authorVladimír Čunát <vcunat@gmail.com>2016-06-19 12:33:04 +0200
committerVladimír Čunát <vcunat@gmail.com>2016-06-19 12:33:04 +0200
commite75740455546f85cbf9849907b1f6520fdb487d8 (patch)
tree02ab162a81b88bcf1e116b6cbb180557c33ba9b9 /pkgs/os-specific
parenta02e5ad9263e508b4df6a3e5841e95bace0e787b (diff)
parent410aad942fc82bbeb9c30a4fdf826ed33998a593 (diff)
Merge branch 'master' into staging
Hydra nixpkgs: ?compare=1279790
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r--pkgs/os-specific/linux/jfbview/default.nix4
-rw-r--r--pkgs/os-specific/linux/jfbview/mupdf-1.9.patch28
-rw-r--r--pkgs/os-specific/linux/kernel/common-config.nix20
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix43
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch (renamed from pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch)0
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.1.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.4.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.5.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.6.nix5
-rw-r--r--pkgs/os-specific/linux/kernel/linux-grsecurity.nix (renamed from pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix)4
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix41
-rw-r--r--pkgs/os-specific/linux/kmod-debian-aliases/default.nix9
-rw-r--r--pkgs/os-specific/linux/odp-dpdk/default.nix40
13 files changed, 156 insertions, 50 deletions
diff --git a/pkgs/os-specific/linux/jfbview/default.nix b/pkgs/os-specific/linux/jfbview/default.nix
index 31ba5e1152c..bad64a20cac 100644
--- a/pkgs/os-specific/linux/jfbview/default.nix
+++ b/pkgs/os-specific/linux/jfbview/default.nix
@@ -31,6 +31,10 @@ stdenv.mkDerivation rec {
     imlib2
   ];
 
+  patches = [
+    ./mupdf-1.9.patch
+  ];
+
   configurePhase = ''
     # Hack. Probing (`ldconfig -p`) fails with ‘cannot execute binary file’.
     # Overriding `OPENJP2 =` later works, but makes build output misleading:
diff --git a/pkgs/os-specific/linux/jfbview/mupdf-1.9.patch b/pkgs/os-specific/linux/jfbview/mupdf-1.9.patch
new file mode 100644
index 00000000000..99d7377239b
--- /dev/null
+++ b/pkgs/os-specific/linux/jfbview/mupdf-1.9.patch
@@ -0,0 +1,28 @@
+--- JFBView-0.5.2-src/Makefile	2016-06-11 23:27:54.969894750 -0700
++++ JFBView-0.5.2-src/Makefile	2016-06-11 23:24:45.181142832 -0700
+@@ -134,13 +134,22 @@
+ 
+ .PHONY: detect_libopenjp2
+ detect_libopenjp2:
+-	$(eval OPENJP2 = $(shell ldconfig -p | grep -q libopenjp2 && echo 'openjp2' || echo 'openjpeg'))
++	$(eval OPENJP2 = $(shell echo libopenjp2 | grep -q libopenjp2 && echo 'openjp2'  || echo 'openjpeg'))
+ 	@echo "OPENJP2 = $(OPENJP2)" >> $(CONFIG_MK)
+ 
+ # mupdf_version only depends on -lmupdf.
+ mupdf_version: mupdf_version.cpp
+-	$(CXX) $(CXXFLAGS) -o $@ $^ $(LDLIBS) -lmupdf
+-
++	$(CXX) $(CXXFLAGS) -o $@ $^ $(LDLIBS) -lmupdf \
++    -lpthread \
++    -lform \
++    -lncurses \
++    -lfreetype \
++    -lharfbuzz \
++    -lz \
++    -ljbig2dec \
++    -ljpeg \
++    -lmujs \
++    -lopenjp2
+ endif
+ 
+ 
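Review bot: The replacement probe in the `detect_libopenjp2` recipe, `echo libopenjp2 | grep -q libopenjp2`, always succeeds, so `OPENJP2` is unconditionally `openjp2` and the `|| echo 'openjpeg'` arm can never run. Writing the constant directly, `$(eval OPENJP2 = openjp2)`, states that intent and leaves no shell pipeline that looks like a real probe. The `configurePhase` comment in default.nix still describes the `ldconfig -p` probe failing; once this patch is applied that workaround may be stale, but its body continues outside the hunk shown, so that needs checking there.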
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 3ce65a3f6e1..624d380fe56 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -261,9 +261,7 @@ with stdenv.lib;
   # Security related features.
   STRICT_DEVMEM y # Filter access to /dev/mem
   SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
-  ${optionalString (!(features.grsecurity or false)) ''
-    DEVKMEM n # Disable /dev/kmem
-  ''}
+  DEVKMEM n # Disable /dev/kmem
   ${if versionOlder version "3.14" then ''
     CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
   '' else ''
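Review bot: `DEVKMEM n` is now emitted for grsecurity kernels as well, and the line does not say what makes that valid after it had been guarded. It presumably relies on `GRKERNSEC_KMEM n` in the new grsecurity-nixos-config.nix keeping the mainline option available, which also means the mainline `STRICT_DEVMEM y` / `DEVKMEM n` pair is what restricts /dev/mem and /dev/kmem on those kernels; neither can be confirmed from this diff. If that is the intent, record it beside the option, e.g. `DEVKMEM n # Disable /dev/kmem (grsecurity kernels: requires GRKERNSEC_KMEM n)`.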
@@ -422,13 +420,11 @@ with stdenv.lib;
 
   # Virtualisation.
   PARAVIRT? y
-  ${optionalString (!(features.grsecurity or false))
-    (if versionAtLeast version "3.10" then ''
-      HYPERVISOR_GUEST y
-    '' else ''
-      PARAVIRT_GUEST? y
-    '')
-  }
+  ${if versionAtLeast version "3.10" then ''
+    HYPERVISOR_GUEST y
+  '' else ''
+    PARAVIRT_GUEST? y
+  ''}
   KVM_APIC_ARCHITECTURE y
   KVM_ASYNC_PF y
   ${optionalString (versionOlder version "3.7") ''
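Review bot: `HYPERVISOR_GUEST y` in this hunk and `KVM_GUEST y` in the next one are mandatory entries (no `?`, unlike `PARAVIRT? y` just above) and now also reach grsecurity kernels, whose new config selects `GRKERNSEC_CONFIG_VIRT_HOST y`. Nothing visible here shows that the guest options survive that auto-configuration. If they can be forced off or be absent for some kernel, write them as `HYPERVISOR_GUEST? y` and `KVM_GUEST? y`, or add a comment stating that the combination was built and checked.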
@@ -443,9 +439,7 @@ with stdenv.lib;
   ${optionalString (versionAtLeast version "4.0") ''
     KVM_GENERIC_DIRTYLOG_READ_PROTECT y
   ''}
-  ${optionalString (!features.grsecurity or true) ''
-    KVM_GUEST y
-  ''}
+  KVM_GUEST y
   KVM_MMIO y
   ${optionalString (versionAtLeast version "3.13") ''
     KVM_VFIO y
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
new file mode 100644
index 00000000000..894f2d8e364
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -0,0 +1,43 @@
+{ stdenv }:
+
+with stdenv.lib;
+
+''
+GRKERNSEC y
+PAX y
+
+GRKERNSEC_CONFIG_AUTO y
+GRKERNSEC_CONFIG_DESKTOP y
+GRKERNSEC_CONFIG_VIRT_HOST y
+GRKERNSEC_CONFIG_VIRT_EPT y
+GRKERNSEC_CONFIG_VIRT_KVM y
+GRKERNSEC_CONFIG_PRIORITY_SECURITY y
+
+PAX_PT_PAX_FLAGS y
+PAX_XATTR_PAX_FLAGS n
+PAX_EI_PAX n
+
+GRKERNSEC_PROC_GID 0
+
+PAX_LATENT_ENTROPY n
+PAX_SIZE_OVERFLOW n
+GRKERNSEC_HIDESYM n
+GRKERNSEC_RANDSTRUCT n
+GRKERNSEC_PROC n
+GRKERNSEC_SYSFS_RESTRICT n
+GRKERNSEC_KMEM n
+GRKERNSEC_MODHARDEN n
+GRKERNSEC_NO_SIMULT_CONNECT n
+
+PAX_KERNEXEC_PLUGIN_METHOD_BTS y
+
+GRKERNSEC_ACL_HIDEKERN y
+GRKERNSEC_IO y
+
+GRKERNSEC_AUDIT_PTRACE y
+GRKERNSEC_FORKFAIL y
+
+GRKERNSEC_SYSCTL y
+GRKERNSEC_SYSCTL_DISTRO y
+GRKERNSEC_SYSCTL_ON y
+''
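Review bot: The nine options forced to `n` (`PAX_LATENT_ENTROPY` through `GRKERNSEC_NO_SIMULT_CONNECT`) turn off hardening that `GRKERNSEC_CONFIG_AUTO y` with `GRKERNSEC_CONFIG_PRIORITY_SECURITY y` would presumably otherwise select, and the file gives no reason for any of them. The config format accepts trailing `#` comments (common-config.nix uses them), so each deviation should carry its rationale, in the form `GRKERNSEC_MODHARDEN n # <why this is disabled on NixOS>`, so it can be revisited when the constraint goes away. `GRKERNSEC_PROC_GID 0` sits next to `GRKERNSEC_PROC n` and may have no effect; worth verifying. `with stdenv.lib;` is unused, since the body is a plain string with no interpolation.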
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
index e0430a69c95..e0430a69c95 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
diff --git a/pkgs/os-specific/linux/kernel/linux-4.1.nix b/pkgs/os-specific/linux/kernel/linux-4.1.nix
index 57e239c1d09..1e8932ad598 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.1.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.1.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.1.20";
+  version = "4.1.25";
   extraMeta.branch = "4.1";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1dpq8dgj351jzm7n6330a4xriz9dxv7d9wxzj9zn9q7ya22np9gs";
+    sha256 = "0rfs5vn9ggymd426jr4gkhgk9bnn1g9c5x7k3xgfh4i08mq1920f";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index e89a53d21bf..4bc501a3ba2 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.4.11";
+  version = "4.4.12";
   extraMeta.branch = "4.4";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1c0lqk2q4hf8jx6myhcqgh2509d36wx87l5k5cl3xfsnrzrpclrs";
+    sha256 = "1r96jyvm44615f5zh5sn04zx7y8bllpx12lx1zjkns66i4ddv0rq";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/linux-4.5.nix b/pkgs/os-specific/linux/kernel/linux-4.5.nix
index 84d48865bcb..94561ed2e54 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.5.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.5.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.5.5";
+  version = "4.5.6";
   extraMeta.branch = "4.5";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0l7wnilqqhg3im2v04g6k2x621yckdb9bpfh8s8jq9l2fixjln99";
+    sha256 = "1bdyviimgnc4zbgd9v1xk87sj9h8cprjykifriddwslqxyr2yh0y";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/linux-4.6.nix b/pkgs/os-specific/linux/kernel/linux-4.6.nix
index 0a85af58473..6223a55c467 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.6.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.6.nix
@@ -1,13 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.6";
-  modDirVersion = "4.6.0";
+  version = "4.6.2";
   extraMeta.branch = "4.6";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "a93771cd5a8ad27798f22e9240538dfea48d3a2bf2a6a6ab415de3f02d25d866";
+    sha256 = "e158f3c69da87c2ec28d0f194dbe18b05e0d0b9e1142566615cea3390bab1c6a";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
index 94561ed2e54..63db1779014 100644
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.5.6";
+  version = "4.5.7";
   extraMeta.branch = "4.5";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1bdyviimgnc4zbgd9v1xk87sj9h8cprjykifriddwslqxyr2yh0y";
+    sha256 = "0azvh7lf9kak1xcs5f9smlvx4gkf45vyandizmxhx0zyjlhacw60";
   };
 
   kernelPatches = args.kernelPatches;
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 59fa93480cf..09280cd9063 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -18,20 +18,20 @@ let
       };
     };
 
-  grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
-    assert kversion == kernel.version;
-    { name = "grsecurity-${grversion}-${kversion}";
-      inherit grversion kernel patches kversion revision;
+  grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha256 }: rec {
+    name = "grsecurity-${grver}-${kver}-${grrev}";
+
+    # Pass these along to allow the caller to determine compatibility
+    inherit grver kver grrev;
+
+    patch = fetchurl {
       # When updating versions/hashes, ALWAYS use the official version; we use
       # this mirror only because upstream removes sources files immediately upon
       # releasing a new version ...
-      patch = fetchurl {
-        url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/test/grsecurity-${grversion}-${kversion}-${revision}.patch";
-        inherit sha256;
-      };
-      features.grsecurity = true;
+      url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch";
+      inherit sha256;
     };
-
+  };
 in
 
 rec {
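Review bot: With `assert kversion == kernel.version;` gone, nothing in `grsecPatch` ties `kver` to the kernel the patch is applied to; the new comment hands that check to a caller that is outside this diff. `kver = "4.5.7"` in `grsecurity_testing` and `version = "4.5.7"` in linux-grsecurity.nix now have to be bumped together by hand. At minimum, say so where the value is passed along, e.g. `# kver must equal the version in ./linux-grsecurity.nix; the consumer is expected to assert this`. The patch still comes from a third-party scrape mirror, so the pinned `sha256` is the only integrity check, and the existing "ALWAYS use the official version" comment would be clearer if it said the hash must be computed from the upstream release rather than from the mirror copy.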
@@ -92,19 +92,18 @@ rec {
 
   grsecurity_4_4 = throw "grsecurity stable is no longer supported";
 
-  grsecurity_4_5 = grsecPatch
-    { kernel    = pkgs.grsecurity_base_linux_4_5;
-      patches   = [ grsecurity_fix_path_4_5 ];
-      kversion  = "4.5.6";
-      revision  = "201606051644";
-      sha256    = "1ympym3kpaychd1qsb10hn5ffv8w83ccfmb631hj4jk69xwrry9m";
+  grsecurity_testing = grsecPatch
+    { kver   = "4.5.7";
+      grrev  = "201606142010";
+      sha256 = "00lg4zlxxcl9a27vxl4c4cv6adsdvl00kkbl6s97523vsvsvy1q0";
     };
 
-  grsecurity_latest = grsecurity_4_5;
-
-  grsecurity_fix_path_4_5 =
-    { name = "grsecurity-fix-path-4.5";
-      patch = ./grsecurity-path-4.5.patch;
+  # This patch relaxes grsec constraints on the location of usermode helpers,
+  # e.g., modprobe, to allow calling into the Nix store.
+  grsecurity_nixos_kmod =
+    {
+      name  = "grsecurity-nixos-kmod";
+      patch = ./grsecurity-nixos-kmod.patch;
     };
 
   crc_regression =
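Review bot: `grsecurity_4_5`, `grsecurity_latest` and `grsecurity_fix_path_4_5` are removed without a replacement entry, whereas `grsecurity_4_4` just above is kept as a `throw` with an explanation. An expression that still selects one of the old names gets a bare missing-attribute error. Following the existing pattern, `grsecurity_latest = throw "grsecurity_latest was replaced by grsecurity_testing";` would point users to the new name. Callers are outside this diff, so whether any remain is not visible here.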
diff --git a/pkgs/os-specific/linux/kmod-debian-aliases/default.nix b/pkgs/os-specific/linux/kmod-debian-aliases/default.nix
index 13fe500286d..0fbf7821147 100644
--- a/pkgs/os-specific/linux/kmod-debian-aliases/default.nix
+++ b/pkgs/os-specific/linux/kmod-debian-aliases/default.nix
@@ -1,13 +1,12 @@
 { stdenv, fetchurl, lib }:
-let
-  version = "21-1";
-in
-stdenv.mkDerivation {
+
+stdenv.mkDerivation rec {
   name = "kmod-debian-aliases-${version}.conf";
+  version = "22-1.1";
 
   src = fetchurl {
     url = "mirror://debian/pool/main/k/kmod/kmod_${version}.debian.tar.xz";
-    sha256 = "1abpf8g3yx972by2xpmz6dwwyc1pgh6gjbvrivmrsws69vs0xjsy";
+    sha256 = "0daap2n4bvjqcnksaayy6csmdb1px4r02w3xp36bcp6w3lbnqamh";
   };
 
   installPhase = ''
diff --git a/pkgs/os-specific/linux/odp-dpdk/default.nix b/pkgs/os-specific/linux/odp-dpdk/default.nix
new file mode 100644
index 00000000000..85a6675ee90
--- /dev/null
+++ b/pkgs/os-specific/linux/odp-dpdk/default.nix
@@ -0,0 +1,40 @@
+{ stdenv, fetchgit, autoreconfHook, openssl, libpcap, dpdk, bash }:
+
+stdenv.mkDerivation rec {
+  name = "odp-dpdk-${version}";
+  version = "1.8.0.0";
+
+  src = fetchgit {
+    url = "https://git.linaro.org/lng/odp-dpdk.git";
+    rev = "438a207a39bad213cdc03929452a8199caef5d8c";
+    sha256 = "0k4g5zbirbfdcgqz0nbn9san66y178qnigyvrr2apj3apzjjy7zv";
+  };
+
+  nativeBuildInputs = [ autoreconfHook bash ];
+  buildInputs = [ stdenv openssl dpdk libpcap ];
+
+  RTE_SDK = "${dpdk}";
+  RTE_TARGET = "x86_64-native-linuxapp-gcc";
+
+  patchPhase = ''
+    substituteInPlace scripts/git_hash.sh --replace /bin/bash /bin/sh
+    echo -n ${version} > .scmversion
+  '';
+
+  dontDisableStatic = true;
+
+  configureFlags = [
+    "--with-platform=linux-dpdk"
+    "--disable-shared"
+    "--disable-shared-dpdk"
+    "--with-sdk-install-path=${dpdk}/${RTE_TARGET}"
+  ];
+
+  meta = with stdenv.lib; {
+    description = "Open Data Plane optimized for DPDK";
+    homepage = http://www.opendataplane.org;
+    license = licenses.bsd3;
+    platforms =  [ "x86_64-linux" ];
+    maintainers = [ maintainers.abuibrahim ];
+  };
+}
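Review bot: `patchPhase` is overridden outright, so a `patches` attribute added to this derivation later would be silently skipped; the two commands belong in `postPatch = '' … '';`, which runs after the default patch step. `buildInputs` lists `stdenv`, which is the build environment rather than a dependency, so it should be `buildInputs = [ openssl dpdk libpcap ];`. `homepage` is an unquoted plain-http URL; a quoted string, using https if the site serves it, is the safer form.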