diff options
Diffstat (limited to 'pkgs/os-specific/linux')
65 files changed, 762 insertions, 3196 deletions
diff --git a/pkgs/os-specific/linux/ati-drivers/builder.sh b/pkgs/os-specific/linux/ati-drivers/builder.sh index 520f20e2ed6..844f30e0c60 100644 --- a/pkgs/os-specific/linux/ati-drivers/builder.sh +++ b/pkgs/os-specific/linux/ati-drivers/builder.sh @@ -6,15 +6,14 @@ set -x die(){ echo $@; exit 1; } -# custom unpack: -mkdir fglrx +mkdir fglrx # custom unpack: cd fglrx unzip $src cd .. run_file=$(echo fglrx/amd-driver-installer-*) sh $run_file --extract . -eval "$patchPhase" +eval "$patchPhase1" case "$system" in x86_64-linux) @@ -31,6 +30,7 @@ case "$system" in esac # Handle/Build the kernel module. + if test -z "$libsOnly"; then kernelVersion=$(cd ${kernel}/lib/modules && ls) @@ -41,6 +41,7 @@ if test -z "$libsOnly"; then # current kbuild infrastructure allows using CONFIG_* defines # but ati sources don't use them yet.. # copy paste from make.sh + setSMP(){ linuxincludes=$kernelBuild/include @@ -68,7 +69,6 @@ if test -z "$libsOnly"; then if [ "$SMP" = 0 ]; then echo "assuming default: SMP=$SMP" fi - # act on final result if [ ! "$SMP" = 0 ]; then smp="-SMP" @@ -147,19 +147,15 @@ if test -z "$libsOnly"; then fi { # install - mkdir -p $out/lib/xorg - cp -r common/usr/include $out cp -r common/usr/sbin $out cp -r common/usr/share $out - cp -r common/usr/X11R6 $out - + mkdir $out/bin/ + cp -f common/usr/X11R6/bin/* $out/bin/ # cp -r arch/$arch/lib $out/lib - # what are those files used for? cp -r common/etc $out - cp -r $DIR_DEPENDING_ON_XORG_VERSION/usr/X11R6/$lib_arch/* $out/lib/xorg # install kernel module @@ -179,30 +175,26 @@ fi cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/modules/dri/* $out/lib cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/*.so* $out/lib cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/fglrx/fglrx-libGL.so.1.2 $out/lib/fglrx-libGL.so.1.2 - cp -r $TMP/arch/$arch/usr/$lib_arch/* $out/lib - - # cp -r $TMP/arch/$arch/usr/$lib_arch/* $out/lib ln -s libatiuki.so.1.0 $out/lib/libatiuki.so.1 ln -s fglrx-libGL.so.1.2 $out/lib/libGL.so.1 ln -s fglrx-libGL.so.1.2 $out/lib/libGL.so - - ln -s libfglrx_gamma.so.1.0 $out/lib/libfglrx_gamma.so.1 + # FIXME : This file is missing or has changed versions + #ln -s libfglrx_gamma.so.1.0 $out/lib/libfglrx_gamma.so.1 # make xorg use the ati version ln -s $out/lib/xorg/modules/extensions/{fglrx/fglrx-libglx.so,libglx.so} - # Correct some paths that are hardcoded into binary libs. if [ "$arch" == "x86_64" ]; then for lib in \ - lib/xorg/modules/extensions/fglrx/fglrx-libglx.so \ - lib/xorg/modules/glesx.so \ - lib/dri/fglrx_dri.so \ - lib/fglrx_dri.so \ - lib/fglrx-libGL.so.1.2 + xorg/modules/extensions/fglrx/fglrx-libglx.so \ + xorg/modules/glesx.so \ + dri/fglrx_dri.so \ + fglrx_dri.so \ + fglrx-libGL.so.1.2 do oldPaths="/usr/X11R6/lib/modules/dri" newPaths="/run/opengl-driver/lib/dri" - sed -i -e "s|$oldPaths|$newPaths|" $out/$lib + sed -i -e "s|$oldPaths|$newPaths|" $out/lib/$lib done else oldPaths="/usr/X11R6/lib32/modules/dri\x00/usr/lib32/dri" @@ -211,34 +203,45 @@ fi $out/lib/xorg/modules/extensions/fglrx/fglrx-libglx.so for lib in \ - lib/dri/fglrx_dri.so \ - lib/fglrx_dri.so \ - lib/xorg/modules/glesx.so + dri/fglrx_dri.so \ + fglrx_dri.so \ + xorg/modules/glesx.so do oldPaths="/usr/X11R6/lib32/modules/dri/" newPaths="/run/opengl-driver-32/lib/dri" - sed -i -e "s|$oldPaths|$newPaths|" $out/$lib + sed -i -e "s|$oldPaths|$newPaths|" $out/lib/$lib done oldPaths="/usr/X11R6/lib32/modules/dri\x00" newPaths="/run/opengl-driver-32/lib/dri" sed -i -e "s|$oldPaths|$newPaths|" $out/lib/fglrx-libGL.so.1.2 fi - # libstdc++ and gcc are needed by some libs - patchelf --set-rpath $gcc/$lib_arch $out/lib/libatiadlxx.so - patchelf --set-rpath $gcc/$lib_arch $out/lib/xorg/modules/glesx.so + for pelib1 in \ + fglrx_dri.so \ + dri/fglrx_dri.so + do + patchelf --remove-needed libX11.so.6 $out/lib/$pelib1 + done + + for pelib2 in \ + libatiadlxx.so \ + xorg/modules/glesx.so \ + dri/fglrx_dri.so \ + fglrx_dri.so \ + libaticaldd.so + do + patchelf --set-rpath $gcc/$lib_arch/ $out/lib/$pelib2 + done } if test -z "$libsOnly"; then { # build samples mkdir -p $out/bin - mkdir -p samples cd samples tar xfz ../common/usr/src/ati/fglrx_sample_source.tgz - eval "$patchPhaseSamples" ( # build and install fgl_glxgears @@ -252,27 +255,42 @@ if test -z "$libsOnly"; then true || ( # build and install + ### + ## FIXME ? # doesn't build undefined reference to `FGLRX_X11SetGamma' - # wich should be contained in -lfglrx_gamma + # which should be contained in -lfglrx_gamma + # This should create $out/lib/libfglrx_gamma.so.1.0 ? because there is + # a symlink named libfglrx_gamma.so.1 linking to libfglrx_gamma.so.1.0 in $out/lib/ cd programs/fglrx_gamma gcc -fPIC -I${libXxf86vm}/include \ -I${xf86vidmodeproto}/include \ -I$out/X11R6/include \ -L$out/lib \ - -Wall -lm -lfglrx_gamma -lX11 -lXext -o fglrx_xgamma fglrx_xgamma.c + -Wall -lm -lfglrx_gamma -lX11 -lXext -o $out/bin/fglrx_xgamma fglrx_xgamma.c ) - { # copy binaries and wrap them: + { + # patch and copy statically linked qt libs used by amdcccle + patchelf --set-interpreter $(echo $glibc/lib/ld-linux*.so.2) $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 && + patchelf --set-rpath $gcc/$lib_arch/ $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 && + patchelf --set-rpath $gcc/$lib_arch/:$out/share/ati/:$libXrender/lib/:$libSM/lib/:$libICE/lib/:$libfontconfig/lib/:$libfreetype/lib/ $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtGui.so.4 && + mkdir -p $out/share/ati + cp -r $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 $out/share/ati/ + cp -r $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtGui.so.4 $out/share/ati/ + # copy binaries and wrap them: BIN=$TMP/arch/$arch/usr/X11R6/bin - cp $BIN/* $out/bin + patchelf --set-rpath $gcc/$lib_arch/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/ $TMP/arch/$arch/usr/X11R6/bin/amdcccle + patchelf --set-rpath $libXrender/lib/:$libXrandr/lib/ $TMP/arch/$arch/usr/X11R6/bin/aticonfig + patchelf --shrink-rpath $BIN/amdcccle for prog in $BIN/*; do - patchelf --set-interpreter $(echo $glibc/lib/ld-linux*.so.2) $out/bin/$(basename $prog) - wrapProgram $out/bin/$(basename $prog) --prefix LD_LIBRARY_PATH : $out/lib:$gcc/lib:$qt4/lib:$LD_LIBRARY_PATH + cp -f $prog $out/bin && + patchelf --set-interpreter $(echo $glibc/lib/ld-linux*.so.2) $out/bin/$(basename $prog) && + wrapProgram $out/bin/$(basename $prog) --prefix LD_LIBRARY_PATH : $out/lib/:$gcc/lib/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/:$libfontconfig/lib/:$libfreetype/lib/:$LD_LIBRARY_PATH done } - rm -fr $out/lib/modules/fglrx # don't think those .a files are needed. They cause failure of the mod + rm -f $out/lib/fglrx/switchlibglx && rm -f $out/lib/fglrx/switchlibGL } diff --git a/pkgs/os-specific/linux/ati-drivers/default.nix b/pkgs/os-specific/linux/ati-drivers/default.nix index c1e524e224b..78903da1f1a 100644 --- a/pkgs/os-specific/linux/ati-drivers/default.nix +++ b/pkgs/os-specific/linux/ati-drivers/default.nix @@ -1,9 +1,6 @@ -{ stdenv, fetchurl, kernel ? null, which, imake -, mesa # for fgl_glxgears -, libXxf86vm, xf86vidmodeproto # for fglrx_gamma -, xorg, makeWrapper, glibc, patchelf -, unzip -, qt4 # for amdcccle +{ stdenv, fetchurl, kernel ? null, which +, xorg, makeWrapper, glibc, patchelf, unzip +, fontconfig, freetype, mesa # for fgl_glxgears , # Whether to build the libraries only (i.e. not the kernel module or # driver utils). Used to support 32-bit binaries on 64-bit # Linux. @@ -12,6 +9,15 @@ assert (!libsOnly) -> kernel != null; +with stdenv.lib; + +let + version = "15.7"; +in + +# This derivation requires a maximum of gcc49, Linux kernel 4.1 and xorg.xserver 1.17 +# and will not build or run using versions newer + # If you want to use a different Xorg version probably # DIR_DEPENDING_ON_XORG_VERSION in builder.sh has to be adopted (?) # make sure libglx.so of ati is used. xorg.xorgserver does provide it as well @@ -20,23 +26,37 @@ assert (!libsOnly) -> kernel != null; # See http://thread.gmane.org/gmane.linux.distributions.nixos/4145 for a # workaround (TODO) -# The gentoo ebuild contains much more magic and is usually a great resource to -# find patches :) +# The gentoo ebuild contains much more "magic" and is usually a great resource to +# find patches XD # http://wiki.cchtml.com/index.php/Main_Page -# There is one issue left: +# # /usr/lib/dri/fglrx_dri.so must point to /run/opengl-driver/lib/fglrx_dri.so - -with stdenv.lib; +# This is done in the builder script. stdenv.mkDerivation { - name = "ati-drivers-15.7" + (optionalString (!libsOnly) "-${kernel.version}"); - builder = ./builder.sh; + linuxonly = + if stdenv.system == "i686-linux" then + true + else if stdenv.system == "x86_64-linux" then + true + else throw "ati-drivers are Linux only. Sorry. The build was stopped."; - inherit libXxf86vm xf86vidmodeproto; + name = "ati-drivers-${version}" + (optionalString (!libsOnly) "-${kernel.version}"); + + builder = ./builder.sh; gcc = stdenv.cc.cc; + libXinerama = xorg.libXinerama; + libXrandr = xorg.libXrandr; + libXrender = xorg.libXrender; + libXxf86vm = xorg.libXxf86vm; + xf86vidmodeproto = xorg.xf86vidmodeproto; + libSM = xorg.libSM; + libICE = xorg.libICE; + libfreetype = freetype; + libfontconfig = fontconfig; src = fetchurl { url = "http://www2.ati.com/drivers/linux/amd-driver-installer-15.20.1046-x86.x86_64.zip"; @@ -44,16 +64,19 @@ stdenv.mkDerivation { curlOpts = "--referer http://support.amd.com/en-us/download/desktop?os=Linux%20x86_64"; }; - patchPhase = "patch -p1 < ${./kernel-api-fixes.patch}"; patchPhaseSamples = "patch -p2 < ${./patch-samples.patch}"; + patchPhase1 = "patch -p1 < ${./kernel-api-fixes.patch}"; buildInputs = - [ xorg.libXext xorg.libX11 xorg.libXinerama - xorg.libXrandr which imake makeWrapper + [ xorg.libXrender xorg.libXext xorg.libX11 xorg.libXinerama xorg.libSM + xorg.libXrandr xorg.libXxf86vm xorg.xf86vidmodeproto xorg.imake xorg.libICE patchelf unzip mesa - qt4 + fontconfig + freetype + makeWrapper + which ]; inherit libsOnly; @@ -62,27 +85,40 @@ stdenv.mkDerivation { inherit glibc /* glibc only used for setting interpreter */; + # outputs TODO: probably many fixes are needed; + # this in particular would be much better by lib.makeLibraryPath LD_LIBRARY_PATH = stdenv.lib.concatStringsSep ":" - [ "${xorg.libXrandr.out}/lib" - "${xorg.libXrender.out}/lib" - "${xorg.libXext.out}/lib" - "${xorg.libX11.out}/lib" - "${xorg.libXinerama.out}/lib" + [ "${xorg.libXrandr.out}/lib/" + "${xorg.libXrender.out}/lib/" + "${xorg.libXext.out}/lib/" + "${xorg.libX11.out}/lib/" + "${xorg.libXinerama.out}/lib/" + "${xorg.libSM.out}/lib/" + "${xorg.libICE.out}/lib/" + "${stdenv.cc.cc.out}/lib/" ]; # without this some applications like blender don't start, but they start # with nvidia. This causes them to be symlinked to $out/lib so that they # appear in /run/opengl-driver/lib which get's added to LD_LIBRARY_PATH - extraDRIlibs = [ xorg.libXext ]; - inherit mesa qt4; # only required to build examples and amdcccle + extraDRIlibs = [ xorg.libXrandr xorg.libXrender xorg.libXext xorg.libX11 xorg.libXinerama xorg.libSM xorg.libICE ]; + + inherit mesa; # only required to build the examples + + enableParallelBuilding = true; meta = with stdenv.lib; { - description = "ATI drivers"; + description = "ATI Catalyst display drivers"; homepage = http://support.amd.com/us/gpudownload/Pages/index.aspx; license = licenses.unfree; maintainers = with maintainers; [ marcweber offline jgeerds ]; platforms = platforms.linux; hydraPlatforms = []; + # Copied from the nvidia default.nix to prevent a store collision. + priority = 4; }; + + + } diff --git a/pkgs/os-specific/linux/batman-adv/alfred.nix b/pkgs/os-specific/linux/batman-adv/alfred.nix index a42194d7193..72f14ff2d68 100644 --- a/pkgs/os-specific/linux/batman-adv/alfred.nix +++ b/pkgs/os-specific/linux/batman-adv/alfred.nix @@ -1,14 +1,14 @@ { stdenv, fetchurl, pkgconfig, gpsd, libcap }: let - ver = "2015.2"; + ver = "2016.0"; in stdenv.mkDerivation rec { name = "alfred-${ver}"; src = fetchurl { url = "http://downloads.open-mesh.org/batman/releases/batman-adv-${ver}/${name}.tar.gz"; - sha256 = "0cyr3bxwypddifg18yi3i5mcdam8izlq3ayrbkjir2b4vqhixs3s"; + sha256 = "1zlmcp9r1xwp6li56j5ip9x7h5gjdhh0gi6cb3f8x6ydszhynxbf"; }; nativeBuildInputs = [ pkgconfig ]; diff --git a/pkgs/os-specific/linux/batman-adv/batctl.nix b/pkgs/os-specific/linux/batman-adv/batctl.nix index 3ea4fc5f96e..c17f7beb74f 100644 --- a/pkgs/os-specific/linux/batman-adv/batctl.nix +++ b/pkgs/os-specific/linux/batman-adv/batctl.nix @@ -1,14 +1,14 @@ { stdenv, fetchurl, pkgconfig, libnl }: let - ver = "2015.2"; + ver = "2016.0"; in stdenv.mkDerivation rec { name = "batctl-${ver}"; src = fetchurl { url = "http://downloads.open-mesh.org/batman/releases/batman-adv-${ver}/${name}.tar.gz"; - sha256 = "1yv9i304bicm34mgl387c21ynv711yr2m5ycx9hjbxprkyzjlkdi"; + sha256 = "0khpw0w26j6pc1263phk086chs64p9m6a63azk62pxs1cmmbr80y"; }; nativeBuildInputs = [ pkgconfig ]; @@ -22,7 +22,7 @@ stdenv.mkDerivation rec { homepage = http://www.open-mesh.org/projects/batman-adv/wiki/Wiki; description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, control tool"; license = stdenv.lib.licenses.gpl2; - maintainers = with stdenv.lib.maintainers; [viric]; + maintainers = with stdenv.lib.maintainers; [ viric fpletz ]; platforms = with stdenv.lib.platforms; linux; }; } diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix index e50d613624d..b8bef1b5a9a 100644 --- a/pkgs/os-specific/linux/batman-adv/default.nix +++ b/pkgs/os-specific/linux/batman-adv/default.nix @@ -2,14 +2,14 @@ #assert stdenv.lib.versionOlder kernel.version "3.17"; -let base = "batman-adv-2015.2"; in +let base = "batman-adv-2016.0"; in stdenv.mkDerivation rec { name = "${base}-${kernel.version}"; src = fetchurl { url = "http://downloads.open-mesh.org/batman/releases/${base}/${base}.tar.gz"; - sha256 = "0lj8q9fnrf9n434h9wb2385z65skmq8q64svx5hbnlcj0bjhyxw6"; + sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz"; }; preBuild = '' diff --git a/pkgs/os-specific/linux/bluez/bluez5.nix b/pkgs/os-specific/linux/bluez/bluez5.nix index 96c5af74db3..20fa830e320 100644 --- a/pkgs/os-specific/linux/bluez/bluez5.nix +++ b/pkgs/os-specific/linux/bluez/bluez5.nix @@ -5,11 +5,11 @@ assert stdenv.isLinux; stdenv.mkDerivation rec { - name = "bluez-5.36"; + name = "bluez-5.37"; src = fetchurl { url = "mirror://kernel/linux/bluetooth/${name}.tar.xz"; - sha256 = "1wkqwmi5krr37mxcqqlp5m2xnw7vw70v3ww7j09vvlskxcdflhx3"; + sha256 = "c14ba9ddcb0055522073477b8fd8bf1ddf5d219e75fdfd4699b7e0ce5350d6b0"; }; pythonPath = with pythonPackages; diff --git a/pkgs/os-specific/linux/crda/default.nix b/pkgs/os-specific/linux/crda/default.nix index 488a6ce1a0f..d28ae6f5098 100644 --- a/pkgs/os-specific/linux/crda/default.nix +++ b/pkgs/os-specific/linux/crda/default.nix @@ -1,8 +1,8 @@ { stdenv, fetchurl, libgcrypt, libnl, pkgconfig, pythonPackages, wireless-regdb }: -let version = "3.18"; in -stdenv.mkDerivation { +stdenv.mkDerivation rec { name = "crda-${version}"; + version = "3.18"; src = fetchurl { sha256 = "1gydiqgb08d9gbx4l6gv98zg3pljc984m50hmn3ysxcbkxkvkz23"; @@ -36,7 +36,6 @@ stdenv.mkDerivation { checkTarget = "verify"; meta = with stdenv.lib; { - inherit version; description = "Linux wireless Central Regulatory Domain Agent"; longDescription = '' CRDA acts as the udev helper for communication between the kernel and diff --git a/pkgs/os-specific/linux/e1000e/default.nix b/pkgs/os-specific/linux/e1000e/default.nix index db5f88b935f..0b67a5382f7 100644 --- a/pkgs/os-specific/linux/e1000e/default.nix +++ b/pkgs/os-specific/linux/e1000e/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, kernel }: stdenv.mkDerivation { - name = "e1000e-2.5.4-${kernel.version}"; + name = "e1000e-3.3.1-${kernel.version}"; src = fetchurl { - url = "mirror://sourceforge/e1000/e1000e-2.5.4.tar.gz"; - sha256 = "0bmihkc7y37jzwi996ryqblnyflyhhbimbnrnmlk419vxlzg1pzi"; + url = "mirror://sourceforge/e1000/e1000e-3.3.1.tar.gz"; + sha256 = "07hg6xxqgqshnys1qs9wbl9qr7d4ixdkd1y1fj27cg6bn8s2n797"; }; configurePhase = '' diff --git a/pkgs/os-specific/linux/fatrace/default.nix b/pkgs/os-specific/linux/fatrace/default.nix index 3a2be543582..ca864091d4b 100644 --- a/pkgs/os-specific/linux/fatrace/default.nix +++ b/pkgs/os-specific/linux/fatrace/default.nix @@ -1,8 +1,8 @@ { stdenv, fetchurl, python3, which }: -let version = "0.11"; in stdenv.mkDerivation rec { name = "fatrace-${version}"; + version = "0.11"; src = fetchurl { url = "http://launchpad.net/fatrace/trunk/${version}/+download/${name}.tar.bz2"; @@ -19,7 +19,6 @@ stdenv.mkDerivation rec { makeFlags = [ "PREFIX=$(out)" ]; meta = with stdenv.lib; { - inherit version; description = "Report system-wide file access events"; homepage = https://launchpad.net/fatrace/; license = licenses.gpl3Plus; diff --git a/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix b/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix index 7afd464620d..4f09410c75e 100644 --- a/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix +++ b/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix @@ -1,9 +1,8 @@ { stdenv, fetchurl, b43FirmwareCutter }: -let version = "6.30.163.46"; in - -stdenv.mkDerivation { +stdenv.mkDerivation rec { name = "b43-firmware-${version}"; + version = "6.30.163.46"; src = fetchurl { url = "http://www.lwfinger.com/b43-firmware/broadcom-wl-${version}.tar.bz2"; diff --git a/pkgs/os-specific/linux/firmware/rt5677/default.nix b/pkgs/os-specific/linux/firmware/rt5677/default.nix new file mode 100644 index 00000000000..46716b3f490 --- /dev/null +++ b/pkgs/os-specific/linux/firmware/rt5677/default.nix @@ -0,0 +1,23 @@ +{ stdenv, fetchgit }: + +stdenv.mkDerivation { + name = "rt5677-firmware"; + + src = fetchgit { + url = "https://github.com/raphael/linux-samus"; + rev = "995de6c2093797905fbcd79f1a3625dd3f50be37"; + sha256 = "6e59f7ce24122eb9474e7863e63729de632e4c7afcb8f08534cb2102007f8381"; + }; + + + installPhase = '' + mkdir -p $out/lib/firmware + cp ./firmware/rt5677_elf_vad $out/lib/firmware + ''; + + meta = with stdenv.lib; { + description = "Firmware for Realtek rt5677 device"; + license = licenses.unfreeRedistributableFirmware; + maintainers = [ maintainers.zohl ]; + }; +} diff --git a/pkgs/os-specific/linux/freefall/default.nix b/pkgs/os-specific/linux/freefall/default.nix index e2aa079240a..590b6b61dd3 100644 --- a/pkgs/os-specific/linux/freefall/default.nix +++ b/pkgs/os-specific/linux/freefall/default.nix @@ -1,8 +1,8 @@ { stdenv, fetchurl }: -let version = "4.3"; in -stdenv.mkDerivation { +stdenv.mkDerivation rec { name = "freefall-${version}"; + version = "4.3"; src = fetchurl { sha256 = "1bpkr45i4yzp32p0vpnz8mlv9lk4q2q9awf1kg9khg4a9g42qqja"; diff --git a/pkgs/os-specific/linux/ftop/default.nix b/pkgs/os-specific/linux/ftop/default.nix index 022fc33a206..1ca7d43b6a7 100644 --- a/pkgs/os-specific/linux/ftop/default.nix +++ b/pkgs/os-specific/linux/ftop/default.nix @@ -1,8 +1,8 @@ { stdenv, fetchurl, ncurses }: -let version = "1.0"; in stdenv.mkDerivation rec { name = "ftop-${version}"; + version = "1.0"; src = fetchurl { url = "http://ftop.googlecode.com/files/${name}.tar.bz2"; @@ -22,7 +22,6 @@ stdenv.mkDerivation rec { ''; meta = with stdenv.lib; { - inherit version; description = "Show progress of open files and file systems"; homepage = https://code.google.com/p/ftop/; license = licenses.gpl3Plus; diff --git a/pkgs/os-specific/linux/jfbview/default.nix b/pkgs/os-specific/linux/jfbview/default.nix index 467fed744ed..73ce1e7780a 100644 --- a/pkgs/os-specific/linux/jfbview/default.nix +++ b/pkgs/os-specific/linux/jfbview/default.nix @@ -2,11 +2,11 @@ , mujs, mupdf, ncurses, openjpeg, openssl }: let - version = "0.5.1"; binaries = [ "jfbpdf" "jfbview" "jpdfcat" "jpdfgrep" ]; in -stdenv.mkDerivation { +stdenv.mkDerivation rec { name = "jfbview-${version}"; + version = "0.5.1"; src = fetchFromGitHub { sha256 = "113bkf49q04k9rjps5l28ychmzsfjajp9cjhr433s9ld0972z01m"; @@ -27,7 +27,6 @@ stdenv.mkDerivation { ''; meta = with stdenv.lib; { - inherit version; description = "PDF and image viewer for the Linux framebuffer"; longDescription = '' A very fast PDF and image viewer for the Linux framebuffer with some diff --git a/pkgs/os-specific/linux/kernel-headers/unifdef-getline.patch b/pkgs/os-specific/linux/kernel-headers/unifdef-getline.patch deleted file mode 100644 index 8caabfd3286..00000000000 --- a/pkgs/os-specific/linux/kernel-headers/unifdef-getline.patch +++ /dev/null @@ -1,35 +0,0 @@ -This patch fixes a trivial compilation error with glibc 2.11. -From http://patchwork.kernel.org/patch/11166/ . - -diff --git a/scripts/unifdef.c b/scripts/unifdef.c -index 552025e..977e682 100644 ---- a/scripts/unifdef.c -+++ b/scripts/unifdef.c -@@ -206,7 +206,7 @@ static void done(void); - static void error(const char *); - static int findsym(const char *); - static void flushline(bool); --static Linetype getline(void); -+static Linetype parseline(void); - static Linetype ifeval(const char **); - static void ignoreoff(void); - static void ignoreon(void); -@@ -512,7 +512,7 @@ process(void) - - for (;;) { - linenum++; -- lineval = getline(); -+ lineval = parseline(); - trans_table[ifstate[depth]][lineval](); - debug("process %s -> %s depth %d", - linetype_name[lineval], -@@ -526,7 +526,7 @@ process(void) - * help from skipcomment(). - */ - static Linetype --getline(void) -+parseline(void) - { - const char *cp; - int cursym; - diff --git a/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch b/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch deleted file mode 100644 index b411f43298c..00000000000 --- a/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch +++ /dev/null @@ -1,553 +0,0 @@ -From 125fccb600288968aa3395883c0a394c47176fcd Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Wed, 10 Aug 2011 22:02:39 -0700 -Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll - -Add compatibility for v5 network rules. - -Signed-off-by: John Johansen <john.johansen@canonical.com> ---- - include/linux/lsm_audit.h | 4 + - security/apparmor/Makefile | 19 +++- - security/apparmor/include/net.h | 40 +++++++++ - security/apparmor/include/policy.h | 3 + - security/apparmor/lsm.c | 112 ++++++++++++++++++++++++ - security/apparmor/net.c | 170 ++++++++++++++++++++++++++++++++++++ - security/apparmor/policy.c | 1 + - security/apparmor/policy_unpack.c | 48 +++++++++- - 8 files changed, 394 insertions(+), 3 deletions(-) - create mode 100644 security/apparmor/include/net.h - create mode 100644 security/apparmor/net.c - -diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h -index 88e78de..c63979a 100644 ---- a/include/linux/lsm_audit.h -+++ b/include/linux/lsm_audit.h -@@ -124,6 +124,10 @@ struct common_audit_data { - u32 denied; - uid_t ouid; - } fs; -+ struct { -+ int type, protocol; -+ struct sock *sk; -+ } net; - }; - } apparmor_audit_data; - #endif -diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile -index 2dafe50..7cefef9 100644 ---- a/security/apparmor/Makefile -+++ b/security/apparmor/Makefile -@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o - - apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ - path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ -- resource.o sid.o file.o -+ resource.o sid.o file.o net.o - --clean-files := capability_names.h rlim_names.h -+clean-files := capability_names.h rlim_names.h af_names.h - - - # Build a lower case string table of capability names -@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\ - sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\ - echo "};" >> $@ - -+# Build a lower case string table of address family names. -+# Transform lines from -+# #define AF_INET 2 /* Internet IP Protocol */ -+# to -+# [2] = "inet", -+quiet_cmd_make-af = GEN $@ -+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\ -+ sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \ -+ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\ -+ echo "};" >> $@ -+ -+ - $(obj)/capability.o : $(obj)/capability_names.h - $(obj)/resource.o : $(obj)/rlim_names.h -+$(obj)/net.o : $(obj)/af_names.h - $(obj)/capability_names.h : $(srctree)/include/linux/capability.h - $(call cmd,make-caps) - $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h - $(call cmd,make-rlim) -+$(obj)/af_names.h : $(srctree)/include/linux/socket.h -+ $(call cmd,make-af) -\ No newline at end of file -diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h -new file mode 100644 -index 0000000..3c7d599 ---- /dev/null -+++ b/security/apparmor/include/net.h -@@ -0,0 +1,40 @@ -+/* -+ * AppArmor security module -+ * -+ * This file contains AppArmor network mediation definitions. -+ * -+ * Copyright (C) 1998-2008 Novell/SUSE -+ * Copyright 2009-2010 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation, version 2 of the -+ * License. -+ */ -+ -+#ifndef __AA_NET_H -+#define __AA_NET_H -+ -+#include <net/sock.h> -+ -+/* struct aa_net - network confinement data -+ * @allowed: basic network families permissions -+ * @audit_network: which network permissions to force audit -+ * @quiet_network: which network permissions to quiet rejects -+ */ -+struct aa_net { -+ u16 allow[AF_MAX]; -+ u16 audit[AF_MAX]; -+ u16 quiet[AF_MAX]; -+}; -+ -+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family, -+ int type, int protocol, struct sock *sk); -+extern int aa_revalidate_sk(int op, struct sock *sk); -+ -+static inline void aa_free_net_rules(struct aa_net *new) -+{ -+ /* NOP */ -+} -+ -+#endif /* __AA_NET_H */ -diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h -index aeda5cf..6776929 100644 ---- a/security/apparmor/include/policy.h -+++ b/security/apparmor/include/policy.h -@@ -27,6 +27,7 @@ - #include "capability.h" - #include "domain.h" - #include "file.h" -+#include "net.h" - #include "resource.h" - - extern const char *profile_mode_names[]; -@@ -145,6 +146,7 @@ struct aa_namespace { - * @size: the memory consumed by this profiles rules - * @file: The set of rules governing basic file access and domain transitions - * @caps: capabilities for the profile -+ * @net: network controls for the profile - * @rlimits: rlimits for the profile - * - * The AppArmor profile contains the basic confinement data. Each profile -@@ -181,6 +183,7 @@ struct aa_profile { - - struct aa_file_rules file; - struct aa_caps caps; -+ struct aa_net net; - struct aa_rlimit rlimits; - }; - -diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c -index 3783202..7459547 100644 ---- a/security/apparmor/lsm.c -+++ b/security/apparmor/lsm.c -@@ -32,6 +32,7 @@ - #include "include/context.h" - #include "include/file.h" - #include "include/ipc.h" -+#include "include/net.h" - #include "include/path.h" - #include "include/policy.h" - #include "include/procattr.h" -@@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct *task, - return error; - } - -+static int apparmor_socket_create(int family, int type, int protocol, int kern) -+{ -+ struct aa_profile *profile; -+ int error = 0; -+ -+ if (kern) -+ return 0; -+ -+ profile = __aa_current_profile(); -+ if (!unconfined(profile)) -+ error = aa_net_perm(OP_CREATE, profile, family, type, protocol, -+ NULL); -+ return error; -+} -+ -+static int apparmor_socket_bind(struct socket *sock, -+ struct sockaddr *address, int addrlen) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_BIND, sk); -+} -+ -+static int apparmor_socket_connect(struct socket *sock, -+ struct sockaddr *address, int addrlen) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_CONNECT, sk); -+} -+ -+static int apparmor_socket_listen(struct socket *sock, int backlog) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_LISTEN, sk); -+} -+ -+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_ACCEPT, sk); -+} -+ -+static int apparmor_socket_sendmsg(struct socket *sock, -+ struct msghdr *msg, int size) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_SENDMSG, sk); -+} -+ -+static int apparmor_socket_recvmsg(struct socket *sock, -+ struct msghdr *msg, int size, int flags) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_RECVMSG, sk); -+} -+ -+static int apparmor_socket_getsockname(struct socket *sock) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_GETSOCKNAME, sk); -+} -+ -+static int apparmor_socket_getpeername(struct socket *sock) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_GETPEERNAME, sk); -+} -+ -+static int apparmor_socket_getsockopt(struct socket *sock, int level, -+ int optname) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_GETSOCKOPT, sk); -+} -+ -+static int apparmor_socket_setsockopt(struct socket *sock, int level, -+ int optname) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_SETSOCKOPT, sk); -+} -+ -+static int apparmor_socket_shutdown(struct socket *sock, int how) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk); -+} -+ - static struct security_operations apparmor_ops = { - .name = "apparmor", - -@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = { - .getprocattr = apparmor_getprocattr, - .setprocattr = apparmor_setprocattr, - -+ .socket_create = apparmor_socket_create, -+ .socket_bind = apparmor_socket_bind, -+ .socket_connect = apparmor_socket_connect, -+ .socket_listen = apparmor_socket_listen, -+ .socket_accept = apparmor_socket_accept, -+ .socket_sendmsg = apparmor_socket_sendmsg, -+ .socket_recvmsg = apparmor_socket_recvmsg, -+ .socket_getsockname = apparmor_socket_getsockname, -+ .socket_getpeername = apparmor_socket_getpeername, -+ .socket_getsockopt = apparmor_socket_getsockopt, -+ .socket_setsockopt = apparmor_socket_setsockopt, -+ .socket_shutdown = apparmor_socket_shutdown, -+ - .cred_alloc_blank = apparmor_cred_alloc_blank, - .cred_free = apparmor_cred_free, - .cred_prepare = apparmor_cred_prepare, -diff --git a/security/apparmor/net.c b/security/apparmor/net.c -new file mode 100644 -index 0000000..1765901 ---- /dev/null -+++ b/security/apparmor/net.c -@@ -0,0 +1,170 @@ -+/* -+ * AppArmor security module -+ * -+ * This file contains AppArmor network mediation -+ * -+ * Copyright (C) 1998-2008 Novell/SUSE -+ * Copyright 2009-2010 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation, version 2 of the -+ * License. -+ */ -+ -+#include "include/apparmor.h" -+#include "include/audit.h" -+#include "include/context.h" -+#include "include/net.h" -+#include "include/policy.h" -+ -+#include "af_names.h" -+ -+static const char *sock_type_names[] = { -+ "unknown(0)", -+ "stream", -+ "dgram", -+ "raw", -+ "rdm", -+ "seqpacket", -+ "dccp", -+ "unknown(7)", -+ "unknown(8)", -+ "unknown(9)", -+ "packet", -+}; -+ -+/* audit callback for net specific fields */ -+static void audit_cb(struct audit_buffer *ab, void *va) -+{ -+ struct common_audit_data *sa = va; -+ -+ audit_log_format(ab, " family="); -+ if (address_family_names[sa->u.net.family]) { -+ audit_log_string(ab, address_family_names[sa->u.net.family]); -+ } else { -+ audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family); -+ } -+ -+ audit_log_format(ab, " sock_type="); -+ if (sock_type_names[sa->aad.net.type]) { -+ audit_log_string(ab, sock_type_names[sa->aad.net.type]); -+ } else { -+ audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type); -+ } -+ -+ audit_log_format(ab, " protocol=%d", sa->aad.net.protocol); -+} -+ -+/** -+ * audit_net - audit network access -+ * @profile: profile being enforced (NOT NULL) -+ * @op: operation being checked -+ * @family: network family -+ * @type: network type -+ * @protocol: network protocol -+ * @sk: socket auditing is being applied to -+ * @error: error code for failure else 0 -+ * -+ * Returns: %0 or sa->error else other errorcode on failure -+ */ -+static int audit_net(struct aa_profile *profile, int op, u16 family, int type, -+ int protocol, struct sock *sk, int error) -+{ -+ int audit_type = AUDIT_APPARMOR_AUTO; -+ struct common_audit_data sa; -+ if (sk) { -+ COMMON_AUDIT_DATA_INIT(&sa, NET); -+ } else { -+ COMMON_AUDIT_DATA_INIT(&sa, NONE); -+ } -+ /* todo fill in socket addr info */ -+ -+ sa.aad.op = op, -+ sa.u.net.family = family; -+ sa.u.net.sk = sk; -+ sa.aad.net.type = type; -+ sa.aad.net.protocol = protocol; -+ sa.aad.error = error; -+ -+ if (likely(!sa.aad.error)) { -+ u16 audit_mask = profile->net.audit[sa.u.net.family]; -+ if (likely((AUDIT_MODE(profile) != AUDIT_ALL) && -+ !(1 << sa.aad.net.type & audit_mask))) -+ return 0; -+ audit_type = AUDIT_APPARMOR_AUDIT; -+ } else { -+ u16 quiet_mask = profile->net.quiet[sa.u.net.family]; -+ u16 kill_mask = 0; -+ u16 denied = (1 << sa.aad.net.type) & ~quiet_mask; -+ -+ if (denied & kill_mask) -+ audit_type = AUDIT_APPARMOR_KILL; -+ -+ if ((denied & quiet_mask) && -+ AUDIT_MODE(profile) != AUDIT_NOQUIET && -+ AUDIT_MODE(profile) != AUDIT_ALL) -+ return COMPLAIN_MODE(profile) ? 0 : sa.aad.error; -+ } -+ -+ return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb); -+} -+ -+/** -+ * aa_net_perm - very course network access check -+ * @op: operation being checked -+ * @profile: profile being enforced (NOT NULL) -+ * @family: network family -+ * @type: network type -+ * @protocol: network protocol -+ * -+ * Returns: %0 else error if permission denied -+ */ -+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type, -+ int protocol, struct sock *sk) -+{ -+ u16 family_mask; -+ int error; -+ -+ if ((family < 0) || (family >= AF_MAX)) -+ return -EINVAL; -+ -+ if ((type < 0) || (type >= SOCK_MAX)) -+ return -EINVAL; -+ -+ /* unix domain and netlink sockets are handled by ipc */ -+ if (family == AF_UNIX || family == AF_NETLINK) -+ return 0; -+ -+ family_mask = profile->net.allow[family]; -+ -+ error = (family_mask & (1 << type)) ? 0 : -EACCES; -+ -+ return audit_net(profile, op, family, type, protocol, sk, error); -+} -+ -+/** -+ * aa_revalidate_sk - Revalidate access to a sock -+ * @op: operation being checked -+ * @sk: sock being revalidated (NOT NULL) -+ * -+ * Returns: %0 else error if permission denied -+ */ -+int aa_revalidate_sk(int op, struct sock *sk) -+{ -+ struct aa_profile *profile; -+ int error = 0; -+ -+ /* aa_revalidate_sk should not be called from interrupt context -+ * don't mediate these calls as they are not task related -+ */ -+ if (in_interrupt()) -+ return 0; -+ -+ profile = __aa_current_profile(); -+ if (!unconfined(profile)) -+ error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type, -+ sk->sk_protocol, sk); -+ -+ return error; -+} -diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c -index 4f0eade..4d5ce13 100644 ---- a/security/apparmor/policy.c -+++ b/security/apparmor/policy.c -@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile) - - aa_free_file_rules(&profile->file); - aa_free_cap_rules(&profile->caps); -+ aa_free_net_rules(&profile->net); - aa_free_rlimit_rules(&profile->rlimits); - - aa_free_sid(profile->sid); -diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index 741dd13..ee8043e 100644 ---- a/security/apparmor/policy_unpack.c -+++ b/security/apparmor/policy_unpack.c -@@ -190,6 +190,19 @@ fail: - return 0; - } - -+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name) -+{ -+ if (unpack_nameX(e, AA_U16, name)) { -+ if (!inbounds(e, sizeof(u16))) -+ return 0; -+ if (data) -+ *data = le16_to_cpu(get_unaligned((u16 *) e->pos)); -+ e->pos += sizeof(u16); -+ return 1; -+ } -+ return 0; -+} -+ - static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) - { - if (unpack_nameX(e, AA_U32, name)) { -@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e) - { - struct aa_profile *profile = NULL; - const char *name = NULL; -- int error = -EPROTO; -+ size_t size = 0; -+ int i, error = -EPROTO; - kernel_cap_t tmpcap; - u32 tmp; - -@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e) - if (!unpack_rlimits(e, profile)) - goto fail; - -+ size = unpack_array(e, "net_allowed_af"); -+ if (size) { -+ -+ for (i = 0; i < size; i++) { -+ /* discard extraneous rules that this kernel will -+ * never request -+ */ -+ if (i >= AF_MAX) { -+ u16 tmp; -+ if (!unpack_u16(e, &tmp, NULL) || -+ !unpack_u16(e, &tmp, NULL) || -+ !unpack_u16(e, &tmp, NULL)) -+ goto fail; -+ continue; -+ } -+ if (!unpack_u16(e, &profile->net.allow[i], NULL)) -+ goto fail; -+ if (!unpack_u16(e, &profile->net.audit[i], NULL)) -+ goto fail; -+ if (!unpack_u16(e, &profile->net.quiet[i], NULL)) -+ goto fail; -+ } -+ if (!unpack_nameX(e, AA_ARRAYEND, NULL)) -+ goto fail; -+ /* -+ * allow unix domain and netlink sockets they are handled -+ * by IPC -+ */ -+ } -+ profile->net.allow[AF_UNIX] = 0xffff; -+ profile->net.allow[AF_NETLINK] = 0xffff; -+ - /* get file rules */ - profile->file.dfa = unpack_dfa(e); - if (IS_ERR(profile->file.dfa)) { --- -1.7.9.5 - diff --git a/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0002-AppArmor-compatibility-patch-for-v5-interface.patch b/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0002-AppArmor-compatibility-patch-for-v5-interface.patch deleted file mode 100644 index aa4b6b1109f..00000000000 --- a/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0002-AppArmor-compatibility-patch-for-v5-interface.patch +++ /dev/null @@ -1,391 +0,0 @@ -From 004192fb5223c7b81a949e36a080a5da56132826 Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Wed, 