Tim Steinbach
a27c6c7374
linux: 4.12.9 -> 4.12.10
2017-08-30 07:59:42 -04:00
Tuomas Tynkkynen
ff3f6f38c4
linux_rpi: 1.20170515 -> 1.20170811
2017-08-29 02:37:52 +03:00
Tim Steinbach
163b3e853b
linux: 4.13-rc6 -> 4.13-rc7
2017-08-28 11:59:37 -04:00
Tim Steinbach
bebaf083cd
linux-copperhead: 4.12.8.a -> 4.12.9.a
2017-08-27 09:43:23 -04:00
Tim Steinbach
9b9d0cc06b
linux: 4.9.44 -> 4.9.45
2017-08-26 09:50:02 -04:00
Tim Steinbach
d23bed7cc6
linux: 4.12.8 -> 4.12.9
2017-08-26 09:47:57 -04:00
Tim Steinbach
cd85a704a5
linux: 4.13-rc4 -> 4.13-rc6
2017-08-22 03:23:30 -04:00
Frederik Rietdijk
6bbc3a0b24
Merge commit '3b29468313bc8604fe8f85c8d9316fd276d3985c' into HEAD
2017-08-21 04:44:40 +02:00
Vladimír Čunát
7c7c83e233
buildLinux: allow overriding stdenv on each call
2017-08-20 08:24:52 +02:00
Tim Steinbach
7209ed6d4b
linux-copperhead: 4.12.7.a -> 4.12.8.a
2017-08-18 15:47:03 -04:00
Tim Steinbach
9281b05c7f
linux: 4.12.7 -> 4.12.8
2017-08-18 15:33:53 -04:00
Tim Steinbach
a5f01aa745
linux: 4.9.43 -> 4.9.44
2017-08-18 15:30:37 -04:00
Tim Steinbach
b94210b066
linux-copperhead: 4.12.5.a -> 4.12.7.a
2017-08-14 12:51:30 -04:00
Frederik Rietdijk
13bbaee21d
Merge pull request #27881 from mimadrid/fix/http-https
Update homepage attributes: http -> https
2017-08-13 21:53:20 +02:00
Tim Steinbach
5c29873e99
linux: 4.9.42 -> 4.9.43
2017-08-13 15:42:15 -04:00
Tim Steinbach
59e34685da
linux: 4.12.6 -> 4.12.7
2017-08-13 15:42:15 -04:00
Joachim Fasting
345e0e6794
hardened-config: enable read-only LSM hooks
Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).
See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
2017-08-11 23:27:58 +02:00
Robin Gloster
05b8cae9ec
linux: remove unused kernel patches
2017-08-11 19:13:09 +02:00
Robin Gloster
9f3f575ab3
linux_4_4: remove
Support ends in Feb 2018
2017-08-11 19:13:09 +02:00
Robin Gloster
0eb9c5bd42
linux_3_10: remove
Support ends in Oct 2017
2017-08-11 19:13:08 +02:00
Tim Steinbach
47d9b48e4d
linux: 4.12.5 -> 4.12.6
2017-08-11 12:14:53 -04:00
Tim Steinbach
f2d420e4c9
linux: 4.9.41 -> 4.9.42
2017-08-11 12:10:10 -04:00
Tim Steinbach
f46f98ad31
Revert 0cf0d7186a
Order common kernel config by functionality
See #27949
2017-08-07 17:34:10 -04:00
Tim Steinbach
fa10497834
Merge pull request #27684 from gnidorah/bfq
linux: BFQ Group Scheduling support
2017-08-07 11:58:45 -04:00
Tim Steinbach
06af1df857
linux: 4.13-rc3 -> 4.13-rc4
2017-08-07 11:40:01 -04:00
Tim Steinbach
ea2a10e143
linux: 4.4.79 -> 4.4.80
2017-08-07 11:35:42 -04:00
Tim Steinbach
4825e4818b
linux: 4.9.40 -> 4.9.41
2017-08-07 11:32:26 -04:00
gnidorah
dc21f1ad65
linux: BFQ Group Scheduling support
2017-08-07 10:12:21 +03:00
Tim Steinbach
1ec7242bc2
linux-copperhead: 4.12.4.a -> 4.12.5.a
2017-08-06 22:04:46 -04:00
Tim Steinbach
ff9479cd54
linux: 4.12.4 -> 4.12.5
2017-08-06 19:22:15 -04:00
Tim Steinbach
0cf0d7186a
linux-common-config: Refactor, clean up
2017-08-06 19:17:30 -04:00
Joachim Fasting
f963014829
linux-hardened-config: various fixups
Note
- the kernel config parser ignores "# foo is unset" comments so they
have no effect; disabling kernel modules would break *everything* and so
is ill-suited for a general-purpose kernel anyway --- the hardened nixos
profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
the build; fix by making it optional
- restored some original comments which I feel are clearer
2017-08-06 23:38:07 +02:00
Heitham Omar
5ac00265a8
linux-common-config: add CONFIG_HOTPLUG_PCI_ACPI
2017-08-06 20:41:28 +02:00
Tim Steinbach
ff10bafd00
linux: Expand hardened config
Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
2017-08-06 09:58:02 -04:00
Robin Gloster
2b4811887a
kernel: add IP_NF_TARGET_REDIRECT
2017-08-04 08:26:09 +02:00
mimadrid
09e0cc7cc7
Update homepage attributes: http -> https
Homepage link "http://.../" is a permanent redirect to "https://.../" and should be updated
https://repology.org/repository/nix_stable/problems
2017-08-03 11:56:15 +02:00
Tuomas Tynkkynen
3db9a2bdff
linux_rpi: 1.20170427 -> 1.20170515
2017-07-31 19:47:23 +03:00
aszlig
979817d153
linux-testing: 4.13-rc2 -> 4.13-rc3
Tested via building the linux_testing attribute, but didn't test it at
runtime (yet).
Diffed unpacked tarball against my local git clone and the contents
match.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-07-31 09:39:42 +02:00
Tim Steinbach
a918521c1e
linux-copperhead: 4.12.3.a -> 4.12.4.a
2017-07-28 17:54:37 -04:00
Tim Steinbach
5a6b5b8daf
linux: 4.4.78 -> 4.4.79
2017-07-28 10:02:29 -04:00
Tim Steinbach
88c0f67ded
linux: 4.9.39 -> 4.9.40
2017-07-28 10:00:25 -04:00
Tim Steinbach
f43c445824
linux: 4.12.3 -> 4.12.4
2017-07-28 09:55:48 -04:00
Tim Steinbach
1dd6e7dcbc
linux: 4.13-rc1 -> 4.13-rc2
2017-07-24 09:50:32 -04:00
Jörg Thalheim
887570883e
perf: remove binutils patch by wrapper
starting with linux 4.12 our patch no longer applied. In order to
avoid having to maintain patches for different linux kernels it is
easier to use a wrapper instead.
