Commit graph

12411 commits

Author SHA1 Message Date
Emily 5a5a2d0342 linux/hardened/update.py: pass encoding to subprocess 2020-05-08 15:49:36 +01:00
Emily b2ad58536c linux/hardened/update.py: commit updates in order 2020-05-08 15:49:36 +01:00
Emily 88486c4e76 linux/hardened/update.py: get versions with nix(1) 2020-05-08 15:49:36 +01:00
Emily e77d174fcd linux/hardened/update.py: add type annotations 2020-05-08 15:49:35 +01:00
Emily d6fe0a4e2d linux/hardened: move files into directory 2020-05-08 15:49:35 +01:00
Emily abe4bef033 linux/update-hardened.py: use pathlib 2020-05-08 15:49:35 +01:00
Emily 83c4ac2eb3 linux/update-hardened.py: reformat
$ isort --multi-line=3 --trailing-comma --force-grid-wrap=0 --use-parentheses …
$ black --line-length=80 …

(per the black documentation)
2020-05-08 15:49:35 +01:00
Pavol Rusnak 6abf4a43ad
treewide: per RFC45, remove more unquoted URLs 2020-05-08 15:20:47 +02:00
Tim Steinbach 711667dc3e
linux/hardened-patches/4.14: 4.14.178.a -> 4.14.179.a 2020-05-07 20:56:39 -04:00
Tim Steinbach 3d44729f1e
linux/hardened-patches/4.19: 4.19.120.a -> 4.19.121.a 2020-05-07 20:56:38 -04:00
Tim Steinbach ced789fa62
linux/hardened-patches/5.4: 5.4.38.a -> 5.4.39.a 2020-05-07 20:56:38 -04:00
Tim Steinbach 603741e751
linux/hardened-patches/5.6: 5.6.10.a -> 5.6.11.a 2020-05-07 20:56:38 -04:00
Vladimír Čunát fcc68a43aa
Merge branch 'staging-next'
The nss update is needed for security update of firefox.
For linux platforms only about 1k aarch64 rebuilds are missing;
the diff on Hydra looks OK.  Darwin needs 20k more rebuilds,
but I don't think we want to wait for that.
2020-05-07 19:56:25 +02:00
R. RyanTM 044b8c51c9 pax-utils: 1.2.5 -> 1.2.6 2020-05-06 23:15:13 -07:00
Ryan Mulligan 3e73635e51
Merge pull request #86556 from cmacrae/pkgs/os-specific/darwin/spacebar
spacebar: init at v0.5.0
2020-05-06 15:19:38 -07:00
Andreas Rammhold 38d043b116
Merge pull request #87139 from mweinelt/pr/security-patch-names
treewide: add CVE identifiers to patches
2020-05-06 23:51:53 +02:00
Martin Weinelt e24f5eab66
treewide: add CVE identifiers to patches
This allows tools like broken.sh to correctly identify the patched
status.
2020-05-06 23:18:09 +02:00
Tim Steinbach f82e836e1d
linux: 5.6.10 -> 5.6.11 2020-05-06 15:58:09 -04:00
Tim Steinbach bcbc507143
linux: 5.4.38 -> 5.4.39 2020-05-06 15:57:20 -04:00
Tim Steinbach ac287ce319
linux: 4.19.120 -> 4.19.121 2020-05-06 15:56:35 -04:00
Jörg Thalheim d49615dc55
Merge pull request #86918 from Mic92/sysdig 2020-05-06 15:52:29 +01:00
Vladimír Čunát e8d3c1579b
Merge branch 'staging' into staging-next 2020-05-06 08:22:27 +02:00
Vladimír Čunát 54eb2d1018
Merge branch 'staging-next'
Status on Hydra for linuxes seems good enough:
https://hydra.nixos.org/eval/1585703?filter=linux&compare=1585482&full=#tabs-now-fail
2020-05-06 08:20:05 +02:00
Jörg Thalheim ee8cde8d1c
Merge pull request #86391 from kwohlfahrt/gpio-utils 2020-05-06 06:57:14 +01:00
Jörg Thalheim b4df84d203
Merge pull request #86989 from r-ryantm/auto-update/lxcfs 2020-05-06 06:29:59 +01:00
R. RyanTM 5ed0514b4f conntrack-tools: 1.4.5 -> 1.4.6 2020-05-05 18:50:47 -07:00
Mario Rodas e08c758913
Merge pull request #86833 from r-ryantm/auto-update/criu
criu: 3.13 -> 3.14
2020-05-05 20:17:53 -05:00
Jan Tojnar ea38cf9d96
Merge pull request #87017 from jtojnar/fwupd-1.4.1 2020-05-06 01:20:16 +02:00
Jan Tojnar 88d15ee4ef
fwupd: 1.4.0 → 1.4.1
ad113b931f
2020-05-06 00:30:11 +02:00
R. RyanTM 03425b0033 lxcfs: 4.0.1 -> 4.0.3 2020-05-05 20:32:26 +00:00
Tim Steinbach 32585ddcec
linux: 4.9.221 -> 4.9.222 2020-05-05 14:35:55 -04:00
Tim Steinbach 7f75ff0777
linux: 4.4.221 -> 4.4.222 2020-05-05 14:35:46 -04:00
Tim Steinbach 018f49380e
linux: 4.14.178 -> 4.14.179 2020-05-05 14:35:33 -04:00
Frederik Rietdijk 9875bbae75 Merge master into staging-next 2020-05-05 19:51:09 +02:00
Jörg Thalheim 330693c502
linuxPackages.sysdig: 0.26.6 -> 0.26.7 2020-05-05 11:21:35 +01:00
124 82dfd10035
syslinux: fix #86846: build on i686
vcunat tried tests.boot.biosCdrom.i686-linux - after small local
modification to make that attribute even exist.  Installed file list
also looks fine in comparison with state before the breaking change;
hopefully it will work just fine.
2020-05-05 10:25:44 +02:00
R. RyanTM 6967ad7185 criu: 3.13 -> 3.14 2020-05-04 20:06:29 +00:00
Jörg Thalheim c5bcac2999
Merge pull request #86779 from r-ryantm/auto-update/bcc
linuxPackages_hardened.bcc: 0.13.0 -> 0.14.0
2020-05-04 17:01:22 +01:00
Kai Wohlfahrt 89d3a605e3 gpio-tools: init in kernel 5.4
Linux provides some tools to interact with the gpiochip interface (which
replaces the deprecated sysfs GPIO interface). Expose these as a
package.