10 Aug 2011 22:02:40 -0700 -Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface - -Signed-off-by: John Johansen <john.johansen@canonical.com> ---- - security/apparmor/Kconfig | 9 + - security/apparmor/Makefile | 1 + - security/apparmor/apparmorfs-24.c | 287 ++++++++++++++++++++++++++++++++ - security/apparmor/apparmorfs.c | 18 +- - security/apparmor/include/apparmorfs.h | 6 + - 5 files changed, 319 insertions(+), 2 deletions(-) - create mode 100644 security/apparmor/apparmorfs-24.c - -diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig -index 9b9013b..51ebf96 100644 ---- a/security/apparmor/Kconfig -+++ b/security/apparmor/Kconfig -@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE - boot. - - If you are unsure how to answer this question, answer 1. -+ -+config SECURITY_APPARMOR_COMPAT_24 -+ bool "Enable AppArmor 2.4 compatability" -+ depends on SECURITY_APPARMOR -+ default y -+ help -+ This option enables compatability with AppArmor 2.4. It is -+ recommended if compatability with older versions of AppArmor -+ is desired. -diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile -index 7cefef9..0bb604b 100644 ---- a/security/apparmor/Makefile -+++ b/security/apparmor/Makefile -@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o - apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ - path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ - resource.o sid.o file.o net.o -+apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o - - clean-files := capability_names.h rlim_names.h af_names.h - -diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c -new file mode 100644 -index 0000000..dc8c744 ---- /dev/null -+++ b/security/apparmor/apparmorfs-24.c -@@ -0,0 +1,287 @@ -+/* -+ * AppArmor security module -+ * -+ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions -+ * -+ * Copyright (C) 1998-2008 Novell/SUSE -+ * Copyright 2009-2010 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation, version 2 of the -+ * License. -+ * -+ * -+ * This file contain functions providing an interface for <= AppArmor 2.4 -+ * compatibility. It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24 -+ * being set (see Makefile). -+ */ -+ -+#include <linux/security.h> -+#include <linux/vmalloc.h> -+#include <linux/module.h> -+#include <linux/seq_file.h> -+#include <linux/uaccess.h> -+#include <linux/namei.h> -+ -+#include "include/apparmor.h" -+#include "include/audit.h" -+#include "include/context.h" -+#include "include/policy.h" -+ -+ -+/* apparmor/matching */ -+static ssize_t aa_matching_read(struct file *file, char __user *buf, -+ size_t size, loff_t *ppos) -+{ -+ const char matching[] = "pattern=aadfa audit perms=crwxamlk/ " -+ "user::other"; -+ -+ return simple_read_from_buffer(buf, size, ppos, matching, -+ sizeof(matching) - 1); -+} -+ -+const struct file_operations aa_fs_matching_fops = { -+ .read = aa_matching_read, -+}; -+ -+/* apparmor/features */ -+static ssize_t aa_features_read(struct file *file, char __user *buf, -+ size_t size, loff_t *ppos) -+{ -+ const char features[] = "file=3.1 capability=2.0 network=1.0 " -+ "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1"; -+ -+ return simple_read_from_buffer(buf, size, ppos, features, -+ sizeof(features) - 1); -+} -+ -+const struct file_operations aa_fs_features_fops = { -+ .read = aa_features_read, -+}; -+ -+/** -+ * __next_namespace - find the next namespace to list -+ * @root: root namespace to stop search at (NOT NULL) -+ * @ns: current ns position (NOT NULL) -+ * -+ * Find the next namespace from @ns under @root and handle all locking needed -+ * while switching current namespace. -+ * -+ * Returns: next namespace or NULL if at last namespace under @root -+ * NOTE: will not unlock root->lock -+ */ -+static struct aa_namespace *__next_namespace(struct aa_namespace *root, -+ struct aa_namespace *ns) -+{ -+ struct aa_namespace *parent; -+ -+ /* is next namespace a child */ -+ if (!list_empty(&ns->sub_ns)) { -+ struct aa_namespace *next; -+ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); -+ read_lock(&next->lock); -+ return next; -+ } -+ -+ /* check if the next ns is a sibling, parent, gp, .. */ -+ parent = ns->parent; -+ while (parent) { -+ read_unlock(&ns->lock); -+ list_for_each_entry_continue(ns, &parent->sub_ns, base.list) { -+ read_lock(&ns->lock); -+ return ns; -+ } -+ if (parent == root) -+ return NULL; -+ ns = parent; -+ parent = parent->parent; -+ } -+ -+ return NULL; -+} -+ -+/** -+ * __first_profile - find the first profile in a namespace -+ * @root: namespace that is root of profiles being displayed (NOT NULL) -+ * @ns: namespace to start in (NOT NULL) -+ * -+ * Returns: unrefcounted profile or NULL if no profile -+ */ -+static struct aa_profile *__first_profile(struct aa_namespace *root, -+ struct aa_namespace *ns) -+{ -+ for ( ; ns; ns = __next_namespace(root, ns)) { -+ if (!list_empty(&ns->base.profiles)) -+ return list_first_entry(&ns->base.profiles, -+ struct aa_profile, base.list); -+ } -+ return NULL; -+} -+ -+/** -+ * __next_profile - step to the next profile in a profile tree -+ * @profile: current profile in tree (NOT NULL) -+ * -+ * Perform a depth first taversal on the profile tree in a namespace -+ * -+ * Returns: next profile or NULL if done -+ * Requires: profile->ns.lock to be held -+ */ -+static struct aa_profile *__next_profile(struct aa_profile *p) -+{ -+ struct aa_profile *parent; -+ struct aa_namespace *ns = p->ns; -+ -+ /* is next profile a child */ -+ if (!list_empty(&p->base.profiles)) -+ return list_first_entry(&p->base.profiles, typeof(*p), -+ base.list); -+ -+ /* is next profile a sibling, parent sibling, gp, subling, .. */ -+ parent = p->parent; -+ while (parent) { -+ list_for_each_entry_continue(p, &parent->base.profiles, -+ base.list) -+ return p; -+ p = parent; -+ parent = parent->parent; -+ } -+ -+ /* is next another profile in the namespace */ -+ list_for_each_entry_continue(p, &ns->base.profiles, base.list) -+ return p; -+ -+ return NULL; -+} -+ -+/** -+ * next_profile - step to the next profile in where ever it may be -+ * @root: root namespace (NOT NULL) -+ * @profile: current profile (NOT NULL) -+ * -+ * Returns: next profile or NULL if there isn't one -+ */ -+static struct aa_profile *next_profile(struct aa_namespace *root, -+ struct aa_profile *profile) -+{ -+ struct aa_profile *next = __next_profile(profile); -+ if (next) -+ return next; -+ -+ /* finished all profiles in namespace move to next namespace */ -+ return __first_profile(root, __next_namespace(root, profile->ns)); -+} -+ -+/** -+ * p_start - start a depth first traversal of profile tree -+ * @f: seq_file to fill -+ * @pos: current position -+ * -+ * Returns: first profile under current namespace or NULL if none found -+ * -+ * acquires first ns->lock -+ */ -+static void *p_start(struct seq_file *f, loff_t *pos) -+ __acquires(root->lock) -+{ -+ struct aa_profile *profile = NULL; -+ struct aa_namespace *root = aa_current_profile()->ns; -+ loff_t l = *pos; -+ f->private = aa_get_namespace(root); -+ -+ -+ /* find the first profile */ -+ read_lock(&root->lock); -+ profile = __first_profile(root, root); -+ -+ /* skip to position */ -+ for (; profile && l > 0; l--) -+ profile = next_profile(root, profile); -+ -+ return profile; -+} -+ -+/** -+ * p_next - read the next profile entry -+ * @f: seq_file to fill -+ * @p: profile previously returned -+ * @pos: current position -+ * -+ * Returns: next profile after @p or NULL if none -+ * -+ * may acquire/release locks in namespace tree as necessary -+ */ -+static void *p_next(struct seq_file *f, void *p, loff_t *pos) -+{ -+ struct aa_profile *profile = p; -+ struct aa_namespace *root = f->private; -+ (*pos)++; -+ -+ return next_profile(root, profile); -+} -+ -+/** -+ * p_stop - stop depth first traversal -+ * @f: seq_file we are filling -+ * @p: the last profile writen -+ * -+ * Release all locking done by p_start/p_next on namespace tree -+ */ -+static void p_stop(struct seq_file *f, void *p) -+ __releases(root->lock) -+{ -+ struct aa_profile *profile = p; -+ struct aa_namespace *root = f->private, *ns; -+ -+ if (profile) { -+ for (ns = profile->ns; ns && ns != root; ns = ns->parent) -+ read_unlock(&ns->lock); -+ } -+ read_unlock(&root->lock); -+ aa_put_namespace(root); -+} -+ -+/** -+ * seq_show_profile - show a profile entry -+ * @f: seq_file to file -+ * @p: current position (profile) (NOT NULL) -+ * -+ * Returns: error on failure -+ */ -+static int seq_show_profile(struct seq_file *f, void *p) -+{ -+ struct aa_profile *profile = (struct aa_profile *)p; -+ struct aa_namespace *root = f->private; -+ -+ if (profile->ns != root) -+ seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); -+ seq_printf(f, "%s (%s)\n", profile->base.hname, -+ COMPLAIN_MODE(profile) ? "complain" : "enforce"); -+ -+ return 0; -+} -+ -+static const struct seq_operations aa_fs_profiles_op = { -+ .start = p_start, -+ .next = p_next, -+ .stop = p_stop, -+ .show = seq_show_profile, -+}; -+ -+static int profiles_open(struct inode *inode, struct file *file) -+{ -+ return seq_open(file, &aa_fs_profiles_op); -+} -+ -+static int profiles_release(struct inode *inode, struct file *file) -+{ -+ return seq_release(inode, file); -+} -+ -+const struct file_operations aa_fs_profiles_fops = { -+ .open = profiles_open, -+ .read = seq_read, -+ .llseek = seq_lseek, -+ .release = profiles_release, -+}; -diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 69ddb47..867995c 100644 ---- a/security/apparmor/apparmorfs.c -+++ b/security/apparmor/apparmorfs.c -@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void) - aafs_remove(".remove"); - aafs_remove(".replace"); - aafs_remove(".load"); -- -+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24 -+ aafs_remove("profiles"); -+ aafs_remove("matching"); -+ aafs_remove("features"); -+#endif - securityfs_remove(aa_fs_dentry); - aa_fs_dentry = NULL; - } -@@ -218,7 +222,17 @@ static int __init aa_create_aafs(void) - aa_fs_dentry = NULL; - goto error; - } -- -+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24 -+ error = aafs_create("matching", 0444, &aa_fs_matching_fops); -+ if (error) -+ goto error; -+ error = aafs_create("features", 0444, &aa_fs_features_fops); -+ if (error) -+ goto error; -+#endif -+ error = aafs_create("profiles", 0440, &aa_fs_profiles_fops); -+ if (error) -+ goto error; - error = aafs_create(".load", 0640, &aa_fs_profile_load); - if (error) - goto error; -diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h -index cb1e93a..14f955c 100644 ---- a/security/apparmor/include/apparmorfs.h -+++ b/security/apparmor/include/apparmorfs.h -@@ -17,4 +17,10 @@ - - extern void __init aa_destroy_aafs(void); - -+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24 -+extern const struct file_operations aa_fs_matching_fops; -+extern const struct file_operations aa_fs_features_fops; -+extern const struct file_operations aa_fs_profiles_fops; -+#endif -+ - #endif /* __AA_APPARMORFS_H */ --- -1.7.9.5 - diff --git a/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch b/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch deleted file mode 100644 index 7dd55781fda..00000000000 --- a/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch +++ /dev/null @@ -1,69 +0,0 @@ -From e5d90918aa31f948ecec2f3c088567dbab30c90b Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Wed, 10 Aug 2011 22:02:41 -0700 -Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken - userspace - -The apparmor_parser when compiling policy could generate invalid dfas -that did not have sufficient padding to avoid invalid references, when -used by the kernel. The kernels check to verify the next/check table -size was broken meaning invalid dfas were being created by userspace -and not caught. - -To remain compatible with old tools that are not fixed, pad the loaded -dfas next/check table. The dfa's themselves are valid except for the -high padding for potentially invalid transitions (high bounds error), -which have a maximimum is 256 entries. So just allocate an extra null filled -256 entries for the next/check tables. This will guarentee all bounds -are good and invalid transitions go to the null (0) state. - -Signed-off-by: John Johansen <john.johansen@canonical.com> ---- - security/apparmor/match.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/security/apparmor/match.c b/security/apparmor/match.c -index 94de6b4..081491e 100644 ---- a/security/apparmor/match.c -+++ b/security/apparmor/match.c -@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize) - if (bsize < tsize) - goto out; - -+ /* Pad table allocation for next/check by 256 entries to remain -+ * backwards compatible with old (buggy) tools and remain safe without -+ * run time checks -+ */ -+ if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK) -+ tsize += 256 * th.td_flags; -+ - table = kvmalloc(tsize); - if (table) { -+ /* ensure the pad is clear, else there will be errors */ -+ memset(table, 0, tsize); - *table = th; - if (th.td_flags == YYTD_DATA8) - UNPACK_ARRAY(table->td_data, blob, th.td_lolen, -@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags) - goto out; - - if (flags & DFA_FLAG_VERIFY_STATES) { -+ int warning = 0; - for (i = 0; i < state_count; i++) { - if (DEFAULT_TABLE(dfa)[i] >= state_count) - goto out; - /* TODO: do check that DEF state recursion terminates */ - if (BASE_TABLE(dfa)[i] + 255 >= trans_count) { -+ if (warning) -+ continue; -+ printk(KERN_WARNING "AppArmor DFA next/check " -+ "upper bounds error fixed, upgrade " -+ "user space tools \n"); -+ warning = 1; -+ } else if (BASE_TABLE(dfa)[i] >= trans_count) { - printk(KERN_ERR "AppArmor DFA next/check upper " - "bounds error\n"); - goto out; --- -1.7.9.5 - diff --git a/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch b/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch deleted file mode 100644 index 88a50ca780a..00000000000 --- a/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch +++ /dev/null @@ -1,264 +0,0 @@ -From 8de755e4dfdbc40bfcaca848ae6b5aeaf0ede0e8 Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Thu, 22 Jul 2010 02:32:02 -0700 -Subject: [PATCH 1/3] UBUNTU: SAUCE: AppArmor: Add profile introspection file - to interface - -Add the dynamic profiles file to the interace, to allow load policy -introspection. - -Signed-off-by: John Johansen <john.johansen@canonical.com> -Acked-by: Kees Cook <kees@ubuntu.com> -Signed-off-by: Tim Gardner <tim.gardner@canonical.com> ---- - security/apparmor/apparmorfs.c | 227 ++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 227 insertions(+) - -diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 16c15ec..89bdc62 100644 ---- a/security/apparmor/apparmorfs.c -+++ b/security/apparmor/apparmorfs.c -@@ -182,6 +182,232 @@ const struct file_operations aa_fs_seq_file_ops = { - .release = single_release, - }; - -+/** -+ * __next_namespace - find the next namespace to list -+ * @root: root namespace to stop search at (NOT NULL) -+ * @ns: current ns position (NOT NULL) -+ * -+ * Find the next namespace from @ns under @root and handle all locking needed -+ * while switching current namespace. -+ * -+ * Returns: next namespace or NULL if at last namespace under @root -+ * NOTE: will not unlock root->lock -+ */ -+static struct aa_namespace *__next_namespace(struct aa_namespace *root, -+ struct aa_namespace *ns) -+{ -+ struct aa_namespace *parent; -+ -+ /* is next namespace a child */ -+ if (!list_empty(&ns->sub_ns)) { -+ struct aa_namespace *next; -+ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); -+ read_lock(&next->lock); -+ return next; -+ } -+ -+ /* check if the next ns is a sibling, parent, gp, .. */ -+ parent = ns->parent; -+ while (parent) { -+ read_unlock(&ns->lock); -+ list_for_each_entry_continue(ns, &parent->sub_ns, base.list) { -+ read_lock(&ns->lock); -+ return ns; -+ } -+ if (parent == root) -+ return NULL; -+ ns = parent; -+ parent = parent->parent; -+ } -+ -+ return NULL; -+} -+ -+/** -+ * __first_profile - find the first profile in a namespace -+ * @root: namespace that is root of profiles being displayed (NOT NULL) -+ * @ns: namespace to start in (NOT NULL) -+ * -+ * Returns: unrefcounted profile or NULL if no profile -+ */ -+static struct aa_profile *__first_profile(struct aa_namespace *root, -+ struct aa_namespace *ns) -+{ -+ for ( ; ns; ns = __next_namespace(root, ns)) { -+ if (!list_empty(&ns->base.profiles)) -+ return list_first_entry(&ns->base.profiles, -+ struct aa_profile, base.list); -+ } -+ return NULL; -+} -+ -+/** -+ * __next_profile - step to the next profile in a profile tree -+ * @profile: current profile in tree (NOT NULL) -+ * -+ * Perform a depth first taversal on the profile tree in a namespace -+ * -+ * Returns: next profile or NULL if done -+ * Requires: profile->ns.lock to be held -+ */ -+static struct aa_profile *__next_profile(struct aa_profile *p) -+{ -+ struct aa_profile *parent; -+ struct aa_namespace *ns = p->ns; -+ -+ /* is next profile a child */ -+ if (!list_empty(&p->base.profiles)) -+ return list_first_entry(&p->base.profiles, typeof(*p), -+ base.list); -+ -+ /* is next profile a sibling, parent sibling, gp, subling, .. */ -+ parent = p->parent; -+ while (parent) { -+ list_for_each_entry_continue(p, &parent->base.profiles, -+ base.list) -+ return p; -+ p = parent; -+ parent = parent->parent; -+ } -+ -+ /* is next another profile in the namespace */ -+ list_for_each_entry_continue(p, &ns->base.profiles, base.list) -+ return p; -+ -+ return NULL; -+} -+ -+/** -+ * next_profile - step to the next profile in where ever it may be -+ * @root: root namespace (NOT NULL) -+ * @profile: current profile (NOT NULL) -+ * -+ * Returns: next profile or NULL if there isn't one -+ */ -+static struct aa_profile *next_profile(struct aa_namespace *root, -+ struct aa_profile *profile) -+{ -+ struct aa_profile *next = __next_profile(profile); -+ if (next) -+ return next; -+ -+ /* finished all profiles in namespace move to next namespace */ -+ return __first_profile(root, __next_namespace(root, profile->ns)); -+} -+ -+/** -+ * p_start - start a depth first traversal of profile tree -+ * @f: seq_file to fill -+ * @pos: current position -+ * -+ * Returns: first profile under current namespace or NULL if none found -+ * -+ * acquires first ns->lock -+ */ -+static void *p_start(struct seq_file *f, loff_t *pos) -+ __acquires(root->lock) -+{ -+ struct aa_profile *profile = NULL; -+ struct aa_namespace *root = aa_current_profile()->ns; -+ loff_t l = *pos; -+ f->private = aa_get_namespace(root); -+ -+ -+ /* find the first profile */ -+ read_lock(&root->lock); -+ profile = __first_profile(root, root); -+ -+ /* skip to position */ -+ for (; profile && l > 0; l--) -+ profile = next_profile(root, profile); -+ -+ return profile; -+} -+ -+/** -+ * p_next - read the next profile entry -+ * @f: seq_file to fill -+ * @p: profile previously returned -+ * @pos: current position -+ * -+ * Returns: next profile after @p or NULL if none -+ * -+ * may acquire/release locks in namespace tree as necessary -+ */ -+static void *p_next(struct seq_file *f, void *p, loff_t *pos) -+{ -+ struct aa_profile *profile = p; -+ struct aa_namespace *root = f->private; -+ (*pos)++; -+ -+ return next_profile(root, profile); -+} -+ -+/** -+ * p_stop - stop depth first traversal -+ * @f: seq_file we are filling -+ * @p: the last profile writen -+ * -+ * Release all locking done by p_start/p_next on namespace tree -+ */ -+static void p_stop(struct seq_file *f, void *p) -+ __releases(root->lock) -+{ -+ struct aa_profile *profile = p; -+ struct aa_namespace *root = f->private, *ns; -+ -+ if (profile) { -+ for (ns = profile->ns; ns && ns != root; ns = ns->parent) -+ read_unlock(&ns->lock); -+ } -+ read_unlock(&root->lock); -+ aa_put_namespace(root); -+} -+ -+/** -+ * seq_show_profile - show a profile entry -+ * @f: seq_file to file -+ * @p: current position (profile) (NOT NULL) -+ * -+ * Returns: error on failure -+ */ -+static int seq_show_profile(struct seq_file *f, void *p) -+{ -+ struct aa_profile *profile = (struct aa_profile *)p; -+ struct aa_namespace *root = f->private; -+ -+ if (profile->ns != root) -+ seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); -+ seq_printf(f, "%s (%s)\n", profile->base.hname, -+ COMPLAIN_MODE(profile) ? "complain" : "enforce"); -+ -+ return 0; -+} -+ -+static const struct seq_operations aa_fs_profiles_op = { -+ .start = p_start, -+ .next = p_next, -+ .stop = p_stop, -+ .show = seq_show_profile, -+}; -+ -+static int profiles_open(struct inode *inode, struct file *file) -+{ -+ return seq_open(file, &aa_fs_profiles_op); -+} -+ -+static int profiles_release(struct inode *inode, struct file *file) -+{ -+ return seq_release(inode, file); -+} -+ -+const struct file_operations aa_fs_profiles_fops = { -+ .open = profiles_open, -+ .read = seq_read, -+ .llseek = seq_lseek, -+ .release = profiles_release, -+}; -+ - /** Base file system setup **/ - - static struct aa_fs_entry aa_fs_entry_file[] = { -@@ -210,6 +436,7 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = { - AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load), - AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace), - AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove), -+ AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops), - AA_FS_DIR("features", aa_fs_entry_features), - { } - }; --- -1.7.9.5 - diff --git a/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch b/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch deleted file mode 100644 index 01316b9db78..00000000000 --- a/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch +++ /dev/null @@ -1,603 +0,0 @@ -From 423e2cb454d75d6185eecd0c1b5cf6ccc2d8482d Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Mon, 4 Oct 2010 15:03:36 -0700 -Subject: [PATCH 2/3] UBUNTU: SAUCE: AppArmor: basic networking rules - -Base support for network mediation. - -Signed-off-by: John Johansen <john.johansen@canonical.com> ---- - security/apparmor/.gitignore | 2 +- - security/apparmor/Makefile | 42 +++++++++- - security/apparmor/apparmorfs.c | 1 + - security/apparmor/include/audit.h | 4 + - security/apparmor/include/net.h | 44 ++++++++++ - security/apparmor/include/policy.h | 3 + - security/apparmor/lsm.c | 112 +++++++++++++++++++++++++ - security/apparmor/net.c | 162 ++++++++++++++++++++++++++++++++++++ - security/apparmor/policy.c | 1 + - security/apparmor/policy_unpack.c | 46 ++++++++++ - 10 files changed, 414 insertions(+), 3 deletions(-) - create mode 100644 security/apparmor/include/net.h - create mode 100644 security/apparmor/net.c - -diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore -index 4d995ae..d5b291e 100644 ---- a/security/apparmor/.gitignore -+++ b/security/apparmor/.gitignore -@@ -1,6 +1,6 @@ - # - # Generated include files - # --af_names.h -+net_names.h - capability_names.h - rlim_names.h -diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile -index 806bd19..19daa85 100644 ---- a/security/apparmor/Makefile -+++ b/security/apparmor/Makefile -@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o - - apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ - path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ -- resource.o sid.o file.o -+ resource.o sid.o file.o net.o - --clean-files := capability_names.h rlim_names.h -+clean-files := capability_names.h rlim_names.h net_names.h - - - # Build a lower case string table of capability names -@@ -20,6 +20,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\ - -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ - echo "};" >> $@ - -+# Build a lower case string table of address family names -+# Transform lines from -+# define AF_LOCAL 1 /* POSIX name for AF_UNIX */ -+# #define AF_INET 2 /* Internet IP Protocol */ -+# to -+# [1] = "local", -+# [2] = "inet", -+# -+# and build the securityfs entries for the mapping. -+# Transforms lines from -+# #define AF_INET 2 /* Internet IP Protocol */ -+# to -+# #define AA_FS_AF_MASK "local inet" -+quiet_cmd_make-af = GEN $@ -+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\ -+ sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \ -+ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\ -+ echo "};" >> $@ ;\ -+ echo -n '\#define AA_FS_AF_MASK "' >> $@ ;\ -+ sed -r -n 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\ -+ $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ -+ -+# Build a lower case string table of sock type names -+# Transform lines from -+# SOCK_STREAM = 1, -+# to -+# [1] = "stream", -+quiet_cmd_make-sock = GEN $@ -+cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\ -+ sed $^ >>$@ -r -n \ -+ -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\ -+ echo "};" >> $@ - - # Build a lower case string table of rlimit names. - # Transforms lines from -@@ -56,6 +88,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ - tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ - - $(obj)/capability.o : $(obj)/capability_names.h -+$(obj)/net.o : $(obj)/net_names.h - $(obj)/resource.o : $(obj)/rlim_names.h - $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \ - $(src)/Makefile -@@ -63,3 +96,8 @@ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \ - $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \ - $(src)/Makefile - $(call cmd,make-rlim) -+$(obj)/net_names.h : $(srctree)/include/linux/socket.h \ -+ $(srctree)/include/linux/net.h \ -+ $(src)/Makefile -+ $(call cmd,make-af) -+ $(call cmd,make-sock) -diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 89bdc62..c66315d 100644 ---- a/security/apparmor/apparmorfs.c -+++ b/security/apparmor/apparmorfs.c -@@ -427,6 +427,7 @@ static struct aa_fs_entry aa_fs_entry_domain[] = { - static struct aa_fs_entry aa_fs_entry_features[] = { - AA_FS_DIR("domain", aa_fs_entry_domain), - AA_FS_DIR("file", aa_fs_entry_file), -+ AA_FS_DIR("network", aa_fs_entry_network), - AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), - AA_FS_DIR("rlimit", aa_fs_entry_rlimit), - { } -diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h -index 3868b1e..c1ff09c 100644 ---- a/security/apparmor/include/audit.h -+++ b/security/apparmor/include/audit.h -@@ -126,6 +126,10 @@ struct apparmor_audit_data { - u32 denied; - uid_t ouid; - } fs; -+ struct { -+ int type, protocol; -+ struct sock *sk; -+ } net; - }; - }; - -diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h -new file mode 100644 -index 0000000..cb8a121 ---- /dev/null -+++ b/security/apparmor/include/net.h -@@ -0,0 +1,44 @@ -+/* -+ * AppArmor security module -+ * -+ * This file contains AppArmor network mediation definitions. -+ * -+ * Copyright (C) 1998-2008 Novell/SUSE -+ * Copyright 2009-2012 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation, version 2 of the -+ * License. -+ */ -+ -+#ifndef __AA_NET_H -+#define __AA_NET_H -+ -+#include <net/sock.h> -+ -+#include "apparmorfs.h" -+ -+/* struct aa_net - network confinement data -+ * @allowed: basic network families permissions -+ * @audit_network: which network permissions to force audit -+ * @quiet_network: which network permissions to quiet rejects -+ */ -+struct aa_net { -+ u16 allow[AF_MAX]; -+ u16 audit[AF_MAX]; -+ u16 quiet[AF_MAX]; -+}; -+ -+extern struct aa_fs_entry aa_fs_entry_network[]; -+ -+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family, -+ int type, int protocol, struct sock *sk); -+extern int aa_revalidate_sk(int op, struct sock *sk); -+ -+static inline void aa_free_net_rules(struct aa_net *new) -+{ -+ /* NOP */ -+} -+ -+#endif /* __AA_NET_H */ -diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h -index bda4569..eb13a73 100644 ---- a/security/apparmor/include/policy.h -+++ b/security/apparmor/include/policy.h -@@ -27,6 +27,7 @@ - #include "capability.h" - #include "domain.h" - #include "file.h" -+#include "net.h" - #include "resource.h" - - extern const char *const profile_mode_names[]; -@@ -157,6 +158,7 @@ struct aa_policydb { - * @policy: general match rules governing policy - * @file: The set of rules governing basic file access and domain transitions - * @caps: capabilities for the profile -+ * @net: network controls for the profile - * @rlimits: rlimits for the profile - * - * The AppArmor profile contains the basic confinement data. Each profile -@@ -194,6 +196,7 @@ struct aa_profile { - struct aa_policydb policy; - struct aa_file_rules file; - struct aa_caps caps; -+ struct aa_net net; - struct aa_rlimit rlimits; - }; - -diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c -index ad05d39..3cde194 100644 ---- a/security/apparmor/lsm.c -+++ b/security/apparmor/lsm.c -@@ -32,6 +32,7 @@ - #include "include/context.h" - #include "include/file.h" - #include "include/ipc.h" -+#include "include/net.h" - #include "include/path.h" - #include "include/policy.h" - #include "include/procattr.h" -@@ -622,6 +623,104 @@ static int apparmor_task_setrlimit(struct task_struct *task, - return error; - } - -+static int apparmor_socket_create(int family, int type, int protocol, int kern) -+{ -+ struct aa_profile *profile; -+ int error = 0; -+ -+ if (kern) -+ return 0; -+ -+ profile = __aa_current_profile(); -+ if (!unconfined(profile)) -+ error = aa_net_perm(OP_CREATE, profile, family, type, protocol, -+ NULL); -+ return error; -+} -+ -+static int apparmor_socket_bind(struct socket *sock, -+ struct sockaddr *address, int addrlen) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_BIND, sk); -+} -+ -+static int apparmor_socket_connect(struct socket *sock, -+ struct sockaddr *address, int addrlen) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_CONNECT, sk); -+} -+ -+static int apparmor_socket_listen(struct socket *sock, int backlog) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_LISTEN, sk); -+} -+ -+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_ACCEPT, sk); -+} -+ -+static int apparmor_socket_sendmsg(struct socket *sock, -+ struct msghdr *msg, int size) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_SENDMSG, sk); -+} -+ -+static int apparmor_socket_recvmsg(struct socket *sock, -+ struct msghdr *msg, int size, int flags) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_RECVMSG, sk); -+} -+ -+static int apparmor_socket_getsockname(struct socket *sock) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_GETSOCKNAME, sk); -+} -+ -+static int apparmor_socket_getpeername(struct socket *sock) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_GETPEERNAME, sk); -+} -+ -+static int apparmor_socket_getsockopt(struct socket *sock, int level, -+ int optname) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_GETSOCKOPT, sk); -+} -+ -+static int apparmor_socket_setsockopt(struct socket *sock, int level, -+ int optname) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_SETSOCKOPT, sk); -+} -+ -+static int apparmor_socket_shutdown(struct socket *sock, int how) -+{ -+ struct sock *sk = sock->sk; -+ -+ return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk); -+} -+ - static struct security_operations apparmor_ops = { - .name = "apparmor", - -@@ -653,6 +752,19 @@ static struct security_operations apparmor_ops = { - .getprocattr = apparmor_getprocattr, - .setprocattr = apparmor_setprocattr, - -+ .socket_create = apparmor_socket_create, -+ .socket_bind = apparmor_socket_bind, -+ .socket_connect = apparmor_socket_connect, -+ .socket_listen = apparmor_socket_listen, -+ .socket_accept = apparmor_socket_accept, -+ .socket_sendmsg = apparmor_socket_sendmsg, -+ .socket_recvmsg = apparmor_socket_recvmsg, -+ .socket_getsockname = apparmor_socket_getsockname, -+ .socket_getpeername = apparmor_socket_getpeername, -+ .socket_getsockopt = apparmor_socket_getsockopt, -+ .socket_setsockopt = apparmor_socket_setsockopt, -+ .socket_shutdown = apparmor_socket_shutdown, -+ - .cred_alloc_blank = apparmor_cred_alloc_blank, - .cred_free = apparmor_cred_free, - .cred_prepare = apparmor_cred_prepare, -diff --git a/security/apparmor/net.c b/security/apparmor/net.c -new file mode 100644 -index 0000000..084232b ---- /dev/null -+++ b/security/apparmor/net.c -@@ -0,0 +1,162 @@ -+/* -+ * AppArmor security module -+ * -+ * This file contains AppArmor network mediation -+ * -+ * Copyright (C) 1998-2008 Novell/SUSE -+ * Copyright 2009-2012 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation, version 2 of the -+ * License. -+ */ -+ -+#include "include/apparmor.h" -+#include "include/audit.h" -+#include "include/context.h" -+#include "include/net.h" -+#include "include/policy.h" -+ -+#include "net_names.h" -+ -+struct aa_fs_entry aa_fs_entry_network[] = { -+ AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK), -+ { } -+}; -+ -+/* audit callback for net specific fields */ -+static void audit_cb(struct audit_buffer *ab, void *va) -+{ -+ struct common_audit_data *sa = va; -+ -+ audit_log_format(ab, " family="); -+ if (address_family_names[sa->u.net->family]) { -+ audit_log_string(ab, address_family_names[sa->u.net->family]); -+ } else { -+ audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family); -+ } -+ audit_log_format(ab, " sock_type="); -+ if (sock_type_names[sa->aad->net.type]) { -+ audit_log_string(ab, sock_type_names[sa->aad->net.type]); -+ } else { -+ audit_log_format(ab, "\"unknown(%d)\"", sa->aad->net.type); -+ } -+ audit_log_format(ab, " protocol=%d", sa->aad->net.protocol); -+} -+ -+/** -+ * audit_net - audit network access -+ * @profile: profile being enforced (NOT NULL) -+ * @op: operation being checked -+ * @family: network family -+ * @type: network type -+ * @protocol: network protocol -+ * @sk: socket auditing is being applied to -+ * @error: error code for failure else 0 -+ * -+ * Returns: %0 or sa->error else other errorcode on failure -+ */ -+static int audit_net(struct aa_profile *profile, int op, u16 family, int type, -+ int protocol, struct sock *sk, int error) -+{ -+ int audit_type = AUDIT_APPARMOR_AUTO; -+ struct common_audit_data sa; -+ struct apparmor_audit_data aad = { }; -+ struct lsm_network_audit net = { }; -+ if (sk) { -+ COMMON_AUDIT_DATA_INIT(&sa, NET); -+ } else { -+ COMMON_AUDIT_DATA_INIT(&sa, NONE); -+ } -+ /* todo fill in socket addr info */ -+ sa.aad = &aad; -+ sa.u.net = &net; -+ sa.aad->op = op, -+ sa.u.net->family = family; -+ sa.u.net->sk = sk; -+ sa.aad->net.type = type; -+ sa.aad->net.protocol = protocol; -+ sa.aad->error = error; -+ -+ if (likely(!sa.aad->error)) { -+ u16 audit_mask = profile->net.audit[sa.u.net->family]; -+ if (likely((AUDIT_MODE(profile) != AUDIT_ALL) && -+ !(1 << sa.aad->net.type & audit_mask))) -+ return 0; -+ audit_type = AUDIT_APPARMOR_AUDIT; -+ } else { -+ u16 quiet_mask = profile->net.quiet[sa.u.net->family]; -+ u16 kill_mask = 0; -+ u16 denied = (1 << sa.aad->net.type) & ~quiet_mask; -+ -+ if (denied & kill_mask) -+ audit_type = AUDIT_APPARMOR_KILL; -+ -+ if ((denied & quiet_mask) && -+ AUDIT_MODE(profile) != AUDIT_NOQUIET && -+ AUDIT_MODE(profile) != AUDIT_ALL) -+ return COMPLAIN_MODE(profile) ? 0 : sa.aad->error; -+ } -+ -+ return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb); -+} -+ -+/** -+ * aa_net_perm - very course network access check -+ * @op: operation being checked -+ * @profile: profile being enforced (NOT NULL) -+ * @family: network family -+ * @type: network type -+ * @protocol: network protocol -+ * -+ * Returns: %0 else error if permission denied -+ */ -+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type, -+ int protocol, struct sock *sk) -+{ -+ u16 family_mask; -+ int error; -+ -+ if ((family < 0) || (family >= AF_MAX)) -+ return -EINVAL; -+ -+ if ((type < 0) || (type >= SOCK_MAX)) -+ return -EINVAL; -+ -+ /* unix domain and netlink sockets are handled by ipc */ -+ if (family == AF_UNIX || family == AF_NETLINK) -+ return 0; -+ -+ family_mask = profile->net.allow[family]; -+ -+ error = (family_mask & (1 << type)) ? 