2017-07-23 15:18:02 +01:00
Tim Steinbach
869bb2e486
linux-copperhead: 4.12.2.a -> 4.12.3.a
2017-07-22 19:08:02 -04:00
Tim Steinbach
ba9275da88
linux: Remove 4.11
4.11.x has been EOL'd
2017-07-21 07:33:14 -04:00
Tim Steinbach
98ad0f4dab
linux: 4.12.2 -> 4.12.3
2017-07-21 07:28:24 -04:00
Tim Steinbach
232f497169
linux: 4.9.38 -> 4.9.39
2017-07-21 07:25:50 -04:00
Tim Steinbach
5181d7568f
linux: 4.4.77 -> 4.4.78
2017-07-21 07:23:12 -04:00
Al Zohali
0b3d29d4ac
linux_samus_4_12: init at 4.12.2
Co-authored-by: Nikolay Amiantov <ab@fmap.me>
fixes #26038
2017-07-18 23:31:18 +01:00
Tim Steinbach
df929d6216
linux-copperhead: 4.12.1.a -> 4.12.2.a
2017-07-15 19:44:12 -04:00
Tim Steinbach
b103e9317a
linux-testing: 4.12-rc7 -> 4.13-rc1
2017-07-15 19:30:44 -04:00
Tim Steinbach
81b993369c
linux: 4.4.76 -> 4.4.77
2017-07-15 19:25:42 -04:00
Tim Steinbach
b04858db1b
linux: 4.9.37 -> 4.9.38
Remove temporary patches to perf as well
2017-07-15 19:22:07 -04:00
Tim Steinbach
ccec16579d
linux: 4.11.10 -> 4.11.11
2017-07-15 19:17:06 -04:00
Tim Steinbach
c5ef98bb34
linux: 4.12.1 -> 4.12.2
2017-07-15 19:14:44 -04:00
Tim Steinbach
954c66983d
perf: Apply patch for offline kernels
As per https://lkml.org/lkml/2017/7/13/314, perf is broken in 4.9.36 and 4.9.37
Patches in this commit are taken from
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=39f4f2c018bd831c325e11983f8893caf72fd9eb
This will allow perf to build again and should be included in a future 4.9.x release,
allowing the custom patching to be removed again
2017-07-14 20:07:16 -04:00
Tuomas Tynkkynen
42395a191b
kernel-config: Disable Xen on non-x86
There's an upstream build failure on ARM (not directly related to Xen
but rather some other config options it enables). The xen package is
x86_64-only anyways.
2017-07-13 20:12:50 +03:00
Tim Steinbach
6fda535869
linux-copperhead: Fix modDirVersion
2017-07-13 09:00:44 -04:00
Tim Steinbach
45a2534459
linux-copperhead: 4.12.e -> 4.12.1.a
2017-07-13 08:40:08 -04:00
Tim Steinbach
6131b4d52d
linux: 4.12 -> 4.12.1
2017-07-13 08:36:50 -04:00
Tim Steinbach
24de0bad42
linux: 4.11.9 -> 4.11.10
2017-07-13 08:34:51 -04:00
Tim Steinbach
6da222918e
linux: 4.9.36 -> 4.9.37
2017-07-13 08:30:47 -04:00
Tim Steinbach
1434128a18
linux-copperhead: 4.12.d -> 4.12.e
2017-07-11 08:22:56 -04:00
Tim Steinbach
d38656b3c3
linux-copperhead: 4.12.c -> 4.12.d
2017-07-09 18:20:14 -04:00
Tim Steinbach
fca0b3602d
linux-copperhead: 4.12.b -> 4.12.c
2017-07-09 18:16:58 -04:00
Tim Steinbach
da8bd6df67
Merge pull request #27161 from NeQuissimus/kernel_config_cleanup
linux: Clean up kernel config warnings
2017-07-07 09:00:52 -04:00
gnidorah
ff348f4b6d
linux: Enable more I/O schedulers
2017-07-07 11:43:48 +03:00
Tim Steinbach
968e0b2baf
linux-copperhead: 4.11.8.a -> 4.12.b
2017-07-06 11:42:27 -04:00
Tim Steinbach
3ec2a2f476
linux: Clean up kernel config warnings
2017-07-05 20:09:14 -04:00
Tim Steinbach
a04afd1594
linux: 4.4.75 -> 4.4.76
2017-07-05 12:54:56 -04:00
Tim Steinbach
05bd289ff8
linux: 4.9.35 -> 4.9.36
2017-07-05 12:52:05 -04:00
Tim Steinbach
00f0f7e9f6
linux: 4.11.8 -> 4.11.9
2017-07-05 12:49:56 -04:00
Tim Steinbach
cd1f998289
Revert "linux-copperhead: 4.11.8.a -> 4.12.a"
This reverts commit cb703f1314.
2017-07-04 20:56:02 -04:00
Tim Steinbach
cb703f1314
linux-copperhead: 4.11.8.a -> 4.12.a
2017-07-03 21:03:58 -04:00
Tim Steinbach
f130e0027e
linux: Add 4.12
2017-07-03 11:57:40 -04:00
Tim Steinbach
3130f3ed0a
linux-copperhead: 4.11.7.a -> 4.11.8.a
Fixes #26790 by properly including built modules
2017-06-29 23:16:52 -04:00
Tim Steinbach
37bc494949
linux: 4.11.7 -> 4.11.8
2017-06-29 08:29:04 -04:00
Tim Steinbach
d1aff8d2e5
linux: 4.9.34 -> 4.9.35
Also, remove XSA-216 patches, the fixes are now integrated upstream
2017-06-29 08:26:25 -04:00
Tim Steinbach
6b35f22e28
linux: 4.4.74 -> 4.4.75
2017-06-29 08:20:06 -04:00
Tim Steinbach
4cc729644e
Merge pull request #26867 from michalpalka/xen-security-2017.06-new
xen: patch for XSAs: 216, 217, 218, 219, 220, 221, 222, and 224
2017-06-28 22:43:46 -04:00
John Ericson
e1faeb574a
Merge pull request #26884 from obsidiansystems/purge-stdenv-cross
Purge stdenv cross
2017-06-28 21:39:16 -04:00
hsloan
16781a3892
kernel perf: Don't use stdenv.cross
2017-06-28 20:23:09 -04:00
hsloan
1e3b45cfdb
kernel manual-config: Don't use stdenv.cross
2017-06-28 20:23:09 -04:00
hsloan
459d07d41c
kernel generic: Don't use stdenv.cross
2017-06-28 20:22:59 -04:00
Tim Steinbach
d2e199ca3c
linux: 4.4.73 -> 4.4.74
2017-06-27 08:14:47 -04:00
Tim Steinbach
c90a4b8541
linux: 4.12-rc6 -> 4.12-rc7
2017-06-26 09:58:37 -04:00
Michał Pałka
80e0cda7ff
xen: patch for XSAs: 216, 217, 218, 219, 220, 221, 222, and 224
XSA-216 Issue Description:
> The block interface response structure has some discontiguous fields.
> Certain backends populate the structure fields of an otherwise
> uninitialized instance of this structure on their stacks, leaking
> data through the (internal or trailing) padding field.
More: https://xenbits.xen.org/xsa/advisory-216.html
XSA-217 Issue Description:
> Domains controlling other domains are permitted to map pages owned by
> the domain being controlled. If the controlling domain unmaps such a
> page without flushing the TLB, and if soon after the domain being
> controlled transfers this page to another PV domain (via
> GNTTABOP_transfer or, indirectly, XENMEM_exchange), and that third
> domain uses the page as a page table, the controlling domain will have
> write access to a live page table until the applicable TLB entry is
> flushed or evicted. Note that the domain being controlled is
> necessarily HVM, while the controlling domain is PV.
More: https://xenbits.xen.org/xsa/advisory-217.html
XSA-218 Issue Description:
> We have discovered two bugs in the code unmapping grant references.
>
> * When a grant had been mapped twice by a backend domain, and then
> unmapped by two concurrent unmap calls, the frontend may be informed
> that the page had no further mappings when the first call completed rather
> than when the second call completed.
>
> * A race triggerable by an unprivileged guest could cause a grant
> maptrack entry for grants to be "freed" twice. The ultimate effect of
> this would be for maptrack entries for a single domain to be re-used.
More: https://xenbits.xen.org/xsa/advisory-218.html
XSA-219 Issue Description:
> When using shadow paging, writes to guest pagetables must be trapped and
> emulated, so the shadows can be suitably adjusted as well.
>
> When emulating the write, Xen maps the guests pagetable(s) to make the final
> adjustment and leave the guest's view of its state consistent.