The tool has not changed much recently, so there is no need to package a
version for each kernel.
2020-05-04 15:02:55 +01:00
R. RyanTM bd1846f7f4 linuxPackages_hardened.bcc: 0.13.0 -> 0.14.0 2020-05-04 13:33:51 +00:00
Tim Steinbach b6456e528e
linux: 5.7-rc3 -> 5.7-rc4 2020-05-04 08:41:50 -04:00
Maximilian Bosch 8536aeb415
Merge pull request #86605 from BKPepe/wireguard
wireguard-compat: 1.0.20200426 -> 1.0.20200429
2020-05-03 19:38:23 +02:00
Tim Steinbach d51998798f
linux/hardened-patches/4.14: 4.14.177.a -> 4.14.178.a 2020-05-03 13:17:07 -04:00
Tim Steinbach 4df77514e7
linux/hardened-patches/4.19: 4.19.119.a -> 4.19.120.a 2020-05-03 13:17:03 -04:00
Tim Steinbach c5d56b1790
linux/hardened-patches/5.4: 5.4.36.a -> 5.4.38.a 2020-05-03 13:16:59 -04:00
Tim Steinbach e7b54c19de
linux/hardened-patches/5.6: 5.6.8.a -> 5.6.10.a 2020-05-03 13:16:49 -04:00
Josef Schlehofer e008d5fc98
wireguard-compat: 1.0.20200426 -> 1.0.20200429 2020-05-03 18:39:08 +02:00
Linus Heckemann 88e07d3a96
Merge pull request #86598 from Valodim/aarch64-hidraw
linux: CONFIG_HIDRAW=y
2020-05-03 11:04:56 +02:00
Peter Hoeg 4310c1a4a0
Merge pull request #85094 from helsinki-systems/syslinux_efi
syslinux: add uefi support
2020-05-03 12:33:54 +08:00
ajs124 a09878c205 syslinux: fix UEFI support 2020-05-03 02:18:46 +02:00
Vincent Breitmoser bdd2d3ccb2 linux: CONFIG_HIDRAW=y 2020-05-02 17:43:43 +02:00
Daiderd Jordan 64279cff00
Merge pull request #86557 from cmacrae/upgrade/yabai/3.0.0
yabai: 2.4.3 -> 3.0.0
2020-05-02 11:34:56 +02:00
Tim Steinbach c46b55e640
linux: 5.6.8 -> 5.6.10 2020-05-02 14:46:24 -04:00
Tim Steinbach ba19c248b7
linux: 5.4.36 -> 5.4.38 2020-05-02 14:46:24 -04:00
Tim Steinbach 13e51bb636
linux: 4.9.220 -> 4.9.221 2020-05-02 14:46:23 -04:00
Tim Steinbach 7e200a0177
linux: 4.4.220 -> 4.4.221 2020-05-02 14:46:23 -04:00
Tim Steinbach 92c2abe85f
linux: 4.19.119 -> 4.19.120 2020-05-02 14:46:23 -04:00
Tim Steinbach 163e5a8d0c
linux: 4.14.177 -> 4.14.178 2020-05-02 14:46:22 -04:00
cmacrae c57532cf4e spacebar: init at v0.5.0 2020-05-02 10:18:34 +01:00
cmacrae fe9938ebd4 yabai: 2.4.3 -> 3.0.0 2020-05-02 10:17:32 +01:00
cmacrae 1e16e652d8 skhd: 0.3.0 -> 0.3.5 2020-05-02 09:58:41 +01:00
R. RyanTM 9f2ecb211d setools: 4.2.2 -> 4.3.0 2020-05-02 10:13:48 +02:00
Frederik Rietdijk 22ea1b9be2 Merge staging-next into staging 2020-05-02 10:13:08 +02:00
Frederik Rietdijk afb1041148 Merge master into staging-next 2020-05-02 09:39:00 +02:00
Daiderd Jordan a57cbb1c36
Merge pull request #86411 from cmacrae/pkgs/os-specific/darwin/yabai
yabai: init at 2.4.3
2020-05-01 19:40:59 +02:00
Tim Steinbach 61b97c17d6
linux: 5.7-rc2 -> 5.7-rc3 2020-05-01 11:43:43 -04:00
cmacrae 8e8459921a yabai: init at 2.4.3 2020-05-01 11:57:28 +01:00
Florian Klink b0aa80e427
Merge pull request #86363 from flokli/systemd-245.5
systemd: 245.3 -> 245.5
2020-05-01 12:32:40 +02:00
Frederik Rietdijk 00bbfccecf Merge staging into staging-next 2020-05-01 09:28:45 +02:00
Daniel Fullmer 45c0523b77 rtl8812au: 5.2.20.2_28373.20190903 -> 5.6.4.2_35491.20200318 2020-05-01 09:25:36 +02:00
Frederik Rietdijk 484ee79050 Merge staging-next into staging 2020-05-01 08:57:10 +02:00
Frederik Rietdijk 2da19f9483
Merge pull request #85653 from veprbl/pr/darwin_binutils_add_man
darwin.binutils: propagate man pages from darwin.cctools
2020-05-01 08:49:56 +02:00
Tim Steinbach 5fa90ed9e2
linux/hardened-patches/4.19: 4.19.118.a -> 4.19.119.a 2020-04-30 10:05:58 -04:00
Tim Steinbach 22c0c49d61
linux/hardened-patches/5.4: 5.4.35.a -> 5.4.36.a 2020-04-30 10:05:56 -04:00
Tim Steinbach 53ea32be28
linux/hardened-patches/5.6: 5.6.7.a -> 5.6.8.a 2020-04-30 10:05:50 -04:00
Florian Klink eb73b71df4 systemd: 245.3 -> 245.5
Also, update 0005-Add-some-NixOS-specific-unit-directories.patch to
explain how and where these paths are being used.
2020-04-30 02:08:42 +02:00
Florian Klink a3082bc6b7 systemd: regenerate patches
It seems nix is much more permissive in applying patches than git am.

