '' Old RAID configuration utility (still under development, though). It is fully compatible with modern kernels and mdadm recognizes its volumes. May be needed for rescuing an older system or nuking diff --git a/pkgs/os-specific/linux/gradm/default.nix b/pkgs/os-specific/linux/gradm/default.nix index 121b6db5400..52c839bdedd 100644 --- a/pkgs/os-specific/linux/gradm/default.nix +++ b/pkgs/os-specific/linux/gradm/default.nix 
@@ -1,52 +1,51 @@ -{ fetchurl, stdenv, bison, flex, pam, - gcc, coreutils, findutils, binutils, bash }: +{ stdenv, fetchurl +, bison, flex +, pam +}: stdenv.mkDerivation rec { name = "gradm-${version}"; - version = "3.1-201507191652"; + version = "3.1-201607172312"; src = fetchurl { url = "http://grsecurity.net/stable/${name}.tar.gz"; - sha256 = "0l3s56wvk5kpd2qppl328x4alh327xnbf271lh1fan84pxbw651g"; + sha256 = "1r3fbrfijj8mbh3gl489q5bj2srj35f9f96i04nfmw427qpcg0a2"; }; - buildInputs = [ gcc coreutils findutils binutils pam flex bison bash ]; + nativeBuildInputs = [ bison flex ]; + buildInputs = [ pam ]; + + enableParallelBuilding = true; + + makeFlags = [ + "DESTDIR=$(out)" + "LEX=${flex}/bin/flex" + "MANDIR=/share/man" + "MKNOD=true" + ]; + preBuild = '' - substituteInPlace ./Makefile --replace "/usr/include/security/pam_" "${pam}/include/security/pam_" - substituteInPlace ./gradm_defs.h --replace "/sbin/grlearn" "$out/sbin/grlearn" - substituteInPlace ./gradm_defs.h --replace "/sbin/gradm" "$out/sbin/gradm" - ''; + substituteInPlace Makefile \ + --replace "/usr/bin/" "" \ + --replace "/usr/include/security/pam_" "${pam}/include/security/pam_" - postInstall = '' - mkdir -p $out/lib/udev/rules.d - cat > $out/lib/udev/rules.d/80-grsec.rules <<EOF - ACTION!="add|change", GOTO="permissions_end" - KERNEL=="grsec", MODE="0622" - LABEL="permissions_end" - EOF + substituteInPlace gradm_defs.h \ + --replace "/sbin/grlearn" "$out/bin/grlearn" \ + --replace "/sbin/gradm" "$out/bin/gradm" \ + --replace "/sbin/gradm_pam" "$out/bin/gradm_pam" - echo "inherit-learn /nix/store" >> $out/etc/grsec/learn_config - ''; + echo 'inherit-learn /nix/store' >>learn_config - makeFlags = - [ "DESTDIR=$(out)" - "CC=${gcc}/bin/gcc" - "FLEX=${flex}/bin/flex" - "BISON=${bison}/bin/bison" - "FIND=${findutils}/bin/find" - "STRIP=${binutils.out}/bin/strip" - "INSTALL=${coreutils}/bin/install" - "MANDIR=/share/man" - "MKNOD=true" - ]; + mkdir -p "$out/etc/udev/rules.d" + ''; - enableParallelBuilding 
= true; + postInstall = ''rmdir $out/dev''; meta = with stdenv.lib; { description = "grsecurity RBAC administration and policy analysis utility"; homepage = "https://grsecurity.net"; license = licenses.gpl2; platforms = platforms.linux; - maintainers = with maintainers; [ thoughtpolice ]; + maintainers = with maintainers; [ thoughtpolice joachifm ]; }; } diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix index 39982859712..5053ef3d1d2 100644 --- a/pkgs/os-specific/linux/hostapd/default.nix +++ b/pkgs/os-specific/linux/hostapd/default.nix @@ -3,11 +3,11 @@ with stdenv.lib; stdenv.mkDerivation rec { name = "hostapd-${version}"; - version = "2.4"; + version = "2.5"; src = fetchurl { url = "http://hostap.epitest.fi/releases/${name}.tar.gz"; - sha256 = "0zv5pnfrp6z7jjbskzgdb2rlmlbvdxmmis7ca94x5jy9s5mypq3g"; + sha256 = "0jn77r39ysshkzihv5rjbdajqazci59v2yab4rn05my09najs9wf"; }; nativeBuildInputs = [ pkgconfig ]; diff --git a/pkgs/os-specific/linux/kernel/linux-4.7.nix b/pkgs/os-specific/linux/kernel/linux-4.7.nix new file mode 100644 index 00000000000..53fa5de5bb6 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/linux-4.7.nix @@ -0,0 +1,20 @@ +{ stdenv, fetchurl, perl, buildLinux, ... } @ args: + +import ./generic.nix (args // rec { + version = "4.7"; + modDirVersion = "4.7.0"; + extraMeta.branch = "4.7"; + + src = fetchurl { + url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; + sha256 = "5190c3d1209aeda04168145bf50569dc0984f80467159b1dc50ad731e3285f10"; + }; + + kernelPatches = args.kernelPatches; + + features.iwlwifi = true; + features.efiBootStub = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; +} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index ddb1ccce91b..085bbef7395 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix 
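Review bot: The udev rule that set `MODE="0622"` on the `grsec` device is no longer written by `postInstall` in the gradm hunk, and the new expression does not show what replaces it; `preBuild` only creates `$out/etc/udev/rules.d`, presumably so that the upstream Makefile installs its own rule there. Because that rule decides who may open the RBAC control device, a comment on the `mkdir -p` line such as `# the Makefile installs its udev rule only if this directory exists under DESTDIR` (to be confirmed against the Makefile) would make the dependency visible. A `postInstall` check that the directory is non-empty would also catch a silent regression on the next version bump. Separately, the third `--replace "/sbin/gradm_pam"` can never match, because the preceding `/sbin/gradm` replacement has already rewritten that prefix; it can be dropped or moved before the shorter pattern.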
+++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -94,8 +94,8 @@ rec { grsecurity_testing = grsecPatch { kver = "4.6.4"; - grrev = "201607192040"; - sha256 = "14l52halck6lwbpahz3fmv7q5cx22r77k1hqfnn29a66ws9ra6sz"; + grrev = "201607242014"; + sha256 = "1imzz4m1a6i7199plwj264izj8xvvx7r09v3s50rrb17jcsrfiss"; }; # This patch relaxes grsec constraints on the location of usermode helpers, diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix index ad80d2ed93c..d1544cc17f1 100644 --- a/pkgs/os-specific/linux/kernel/perf.nix +++ b/pkgs/os-specific/linux/kernel/perf.nix @@ -1,5 +1,6 @@ { lib, stdenv, kernel, elfutils, python, perl, newt, slang, asciidoc, xmlto , docbook_xsl, docbook_xml_dtd_45, libxslt, flex, bison, pkgconfig, libunwind, binutils +, libiberty , zlib, withGtk ? false, gtk ? null }: with lib; @@ -22,7 +23,8 @@ stdenv.mkDerivation { # perf refers both to newt and slang # binutils is required for libbfd. - nativeBuildInputs = [ asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt flex bison ]; + nativeBuildInputs = [ asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt + flex bison libiberty ]; buildInputs = [ python perl newt slang pkgconfig libunwind binutils zlib ] ++ stdenv.lib.optional withGtk gtk; diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix index 27e41825b98..76858ab5e48 100644 --- a/pkgs/os-specific/linux/sysdig/default.nix +++ b/pkgs/os-specific/linux/sysdig/default.nix 
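Review bot: `libiberty` is added to `nativeBuildInputs` in the second perf.nix hunk, but as far as perf uses it, it is a library linked in alongside libbfd, and the existing comment places `binutils` in `buildInputs` for exactly that reason. In a native build both lists end up in the same environment, but for a cross build `nativeBuildInputs` supplies build-platform packages, so the link would find the wrong architecture or fail. I would leave `nativeBuildInputs` as it was and write `buildInputs = [ python perl newt slang pkgconfig libunwind binutils libiberty zlib ]`. The derivation body continues outside both hunks.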
@@ -1,8 +1,15 @@ -{stdenv, fetchurl, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}: +{stdenv, fetchurl, fetchFromGitHub, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}: let inherit (stdenv.lib) optional optionalString; baseName = "sysdig"; version = "0.10.0"; + # sysdig-0.11.0 depends on some headers from jq which are not + # installed by default. + # Relevant sysdig issue: https://github.com/draios/sysdig/issues/626 + jq-prefix = fetchurl { + url="https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"; + sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4"; + }; in stdenv.mkDerivation { name = "${baseName}-${version}"; @@ -24,6 +31,8 @@ stdenv.mkDerivation { cmakeFlags = [ "-DUSE_BUNDLED_DEPS=OFF" + "-DUSE_BUNDLED_JQ=ON" + "-DSYSDIG_VERSION=${version}" ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF"; preConfigure = '' @@ -32,6 +41,11 @@ stdenv.mkDerivation { export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ''; + preBuild = '' + mkdir -p jq-prefix/src + cp ${jq-prefix} jq-prefix/src/jq-1.5.tar.gz + ''; + postInstall = optionalString (kernel != null) '' make install_driver kernel_dev=${kernel.dev} |
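Review bot: The comment in the first sysdig hunk justifies the jq tarball with sysdig-0.11.0, while the `version` shown just above it is still `0.10.0`; one of the two is out of step, and the `-DUSE_BUNDLED_JQ=ON` flag in the second hunk should be checked against the version actually built. With that flag sysdig builds its own copy of jq 1.5 from the hash-pinned tarball, so this copy will not follow fixes applied to the nixpkgs `jq` package. A line such as `# TODO: drop the bundled jq once draios/sysdig#626 is resolved` next to `jq-prefix` would keep that visible. `fetchFromGitHub` is added to the argument list but is not used in any visible hunk; if `src` (outside the hunks) does not use it, it can be removed. The `jq-1.5` string is repeated in the URL and in the `cp` target of the third hunk, so a version change has to touch both.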