>
> However, when mapping the frame, Xen drops the page reference before
> performing the write. This is a race window where the underlying frame can
> change ownership.
>
> One possible attack scenario is for the frame to change ownership and to be
> inserted into a PV guest's pagetables. At that point, the emulated write will
> be an unaudited modification to the PV pagetables whose value is under guest
> control.
More: https://xenbits.xen.org/xsa/advisory-219.html
XSA-220 Issue Description:
> Memory Protection Extensions (MPX) and Protection Key (PKU) are features in
> newer processors, whose state is intended to be per-thread and context
> switched along with all other XSAVE state.
>
> Xen's vCPU context switch code would save and restore the state only
> if the guest had set the relevant XSTATE enable bits. However,
> surprisingly, the use of these features is not dependent (PKU) or may
> not be dependent (MPX) on having the relevant XSTATE bits enabled.
>
> VMs which use MPX or PKU, and context switch the state manually rather
> than via XSAVE, will have the state leak between vCPUs (possibly,
> between vCPUs in different guests). This in turn corrupts state in
> the destination vCPU, and hence may lead to weakened protections
>
> Experimentally, MPX appears not to make any interaction with BND*
> state if BNDCFGS.EN is set but XCR0.BND{CSR,REGS} are clear. However,
> the SDM is not clear in this case; therefore MPX is included in this
> advisory as a precaution.
More: https://xenbits.xen.org/xsa/advisory-220.html
XSA-221 Issue Description:
> When polling event channels, in general arbitrary port numbers can be
> specified. Specifically, there is no requirement that a polled event
> channel ports has ever been created. When the code was generalised
> from an earlier implementation, introducing some intermediate
> pointers, a check should have been made that these intermediate
> pointers are non-NULL. However, that check was omitted.
More: https://xenbits.xen.org/xsa/advisory-221.html
XSA-222 Issue Description:
> Certain actions require removing pages from a guest's P2M
> (Physical-to-Machine) mapping. When large pages are in use to map
> guest pages in the 2nd-stage page tables, such a removal operation may
> incur a memory allocation (to replace a large mapping with individual
> smaller ones). If this allocation fails, these errors are ignored by
> the callers, which would then continue and (for example) free the
> referenced page for reuse. This leaves the guest with a mapping to a
> page it shouldn't have access to.
>
> The allocation involved comes from a separate pool of memory created
> when the domain is created; under normal operating conditions it never
> fails, but a malicious guest may be able to engineer situations where
> this pool is exhausted.
More: https://xenbits.xen.org/xsa/advisory-222.html
XSA-224 Issue Description:
> We have discovered a number of bugs in the code mapping and unmapping
> grant references.
>
> * If a grant is mapped with both the GNTMAP_device_map and
> GNTMAP_host_map flags, but unmapped only with host_map, the device_map
> portion remains but the page reference counts are lowered as though it
> had been removed. This bug can be leveraged cause a page's reference
> counts and type counts to fall to zero while retaining writeable
> mappings to the page.
>
> * Under some specific conditions, if a grant is mapped with both the
> GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
> grab sufficient type counts. When the grant is then unmapped, the
> type count will be erroneously reduced. This bug can be leveraged
> cause a page's reference counts and type counts to fall to zero while
> retaining writeable mappings to the page.
>
> * When a grant reference is given to an MMIO region (as opposed to a
> normal guest page), if the grant is mapped with only the
> GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
> This does *not* cause reference counts to change, but there will be no
> record of this mapping, so it will not be considered when reporting
> whether the grant is still in use.
More: https://xenbits.xen.org/xsa/advisory-224.html
2017-06-26 07:01:24 +00:00
Tim Steinbach
03aed4cfcf
linux-copperhead: 4.11.6.d -> 4.11.7.a
2017-06-24 14:50:41 -04:00
Tim Steinbach
b06cb59fc1
linux: 4.9.33 -> 4.9.34
2017-06-24 11:22:56 -04:00
Tim Steinbach
3a68f0bb78
linux: 4.11.6 -> 4.11.7
2017-06-24 11:20:32 -04:00
Tim Steinbach
4e08459f9b
linux-hardened-copperhead: 4.11.6c -> 4.11.6d
2017-06-22 21:12:20 -04:00
Franz Pletz
dd3f2e648a
linux_hardened_copperhead: init at 4.11.6.c
2017-06-21 23:49:00 +02:00
Jörg Thalheim
e89e96a755
linux_4_11: re-enable CONFIG_UPROBE_EVENTS
CONFIG_UPROBE_EVENT was renamed to CONFIG_UPROBE_EVENTS.
2017-06-21 17:16:46 +01:00
Tim Steinbach
2764961b87
linux: 4.12-rc5 -> 4.12-rc6
2017-06-19 21:21:15 -04:00
Franz Pletz
bbb9182cbc
linux: 4.9.32 -> 4.9.33
2017-06-17 18:45:29 +02:00
Franz Pletz
a470aa0924
linux: 4.4.72 -> 4.4.73
2017-06-17 18:45:29 +02:00
Franz Pletz
c973a4a887
linux: 4.11.5 -> 4.11.6
2017-06-17 18:45:29 +02:00
Tim Steinbach
b4576c5108
linux: 4.11.4 -> 4.11.5
2017-06-15 08:54:55 -04:00
Tim Steinbach
a7efc9f0cd
linux: 4.9.31 -> 4.9.32
2017-06-15 08:53:35 -04:00
Tim Steinbach
07edb44d15
linux: 4.4.71 -> 4.4.72
2017-06-15 08:52:26 -04:00
timor
d74f8351a5
kernel: enable audio jack reconfiguration
Change kernel config to allow for changing the functions of the audio
jacks at run-time as well as at boot time.
2017-06-13 08:50:34 +03:00
Eelco Dolstra
63e9d1c51e
perf: Fix perf annotate
This command requires objdump, so make sure it can find it.