0 : -EACCES; -+ -+ return audit_net(profile, op, family, type, protocol, sk, error); -+} -+ -+/** -+ * aa_revalidate_sk - Revalidate access to a sock -+ * @op: operation being checked -+ * @sk: sock being revalidated (NOT NULL) -+ * -+ * Returns: %0 else error if permission denied -+ */ -+int aa_revalidate_sk(int op, struct sock *sk) -+{ -+ struct aa_profile *profile; -+ int error = 0; -+ -+ /* aa_revalidate_sk should not be called from interrupt context -+ * don't mediate these calls as they are not task related -+ */ -+ if (in_interrupt()) -+ return 0; -+ -+ profile = __aa_current_profile(); -+ if (!unconfined(profile)) -+ error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type, -+ sk->sk_protocol, sk); -+ -+ return error; -+} -diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c -index f1f7506..b8100a7 100644 ---- a/security/apparmor/policy.c -+++ b/security/apparmor/policy.c -@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile) - - aa_free_file_rules(&profile->file); - aa_free_cap_rules(&profile->caps); -+ aa_free_net_rules(&profile->net); - aa_free_rlimit_rules(&profile->rlimits); - - aa_free_sid(profile->sid); -diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index deab7c7..8f8e9c1 100644 ---- a/security/apparmor/policy_unpack.c -+++ b/security/apparmor/policy_unpack.c -@@ -193,6 +193,19 @@ fail: - return 0; - } - -+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name) -+{ -+ if (unpack_nameX(e, AA_U16, name)) { -+ if (!inbounds(e, sizeof(u16))) -+ return 0; -+ if (data) -+ *data = le16_to_cpu(get_unaligned((u16 *) e->pos)); -+ e->pos += sizeof(u16); -+ return 1; -+ } -+ return 0; -+} -+ - static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) - { - if (unpack_nameX(e, AA_U32, name)) { -@@ -471,6 +484,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e) - { - struct aa_profile *profile = NULL; - const char *name = NULL; -+ size_t size = 0; - int i, error = -EPROTO; - kernel_cap_t tmpcap; - u32 tmp; -@@ -564,6 +578,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e) - if (!unpack_rlimits(e, profile)) - goto fail; - -+ size = unpack_array(e, "net_allowed_af"); -+ if (size) { -+ -+ for (i = 0; i < size; i++) { -+ /* discard extraneous rules that this kernel will -+ * never request -+ */ -+ if (i >= AF_MAX) { -+ u16 tmp; -+ if (!unpack_u16(e, &tmp, NULL) || -+ !unpack_u16(e, &tmp, NULL) || -+ !unpack_u16(e, &tmp, NULL)) -+ goto fail; -+ continue; -+ } -+ if (!unpack_u16(e, &profile->net.allow[i], NULL)) -+ goto fail; -+ if (!unpack_u16(e, &profile->net.audit[i], NULL)) -+ goto fail; -+ if (!unpack_u16(e, &profile->net.quiet[i], NULL)) -+ goto fail; -+ } -+ if (!unpack_nameX(e, AA_ARRAYEND, NULL)) -+ goto fail; -+ } -+ /* -+ * allow unix domain and netlink sockets they are handled -+ * by IPC -+ */ -+ profile->net.allow[AF_UNIX] = 0xffff; -+ profile->net.allow[AF_NETLINK] = 0xffff; -+ - if (unpack_nameX(e, AA_STRUCT, "policydb")) { - /* generic policy dfa - optional and may be NULL */ - profile->policy.dfa = unpack_dfa(e); --- -1.7.9.5 - diff --git a/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0003-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch b/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0003-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch deleted file mode 100644 index 48b34343e0b..00000000000 --- a/pkgs/os-specific/linux/kernel/apparmor-patches/3.4/0003-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch +++ /dev/null @@ -1,957 +0,0 @@ -From a94d5e11c0484af59e5feebf144cc48c186892ad Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Wed, 16 May 2012 10:58:05 -0700 -Subject: [PATCH 3/3] UBUNTU: SAUCE: apparmor: Add the ability to mediate - mount - -Add the ability for apparmor to do mediation of mount operations. Mount -rules require an updated apparmor_parser (2.8 series) for policy compilation. - -The basic form of the rules are. - - [audit] [deny] mount [conds]* [device] [ -> [conds] path], - [audit] [deny] remount [conds]* [path], - [audit] [deny] umount [conds]* [path], - [audit] [deny] pivotroot [oldroot=<value>] <path> - - remount is just a short cut for mount options=remount - - where [conds] can be - fstype=<expr> - options=<expr> - -Example mount commands - mount, # allow all mounts, but not umount or pivotroot - - mount fstype=procfs, # allow mounting procfs anywhere - - mount options=(bind, ro) /foo -> /bar, # readonly bind mount - - mount /dev/sda -> /mnt, - - mount /dev/sd** -> /mnt/**, - - mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/ - - umount, - - umount /m*, - -See the apparmor userspace for full documentation - -Signed-off-by: John Johansen <john.johansen@canonical.com> -Acked-by: Kees Cook <kees@ubuntu.com> ---- - security/apparmor/Makefile | 2 +- - security/apparmor/apparmorfs.c | 13 + - security/apparmor/audit.c | 4 + - security/apparmor/domain.c | 2 +- - security/apparmor/include/apparmor.h | 3 +- - security/apparmor/include/audit.h | 11 + - security/apparmor/include/domain.h | 2 + - security/apparmor/include/mount.h | 54 +++ - security/apparmor/lsm.c | 59 ++++ - security/apparmor/mount.c | 620 ++++++++++++++++++++++++++++++++++ - 10 files changed, 767 insertions(+), 3 deletions(-) - create mode 100644 security/apparmor/include/mount.h - create mode 100644 security/apparmor/mount.c - -diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile -index 19daa85..63e0a4c 100644 ---- a/security/apparmor/Makefile -+++ b/security/apparmor/Makefile -@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o - - apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ - path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ -- resource.o sid.o file.o net.o -+ resource.o sid.o file.o net.o mount.o - - clean-files := capability_names.h rlim_names.h net_names.h - -diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index c66315d..ff19009 100644 ---- a/security/apparmor/apparmorfs.c -+++ b/security/apparmor/apparmorfs.c -@@ -424,10 +424,23 @@ static struct aa_fs_entry aa_fs_entry_domain[] = { - { } - }; - -+static struct aa_fs_entry aa_fs_entry_mount[] = { -+ AA_FS_FILE_STRING("mask", "mount umount"), -+ { } -+}; -+ -+static struct aa_fs_entry aa_fs_entry_namespaces[] = { -+ AA_FS_FILE_BOOLEAN("profile", 1), -+ AA_FS_FILE_BOOLEAN("pivot_root", 1), -+ { } -+}; -+ - static struct aa_fs_entry aa_fs_entry_features[] = { - AA_FS_DIR("domain", aa_fs_entry_domain), - AA_FS_DIR("file", aa_fs_entry_file), - AA_FS_DIR("network", aa_fs_entry_network), -+ AA_FS_DIR("mount", aa_fs_entry_mount), -+ AA_FS_DIR("namespaces", aa_fs_entry_namespaces), - AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), - AA_FS_DIR("rlimit", aa_fs_entry_rlimit), - { } -diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c -index cc3520d..b9f5ee9 100644 ---- a/security/apparmor/audit.c -+++ b/security/apparmor/audit.c -@@ -44,6 +44,10 @@ const char *const op_table[] = { - "file_mmap", - "file_mprotect", - -+ "pivotroot", -+ "mount", -+ "umount", -+ - "create", - "post_create", - "bind", -diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c -index 6327685..dfdc47b 100644 ---- a/security/apparmor/domain.c -+++ b/security/apparmor/domain.c -@@ -242,7 +242,7 @@ static const char *next_name(int xtype, const char *name) - * - * Returns: refcounted profile, or NULL on failure (MAYBE NULL) - */ --static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) -+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) - { - struct aa_profile *new_profile = NULL; - struct aa_namespace *ns = profile->ns; -diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h -index 40aedd9..e243d96 100644 ---- a/security/apparmor/include/apparmor.h -+++ b/security/apparmor/include/apparmor.h -@@ -29,8 +29,9 @@ - #define AA_CLASS_NET 4 - #define AA_CLASS_RLIMITS 5 - #define AA_CLASS_DOMAIN 6 -+#define AA_CLASS_MOUNT 7 - --#define AA_CLASS_LAST AA_CLASS_DOMAIN -+#define AA_CLASS_LAST AA_CLASS_MOUNT - - /* Control parameters settable through module/boot flags */ - extern enum audit_mode aa_g_audit; -diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h -index c1ff09c..7b90900c 100644 ---- a/security/apparmor/include/audit.h -+++ b/security/apparmor/include/audit.h -@@ -73,6 +73,10 @@ enum aa_ops { - OP_FMMAP, - OP_FMPROT, - -+ OP_PIVOTROOT, -+ OP_MOUNT, -+ OP_UMOUNT, -+ - OP_CREATE, - OP_POST_CREATE, - OP_BIND, -@@ -121,6 +125,13 @@ struct apparmor_audit_data { - unsigned long max; - } rlim; - struct { -+ const char *src_name; -+ const char *type; -+ const char *trans; -+ const char *data; -+ unsigned long flags; -+ } mnt; -+ struct { - const char *target; - u32 request; - u32 denied; -diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h -index de04464..a3f70c5 100644 ---- a/security/apparmor/include/domain.h -+++ b/security/apparmor/include/domain.h -@@ -23,6 +23,8 @@ struct aa_domain { - char **table; - }; - -+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex); -+ - int apparmor_bprm_set_creds(struct linux_binprm *bprm); - int apparmor_bprm_secureexec(struct linux_binprm *bprm); - void apparmor_bprm_committing_creds(struct linux_binprm *bprm); -diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h -new file mode 100644 -index 0000000..bc17a53 ---- /dev/null -+++ b/security/apparmor/include/mount.h -@@ -0,0 +1,54 @@ -+/* -+ * AppArmor security module -+ * -+ * This file contains AppArmor file mediation function definitions. -+ * -+ * Copyright 2012 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation, version 2 of the -+ * License. -+ */ -+ -+#ifndef __AA_MOUNT_H -+#define __AA_MOUNT_H -+ -+#include <linux/fs.h> -+#include <linux/path.h> -+ -+#include "domain.h" -+#include "policy.h" -+ -+/* mount perms */ -+#define AA_MAY_PIVOTROOT 0x01 -+#define AA_MAY_MOUNT 0x02 -+#define AA_MAY_UMOUNT 0x04 -+#define AA_AUDIT_DATA 0x40 -+#define AA_CONT_MATCH 0x40 -+ -+#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN) -+ -+int aa_remount(struct aa_profile *profile, struct path *path, -+ unsigned long flags, void *data); -+ -+int aa_bind_mount(struct aa_profile *profile, struct path *path, -+ const char *old_name, unsigned long flags); -+ -+ -+int aa_mount_change_type(struct aa_profile *profile, struct path *path, -+ unsigned long flags); -+ -+int aa_move_mount(struct aa_profile *profile, struct path *path, -+ const char *old_name); -+ -+int aa_new_mount(struct aa_profile *profile, const char *dev_name, -+ struct path *path, const char *type, unsigned long flags, -+ void *data); -+ -+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags); -+ -+int aa_pivotroot(struct aa_profile *profile, struct path *old_path, -+ struct path *new_path); -+ -+#endif /* __AA_MOUNT_H */ -diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c -index 3cde194..4512cc6 100644 ---- a/security/apparmor/lsm.c -+++ b/security/apparmor/lsm.c -@@ -36,6 +36,7 @@ - #include "include/path.h" - #include "include/policy.h" - #include "include/procattr.h" -+#include "include/mount.h" - - /* Flag indicating whether initialization completed */ - int apparmor_initialized __initdata; -@@ -512,6 +513,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma, - !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); - } - -+static int apparmor_sb_mount(char *dev_name, struct path *path, char *type, -+ unsigned long flags, void *data) -+{ -+ struct aa_profile *profile; -+ int error = 0; -+ -+ /* Discard magic */ -+ if ((flags & MS_MGC_MSK) == MS_MGC_VAL) -+ flags &= ~MS_MGC_MSK; -+ -+ flags &= ~AA_MS_IGNORE_MASK; -+ -+ profile = __aa_current_profile(); -+ if (!unconfined(profile)) { -+ if (flags & MS_REMOUNT) -+ error = aa_remount(profile, path, flags, data); -+ else if (flags & MS_BIND) -+ error = aa_bind_mount(profile, path, dev_name, flags); -+ else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | -+ MS_UNBINDABLE)) -+ error = aa_mount_change_type(profile, path, flags); -+ else if (flags & MS_MOVE) -+ error = aa_move_mount(profile, path, dev_name); -+ else -+ error = aa_new_mount(profile, dev_name, path, type, -+ flags, data); -+ } -+ return error; -+} -+ -+static int apparmor_sb_umount(struct vfsmount *mnt, int flags) -+{ -+ struct aa_profile *profile; -+ int error = 0; -+ -+ profile = __aa_current_profile(); -+ if (!unconfined(profile)) -+ error = aa_umount(profile, mnt, flags); -+ -+ return error; -+} -+ -+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path) -+{ -+ struct aa_profile *profile; -+ int error = 0; -+ -+ profile = __aa_current_profile(); -+ if (!unconfined(profile)) -+ error = aa_pivotroot(profile, old_path, new_path); -+ -+ return error; -+} -+ - static int apparmor_getprocattr(struct task_struct *task, char *name, - char **value) - { -@@ -729,6 +784,10 @@ static struct security_operations apparmor_ops = { - .capget = apparmor_capget, - .capable = apparmor_capable, - -+ .sb_mount = apparmor_sb_mount, -+ .sb_umount = apparmor_sb_umount, -+ .sb_pivotroot = apparmor_sb_pivotroot, -+ - .path_link = apparmor_path_link, - .path_unlink = apparmor_path_unlink, - .path_symlink = apparmor_path_symlink, -diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c -new file mode 100644 -index 0000000..63d8493 ---- /dev/null -+++ b/security/apparmor/mount.c -@@ -0,0 +1,620 @@ -+/* -+ * AppArmor security module -+ * -+ * This file contains AppArmor mediation of files -+ * -+ * Copyright (C) 1998-2008 Novell/SUSE -+ * Copyright 2009-2012 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation, version 2 of the -+ * License. -+ */ -+ -+#include <linux/fs.h> -+#include <linux/mount.h> -+#include <linux/namei.h> -+ -+#include "include/apparmor.h" -+#include "include/audit.h" -+#include "include/context.h" -+#include "include/domain.h" -+#include "include/file.h" -+#include "include/match.h" -+#include "include/mount.h" -+#include "include/path.h" -+#include "include/policy.h" -+ -+ -+static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) -+{ -+ if (flags & MS_RDONLY) -+ audit_log_format(ab, "ro"); -+ else -+ audit_log_format(ab, "rw"); -+ if (flags & MS_NOSUID) -+ audit_log_format(ab, ", nosuid"); -+ if (flags & MS_NODEV) -+ audit_log_format(ab, ", nodev"); -+ if (flags & MS_NOEXEC) -+ audit_log_format(ab, ", noexec"); -+ if (flags & MS_SYNCHRONOUS) -+ audit_log_format(ab, ", sync"); -+ if (flags & MS_REMOUNT) -+ audit_log_format(ab, ", remount"); -+ if (flags & MS_MANDLOCK) -+ audit_log_format(ab, ", mand"); -+ if (flags & MS_DIRSYNC) -+ audit_log_format(ab, ", dirsync"); -+ if (flags & MS_NOATIME) -+ audit_log_format(ab, ", noatime"); -+ if (flags & MS_NODIRATIME) -+ audit_log_format(ab, ", nodiratime"); -+ if (flags & MS_BIND) -+ audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); -+ if (flags & MS_MOVE) -+ audit_log_format(ab, ", move"); -+ if (flags & MS_SILENT) -+ audit_log_format(ab, ", silent"); -+ if (flags & MS_POSIXACL) -+ audit_log_format(ab, ", acl"); -+ if (flags & MS_UNBINDABLE) -+ audit_log_format(ab, flags & MS_REC ? ", runbindable" : -+ ", unbindable"); -+ if (flags & MS_PRIVATE) -+ audit_log_format(ab, flags & MS_REC ? ", rprivate" : -+ ", private"); -+ if (flags & MS_SLAVE) -+ audit_log_format(ab, flags & MS_REC ? ", rslave" : -+ ", slave"); -+ if (flags & MS_SHARED) -+ audit_log_format(ab, flags & MS_REC ? ", rshared" : -+ ", shared"); -+ if (flags & MS_RELATIME) -+ audit_log_format(ab, ", relatime"); -+ if (flags & MS_I_VERSION) -+ audit_log_format(ab, ", iversion"); -+ if (flags & MS_STRICTATIME) -+ audit_log_format(ab, ", strictatime"); -+ if (flags & MS_NOUSER) -+ audit_log_format(ab, ", nouser"); -+} -+ -+/** -+ * audit_cb - call back for mount specific audit fields -+ * @ab: audit_buffer (NOT NULL) -+ * @va: audit struct to audit values of (NOT NULL) -+ */ -+static void audit_cb(struct audit_buffer *ab, void *va) -+{ -+ struct common_audit_data *sa = va; -+ -+ if (sa->aad->mnt.type) { -+ audit_log_format(ab, " fstype="); -+ audit_log_untrustedstring(ab, sa->aad->mnt.type); -+ } -+ if (sa->aad->mnt.src_name) { -+ audit_log_format(ab, " srcname="); -+ audit_log_untrustedstring(ab, sa->aad->mnt.src_name); -+ } -+ if (sa->aad->mnt.trans) { -+ audit_log_format(ab, " trans="); -+ audit_log_untrustedstring(ab, sa->aad->mnt.trans); -+ } -+ if (sa->aad->mnt.flags || sa->aad->op == OP_MOUNT) { -+ audit_log_format(ab, " flags=\""); -+ audit_mnt_flags(ab, sa->aad->mnt.flags); -+ audit_log_format(ab, "\""); -+ } -+ if (sa->aad->mnt.data) { -+ audit_log_format(ab, " options="); -+ audit_log_untrustedstring(ab, sa->aad->mnt.data); -+ } -+} -+ -+/** -+ * audit_mount - handle the auditing of mount operations -+ * @profile: the profile being enforced (NOT NULL) -+ * @gfp: allocation flags -+ * @op: operation being mediated (NOT NULL) -+ * @name: name of object being mediated (MAYBE NULL) -+ * @src_name: src_name of object being mediated (MAYBE_NULL) -+ * @type: type of filesystem (MAYBE_NULL) -+ * @trans: name of trans (MAYBE NULL) -+ * @flags: filesystem idependent mount flags -+ * @data: filesystem mount flags -+ * @request: permissions requested -+ * @perms: the permissions computed for the request (NOT NULL) -+ * @info: extra information message (MAYBE NULL) -+ * @error: 0 if operation allowed else failure error code -+ * -+ * Returns: %0 or error on failure -+ */ -+static int audit_mount(struct aa_profile *profile, gfp_t gfp, int op, -+ const char *name, const char *src_name, -+ const char *type, const char *trans, -+ unsigned long flags, const void *data, u32 request, -+ struct file_perms *perms, const char *info, int error) -+{ -+ int audit_type = AUDIT_APPARMOR_AUTO; -+ struct common_audit_data sa; -+ struct apparmor_audit_data aad = { }; -+ -+ if (likely(!error)) { -+ u32 mask = perms->audit; -+ -+ if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) -+ mask = 0xffff; -+ -+ /* mask off perms that are not being force audited */ -+ request &= mask; -+ -+ if (likely(!request)) -+ return 0; -+ audit_type = AUDIT_APPARMOR_AUDIT; -+ } else { -+ /* only report permissions that were denied */ -+ request = request & ~perms->allow; -+ -+ if (request & perms->kill) -+ audit_type = AUDIT_APPARMOR_KILL; -+ -+ /* quiet known rejects, assumes quiet and kill do not overlap */ -+ if ((request & perms->quiet) && -+ AUDIT_MODE(profile) != AUDIT_NOQUIET && -+ AUDIT_MODE(profile) != AUDIT_ALL) -+ request &= ~perms->quiet; -+ -+ if (!request) -+ return COMPLAIN_MODE(profile) ? -+ complain_error(error) : error; -+ } -+ -+ COMMON_AUDIT_DATA_INIT(&sa, NONE); -+ sa.aad = &aad; -+ sa.aad->op = op; -+ sa.aad->name = name; -+ sa.aad->mnt.src_name = src_name; -+ sa.aad->mnt.type = type; -+ sa.aad->mnt.trans = trans; -+ sa.aad->mnt.flags = flags; -+ if (data && (perms->audit & AA_AUDIT_DATA)) -+ sa.aad->mnt.data = data; -+ sa.aad->info = info; -+ sa.aad->error = error; -+ -+ return aa_audit(audit_type, profile, gfp, &sa, audit_cb); -+} -+ -+/** -+ * match_mnt_flags - Do an ordered match on mount flags -+ * @dfa: dfa to match against -+ * @state: state to start in -+ * @flags: mount flags to match against -+ * -+ * Mount flags are encoded as an ordered match. This is done instead of -+ * checking against a simple bitmask, to allow for logical operations -+ * on the flags. -+ * -+ * Returns: next state after flags match -+ */ -+static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state, -+ unsigned long flags) -+{ -+ unsigned int i; -+ -+ for (i = 0; i <= 31 ; ++i) { -+ if ((1 << i) & flags) -+ state = aa_dfa_next(dfa, state, i + 1); -+ } -+ -+ return state; -+} -+ -+/** -+ * compute_mnt_perms - compute mount permission associated with @state -+ * @dfa: dfa to match against (NOT NULL) -+ * @state: state match finished in -+ * -+ * Returns: mount permissions -+ */ -+static struct file_perms compute_mnt_perms(struct aa_dfa *dfa, -+ unsigned int state) -+{ -+ struct file_perms perms; -+ -+ perms.kill = 0; -+ perms.allow = dfa_user_allow(dfa, state); -+ perms.audit = dfa_user_audit(dfa, state); -+ perms.quiet = dfa_user_quiet(dfa, state); -+ perms.xindex = dfa_user_xindex(dfa, state); -+ -+ return perms; -+} -+ -+static const char const *mnt_info_table[] = { -+ "match succeeded", -+ "failed mntpnt match", -+ "failed srcname match", -+ "failed type match", -+ "failed flags