These patches were regenerated by running
`git am path/to/nixpkgs/pkgs/os-specific/linux/systemd/*.patch`,
and manually running `patch -p1 < path/to/nixpkgs/pkgs/os-specific/linux/systemd/*N.patch`
where necessary.
2020-04-30 01:47:35 +02:00
Tim Steinbach bbf8ce13eb
linux: 5.6.7 -> 5.6.8 2020-04-29 15:38:11 -04:00
Tim Steinbach 100e81982d
linux: 5.4.35 -> 5.4.36 2020-04-29 15:38:11 -04:00
Tim Steinbach ca44d3eb1e
linux: 4.19.118 -> 4.19.119 2020-04-29 15:38:11 -04:00
Florian Klink f046de4210
Merge pull request #86168 from lblasc/sof-firmware
Sound Open Firmware support, sof-firmware: init at 1.4.2, update kernel config
2020-04-29 12:36:53 +02:00
Matthieu Coudron 8ce65087c3 broadcom_sta: fix build on 5.6 2020-04-29 11:57:03 +02:00
Florian Klink fbc63c4a7b
Merge pull request #86208 from arianvp/fix-linux-systemd-dep
linux: do not depend on systemd indirectly
2020-04-29 11:56:51 +02:00
Luka Blaskovic 6fc9fd53db linux config: enable Sound Open Firmware support 2020-04-29 07:31:49 +00:00
Jan Tojnar 2b5e2ffe0a
Merge pull request #86165 from jtojnar/libusb-compat-rename 2020-04-29 08:26:08 +02:00
jakobrs d21cc14114 v4l2loopback: 0.12.4 -> 0.12.5 2020-04-29 07:19:01 +02:00
worldofpeace d85aabfb5f
Merge pull request #84449 from doronbehar/improve-guvcview
guvcview: fix gsettings filechooser errors
2020-04-28 13:32:13 -04:00
Bruno Bzeznik 75a3a9af8d libfabric: init at 1.10.0 2020-04-28 17:09:15 +02:00
Arian van Putten d103dc4998 linux: do not depend on systemd indirectly
utillinux depends on systemd because:

* uuidd supports socket activation
* lslogins can show recent journal entries
* fstrim comes with a service file (and we use this in NixOS)
* logger can write journal entries
(See https://www.openembedded.org/pipermail/openembedded-core/2015-February/102069.html)

systemd doesn't depend on utillinux but on utillinuxMinimal which is a
version of utillinux without these features to avoid cyclic
dependencies.

With this change, the linux kernel (of which I don't fully understand
why it would depend on util-linux in the first place, but this was added in
https://github.com/NixOS/nixpkgs/pull/32137/files without too much
explanation) depends on the minimal version of util-linux too.

This makes it that every time we change build flags in systemd
the linux kernel doesn't have to wastefully rebuild.
2020-04-28 15:34:44 +02:00
Bruno Bzeznik 5a16436ffb
libpsm2: init at 11.2.156 (#85920)
* libpsm2: init at 11.2.156
2020-04-28 11:38:21 +02:00
Luka Blaskovic fe7f770666 sof-firmware: init at 1.4.2 2020-04-28 05:25:38 +00:00
Jan Tojnar e89e2edc73
libusb-compat-0_1: rename from libusb 2020-04-28 05:33:41 +02:00
David Terry e9c44e8956
wireguard-compat: 1.0.20200413 -> 1.0.20200426
https://lists.zx2c4.com/pipermail/wireguard/2020-April/005237.html
2020-04-27 08:15:39 +02:00
Tim Steinbach a9fa6028ad
linux/hardened-patches/4.19: 4.19.117.a -> 4.19.118.a 2020-04-26 12:23:07 -04:00
Tim Steinbach 4af476e2b3
linux/hardened-patches/5.4: 5.4.34.a -> 5.4.35.a 2020-04-26 12:23:05 -04:00
Tim Steinbach 334627d92f
linux/hardened-patches/5.6: 5.6.6.a -> 5.6.7.a 2020-04-26 12:23:03 -04:00
Tim Steinbach be48bf2ba8
linux/hardened-patches/4.14: 4.14.176.a -> 4.14.177.a 2020-04-26 12:23:01 -04:00
Tim Steinbach 4883dde6b7
linux: 4.9.219 -> 4.9.220 2020-04-26 12:22:41 -04:00
Tim Steinbach 6efb2ba2bf
linux: 4.4.219 -> 4.4.220 2020-04-26 12:22:05 -04:00
Tim Steinbach 6617a79ba3
linux: 4.14.176 -> 4.14.177 2020-04-26 12:21:32 -04:00
Jörg Thalheim ef959a1d9b
Merge pull request #85984 from Mic92/wireguard 2020-04-26 11:28:55 +01:00
Doron Behar 59588b68cd guvcview: use libsForQt5.callPackage 2020-04-25 21:14:40 +03:00
Martin Weinelt 3e9f3a3ebd
hostapd: apply patch for CVE-2019-16275
AP mode PMF disconnection protection bypass

Published: September 11, 2019
Identifiers:
- CVE-2019-16275
Latest version available from: https://w1.fi/security/2019-7/

Vulnerability

hostapd (and wpa_supplicant when controlling AP mode) did not perform
sufficient source address validation for some received Management frames
and this could result in ending up sending a frame that caused
associated stations to incorrectly believe they were disconnected from
the network even if management frame protection (also known as PMF) was
negotiated for the association. This could be considered to be a denial
of service vulnerability since PMF is supposed to protect from this type
of issue. It should be noted that if PMF is not enabled, there would be
no protocol level protection against this type of denial of service
attack.

An attacker in radio range of the access point could inject a specially
constructed unauthenticated IEEE 802.11 frame to the access point to
cause associated stations to be disconnected and require a reconnection
to the network.