2017-06-12 13:23:18 +02:00
Tim Steinbach
5fbab5dfb3
linux: 4.12-rc4 -> 4.12-rc5
2017-06-11 21:37:46 -04:00
Tuomas Tynkkynen
370ace4cf0
kernel: Don't build self-test modules
2017-06-11 19:33:24 +03:00
Tim Steinbach
c7abd6943e
linux: 4.9.30 -> 4.9.31
2017-06-07 08:09:37 -04:00
Tim Steinbach
01fc1a80b3
linux: 4.4.70 -> 4.4.71
2017-06-07 08:07:53 -04:00
Tim Steinbach
66faa421c9
linux: 4.11.3 -> 4.11.4
2017-06-07 08:05:45 -04:00
Tim Steinbach
7c476b98df
linux: 4.12-rc3 -> 4.12-rc4
2017-06-05 10:01:53 -04:00
Tim Steinbach
a78af5196c
linux: 4.12-rc2 -> 4.12-rc3
2017-05-29 09:32:52 -04:00
Tim Steinbach
690a83091b
linux: FS_ENCRYPTION only for >= 4.9 kernels
2017-05-25 18:25:08 -04:00
Tim Steinbach
8f0ca4f44a
linux: 4.4.69 -> 4.4.70
2017-05-25 18:21:54 -04:00
Tim Steinbach
446c57fdb2
linux: 4.9.29 -> 4.9.30
2017-05-25 18:19:16 -04:00
Tim Steinbach
f618a6caa1
linux: 4.11.2 -> 4.11.3
2017-05-25 18:16:57 -04:00
Tim Steinbach
aa73b7df30
linux: 4.12-rc1 -> 4.12-rc2
2017-05-22 11:40:04 -04:00
Tim Steinbach
a42c54057f
linux: 4.11.1 -> 4.11.2
2017-05-20 17:17:35 -04:00
Tim Steinbach
a551ca61b7
linux: 4.9.28 -> 4.9.29
2017-05-20 17:17:34 -04:00
Tim Steinbach
82852ac60e
linux: 4.4.68 -> 4.4.69
2017-05-20 17:17:33 -04:00
Tuomas Tynkkynen
de263072b5
kernel: 4.10 is end-of-life
https://lkml.org/lkml/2017/5/20/75
2017-05-20 19:54:18 +03:00
Joachim Fasting
77ed860114
linux_hardened: enable checks on scatter-gather tables
Recommended by kspp
2017-05-18 12:33:42 +02:00
Tim Steinbach
8eb302d6d7
Merge pull request #25792 from NeQuissimus/linux_4_12_rc1
linux-testing: 4.11-rc7 -> 4.12-rc1
2017-05-17 08:30:10 -04:00
Tuomas Tynkkynen
a35ec5dda6
linux_rpi: 1.20170303 -> 1.20170427
2017-05-15 11:14:59 +03:00
Tim Steinbach
336b044dcb
linux-testing: 4.11-rc7 -> 4.12-rc1
2017-05-14 22:03:14 -04:00
Tuomas Tynkkynen
ba585648e7
kernel: 4.9.27 -> 4.9.28
2017-05-15 01:28:01 +03:00
Tuomas Tynkkynen
8de08ff145
kernel: 4.4.67 -> 4.4.68
2017-05-15 01:27:50 +03:00
Tuomas Tynkkynen
c230aee121
kernel: 4.11 -> 4.11.1
2017-05-15 01:27:41 +03:00
Tuomas Tynkkynen
2f1e6c8686
kernel: 4.10.15 -> 4.10.16
2017-05-15 01:27:30 +03:00
Tim Steinbach
8584a16922
linux: 4.10.14 -> 4.10.15
2017-05-09 08:43:37 -04:00
Joachim Fasting
996b65cfba
linux_hardened: enable structleak plugin
A port of the PaX structleak plugin. Note that this version of structleak
seems to cover less ground than the PaX original (only marked structs are
zeroed). [1]
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c61f13eaa1ee17728c41370100d2d45c254ce76f
2017-05-09 01:38:26 +02:00
Joachim Fasting
1816e2b960
linux_hardened: BUG on struct validation failure
2017-05-09 01:38:24 +02:00
Joachim Fasting
a7ecdffc28
linux_hardened: move to 4.11
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
2017-05-09 01:38:22 +02:00
Joachim Fasting
42c58cd2e8
linux_hardened: compile with stackprotector-strong
Default is regular, which we need to unset for kconfig to accept the new
value.
2017-05-09 01:38:21 +02:00
Tim Steinbach
8c74ff6534
linux: 4.9.26 -> 4.9.27
2017-05-08 09:26:26 -04:00
Tim Steinbach
4e2c67ff76
linux: 4.4.66 -> 4.4.67
2017-05-08 09:23:52 -04:00
Joachim Fasting
a04d8532c2
linux: support using gcc plugins
linux 4.8 onwards support gcc plugins. This patch adds build inputs
required to make use of gcc plugins to the generic kernel build
environment.
2017-05-06 19:47:27 +02:00
Tim Steinbach
2a38ecc055
linux: 4.10.13 -> 4.10.14
2017-05-03 20:46:48 -04:00
Tim Steinbach
6076843be3
linux: 4.9.25 -> 4.9.26
2017-05-03 20:44:09 -04:00
Tim Steinbach
af933bc7d3
linux: 4.4.65 -> 4.4.66
2017-05-03 20:41:46 -04:00
Tim Steinbach
b5169fd277
linux: Add cgroups patches for 4.9, 4.10, 4.11
2017-05-02 08:49:39 -04:00
Shea Levy
207a0af06a
Add linux 4.11
2017-05-01 19:04:45 -04:00
Michael Raskin
1cce0887ee
Merge branch 'master' into mptcp-v91.3
2017-05-01 00:43:08 +02:00
Tim Steinbach
0c4de3c0c9
linux: 4.4.64 -> 4.4.65
2017-04-30 08:58:44 -04:00
Joachim Fasting
ab4fa1cce4
tree-wide: prune some dead grsec leaves
The beginning of pruning grsecurity/PaX from the tree.
2017-04-30 12:05:41 +02:00
Joachim Fasting
62f2a1c2be
linux_hardened: init
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
2017-04-30 12:05:39 +02:00
Joachim Fasting
32b8512e54
grsecurity: discontinue support
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1]. Consequently, we can no longer
responsibly support grsecurity on NixOS.
This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother. For 17.09 all of it should
probably be pruned.
[1]: https://grsecurity.net/passing_the_baton.php
2017-04-28 12:35:15 +02:00
Tim Steinbach
7f3b857d0d
linux: 4.4.63 -> 4.4.64
2017-04-27 22:12:35 -04:00
Tim Steinbach
08c44a5cac
linux: 4.10.12 -> 4.10.13
2017-04-27 22:10:06 -04:00
Tim Steinbach
903fec9922
linux: 4.9.24 -> 4.9.25
2017-04-27 22:07:34 -04:00
Jason A. Donenfeld
b1750d699c
linux-chromiumos: remove 3.14
3.14 is no longer supported upstream by kernel.org and thus no longer
receives security patches. The git commit mentioned in this .nix isn't
even available in the linked repository --
https://chromium.googlesource.com/chromiumos/third_party/kernel -- so I
think this .nix might be dead anyway. Finally, it specifies 3.14.0,
which is so ridiculously old (the latest was 3.14.79) that nobody
develops for it.
Fixes : #25145
Supports: #25127
2017-04-23 15:47:46 +02:00
Joachim Fasting
9e6c96f8fc
grsecurity: 4.9.24-201704210851 -> 4.9.24-2201704220732
2017-04-22 16:37:24 +02:00
Joachim Fasting
05911da7bb
grsecurity: 4.9.23-201704181901 -> 4.9.24-201704210851
2017-04-21 15:09:32 +02:00
Tim Steinbach
7fb1b54cc1
linux: 4.4.62 -> 4.4.63
2017-04-21 08:03:43 -04:00
Tim Steinbach
1b3282d52d
linux: 4.10.11 -> 4.10.12
2017-04-21 08:01:22 -04:00
Tim Steinbach
4dda88c89d
linux: 4.9.23 -> 4.9.24
2017-04-21 07:58:45 -04:00
Joachim Fasting
9902d63e84
grsecurity: 4.9.22-201704120836 -> 4.9.23-201704181901
2017-04-20 00:21:41 +02:00
Tim Steinbach
7643c7c8cc
linux: 4.4.61 -> 4.4.62
2017-04-18 08:22:23 -04:00
Tim Steinbach
5283e644ce
linux: 4.10.10 -> 4.10.11
2017-04-18 08:20:40 -04:00
Tim Steinbach
1173fe0b49
linux: 4.9.22 -> 4.9.23
2017-04-18 08:15:48 -04:00
Tim Steinbach
5a7b029fa9
linux: 4.11-rc6 -> 4.11-rc7
2017-04-17 07:41:19 -04:00
Tuomas Tynkkynen
3ed0d7e2df
kernel-config: Explicitly enable CONFIG_NETFILTER
This is needed by the NixOS firewall, but isn't enabled by the ARM
defconfig nor kernelAutoModules (as 'm' doesn't seem to be an option)
2017-04-14 20:43:50 +03:00
Joachim Fasting
3fa5605b41
grsecurity: 4.9.21-201704091948 -> 4.9.22-201704120836
2017-04-12 18:58:29 +02:00
Tim Steinbach
5f05792417
linux: 4.4.60 -> 4.4.61
2017-04-12 09:17:53 -04:00
Tim Steinbach
6860eedfd6
linux: 4.10.9 -> 4.10.10
2017-04-12 09:16:08 -04:00
Tim Steinbach
224a8f7358
linux: 4.9.21 -> 4.9.22
2017-04-12 09:13:56 -04:00
Tim Steinbach
205abc1fb6
linux: 4.11-rc5 -> 4.11-rc6
2017-04-10 08:34:23 -04:00
Joachim Fasting
7701cbca6b
grsecurity: 4.9.20-201703310823 -> 4.9.21-201704091948
2017-04-10 03:34:42 +02:00
Nikolay Amiantov
7099e8da83
linux: build with initrd support by default
We don't require initrd in some cases but still most boot sequences including ARM use it.
