Merge branch 'master' into closure-size

Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.

pkgs/os-specific/linux/kernel/common-config.nix

@@ -210,7 +210,7 @@ with stdenv.lib;
   OCFS2_DEBUG_MASKLOG? n
   BTRFS_FS_POSIX_ACL y
   UBIFS_FS_ADVANCED_COMPR? y
-  ${optionalString (versionAtLeast version "4.0") ''
+  ${optionalString (versionAtLeast version "4.0" && versionOlder version "4.6") ''
     NFSD_PNFS y
   ''}
   NFSD_V2_ACL y
@@ -478,7 +478,9 @@ with stdenv.lib;
   ''}
   ${optionalString (versionAtLeast version "3.7") ''
     MEDIA_USB_SUPPORT y
-    MEDIA_PCI_SUPPORT y
+    ${optionalString (!(features.chromiumos or false)) ''
+      MEDIA_PCI_SUPPORT y
+    ''}
   ''}
 
   # Our initrd init uses shebang scripts, so can't be modular.

pkgs/os-specific/linux/kernel/grsecurity-path-4.4.patch

@@ -0,0 +1,18 @@
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index a689506..30747b4 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -294,11 +294,8 @@ static int ____call_usermodehelper(void *data)
+ 	   out the path to be used prior to this point and are now operating
+ 	   on that copy
+ 	*/
+-	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
+-	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+-	     strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+-	     strncmp(sub_info->path, "/usr/sbin/", 10) &&
+-	     strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
++	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
++	     strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+ 		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
+ 		retval = -EPERM;
+ 		goto out;

pkgs/os-specific/linux/kernel/linux-3.10.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "3.10.99";
+  version = "3.10.101";
   extraMeta.branch = "3.10";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
-    sha256 = "1hq90yn2ry36y317px7f0wy55j70ip3wlxa4qsdl9pzlndadcp24";
+    sha256 = "1g8jx6vla8bjhy3xn0s7r6awinxpfr1w8zqfzjsx88pkqbf8qd9n";
   };
 
   kernelPatches = args.kernelPatches;

pkgs/os-specific/linux/kernel/linux-3.12.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "3.12.55";
+  version = "3.12.57";
   extraMeta.branch = "3.12";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
-    sha256 = "0xg52i6zsrkzv0i2kxrsx0179lkp9f2388r06rahx0anf4ars5p2";
+    sha256 = "0qv88rvi0n45z3888w2gis35lxdx34qg2p7c2cac2szbrzv664s8";
   };
 
   kernelPatches = args.kernelPatches;

pkgs/os-specific/linux/kernel/linux-3.14.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "3.14.63";
+  version = "3.14.65";
   extraMeta.branch = "3.14";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
-    sha256 = "0q3qcgcaxjc298dgjpfn6g17lvki2p87f0zkaxs0h0g13jhykwbz";
+    sha256 = "0pqfgzinwgllvyx0cfv0vnllgvzrrpbr2yi21zgppdd1iw6nipsd";
   };
 
   kernelPatches = args.kernelPatches;

pkgs/os-specific/linux/kernel/linux-3.18.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "3.18.27";
+  version = "3.18.29";
   extraMeta.branch = "3.18";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
-    sha256 = "01lz0c3ns0yp5vnjch1pn10h43g6fr4xw7w3b6kb477083cjr7dc";
+    sha256 = "0g8vlhifl31dyghiamykrpgj6n8h5w6gh6n88ir57z6lj188vaj8";
   };
 
   kernelPatches = args.kernelPatches;

pkgs/os-specific/linux/kernel/linux-4.1.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.1.17";
+  version = "4.1.20";
   extraMeta.branch = "4.1";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "084ij19vgm27ljrjabqqmlqn27p168nsm9grhr6rajid4n79h6ab";
+    sha256 = "1dpq8dgj351jzm7n6330a4xriz9dxv7d9wxzj9zn9q7ya22np9gs";
   };
 
   kernelPatches = args.kernelPatches;