Vulnerable versions/configurations

All hostapd and wpa_supplicant versions with PMF support
(CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
PMF being enabled (optional or required). In addition, this would be
applicable only when using user space based MLME/SME in AP mode, i.e.,
when hostapd (or wpa_supplicant when controlling AP mode) would process
authentication and association management frames. This condition would
be applicable mainly with drivers that use mac80211.

Possible mitigation steps

- Merge the following commit to wpa_supplicant/hostapd and rebuild:

  AP: Silently ignore management frame from unexpected source address

  This patch is available from https://w1.fi/security/2019-7/

- Update to wpa_supplicant/hostapd v2.10 or newer, once available
2020-04-25 14:35:20 +02:00
Jörg Thalheim 21ec1f5ead
wireguard: 1.0.20200401 -> 1.0.20200413 2020-04-25 11:16:10 +01:00
Maximilian Bosch 61c95a2eec
iwd: 1.6 -> 1.7 2020-04-25 12:13:01 +02:00
Maximilian Bosch 74fcd4f2d6
ell: 0.30 -> 0.31 2020-04-25 12:12:54 +02:00
Doron Behar 6aaab573e2 guvcview: enable to build with both qt5 and gtk3 2020-04-25 12:52:15 +03:00
Doron Behar ac0f42dee8 guvcview: format arguments 2020-04-25 12:52:15 +03:00
Doron Behar 6bac53e691 guvcview: move some packages to nativeBuildInputs 2020-04-25 12:52:14 +03:00
Doron Behar d89ed04ea4 guvcview: fix gsettings filechooser errors 2020-04-25 12:52:14 +03:00
Austin Seipp d403911451
linux_testing: 5.6-rc7 -> 5.7-rc2
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2020-04-24 10:58:31 -05:00
Michael Weiss 34276b84c5
nvme-cli: 1.10.1 -> 1.11.1 2020-04-24 17:56:08 +02:00
Jörg Thalheim 16e4b9ca69
Merge pull request #85880 from emilazy/linux-hardened-update-resilience 2020-04-24 12:24:23 +01:00
Savanni D'Gerinel 4db7911b5b Set version to 0.0.1
ZenStates-Linux doesn't actually have a version, so I'm setting the
version to 0.0.1 in case the developer eventually does start doing
releases.
2020-04-23 22:17:30 -04:00
Savanni D'Gerinel bfe072dc4b Add a Zenstates derivation 2020-04-23 22:08:34 -04:00
Emily 2c1db9649e linux_*_hardened: index patches by major kernel version
This will avoid breaking the build whenever a non-major kernel update
happens. In the update script, we map each kernel version to the latest
patch for the latest kernel version less than or equal to what we
have packaged.
2020-04-23 18:50:26 +01:00
Jörg Thalheim 6dfd563633
linux_latest-hardened: fix evaluation 2020-04-23 16:45:06 +01:00
Jörg Thalheim 1bceaa1cee
linux_hardened: fix evaluation 2020-04-23 15:52:14 +01:00
Tim Steinbach 45c22565f6
linux: 5.6.6 -> 5.6.7 2020-04-23 08:17:15 -04:00
Tim Steinbach 2f10053834
linux: 5.4.34 -> 5.4.35 2020-04-23 08:17:06 -04:00
Tim Steinbach 62a608fd63
linux: 4.19.117 -> 4.19.118 2020-04-23 08:16:58 -04:00
Frederik Rietdijk cff0669a48 Merge master into staging-next 2020-04-23 08:11:16 +02:00
Tim Steinbach 629068fe5b
linux_latest-libre: 17402 -> 17445 2020-04-22 19:40:01 -04:00
kraem fca903c7dd
linux/hardened-patches/4.19.117: init at 4.19.117.a 2020-04-22 02:12:28 +02:00
kraem 99f30a5635
linux/hardened-patches/5.4.34: init at 5.4.34.a 2020-04-22 02:12:25 +02:00
kraem 3c81b3df4e
linux/hardened-patches/5.5.19: init at 5.5.19.a 2020-04-22 02:12:21 +02:00
kraem c8b5e37764
linux/hardened-patches/5.6.6: init at 5.6.6.a 2020-04-22 02:12:17 +02:00
kraem efafc50f5c
linux/hardened-patches/4.19.116: remove 2020-04-21 22:18:03 +02:00
kraem 8f2e9fcadd
linux/hardened-patches/5.5.18: remove 2020-04-21 22:18:03 +02:00
kraem 9ed70f4e46
linux/hardened-patches/5.6.5: remove 2020-04-21 22:18:03 +02:00
kraem 15807c58ad
linux/hardened-patches/5.4.33: remove 2020-04-21 22:18:02 +02:00
kraem c9cf25bc61
linux: 5.6.5 -> 5.6.6 2020-04-21 21:59:59 +02:00
kraem 1e23dcbf22
linux: 5.5.18 -> 5.5.19 2020-04-21 21:59:22 +02:00
kraem 18c2b5a9aa
linux: 5.4.33 -> 5.4.34 2020-04-21 21:58:45 +02:00
kraem e074301be8
linux: 4.19.116 -> 4.19.117 2020-04-21 21:58:03 +02:00
Linus Heckemann 6673a4988e
gnupg: use libusb1 (#85374)
* gnupg: use libusb1