2017-04-09 22:46:07 +03:00
Nikolay Amiantov
c0e77dba0e
linux: add kernelPreferBuiltin platform option
This allows to use kernelAutoModules but still compile in any options that are set so in template config.
It's helpful for ARM and maybe other platforms where default configurations are useful because they compile in
modules that we and udev cannot autodetect now.
2017-04-09 22:46:07 +03:00
Tim Steinbach
79f9544eca
linux: 4.4.59 -> 4.4.60
2017-04-08 08:04:54 -04:00
Tim Steinbach
1988c1fa41
linux: 4.10.8 -> 4.10.9
2017-04-08 08:02:18 -04:00
Tim Steinbach
016a319b50
linux: 4.9.20 -> 4.9.21
2017-04-08 07:59:27 -04:00
Tim Steinbach
a29d0df28c
linux: 4.11-rc4 -> 4.11-rc5
2017-04-03 09:02:37 -04:00
Volth
b78f16b337
kernel: do not remove .o files on installPhase
2017-04-01 16:05:17 +03:00
Volth
ed41d50e9f
kernel: fix 9p issues
[tuomas: rename the patch from 9p-hacks to something slightly more
meaningful]
Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
2017-04-01 15:49:14 +03:00
Joachim Fasting
a41668f441
grsecurity: 4.9.19-201703300917 -> 4.9.20-201703310823
2017-04-01 00:08:50 +02:00
Tim Steinbach
cb791371c5
linux: 4.4.58 -> 4.4.59
2017-03-31 09:19:07 -04:00
Tim Steinbach
bff456bd55
linux: 4.10.7 -> 4.10.8
2017-03-31 09:16:52 -04:00
Tim Steinbach
501429d120
linux: 4.9.19 -> 4.9.20
2017-03-31 09:14:19 -04:00
Tim Steinbach
ecca152887
linux: 4.10.6 -> 4.10.7
2017-03-30 22:12:26 -04:00
Tim Steinbach
6b5193bcd9
linux: 4.4.57 -> 4.4.58
2017-03-30 22:12:05 -04:00
Joachim Fasting
f9cb8775b3
linux_4_9: 4.9.18 -> 4.9.19
2017-03-30 22:50:38 +02:00
Joachim Fasting
4d4488e793
grsecurity: 4.9.18-201703261106 -> 4.9.19-201703300917
2017-03-30 16:28:34 +02:00
Tim Steinbach
310bb3e6bb
linux: 4.11-rc3 -> 4.11-rc4
2017-03-26 19:04:21 -04:00
Joachim Fasting
5fe81c1bdb
grsecurity: 4.9.17-201703221829 -> 4.9.18-201703261106
2017-03-26 21:35:36 +02:00
Tim Steinbach
23d0f01e95
linux: 4.4.56 -> 4.4.57
2017-03-26 10:08:56 -04:00
Tim Steinbach
c0411ea229
linux: 4.10.5 -> 4.10.6
2017-03-26 10:05:22 -04:00
Tim Steinbach
422a8b9cd1
linux: 4.9.17 -> 4.9.18
2017-03-26 10:00:57 -04:00
Guillaume Maudoux
d431ff2776
linux_mptcp: 0.91.2 -> 0.91.3 (kernel 4.1.38)
2017-03-23 22:36:24 +01:00
Robin Gloster
37f7470269
linux: drop 3.12 and 4.1
Support ends before 17.09 is released:
https://www.kernel.org/category/releases.html
2017-03-23 22:06:04 +01:00
Tim Steinbach
37a965c1de
linux: 4.10.4 -> 4.10.5
2017-03-23 16:43:31 -04:00
Tim Steinbach
a20602d8e2
linux: 4.4.55 -> 4.4.56
2017-03-23 16:38:46 -04:00
Joachim Fasting
94ab4932ae
grsecurity: 4.9.16-201703180820 -> 4.9.17-201703221829
2017-03-23 01:03:14 +01:00
Joachim Fasting
a2fdf72ec4
linux_4_9: 4.9.16 -> 4.9.17
2017-03-23 01:03:11 +01:00
Tim Steinbach
c60102d177
linux: 4.11-rc2 -> 4.11-rc3
2017-03-21 20:32:36 -04:00
Tim Steinbach
bef5607e20
linux: 4.4.54 -> 4.4.55
2017-03-19 12:18:46 -04:00
Tim Steinbach
6879d560cb
linux: 4.10.3 -> 4.10.4
2017-03-19 12:15:40 -04:00
Joachim Fasting
b5da6ca213
linux_4_9: 4.9.15 -> 4.9.16
2017-03-18 15:32:56 +01:00
Joachim Fasting
d4409817a6
grsecurity: 4.9.15-201703150049 -> 4.9.16-201703180820
2017-03-18 15:32:48 +01:00
Tim Steinbach
ca3fb4d1d4
linux: 4.4.53 -> 4.4.54
2017-03-17 17:25:40 -04:00
Tim Steinbach
81ad24d4d7
linux: 4.10.2 -> 4.10.3
2017-03-17 17:19:59 -04:00
Joachim Fasting
12648a455b
linux_4_9: 4.9.14 -> 4.9.15
2017-03-15 20:03:34 +01:00
Joachim Fasting
9e60a17cb8
grsecurity: 4.9.14-201703121245 -> 4.9.15-201703150049
Contains a fix for the n_hdlc double free bug.
2017-03-15 07:25:21 +01:00
Franz Pletz
44bd7c45dc
linux_4_10: 4.10.1 -> 4.10.2
2017-03-14 23:08:43 +01:00
Franz Pletz
a691c06556
linux_testing: 4.11-rc1 -> 4.11-rc2
2017-03-14 23:08:43 +01:00
Tim Steinbach
18684a4892
linux: 4.1.38 -> 4.1.39
2017-03-13 20:15:42 -04:00
Tim Steinbach
9ac82a773c
linux: 4.4.52 -> 4.4.53
2017-03-13 20:15:26 -04:00
Tuomas Tynkkynen
b2c96062ca
kernel: Add a validity check for modDirVersion
Because if you get it wrong, you get a very confusing error message at
the end of the kernel build, which is quite painful as the build can
take a long time.
2017-03-13 18:47:21 +02:00
Joachim Fasting
8091c1b208
linux_4_9: 4.9.13 -> 4.9.14
2017-03-12 18:44:29 +01:00
Joachim Fasting
4c211bdc63
grsecurity: 4.9.13-201703052141 -> 4.9.14-201703121245
2017-03-12 18:44:27 +01:00
Franz Pletz
c1ccedeaff
linux: make some new config settings optional
These are not supported on older kernels pre 4.0.
2017-03-11 08:14:29 +01:00
Franz Pletz
ff2313a6c6
linux: 3.12.70 -> 3.12.71
2017-03-11 08:14:29 +01:00
Tuomas Tynkkynen
77c49794cd
linux_testing: 4.10-rc7 -> 4.11-rc1
Some config options got removed, so conditionalize them.
