linux: Init 4.18

Tim Steinbach
2018-08-12 19:42:11 -04:00
parent c9035c6e12
commit 9236990057
3 changed files with 44 additions and 12 deletions


@@ -103,16 +103,17 @@ PAGE_POISONING_ZERO y
PANIC_ON_OOPS y
PANIC_TIMEOUT -1
GCC_PLUGINS y # Enable gcc plugin options
${optionalString (versionOlder version "4.18") ''
GCC_PLUGINS y # Enable gcc plugin options
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
GCC_PLUGIN_LATENT_ENTROPY y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
GCC_PLUGIN_LATENT_ENTROPY y
${optionalString (versionAtLeast version "4.11") ''
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
''}
${optionalString (versionAtLeast version "4.14") ''
GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
${optionalString (versionAtLeast version "4.11") ''
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
''}
${optionalString (versionAtLeast version "4.14") ''
GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
''}
''}
# Disable various dangerous settings
@@ -121,8 +122,10 @@ PROC_KCORE n # Exposes kernel text image layout
INET_DIAG n # Has been used for heap based attacks in the past
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CC_STACKPROTECTOR_REGULAR n
CC_STACKPROTECTOR_STRONG y
${optionalString (versionOlder version "4.18") ''
CC_STACKPROTECTOR_REGULAR n
CC_STACKPROTECTOR_STRONG y
''}
# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
${optionalString (versionAtLeast version "4.13") ''
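Review bot: With the second hunk's `versionOlder version "4.18"` guard, hardened kernels at 4.18 and later no longer request a stack protector at all, because nothing is added for the renamed symbols. Upstream renamed these options in 4.18, so a `versionAtLeast version "4.18"` branch setting `STACKPROTECTOR y` and `STACKPROTECTOR_STRONG y` would keep the profile asserting strong canaries instead of depending on the kernel's default. The first hunk does the same to `GCC_PLUGINS`, `GCC_PLUGIN_LATENT_ENTROPY` and both `GCC_PLUGIN_STRUCTLEAK` options, with no comment on why they are skipped or when they come back. A line such as `# GCC plugin options are not set on 4.18+: <reason>; re-enable when <condition>` above that guard would tell users of the hardened profile that this hardening is absent on the new kernel.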


@@ -0,0 +1,18 @@
{ stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
with stdenv.lib;
buildLinux (args // rec {
version = "4.18";
# modDirVersion needs to be x.y.z, will automatically add .0 if needed
modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
# branchVersion needs to be x.y
extraMeta.branch = concatStrings (intersperse "." (take 2 (splitString "." version)));
src = fetchurl {
url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
sha256 = "1wgay4k8wj08fc711j290fvi81x75yib8iaa6r7csc7mkvsbrn0r";
};
} // (args.argsOverride or {}))
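Review bot: `src` and `modDirVersion` are bound to the literal `version = "4.18"` through `rec`, so a caller who passes only `version` in `argsOverride` would, as far as this file shows, get a derivation labelled with the new version that still fetches and hash-checks the 4.18 tarball. That is easy to miss when someone overrides the version to pick up a fixed point release. A comment above the final line, for example `# argsOverride must replace version, modDirVersion and src together; rec does not re-evaluate them`, would document the contract.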