This fixes scdaemon's direct ccid support.

* systemd: fix gnupg-minimal
2020-04-21 08:35:40 +02:00
Frederik Rietdijk 803b3d296c Merge staging-next into staging 2020-04-21 08:29:51 +02:00
oxalica 7760cff5d7 util-linux: 2.33.2 -> 2.35.1 2020-04-21 08:12:29 +02:00
Dmitry Kalinkin c00ad799a0
darwin.cctools: install ar man pages
In the distribution they are located in a separate directory from the
others and the standard installation doesn't process them.
2020-04-20 23:56:51 -04:00
Dmitry Kalinkin 125c469d3e
darwin.binutils.bintools: propagate man pages from cctools 2020-04-20 23:49:02 -04:00
Dmitry Kalinkin 3e880bad79
darwin.cctools: split man output 2020-04-20 19:51:49 -04:00
kraem 523fe98821 linux/hardened-patches/4.19.116: 4.19.116.NixOS-a -> 4.19.116.a 2020-04-20 10:05:36 -04:00
kraem 45343beffe linux/hardened-patches/5.4.33: 5.4.33.NixOS-a -> 5.4.33.a 2020-04-20 10:05:36 -04:00
kraem 48d908b731 linux/hardened-patches/5.5.18: init at 5.5.18.a 2020-04-20 10:05:36 -04:00
kraem 0fd9293703 linux/hardened-patches/5.6.5: init at 5.6.5.a 2020-04-20 10:05:36 -04:00
kraem e7a65e6c41 linux/hardened-patches/5.5.17: remove 2020-04-20 10:05:36 -04:00
kraem eb41f8122e linux/hardened-patches/5.6.4: remove 2020-04-20 10:05:36 -04:00
kraem 8879086cfc linux: 5.5.17 -> 5.5.18 2020-04-20 10:05:36 -04:00
kraem 4307923b86 linux: 5.6.4 -> 5.6.5 2020-04-20 10:05:36 -04:00
Yegor Timoshenko 6f1165a0cb
Merge pull request #84522 from emilazy/add-linux-hardened-patches
linux_*_hardened: use linux-hardened patch set
2020-04-19 20:01:35 +03:00
Peter Simons 00222dbb0e bbswitch: fix build with Linux kernel version >= 5.6.0
Fixes https://github.com/NixOS/nixpkgs/issues/85564.
2020-04-19 16:25:48 +02:00
Maximilian Bosch 19de59a9be
Merge pull request #85334 from flokli/systemd-mainline2
systemd: 243.7 -> 245
2020-04-19 16:02:52 +02:00
Vladimír Čunát e233a9d4dd
Merge #84442: staging-next branch 2020-04-18 23:11:00 +02:00
John Ericson 1ea80c2cc3 Merge remote-tracking branch 'upstream/master' into staging 2020-04-18 15:40:49 -04:00
Jan Tojnar 09c4736405
Merge pull request #83755 from jtojnar/jcat-0.1 2020-04-18 20:38:24 +02:00
Mario Rodas e5dd52b99d
Merge pull request #85422 from marsam/update-lxc
lxc: 4.0.1 -> 4.0.2
2020-04-18 13:24:22 -05:00
Jan Tojnar 06e5800a73
fwupd: 1.3.9 → 1.4.0
https://github.com/fwupd/fwupd/releases/tag/1.4.0
2020-04-18 19:51:08 +02:00
Pavol Rusnak fadcfc3ea4
treewide: per RFC45, remove more unquoted URLs 2020-04-18 14:04:37 +02:00
Vladimír Čunát d96487b9ca
Merge branch 'master' into staging-next
Hydra nixpkgs: ?compare=1582510
2020-04-18 07:42:26 +02:00
John Ericson cc880cd91f Merge remote-tracking branch 'upstream/master' into staging 2020-04-17 18:50:55 -04:00
John Ericson e99a409065
Merge pull request #85190 from Ericson2314/fwupdate
fwupdate: Clean up -I flags
2020-04-17 18:50:22 -04:00
John Ericson 33c2a76c5e Merge remote-tracking branch 'upstream/master' into staging 2020-04-17 18:40:51 -04:00
Emily 7fdfe5381d linux_*_hardened: don't set FORTIFY_SOURCE
Upstreamed in anthraxx/linux-hardened@d12c0d5f0c.
2020-04-17 16:13:39 +01:00
Emily ed89b5b3f1 linux_*_hardened: don't set PANIC_ON_OOPS
Upstreamed in anthraxx/linux-hardened@366e0216f1.
2020-04-17 16:13:39 +01:00
Emily 0d5f1697b7 linux_*_hardened: don't set SLAB_FREELIST_{RANDOM,HARDENED}
Upstreamed in anthraxx/linux-hardened@786126f177,
anthraxx/linux-hardened@44822ebeb7.
2020-04-17 16:13:39 +01:00
Emily 4fb796e341 linux_*_hardened: don't set HARDENED_USERCOPY_FALLBACK
Upstreamed in anthraxx/linux-hardened@c1fe7a68e3,
anthraxx/linux-hardened@2c553a2bb1.
2020-04-17 16:13:39 +01:00
Emily 3eeb5240ac linux_*_hardened: don't set DEBUG_LIST
Upstreamed in anthraxx/linux-hardened@6b20124185.
2020-04-17 16:13:39 +01:00
Emily 0611462e33 linux_*_hardened: don't set {,IO_}STRICT_DEVMEM
STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is
turned on by anthraxx/linux-hardened@103d23cb66.