2017-03-11 01:27:06 +02:00
Tuomas Tynkkynen
5f5b87107f
raspberrypifw, linux_rpi: 1.20161020 -> 1.20170303
2017-03-08 21:35:31 +02:00
Joachim Fasting
17d80c49fa
grsecurity: 4.9.13-201702270729 -> 201703052141
2017-03-06 15:59:30 +01:00
Tuomas Tynkkynen
57c6fac3e9
kernel config: Enable IP_MULTICAST
This is lacking on ARM and causes libuv tests to fail.
2017-03-04 12:49:50 +02:00
Franz Pletz
49bdf9803a
linux: IPV6_FOU_TUNNEL is available since 4.7
2017-03-02 17:19:55 +01:00
Franz Pletz
75e85cae42
linux: enable FOU tunnels and VRF interfaces
2017-03-02 17:19:55 +01:00
Joachim Fasting
a20a53300d
grsecurity: 4.9.13-201702261126 -> 201702270729
2017-02-27 16:04:32 +01:00
Joachim Fasting
f3a6991f3d
grsecurity: 4.9.12-201702231830 -> 4.9.13-201702261126
2017-02-26 18:20:50 +01:00
Franz Pletz
701544d0a7
linux: 4.9.12 -> 4.9.13
2017-02-26 18:09:16 +01:00
Franz Pletz
62857b1f21
linux: 4.4.51 -> 4.4.52
2017-02-26 18:09:16 +01:00
Franz Pletz
8a75569619
linux: 4.10 -> 4.10.1
2017-02-26 18:09:15 +01:00
Joachim Fasting
0150d9a95c
grsecurity: 4.9.11-201702222257 -> 4.9.12-201702231830
2017-02-26 14:01:57 +01:00
Graham Christensen
d36b1ccc13
Revert "Revert "linux kernels: patch against DCCP double free (CVE-2017-6074)""
This reverts commit 53a2baabbe.
2017-02-23 19:23:29 -05:00
Graham Christensen
53a2baabbe
Revert "linux kernels: patch against DCCP double free (CVE-2017-6074)"
This reverts commit 1d68edbef4.
2017-02-23 18:47:16 -05:00
Graham Christensen
1d68edbef4
linux kernels: patch against DCCP double free (CVE-2017-6074)
2017-02-23 18:44:43 -05:00
Tim Steinbach
82aae8f631
kernel: 4.4.50 -> 4.4.51
2017-02-23 17:47:51 -05:00
Tim Steinbach
18c2be2862
kernel: 4.9.11 -> 4.9.12
2017-02-23 17:47:18 -05:00
Joachim Fasting
b92501f0d8
grsecurity: 4.9.11-201702181444 -> 201702222257
2017-02-23 19:18:39 +01:00
Shea Levy
f454297a7d
linux 4.10
2017-02-20 07:32:46 -05:00
Shea Levy
b191ac0d89
Revert "linux 4.10"
Somehow the tarball was actually linux 4.4.10
This reverts commit fea71f84d0.
2017-02-20 07:29:47 -05:00
Shea Levy
fea71f84d0
linux 4.10
2017-02-20 06:47:49 -05:00
Tim Steinbach
7274fc32d2
linux: 4.4.48 -> 4.4.50
2017-02-18 18:40:04 -05:00
Tim Steinbach
2423313581
kernel: 4.9.10 -> 4.9.11
2017-02-18 18:33:36 -05:00
Joachim Fasting
ca016c2626
grsecurity: 4.9.10-201702152052 -> 4.9.11-201702181444
2017-02-18 22:01:16 +01:00
Joachim Fasting
e8007c0e89
linux_4_9: patch for CVE-2017-5986
...
Seems fairly low impact[1] but we might as well patch it until a new 4.9
version is released
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1420276
2017-02-17 19:11:30 +01:00
Joachim Fasting
73577a2b05
linux_4_9: 4.9.9 -> 4.9.10
2017-02-17 19:11:24 +01:00
Joachim Fasting
bc2f53fd29
grsecurity: 4.9.8-201702071801 -> 4.9.10-201702152052
2017-02-16 14:51:25 +01:00
Tim Steinbach
0ec9e695c8
linux: 3.10.104 -> 3.10.105
2017-02-13 18:47:01 -05:00
Eelco Dolstra
c71a893334
Revert "Use looser 9pfs caching in VM tests/builds"
...
This reverts commit bbd03e236a.
2017-02-13 14:38:19 +01:00
Eelco Dolstra
4af79a7331
Revert "linux: Apply 9p veryloose patch to 4.9"
...
This reverts commit a82810c7a7.
Fixes #22695.
2017-02-13 12:16:39 +01:00
Franz Pletz
9dec33dc4f
linux: 4.9.8 -> 4.9.9
2017-02-09 16:27:29 +01:00
Franz Pletz
9d8248517e
linux: 4.4.47 -> 4.4.48
2017-02-09 16:27:16 +01:00
Franz Pletz
dced724c00
linux_3_18: remove due to EOL
2017-02-08 23:50:59 +01:00
Joachim Fasting
bd46a375df
grsecurity: 4.9.8-201702060653 -> 201702071801
2017-02-08 01:31:18 +01:00
aszlig
cf94e18627
linux-testing: 4.10-rc4 -> 4.10-rc7
...
Tested via building the linux_testing attribute only, not in production.
Verified unpacked tarball with GnuPG:
gpg: Signature made Mon 06 Feb 2017 12:21:50 AM CET
gpg: using RSA key 79BE3E4300411886
gpg: Good signature from "Linus Torvalds <torvalds@linux-foundation.org>" [unknown]
Primary key fingerprint: ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-07 10:23:50 +01:00
Joachim Fasting
0d422c5db5
grsecurity: 4.8.17-201701151620 -> 4.9.8-201702060653
...
The first release in the 4.9 branch.
I've also migrated my update scripts to SHA-512 so that'll
be the hash of choice for grsec packages going forward.
2017-02-06 15:49:34 +01:00
Vladimír Čunát
a2c867fd39
Merge branch 'staging'
2017-02-04 21:02:46 +01:00
Vladimír Čunát
73d798549f
protobuf, perf: fix my bad condition on gcc version
2017-02-04 20:58:47 +01:00
Tim Steinbach
949f9aff1d
linux: 3.12.69 -> 3.12.70
2017-02-04 09:18:50 -05:00
Tim Steinbach
7f69dc48b9
linux: 4.9.7 -> 4.9.8
2017-02-04 09:09:19 -05:00
Tim Steinbach
17b5ae4fe4
linux: 4.4.46 -> 4.4.47
2017-02-04 09:09:02 -05:00
Tim Steinbach
26e5b42106
linux: 4.4.45 -> 4.4.46
2017-02-03 18:36:50 -05:00
Vladimír Čunát
e7c968fbf2
linuxPackages*.perf: fix build with default gcc
...
Broken since 9842a107.
2017-02-03 12:38:18 +01:00
Vladimír Čunát
adab4cd58b
Merge branch 'master' into staging
2017-02-03 11:47:38 +01:00
Pascal Bach
d1738c19bb
kernel: 4.9.6 -> 4.9.7
2017-02-02 21:08:24 +01:00
Tuomas Tynkkynen
424cfe7686
Merge remote-tracking branch 'upstream/master' into staging
2017-01-29 02:16:29 +02:00
Tim Steinbach
99c9252e3f
kernel: 4.9.5 -> 4.9.6
2017-01-26 19:56:26 -05:00
Tim Steinbach
4345dfb5ba
kernel: 4.4.44 -> 4.4.45
2017-01-26 19:55:58 -05:00
Tuomas Tynkkynen
be0e48e48f
Merge remote-tracking branch 'upstream/master' into staging
2017-01-27 02:18:44 +02:00
Tuomas Tynkkynen
e2a2f6d595
Merge pull request #22117 from dezgeg/aarch64-for-merge
...
Aarch64 (ARM64) support
2017-01-26 17:52:28 +02:00
Vladimír Čunát
6973c7739e
Merge branch 'master' into staging
...