pkgs/os-specific/linux/kernel/linux-4.4.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.4.4";
+  version = "4.4.6";
   extraMeta.branch = "4.4";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0b4190mwmxf329n16yl32my7dfi02pi7qf39a8v61sl9b2gxffad";
+    sha256 = "0zapxjnawdn0km6b9pc7399zbjiyb0a28rqmsif3afc9qb2cxg53";
   };
 
   kernelPatches = args.kernelPatches;

pkgs/os-specific/linux/kernel/linux-4.5.nix

@@ -0,0 +1,20 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+  version = "4.5";
+  modDirVersion = "4.5.0";
+  extraMeta.branch = "4.5";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "172i3arrc34mb7nxw31iqrmbwrdnp8dmrbf8p3b3f6z006sfy3d4";
+  };
+
+  kernelPatches = args.kernelPatches;
+
+  features.iwlwifi = true;
+  features.efiBootStub = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix

@@ -1,5 +1,8 @@
 { stdenv, fetchgit, perl, buildLinux, ncurses, openssh, ... } @ args:
 
+# ChromiumOS requires a 64bit build host
+assert stdenv.is64bit;
+
 import ./generic.nix (args // rec {
   version = "3.14.0";
   extraMeta.branch = "3.14";

pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix

@@ -1,5 +1,8 @@
 { stdenv, fetchgit, perl, buildLinux, ncurses, ... } @ args:
 
+# ChromiumOS requires a 64bit build host
+assert stdenv.is64bit;
+
 import ./generic.nix (args // rec {
   version = "3.18.0";
   extraMeta.branch = "3.18";

pkgs/os-specific/linux/kernel/linux-grsecurity-3.14.nix

@@ -0,0 +1,21 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+throw "grsecurity stable is no longer supported; please update your configuration"
+
+import ./generic.nix (args // rec {
+  version = "3.14.51";
+  extraMeta.branch = "3.14";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
+    sha256 = "1gqsd69cqijff4c4br4ydmcjl226d0yy6vrmgfvy16xiraavq1mk";
+  };
+
+  kernelPatches = args.kernelPatches;
+
+  features.iwlwifi = true;
+  features.efiBootStub = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-grsecurity-4.1.nix

@@ -0,0 +1,19 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+  version = "4.1.7";
+  extraMeta.branch = "4.1";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "0g1dnvak0pd03d4miy1025bw64wq71w29a058dzspdr6jcf9qwbn";
+  };
+
+  kernelPatches = args.kernelPatches;
+
+  features.iwlwifi = true;
+  features.efiBootStub = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-grsecurity-4.4.nix

@@ -0,0 +1,19 @@
+{ stdenv, fetchurl, perl, buildLinux, ... } @ args:
+
+import ./generic.nix (args // rec {
+  version = "4.4.5";
+  extraMeta.branch = "4.4";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "1daavrj2msl85aijh1izfm1cwf14c7mi75hldzidr1h2v629l89h";
+  };
+
+  kernelPatches = args.kernelPatches;
+
+  features.iwlwifi = true;
+  features.efiBootStub = true;
+  features.needsCifsUtils = true;
+  features.canDisableNetfilterConntrackHelpers = true;
+  features.netfilterRPFilter = true;
+} // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-rpi.nix

@@ -2,17 +2,17 @@
 
 let
 
-  rev = "fe4a83540ec73dfc298f16f027277355470ea9a0";
+  rev = "f4b20d47d7df7927967fcd524324b145cfc9e2f9";
 
 in import ./generic.nix (args // rec {
-  version = "3.18.y-${rev}";
+  version = "4.1.y-${rev}";
 
