Merge remote-tracking branch 'upstream/hardened-stdenv' into staging

Robin Gloster 2016-08-24 10:30:35 +00:00
commit f3886a6fba
6 changed files with 49 additions and 19 deletions


@ -62,6 +62,18 @@ in
description = "Whether to enable authentication against an LDAP server.";
};
loginPam = mkOption {
type = types.bool;
default = true;
description = "Whether to include authentication against LDAP in login PAM";
};
nsswitch = mkOption {
type = types.bool;
default = true;
description = "Whether to include lookup against LDAP in NSS";
};
server = mkOption {
example = "ldap://ldap.example.org/";
description = "The URL of the LDAP server.";
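Review bot: The descriptions of the new `loginPam` and `nsswitch` options do not say what each switch actually affects, and they drop the trailing period that the neighbouring `enable` and `server` descriptions use. The PAM side of this same commit gates every `pam_ldap.so` entry (account, auth, password, session) on `loginPam`, so the text could state that: `description = "Whether to include authentication against LDAP in login PAM (gates every pam_ldap.so entry in the generated PAM stacks).";`. For `nsswitch`, `description = "Whether to include lookup against LDAP in NSS.";` at least matches the punctuation of its neighbours; what exactly it removes from the generated nsswitch.conf is only inferable from the companion nsswitch.nix hunk and should be confirmed against that file.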


@ -8,7 +8,7 @@ let
inherit (config.services.avahi) nssmdns;
inherit (config.services.samba) nsswins;
ldap = config.users.ldap.enable;
ldap = (config.users.ldap.enable && config.users.ldap.nsswitch);
in
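Review bot: The parentheses around the new `ldap` binding are redundant in Nix, since the `&&` expression is already the whole right-hand side; `ldap = config.users.ldap.enable && config.users.ldap.nsswitch;` reads the same and matches the unparenthesised bindings above it. The `use_ldap` binding this commit adds to pam.nix carries the same extra wrapping. The enclosing `let` starts before this hunk.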


@ -221,7 +221,7 @@ let
(''
# Account management.
account sufficient pam_unix.so
${optionalString config.users.ldap.enable
${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
@ -261,7 +261,7 @@ let
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
${optionalString config.users.ldap.enable
${optionalString use_ldap
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
${optionalString config.krb5.enable ''
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
@ -276,7 +276,7 @@ let
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
${optionalString cfg.pamMount
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString config.users.ldap.enable
${optionalString use_ldap
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
@ -296,7 +296,7 @@ let
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
${optionalString config.security.pam.enableEcryptfs
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
${optionalString config.users.ldap.enable
${optionalString use_ldap
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
@ -322,6 +322,7 @@ let
inherit (pkgs) pam_krb5 pam_ccreds;
use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
# Create a limits.conf(5) file.
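Review bot: `use_ldap` is introduced in the trailing `let` at the last hunk with no note of what it gates, while its four uses sit in the earlier hunks of this file far from the definition; a one-line comment would spare the next reader the search: `# pam_ldap.so is only wired into the account/auth/password/session stacks when users.ldap.loginPam is set`. The snake_case spelling also sits beside camelCase option names used nearby such as `cfg.pamMount` and `cfg.oathAuth`, although `pam_ldap` and `pam_krb5` in the same `let` already use underscores, so either spelling has precedent here. The enclosing `let` starts before the first hunk and ends after the last one.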


@ -1,13 +1,30 @@
{ stdenv, fetchurl, buildPythonApplication, makeQtWrapper, wrapGAppsHook
{ stdenv, fetchurl, unzip, buildPythonApplication, makeQtWrapper, wrapGAppsHook
, qtbase, pyqt5, jinja2, pygments, pyyaml, pypeg2, glib_networking
, asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, libxslt
, gst-plugins-base, gst-plugins-good, gst-plugins-bad, gst-plugins-ugly, gst-libav
, qtwebkit-plugins }:
let version = "0.8.2"; in
let
pdfjs = stdenv.mkDerivation rec {
name = "pdfjs-${version}";
version = "1.4.20";
buildPythonApplication rec {
src = fetchurl {
url = "https://github.com/mozilla/pdf.js/releases/download/v${version}/${name}-dist.zip";
sha256 = "1ca1fzyc5qnan6gavcd8bnfqriqqvgdsf4m8ka4nayf50k64xxj9";
};
nativeBuildInputs = [ unzip ];
buildCommand = ''
mkdir $out
unzip -d $out $src
'';
};
in buildPythonApplication rec {
name = "qutebrowser-${version}";
version = "0.8.2";
namePrefix = "";
src = fetchurl {
@ -34,6 +51,7 @@ buildPythonApplication rec {
postPatch = ''
sed -i "s,/usr/share/qutebrowser,$out/share/qutebrowser,g" qutebrowser/utils/standarddir.py
sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py
'';
postBuild = ''
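Review bot: The new `pdfjs` derivation and the `sed` in `postPatch` that rewrites `/usr/share/pdf.js` to it are coupled without any comment saying so, and the substitution only does anything useful if the unzipped `-dist` archive has the directory layout `qutebrowser/browser/pdfjs.py` expects under `/usr/share/pdf.js`, which cannot be confirmed from this hunk. A short comment on the derivation such as `# pdf.js viewer bundle; postPatch below rewrites the /usr/share/pdf.js path to this store path` would make the intent and the assumption visible. The pinned version and fixed sha256 on the fetch look fine; `buildPythonApplication rec {` continues past the second hunk.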


@ -4,17 +4,11 @@ hardeningCFlags=()
hardeningLDFlags=()
hardeningDisable=${hardeningDisable:-""}
if [[ -z "@ld_supports_bindnow@" ]]; then
hardeningDisable+=" bindnow"
fi
if [[ -z "@ld_supports_relro@" ]]; then
hardeningDisable+=" relro"
fi
hardeningDisable+=" @hardening_unsupported_flags@"
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
if [[ ! $hardeningDisable == "all" ]]; then
if [[ ! $hardeningDisable =~ "all" ]]; then
if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
for flag in "${hardeningFlags[@]}"
do
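Review bot: The changed `=~ "all"` test is a substring match, so any token in `hardeningDisable` that merely contains `all` — including whatever `@hardening_unsupported_flags@` is substituted with on the line above — would be read as the `all` flag and silently switch off every hardening flag. Matching a whole whitespace-separated word keeps the intended meaning while still working now that other flags are appended to the list: `if [[ ! " $hardeningDisable " == *" all "* ]]; then`. The `if` block this line opens closes after the hunk.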


@ -237,9 +237,14 @@ stdenv.mkDerivation {
cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
rm $out/nix-support/setup-hook.tmp
# some linkers on some platforms don't support -z
export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]])
export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]])
# some linkers on some platforms don't support specific -z flags
hardening_unsupported_flags=""
if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ "unknown option" ]]; then
hardening_unsupported_flags+=" bindnow"
fi
if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "unknown option" ]]; then
hardening_unsupported_flags+=" relro"
fi
substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
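Review bot: The two new `=~ "unknown option"` probes recognise only one wording, whereas the lines they replace were written to catch both `unknown` and `unrecognized` (that earlier fully-quoted pattern was matched literally by bash, so it never worked as a regex either). A linker that reports `-z now` or `-z relro` as an unrecognized option would now be treated as supporting it and the flag would not reach `hardening_unsupported_flags`; which linkers print which wording cannot be confirmed from this hunk. An unquoted pattern keeps the alternation: set `re='un(known|recognized) option'` once, then `if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ $re ]]; then` for both probes. The surrounding shell block runs past both ends of the hunk.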