There were some larger rebuilds because of security.
2017-01-26 16:49:41 +01:00
Robin Gloster
9842a107da
linuxPackages.perf: fix build with gcc6
2017-01-25 20:12:38 +01:00
Franz Pletz
b9b95aa4d4
Merge pull request #22034 from mayflower/conntrack-helpers
...
Disable conntrack helper autoloading by default
2017-01-25 14:18:41 +01:00
Tuomas Tynkkynen
2bfd83ab6d
platforms.nix: Add some aarch64-specific kernel config
...
This makes Raspberry Pi 3 and some Cavium ThunderX server hardware work.
2017-01-25 02:14:46 +02:00
Joachim Fasting
c50c551142
grsecurity: 4.8.16-201701062021 -> 4.8.17-201701151620
2017-01-25 00:58:57 +01:00
Joachim Fasting
482c67af70
grsecurity: adapt new to mirror url structure
2017-01-25 00:58:54 +01:00
Franz Pletz
403fdd737e
linux: remove canDisableNetfilterConntrackHelpers feature
...
This feature is available in all kernels in nixpkgs.
2017-01-25 00:28:55 +01:00
Nathan Zadoks
fcc51d3256
linux: fix installTargets for AArch64
...
[dezgeg: note that we are currently using just 'Image' instead of
'Image.gz' as U-Boot doesn't support the latter yet. We might switch
once it does since the kernel images are quite big]
2017-01-25 00:01:54 +02:00
Eelco Dolstra
a82810c7a7
linux: Apply 9p veryloose patch to 4.9
2017-01-24 13:05:02 +01:00
Tim Steinbach
fc8233a64f
kernel: 4.4.43 -> 4.4.44
2017-01-22 12:11:50 -05:00
Franz Pletz
61caacbf47
linux: 4.1.36 -> 4.1.38
2017-01-21 20:41:38 +01:00
Franz Pletz
ce3b98d08b
linux: 3.18.45 -> 3.18.47
2017-01-21 20:41:36 +01:00
Shea Levy
34c52896d1
linux 4.9.4 -> 4.9.5
2017-01-20 09:36:04 -05:00
Tuomas Tynkkynen
9fc3ce73d1
kernel config: Enable BONDING and TMPFS_POSIX_ACL
...
Yet again something that's lacking on other platforms than x86.
2017-01-18 01:21:08 +02:00
Eelco Dolstra
e9109b1b97
linux: 4.4.42 -> 4.4.43
2017-01-17 12:02:46 +01:00
Eelco Dolstra
9a9be9296f
linux: 4.9.3 -> 4.9.4
2017-01-17 12:02:46 +01:00
Tuomas Tynkkynen
08ddb16865
linux_testing: 4.10-rc2 -> 4.10-rc4
2017-01-16 11:41:13 +02:00
Thomas Tuegel
04d11637cb
linux_4_9: enable support for amdgpu on older chipsets
...
Linux 4.9 includes experimental amdgpu support for AMD Southern Islands
chipsets. (By default, only Sea Islands and newer chipsets are supported.)
Southern Islands chips will still use radeon by default, but daring users may
set `services.xserver.videoDrivers = [ "amdgpu" ];` to try the experimental
driver.
2017-01-15 16:29:50 -06:00
Tim Steinbach
295337ead5
linux: 4.9.2 -> 4.9.3
2017-01-14 11:02:26 -05:00
Tim Steinbach
9158b89fd3
linux: 4.4.41 -> 4.4.42
2017-01-14 11:01:52 -05:00
Tim Steinbach
d483a871d1
linux: Remove 4.8
2017-01-11 16:59:29 -05:00
Franz Pletz
6b01b229c2
linux: 4.9.1 -> 4.9.2
2017-01-10 07:45:19 +01:00
Franz Pletz
3b17823187
linux: 4.8.16 -> 4.8.17
2017-01-10 07:45:19 +01:00
Franz Pletz
4c43937af0
linux: 4.4.40 -> 4.4.41
2017-01-10 07:45:18 +01:00
Joachim Fasting
d6ff445f10
grsecurity: 4.8.15-201612301949 -> 4.8.16-201701062021
2017-01-07 08:01:41 +01:00
Tim Steinbach
c1d20ea50c
kernel: 4.9.0 -> 4.9.1
2017-01-06 16:15:18 -05:00
Tim Steinbach
ecf87b11f2
kernel: 4.8.15 -> 4.8.16
2017-01-06 16:15:02 -05:00
Tim Steinbach
8fda707027
kernel: 4.4.39 -> 4.4.40
2017-01-06 16:14:30 -05:00
Tuomas Tynkkynen
2a4c8313e4
linux_testing: 4.10-rc1 -> 4.10-rc2
2017-01-03 13:51:23 +02:00
Joachim Fasting
75ce714818
grsecurity: 4.8.15-201612151923 -> 201612301949
2017-01-01 06:01:04 +01:00
Eelco Dolstra
bbd03e236a
Use looser 9pfs caching in VM tests/builds
...
This can give significant speed ups, see 7e20254412.
2016-12-29 21:26:16 +01:00
Franz Pletz
c6bcc485de
linux_4_8: add patch to fix CVE-2016-9919
2016-12-28 06:35:11 +01:00
Tuomas Tynkkynen
5ba7f33e3a
linux_testing: 4.9-rc8 -> 4.10-rc1
2016-12-27 01:35:10 +02:00
Graham Christensen
3ffb5ba60c
linux:3.18.44 -> 3.18.45
2016-12-21 21:08:47 -05:00
Graham Christensen
53e21529d4
linux:3.12.68 -> 3.12.69
2016-12-21 21:08:47 -05:00
Tim Steinbach
0e8e4a08f3
linux: 4.8.14 -> 4.8.15
2016-12-16 08:16:45 -05:00
Tim Steinbach
cb9ff3f7f9
linux: 4.4.38 -> 4.4.39
2016-12-16 08:16:22 -05:00
Joachim Fasting
f0e77cd07d
grsecurity: 4.8.14-201612110933 -> 4.8.15-201612151923
2016-12-16 12:46:44 +01:00
Graham Christensen
01d022e16b
Merge pull request #21118 from grahamc/fix-rsa-build-failure
...
linux_{4_8,grsec_nixos}: patch to fix build failure
2016-12-13 09:15:50 -05:00
Joachim Fasting
d918c80e13
grsecurity: disable verbose initify
...
Not as useful/informative as I had hoped.
2016-12-13 15:12:34 +01:00
Graham Christensen
7a813d3f6d
linux_{4_8,grsec_nixos}: patch to fix build failure
...
crypto/rsa_helper.c:18:28: fatal error: rsapubkey-asn1.h: No such file or directory
2016-12-13 07:25:46 -05:00
Shea Levy
f6daae391f
linux: add 4.9
2016-12-11 19:33:05 -05:00
Joachim Fasting
601058e0e2
grsecurity: 4.8.13-201612082118 -> 4.8.14-201612110933
2016-12-11 19:09:16 +01:00
Tim Steinbach
f576c490e3
linux: 4.4.37 -> 4.4.38
2016-12-10 15:18:52 -05:00
Tim Steinbach
b69822c505
linux: 4.8.13 -> 4.8.14
2016-12-10 15:15:44 -05:00
Tuomas Tynkkynen
bdab6fe5a1
kernel: Use built-in dtbs_install target instead of rolling our own
...
In particular, on aarch64 all the .dtb files will be in subdirectories
and *.dtb won't match anything.
2016-12-10 20:24:08 +02:00
Franz Pletz
9074d9859e
linux: add patch to fix CVE-2016-8655
...
See https://lwn.net/Articles/708319/ for more information.
