Commit graph

178873 commits

Author SHA1 Message Date
Joachim Fasting 87bc514620
hardened-config: enable the SafeSetID LSM
The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).

The LSM allows configuring a whitelist policy of permitted from:to uid
transitions.  The policy is enforced upon calls to setuid(2) and related
syscalls.

Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies

A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).

A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).

See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
2019-05-07 13:39:24 +02:00
Renaud 7085da0cef
Merge pull request #60870 from dkudriavtsev/patch-1
miraclecast: 20170427 -> 20190403
2019-05-07 13:37:39 +02:00
Renaud 029adb3ad4
Merge pull request #61003 from r-ryantm/auto-update/ocaml4.06.1-ppxlib
ocamlPackages.ppxlib: 0.5.0 -> 0.6.0
2019-05-07 13:19:50 +02:00
Frederik Rietdijk 01b99a67e9
Merge pull request #61028 from marsam/update-cedille
cedille: fix hash
2019-05-07 13:11:33 +02:00
Renaud ad36fb38e2
Merge pull request #60992 from danieldk/cargo-asm-0.1.17
cargo-asm: 0.1.16 -> 0.1.17
2019-05-07 13:11:17 +02:00
R. RyanTM af46c07eaf python37Packages.lark-parser: 0.6.6 -> 0.7.0
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-lark-parser/versions
2019-05-07 13:08:31 +02:00
Andrew Childs 1d754bbe94 qscintilla: fix dylib names on Darwin
On Darwin dylibs are intended to have their install names set to their
absolute path. Without an absolute path, applications using these
libraries will have invalid references embedded, and will be unable to
locate the libraries at runtime.
2019-05-07 13:08:00 +02:00
Elis Hirwing 0269936094
Merge pull request #61080 from DIzFer/jellyfin-remove-emby-ref
jellyfin: remove assertion if emby enabled: no emby module exists
2019-05-07 12:48:26 +02:00
Renaud 78b8ff9be0
Merge pull request #61017 from r-ryantm/auto-update/python3.7-Cerberus
python37Packages.cerberus: 1.2 -> 1.3
2019-05-07 12:23:28 +02:00
Robin Gloster 97450715da
Merge pull request #60678 from mayflower/atomicparsley-cross
atomicparsley: fix cross
2019-05-07 09:50:04 +00:00
Jörg Thalheim 2146e1023a
Merge pull request #61076 from Mic92/linux-fpu
linux_5_0: restore __kernel_fpu_{begin,restore}
2019-05-07 10:35:04 +01:00
Renaud 843a062c43
Merge pull request #61016 from r-ryantm/auto-update/python3.7-braintree
python37Packages.braintree: 3.52.0 -> 3.53.0
2019-05-07 11:30:36 +02:00
Jörg Thalheim 33220585a8
Merge pull request #61071 from dtzWill/update/creduce-2.9.0
creduce: 2.8.0 -> 2.9.0, llvm7
2019-05-07 10:05:02 +01:00
David Izquierdo b24a87fafe jellyfin: remove assertion if emby enabled: no emby module exists 2019-05-07 11:04:57 +02:00
Jörg Thalheim 7ed04c2a6f
postgresqlPackages.timescaledb: 1.2.2 -> 1.3.0 (#61074)
postgresqlPackages.timescaledb: 1.2.2 -> 1.3.0
2019-05-07 09:54:33 +01:00
Renaud 1303cc1136
Merge pull request #60972 from r-ryantm/auto-update/geos
geos: 3.7.1 -> 3.7.2
2019-05-07 10:39:07 +02:00
Joachim Fasting 7defc47944
tor-browser-bundle-bin: meta.homepage is a regular string 2019-05-07 09:48:16 +02:00
Joachim Fasting 501c2c28a4
tor-browser-bundle-bin: 8.0.8 -> 8.0.9 2019-05-07 09:48:10 +02:00
Jörg Thalheim a3f8a25ab3
python.pkgs.imread: inherit native libs on callsite
this avoids potential namespace collisions between python libs
and packages from all-packages.nix:

https://github.com/NixOS/nixpkgs/pull/61033#issuecomment-489926103
2019-05-07 07:34:13 +01:00
Jörg Thalheim 6bcc5e2080
pythonPackages.imread: 0.6 -> 0.7.0 (#61033)
pythonPackages.imread: 0.6 -> 0.7.0
2019-05-07 07:23:33 +01:00
Jörg Thalheim 8da4d318d1
nix-review: 2.0.0 -> 2.0.1 (#61078)
nix-review: 2.0.0 -> 2.0.1
2019-05-07 07:19:19 +01:00
Jörg Thalheim 4a0fcfd3cc
flow: 0.98.0 -> 0.98.1 (#61075)
flow: 0.98.0 -> 0.98.1
2019-05-07 07:16:42 +01:00
Jörg Thalheim cf5ed1d004
nix-review: 2.0.0 -> 2.0.1 2019-05-07 07:12:55 +01:00
Jörg Thalheim dd2052ce36
awesome: use makeWrapper rather than wrapProgram (#61060)
awesome: use makeWrapper rather than wrapProgram
2019-05-07 07:07:36 +01:00
Jörg Thalheim 3a83427e6d
Merge pull request #61055 from nyanloutre/radarr_update_0_2_0_1344
radarr: 0.2.0.1293 -> 0.2.0.1344
2019-05-07 07:05:49 +01:00
Jörg Thalheim 6d207876db
Merge pull request #61057 from dywedir/i3status-rust
i3status-rust: 0.9.0.2019-03-21 -> 0.9.0.2019-04-27
2019-05-07 07:05:15 +01:00
Jörg Thalheim c28f0c39d2
Merge pull request #61073 from marsam/fix-mpv-darwin
mpv: fix darwin build
2019-05-07 06:59:41 +01:00
Mario Rodas 2d6f91f26c
Merge pull request #61064 from mstojcevich/influxdb-176
influxdb: 1.7.5 -> 1.7.6
2019-05-07 00:32:41 -05:00
Michael Raskin 2ca644ea9a
Merge pull request #61070 from dtzWill/update/libreoffice-fresh-6.2.3.2
libreoffice-fresh: 6.2.2.2 -> 6.2.3.2
2019-05-07 05:16:55 +00:00
adisbladis ca088617ac
firefox-beta-bin: 67.0b16 -> 67.0b17 2019-05-07 06:10:31 +01:00
adisbladis 5985cd73dc
firefox-devedition-bin: 67.0b7 -> 67.0b17 2019-05-07 06:10:31 +01:00
adisbladis baf17a4042
pipenv: Add missing build input virtualenv-clone 2019-05-07 06:10:28 +01:00
Mario Rodas dbba6f0b3c
flow: 0.98.0 -> 0.98.1 2019-05-07 00:05:00 -05:00
Mario Rodas 5a9983a76e
postgresqlPackages.timescaledb: 1.2.2 -> 1.3.0 2019-05-07 00:02:25 -05:00
Mario Rodas 20eda8246c
mpv: fix darwin build 2019-05-06 23:57:10 -05:00
Mario Rodas bdbd5f6026
Merge pull request #61044 from greydot/fix-pipenv-deps
pipenv: fix missing dependency issue (#61027)
2019-05-06 23:53:19 -05:00
Will Dietz 5fe0547457 creduce: 2.8.0 -> 2.9.0, llvm7 2019-05-06 23:39:56 -05:00
Will Dietz d90da9197a libreoffice-fresh: 6.2.2.2 -> 6.2.3.2 2019-05-06 23:38:11 -05:00
Mario Rodas 5e407fcbb0
Merge pull request #61042 from xrelkd/update/cargo-bloat
cargo-bloat: 0.6.2 -> 0.6.3
2019-05-06 22:07:24 -05:00
Profpatsch 6ad3c59f03 ultrastar-manager: 2017-05-24 -> 2019-04-23 2019-05-07 02:02:11 +02:00
Profpatsch 59aef0aa9c ultrastar-creator: 2017-04-12 -> 2019-04-23 2019-05-07 02:02:11 +02:00
Profpatsch 3a0fbc17e2 libbass: update 2019-05-07 02:02:11 +02:00
Marcus Stojcevich 118487b694
influxdb: 1.7.5 -> 1.7.6 2019-05-06 19:38:37 -04:00
Renaud 0852a6e22a
Merge pull request #59654 from r-ryantm/auto-update/python3.7-fonttools
python37Packages.fonttools: 3.39.0 -> 3.41.0
2019-05-06 23:51:14 +02:00
Renaud dfac1543d0
pythonPackages.fonttools: 3.40.0 -> 3.41.0
and specify license
2019-05-06 22:42:31 +02:00
Renaud 7c93bbec22
Merge pull request #60957 from r-ryantm/auto-update/bacula
bacula: 9.4.2 -> 9.4.3
2019-05-06 22:33:22 +02:00
Renaud c9f1f40cb2
Merge pull request #60525 from r-ryantm/auto-update/flacon
flacon: 5.2.0 -> 5.4.0
2019-05-06 22:30:47 +02:00
Stefano Mazzucco 88f84c08d7 awesome: use makeWrapper rather than wrapProgram
Using wrapProgram makes it so that the generated "awesome" wrapper duplicates its
command line options at every restart.

As @psychon puts it:

> AwesomeWM restarts via execvp(argv[0], argv). In NixOS, wrapProgram is used
> to generate a wrapper around the real binary. wrapProgram calls makeWrapper
> with --argv0 '$0'. I guess this is what makes awesomeWM run the wrapper again
> on restart. Without this --argv0 awesomeWM would directly restart itself
> instead of the wrapper, I think.
2019-05-06 21:08:55 +01:00
Renaud 834d8018f3
Merge pull request #60963 from r-ryantm/auto-update/dovecot-pigeonhole
dovecot_pigeonhole: 0.5.5 -> 0.5.6
2019-05-06 22:01:02 +02:00
Matthew Bauer 69cf07ec0f
Merge pull request #60828 from matthewbauer/mark-bad-platforms
Mark some bad platforms
2019-05-06 15:54:08 -04:00