match", -+ "failed data match" -+}; -+ -+/* -+ * Returns 0 on success else element that match failed in, this is the -+ * index into the mnt_info_table above -+ */ -+static int do_match_mnt(struct aa_dfa *dfa, unsigned int start, -+ const char *mntpnt, const char *devname, -+ const char *type, unsigned long flags, -+ void *data, bool binary, struct file_perms *perms) -+{ -+ unsigned int state; -+ -+ state = aa_dfa_match(dfa, start, mntpnt); -+ state = aa_dfa_null_transition(dfa, state); -+ if (!state) -+ return 1; -+ -+ if (devname) -+ state = aa_dfa_match(dfa, state, devname); -+ state = aa_dfa_null_transition(dfa, state); -+ if (!state) -+ return 2; -+ -+ if (type) -+ state = aa_dfa_match(dfa, state, type); -+ state = aa_dfa_null_transition(dfa, state); -+ if (!state) -+ return 3; -+ -+ state = match_mnt_flags(dfa, state, flags); -+ if (!state) -+ return 4; -+ *perms = compute_mnt_perms(dfa, state); -+ if (perms->allow & AA_MAY_MOUNT) -+ return 0; -+ -+ /* only match data if not binary and the DFA flags data is expected */ -+ if (data && !binary && (perms->allow & AA_CONT_MATCH)) { -+ state = aa_dfa_null_transition(dfa, state); -+ if (!state) -+ return 4; -+ -+ state = aa_dfa_match(dfa, state, data); -+ if (!state) -+ return 5; -+ *perms = compute_mnt_perms(dfa, state); -+ if (perms->allow & AA_MAY_MOUNT) -+ return 0; -+ } -+ -+ /* failed at end of flags match */ -+ return 4; -+} -+ -+/** -+ * match_mnt - handle path matching for mount -+ * @profile: the confining profile -+ * @mntpnt: string for the mntpnt (NOT NULL) -+ * @devname: string for the devname/src_name (MAYBE NULL) -+ * @type: string for the dev type (MAYBE NULL) -+ * @flags: mount flags to match -+ * @data: fs mount data (MAYBE NULL) -+ * @binary: whether @data is binary -+ * @perms: Returns: permission found by the match -+ * @info: Returns: infomation string about the match for logging -+ * -+ * Returns: 0 on success else error -+ */ -+static int match_mnt(struct aa_profile *profile, const char *mntpnt, -+ const char *devname, const char *type, -+ unsigned long flags, void *data, bool binary, -+ struct file_perms *perms, const char **info) -+{ -+ int pos; -+ -+ if (!profile->policy.dfa) -+ return -EACCES; -+ -+ pos = do_match_mnt(profile->policy.dfa, -+ profile->policy.start[AA_CLASS_MOUNT], -+ mntpnt, devname, type, flags, data, binary, perms); -+ if (pos) { -+ *info = mnt_info_table[pos]; -+ return -EACCES; -+ } -+ -+ return 0; -+} -+ -+static int path_flags(struct aa_profile *profile, struct path *path) -+{ -+ return profile->path_flags | -+ S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0; -+} -+ -+int aa_remount(struct aa_profile *profile, struct path *path, -+ unsigned long flags, void *data) -+{ -+ struct file_perms perms = { }; -+ const char *name, *info = NULL; -+ char *buffer = NULL; -+ int binary, error; -+ -+ binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; -+ -+ error = aa_path_name(path, path_flags(profile, path), &buffer, &name, -+ &info); -+ if (error) -+ goto audit; -+ -+ error = match_mnt(profile, name, NULL, NULL, flags, data, binary, -+ &perms, &info); -+ -+audit: -+ error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL, -+ NULL, flags, data, AA_MAY_MOUNT, &perms, info, -+ error); -+ kfree(buffer); -+ -+ return error; -+} -+ -+int aa_bind_mount(struct aa_profile *profile, struct path *path, -+ const char *dev_name, unsigned long flags) -+{ -+ struct file_perms perms = { }; -+ char *buffer = NULL, *old_buffer = NULL; -+ const char *name, *old_name = NULL, *info = NULL; -+ struct path old_path; -+ int error; -+ -+ if (!dev_name || !*dev_name) -+ return -EINVAL; -+ -+ flags &= MS_REC | MS_BIND; -+ -+ error = aa_path_name(path, path_flags(profile, path), &buffer, &name, -+ &info); -+ if (error) -+ goto audit; -+ -+ error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); -+ if (error) -+ goto audit; -+ -+ error = aa_path_name(&old_path, path_flags(profile, &old_path), -+ &old_buffer, &old_name, &info); -+ path_put(&old_path); -+ if (error) -+ goto audit; -+ -+ error = match_mnt(profile, name, old_name, NULL, flags, NULL, 0, -+ &perms, &info); -+ -+audit: -+ error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name, -+ NULL, NULL, flags, NULL, AA_MAY_MOUNT, &perms, -+ info, error); -+ kfree(buffer); -+ kfree(old_buffer); -+ -+ return error; -+} -+ -+int aa_mount_change_type(struct aa_profile *profile, struct path *path, -+ unsigned long flags) -+{ -+ struct file_perms perms = { }; -+ char *buffer = NULL; -+ const char *name, *info = NULL; -+ int error; -+ -+ /* These are the flags allowed by do_change_type() */ -+ flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | -+ MS_UNBINDABLE); -+ -+ error = aa_path_name(path, path_flags(profile, path), &buffer, &name, -+ &info); -+ if (error) -+ goto audit; -+ -+ error = match_mnt(profile, name, NULL, NULL, flags, NULL, 0, &perms, -+ &info); -+ -+audit: -+ error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL, -+ NULL, flags, NULL, AA_MAY_MOUNT, &perms, info, -+ error); -+ kfree(buffer); -+ -+ return error; -+} -+ -+int aa_move_mount(struct aa_profile *profile, struct path *path, -+ const char *orig_name) -+{ -+ struct file_perms perms = { }; -+ char *buffer = NULL, *old_buffer = NULL; -+ const char *name, *old_name = NULL, *info = NULL; -+ struct path old_path; -+ int error; -+ -+ if (!orig_name || !*orig_name) -+ return -EINVAL; -+ -+ error = aa_path_name(path, path_flags(profile, path), &buffer, &name, -+ &info); -+ if (error) -+ goto audit; -+ -+ error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); -+ if (error) -+ goto audit; -+ -+ error = aa_path_name(&old_path, path_flags(profile, &old_path), -+ &old_buffer, &old_name, &info); -+ path_put(&old_path); -+ if (error) -+ goto audit; -+ -+ error = match_mnt(profile, name, old_name, NULL, MS_MOVE, NULL, 0, -+ &perms, &info); -+ -+audit: -+ error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name, -+ NULL, NULL, MS_MOVE, NULL, AA_MAY_MOUNT, &perms, -+ info, error); -+ kfree(buffer); -+ kfree(old_buffer); -+ -+ return error; -+} -+ -+int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name, -+ struct path *path, const char *type, unsigned long flags, -+ void *data) -+{ -+ struct file_perms perms = { }; -+ char *buffer = NULL, *dev_buffer = NULL; -+ const char *name = NULL, *dev_name = NULL, *info = NULL; -+ int binary = 1; -+ int error; -+ -+ dev_name = orig_dev_name; -+ if (type) { -+ int requires_dev; -+ struct file_system_type *fstype = get_fs_type(type); -+ if (!fstype) -+ return -ENODEV; -+ -+ binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; -+ requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; -+ put_filesystem(fstype); -+ -+ if (requires_dev) { -+ struct path dev_path; -+ -+ if (!dev_name || !*dev_name) { -+ error = -ENOENT; -+ goto out; -+ } -+ -+ error = kern_path(dev_name, LOOKUP_FOLLOW, &dev_path); -+ if (error) -+ goto audit; -+ -+ error = aa_path_name(&dev_path, -+ path_flags(profile, &dev_path), -+ &dev_buffer, &dev_name, &info); -+ path_put(&dev_path); -+ if (error) -+ goto audit; -+ } -+ } -+ -+ error = aa_path_name(path, path_flags(profile, path), &buffer, &name, -+ &info); -+ if (error) -+ goto audit; -+ -+ error = match_mnt(profile, name, dev_name, type, flags, data, binary, -+ &perms, &info); -+ -+audit: -+ error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, dev_name, -+ type, NULL, flags, data, AA_MAY_MOUNT, &perms, info, -+ error); -+ kfree(buffer); -+ kfree(dev_buffer); -+ -+out: -+ return error; -+ -+} -+ -+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags) -+{ -+ struct file_perms perms = { }; -+ char *buffer = NULL; -+ const char *name, *info = NULL; -+ int error; -+ -+ struct path path = { mnt, mnt->mnt_root }; -+ error = aa_path_name(&path, path_flags(profile, &path), &buffer, &name, -+ &info); -+ if (error) -+ goto audit; -+ -+ if (!error && profile->policy.dfa) { -+ unsigned int state; -+ state = aa_dfa_match(profile->policy.dfa, -+ profile->policy.start[AA_CLASS_MOUNT], -+ name); -+ perms = compute_mnt_perms(profile->policy.dfa, state); -+ } -+ -+ if (AA_MAY_UMOUNT & ~perms.allow) -+ error = -EACCES; -+ -+audit: -+ error = audit_mount(profile, GFP_KERNEL, OP_UMOUNT, name, NULL, NULL, -+ NULL, 0, NULL, AA_MAY_UMOUNT, &perms, info, error); -+ kfree(buffer); -+ -+ return error; -+} -+ -+int aa_pivotroot(struct aa_profile *profile, struct path *old_path, -+ struct path *new_path) -+{ -+ struct file_perms perms = { }; -+ struct aa_profile *target = NULL; -+ char *old_buffer = NULL, *new_buffer = NULL; -+ const char *old_name, *new_name = NULL, *info = NULL; -+ int error; -+ -+ error = aa_path_name(old_path, path_flags(profile, old_path), -+ &old_buffer, &old_name, &info); -+ if (error) -+ goto audit; -+ -+ error = aa_path_name(new_path, path_flags(profile, new_path), -+ &new_buffer, &new_name, &info); -+ if (error) -+ goto audit; -+ -+ if (profile->policy.dfa) { -+ unsigned int state; -+ state = aa_dfa_match(profile->policy.dfa, -+ profile->policy.start[AA_CLASS_MOUNT], -+ new_name); -+ state = aa_dfa_null_transition(profile->policy.dfa, state); -+ state = aa_dfa_match(profile->policy.dfa, state, old_name); -+ perms = compute_mnt_perms(profile->policy.dfa, state); -+ } -+ -+ if (AA_MAY_PIVOTROOT & perms.allow) { -+ if ((perms.xindex & AA_X_TYPE_MASK) == AA_X_TABLE) { -+ target = x_table_lookup(profile, perms.xindex); -+ if (!target) -+ error = -ENOENT; -+ else -+ error = aa_replace_current_profile(target); -+ } -+ } else -+ error = -EACCES; -+ -+audit: -+ error = audit_mount(profile, GFP_KERNEL, OP_PIVOTROOT, new_name, -+ old_name, NULL, target ? target->base.name : NULL, -+ 0, NULL, AA_MAY_PIVOTROOT, &perms, info, error); -+ aa_put_profile(target); -+ kfree(old_buffer); -+ kfree(new_buffer); -+ -+ return error; -+} --- -1.7.9.5 - diff --git a/pkgs/os-specific/linux/kernel/chromiumos-patches/fix-double-Kconfig-entry-3.14.patch b/pkgs/os-specific/linux/kernel/chromiumos-patches/fix-double-Kconfig-entry-3.14.patch new file mode 100644 index 00000000000..7fdcafa62d9 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/chromiumos-patches/fix-double-Kconfig-entry-3.14.patch @@ -0,0 +1,47 @@ +From de6299c1627d80ea6742a0bef15bdb6981e5cfd7 Mon Sep 17 00:00:00 2001 +From: Nikolay Amiantov <ab@fmap.me> +Date: Fri, 25 Dec 2015 17:11:40 +0300 +Subject: [PATCH 1/2] drivers_base: fix double Kconfig entry + +--- + drivers/base/Kconfig | 24 ------------------------ + 1 file changed, 24 deletions(-) + +diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig +index 946ced4..fc3405e1 100644 +--- a/drivers/base/Kconfig ++++ b/drivers/base/Kconfig +@@ -163,30 +163,6 @@ config FW_LOADER_USER_HELPER + no longer required unless you have a special firmware file that + resides in a non-standard path. + +-config WANT_DEV_COREDUMP +- bool +- help +- Drivers should "select" this option if they desire to use the +- device coredump mechanism. +- +-config ALLOW_DEV_COREDUMP +- bool "Allow device coredump" if EXPERT +- default y +- help +- This option controls if the device coredump mechanism is available or +- not; if disabled, the mechanism will be omitted even if drivers that +- can use it are enabled. +- Say 'N' for more sensitive systems or systems that don't want +- to ever access the information to not have the code, nor keep any +- data. +- +- If unsure, say Y. +- +-config DEV_COREDUMP +- bool +- default y if WANT_DEV_COREDUMP +- depends on ALLOW_DEV_COREDUMP +- + config DEBUG_DRIVER + bool "Driver Core verbose debug messages" + depends on DEBUG_KERNEL +-- +2.6.3 + diff --git a/pkgs/os-specific/linux/kernel/chromiumos-patches/fix-double-Kconfig-entry-3.18.patch b/pkgs/os-specific/linux/kernel/chromiumos-patches/fix-double-Kconfig-entry-3.18.patch new file mode 100644 index 00000000000..2d8af8fa745 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/chromiumos-patches/fix-double-Kconfig-entry-3.18.patch @@ -0,0 +1,48 @@ +diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig +index 48398b4..0e37f7d 100644 +--- a/drivers/base/Kconfig ++++ b/drivers/base/Kconfig +@@ -198,30 +198,6 @@ config DEV_COREDUMP + default y if WANT_DEV_COREDUMP + depends on ALLOW_DEV_COREDUMP + +-config WANT_DEV_COREDUMP +- bool +- help +- Drivers should "select" this option if they desire to use the +- device coredump mechanism. +- +-config ALLOW_DEV_COREDUMP +- bool "Allow device coredump" if EXPERT +- default y +- help +- This option controls if the device coredump mechanism is available or +- not; if disabled, the mechanism will be omitted even if drivers that +- can use it are enabled. +- Say 'N' for more sensitive systems or systems that don't want +- to ever access the information to not have the code, nor keep any +- data. +- +- If unsure, say Y. +- +-config DEV_COREDUMP +- bool +- default y if WANT_DEV_COREDUMP +- depends on ALLOW_DEV_COREDUMP +- + config DEBUG_DRIVER + bool "Driver Core verbose debug messages" + depends on DEBUG_KERNEL +diff --git a/drivers/mfd/Kconfig b/drivers/mfd/Kconfig +index 58154a9..53a0d73 100644 +--- a/drivers/mfd/Kconfig ++++ b/drivers/mfd/Kconfig +@@ -81,7 +81,7 @@ config MFD_AXP20X + + config MFD_CROS_EC + tristate "Support ChromeOS Embedded Controller" +- depends on MFD_CORE ++ select MFD_CORE + help + If you say Y here you get support for the ChromeOS Embedded + Controller (EC) providing keyboard, battery and power services. diff --git a/pkgs/os-specific/linux/kernel/chromiumos-patches/mfd-fix-dependency.patch b/pkgs/os-specific/linux/kernel/chromiumos-patches/mfd-fix-dependency.patch new file mode 100644 index 00000000000..f17ecce92d1 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/chromiumos-patches/mfd-fix-dependency.patch @@ -0,0 +1,25 @@ +From 65c5b603489d230b1f1775b01ba1529843cfeba6 Mon Sep 17 00:00:00 2001 +From: Nikolay Amiantov <ab@fmap.me> +Date: Fri, 25 Dec 2015 17:11:56 +0300 +Subject: [PATCH 2/2] mfd: fix dependency for MFD_CROS_EC + +--- + drivers/mfd/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/Kconfig b/drivers/mfd/Kconfig +index f425dce..a62a285 100644 +--- a/drivers/mfd/Kconfig ++++ b/drivers/mfd/Kconfig +@@ -61,7 +61,7 @@ config MFD_AAT2870_CORE + + config MFD_CROS_EC + tristate "Support ChromeOS Embedded Controller" +- depends on MFD_CORE ++ select MFD_CORE + help + If you say Y here you get support for the ChromeOS Embedded + Controller (EC) providing keyboard, battery and power services. +-- +2.6.3 + diff --git a/pkgs/os-specific/linux/kernel/chromiumos-patches/no-link-restrictions.patch b/pkgs/os-specific/linux/kernel/chromiumos-patches/no-link-restrictions.patch new file mode 100644 index 00000000000..ce19dd5d169 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/chromiumos-patches/no-link-restrictions.patch @@ -0,0 +1,15 @@ +diff --git a/fs/namei.c b/fs/namei.c +index d999a86..eb6e530 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -703,8 +703,8 @@ static inline void put_link(struct nameidata *nd, struct path *link, void *cooki + path_put(link); + } + +-int sysctl_protected_symlinks __read_mostly = 1; +-int sysctl_protected_hardlinks __read_mostly = 1; ++int sysctl_protected_symlinks __read_mostly = 0; ++int sysctl_protected_hardlinks __read_mostly = 0; + + /** + * may_follow_link - Check symlink following for unsafe situations diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 8179211ba5c..90b4a6a4824 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -147,7 +147,7 @@ with stdenv.lib; # Video configuration. # Enable KMS for devices whose X.org driver supports it. - ${optionalString (versionOlder version "4.3") '' + ${optionalString (versionOlder version "4.3" && !(features.chromiumos or false)) '' DRM_I915_KMS y ''} # Allow specifying custom EDID on the kernel command line @@ -504,6 +504,67 @@ with stdenv.lib; # Disable the firmware helper fallback, udev doesn't implement it any more FW_LOADER_USER_HELPER_FALLBACK? n + # ChromiumOS support + ${optionalString (features.chromiumos or false) '' + CHROME_PLATFORMS y + VGA_SWITCHEROO n + MMC_SDHCI_PXAV2 n + NET_IPVTI n + IPV6_VTI n + REGULATOR_FIXED_VOLTAGE n + TPS6105X n + CPU_FREQ_STAT y + IPV6 y + MFD_CROS_EC y + MFD_CROS_EC_LPC y + MFD_CROS_EC_DEV y + CHARGER_CROS_USB_PD y + I2C y + MEDIA_SUBDRV_AUTOSELECT n + VIDEO_IR_I2C n + BLK_DEV_DM y + ANDROID_PARANOID_NETWORK n + DM_VERITY n + DRM_VGEM n + CPU_FREQ_GOV_INTERACTIVE n + INPUT_KEYRESET n + DM_BOOTCACHE n + UID_CPUTIME n + + ${optionalString (versionAtLeast version "3.18") '' + CPUFREQ_DT n + EXTCON_CROS_EC n + DRM_POWERVR_ROGUE n + CHROMEOS_OF_FIRMWARE y + TEST_RHASHTABLE n + BCMDHD n + TRUSTY n + ''} + + ${optionalString (versionOlder version "3.18") '' + MALI_MIDGARD n + DVB_USB_DIB0700 n + DVB_USB_DW2102 n + DVB_USB_PCTV452E n + DVB_USB_TTUSB2 n + DVB_USB_AF9015 n + DVB_USB_AF9035 n + DVB_USB_ANYSEE n + DVB_USB_AZ6007 n + DVB_USB_IT913X n + DVB_USB_LME2510 n + DVB_USB_RTL28XXU n + USB_S2255 n + VIDEO_EM28XX n + VIDEO_TM6000 n + USB_DWC2 n + USB_GSPCA n + SPEAKUP n + XO15_EBOOK n + USB_GADGET n + ''} + ''} + ${kernelPlatform.kernelExtraConfig or ""} ${extraConfig} '' diff --git a/pkgs/os-specific/linux/kernel/cve-2016-0728.patch b/pkgs/os-specific/linux/kernel/cve-2016-0728.patch new file mode 100644 index 00000000000..5eec95c6293 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/cve-2016-0728.patch @@ -0,0 +1,78 @@ +From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Mon, 18 Jan 2016 10:53:31 +0000 +Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring() + +This fixes CVE-2016-0728. + +If a thread is asked to join as a session keyring the keyring that's already +set as its session, we leak a keyring reference. + +This can be tested with the following program: + + #include <stddef.h> + #include <stdio.h> + #include <sys/types.h> + #include <keyutils.h> + + int main(int argc, const char *argv[]) + { + int i = 0; + key_serial_t serial; + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, + KEY_POS_ALL | KEY_USR_ALL) < 0) { + perror("keyctl"); + return -1; + } + + for (i = 0; i < 100; i++) { + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + } + + return 0; + } + +If, after the program has run, there something like the following line in +/proc/keys: + +3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty + +with a usage count of 100 * the number of times the program has been run, +then the kernel is malfunctioning. If leaked-keyring has zero usages or +has been garbage collected, then the problem is fixed. + +Reported-by: Yevgeny Pats <yevgeny@perception-point.io> +Signed-off-by: David Howells <dhowells@redhat.com> +RH-bugzilla: 1298036 +--- + security/keys/process_keys.