Merge master into staging-next

pkgs/os-specific/linux/i2c-tools/default.nix

@@ -2,22 +2,23 @@
 
 stdenv.mkDerivation rec {
   name = "i2c-tools-${version}";
-  version = "4.0";
+  version = "4.1";
 
   src = fetchurl {
     url = "https://www.kernel.org/pub/software/utils/i2c-tools/${name}.tar.xz";
-    sha256 = "1mi8mykvl89y6liinc9jv1x8m2q093wrdc2hm86a47n524fcl06r";
+    sha256 = "1m97hpwqfaqjl9xvr4pvz2vdrsdvxbcn0nnx8pamnyc3s7pikcjp";
   };
 
   buildInputs = [ perl ];
 
-  patchPhase = ''
+  postPatch = ''
     substituteInPlace eeprom/decode-edid --replace "/usr/sbin/parse-edid" "${read-edid}/bin/parse-edid"
     substituteInPlace stub/i2c-stub-from-dump --replace "/sbin/" ""
   '';
 
-  installPhase = ''
-    make install prefix=$out
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postInstall = ''
     rm -rf $out/include # Installs include/linux/i2c-dev.h that conflics with kernel headers
   '';
 

pkgs/os-specific/linux/kernel/hardened-config.nix

@@ -28,9 +28,9 @@ ${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
   # Reduce attack surface by disabling various emulations
   IA32_EMULATION n
   X86_X32 n
-  ${optionalString (versionOlder version "4.17") ''
-    MODIFY_LDT_SYSCALL? n
-  ''}
+  # Note: this config depends on EXPERT y and so will not take effect, hence
+  # it is left "optional" for now.
+  MODIFY_LDT_SYSCALL? n
 
   VMAP_STACK y # Catch kernel stack overflows
 
@@ -52,18 +52,23 @@ ${optionalString (versionOlder version "4.11") ''
   DEBUG_SET_MODULE_RONX y
 ''}
 
-# Mark LSM hooks read-only after init.  Conflicts with SECURITY_SELINUX_DISABLE
-# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot
-# via the selinux=0 boot parameter.
+# Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
+# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+# implicitly marks LSM hooks read-only after init.
+#
+# SELinux can only be disabled at boot via selinux=0
+#
+# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+# config builder fails to detect that it has indeed been unset.
 ${optionalString (versionAtLeast version "4.12") ''
   SECURITY_SELINUX_DISABLE n
-''}
-
-${optionalString ((versionAtLeast version "4.12") && (versionOlder version "4.17")) ''
-  SECURITY_WRITABLE_HOOKS n
+  SECURITY_WRITABLE_HOOKS? n
 ''}
 
 DEBUG_WX y # boot-time warning on RWX mappings
+${optionalString (versionAtLeast version "4.11") ''
+  STRICT_KERNEL_RWX y
+''}
 
 # Stricter /dev/mem
 STRICT_DEVMEM? y
@@ -84,7 +89,7 @@ ${optionalString (versionAtLeast version "4.13") ''
 # Perform usercopy bounds checking.
 HARDENED_USERCOPY y
 ${optionalString (versionAtLeast version "4.16") ''
-  HARDENED_USERCOPY_FALLBACK n
+  HARDENED_USERCOPY_FALLBACK n  # for full whitelist enforcement
 ''}
 
 # Randomize allocator freelists.
@@ -94,6 +99,9 @@ ${optionalString (versionAtLeast version "4.14") ''
   SLAB_FREELIST_HARDENED y
 ''}
 
+# Allow enabling slub/slab free poisoning with slub_debug=P
+SLUB_DEBUG y
+
 # Wipe higher-level memory allocations on free() with page_poison=1
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
@@ -117,6 +125,11 @@ ${optionalString (versionAtLeast version "4.20") ''
   GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
 ''}
 
+${optionalString (versionAtLeast version "4.13") ''
+  GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
+''}
+
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
 PROC_KCORE n # Exposes kernel text image layout

pkgs/os-specific/linux/sysstat/default.nix

@@ -1,11 +1,11 @@
 { stdenv, fetchurl, gettext, bzip2 }:
 
 stdenv.mkDerivation rec {
-  name = "sysstat-12.1.1";
+  name = "sysstat-12.1.2";
 
   src = fetchurl {
     url = "http://perso.orange.fr/sebastien.godard/${name}.tar.xz";
-    sha256 = "0drrlv2fr64g5zf0a2bkla2rql4nmq4n192wvcr9r4zppg58d8k4";
+    sha256 = "0xiv70x4n24fcycvlq95lqgb3jwjxfzq61bnyqai57x54hhn46yp";
   };
 
   buildInputs = [ gettext ];