Diffstat (limited to 'pkgs/os-specific')
72 files changed, 283 insertions, 192 deletions
diff --git a/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix b/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix index 16cfa9e554b..ce04be0e083 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, ed, unifdef, Libc_old }: +{ stdenv, appleDerivation, ed, unifdef, Libc_old, Libc_10-9 }: appleDerivation { phases = [ "unpackPhase" "installPhase" ]; @@ -13,6 +13,8 @@ appleDerivation { export PRIVATE_HEADERS_FOLDER_PATH=include bash xcodescripts/headers.sh + cp ${Libc_10-9}/include/NSSystemDirectories.h $out/include + # Ugh Apple stopped releasing this stuff so we need an older one... cp ${Libc_old}/include/spawn.h $out/include cp ${Libc_old}/include/setjmp.h $out/include diff --git a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix index 1c9b5879e6e..27d2360a980 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix 
@@ -5,42 +5,7 @@ appleDerivation rec { phases = [ "unpackPhase" "installPhase" ]; - buildInputs = [ cpio libpthread ]; - - systemlibs = [ "cache" - "commonCrypto" - "compiler_rt" - "copyfile" - "corecrypto" - "dispatch" - "dyld" - "keymgr" - "kxld" - "launch" - "macho" - "quarantine" - "removefile" - "system_asl" - "system_blocks" - # "system_c" # special re-export here to hide newer functions - "system_configuration" - "system_dnssd" - "system_info" - # "system_kernel" # special re-export here to hide newer functions - "system_m" - "system_malloc" - "system_network" - "system_notify" - "system_platform" - "system_pthread" - "system_sandbox" - # does not exist in El Capitan beta - # FIXME: does anything on yosemite actually need this? - # "system_stats" - "unc" - "unwind" - "xpc" - ]; + buildInputs = [ cpio ]; installPhase = '' export NIX_ENFORCE_PURITY= @@ -54,7 +19,7 @@ appleDerivation rec { for dep in ${Libc} ${Libm} ${Libinfo} ${dyld} ${architecture} ${libclosure} ${CarbonHeaders} \ ${libdispatch} ${ncurses.dev} ${CommonCrypto} ${copyfile} ${removefile} ${libresolv} \ - ${Libnotify} ${mDNSResponder} ${launchd} ${libutil}; do + ${Libnotify} ${mDNSResponder} ${launchd} ${libutil} ${libpthread}; do (cd $dep/include && find . -name '*.h' | cpio -pdm $out/include) done 
@@ -91,33 +56,9 @@ appleDerivation rec { # The startup object files cp ${Csu}/lib/* $out/lib - # selectively re-export functions from libsystem_c and libsystem_kernel - # to provide a consistent interface across OSX verions - mkdir -p $out/lib/system - ld -macosx_version_min 10.7 -arch x86_64 -dylib \ - -o $out/lib/system/libsystem_c.dylib \ - /usr/lib/libSystem.dylib \ - -reexported_symbols_list ${./system_c_symbols} - - ld -macosx_version_min 10.7 -arch x86_64 -dylib \ - -o $out/lib/system/libsystem_kernel.dylib \ - /usr/lib/libSystem.dylib \ - -reexported_symbols_list ${./system_kernel_symbols} - - # Set up the actual library link - clang -c -o CompatibilityHacks.o -Os CompatibilityHacks.c - clang -c -o init.o -Os init.c - ld -macosx_version_min 10.7 \ - -arch x86_64 \ - -dylib \ - -o $out/lib/libSystem.dylib \ - CompatibilityHacks.o init.o \ - -compatibility_version 1.0 \ - -current_version 1197.1.1 \ - -reexport_library $out/lib/system/libsystem_c.dylib \ - -reexport_library $out/lib/system/libsystem_kernel.dylib \ - ${stdenv.lib.concatStringsSep " " - (map (l: "-reexport_library /usr/lib/system/lib${l}.dylib") systemlibs)} + # OMG impurity + ln -s /usr/lib/libSystem.B.dylib $out/lib/libSystem.B.dylib + ln -s /usr/lib/libSystem.dylib $out/lib/libSystem.dylib # Set up links to pretend we work like a conventional unix (Apple's design, not mine!) for name in c dbm dl info m mx poll proc pthread rpcsvc util gcc_s.10.4 gcc_s.10.5; do diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 1fbacfb9284..24797fc286a 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix 
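Review bot: The two `ln -s /usr/lib/libSystem*.dylib` lines at the end of this installPhase hunk make the store output resolve to whatever libSystem the host ships, so the derivation hash no longer identifies the library that dependents link against. The removed `-reexported_symbols_list` step was what kept the exported surface constant across OS X versions, and nothing replaces it. The `# OMG impurity` comment should say this, e.g. `# Impure: links the host's libSystem; the exported symbols vary with the builder's OS version`. If `./system_c_symbols` and `./system_kernel_symbols` are now unused, the commit should remove them or say why they stay (not visible in this hunk). The installPhase starts and ends outside the hunk.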
@@ -3,7 +3,7 @@ appleDerivation { meta.broken = stdenv.cc.nativeLibc; - buildInputs = [ launchd bootstrap_cmds xnu ppp IOKit eap8021x ]; + buildInputs = [ launchd bootstrap_cmds ppp IOKit eap8021x ]; propagatedBuildInputs = [ Security ]; @@ -12,6 +12,11 @@ appleDerivation { ''; patchPhase = '' + HACK=$PWD/hack + mkdir $HACK + cp -r ${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders/net $HACK + + substituteInPlace SystemConfiguration.fproj/SCNetworkReachabilityInternal.h \ --replace '#include <xpc/xpc.h>' "" @@ -172,9 +177,9 @@ appleDerivation { cc -I. -Ihelper -Iderived -F. -c DHCP.c -o DHCP.o cc -I. -Ihelper -Iderived -F. -c moh.c -o moh.o cc -I. -Ihelper -Iderived -F. -c DeviceOnHold.c -o DeviceOnHold.o - cc -I. -Ihelper -Iderived -I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders -F. -c LinkConfiguration.c -o LinkConfiguration.o + cc -I. -Ihelper -Iderived -I $HACK -F. -c LinkConfiguration.c -o LinkConfiguration.o cc -I. -Ihelper -Iderived -F. -c dy_framework.c -o dy_framework.o - cc -I. -Ihelper -Iderived -I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders -F. -c VLANConfiguration.c -o VLANConfiguration.o + cc -I. -Ihelper -Iderived -I $HACK -F. -c VLANConfiguration.c -o VLANConfiguration.o cc -I. -Ihelper -Iderived -F. -c derived/configUser.c -o configUser.o cc -I. -Ihelper -Iderived -F. -c SCPreferencesPathKey.c -o SCPreferencesPathKey.o cc -I. -Ihelper -Iderived -I../dnsinfo -F. -c derived/shared_dns_infoUser.c -o shared_dns_infoUser.o 
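Review bot: The `HACK` directory added to patchPhase has no comment explaining why only `PrivateHeaders/net` is copied, where the old code passed the whole xnu `PrivateHeaders` directory with `-I`. Presumably the other private headers of the newer xnu would shadow includes that configd needs from elsewhere, but that is inferred and should be written down, e.g. `# Expose only xnu's private net/ headers; the full PrivateHeaders dir must not be on the include path`. The path is also used unquoted, and `mkdir $HACK` fails if the phase is re-run; `mkdir -p "$HACK"` is more robust. patchPhase continues outside the hunk.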
@@ -183,8 +188,8 @@ appleDerivation { cc -I. -Ihelper -Iderived -F. -c SCNetworkProtocol.c -o SCNetworkProtocol.o cc -I. -Ihelper -Iderived -F. -c SCNetworkService.c -o SCNetworkService.o cc -I. -Ihelper -Iderived -F. -c SCNetworkSet.c -o SCNetworkSet.o - cc -I. -Ihelper -Iderived -I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders -F. -c BondConfiguration.c -o BondConfiguration.o - cc -I. -Ihelper -Iderived -I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders -F. -c BridgeConfiguration.c -o BridgeConfiguration.o + cc -I. -Ihelper -Iderived -I $HACK -F. -c BondConfiguration.c -o BondConfiguration.o + cc -I. -Ihelper -Iderived -I $HACK -F. -c BridgeConfiguration.c -o BridgeConfiguration.o cc -I. -Ihelper -Iderived -F. -c helper/SCHelper_client.c -o SCHelper_client.o cc -I. -Ihelper -Iderived -F. -c SCPreferencesKeychainPrivate.c -o SCPreferencesKeychainPrivate.o cc -I. -Ihelper -Iderived -F. -c SCNetworkSignature.c -o SCNetworkSignature.o diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index ce128f14530..d7710abf291 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pkgs }: +{ stdenv, fetchurl, fetchzip, pkgs }: let # This attrset can in theory be computed automatically, but for that to work nicely we need @@ -6,9 +6,13 @@ let # a stdenv out of something like this. With some care we can probably get rid of this, but for # now it's staying here. versions = { - "osx-10.11.2" = { - dtrace = "168"; - xnu = "3248.20.55"; + "osx-10.11.6" = { + dtrace = "168"; + xnu = "3248.60.10"; + libpthread = "138.10.4"; + }; + "osx-10.11.5" = { + Libc = "1082.50.1"; # 10.11.6 still unreleased :/ }; "osx-10.10.5" = { adv_cmds = "158"; 
@@ -185,13 +189,18 @@ let CoreOSMakefiles = applePackage "CoreOSMakefiles" "osx-10.5" "0kxp53spbn7109l7cvhi88pmfsi81lwmbws819b6wr3hm16v84f4" {}; Csu = applePackage "Csu" "osx-10.10.5" "0yh5mslyx28xzpv8qww14infkylvc1ssi57imhi471fs91sisagj" {}; dtrace = applePackage "dtrace" "osx-10.10.5" "0pp5x8dgvzmg9vvg32hpy2brm17dpmbwrcr4prsmdmfvd4767wcf" {}; - dtracen = applePackage "dtrace" "osx-10.11.2" "04mi0jy8gy0w59rk9i9dqznysv6fzz1v5mq779s41cp308yi0h1c" {}; + dtracen = applePackage "dtrace" "osx-10.11.6" "04mi0jy8gy0w59rk9i9dqznysv6fzz1v5mq779s41cp308yi0h1c" {}; dyld = applePackage "dyld" "osx-10.10.5" "167f74ln8pmfimwn6kwh199ylvy3fw72fd15da94mf34ii0zar6k" {}; eap8021x = applePackage "eap8021x" "osx-10.10.5" "1f37dpbcgrd1b14nrv2lpqrkap74myjbparz9masx92df6kcn7l2" {}; IOKit = applePackage "IOKit" "osx-10.10.5" "0kcbrlyxcyirvg5p95hjd9k8a01k161zg0bsfgfhkb90kh2s8x0m" { inherit IOKitSrcs; }; launchd = applePackage "launchd" "osx-10.9.5" "0w30hvwqq8j5n90s3qyp0fccxflvrmmjnicjri4i1vd2g196jdgj" {}; libauto = applePackage "libauto" "osx-10.9.5" "17z27yq5d7zfkwr49r7f0vn9pxvj95884sd2k6lq6rfaz9gxqhy3" {}; - Libc = applePackage "Libc" "osx-10.9.5" "1jz5bx9l4q484vn28c6n9b28psja3rpxiqbj6zwrwvlndzmq1yz5" {}; + Libc = applePackage "Libc" "osx-10.11.5" "1qv7r0dgz06jy9i5agbqzxgdibb0m8ylki6g5n5pary88lzrawfd" { + Libc_10-9 = fetchzip { + url = "http://www.opensource.apple.com/tarballs/Libc/Libc-997.90.3.tar.gz"; + sha256 = "1xchgxkxg5288r2b9yfrqji2gsgdap92k4wx2dbjwslixws12pq7"; + }; + }; Libc_old = applePackage "Libc/825_40_1.nix" "osx-10.8.5" "0xsx1im52gwlmcrv4lnhhhn9dyk5ci6g27k6yvibn9vj8fzjxwcf" {}; libclosure = applePackage "libclosure" "osx-10.10.5" "1zqy1zvra46cmqv6vsf1mcsz3a76r9bky145phfwh4ab6y15vjpq" {}; libdispatch = applePackage "libdispatch" "osx-10.9.5" "1lc5033cmkwxy3r26gh9plimxshxfcbgw6i0j7mgjlnpk86iy5bk" {}; 
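Review bot: The new `Libc_10-9` source is fetched over plain HTTP (`url = "http://www.opensource.apple.com/tarballs/Libc/Libc-997.90.3.tar.gz"`). The pinned `sha256` makes a tampered tarball fail the build, but anyone refreshing the hash later would be trusting whatever that unauthenticated connection returns; if the host serves the same path over TLS, prefer `url = "https://www.opensource.apple.com/tarballs/Libc/Libc-997.90.3.tar.gz";`. Separately, `dtracen` moves to the `osx-10.11.6` key with an unchanged hash. That is consistent with `dtrace = "168"` in both version sets, but a fixed-output path already present in the store is never re-fetched, so it is worth confirming once that the new URL actually resolves.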
@@ -199,7 +208,7 @@ let Libinfo = applePackage "Libinfo" "osx-10.10.5" "19n72s652rrqnc9hzlh4xq3h7xsfyjyklmcgyzyj0v0z68ww3z6h" {}; Libm = applePackage "Libm" "osx-10.7.4" "02sd82ig2jvvyyfschmb4gpz6psnizri8sh6i982v341x6y4ysl7" {}; Libnotify = applePackage "Libnotify" "osx-10.9.5" "164rx4za5z74s0mk9x0m1815r1m9kfal8dz3bfaw7figyjd6nqad" {}; - libpthread = applePackage "libpthread" "osx-10.10.5" "1p2y6xvsfqyakivr6d48fgrd163b5m9r045cxyfwrf8w0r33nfn3" {}; + libpthread = applePackage "libpthread" "osx-10.11.6" "1kbw738cmr9pa7pz1igmajs307clfq7gv2vm1sqdzhcnnjxbl28w" {}; libresolv = applePackage "libresolv" "osx-10.10.5" "0nvssf4qaqgs1dxwayzdy66757k99969f6c7n68n58n2yh6f5f6a" {}; Libsystem = applePackage "Libsystem" "osx-10.9.5" "1yfj2qdrf9vrzs7p9m4wlb7zzxcrim1gw43x4lvz4qydpp5kg2rh" {}; libutil = applePackage "libutil" "osx-10.10.5" "12gsvmj342n5d81kqwba68bmz3zf2757442g1sz2y5xmcapa3g5f" {}; @@ -209,7 +218,7 @@ let ppp = applePackage "ppp" "osx-10.10.5" "01v7i0xds185glv8psvlffylfcfhbx1wgsfg74kx5rh3lyrigwrb" {}; removefile = applePackage "removefile" "osx-10.10.5" "1f2jw5irq6fz2jv5pag1w2ivfp8659v74f0h8kh0yx0rqw4asm33" {}; Security = applePackage "Security" "osx-10.9.5" "1nv0dczf67dhk17hscx52izgdcyacgyy12ag0jh6nl5hmfzsn8yy" {}; - xnu = applePackage "xnu" "osx-10.9.5" "1ssw5fzvgix20bw6y13c39ib0zs7ykpig3irlwbaccpjpci5jl0s" {}; + xnu = applePackage "xnu" "osx-10.11.6" "0yhziq4dqqcbjpf6vyqn8xhwva2zb525gndkx8cp8alzwp76jnr9" {}; # Pending work... we can't change the above packages in place because the bootstrap depends on them, so we detach the expressions # here so we can work on them. diff --git a/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix index 027784e2ea6..c9d4b654a58 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix 
@@ -6,8 +6,14 @@ appleDerivation { propagatedBuildInputs = [ libdispatch xnu ]; installPhase = '' - mkdir -p $out/include/pthread + mkdir -p $out/include/pthread/ + mkdir -p $out/include/sys/_types cp pthread/*.h $out/include/pthread/ - cp private/*.h $out/include/pthread/ + + # This overwrites qos.h, and is probably not necessary, but I'll leave it here for now + # cp private/*.h $out/include/pthread/ + + cp -r sys $out/include + cp -r sys/_pthread/*.h $out/include/sys/_types/ ''; } diff --git a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix index 4933f94d4a9..0ce9c54e48c 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix @@ -30,11 +30,12 @@ appleDerivation { substituteInPlace libsyscall/xcodescripts/mach_install_mig.sh \ --replace "/usr/include" "/include" \ --replace "/usr/local/include" "/include" \ - --replace "MIG=" "# " \ - --replace "MIGCC=" "# " \ + --replace 'MIG=`' "# " \ + --replace 'MIGCC=`' "# " \ --replace " -o 0" "" \ --replace '$SRC/$mig' '-I$DSTROOT/include $SRC/$mig' \ - --replace '$SRC/servers/netname.defs' '-I$DSTROOT/include $SRC/servers/netname.defs' + --replace '$SRC/servers/netname.defs' '-I$DSTROOT/include $SRC/servers/netname.defs' \ + --replace '$BUILT_PRODUCTS_DIR/mig_hdr' '$BUILT_PRODUCTS_DIR' patchShebangs . ''; @@ -46,9 +47,9 @@ appleDerivation { cat > sdk/usr/local/libexec/availability.pl <<EOF #!$SHELL if [ "\$1" == "--macosx" ]; then - echo 10.0 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 + echo 10.0 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11 elif [ "\$1" == "--ios" ]; then - echo 2.0 2.1 2.2 3.0 3.1 3.2 4.0 4.1 4.2 4.3 5.0 5.1 6.0 6.1 7.0 + echo 2.0 2.1 2.2 3.0 3.1 3.2 4.0 4.1 4.2 4.3 5.0 5.1 6.0 6.1 7.0 8.0 9.0 fi EOF chmod +x sdk/usr/local/libexec/availability.pl 
@@ -56,7 +57,7 @@ appleDerivation { export SDKROOT_RESOLVED=$PWD/sdk export HOST_SDKROOT_RESOLVED=$PWD/sdk export PLATFORM=MacOSX - export SDKVERSION=10.7 + export SDKVERSION=10.11 export CC=cc export CXX=c++ @@ -87,13 +88,13 @@ appleDerivation { make installhdrs mv $out/usr/include $out - rmdir $out/usr # TODO: figure out why I need to do this cp libsyscall/wrappers/*.h $out/include mkdir -p $out/include/os cp libsyscall/os/tsd.h $out/include/os/tsd.h cp EXTERNAL_HEADERS/AssertMacros.h $out/include + cp EXTERNAL_HEADERS/Availability*.h $out/System/Library/Frameworks/Kernel.framework/Versions/A/Headers/ # Build the mach headers we crave export MIGCC=cc @@ -101,11 +102,21 @@ appleDerivation { export SRCROOT=$PWD/libsyscall export DERIVED_SOURCES_DIR=$out/include export SDKROOT=$out + export OBJROOT=$PWD + export BUILT_PRODUCTS_DIR=$out libsyscall/xcodescripts/mach_install_mig.sh # Get rid of the System prefix mv $out/System/* $out/ + # TODO: do I need this? + mv $out/internal_hdr/include/mach/*.h $out/include/mach + + # Get rid of some junk lying around + rm -rf $out/internal_hdr + rm -rf $out/usr + rm -rf $out/local + # Add some symlinks ln -s $out/Library/Frameworks/System.framework/Versions/B \ $out/Library/Frameworks/System.framework/Versions/Current diff --git a/pkgs/os-specific/darwin/swift-corefoundation/default.nix b/pkgs/os-specific/darwin/swift-corefoundation/default.nix new file mode 100644 index 00000000000..969168fa54b --- /dev/null +++ b/pkgs/os-specific/darwin/swift-corefoundation/default.nix 
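Review bot: Replacing `rmdir $out/usr` with `rm -rf $out/usr`, together with the new `rm -rf $out/internal_hdr` and `rm -rf $out/local` in the last xnu hunk, removes the only check that those directories were empty once the headers had been moved out. Anything else the newer xnu installs there is now silently discarded. Either keep `rmdir` for `usr` so that an unexpected file fails the build, or add a comment listing what is expected to be thrown away. The `# TODO: do I need this?` above `mv $out/internal_hdr/include/mach/*.h $out/include/mach` should name the consumer that needed those headers. installPhase begins outside the hunk.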
@@ -0,0 +1,32 @@ +{ stdenv, fetchFromGitHub, python, ninja, libxml2 }: + +stdenv.mkDerivation { + name = "swift-corefoundation"; + + src = fetchFromGitHub { + owner = "apple"; + repo = "swift-corelibs-foundation"; + rev = "dce4233f583ec15190b240d6116396bf9641cd57"; + sha256 = "0i2ldvy14x05k2vgl5z0g5l2i5llifdfbij5zwfdwb8jmmq215qr"; + }; + + buildInputs = [ ninja python libxml2 ]; + + patchPhase = '' + substituteInPlace CoreFoundation/build.py \ + --replace '-I''${SYSROOT}/usr/include/libxml2' '-I${libxml2.dev}/include/libxml2' \ + ''; + + configurePhase = ":"; + + buildPhase = '' + cd CoreFoundation + ../configure --sysroot unused + ninja + ''; + + installPhase = '' + mkdir -p $out/lib + cp ../Build/CoreFoundation/libCoreFoundation.a $out/lib + ''; +} diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix index 289b54f1b54..65223a32bad 100644 --- a/pkgs/os-specific/linux/acpi-call/default.nix +++ b/pkgs/os-specific/linux/acpi-call/default.nix @@ -8,7 +8,9 @@ stdenv.mkDerivation { rev = "ac67445bc75ec4fcf46ceb195fb84d74ad350d51"; sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; }; - + + hardeningDisable = [ "pic" ]; + preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh diff --git a/pkgs/os-specific/linux/ati-drivers/default.nix b/pkgs/os-specific/linux/ati-drivers/default.nix index e5eb9b8c6c3..902f0e37e35 100644 --- a/pkgs/os-specific/linux/ati-drivers/default.nix +++ b/pkgs/os-specific/linux/ati-drivers/default.nix @@ -65,6 +65,8 @@ stdenv.mkDerivation rec { curlOpts = "--referer http://support.amd.com/en-us/download/desktop?os=Linux+x86_64"; }; + hardeningDisable = [ "pic" "format" ]; + patchPhaseSamples = "patch -p2 < ${./patches/patch-samples.patch}"; patches = [ ./patches/15.12-xstate-fp.patch 
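Review bot: The `substituteInPlace` call in the new swift-corefoundation patchPhase ends with a trailing `\` directly before the closing `''`, leaving a dangling line continuation in the generated script; drop the backslash after the second `--replace` argument. The derivation also has no `meta` block, so nothing records a license or restricts it to Darwin, whereas ena gains `platforms = lib.platforms.linux;` in this same commit. Adding `meta.platforms` and `meta.license` would be consistent; the correct values are for the author to confirm.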
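Review bot: `hardeningDisable = [ "pic" "format" ];` in ati-drivers switches off the format-string check for the whole package instead of fixing the offending calls, and no comment says which call sites trip it. The same applies to the `"format"` entries added for busybox, gogoclient, ifenslave, kexectools and klibc in this commit. The dmraid change in the same commit shows the preferable route: a small patch turning `syslog(LOG_ERR, msg[0])` into `syslog(LOG_ERR, "%s", msg[0])` keeps the check enabled. Where patching is not practical, add a comment such as `# upstream passes non-literal format strings in <file placeholder>` so the exemption can be revisited.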
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix index 2eab4c3503b..65fcd07a6e0 100644 --- a/pkgs/os-specific/linux/batman-adv/default.nix +++ b/pkgs/os-specific/linux/batman-adv/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "0pj6jans75pxw9arp1747kmmk72zbc2vgkf2a0w565pj98x1nlk1"; }; + hardeningDisable = [ "pic" ]; + preBuild = '' makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," \ diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix index ec1e5f2e20b..67b843fac4d 100644 --- a/pkgs/os-specific/linux/bbswitch/default.nix +++ b/pkgs/os-specific/linux/bbswitch/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation { sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m"; }) ]; + hardeningDisable = [ "pic" ]; + preBuild = '' substituteInPlace Makefile \ --replace "\$(shell uname -r)" "${kernel.modDirVersion}" \ diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix index bc7523858fe..c2e3fa4b9e1 100644 --- a/pkgs/os-specific/linux/blcr/default.nix +++ b/pkgs/os-specific/linux/blcr/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { buildInputs = [ perl makeWrapper ]; + hardeningDisable = [ "pic" ]; + preConfigure = '' configureFlagsArray=( --with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build @@ -33,7 +35,7 @@ stdenv.mkDerivation { wrapProgram "$prog" --prefix LD_LIBRARY_PATH ":" "$out/lib" done ''; - + meta = { description = "Berkeley Lab Checkpoint/Restart for Linux (BLCR)"; homepage = https://ftg.lbl.gov/projects/CheckpointRestart/; diff --git a/pkgs/os-specific/linux/broadcom-sta/default.nix b/pkgs/os-specific/linux/broadcom-sta/default.nix index 28b23a61ff0..e36512e0076 100644 --- a/pkgs/os-specific/linux/broadcom-sta/default.nix +++ b/pkgs/os-specific/linux/broadcom-sta/default.nix 
@@ -19,6 +19,8 @@ stdenv.mkDerivation { sha256 = hashes.${stdenv.system}; }; + hardeningDisable = [ "pic" ]; + patches = [ ./i686-build-failure.patch ./license.patch diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index 296b19bc5b6..efb06ba845e 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -33,6 +33,8 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; }; + hardeningDisable = [ "format" ]; + patches = [ ./busybox-in-store.patch ]; configurePhase = '' @@ -72,7 +74,7 @@ stdenv.mkDerivation rec { makeFlagsArray+=("CC=gcc -isystem ${musl}/include -B${musl}/lib -L${musl}/lib") ''; - buildInputs = lib.optionals (enableStatic && !useMusl) [ glibc glibc.static ]; + buildInputs = lib.optionals (enableStatic && !useMusl) [ stdenv.cc.libc stdenv.cc.libc.static ]; crossAttrs = { extraCrossConfig = '' diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix index e698c11ad0f..1a879ba3330 100644 --- a/pkgs/os-specific/linux/checksec/default.nix +++ b/pkgs/os-specific/linux/checksec/default.nix @@ -3,6 +3,7 @@ stdenv.mkDerivation rec { name = "checksec-${version}"; version = "1.5"; + src = fetchurl { url = "http://www.trapkit.de/tools/checksec.sh"; sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p"; @@ -11,9 +12,9 @@ stdenv.mkDerivation rec { patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ]; unpackPhase = '' - mkdir ${name}-${version} - cp $src ${name}-${version}/checksec.sh - cd ${name}-${version} + mkdir ${name} + cp $src ${name}/checksec.sh + cd ${name} ''; installPhase = '' 
@@ -32,8 +33,6 @@ stdenv.mkDerivation rec { substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -" ''; - phases = "unpackPhase patchPhase installPhase"; - meta = { description = "A tool for checking security bits on executables"; homepage = "http://www.trapkit.de/tools/checksec.html"; diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix index 630c4985325..efca4c7bbb5 100644 --- a/pkgs/os-specific/linux/criu/default.nix +++ b/pkgs/os-specific/linux/criu/default.nix @@ -24,7 +24,11 @@ stdenv.mkDerivation rec { ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto ''; - buildPhase = "make PREFIX=$out"; + buildPhase = "make PREFIX=$out"; + + makeFlags = "PREFIX=$(out)"; + + hardeningDisable = [ "stackprotector" ]; installPhase = '' mkdir -p $out/etc/logrotate.d diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix index 4ea9295ef4f..f3c26223122 100644 --- a/pkgs/os-specific/linux/cryptodev/default.nix +++ b/pkgs/os-specific/linux/cryptodev/default.nix 
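Review bot: `hardeningDisable = [ "stackprotector" ];` is added to criu with no comment giving the reason, and dropping stack canaries for an entire checkpoint/restore tool deserves one. Presumably part of the code has to run without the normal runtime, but that is not visible here. The added `makeFlags = "PREFIX=$(out)";` also sits next to an explicit `buildPhase = "make PREFIX=$out";`, which does not consult `makeFlags`. Since installPhase is overridden too, the new attribute may be dead; either drop the custom `buildPhase` so the default phase uses `makeFlags`, or drop `makeFlags`. installPhase continues outside the hunk.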
@@ -1,26 +1,19 @@ { fetchurl, stdenv, kernel, onlyHeaders ? false }: stdenv.mkDerivation rec { - pname = "cryptodev-linux-1.6"; + pname = "cryptodev-linux-1.8"; name = "${pname}-${kernel.version}"; src = fetchurl { url = "http://download.gna.org/cryptodev-linux/${pname}.tar.gz"; - sha256 = "0bryzdb4xz3fp2q00a0mlqkj629md825lnlh4gjwmy51irf45wbm"; + sha256 = "0xhkhcdlds9aiz0hams93dv0zkgcn2abaiagdjlqdck7zglvvyk7"; }; - buildPhase = if !onlyHeaders then '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - SUBDIRS=`pwd` INSTALL_PATH=$out - '' else ":"; + hardeningDisable = [ "pic" ]; - installPhase = stdenv.lib.optionalString (!onlyHeaders) '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - INSTALL_MOD_PATH=$out SUBDIRS=`pwd` modules_install - '' + '' - mkdir -p $out/include/crypto - cp crypto/cryptodev.h $out/include/crypto - ''; + KERNEL_DIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; + INSTALL_MOD_PATH = "\${out}"; + PREFIX = "\${out}"; meta = { description = "Device that allows access to Linux kernel cryptographic drivers"; diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix index d0d0371ec2d..46ebc923e3b 100644 --- a/pkgs/os-specific/linux/disk-indicator/default.nix +++ b/pkgs/os-specific/linux/disk-indicator/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation { NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; + hardeningDisable = [ "fortify" ]; + installPhase = '' mkdir -p "$out/bin" cp ./disk_indicator "$out/bin/" diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix index fcbc8cb5125..d39cadf4199 100644 --- a/pkgs/os-specific/linux/dmraid/default.nix +++ b/pkgs/os-specific/linux/dmraid/default.nix 
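Review bot: The cryptodev function still takes `onlyHeaders ? false`, but this hunk removes both places that used it: the conditional `buildPhase` and the `optionalString (!onlyHeaders)` in `installPhase`. A caller passing `onlyHeaders = true` would therefore build and install the kernel module instead of only `crypto/cryptodev.h`. Either remove the argument and update its callers, or restore a header-only branch. The source URL in the unchanged context is plain `http://`; the `sha256` covers integrity, but an HTTPS location is preferable if one exists. The `meta` block lies outside the hunk.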
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0m92971gyqp61darxbiri6a48jz3wq3gkp8r2k39320z0i6w8jgq"; }; + patches = [ ./hardening-format.patch ]; + postPatch = '' sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in ''; diff --git a/pkgs/os-specific/linux/dmraid/hardening-format.patch b/pkgs/os-specific/linux/dmraid/hardening-format.patch new file mode 100644 index 00000000000..f91a7fb18aa --- /dev/null +++ b/pkgs/os-specific/linux/dmraid/hardening-format.patch @@ -0,0 +1,18 @@ +--- a/1.0.0.rc16/lib/events/libdmraid-events-isw.c 2016-01-29 05:16:57.455425454 +0000 ++++ b/1.0.0.rc16/lib/events/libdmraid-events-isw.c 2016-01-29 05:17:55.520564013 +0000 +@@ -838,13 +838,13 @@ + + sz = _log_all_devs(log_type, rs, NULL, 0); + if (!sz) { +- syslog(LOG_ERR, msg[0]); ++ syslog(LOG_ERR, "%s", msg[0]); + return; + } + + str = dm_malloc(++sz); + if (!str) { +- syslog(LOG_ERR, msg[1]); ++ syslog(LOG_ERR, "%s", msg[1]); + return; + } + diff --git a/pkgs/os-specific/linux/dpdk/default.nix b/pkgs/os-specific/linux/dpdk/default.nix index 9d1d3d666ac..e0c164e6232 100644 --- a/pkgs/os-specific/linux/dpdk/default.nix +++ b/pkgs/os-specific/linux/dpdk/default.nix @@ -22,6 +22,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; outputs = [ "out" "kmod" "examples" ]; + hardeningDisable = [ "pic" ]; + configurePhase = '' make T=x86_64-native-linuxapp-gcc config ''; diff --git a/pkgs/os-specific/linux/e1000e/default.nix b/pkgs/os-specific/linux/e1000e/default.nix index 0b67a5382f7..5406c37522e 100644 --- a/pkgs/os-specific/linux/e1000e/default.nix +++ b/pkgs/os-specific/linux/e1000e/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "07hg6xxqgqshnys1qs9wbl9qr7d4ixdkd1y1fj27cg6bn8s2n797"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd src kernel_version=${kernel.modDirVersion} diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix index 7a047e9f233..051725d32d9 100644 
--- a/pkgs/os-specific/linux/ena/default.nix +++ b/pkgs/os-specific/linux/ena/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "03w6xgv3lfn28n38mj9cdi3px5zjyrbxnflpd3ggivkv6grf9fp7"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd kernel/linux/ena @@ -30,5 +32,6 @@ stdenv.mkDerivation rec { homepage = https://github.com/amzn/amzn-drivers; license = lib.licenses.gpl2; maintainers = [ lib.maintainers.eelco ]; + platforms = lib.platforms.linux; }; } diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix index cbacb6ae074..de726d5b42c 100644 --- a/pkgs/os-specific/linux/facetimehd/default.nix +++ b/pkgs/os-specific/linux/facetimehd/default.nix @@ -4,7 +4,6 @@ assert stdenv.lib.versionAtLeast kernel.version "3.19"; stdenv.mkDerivation rec { - name = "facetimehd-${version}-${kernel.version}"; version = "git-20160503"; @@ -29,6 +28,8 @@ stdenv.mkDerivation rec { export INSTALL_MOD_PATH="$out" ''; + hardeningDisable = [ "pic" ]; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ]; @@ -40,5 +41,4 @@ stdenv.mkDerivation rec { maintainers = with maintainers; [ womfoo grahamc ]; platforms = platforms.linux; }; - } diff --git a/pkgs/os-specific/linux/frandom/default.nix b/pkgs/os-specific/linux/frandom/default.nix index 80ad483b367..dfdc79c2005 100644 --- a/pkgs/os-specific/linux/frandom/default.nix +++ b/pkgs/os-specific/linux/frandom/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "15rgyk4hfawqg7z1spk2xlk1nn6rcdls8gdhc70f91shrc9pvlls"; }; + hardeningDisable = [ "pic" ]; + preBuild = '' kernelVersion=${kernel.modDirVersion} substituteInPlace Makefile \ diff --git a/pkgs/os-specific/linux/fusionio/vsl.nix b/pkgs/os-specific/linux/fusionio/vsl.nix index 8e24b5061cd..665c4b4d081 100644 --- a/pkgs/os-specific/linux/fusionio/vsl.nix +++ b/pkgs/os-specific/linux/fusionio/vsl.nix 
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec { src = srcs.vsl; + hardeningDisable = [ "pic" ]; + prePatch = '' cd root/usr/src/iomemory-vsl-* ''; diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix index c33d9cfae9e..7383db95c37 100644 --- a/pkgs/os-specific/linux/gogoclient/default.nix +++ b/pkgs/os-specific/linux/gogoclient/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"]; + hardeningDisable = [ "format" ]; + buildInputs = [openssl]; preFixup = '' diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix index d8985003b41..b9390d1d589 100644 --- a/pkgs/os-specific/linux/ifenslave/default.nix +++ b/pkgs/os-specific/linux/ifenslave/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { cp -a ifenslave $out/bin ''; + hardeningDisable = [ "format" ]; + meta = { description = "Utility for enslaving networking interfaces under a bond"; license = stdenv.lib.licenses.gpl2; diff --git a/pkgs/os-specific/linux/ixgbevf/default.nix b/pkgs/os-specific/linux/ixgbevf/default.nix index eb90c9fb1eb..1f8ced6c2d2 100644 --- a/pkgs/os-specific/linux/ixgbevf/default.nix +++ b/pkgs/os-specific/linux/ixgbevf/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1i6ry3vd77190sxb47xhbz3v30gighwax6prav4ggs3q80a389c8"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd src makeFlagsArray+=(KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build INSTALL_MOD_PATH=$out MANDIR=/share/man) diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index 389dcc22053..274d0cc4139 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix 
@@ -9,6 +9,8 @@ stdenv.mkDerivation { src = sourceAttrs.src; + hardeningDisable = [ "pic" ]; + prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile ''; diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix index 0cc38a0548c..22650747ba2 100644 --- a/pkgs/os-specific/linux/kernel-headers/3.18.nix +++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix @@ -34,6 +34,9 @@ stdenv.mkDerivation { buildInputs = [perl]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + extraIncludeDirs = if cross != null then (if cross.arch == "powerpc" then ["ppc"] else []) diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index c5a4ba2b18a..f4693417e20 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -222,6 +222,8 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); + hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ]; + makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ]; diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix index 34cd0cbd433..4b1120afa4e 100644 --- a/pkgs/os-specific/linux/kernel/perf.nix +++ b/pkgs/os-specific/linux/kernel/perf.nix 
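Review bot: `hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ];` in kernel/manual-config.nix turns off all five listed wrapper-injected flags for every kernel built through this file. Nothing records that this concerns the compiler wrapper's userland flags rather than the kernel's own protections. A comment such as `# The kernel selects its own hardening via Kconfig; the cc-wrapper's userland flags do not apply to it` would stop a later reader from concluding that stack protection is off in the resulting kernel. That the kernel's own options remain in effect is the expected outcome, but it should be confirmed against a generated config. The derivation body starts and ends outside the hunk.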
@@ -25,18 +25,15 @@ stdenv.mkDerivation { # binutils is required for libbfd. nativeBuildInputs = [ asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt flex bison libiberty ]; - buildInputs = [ python perl newt slang pkgconfig libunwind binutils zlib ] ++ + buildInputs = [ elfutils python perl newt slang pkgconfig libunwind binutils zlib ] ++ stdenv.lib.optional withGtk gtk; # Note: we don't add elfutils to buildInputs, since it provides a # bad `ld' and other stuff. - NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp -Wno-error=bool-compare -Wno-error=deprecated-declarations"; - NIX_CFLAGS_LINK = "-L${elfutils}/lib"; + NIX_CFLAGS_COMPILE = "-Wno-error=cpp -Wno-error=bool-compare -Wno-error=deprecated-declarations"; installFlags = "install install-man ASCIIDOC8=1"; - inherit elfutils; - crossAttrs = { /* I don't want cross-python or cross-perl - I don't know if cross-python even works */ diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index d7d79b0257d..cb30de44a81 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "03cj7w2l5fqn72xfhl4q6z0zbziwkp9bfn0gs7gaf9i44jv6gkhl"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ zlib ]; meta = with stdenv.lib; { diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix index 02ec36d64ba..84b66ac0d9c 100644 --- a/pkgs/os-specific/linux/klibc/default.nix +++ b/pkgs/os-specific/linux/klibc/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ perl ]; + hardeningDisable = [ "format" "stackprotector" ]; + makeFlags = commonMakeFlags ++ [ "KLIBCARCH=${stdenv.platform.kernelArch}" "KLIBCKERNELSRC=${linuxHeaders}" diff --git a/pkgs/os-specific/linux/ldm/default.nix b/pkgs/os-specific/linux/ldm/default.nix index 9a9fca2431a..0c333feab1c 100644 --- a/pkgs/os-specific/linux/ldm/default.nix 
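Review bot: Adding `elfutils` to `buildInputs` in perf.nix contradicts the comment kept as context just below it, the one beginning `# Note: we don't add elfutils to buildInputs`, which warns that elfutils ships a bad `ld`. Either that warning no longer applies and the comment should be removed, or it still does and the build may now resolve `ld` from elfutils ahead of binutils. The build log should show which linker is actually invoked. If the concern is obsolete, replace the comment with one line saying why, so a later reader does not revert the change.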
+++ b/pkgs/os-specific/linux/ldm/default.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation rec { sed '16i#include <sys/stat.h>' -i ldm.c ''; - buildPhase = "make ldm"; + buildFlags = "ldm"; installPhase = '' mkdir -p $out/bin diff --git a/pkgs/os-specific/linux/libaio/default.nix b/pkgs/os-specific/linux/libaio/default.nix index b3df129912e..1e85182d6c3 100644 --- a/pkgs/os-specific/linux/libaio/default.nix +++ b/pkgs/os-specific/linux/libaio/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { makeFlags = "prefix=$(out)"; + hardeningDisable = stdenv.lib.optional (stdenv.isi686) "stackprotector"; + meta = { description = "Library for asynchronous I/O in Linux"; homepage = http://lse.sourceforge.net/io/aio.html; diff --git a/pkgs/os-specific/linux/libnl/default.nix b/pkgs/os-specific/linux/libnl/default.nix index 6e5c63a2722..7e6fd1d1990 100644 --- a/pkgs/os-specific/linux/libnl/default.nix +++ b/pkgs/os-specific/linux/libnl/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchFromGitHub, autoreconfHook, bison, flex, pkgconfig }: -let version = "3.2.27"; in +let version = "3.2.28"; in stdenv.mkDerivation { name = "libnl-${version}"; src = fetchFromGitHub { - sha256 = "1rc8plgl2ijq2pwlzinpfr06kiggjyx71r3lw505m6rvxvdac82r"; - rev = "libnl3_2_27"; + sha256 = "02cm57z4h7rhjlxza07zhk02924acfz6m5gbmm5lbkkp6qh81328"; + rev = "libnl3_2_28"; repo = "libnl"; owner = "thom311"; }; diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix index 9e24d5f46ef..10551c08077 100644 --- a/pkgs/os-specific/linux/lttng-modules/default.nix +++ b/pkgs/os-specific/linux/lttng-modules/default.nix @@ -10,6 +10,10 @@ stdenv.mkDerivation rec { sha256 = "0a9xwq0kgpx1y800l232h524f19g3py6cnxff10j9p01q6lzhrxh"; }; + hardeningDisable = [ "pic" ]; + + NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration"; + preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" export INSTALL_MOD_PATH="$out" 
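Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";` in lttng-modules lets kernel-module code call functions with no prototype in scope. The compiler then assumes an `int` return and does not check arguments, which on 64-bit targets can silently truncate a returned pointer. For code that runs in the kernel I would rather find the missing header or kernel-version guard and patch it. If that is not feasible now, mark the line `# FIXME: <function> undeclared against kernel <version>; remove once fixed upstream`. rtl8812au gets a similar `-Wno-error=incompatible-pointer-types` in a later hunk and deserves the same treatment.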
diff --git a/pkgs/os-specific/linux/mba6x_bl/default.nix b/pkgs/os-specific/linux/mba6x_bl/default.nix index 010bda4bb15..2a0e53b3925 100644 --- a/pkgs/os-specific/linux/mba6x_bl/default.nix +++ b/pkgs/os-specific/linux/mba6x_bl/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "pic" ]; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" "INSTALL_MOD_PATH=$(out)" diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix index ba69b421c3d..409eb31e14f 100644 --- a/pkgs/os-specific/linux/multipath-tools/default.nix +++ b/pkgs/os-specific/linux/multipath-tools/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i"; }; + hardeningDisable = [ "format" ]; + postPatch = '' sed -i -re ' s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'", diff --git a/pkgs/os-specific/linux/mxu11x0/default.nix b/pkgs/os-specific/linux/mxu11x0/default.nix index 4af40432403..ed88fc643fd 100644 --- a/pkgs/os-specific/linux/mxu11x0/default.nix +++ b/pkgs/os-specific/linux/mxu11x0/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardeningDisable = [ "pic" ]; + meta = with stdenv.lib; { description = "MOXA UPort 11x0 USB to Serial Hub driver"; homepage = "https://github.com/ellysh/mxu11x0"; diff --git a/pkgs/os-specific/linux/ndiswrapper/default.nix b/pkgs/os-specific/linux/ndiswrapper/default.nix index f95de433564..eabc2840881 100644 --- a/pkgs/os-specific/linux/ndiswrapper/default.nix +++ b/pkgs/os-specific/linux/ndiswrapper/default.nix @@ -3,6 +3,8 @@ stdenv.mkDerivation { name = "ndiswrapper-1.59-${kernel.version}"; + hardeningDisable = [ "pic" ]; + patches = [ ./no-sbin.patch ]; # need at least .config and include 
diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix index 5d54d0a21ff..5177ea45e7a 100644 --- a/pkgs/os-specific/linux/netatop/default.nix +++ b/pkgs/os-specific/linux/netatop/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { buildInputs = [ zlib ]; + hardeningDisable = [ "pic" ]; + preConfigure = '' patchShebangs mkversion sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \ diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix index 55edff57712..ed84c41001b 100644 --- a/pkgs/os-specific/linux/numad/default.nix +++ b/pkgs/os-specific/linux/numad/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; }; + hardeningDisable = [ "format" ]; + patches = [ ./numad-linker-flags.patch ]; diff --git a/pkgs/os-specific/linux/nvidia-x11/beta.nix b/pkgs/os-specific/linux/nvidia-x11/beta.nix index d3111a4f75a..6fd5fb6c0b6 100644 --- a/pkgs/os-specific/linux/nvidia-x11/beta.nix +++ b/pkgs/os-specific/linux/nvidia-x11/beta.nix @@ -41,6 +41,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix index cbd4e466b70..f561c0addc8 100644 --- a/pkgs/os-specific/linux/nvidia-x11/default.nix +++ b/pkgs/os-specific/linux/nvidia-x11/default.nix @@ -42,6 +42,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix index 91813d67e1c..27c963f4bd9 100644 
--- a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix @@ -26,6 +26,8 @@ stdenv.mkDerivation { kernel = kernel.dev; + hardeningDisable = [ "pic" "format" ]; + inherit versionNumber; dontStrip = true; diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy304.nix b/pkgs/os-specific/linux/nvidia-x11/legacy304.nix index 5cf3583e873..65cf42333e0 100644 --- a/pkgs/os-specific/linux/nvidia-x11/legacy304.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy304.nix @@ -32,6 +32,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = stdenv.lib.makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy340.nix b/pkgs/os-specific/linux/nvidia-x11/legacy340.nix index fa9d6442e42..0682954d558 100644 --- a/pkgs/os-specific/linux/nvidia-x11/legacy340.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy340.nix @@ -42,6 +42,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; diff --git a/pkgs/os-specific/linux/nvidiabl/default.nix b/pkgs/os-specific/linux/nvidiabl/default.nix index a6797608664..881c29c1ce0 100644 --- a/pkgs/os-specific/linux/nvidiabl/default.nix +++ b/pkgs/os-specific/linux/nvidiabl/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "1c7ar39wc8jpqh67sw03lwnyp0m9l6dad469ybqrgcywdiwxspwj"; }; + hardeningDisable = [ "pic" ]; + patches = [ ./linux4compat.patch ]; preConfigure = '' diff --git a/pkgs/os-specific/linux/otpw/default.nix b/pkgs/os-specific/linux/otpw/default.nix index ff5367b9839..69c6dd1510c 100644 --- a/pkgs/os-specific/linux/otpw/default.nix +++ b/pkgs/os-specific/linux/otpw/default.nix 
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec { buildInputs = [ pam ]; + hardeningDisable = [ "stackprotector" ]; + meta = { homepage = http://www.cl.cam.ac.uk/~mgk25/otpw.html; description = "A one-time password login package"; diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix index afb342768c3..7ef98eb2353 100644 --- a/pkgs/os-specific/linux/paxctl/default.nix +++ b/pkgs/os-specific/linux/paxctl/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { "MANDIR=share/man/man1" ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + setupHook = ./setup-hook.sh; meta = with stdenv.lib; { diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix index 2b86238b2df..56c12e9a4f0 100644 --- a/pkgs/os-specific/linux/phc-intel/default.nix +++ b/pkgs/os-specific/linux/phc-intel/default.nix @@ -21,6 +21,8 @@ in stdenv.mkDerivation rec { buildInputs = [ which ]; + hardeningDisable = [ "pic" ]; + makeFlags = with kernel; [ "DESTDIR=$(out)" "KERNELSRC=${dev}/lib/modules/${modDirVersion}/build" diff --git a/pkgs/os-specific/linux/prl-tools/default.nix b/pkgs/os-specific/linux/prl-tools/default.nix index da5d7d5f607..9ca48ccaf05 100644 --- a/pkgs/os-specific/linux/prl-tools/default.nix +++ b/pkgs/os-specific/linux/prl-tools/default.nix @@ -47,6 +47,8 @@ stdenv.mkDerivation rec { ''; }; + hardeningDisable = [ "pic" ]; + # also maybe python2 to generate xorg.conf nativeBuildInputs = [ p7zip ] ++ lib.optionals (!libsOnly) [ makeWrapper ]; diff --git a/pkgs/os-specific/linux/psmouse-alps/default.nix b/pkgs/os-specific/linux/psmouse-alps/default.nix deleted file mode 100644 index 9dd78f5885a..00000000000 --- a/pkgs/os-specific/linux/psmouse-alps/default.nix +++ /dev/null 
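Review bot: otpw is described in this hunk as a one-time password login package and builds against `pam`, yet the added `hardeningDisable = [ "stackprotector" ];` gives no reason. The paxctl hunk in the same line documents its identical exemption with `# FIXME needs gcc 4.9 in bootstrap tools`. Code on the authentication path handles input from users who have not yet authenticated, so it is the last place to drop stack canaries silently. Please state the build failure in a comment, or copy the paxctl FIXME if the cause is the same, so the exemption is removed together with it. The systemd hunk further down adds the same unexplained entry.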
@@ -1,40 +0,0 @@ -{ stdenv, fetchurl, kernel, zlib }: - -/* Only useful for kernels 3.2 to 3.5. - Fails to build in 3.8. - 3.9 upstream already includes a proper alps driver for this */ - -assert builtins.compareVersions "3.8" kernel.version == 1; - -let - ver = "1.3"; - bname = "psmouse-alps-${ver}"; -in -stdenv.mkDerivation { - name = "psmouse-alps-${kernel.version}-${ver}"; - - src = fetchurl { - url = http://www.dahetral.com/public-download/alps-psmouse-dlkm-for-3-2-and-3-5/at_download/file; - name = "${bname}-alt.tar.bz2"; - sha256 = "1ghr8xcyidz31isxbwrbcr9rvxi4ad2idwmb3byar9n2ig116cxp"; - }; - - buildPhase = '' - cd src/${bname}/src - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - SUBDIRS=`pwd` INSTALL_PATH=$out - ''; - - installPhase = '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - INSTALL_MOD_PATH=$out SUBDIRS=`pwd` modules_install - ''; - - meta = { - description = "ALPS dlkm driver with all known touchpads"; - homepage = http://www.dahetral.com/public-download/alps-psmouse-dlkm-for-3-2-and-3-5/view; - license = stdenv.lib.licenses.gpl2; - platforms = stdenv.lib.platforms.linux; - maintainers = with stdenv.lib.maintainers; [viric]; - }; -} diff --git a/pkgs/os-specific/linux/rtl8723bs/default.nix b/pkgs/os-specific/linux/rtl8723bs/default.nix index 04644534590..39f6a3826c2 100644 --- a/pkgs/os-specific/linux/rtl8723bs/default.nix +++ b/pkgs/os-specific/linux/rtl8723bs/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "07srd457wnz29nvvq02wz66s387bhjbydnmbs3qr7ljprabhsgmi"; }; + hardeningDisable = [ "pic" ]; + buildInputs = [ nukeReferences ]; makeFlags = concatStringsSep " " [ diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index bc6a97029c7..c38fa8843f4 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix 
@@ -3,25 +3,29 @@ stdenv.mkDerivation rec { name = "rtl8812au-${kernel.version}-${version}"; version = "4.2.2-1"; - + src = fetchFromGitHub { owner = "csssuf"; repo = "rtl8812au"; rev = "874906aec694c800bfc29b146737b88dae767832"; sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj"; }; - + + hardeningDisable = [ "pic" ]; + + NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types"; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" substituteInPlace ./Makefile --replace /sbin/depmod # substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" ''; - + preInstall = '' mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" ''; - + meta = { description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod"; homepage = "https://github.com/csssuf/rtl8812au"; diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix index bb17683800f..5f539b9a97e 100644 --- a/pkgs/os-specific/linux/setools/default.nix +++ b/pkgs/os-specific/linux/setools/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { "--with-tcl=${tcl}/lib" ]; + hardeningDisable = [ "format" ]; + NIX_CFLAGS_COMPILE = "-fstack-protector-all"; NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib"; diff --git a/pkgs/os-specific/linux/sinit/default.nix b/pkgs/os-specific/linux/sinit/default.nix index 783e5fa2063..bf8367fcd45 100644 --- a/pkgs/os-specific/linux/sinit/default.nix +++ b/pkgs/os-specific/linux/sinit/default.nix 
@@ -3,13 +3,14 @@ let s = # Generated upstream information rec { baseName="sinit"; - version="0.9.2"; + version="1.0"; name="${baseName}-${version}"; url="http://git.suckless.org/sinit/"; - sha256="0nncyzwnszwlqcvx1jf42rn1n2dd5vcxkndqb1b546pgpifniivp"; + sha256="0cf8yylgrrj1wxm5v6jdlbnxpx97m38yxrc9nmv1l8hldjqsj9pc"; rev = "refs/tags/v${version}"; }; buildInputs = [ + (stdenv.lib.getOutput "static" stdenv.cc.libc) ]; in stdenv.mkDerivation { diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix index 45926228b6c..d5a235084d4 100644 --- a/pkgs/os-specific/linux/spl/default.nix +++ b/pkgs/os-specific/linux/spl/default.nix @@ -30,6 +30,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; + hardeningDisable = [ "pic" ]; + preConfigure = '' substituteInPlace ./module/spl/spl-generic.c --replace /usr/bin/hostid hostid substituteInPlace ./module/spl/spl-generic.c --replace "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PATH=${coreutils}:${gawk}:/bin" diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix index cda63ea70af..76858ab5e48 100644 --- a/pkgs/os-specific/linux/sysdig/default.nix +++ b/pkgs/os-specific/linux/sysdig/default.nix @@ -1,17 +1,8 @@ {stdenv, fetchurl, fetchFromGitHub, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}: let inherit (stdenv.lib) optional optionalString; - s = rec { - name = "sysdig-${version}"; - version = "0.11.0"; - owner = "draios"; - repo = "sysdig"; - rev = version; - sha256 = "131bafa7jy16r2jwph50j0bxwqdvr319fsfhqkavx6xy18i31q3v"; - }; - buildInputs = [ - cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl - ]; + baseName = "sysdig"; + version = "0.10.0"; # sysdig-0.11.0 depends on some headers from jq which are not # installed by default. # Relevant sysdig issue: https://github.com/draios/sysdig/issues/626 
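Review bot: The sysdig hunk that ends this line sets `version = "0.10.0";` where the removed block had `version = "0.11.0";`, so a change about hardening flags also downgrades the package. The context comment directly below still refers to sysdig-0.11.0. This looks like a merge resolution that picked the older side, though that is an inference. If the downgrade is intended it should be stated in the commit message; otherwise keep `0.11.0` with its hash and add only `hardeningDisable = [ "pic" ];`. The rest of the change to this file continues in the following hunks.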
@@ -21,11 +12,19 @@ let }; in stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchFromGitHub { - inherit (s) owner repo rev sha256; + name = "${baseName}-${version}"; + + src = fetchurl { + url = "https://github.com/draios/sysdig/archive/${version}.tar.gz"; + sha256 = "0hs0r9z9j7padqdcj69bwx52iw6gvdl0w322qwivpv12j3prcpsj"; }; + + buildInputs = [ + cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl + ]; + + hardeningDisable = [ "pic" ]; + postPatch = '' sed '1i#include <cmath>' -i userspace/libsinsp/{cursesspectro,filterchecks}.cpp ''; @@ -33,17 +32,20 @@ stdenv.mkDerivation { cmakeFlags = [ "-DUSE_BUNDLED_DEPS=OFF" "-DUSE_BUNDLED_JQ=ON" - "-DSYSDIG_VERSION=${s.version}" + "-DSYSDIG_VERSION=${version}" ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF"; + preConfigure = '' export INSTALL_MOD_PATH="$out" '' + optionalString (kernel != null) '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ''; + preBuild = '' mkdir -p jq-prefix/src cp ${jq-prefix} jq-prefix/src/jq-1.5.tar.gz ''; + postInstall = optionalString (kernel != null) '' make install_driver kernel_dev=${kernel.dev} @@ -59,8 +61,7 @@ stdenv.mkDerivation { ''; meta = with stdenv.lib; { - inherit (s) version; - description = ''A tracepoint-based system tracing tool for Linux (with clients for other OSes)''; + description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)"; license = licenses.gpl2; maintainers = [maintainers.raskin]; platforms = platforms.linux ++ platforms.darwin; diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix index c051aac4312..f4ad94b5085 100644 --- a/pkgs/os-specific/linux/syslinux/default.nix +++ b/pkgs/os-specific/linux/syslinux/default.nix 
@@ -16,6 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...' + hardeningDisable = [ "pic" "stackprotector" "fortify" ]; preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index baf303f6f33..eff515c3dad 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -80,6 +80,8 @@ stdenv.mkDerivation rec { "--with-rc-local-script-path-stop=/etc/halt.local" ] ++ (if enableKDbus then [ "--enable-kdbus" ] else [ "--disable-kdbus" ]); + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' ./autogen.sh diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix index 38f2c8545db..f0f25f14e49 100644 --- a/pkgs/os-specific/linux/tp_smapi/default.nix +++ b/pkgs/os-specific/linux/tp_smapi/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "09rdg7fm423x6sbbw3lvnvmk4nyc33az8ar93xgq0n9qii49z3bv"; }; + hardeningDisable = [ "pic" ]; + makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}" "SHELL=/bin/sh" diff --git a/pkgs/os-specific/linux/uclibc/default.nix b/pkgs/os-specific/linux/uclibc/default.nix index 448c9f3f4ee..81c8b7b4df7 100644 --- a/pkgs/os-specific/linux/uclibc/default.nix +++ b/pkgs/os-specific/linux/uclibc/default.nix @@ -79,6 +79,8 @@ stdenv.mkDerivation { make oldconfig ''; + hardeningDisable = [ "stackprotector" ]; + # Cross stripping hurts. dontStrip = cross != null; diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 5c3a0d78d99..4d4a22fc720 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix 
@@ -2,11 +2,14 @@ stdenv.mkDerivation rec { name = "util-linux-${version}"; - version = "2.28"; + version = stdenv.lib.concatStringsSep "." ([ majorVersion ] + ++ stdenv.lib.optional (patchVersion != "") patchVersion); + majorVersion = "2.28"; + patchVersion = "1"; src = fetchurl { - url = "mirror://kernel/linux/utils/util-linux/v${version}/${name}.tar.xz"; - sha256 = "1fql204qn3098j34yd358l85ffp7a4kqjf7jf1qk2b4al7i4fn1r"; + url = "mirror://kernel/linux/utils/util-linux/v${majorVersion}/${name}.tar.xz"; + sha256 = "03xnaw3c7pavxvvh1vnimcr44hlhhf25whawiyv8dxsflfj4xkiy"; }; patches = [ diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix index 5fa81a0d3a7..57f4b9ab674 100644 --- a/pkgs/os-specific/linux/v4l2loopback/default.nix +++ b/pkgs/os-specific/linux/v4l2loopback/default.nix @@ -8,7 +8,9 @@ stdenv.mkDerivation rec { url = "https://github.com/umlaeute/v4l2loopback/archive/v${version}.tar.gz"; sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568"; }; - + + hardeningDisable = [ "format" "pic" ]; + preBuild = '' substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install" sed -i '/depmod/d' Makefile @@ -16,7 +18,7 @@ stdenv.mkDerivation rec { ''; buildInputs = [ kmod ]; - + makeFlags = [ "KERNELRELEASE=${kernel.modDirVersion}" "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix index 0ef992a4b44..073a6ded998 100644 --- a/pkgs/os-specific/linux/v86d/default.nix +++ b/pkgs/os-specific/linux/v86d/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-klibc" "--with-x86emu" ]; + hardeningDisable = [ "stackprotector" ]; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source" "DESTDIR=$(out)" 
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix index 84f67bfd8cf..3264194f125 100644 --- a/pkgs/os-specific/linux/wireguard/default.nix +++ b/pkgs/os-specific/linux/wireguard/default.nix @@ -30,6 +30,8 @@ let sed -i '/depmod/,+1d' Makefile ''; + hardeningDisable = [ "pic" ]; + KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; INSTALL_MOD_PATH = "\${out}"; diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix index 247ec6e152a..8d3e490db87 100644 --- a/pkgs/os-specific/linux/xf86-video-nested/default.nix +++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix @@ -16,10 +16,9 @@ stdenv.mkDerivation { pkgconfig renderproto utilmacros xorgserver ]; + hardeningDisable = [ "fortify" ]; - configurePhase = '' - ./configure --prefix=$out CFLAGS="-I${pixman}/include/pixman-1" - ''; + CFLAGS = "-I${pixman}/include/pixman-1"; meta = { homepage = http://cgit.freedesktop.org/xorg/driver/xf86-video-nested; diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 3ae41bc00b8..4b5d7e35dae 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation rec { # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work NIX_CFLAGS_LINK = "-lgcc_s"; + hardeningDisable = [ "pic" ]; + preConfigure = '' substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs" substituteInPlace ./module/zfs/zfs_ctldir.c --replace "mount -t zfs" "${utillinux}/bin/mount -t zfs" |
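Review bot: In xf86-video-nested the include path moves from the configure command line into a `CFLAGS` attribute, and `hardeningDisable = [ "fortify" ];` is added without explanation. Exporting `CFLAGS` replaces configure's default flags, which may be why fortify had to be turned off, since it needs optimisation enabled; the hunk does not state this, so treat it as an inference. Using `NIX_CFLAGS_COMPILE = "-I${pixman}/include/pixman-1";` instead would add the include path without overriding the defaults, and would likely let the `hardeningDisable` line be dropped.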