Note that anthraxx/linux-hardened@db1d27e10e
disables DEVMEM by default, so this is only relevant if that default is
overridden to turn it back on.
2020-04-17 16:13:39 +01:00
Emily 303bb60fb1 linux_*_hardened: don't set DEBUG_WX
Upstreamed in anthraxx/linux-hardened@55ee7417f3.
2020-04-17 16:13:39 +01:00
Emily 33b94e5a44 linux_*_hardened: don't set BUG_ON_DATA_CORRUPTION
Upstreamed in anthraxx/linux-hardened@3fcd15014c.
2020-04-17 16:13:39 +01:00
Emily db6b327508 linux_*_hardened: don't set LEGACY_VSYSCALL_NONE
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily 130f6812be linux_*_hardened: don't set RANDOMIZE_{BASE,MEMORY}
These are on by default for x86 in upstream linux-5.6.2, and turned on
for arm64 by anthraxx/linux-hardened@90f9670bc3.
2020-04-17 16:13:39 +01:00
Emily 8c68055432 linux_*_hardened: don't set MODIFY_LDT_SYSCALL
Upstreamed in anthraxx/linux-hardened@05644876fa.
2020-04-17 16:13:39 +01:00
Emily 8efe83c22e linux_*_hardened: don't set DEFAULT_MMAP_MIN_ADDR
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily 3d4c8ae901 linux_*_hardened: don't set VMAP_STACK
This has been on by default upstream for as long as it's been an option.
2020-04-17 16:13:39 +01:00
Emily 7d5352df31 linux_*_hardened: don't set X86_X32
As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.
2020-04-17 16:13:39 +01:00
Emily 0d4f35efd4 linux_*_hardened: use linux-hardened patch set
This is an updated version of the former upstream,
https://github.com/AndroidHardeningArchive/linux-hardened, and provides
a minimal set of additional hardening patches on top of upstream.

The patch already incorporates many of our hardened profile defaults,
and releases are timely (Linux 5.5.15 and 5.6.2 were released on
2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
2020-04-04 respectively).
2020-04-17 16:13:39 +01:00
Emily 3d01e802bd linux: explicitly enable SYSVIPC
The linux-hardened patch set removes this default, probably because of
its original focus on Android kernel hardening.
2020-04-17 16:12:29 +01:00
Tim Steinbach e341107367
linux: 5.4.32 -> 5.4.33 2020-04-17 08:34:01 -04:00
Tim Steinbach d9258d33be
linux: 4.19.115 -> 4.19.116 2020-04-17 08:34:01 -04:00
Vladimír Čunát acb4710214
alsaTools: 1.1.7 -> 1.2.2
Fixes build regression (after alsa update, I assume).
Despite the version number change, the diff is trivial:
https://git.alsa-project.org/?p=alsa-tools.git;a=log;h=refs/tags/v1.2.2
2020-04-17 13:49:20 +02:00
Florian Klink b3f14109a8 systemd: explicitly disable portabled for now
This hasn't worked with 243, let's disable it for now, until we have
tests and can ensure it works and keeps working.
2020-04-17 00:31:03 +02:00
Florian Klink ce7c1230ea systemd: explicitly disable homed for now
We don't currently have tests to ensure it works and keeps working.