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index 43b4cddbf2b3..7877e5cd4e23 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } +-- +2.5.0 + diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix index b42892f9f2d..59d3642e622 100644 --- a/pkgs/os-specific/linux/kernel/generic.nix +++ b/pkgs/os-specific/linux/kernel/generic.nix @@ -23,6 +23,7 @@ # symbolic name and `patch' is the actual patch. The patch may # optionally be compressed with gzip or bzip2. kernelPatches ? [] +, ignoreConfigErrors ? stdenv.platform.name != "pc" , extraMeta ? {} , ... }: @@ -41,14 +42,13 @@ let in lib.concatStringsSep "\n" ([baseConfig] ++ configFromPatches); configfile = stdenv.mkDerivation { + inherit ignoreConfigErrors; name = "linux-config-${version}"; generateConfig = ./generate-config.pl; kernelConfig = kernelConfigFun config; - ignoreConfigErrors = stdenv.platform.name != "pc"; - nativeBuildInputs = [ perl ]; platformName = stdenv.platform.name; diff --git a/pkgs/os-specific/linux/kernel/genksyms-fix-segfault.patch b/pkgs/os-specific/linux/kernel/genksyms-fix-segfault.patch new file mode 100644 index 00000000000..47ae77a5a54 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/genksyms-fix-segfault.patch @@ -0,0 +1,19 @@ +diff --git a/scripts/genksyms/genksyms.c b/scripts/genksyms/genksyms.c +index 88632df..ba6cfa9 100644 +--- a/scripts/genksyms/genksyms.c ++++ b/scripts/genksyms/genksyms.c +@@ -233,11 +233,11 @@ static struct symbol *__add_symbol(const char *name, enum symbol_type type, + free_list(last_enum_expr, NULL); + last_enum_expr = NULL; + enum_counter = 0; +- if (!name) +- /* Anonymous enum definition, nothing more to do */ +- return NULL; + } + ++ if (!name) ++ return NULL; ++ + h = crc32(name) % HASH_BUCKETS; + for (sym = symtab[h]; sym; sym = sym->hash_next) { + if (map_to_ns(sym->type) == map_to_ns(type) && diff --git a/pkgs/os-specific/linux/kernel/linux-3.10.nix b/pkgs/os-specific/linux/kernel/linux-3.10.nix index a231b551dc0..6a4531d9deb 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.10.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.10.nix @@ -9,6 +9,8 @@ import ./generic.nix (args // rec { sha256 = "0z0jdix1mfpnnc8cxw7rzpnhxdayckpnrasvxi1qf0dwhcqgk92d"; }; + kernelPatches = args.kernelPatches ++ [ { name = "cve-2016-0728"; patch = ./cve-2016-0728.patch; } ]; + features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; diff --git a/pkgs/os-specific/linux/kernel/linux-3.12.nix b/pkgs/os-specific/linux/kernel/linux-3.12.nix index 7ed6cd142d1..1e58d4e5029 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.12.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.12.nix @@ -9,6 +9,8 @@ import ./generic.nix (args // rec { sha256 = "1bn07wsrcbg4qgqd4v2810c3qc0ifbcza0fyj8s54yd78g9qj4lj"; }; + kernelPatches = args.kernelPatches ++ [ { name = "cve-2016-0728"; patch = ./cve-2016-0728.patch; } ]; + features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; diff --git a/pkgs/os-specific/linux/kernel/linux-3.14.nix b/pkgs/os-specific/linux/kernel/linux-3.14.nix index 987452618f0..62f1be8b92b 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.14.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.14.nix @@ -10,6 +10,8 @@ import ./generic.nix (args // rec { sha256 = "0jw1023cpn4bjmi0db86lrxri9xj75cj8p2iqs44jabvh35idl7l"; }; + kernelPatches = args.kernelPatches ++ [ { name = "cve-2016-0728"; patch = ./cve-2016-0728.patch; } ]; + features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; diff --git a/pkgs/os-specific/linux/kernel/linux-3.18.nix b/pkgs/os-specific/linux/kernel/linux-3.18.nix index 24a568f5feb..86258308c1e 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.18.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.18.nix @@ -9,6 +9,8 @@ import ./generic.nix (args // rec { sha256 = "14pz8mvk48i2y1ffkhczjcm2icpb2g9xlpzyrvvis42n5178fjf6"; }; + kernelPatches = args.kernelPatches ++ [ { name = "cve-2016-0728"; patch = ./cve-2016-0728.patch; } ]; + features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; diff --git a/pkgs/os-specific/linux/kernel/linux-4.1.nix b/pkgs/os-specific/linux/kernel/linux-4.1.nix index d9efce840fa..29d4870597a 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.1.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.1.nix @@ -9,6 +9,8 @@ import ./generic.nix (args // rec { sha256 = "18sr0dl5ax6pcx6nqp9drb4l6a38g07vxihiqpbwb231jv68h8j7"; }; + kernelPatches = args.kernelPatches ++ [ { name = "cve-2016-0728"; patch = ./cve-2016-0728.patch; } ]; + features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; diff --git a/pkgs/os-specific/linux/kernel/linux-4.2.nix b/pkgs/os-specific/linux/kernel/linux-4.2.nix deleted file mode 100644 index 6d2deead3a2..00000000000 --- a/pkgs/os-specific/linux/kernel/linux-4.2.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ stdenv, fetchurl, perl, buildLinux, ... } @ args: - -import ./generic.nix (args // rec { - version = "4.2.6"; - # Remember to update grsecurity! - extraMeta.branch = "4.2"; - - src = fetchurl { - url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "0p7v6v3v9kn7w5iragi5hx0dylhis0jy6xmk77gka486q1ynpnqp"; - }; - - features.iwlwifi = true; - features.efiBootStub = true; - features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; - features.netfilterRPFilter = true; -} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-4.3.nix b/pkgs/os-specific/linux/kernel/linux-4.3.nix index 1a33f4828cd..c8a994ba0b3 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.3.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.3.nix @@ -1,13 +1,13 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.3.3"; + version = "4.3.4"; extraMeta.branch = "4.3"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "8cad4ce7d049c2ecc041b0844bd478bf85f0d3071c93e0c885a776d57cbca3cf"; + sha256 = "0vcsvnpxkpxiidlbw3cy1kl02hfml2jy3cbrvwj2nc4a9y5fb3hj"; }; features.iwlwifi = true; diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix index 36a297b95e5..cf17e915f8b 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.4.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix @@ -10,6 +10,8 @@ import ./generic.nix (args // rec { sha256 = "401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2"; }; + kernelPatches = args.kernelPatches ++ [ { name = "cve-2016-0728"; patch = ./cve-2016-0728.patch; } ]; + features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; diff --git a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix new file mode 100644 index 00000000000..fb52b14c9ae --- /dev/null +++ b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix @@ -0,0 +1,19 @@ +{ stdenv, fetchgit, perl, buildLinux, ncurses, openssh, ... } @ args: + +import ./generic.nix (args // rec { + version = "3.14.0"; + extraMeta.branch = "3.14"; + + src = fetchgit { + url = "https://chromium.googlesource.com/chromiumos/third_party/kernel"; + rev = "63a768b40c91c6f3518ea1f20d0cb664ed4e6a57"; + sha256 = "613527a032699be32c18d3f5d8d4c215d7718279a1c372c9f371d4e6c0b9cc34"; + }; + + features.iwlwifi = true; + features.efiBootStub = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; + features.chromiumos = true; +} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix new file mode 100644 index 00000000000..9ab3f70c97f --- /dev/null +++ b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix @@ -0,0 +1,21 @@ +{ stdenv, fetchgit, perl, buildLinux, ncurses, ... } @ args: + +import ./generic.nix (args // rec { + version = "3.18.0"; + extraMeta.branch = "3.18"; + + src = fetchgit { + url = "https://chromium.googlesource.com/chromiumos/third_party/kernel"; + rev = "3179ec7e3f07fcc3ca35817174c5fc6584030ab3"; + sha256 = "0hfa97fs216x8q20fsmw02kvf6mw6c6zczfjk2bpym6v7zxdzj28"; + }; + + features.iwlwifi = true; + features.efiBootStub = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; + features.chromiumos = true; + + extraMeta.hydraPlatforms = []; +} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp.nix b/pkgs/os-specific/linux/kernel/linux-mptcp.nix new file mode 100644 index 00000000000..2b0e3017979 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/linux-mptcp.nix @@ -0,0 +1,49 @@ +{ stdenv, fetchurl, perl, buildLinux, ... } @ args: + +import ./generic.nix (args // rec { + mptcpVersion = "0.90"; + modDirVersion = "3.18.20"; + version = "${modDirVersion}-mptcp_v${mptcpVersion}"; + + extraMeta = { + branch = "3.18"; + maintainer = stdenv.lib.maintainers.layus; + }; + + src = fetchurl { + url = "https://github.com/multipath-tcp/mptcp/archive/v${mptcpVersion}.tar.gz"; + sha256 = "1wzdvd1j1wqjkysj98g451y6mxr9a5hff5kn9inxwbzm9yg4icj5"; + }; + + extraConfig = '' + IPV6 y + MPTCP y + IP_MULTIPLE_TABLES y + + # Enable advanced path-managers... + MPTCP_PM_ADVANCED y + MPTCP_FULLMESH y + MPTCP_NDIFFPORTS y + # ... but use none by default. + # The default is safer if source policy routing is not setup. + DEFAULT_DUMMY y + DEFAULT_MPTCP_PM "default" + + # MPTCP scheduler selection. + # Disabled as the only non-default is the useless round-robin. + MPTCP_SCHED_ADVANCED n + DEFAULT_MPTCP_SCHED "default" + + # Smarter TCP congestion controllers + TCP_CONG_LIA m + TCP_CONG_OLIA m + TCP_CONG_WVEGAS m + TCP_CONG_BALIA m + ''; + + features.iwlwifi = true; + features.efiBootStub = true; + features.needsCifsUtils = true; + features.canDisableNetfilterConntrackHelpers = true; + features.netfilterRPFilter = true; +} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index cd34819a848..7e95f1dedb1 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -87,10 +87,10 @@ rec { }; grsecurity_unstable = grsecPatch - { kversion = "4.2.3"; - revision = "201510130858"; + { kversion = "4.3.4"; + revision = "201601231215"; branch = "test"; - sha256 = "0ndzcx9i94c065dlyvgykmin5bfkbydrv0kxxq52a4c9is6nlsrb"; + sha256 = "1dacld4zlp8mk6ykc0f1v5crppvq3znbdw9rwfrf6qi90984x0mr"; }; grsec_fix_path = @@ -103,4 +103,29 @@ rec { patch = ./crc-regression.patch; }; + genksyms_fix_segfault = + { name = "genksyms-fix-segfault"; + patch = ./genksyms-fix-segfault.patch; + }; + + + chromiumos_Kconfig_fix_entries_3_14 = + { name = "Kconfig_fix_entries_3_14"; + patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.14.patch; + }; + + chromiumos_Kconfig_fix_entries_3_18 = + { name = "Kconfig_fix_entries_3_18"; + patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.18.patch; + }; + + chromiumos_no_link_restrictions = + { name = "chromium-no-link-restrictions"; + patch = ./chromiumos-patches/no-link-restrictions.patch; + }; + + chromiumos_mfd_fix_dependency = + { name = "mfd_fix_dependency"; + patch = ./chromiumos-patches/mfd-fix-dependency.patch; + }; } diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index 5c6114040ff..2199524154d 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -1,8 +1,8 @@ { stdenv, fetchurl, zlib }: -let version = "2.0.11"; in stdenv.mkDerivation rec { name = "kexec-tools-${version}"; + version = "2.0.11"; src = fetchurl { urls = [ @@ -15,7 +15,6 @@ stdenv.mkDerivation rec { buildInputs = [ zlib ]; meta = with stdenv.lib; { - inherit version; homepage = http://horms.net/projects/kexec/kexec-tools; description = "Tools related to the kexec Linux feature"; platforms = platforms.linux; diff --git a/pkgs/os-specific/linux/libselinux/fPIC.patch b/pkgs/os-specific/linux/libselinux/fPIC.patch deleted file mode 100644 index fdc1fa41a33..00000000000 --- a/pkgs/os-specific/linux/libselinux/fPIC.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/Makefile b/src/Makefile -index ac019df..00432b9 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -132,7 +132,7 @@ $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR) - - %.o: %.c policy.h -- $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< -+ $(CC) $(CFLAGS) $(TLSFLAGS) -fPIC -c -o $@ $< - - %.lo: %.c policy.h - $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< diff --git a/pkgs/os-specific/linux/lvm2/default.nix b/pkgs/os-specific/linux/lvm2/default.nix index 32a8ba4ad46..9147cb81371 100644 --- a/pkgs/os-specific/linux/lvm2/default.nix +++ b/pkgs/os-specific/linux/lvm2/default.nix @@ -1,7 +1,7 @@ { stdenv, fetchurl, pkgconfig, systemd, libudev, utillinux, coreutils, enable_dmeventd ? false }: let - version = "2.02.132"; + version = "2.02.140"; in stdenv.mkDerivation { @@ -9,7 +9,7 @@ stdenv.mkDerivation { src = fetchurl { url = "ftp://sources.redhat.com/pub/lvm2/releases/LVM2.${version}.tgz"; - sha256 = "0ac8izssflj371zzar16965zlia6a6zd97i0n00jxfxssnfa0fj1"; + sha256 = "1jd46diyv7074fw8kxwq7imn4pl76g01d8y7z4scq0lkxf8jmpai"; }; configureFlags = [ diff --git a/pkgs/os-specific/linux/mcelog/default.nix b/pkgs/os-specific/linux/mcelog/default.nix index a6818ae86b9..113d59d641d 100644 --- a/pkgs/os-specific/linux/mcelog/default.nix +++ b/pkgs/os-specific/linux/mcelog/default.nix @@ -1,8 +1,8 @@ { stdenv, fetchFromGitHub }: -let version = "129"; in -stdenv.mkDerivation { +stdenv.mkDerivation rec { name = "mcelog-${version}"; + version = "129"; src = fetchFromGitHub { sha256 = "143xh5zvgax88yhg6mg6img64nrda85yybf76fgsk7a8gc57ghyk"; @@ -25,7 +25,6 @@ stdenv.mkDerivation { installFlags = [ "DESTDIR=$(out)" "prefix=" "DOCDIR=/share/doc" ]; meta = with stdenv.lib; { - inherit version; description = "Log x86 machine checks: memory, IO, and CPU hardware errors"; longDescription = '' The mcelog daemon accounts memory and some other errors in various ways diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix index 128f0d1aafc..3fe9d462412 100644 --- a/pkgs/os-specific/linux/mdadm/default.nix +++ b/pkgs/os-specific/linux/mdadm/default.nix @@ -1,5 +1,7 @@ { stdenv, fetchurl, groff }: +assert stdenv.isLinux; + stdenv.mkDerivation rec { name = "mdadm-3.3.4"; diff --git a/pkgs/os-specific/linux/mmc-utils/default.nix b/pkgs/os-specific/linux/mmc-utils/default.nix new file mode 100644 index 00000000000..8f7881b13e8 --- /dev/null +++ b/pkgs/os-specific/linux/mmc-utils/default.nix @@ -0,0 +1,26 @@ +{ stdenv, fetchgit }: + +stdenv.mkDerivation rec { + name = "mmc-utils-${version}"; + version = "2015-11-18"; + + src = fetchgit { + url = "git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc-utils.git"; + rev = "44f94b925894577f9ffcf2c418dd013a5e582648"; + sha256 = "1c1g9jpyhykhmidz7mjzrf63w3xlzqkijrqz1g6j4dz6p9pv1gax"; + }; + + installPhase = '' + make install prefix=$out + mkdir -p $out/share/man/man1 + cp man/mmc.1 $out/share/man/man1/ + ''; + + meta = with stdenv.lib; { + description = "Configure MMC storage devices from userspace"; + homepage = http://git.kernel.org/cgit/linux/kernel/git/cjb/mmc-utils.git/; + license = licenses.gpl2; + maintainers = [ maintainers.dezgeg ]; + platforms = platforms.linux; + }; +} diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix index e2daa9199a9..ba69b421c3d 100644 --- a/pkgs/os-specific/linux/multipath-tools/default.nix +++ b/pkgs/os-specific/linux/multipath-tools/default.nix @@ -1,30 +1,32 @@ -{ stdenv, fetchurl, lvm2, libaio, gzip, readline, systemd }: +{ stdenv, fetchurl, lvm2, libaio, gzip, readline, udev }: stdenv.mkDerivation rec { - name = "multipath-tools-0.4.9"; + name = "multipath-tools-0.5.0"; src = fetchurl { url = "http://christophe.varoqui.free.fr/multipath-tools/${name}.tar.bz2"; - sha256 = "04n7kazp1zrlqfza32phmqla0xkcq4zwn176qff5ida4a60whi4d"; + sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i"; }; - sourceRoot = "."; + postPatch = '' + sed -i -re ' + s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'", + ' libmultipath/defaults.h + sed -i -e 's,\$(DESTDIR)/\(usr/\)\?,$(prefix)/,g' \ + kpartx/Makefile libmpathpersist/Makefile + ''; - buildInputs = [ lvm2 libaio readline ]; + nativeBuildInputs = [ gzip ]; + buildInputs = [ udev lvm2 libaio readline ]; - preBuild = - '' - makeFlagsArray=(GZIP="${gzip}/bin/gzip -9n -c" prefix=$out mandir=$out/share/man/man8 man5dir=$out/share/man/man5 LIB=lib) - - substituteInPlace multipath/Makefile --replace /etc $out/etc - substituteInPlace kpartx/Makefile --replace /etc $out/etc - - substituteInPlace kpartx/kpartx.rules --replace /sbin/kpartx $out/sbin/kpartx - substituteInPlace kpartx/kpartx_id --replace /sbin/dmsetup ${lvm2}/sbin/dmsetup - - substituteInPlace libmultipath/defaults.h --replace /lib/udev/scsi_id ${systemd.udev.lib}/lib/udev/scsi_id - substituteInPlace libmultipath/hwtable.c --replace /lib/udev/scsi_id ${systemd.udev.lib}/lib/udev/scsi_id - ''; + makeFlags = [ + "LIB=lib" + "prefix=$(out)" + "mandir=$(out)/share/man/man8" + "man5dir=$(out)/share/man/man5" + "man3dir=$(out)/share/man/man3" + "unitdir=$(out)/lib/systemd/system" + ]; meta = { description = "Tools for the Linux multipathing driver"; diff --git a/pkgs/os-specific/linux/nfs-utils/default.nix b/pkgs/os-specific/linux/nfs-utils/default.nix index 34cf0196079..504d3790d86 100644 --- a/pkgs/os-specific/linux/nfs-utils/default.nix +++ b/pkgs/os-specific/linux/nfs-utils/default.nix @@ -3,11 +3,11 @@ }: stdenv.mkDerivation rec { - name = "nfs-utils-1.3.2"; # NOTE: when updating, remove the HACK BUG FIX below + name = "nfs-utils-1.3.3"; src = fetchurl { url = "mirror://sourceforge/nfs/${name}.tar.bz2"; - sha256 = "1xwilpdr1vizq2yhpzxpwqqr9f8kn0dy2wcpc626mf30ybp7572v"; + sha256 = "1svn27j5c873nixm46l111g7cgyaj5zd51ahfq8mx5v9m3vh93py"; }; buildInputs = @@ -31,10 +31,6 @@ stdenv.mkDerivation rec { chmod +x "$i" done sed -i s,/usr/sbin,$out/sbin, utils/statd/statd.c - - # HACK BUG FIX: needed for 1.3.2 - # http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=17a3e5bffb7110d46de1bf42b64b90713ff5ea50 - sed -e 's,daemon_init(!,daemon_init(,' -i utils/statd/statd.c ''; preBuild = diff --git a/pkgs/os-specific/linux/nvidia-x11/builder-legacy304.sh b/pkgs/os-specific/linux/nvidia-x11/builder-legacy304.sh index 20666fdb061..fe826783141 100755 --- a/pkgs/os-specific/linux/nvidia-x11/builder-legacy304.sh +++ b/pkgs/os-specific/linux/nvidia-x11/builder-legacy304.sh @@ -93,6 +93,10 @@ installPhase() { substituteInPlace $out/share/applications/nvidia-settings.desktop \ --replace '__UTILS_PATH__' $out/bin \ --replace '__PIXMAP_PATH__' $out/share/pixmaps + + # Move VDPAU libraries to their place + mkdir "$out"/lib/vdpau + mv "$out"/lib/libvdpau* "$out"/lib/vdpau fi } diff --git a/pkgs/os-specific/linux/nvidia-x11/builder-legacy340.sh b/pkgs/os-specific/linux/nvidia-x11/builder-legacy340.sh index d0eec0f7403..899f12daf6b 100755 --- a/pkgs/os-specific/linux/nvidia-x11/builder-legacy340.sh +++ b/pkgs/os-specific/linux/nvidia-x11/builder-legacy340.sh @@ -108,8 +108,12 @@ installPhase() { #patchelf --set-rpath $cudaPath $out/lib/libcuda.so.*.* #patchelf --set-rpath $openclPath $out/lib/libnvidia-opencl.so.*.* - # we distribute these separately in `libvdpau` + # We distribute these separately in `libvdpau` rm "$out"/lib/libvdpau{.