-  modDirVersion = "3.18.7";
+  modDirVersion = "4.1.20-v7";
 
   src = fetchurl {
     url = "https://api.github.com/repos/raspberrypi/linux/tarball/${rev}";
     name = "linux-raspberrypi-${version}.tar.gz";
-    sha256 = "05gq40f038hxjqd3sdb1914g2bzw533dyxy59sgdpybs8801x2vb";
+    sha256 = "0x17hlbi7lpmmnp24dnkync5gzj57j84j0nlrcv1lv9fahjkqsm2";
   };
 
   features.iwlwifi = true;

pkgs/os-specific/linux/kernel/linux-testing.nix

@@ -1,13 +1,13 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.5-rc7";
-  modDirVersion = "4.5.0-rc7";
-  extraMeta.branch = "4.5";
+  version = "4.6-rc1";
+  modDirVersion = "4.6.0-rc1";
+  extraMeta.branch = "4.6";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/testing/linux-${version}.tar.xz";
-    sha256 = "0z43s7ccikmqigv4insjvizs3bkx2lgjvzsz5rmmpcga28dz44kq";
+    sha256 = "1y73sjd7i48d1c8x52z59imx8g8d00wy67r5666cvwqrq8d407h0";
   };
 
   features.iwlwifi = true;

pkgs/os-specific/linux/kernel/patches.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ stdenv, fetchurl, pkgs }:
 
 let
 
@@ -18,11 +18,14 @@ let
       };
     };
 
-  grsecPatch = { grversion ? "3.1", kversion, revision, branch, sha256 }:
+  grsecPatch = { grversion ? "3.1", kernel, patches, kversion, revision, branch ? "test", sha256 }:
+    assert kversion == kernel.version;
     { name = "grsecurity-${grversion}-${kversion}";
-      inherit grversion kversion revision;
+      inherit grversion kernel patches kversion revision;
       patch = fetchurl {
-        url = "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true";
+        url = if branch == "stable"
+              then "https://github.com/kdave/grsecurity-patches/blob/master/grsecurity_patches/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"
+              else "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true";
         inherit sha256;
       };
       features.grsecurity = true;
@@ -79,23 +82,41 @@ rec {
     sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
   };
 
-  grsecurity_stable = grsecPatch
-    { kversion  = "3.14.51";
+  grsecurity_3_14 = grsecPatch
+    { kernel    = pkgs.grsecurity_base_linux_3_14;
+      patches   = [ grsecurity_fix_path_3_14 ];
+      kversion  = "3.14.51";
       revision  = "201508181951";
       branch    = "stable";
       sha256    = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
     };
 
-  grsecurity_unstable = grsecPatch
-    { kversion  = "4.3.4";
-      revision  = "201601231215";
-      branch    = "test";
-      sha256    = "1dacld4zlp8mk6ykc0f1v5crppvq3znbdw9rwfrf6qi90984x0mr";
+  grsecurity_4_1 = grsecPatch
+    { kernel    = pkgs.grsecurity_base_linux_4_1;
+      patches   = [ grsecurity_fix_path_3_14 ];
+      kversion  = "4.1.7";
+      revision  = "201509201149";
+      sha256    = "1agv8c3c4vmh5algbzmrq2f6vwk72rikrlcbm4h7jbrb9js6fxk4";
     };
 
-  grsec_fix_path =
-    { name = "grsec-fix-path";
-      patch = ./grsec-path.patch;
+  grsecurity_4_4 = grsecPatch
+    { kernel    = pkgs.grsecurity_base_linux_4_4;
+      patches   = [ grsecurity_fix_path_4_4 ];
+      kversion  = "4.4.5";
+      revision  = "201603131305";
+      sha256    = "04k4nhshl6r5n41ha5620s7cd70dmmmvyf9mnn5359jr1720kxpf";
+    };
+
+  grsecurity_latest = grsecurity_4_4;
+
+  grsecurity_fix_path_3_14 =
+    { name = "grsecurity-fix-path-3.14";
+      patch = ./grsecurity-path-3.14.patch;
+    };
+
+  grsecurity_fix_path_4_4 =
+    { name = "grsecurity-fix-path-4.4";
+      patch = ./grsecurity-path-4.4.patch;
     };
 
   crc_regression =

pkgs/os-specific/linux/kernel/perf.nix

@@ -28,7 +28,7 @@ stdenv.mkDerivation {
 
   # Note: we don't add elfutils to buildInputs, since it provides a
   # bad `ld' and other stuff.
-  NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp";
+  NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp -Wno-error=bool-compare";
   NIX_CFLAGS_LINK = "-L${elfutils}/lib";
 
   installFlags = "install install-man ASCIIDOC8=1";