So instead of having it accidentally working, and possibly breaking it
in the future, disable it for now.
2020-04-17 00:30:52 +02:00
Jörg Thalheim c18ceab106 systemd: remove myself as maintainer 2020-04-17 00:30:52 +02:00
Florian Klink b0b7f673dc systemd: 245 -> 245.3 2020-04-17 00:30:52 +02:00
Florian Klink d2871a723a systemd: 244.3 -> 245 2020-04-17 00:30:51 +02:00
Florian Klink 9de0ac3770 systemd: 243.7 -> 244.3
This required some changes in how we treat DEFAULT_PATH_NORMAL.
2020-04-17 00:30:51 +02:00
Florian Klink b4cbcba5b1 systemd: update paths kmod-static-nodes.service
The previous patch just removed a `ConditionFileNotEmpty=…` line from
`kmod-static-nodes.service` referring to a location not existing on
NixOS. We know better, and can actually replace this Condition to point
to `run/booted-system/kernel-modules/lib/modules/%v/`, instead of just
patching it out.
2020-04-17 00:28:58 +02:00
Florian Klink a6710adab2 systemd: join 000{3,8}-Don-t-try-to-unmount-nix-or-nix-store.patch 2020-04-17 00:27:30 +02:00
Florian Klink 4f346cd849 systemd: drop 0017-Fix-mount-option-x-initrd.mount-handling-35268-16.patch
This was simply undoing a hunk from
0008-Don-t-try-to-unmount-nix-or-nix-store.patch, so drop that one from
there and omit
0017-Fix-mount-option-x-initrd.mount-handling-35268-16.patch entirely.
2020-04-17 00:27:29 +02:00
Florian Klink a16ebf8561 systemd: drop 001{4,5}-{catalog,hwdb}-don-t-update-on-install.patch
These patches removed logic in the meson install phase invoking
`journalctl --update-catalog` and `systemd-hwdb update`, which would
mutate the running system, and obviously fails in the sandbox.

Upstream also knows this is a bad thing if you're not on the machine you
want to deploy to, so there's logic in there to not execute it when
DESTDIR isn't empty. In our case, it is - as we set --prefix instead for
other reasons, but by just setting DESTDIR to "/", we can still trigger
these things to be skipped.

The patches removed some context from
0018-Install-default-configuration-into-out-share-factory.patch, which
we need to introduce there to make that patch still apply.
2020-04-17 00:27:29 +02:00
Florian Klink 1ad4accdaf systemd: drop 0027-Start-getty-on-lxc.patch
For quite some time, systemd has started getty on these consoles
automatically.
2020-04-17 00:27:29 +02:00
Florian Klink 22bb3a6771 systemd: remove local-fs patch and revert of it 2020-04-17 00:27:29 +02:00
Florian Klink ba770e599c systemd: switch from our own fork to upstream repo + local patches
After patching, this produces exactly the same source code as in our
custom fork, but having the actual patches inlined inside nixpkgs makes
it easier to get rid of them.

In case more complicated rebasing is necessary, maintainers can

 - Clone the upstream systemd/systemd[-stable] repo
 - Checkout the current rev mentioned in src
 - Apply the patches from this folder via `git am 00*.patch`
 - Rebase the repo on top of a new version
 - Export the patch series via `git format-patch $newVersion`
 - Update the patches = [ … ] attribute (if necessary)
2020-04-17 00:27:19 +02:00
Mario Rodas fc7efb2d49
lxc: 4.0.1 -> 4.0.2 2020-04-16 04:20:00 -05:00
Jan Tojnar 4b706490da
Merge branch 'staging-next' into staging 2020-04-16 10:10:38 +02:00
Jan Tojnar 3d8e436917
Merge branch 'master' into staging-next 2020-04-16 10:09:43 +02:00
markuskowa 4289160b17
Merge pull request #85281 from r-ryantm/auto-update/rdma-core
rdma-core: 28.0 -> 29.0
2020-04-15 13:27:20 +02:00
R. RyanTM d6d2b1ee6d rdma-core: 28.0 -> 29.0 2020-04-15 07:31:00 +00:00
Niklas Hambüchen f16ae2da3e linux: Enable CONFIG_NET_DROP_MONITOR by default.
Needed for subscribing to dropped packets (e.g. via `dropwatch`).
2020-04-14 20:07:51 +02:00