*,_trace.*} + + # Move VDPAU libraries to their place + mkdir "$out"/lib/vdpau + mv "$out"/lib/libvdpau* "$out"/lib/vdpau } diff --git a/pkgs/os-specific/linux/nvidia-x11/builder.sh b/pkgs/os-specific/linux/nvidia-x11/builder.sh index 502648c1d51..c1f165c45dd 100755 --- a/pkgs/os-specific/linux/nvidia-x11/builder.sh +++ b/pkgs/os-specific/linux/nvidia-x11/builder.sh @@ -119,8 +119,12 @@ installPhase() { # For simplicity and dependency reduction, don't support the gtk3 interface. rm $out/lib/libnvidia-gtk3.* - # we distribute these separately in `libvdpau` + # We distribute these separately in `libvdpau` rm "$out"/lib/libvdpau{.*,_trace.*} + + # Move VDPAU libraries to their place + mkdir "$out"/lib/vdpau + mv "$out"/lib/libvdpau* "$out"/lib/vdpau } diff --git a/pkgs/os-specific/linux/pagemon/default.nix b/pkgs/os-specific/linux/pagemon/default.nix new file mode 100644 index 00000000000..3c94362b820 --- /dev/null +++ b/pkgs/os-specific/linux/pagemon/default.nix @@ -0,0 +1,38 @@ +{ stdenv, fetchFromGitHub, ncurses }: + +stdenv.mkDerivation rec { + name = "pagemon-${version}"; + version = "0.01.06"; + + src = fetchFromGitHub { + sha256 = "0p6mzmyjn5dq1ma9ld47gnrszyf0yph76dd5k7hl60a5zq5741aa"; + rev = "V${version}"; + repo = "pagemon"; + owner = "ColinIanKing"; + }; + + buildInputs = [ ncurses ]; + + makeFlags = [ + "BINDIR=$(out)/bin" + "MANDIR=$(out)/share/man/man8" + ]; + + meta = with stdenv.lib; { + inherit (src.meta) homepage; + description = "Interactive memory/page monitor for Linux"; + longDescription = '' + pagemon is an ncurses based interactive memory/page monitoring tool + allowing one to browse the memory map of an active running process + on Linux. + pagemon reads the PTEs of a given process and display the soft/dirty + activity in real time. The tool identifies the type of memory mapping + a page belongs to, so one can easily scan through memory looking at + pages of memory belonging data, code, heap, stack, anonymous mappings + or even swapped-out pages. + ''; + license = licenses.gpl2Plus; + platforms = platforms.linux; + maintainers = with maintainers; [ nckx ]; + }; +} diff --git a/pkgs/os-specific/linux/paxtest/default.nix b/pkgs/os-specific/linux/paxtest/default.nix new file mode 100644 index 00000000000..7c8e5eb70a1 --- /dev/null +++ b/pkgs/os-specific/linux/paxtest/default.nix @@ -0,0 +1,28 @@ +{ stdenv, fetchurl }: + +stdenv.mkDerivation rec { + name = "paxtest-${version}"; + version = "0.9.14"; + + src = fetchurl { + url = "https://www.grsecurity.net/~spender/${name}.tar.gz"; + sha256 = "0j40h3x42k5mr5gc5np4wvr9cdf9szk2f46swf42zny8rlgxiskx"; + }; + + buildPhase = '' + make $makeFlags RUNDIR=$out/bin/ linux + ''; + + installPhase = '' + mkdir -p $out/bin + find . -executable -exec cp {} $out/bin \; + ''; + + meta = with stdenv.lib; { + description = "Test various memory protection measures"; + license = licenses.gpl2; + platforms = platforms.linux; + maintainer = [ maintainers.copumpkin ]; + }; +} + diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix index 4eed41254f9..2b86238b2df 100644 --- a/pkgs/os-specific/linux/phc-intel/default.nix +++ b/pkgs/os-specific/linux/phc-intel/default.nix @@ -1,7 +1,7 @@ { stdenv, fetchurl, kernel, which }: assert stdenv.isLinux; -# Don't bother with older versions, though some would probably work: +# Don't bother with older versions, though some might even work: assert stdenv.lib.versionAtLeast kernel.version "4.3"; # Disable on grsecurity kernels, which break module building: assert !kernel.features ? grsecurity; @@ -9,9 +9,9 @@ assert !kernel.features ? grsecurity; let release = "0.4.0"; revbump = "rev19"; # don't forget to change forum download id... - version = "${release}-${revbump}"; -in stdenv.mkDerivation { +in stdenv.mkDerivation rec { name = "linux-phc-intel-${version}-${kernel.version}"; + version = "${release}-${revbump}"; src = fetchurl { sha256 = "1apvjp2rpaf3acjvsxgk6xiwrx4n9p565gxvra05pvicwikfiqa8"; @@ -38,7 +38,6 @@ in stdenv.mkDerivation { ''; meta = with stdenv.lib; { - inherit version; description = "Undervolting kernel driver for Intel processors"; longDescription = '' PHC is a Linux kernel patch to undervolt processors. This can divide the diff --git a/pkgs/os-specific/linux/radeontop/default.nix b/pkgs/os-specific/linux/radeontop/default.nix index b86486d4584..0ed76e790cc 100644 --- a/pkgs/os-specific/linux/radeontop/default.nix +++ b/pkgs/os-specific/linux/radeontop/default.nix @@ -1,8 +1,8 @@ { stdenv, fetchFromGitHub, pkgconfig, gettext, ncurses, libdrm, libpciaccess }: -let version = "2015-11-24"; in -stdenv.mkDerivation { +stdenv.mkDerivation rec { name = "radeontop-${version}"; + version = "2015-11-24"; src = fetchFromGitHub { sha256 = "0irwq6rps5mnban8cxbrm59wpyv4j80q3xdjm9fxvfpiyys2g2hz"; @@ -23,7 +23,6 @@ stdenv.mkDerivation { makeFlags = [ "PREFIX=$(out)" ]; meta = with stdenv.lib; { - inherit version; description = "Top-like tool for viewing AMD Radeon GPU utilization"; longDescription = '' View GPU utilization, both for the total activity percent and individual diff --git a/pkgs/os-specific/linux/spl/const.patch b/pkgs/os-specific/linux/spl/const.patch index 3bfcaa22b13..932e8a9eb1c 100644 --- a/pkgs/os-specific/linux/spl/const.patch +++ b/pkgs/os-specific/linux/spl/const.patch @@ -1,10 +1,10 @@ diff --git a/module/spl/spl-proc.c b/module/spl/spl-proc.c -index f25239a..b731123 100644 +index eb00505..6f38cef 100644 --- a/module/spl/spl-proc.c +++ b/module/spl/spl-proc.c -@@ -38,7 +38,7 @@ - - #define SS_DEBUG_SUBSYS SS_PROC +@@ -36,7 +36,7 @@ + #include <linux/uaccess.h> + #include <linux/version.h> -#if defined(CONSTIFY_PLUGIN) && LINUX_VERSION_CODE >= KERNEL_VERSION(3,8,0) +#if defined(CONSTIFY_PLUGIN) diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix index b8aad109c5a..959523ec597 100644 --- a/pkgs/os-specific/linux/spl/default.nix +++ b/pkgs/os-specific/linux/spl/default.nix @@ -17,13 +17,13 @@ assert buildKernel -> kernel != null; stdenv.mkDerivation rec { name = "spl-${configFile}-${version}${optionalString buildKernel "-${kernel.version}"}"; - version = "0.6.5.3"; + version = "0.6.5.4"; src = fetchFromGitHub { owner = "zfsonlinux"; repo = "spl"; rev = "spl-${version}"; - sha256 = "0lj57apwsy8cfwsvg9z62k71r3qms2p87lgcdk54g7352cwziqps"; + sha256 = "0k80xvl15ahbs0mylfl2bd5widxhngpf7dl6zq46s21wk0795jl4"; }; patches = [ ./const.patch ./install_prefix.patch ]; diff --git a/pkgs/os-specific/linux/spl/install_prefix.patch b/pkgs/os-specific/linux/spl/install_prefix.patch index 0f12f531f7a..dc91392bd2f 100644 --- a/pkgs/os-specific/linux/spl/install_prefix.patch +++ b/pkgs/os-specific/linux/spl/install_prefix.patch @@ -1,5 +1,5 @@ diff --git a/Makefile.am b/Makefile.am -index 89af931..674420c 100644 +index 4977448..ac17217 100644 --- a/Makefile.am +++ b/Makefile.am @@ -12,10 +12,10 @@ endif @@ -40,10 +40,10 @@ index e0da4b3..d6d7af0 100644 kernel_HEADERS = $(KERNEL_H) endif diff --git a/include/linux/Makefile.am b/include/linux/Makefile.am -index 1cca44a..e0d843b 100644 +index 712e94e..4af9fb7 100644 --- a/include/linux/Makefile.am +++ b/include/linux/Makefile.am -@@ -19,6 +19,6 @@ USER_H = +@@ -18,6 +18,6 @@ USER_H = EXTRA_DIST = $(COMMON_H) $(KERNEL_H) $(USER_H) if CONFIG_KERNEL @@ -76,10 +76,10 @@ index 10e7093..febecdf 100644 kernel_HEADERS = $(KERNEL_H) endif diff --git a/include/sys/Makefile.am b/include/sys/Makefile.am -index 2d21c57..3958cfd 100644 +index 73c4a84..31a9f50 100644 --- a/include/sys/Makefile.am +++ b/include/sys/Makefile.am -@@ -104,7 +104,7 @@ USER_H = +@@ -107,7 +107,7 @@ USER_H = EXTRA_DIST = $(COMMON_H) $(KERNEL_H) $(USER_H) if CONFIG_KERNEL @@ -125,7 +125,7 @@ index 63d9af3..de1aa18 100644 kernel_HEADERS = $(KERNEL_H) endif diff --git a/include/util/Makefile.am b/include/util/Makefile.am -index b721b50..cbb9a05 100644 +index e2bf09f..3f5d6ce 100644 --- a/include/util/Makefile.am +++ b/include/util/Makefile.am @@ -9,6 +9,6 @@ USER_H = @@ -149,7 +149,7 @@ index 7faab0a..8148b3d 100644 kernel_HEADERS = $(KERNEL_H) endif diff --git a/module/Makefile.in b/module/Makefile.in -index 41c1010..3141397 100644 +index d4e62e1..73fa01c 100644 --- a/module/Makefile.in +++ b/module/Makefile.in @@ -21,15 +21,15 @@ clean: @@ -162,8 +162,9 @@ index 41c1010..3141397 100644 KERNELRELEASE=@LINUX_VERSION@ @# Remove extraneous build products when packaging - kmoddir=$(DESTDIR)$(INSTALL_MOD_PATH)/lib/modules/@LINUX_VERSION@; \ +- if [ -n "$(DESTDIR)" ]; then \ + kmoddir=@prefix@/$(INSTALL_MOD_PATH)/lib/modules/@LINUX_VERSION@; \ - if [ -n $$kmoddir ]; then \ ++ if [ -n "@prefix@" ]; then \ find $$kmoddir -name 'modules.*' | xargs $(RM); \ fi - sysmap=$(DESTDIR)$(INSTALL_MOD_PATH)/boot/System.map-@LINUX_VERSION@; \ diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 0e94b4ec130..b164693612d 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchFromGitHub, pkgconfig, intltool, gperf, libcap, kmod , zlib, xz, pam, acl, cryptsetup, libuuid, m4, utillinux, libffi -, glib, kbd, libxslt, coreutils, libgcrypt +, glib, kbd, libxslt, coreutils, libgcrypt, libapparmor, audit, lz4 , kexectools, libmicrohttpd, linuxHeaders, libseccomp , autoreconfHook, gettext, docbook_xsl, docbook_xml_dtd_42, docbook_xml_dtd_45 , enableKDbus ? false @@ -32,7 +32,7 @@ stdenv.mkDerivation rec { buildInputs = [ linuxHeaders pkgconfig intltool gperf libcap kmod xz pam acl /* cryptsetup */ libuuid m4 glib libxslt libgcrypt - libmicrohttpd kexectools libseccomp libffi + libmicrohttpd kexectools libseccomp libffi audit lz4 libapparmor /* FIXME: we may be able to prevent the following dependencies by generating an autoconf'd tarball, but that's probably not worth it. */ @@ -54,6 +54,7 @@ stdenv.mkDerivation rec { "--enable-compat-libs" # get rid of this eventually "--disable-tests" + "--enable-lz4" "--enable-hostnamed" "--enable-networkd" "--disable-sysusers" diff --git a/pkgs/os-specific/linux/udisks/cve-2014-0004.patch b/pkgs/os-specific/linux/udisks/cve-2014-0004.patch deleted file mode 100644 index ce907507538..00000000000 --- a/pkgs/os-specific/linux/udisks/cve-2014-0004.patch +++ /dev/null @@ -1,82 +0,0 @@ -commit ebf61ed8471a45cf8bce7231de00cb1bbc140708 -Author: Martin Pitt <martin.pitt@ubuntu.com> -Date: Wed Mar 5 14:07:44 2014 +0100 - - Fix buffer overflow in mount path parsing - - In the mount monitor we parse mount points from /proc/self/mountinfo. Ensure - that we don't overflow the buffers on platforms where mount paths could be - longer than PATH_MAX (unknown if that can actually happen), as at least the - mount paths for hotpluggable devices are somewhat user-controlled. - - Thanks to Florian Weimer for discovering this bug, and to David Zeuthen - for his initial patch! - - CVE-2014-0004 - -Index: udisks-1.0.4/src/mount-monitor.c -=================================================================== ---- udisks-1.0.4.orig/src/mount-monitor.c 2011-08-25 20:27:33.000000000 +0200 -+++ udisks-1.0.4/src/mount-monitor.c 2014-03-10 13:38:18.309406561 +0100 -@@ -39,6 +39,11 @@ - #include "mount.h" - #include "private.h" - -+/* build a %Ns format string macro with N == PATH_MAX */ -+#define xstr(s) str(s) -+#define str(s) #s -+#define PATH_MAX_FMT "%" xstr(PATH_MAX) "s" -+ - /*--------------------------------------------------------------------------------------------------------------*/ - - enum -@@ -320,8 +325,8 @@ mount_monitor_ensure (MountMonitor *moni - guint mount_id; - guint parent_id; - guint major, minor; -- gchar encoded_root[PATH_MAX]; -- gchar encoded_mount_point[PATH_MAX]; -+ gchar encoded_root[PATH_MAX + 1]; -+ gchar encoded_mount_point[PATH_MAX + 1]; - gchar *mount_point; - dev_t dev; - -@@ -329,7 +334,7 @@ mount_monitor_ensure (MountMonitor *moni - continue; - - if (sscanf (lines[n], -- "%d %d %d:%d %s %s", -+ "%d %d %d:%d " PATH_MAX_FMT " " PATH_MAX_FMT, - &mount_id, - &parent_id, - &major, -@@ -340,6 +345,8 @@ mount_monitor_ensure (MountMonitor *moni - g_warning ("Error parsing line '%s'", lines[n]); - continue; - } -+ encoded_root[sizeof encoded_root - 1] = '\0'; -+ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0'; - - /* ignore mounts where only a subtree of a filesystem is mounted */ - if (g_strcmp0 (encoded_root, "/") != 0) -@@ -358,15 +365,17 @@ mount_monitor_ensure (MountMonitor *moni - sep = strstr (lines[n], " - "); - if (sep != NULL) - { -- gchar fstype[PATH_MAX]; -- gchar mount_source[PATH_MAX]; -+ gchar fstype[PATH_MAX + 1]; -+ gchar mount_source[PATH_MAX + 1]; - struct stat statbuf; - -- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2) -+ if (sscanf (sep + 3, PATH_MAX_FMT " " PATH_MAX_FMT, fstype, mount_source) != 2) - { - g_warning ("Error parsing things past - for '%s'", lines[n]); - continue; - } -+ fstype[sizeof fstype - 1] = '\0'; -+ mount_source[sizeof mount_source - 1] = '\0'; - - if (g_strcmp0 (fstype, "btrfs") != 0) - continue; diff --git a/pkgs/os-specific/linux/uksmtools/default.nix b/pkgs/os-specific/linux/uksmtools/default.nix index 3e8b37a2faf..cd7c7527fe9 100644 --- a/pkgs/os-specific/linux/uksmtools/default.nix +++ b/pkgs/os-specific/linux/uksmtools/default.nix @@ -1,8 +1,8 @@ { stdenv, fetchgit, cmake }: -let version = "2015-09-25"; in -stdenv.mkDerivation { +stdenv.mkDerivation rec { name = "uksmtools-${version}"; + version = "2015-09-25"; # This project uses git submodules, which fetchFromGitHub doesn't support: src = fetchgit { @@ -18,7 +18,6 @@ stdenv.mkDerivation { doCheck = false; meta = with stdenv.lib; { - inherit version; description = "Tools to control Linux UKSM (Ultra Kernel Same-page Merging)"; homepage = https://github.com/pfactum/uksmtools/; license = licenses.gpl3Plus; diff --git a/pkgs/os-specific/linux/wpa_supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/pkgs/os-specific/linux/wpa_supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch deleted file mode 100644 index de1964ca769..00000000000 --- a/pkgs/os-specific/linux/wpa_supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@qca.qualcomm.com> -Date: Tue, 7 Apr 2015 11:32:11 +0300 -Subject: [PATCH] P2P: Validate SSID element length before copying it - (CVE-2015-1863) - -This fixes a possible memcpy overflow for P2P dev->oper_ssid in -p2p_add_device(). The length provided by the peer device (0..255 bytes) -was used without proper bounds checking and that could have resulted in -arbitrary data of up to 223 bytes being written beyond the end of the -dev->oper_ssid[] array (of which about 150 bytes would be beyond the -heap allocation) when processing a corrupted management frame for P2P -peer discovery purposes. - -This could result in corrupted state in heap, unexpected program -behavior due to corrupted P2P peer device information, denial of service -due to process crash, exposure of memory contents during GO Negotiation, -and potentially arbitrary code execution. - -Thanks to Google security team for reporting this issue and smart -hardware research group of Alibaba security team for discovering it. - -Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> ---- - src/p2p/p2p.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c -index f584fae..a45fe73 100644 ---- a/src/p2p/p2p.c -+++ b/src/p2p/p2p.c -@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq, - if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0) - os_memcpy(dev->interface_addr, addr, ETH_ALEN); - if (msg.ssid && -+ msg.ssid[1] <= sizeof(dev->oper_ssid) && - (msg.ssid[1] != P2P_WILDCARD_SSID_LEN || - os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) - != 0)) { --- -1.9.1 - diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 28fc35efbd4..42da97a7a7b 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -20,13 +20,13 @@ assert buildKernel -> kernel != null && spl != null; stdenv.mkDerivation rec { name = "zfs-${configFile}-${version}${optionalString buildKernel "-${kernel.version}"}"; - version = "0.6.5.3"; + version = "0.6.5.4"; src = fetchFromGitHub { owner = "zfsonlinux"; repo = "zfs"; rev = "zfs-${version}"; - sha256 = "1hq65kq50hzhd1zqgyzqq2whg1fckigq8jmhhdsnbwrwmx5y76lh"; + sha256 = "10zf1kdgmdiaaa3zmz4sz5aj5ql6v24wcwixlxbwhwc51mr46k50"; }; patches = [ ./nix-build.patch ]; diff --git a/pkgs/os-specific/linux/zfs/nix-build.patch b/pkgs/os-specific/linux/zfs/nix-build.patch index ae8e82f703a..cc9e36838c7 100644 --- a/pkgs/os-specific/linux/zfs/nix-build.patch +++ b/pkgs/os-specific/linux/zfs/nix-build.patch @@ -1,8 +1,8 @@ diff --git a/Makefile.am b/Makefile.am -index 49b417a..f4af44d 100644 +index f8abb5f..82e8fb6 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -12,10 +12,10 @@ endif +@@ -11,10 +11,10 @@ endif if CONFIG_KERNEL SUBDIRS += module @@ -28,10 +28,10 @@ index a94cad5..a160fe2 100644 kernel_HEADERS = $(COMMON_H) $(KERNEL_H) endif diff --git a/include/linux/Makefile.am b/include/linux/Makefile.am -index d00b1c8..3242d2e 100644 +index 595d1db..d41375d 100644 --- a/include/linux/Makefile.am +++ b/include/linux/Makefile.am -@@ -17,6 +17,6 @@ libzfs_HEADERS = $(COMMON_H) $(USER_H) +@@ -18,6 +18,6 @@ libzfs_HEADERS = $(COMMON_H) $(USER_H) endif if CONFIG_KERNEL @@ -40,10 +40,10 @@ index d00b1c8..3242d2e 100644 kernel_HEADERS = $(COMMON_H) $(KERNEL_H) endif diff --git a/include/sys/Makefile.am b/include/sys/Makefile.am -index 7ddace0..8da3870 100644 +index 77ecfb2..52b3612 100644 --- a/include/sys/Makefile.am +++ b/include/sys/Makefile.am -@@ -102,6 +102,6 @@ libzfs_HEADERS = $(COMMON_H) $(USER_H) +@@ -114,6 +114,6 @@ libzfs_HEADERS = $(COMMON_H) $(USER_H) endif if CONFIG_KERNEL @@ -88,7 +88,7 @@ index 0859b9f..b0c6eec 100644 kernel_HEADERS = $(COMMON_H) $(KERNEL_H) endif diff --git a/module/Makefile.in b/module/Makefile.in -index 686402b..9cbf598 100644 +index d4ddee2..876c811 100644 --- a/module/Makefile.in +++ b/module/Makefile.in @@ -18,9 +18,9 @@ modules: @@ -107,7 +107,7 @@ index 686402b..9cbf598 100644 "*** - @SPL_OBJ@/module/@SPL_SYMBOLS@\n"; \ exit 1; \ fi -+ @# when copying a file out of the nix store, we need to make it writable again. ++ @# when copying a file out of the nix store, we need to make it writable again. + chmod +w @SPL_SYMBOLS@ $(MAKE) -C @LINUX_OBJ@ SUBDIRS=`pwd` @KERNELMAKE_PARAMS@ CONFIG_ZFS=m $@ @@ -122,8 +122,9 @@ index 686402b..9cbf598 100644 KERNELRELEASE=@LINUX_VERSION@ @# Remove extraneous build products when packaging - kmoddir=$(DESTDIR)$(INSTALL_MOD_PATH)/lib/modules/@LINUX_VERSION@; \ +- if [ -n "$(DESTDIR)" ]; then \ + kmoddir=@prefix@/$(INSTALL_MOD_PATH)/lib/modules/@LINUX_VERSION@; \ - if [ -n $$kmoddir ]; then \ ++ if [ -n "@prefix@" ]; then \ find $$kmoddir -name 'modules.*' | xargs $(RM); \ fi - sysmap=$(DESTDIR)$(INSTALL_MOD_PATH)/boot/System.map-@LINUX_VERSION@; \ |