2016-12-10 17:08:42 +01:00
Bjørn Forsman
2077385421
kernel: enable CONFIG_DYNAMIC_DEBUG (like Fedora and Ubuntu)
...
It was useful in tracking down CIFS + DFS issue, and it's apparently
enabled by default in two major distros.
2016-12-10 00:01:21 +02:00
Bjørn Forsman
d429520b13
kernel: add CONFIG_CIFS_* like Fedora, Ubuntu
...
The plan is to fix mounting DFS shares on NixOS (for which some of these
options are needed), but I figured it might be a good idea to enable all
CONFIG_CIFS_* like Fedora 24 and Ubuntu 16.04 while at it. Ubuntu even
has CONFIG_CIFS_SMB311, but as Fedora do not, I left it out.
Mounting DFS shares still doesn't work; need to configure cifs.upcall
and /etc/request-key.conf. Until then, using GVFS as a workaround.
2016-12-10 00:01:21 +02:00
Joachim Fasting
d1a5dc0b1c
grsecurity: 4.8.12-201612062306 -> 4.8.13-201612082118
2016-12-09 15:31:02 +01:00
Joachim Fasting
9a63779d64
grsecurity: use upstream url as the primary source
2016-12-09 15:31:00 +01:00
Joachim Fasting
ca7cc96ee8
grsecurity: enable PAX_INITIFY
...
Uses gcc plugin to detect more instances where memory used during init
can be freed.
2016-12-09 15:30:40 +01:00
Tim Steinbach
bfffbb5ea6
linux: 4.8.12 -> 4.8.13
2016-12-09 08:27:11 -05:00
Tim Steinbach
e861a5f7af
linux: 4.4.36 -> 4.4.37
2016-12-09 08:26:46 -05:00
Joachim Fasting
5fd4ffe00f
grsecurity: 4.8.12-201612031658 -> 201612062306
2016-12-08 12:22:13 +01:00
Tim Steinbach
c9d1d430ec
linux: 4.9-rc7 -> 4.9-rc8
2016-12-05 19:40:11 -05:00
Joachim Fasting
9578299bbe
grsecurity: 4.8.11-201611271225 -> 4.8.12-201612031658
2016-12-06 01:24:32 +01:00
Joachim Fasting
cc396697a6
grsecurity: enable ability to lock in readonly mounts
2016-12-06 01:24:12 +01:00
Joachim Fasting
0e765c72e5
grsecurity: enable module hardening
2016-12-06 01:23:58 +01:00
Joachim Fasting
071fbcda24
grsecurity: enable optional sysfs restrictions
...
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
...
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Tuomas Tynkkynen
9ccc14b1bc
linux_rpi: Add some feature flags
...
Copied from linux_4_4 (except for the EFI stub thing).
Otherwise the firewall module fails to evaluate:
Failed assertions:
- This kernel does not support rpfilter
2016-12-04 18:18:06 +02:00
Tim Steinbach
4f8b74b401
Merge pull request #20866 from NeQuissimus/linux_4_8_12
...
linux: 4.8.11 -> 4.8.12
2016-12-02 18:28:46 -05:00
Tim Steinbach
853b6493c8
linux: 4.8.11 -> 4.8.12
2016-12-02 14:29:00 -05:00
Tim Steinbach
654f5df5dc
linux: 4.4.35 -> 4.4.36
2016-12-02 14:28:26 -05:00
Tim Steinbach
5afc6b506c
linux: 4.1.35 -> 4.1.36
2016-12-01 20:34:02 -05:00
Tim Steinbach
18a3225dac
linux: 3.12.67 -> 3.12.68
2016-11-29 17:40:17 -05:00
Joachim Fasting
b90ed0cc80
grsecurity: 4.8.10-201611232213 -> 4.8.11-201611271225
2016-11-28 11:41:10 +01:00
Joachim Fasting
4c7323545b
Revert "grsecurity: work around for #20490"
...
This reverts commit e38b74ba89.
I failed to notice f19c961b4e461da045f2e72e73701059e5117be0; better
use that fix instead.
2016-11-28 11:40:55 +01:00
Tim Steinbach
eecf76eaa2
linux: 4.9-rc6 -> 4.9-rc7
2016-11-27 19:48:24 -05:00
Tuomas Tynkkynen
86ea3126bc
linux_rpi: 1.20160620 -> 1.20161020
2016-11-28 00:24:00 +02:00
Tim Steinbach
b47307bd74
linux: 4.8.10 -> 4.8.11
2016-11-26 16:29:23 -05:00
Tim Steinbach
cc77360bed
linux: 4.4.34 -> 4.4.35
2016-11-26 16:28:58 -05:00
Jörg Thalheim
01172c2ccf
Merge pull request #20591 from NeQuissimus/linux_4_9_rc6
...
linux: 4.9-rc5 -> 4.9-rc6
2016-11-26 16:00:16 +01:00
Joachim Fasting
f9d787c67b
grsecurity: 4.8.10-201611210813 -> 201611232213
2016-11-24 12:08:12 +01:00
Franz Pletz
7974d7493a
linux: compress kernel image with xz
2016-11-23 02:24:13 +01:00
Tim Steinbach
e4a1b76457
linux: 4.8.9 -> 4.8.10
2016-11-21 18:07:17 -05:00
Tim Steinbach
d62069aca4
linux: 4.4.33 -> 4.4.34
2016-11-21 18:06:57 -05:00
Joachim Fasting
96194467e6
grsecurity: 4.8.8-201611150756 -> 4.8.10-201611210813
2016-11-21 23:15:14 +01:00
Tim Steinbach
f6bbc6c477
linux: 4.9-rc5 -> 4.9-rc6
2016-11-20 17:23:32 -05:00
Pascal Wittmann
f7e0bc2ae7
Make all meta.maintainers attributes lists
2016-11-20 18:06:03 +01:00
Tim Steinbach
13491f9f48
Merge pull request #20552 from NeQuissimus/linux_4_8_9
...
linux: 4.8.8 -> 4.8.9
2016-11-19 09:03:00 -05:00
Tim Steinbach
d3b8a77834
linux: 4.4.32 -> 4.4.33
2016-11-19 08:56:31 -05:00
Tim Steinbach
250224bf01
linux: 4.8.8 -> 4.8.9
2016-11-19 08:55:57 -05:00
Joachim Fasting
e38b74ba89
grsecurity: work around for #20490
...
In `scripts/Makefile.modinst`, the code that generates the list of
modules to install passes file names via the command line. When
installing a grsecurity kernel, this list appears to exceed the
shell's argument list limit, as in
make[2]: execvp: /nix/store/[...]-bash-4.3-p46/bin/bash: Argument list too long
The build does not fail, however, but the list of modules to be installed ends
up being empty. Thus, the resulting kernel package output contains no modules,
rendering it useless.
We work around this by patching the makefile to use `find -exec` to
process files. Why this would occur for grsecurity and not other
kernels is unknown, most likely there's something *else* that is
actually causing this behaviour, so this is a temporary fix until that
cause is found.
Fixes https://github.com/NixOS/nixpkgs/issues/20490
2016-11-18 16:14:26 +01:00
Tim Steinbach
a4cd6f1378
Merge pull request #20441 from NeQuissimus/linux_4_4_32
...
linux: 4.4.31 -> 4.4.32
2016-11-15 17:49:00 -05:00
Tim Steinbach
819884119c
Merge pull request #20439 from NeQuissimus/linux_4_8_8
...
linux: 4.8.7 -> 4.8.8
2016-11-15 17:48:07 -05:00
Joachim Fasting
0d4e1b5edd
grsecurity: 4.8.7-201611142350 -> 4.8.8-201611150756
2016-11-15 22:57:25 +01:00
Tim Steinbach
24c342fde7
linux: 4.4.31 -> 4.4.32
2016-11-15 12:31:27 -05:00