Diffstat (limited to 'pkgs/os-specific/linux/kernel')
21 files changed, 215 insertions, 179 deletions
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 54e6b7822f9..bd99a7979ee 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -27,8 +27,11 @@ with stdenv.lib; MODULE_COMPRESS_XZ y ''} + KERNEL_XZ y + # Debugging. DEBUG_KERNEL y + DYNAMIC_DEBUG y TIMER_STATS y BACKTRACE_SELF_TEST n CPU_NOTIFIER_ERROR_INJECT? n @@ -180,7 +183,7 @@ with stdenv.lib; VGA_SWITCHEROO y # Hybrid graphics support DRM_GMA600 y DRM_GMA3600 y - ${optionalString (versionAtLeast version "4.5") '' + ${optionalString (versionAtLeast version "4.5" && (versionOlder version "4.9")) '' DRM_AMD_POWERPLAY y # necessary for amdgpu polaris support ''} @@ -210,6 +213,7 @@ with stdenv.lib; # ACLs for all filesystems that support them. FANOTIFY y TMPFS y + FS_ENCRYPTION? m EXT2_FS_XATTR y EXT2_FS_POSIX_ACL y EXT2_FS_SECURITY y @@ -219,6 +223,7 @@ with stdenv.lib; EXT3_FS_POSIX_ACL y EXT3_FS_SECURITY y EXT4_FS_POSIX_ACL y + EXT4_ENCRYPTION? ${if versionOlder version "4.8" then "m" else "y"} EXT4_FS_SECURITY y REISERFS_FS_XATTR? y REISERFS_FS_POSIX_ACL? y @@ -231,6 +236,10 @@ with stdenv.lib; OCFS2_DEBUG_MASKLOG? n BTRFS_FS_POSIX_ACL y UBIFS_FS_ADVANCED_COMPR? y + F2FS_FS m + F2FS_FS_SECURITY? y + F2FS_FS_ENCRYPTION? y + UDF_FS m ${optionalString (versionAtLeast version "4.0" && versionOlder version "4.6") '' NFSD_PNFS y ''} @@ -252,6 +261,12 @@ with stdenv.lib; CIFS_XATTR y CIFS_POSIX y CIFS_FSCACHE y + CIFS_STATS y + CIFS_WEAK_PW_HASH y + CIFS_UPCALL y + CIFS_ACL y + CIFS_DFS_UPCALL y + CIFS_SMB2 y ${optionalString (versionAtLeast version "3.12") '' CEPH_FSCACHE y ''} 
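Review bot: `CIFS_WEAK_PW_HASH y` in the CIFS block (hunk @@ -252) compiles in support for the LANMAN and plaintext password schemes, which the option's own Kconfig help describes as weak legacy authentication. It is only exercised on mounts that explicitly request those legacy `sec=` modes, but enabling it unconditionally in the shared config widens what every NixOS kernel will accept, and none of the other CIFS additions in this hunk carries a comparable trade-off. Either leave it unset (`CIFS_WEAK_PW_HASH? n`) or record the justification next to it, e.g. `CIFS_WEAK_PW_HASH y # legacy LANMAN/plaintext auth; only needed for pre-NTLMv2 servers`.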
@@ -270,6 +285,13 @@ with stdenv.lib; SQUASHFS_LZ4 y ''} + # Native Language Support modules, needed by some filesystems + NLS y + NLS_DEFAULT utf8 + NLS_UTF8 m + NLS_CODEPAGE_437 m # VFAT default for the codepage= mount option + NLS_ISO8859_1 m # VFAT default for the iocharset= mount option + # Runtime security tests DEBUG_SET_MODULE_RONX? y # Detect writes to read-only module pages @@ -277,6 +299,7 @@ with stdenv.lib; RANDOMIZE_BASE? y STRICT_DEVMEM y # Filter access to /dev/mem SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default + SECURITY_YAMA? y # Prevent processes from ptracing non-children processes DEVKMEM n # Disable /dev/kmem ${if versionOlder version "3.14" then '' CC_STACKPROTECTOR? y # Detect buffer overflows on the stack @@ -327,6 +350,7 @@ with stdenv.lib; CGROUPS y # used by systemd FHANDLE y # used by systemd SECCOMP y # used by systemd >= 231 + SECCOMP_FILTER y # ditto POSIX_MQUEUE y FRONTSWAP y FUSION y # Fusion MPT device support @@ -349,7 +373,9 @@ with stdenv.lib; ${optionalString (versionAtLeast version "3.15" && versionOlder version "4.8") '' MLX4_EN_VXLAN y ''} - MODVERSIONS y + ${optionalString (versionOlder version "4.9") '' + MODVERSIONS y + ''} MOUSE_PS2_ELANTECH y # Elantech PS/2 protocol extension MTRR_SANITIZER y NET_FC y # Fibre Channel driver support @@ -388,7 +414,7 @@ with stdenv.lib; # Linux containers. NAMESPACES? y # Required by 'unshare' used by 'nixos-install' - RT_GROUP_SCHED? y + RT_GROUP_SCHED n CGROUP_DEVICE? y MEMCG y MEMCG_SWAP y @@ -505,9 +531,15 @@ with stdenv.lib; TRANSPARENT_HUGEPAGE_MADVISE? y # zram support (e.g for in-memory compressed swap). - ZSMALLOC y ZRAM m ZSWAP? y + ZBUD? y + ${optionalString (versionOlder version "3.18") '' + ZSMALLOC y + ''} + ${optionalString (versionAtLeast version "3.18") '' + ZSMALLOC m + ''} # Enable PCIe and USB for the brcmfmac driver BRCMFMAC_USB? y 
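Review bot: The comment on `SECURITY_YAMA? y` (hunk @@ -277) overstates what the build option does: Yama's ptrace restriction is governed at runtime by the `kernel.yama.ptrace_scope` sysctl (its default of 1 limits ptrace to descendants, and CAP_SYS_PTRACE still bypasses it), so compiling Yama in only makes the policy available. Suggest `SECURITY_YAMA? y # ptrace restrictions, enforced per kernel.yama.ptrace_scope (default 1: descendants only)` so readers do not assume the protection is unconditional.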
diff --git a/pkgs/os-specific/linux/kernel/gcc5-link-apm.patch b/pkgs/os-specific/linux/kernel/gcc5-link-apm.patch deleted file mode 100644 index e415c2d9f2b..00000000000 --- a/pkgs/os-specific/linux/kernel/gcc5-link-apm.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 54c2f3fdb941204cad136024c7b854b7ad112ab6 Mon Sep 17 00:00:00 2001 -From: Andi Kleen <ak@linux.intel.com> -Date: Mon, 5 Aug 2013 15:02:45 -0700 -Subject: x86, asmlinkage, apm: Make APM data structure used from assembler - visible - -Signed-off-by: Andi Kleen <ak@linux.intel.com> -Link: http://lkml.kernel.org/r/1375740170-7446-12-git-send-email-andi@firstfloor.org -Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> ---- - arch/x86/kernel/apm_32.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c -index 53a4e27..3ab0343 100644 ---- a/arch/x86/kernel/apm_32.c -+++ b/arch/x86/kernel/apm_32.c -@@ -392,7 +392,7 @@ static struct cpuidle_device apm_cpuidle_device; - /* - * Local variables - */ --static struct { -+__visible struct { - unsigned long offset; - unsigned short segment; - } apm_bios_entry; --- -cgit v0.12 - diff --git a/pkgs/os-specific/linux/kernel/gcc5-link-lguest.patch b/pkgs/os-specific/linux/kernel/gcc5-link-lguest.patch deleted file mode 100644 index b2474f572ae..00000000000 --- a/pkgs/os-specific/linux/kernel/gcc5-link-lguest.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From cdd77e87eae52b7251acc5990207a1c4500a84ce Mon Sep 17 00:00:00 2001 -From: Andi Kleen <ak@linux.intel.com> -Date: Tue, 5 Nov 2013 21:22:28 +1030 -Subject: x86, asmlinkage, lguest: Pass in globals into assembler statement - -Tell the compiler that the inline assembler statement -references lguest_entry. - -This fixes compile problems with LTO where the variable -and the assembler code may end up in different files. - -Cc: x86@kernel.org -Cc: rusty@rustcorp.com.au -Signed-off-by: Andi Kleen <ak@linux.intel.com> -Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> ---- - drivers/lguest/x86/core.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c -index 5169239..922a1ac 100644 ---- a/drivers/lguest/x86/core.c -+++ b/drivers/lguest/x86/core.c -@@ -157,7 +157,7 @@ static void run_guest_once(struct lg_cpu *cpu, struct lguest_pages *pages) - * stack, then the address of this call. This stack layout happens to - * exactly match the stack layout created by an interrupt... - */ -- asm volatile("pushf; lcall *lguest_entry" -+ asm volatile("pushf; lcall *%4" - /* - * This is how we tell GCC that %eax ("a") and %ebx ("b") - * are changed by this routine. The "=" means output. -@@ -169,7 +169,9 @@ static void run_guest_once(struct lg_cpu *cpu, struct lguest_pages *pages) - * physical address of the Guest's top-level page - * directory. - */ -- : "0"(pages), "1"(__pa(cpu->lg->pgdirs[cpu->cpu_pgd].pgdir)) -+ : "0"(pages), -+ "1"(__pa(cpu->lg->pgdirs[cpu->cpu_pgd].pgdir)), -+ "m"(lguest_entry) - /* - * We tell gcc that all these registers could change, - * which means we don't have to save and restore them in --- -cgit v0.12 - diff --git a/pkgs/os-specific/linux/kernel/generate-config.pl b/pkgs/os-specific/linux/kernel/generate-config.pl index e5fa780c6e7..5574cc937af 100644 --- a/pkgs/os-specific/linux/kernel/generate-config.pl 
+++ b/pkgs/os-specific/linux/kernel/generate-config.pl @@ -91,17 +91,17 @@ sub runConfig { print STDERR "CHOICE: $1, ANSWER: $answer\n" if $debug; print OUT "$answer\n" if $1 =~ /-/; } - + # Some questions lack the option name ("bla bla [Y/n/m/...] "). elsif ($line =~ /(.*) \[(.*)\] ###$/) { print OUT "\n"; } - + else { warn "don't know how to answer this question: $line\n"; print OUT "\n"; } - + $line = ""; %choices = (); } @@ -124,7 +124,10 @@ my %config; open CONFIG, "<.config" or die; while (<CONFIG>) { chomp; - if (/^CONFIG_([A-Za-z0-9_]+)=(.*)$/) { + if (/^CONFIG_([A-Za-z0-9_]+)="(.*)"$/) { + # String options have double quotes, e.g. 'CONFIG_NLS_DEFAULT="utf8"' and allow escaping. + ($config{$1} = $2) =~ s/\\([\\"])/$1/g; + } elsif (/^CONFIG_([A-Za-z0-9_]+)=(.*)$/) { $config{$1} = $2; } elsif (/^# CONFIG_([A-Za-z0-9_]+) is not set$/) { $config{$1} = "n"; @@ -136,6 +139,6 @@ foreach my $name (sort (keys %answers)) { my $f = $requiredAnswers{$name} && $ENV{'ignoreConfigErrors'} ne "1" ? sub { die "error: " . $_[0]; } : sub { warn "warning: " . $_[0]; }; &$f("unused option: $name\n") unless defined $config{$name}; - &$f("option not set correctly: $name\n") + &$f("option not set correctly: $name (wanted '$answers{$name}', got '$config{$name}')\n") if $config{$name} && $config{$name} ne $answers{$name}; } diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix index 4c81cd5b6ad..ed8942b1066 100644 --- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix +++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix 
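Review bot: Now that string options are parsed (hunk @@ -124), the `if $config{$name} && ...` guard in the @@ -136 hunk silently skips any option whose built value is the empty string or `0`, because Perl treats both as false; an option wanted as `utf8` but built as `""`, or wanted as `1` but built as `0` (cf. `SECURITY_SELINUX_BOOTPARAM_VALUE 0` in common-config.nix), is reported neither as unused (it is defined) nor as set incorrectly. Unless the truthiness test is deliberate, change the condition to `if defined $config{$name} && $config{$name} ne $answers{$name};`. The enclosing `foreach` loop starts before the hunk.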
@@ -3,43 +3,61 @@ with stdenv.lib; '' -GRKERNSEC y -PAX y - +# Auto configuration with these constraints will enable most of the +# important features (RAP, UDEREF, ASLR, memory sanitization). GRKERNSEC_CONFIG_AUTO y GRKERNSEC_CONFIG_DESKTOP y -GRKERNSEC_CONFIG_VIRT_HOST y +GRKERNSEC_CONFIG_PRIORITY_SECURITY y + +# We specify virt guest rather than host here, the latter deselects e.g., +# paravirtualization. +GRKERNSEC_CONFIG_VIRT_GUEST y +# Note: assumes platform supports CPU-level virtualization (so no pentium 4) GRKERNSEC_CONFIG_VIRT_EPT y GRKERNSEC_CONFIG_VIRT_KVM y -GRKERNSEC_CONFIG_PRIORITY_SECURITY y +# PaX control PAX_SOFTMODE y - PAX_PT_PAX_FLAGS y PAX_XATTR_PAX_FLAGS y PAX_EI_PAX n -GRKERNSEC_PROC_GID 0 +PAX_INITIFY y + +# The bts instrumentation method is compatible with binary only modules. +# +# Note: if platform supports SMEP, we could do without this +PAX_KERNEXEC_PLUGIN_METHOD_BTS y + +# Additional grsec hardening not implied by auto constraints +GRKERNSEC_IO y +GRKERNSEC_SYSFS_RESTRICT y +GRKERNSEC_ROFS y -PAX_LATENT_ENTROPY n +GRKERNSEC_MODHARDEN y +# Disable protections rendered useless by redistribution GRKERNSEC_HIDESYM n GRKERNSEC_RANDSTRUCT n -GRKERNSEC_PROC n -GRKERNSEC_SYSFS_RESTRICT n -GRKERNSEC_KMEM n -GRKERNSEC_MODHARDEN n -GRKERNSEC_NO_SIMULT_CONNECT n -PAX_KERNEXEC_PLUGIN_METHOD_BTS y +# Disable protections covered by vanilla mechanisms +GRKERNSEC_DMESG n +GRKERNSEC_KMEM n +GRKERNSEC_PROC n -GRKERNSEC_ACL_HIDEKERN y -GRKERNSEC_IO y +# Disable protections that are inappropriate for a general-purpose kernel +GRKERNSEC_NO_SIMULT_CONNECT n +# Enable additional audititing +GRKERNSEC_AUDIT_MOUNT y GRKERNSEC_AUDIT_PTRACE y GRKERNSEC_FORKFAIL y +# Wishlist: support trusted path execution +GRKERNSEC_TPE n + GRKERNSEC_SYSCTL y GRKERNSEC_SYSCTL_DISTRO y -GRKERNSEC_SYSCTL_ON y +# Assume that appropriate sysctls are toggled once the system is up +GRKERNSEC_SYSCTL_ON n '' 
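Review bot: `GRKERNSEC_SYSCTL_ON n` at the end of the hunk means every sysctl-controlled grsecurity feature (with `GRKERNSEC_SYSCTL y` this presumably includes the `GRKERNSEC_IO` and `GRKERNSEC_ROFS` enabled above) is compiled in but inactive at boot until userspace sets the `kernel.grsecurity.*` sysctls and then `grsec_lock`; the comment "Assume that appropriate sysctls are toggled once the system is up" leaves both that dependency and the unprotected early-boot window implicit. Whatever is expected to set them lives outside this file, so name it: `# Sysctl-controlled features start disabled; the NixOS grsecurity module must set kernel.grsecurity.* and grsec_lock at boot`. If no such component exists yet, `GRKERNSEC_SYSCTL_ON y` is the fail-closed default.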
diff --git a/pkgs/os-specific/linux/kernel/linux-3.10.nix b/pkgs/os-specific/linux/kernel/linux-3.10.nix index 27b97054d1a..3e6bd51cc47 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.10.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.10.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "3.10.102"; + version = "3.10.104"; extraMeta.branch = "3.10"; src = fetchurl { url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz"; - sha256 = "0hvymhmbvpmpz1jk0xwhxyskijdh6bzakqj7k0gaa2y0wdj33pxi"; + sha256 = "04kc64zdpg8h8655m825lbny3fwvqhmh3mg9h564i2irnll35lp3"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-3.12.nix b/pkgs/os-specific/linux/kernel/linux-3.12.nix index 3d98da9526b..95ca51a972e 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.12.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.12.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "3.12.62"; + version = "3.12.69"; extraMeta.branch = "3.12"; src = fetchurl { url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz"; - sha256 = "0a9vghq3z5xhr9xssfivb78d3i74h4kn15wqgls1cw5qzyhc1wb0"; + sha256 = "1pzghmj0j2shms4n3knryigy73qssskd6awbgk6mmyg42wypbcmm"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-3.14.nix b/pkgs/os-specific/linux/kernel/linux-3.14.nix deleted file mode 100644 index fdc5cc802a1..00000000000 --- a/pkgs/os-specific/linux/kernel/linux-3.14.nix +++ /dev/null 
@@ -1,19 +0,0 @@ -{ stdenv, fetchurl, perl, buildLinux, ... } @ args: - -import ./generic.nix (args // rec { - version = "3.14.77"; - extraMeta.branch = "3.14"; - - src = fetchurl { - url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz"; - sha256 = "1v3cc3ddla2b8gkwbms4x3lbjygw87r13150nikf1gc0hf64rqp0"; - }; - - kernelPatches = args.kernelPatches; - - features.iwlwifi = true; - features.efiBootStub = true; - features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; - features.netfilterRPFilter = true; -} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-3.18.nix b/pkgs/os-specific/linux/kernel/linux-3.18.nix index 98151295d1b..727126de388 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.18.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.18.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "3.18.40"; + version = "3.18.45"; extraMeta.branch = "3.18"; src = fetchurl { url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz"; - sha256 = "0x94lp4vkw1472m8sq308r8aw96nirkwppkjvqi2240ayw89d5jb"; + sha256 = "1qwvqrlzpf57zvh57dsdk4c4swgbasf2ab75vcn2py8l7jl6rxf0"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-4.1.nix b/pkgs/os-specific/linux/kernel/linux-4.1.nix index 1f89edecfe6..b7f98829931 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.1.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.1.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.1.31"; + version = "4.1.36"; extraMeta.branch = "4.1"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "0madbh1sdkf8gk6ns0zacygvfrpzrl1vd1a4qw8py7slg1bpk79n"; + sha256 = "140my5r39w795gsaglqxaw97hwpy8qf95c6hy2cr7a122bgnslp1"; }; kernelPatches = args.kernelPatches; 
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix index b1892e51600..f3eceb5fe26 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.4.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.4.19"; + version = "4.4.41"; extraMeta.branch = "4.4"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "1566d8x0ljdsgcgazj7paia3m3qfjw0hw3qh9dg6yd321dphrbam"; + sha256 = "1z26frg7sx5n9bvkpg9pfspwhxxvlnnfnrnjr7aqhcgsbxzq8vca"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-4.6.nix b/pkgs/os-specific/linux/kernel/linux-4.8.nix index 6bca1bfe718..a5ce23ee3e4 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.6.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.8.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.6.7"; - extraMeta.branch = "4.6"; + version = "4.8.17"; + extraMeta.branch = "4.8"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "107acpq6jk48ng25jlyv905zslrrv77yxwr46mqbq5lxg8rdg7fh"; + sha256 = "1zk0q6bvqgz2pk1axd5z0cx71vqk96314f1zn8apwa4raylf9fpa"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-4.7.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix index bd54c5352a5..29f0eba7175 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.7.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix 
@@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.7.2"; - extraMeta.branch = "4.7"; + version = "4.9.2"; + extraMeta.branch = "4.9"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "1234z4wzvrbyzql6cc8i4bq7bbbjgaxhys4fcnqzm14lavk3wjaq"; + sha256 = "0f2p12pkzgrh9k5c7g2wwjnv6gzqha8bgd7b0qgbzq3ss7nrmnld"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix index bd54c5352a5..8a71a771c4f 100644 --- a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix +++ b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.7.2"; - extraMeta.branch = "4.7"; + version = "4.8.16"; + extraMeta.branch = "4.8"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "1234z4wzvrbyzql6cc8i4bq7bbbjgaxhys4fcnqzm14lavk3wjaq"; + sha256 = "1aml6vhsfpvm8rsadraff7qj0ivgd9aw75k2q65drz4iby1pqb9h"; }; kernelPatches = args.kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp.nix b/pkgs/os-specific/linux/kernel/linux-mptcp.nix index b39514d45dd..a037343751c 100644 --- a/pkgs/os-specific/linux/kernel/linux-mptcp.nix +++ b/pkgs/os-specific/linux/kernel/linux-mptcp.nix 
@@ -1,18 +1,18 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - mptcpVersion = "0.91"; - modDirVersion = "4.1.26"; + mptcpVersion = "0.91.2"; + modDirVersion = "4.1.35"; version = "${modDirVersion}-mptcp_v${mptcpVersion}"; extraMeta = { branch = "4.1"; - maintainers = stdenv.lib.maintainers.layus; + maintainers = [ stdenv.lib.maintainers.layus ]; }; src = fetchurl { url = "https://github.com/multipath-tcp/mptcp/archive/v${mptcpVersion}.tar.gz"; - sha256 = "0rbvgz89j5wk781y201qdxy2kz4gmlamb72wdbxj8mxv92x56lh3"; + sha256 = "1jfxycg8i99ry2cr2ksarvqjzlr46sp192wkpb4sb2mynbzf3dmk"; }; kernelPatches = args.kernelPatches; @@ -29,12 +29,12 @@ import ./generic.nix (args // rec { # ... but use none by default. # The default is safer if source policy routing is not setup. DEFAULT_DUMMY y - DEFAULT_MPTCP_PM "default" + DEFAULT_MPTCP_PM default # MPTCP scheduler selection. # Disabled as the only non-default is the useless round-robin. MPTCP_SCHED_ADVANCED n - DEFAULT_MPTCP_SCHED "default" + DEFAULT_MPTCP_SCHED default # Smarter TCP congestion controllers TCP_CONG_LIA m diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix index a069e7606cc..f41c53da5a6 100644 --- a/pkgs/os-specific/linux/kernel/linux-rpi.nix +++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix @@ -1,8 +1,8 @@ { stdenv, fetchFromGitHub, perl, buildLinux, ... } @ args: let - modDirVersion = "4.4.13"; - tag = "1.20160620-1"; + modDirVersion = "4.4.26"; + tag = "1.20161020-1"; in stdenv.lib.overrideDerivation (import ./generic.nix (args // rec { version = "${modDirVersion}-${tag}"; 
@@ -12,10 +12,13 @@ stdenv.lib.overrideDerivation (import ./generic.nix (args // rec { owner = "raspberrypi"; repo = "linux"; rev = "raspberrypi-kernel_${tag}"; - sha256 = "0bydlzmd9mar07j6dihhzn1xm6vpn92y33vf1qsdkl3hjil6brfc"; + sha256 = "0y76xrapq7710zzf6sif94xzly72gg505y65lslfirng500ncnv5"; }; features.iwlwifi = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; extraMeta.hydraPlatforms = []; })) (oldAttrs: { diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix index 7b4284028ed..b547240eaf2 100644 --- a/pkgs/os-specific/linux/kernel/linux-testing.nix +++ b/pkgs/os-specific/linux/kernel/linux-testing.nix @@ -1,13 +1,13 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.8-rc4"; - modDirVersion = "4.8.0-rc4"; - extraMeta.branch = "4.8"; + version = "4.10-rc2"; + modDirVersion = "4.10.0-rc2"; + extraMeta.branch = "4.10"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/testing/linux-${version}.tar.xz"; - sha256 = "0is4pzmci1i59fxw9b645c8710zjnx19dfl20m4k06kxdbbs01wg"; + sha256 = "1r3w6mqvmjnsmqrk73xsrqybdvs1czjw5xl1x2wsi2w9nifb47zq"; }; features.iwlwifi = true; diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 4ab688c26af..5f890b9b9fe 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix 
@@ -129,9 +129,7 @@ let '' + (optionalString installsFirmware '' mkdir -p $out/lib/firmware '') + (if (platform ? kernelDTB && platform.kernelDTB) then '' - make $makeFlags "''${makeFlagsArray[@]}" dtbs - mkdir -p $out/dtbs - cp $buildRoot/arch/$karch/boot/dts/*.dtb $out/dtbs + make $makeFlags "''${makeFlagsArray[@]}" dtbs dtbs_install INSTALL_DTBS_PATH=$out/dtbs '' else "") + (if isModular then '' if [ -z "$dontStrip" ]; then installFlagsArray+=("INSTALL_MOD_STRIP=1") diff --git a/pkgs/os-specific/linux/kernel/multithreaded-rsapubkey-asn1.patch b/pkgs/os-specific/linux/kernel/multithreaded-rsapubkey-asn1.patch new file mode 100644 index 00000000000..9f5790862b6 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/multithreaded-rsapubkey-asn1.patch 
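Review bot: The new `dtbs_install` invocation assumes the kernel build system provides that target; as far as I recall it only exists from the 3.14 series on, while this diff still ships 3.10 and 3.12 kernels through the same `manual-config.nix`, so a `kernelDTB` platform paired with one of those would fail at install time. If such combinations exist, keep the removed `mkdir`/`cp` path behind a version check; otherwise at least document the assumption, e.g. `# dtbs_install requires a kernel that provides the target (3.14+)`. The surrounding install-script string starts and ends outside the hunk.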
@@ -0,0 +1,45 @@ + +From Yang Shi <> +Subject [PATCH] crypto: rsa - fix a potential race condition in build +Date Fri, 2 Dec 2016 15:41:04 -0800 + + +When building kernel with RSA enabled with multithreaded, the below +compile failure might be caught: + +| /buildarea/kernel-source/crypto/rsa_helper.c:18:28: fatal error: rsapubkey-asn1.h: No such file or directory +| #include "rsapubkey-asn1.h" +| ^ +| compilation terminated. +| CC crypto/rsa-pkcs1pad.o +| CC crypto/algboss.o +| CC crypto/testmgr.o +| make[3]: *** [/buildarea/kernel-source/scripts/Makefile.build:289: crypto/rsa_helper.o] Error 1 +| make[3]: *** Waiting for unfinished jobs.... +| make[2]: *** [/buildarea/kernel-source/Makefile:969: crypto] Error 2 +| make[1]: *** [Makefile:150: sub-make] Error 2 +| make: *** [Makefile:24: __sub-make] Error 2 + +The header file is not generated before rsa_helper is compiled, so +adding dependency to avoid such issue. + +Signed-off-by: Yang Shi <yang.shi@windriver.com> + +--- + crypto/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/Makefile b/crypto/Makefile +index 99cc64a..8db39f9 100644 +--- a/crypto/Makefile ++++ b/crypto/Makefile +@@ -40,6 +40,7 @@ obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o + + $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h + $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h ++$(obj)/rsa_helper.o: $(obj)/rsa_helper.c $(obj)/rsaprivkey-asn1.h + clean-files += rsapubkey-asn1.c rsapubkey-asn1.h + clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h + +-- +2.0.2 diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 3b5e97f9edf..42a6e0d037b 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix 
@@ -25,10 +25,13 @@ let inherit grver kver grrev; patch = fetchurl { - # When updating versions/hashes, ALWAYS use the official version; we use - # this mirror only because upstream removes sources files immediately upon - # releasing a new version ... - url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch"; + urls = [ + "https://grsecurity.net/${grbranch}/${name}.patch" + # When updating versions/hashes, ALWAYS use the official + # version; we use this mirror only because upstream removes + # source files immediately upon releasing a new version ... + "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch" + ]; inherit sha256; }; @@ -38,14 +41,10 @@ in rec { - link_lguest = - { name = "gcc5-link-lguest"; - patch = ./gcc5-link-lguest.patch; - }; - - link_apm = - { name = "gcc5-link-apm"; - patch = ./gcc5-link-apm.patch; + multithreaded_rsapubkey = + { + name = "multithreaded-rsapubkey-asn1.patch"; + patch = ./multithreaded-rsapubkey-asn1.patch; }; bridge_stp_helper = @@ -95,14 +94,10 @@ rec { sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j"; }; - grsecurity_3_14 = throw "grsecurity stable is no longer supported"; - - grsecurity_4_4 = throw "grsecurity stable is no longer supported"; - grsecurity_testing = grsecPatch - { kver = "4.7.2"; - grrev = "201608312326"; - sha256 = "0nbp3lnl6gi6kklpc8wnjpz5cj9zafaw2445lan15qnyzf5zb966"; + { kver = "4.8.16"; + grrev = "201701062021"; + sha256 = "0ivl9dpbyf0f7ywgh8kbzdf0za10yrh6s8plqk9vnns3dhgcnvnq"; }; # This patch relaxes grsec constraints on the location of usermode helpers, 
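Review bot: The vendored patch referenced by the new `multithreaded_rsapubkey` entry (hunk @@ -38; its content is in the new-file section of this diff) makes `rsa_helper.o` depend on `rsaprivkey-asn1.h` only, while the build failure it quotes is about `rsapubkey-asn1.h`; since the two headers are presumably generated by separate pattern rules, the race this patch is meant to close may remain for the pubkey header. Worth comparing against the version that landed upstream before relying on it. Separately, the entry's `name` carries a `.patch` suffix whereas the `gcc5-link-lguest`/`gcc5-link-apm` entries it replaces did not; pick one convention for the file.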
@@ -153,4 +148,40 @@ rec { }; cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches; + + lguest_entry-linkage = + { name = "lguest-asmlinkage.patch"; + patch = fetchpatch { + url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git" + + "/patch/drivers/lguest/x86/core.c?id=cdd77e87eae52"; + sha256 = "04xlx6al10cw039av6jkby7gx64zayj8m1k9iza40sw0fydcfqhc"; + }; + }; + + packet_fix_race_condition_CVE_2016_8655 = + { name = "packet_fix_race_condition_CVE_2016_8655.patch"; + patch = fetchpatch { + url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=84ac7260236a49c79eede91617700174c2c19b0c"; + sha256 = "19viqjjgq8j8jiz5yhgmzwhqvhwv175q645qdazd1k69d25nv2ki"; + }; + }; + + panic_on_icmp6_frag_CVE_2016_9919 = rec + { name = "panic_on_icmp6_frag_CVE_2016_9919.patch"; + patch = fetchpatch { + inherit name; + url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2"; + sha256 = "0mps33r4mnwiy0bmgrzgqkrk59yya17v6kzpv9024g4xlz61rk8p"; + }; + }; + + p9_caching_4_4 = rec + { name = "9p-caching.patch"; + patch = fetchpatch { + inherit name; + url = https://github.com/edolstra/linux/commit/d522582553368b9564e2d88a8d7b1d469bf98c65.patch; + sha256 = "01h7461pdgavd6ghd6w9wg136hkaca0mrmmzhy6s3phksksimbc2"; + }; + }; + } diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix index 4b1120afa4e..9e572498457 100644 --- a/pkgs/os-specific/linux/kernel/perf.nix +++ b/pkgs/os-specific/linux/kernel/perf.nix @@ -1,11 +1,11 @@ { lib, stdenv, kernel, elfutils, python, perl, newt, slang, asciidoc, xmlto , docbook_xsl, docbook_xml_dtd_45, libxslt, flex, bison, pkgconfig, libunwind, binutils -, libiberty -, zlib, withGtk ? false, gtk ? null }: +, libiberty, libaudit +, zlib, withGtk ? false, gtk2 ? null }: with lib; -assert withGtk -> gtk != null; +assert withGtk -> gtk2 != null; assert versionAtLeast kernel.version "3.12"; stdenv.mkDerivation { 
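Review bot: `packet_fix_race_condition_CVE_2016_8655` does not pass its `name` into `fetchpatch`, unlike `panic_on_icmp6_frag_CVE_2016_9919` and `p9_caching_4_4` directly below it, so if fetchpatch falls back to the URL's basename as fetchurl does, its store path will be named after `?id=84ac…` rather than the patch; write it as `rec { ... patch = fetchpatch { inherit name; ... }; }` like its neighbours, and the same for `lguest_entry-linkage` above it. `p9_caching_4_4` is also the only entry in the hunk with an unquoted `url =` value where every other entry quotes the string. The `rec { ... }` attribute set these entries belong to starts outside the hunk.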
@@ -24,9 +24,9 @@ stdenv.mkDerivation { # perf refers both to newt and slang # binutils is required for libbfd. nativeBuildInputs = [ asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt - flex bison libiberty ]; + flex bison libiberty libaudit ]; buildInputs = [ elfutils python perl newt slang pkgconfig libunwind binutils zlib ] ++ - stdenv.lib.optional withGtk gtk; + stdenv.lib.optional withGtk gtk2; # Note: we don't add elfutils to buildInputs, since it provides a # bad `ld' and other stuff. |
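Review bot: `libaudit` is added to `nativeBuildInputs`, but perf links against libaudit at build time (its feature tests pick it up for syscall-name resolution), so it is a target-platform library and belongs in `buildInputs` next to `elfutils`, `libunwind` and `zlib`; in `nativeBuildInputs` it is provided for the build platform and would be missed or mismatched when cross-compiling. The existing `libiberty` in the same list has the same problem but predates this change. Suggest `buildInputs = [ elfutils python perl newt slang pkgconfig libunwind binutils zlib libaudit ] ++` and dropping it from `nativeBuildInputs`.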