Merge remote-tracking branch 'upstream/hardened-stdenv' into staging
f3886a6fba
6 changed files with 49 additions and 19 deletions
@ -62,6 +62,18 @@ in
|
||||||
description = "Whether to enable authentication against an LDAP server.";
|
description = "Whether to enable authentication against an LDAP server.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
loginPam = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = "Whether to include authentication against LDAP in login PAM";
|
||||||
|
};
|
||||||
|
|
||||||
|
nsswitch = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = "Whether to include lookup against LDAP in NSS";
|
||||||
|
};
|
||||||
|
|
||||||
server = mkOption {
|
server = mkOption {
|
||||||
example = "ldap://ldap.example.org/";
|
example = "ldap://ldap.example.org/";
|
||||||
description = "The URL of the LDAP server.";
|
description = "The URL of the LDAP server.";
|
||||||
|
|
|
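Review bot: The two new option descriptions for `loginPam` and `nsswitch` end without a period, unlike the existing `enable` and `server` descriptions in the same hunk, and neither says what flipping the option changes. Both default to `true`, so existing configurations keep LDAP in PAM and NSS, but a reader of the option alone cannot tell that `loginPam` gates the pam_ldap entries in the PAM stacks while `nsswitch` gates only the nsswitch.conf entry, which is what the other hunks in this commit appear to implement. I would write `description = "Whether to include authentication against LDAP in login PAM. Has no effect unless users.ldap.enable is set.";` and the analogous sentence for `nsswitch`. The enclosing option set opens before this hunk and continues after it.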
@ -8,7 +8,7 @@ let
|
||||||
|
|
||||||
inherit (config.services.avahi) nssmdns;
|
inherit (config.services.avahi) nssmdns;
|
||||||
inherit (config.services.samba) nsswins;
|
inherit (config.services.samba) nsswins;
|
||||||
ldap = config.users.ldap.enable;
|
ldap = (config.users.ldap.enable && config.users.ldap.nsswitch);
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
|
|
|
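Review bot: The parentheses around `config.users.ldap.enable && config.users.ldap.nsswitch` are redundant in a Nix `let` binding; `ldap = config.users.ldap.enable && config.users.ldap.nsswitch;` reads the same and matches the plain `inherit` lines next to it. The same wrapping appears in the `use_ldap` binding of the pam hunk at -322. The `let` this binding sits in opens before the hunk.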
@ -221,7 +221,7 @@ let
|
||||||
(''
|
(''
|
||||||
# Account management.
|
# Account management.
|
||||||
account sufficient pam_unix.so
|
account sufficient pam_unix.so
|
||||||
${optionalString config.users.ldap.enable
|
${optionalString use_ldap
|
||||||
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
${optionalString config.krb5.enable
|
${optionalString config.krb5.enable
|
||||||
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||||
|
@ -261,7 +261,7 @@ let
|
||||||
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||||
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
|
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
|
||||||
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
|
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
|
||||||
${optionalString config.users.ldap.enable
|
${optionalString use_ldap
|
||||||
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
|
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
|
||||||
${optionalString config.krb5.enable ''
|
${optionalString config.krb5.enable ''
|
||||||
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||||
|
@ -276,7 +276,7 @@ let
|
||||||
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
${optionalString cfg.pamMount
|
${optionalString cfg.pamMount
|
||||||
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||||
${optionalString config.users.ldap.enable
|
${optionalString use_ldap
|
||||||
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
${optionalString config.krb5.enable
|
${optionalString config.krb5.enable
|
||||||
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
|
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
|
||||||
|
@ -296,7 +296,7 @@ let
|
||||||
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
|
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
|
||||||
${optionalString config.security.pam.enableEcryptfs
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
${optionalString config.users.ldap.enable
|
${optionalString use_ldap
|
||||||
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
${optionalString config.krb5.enable
|
${optionalString config.krb5.enable
|
||||||
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
|
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||||
|
@ -322,6 +322,7 @@ let
|
||||||
|
|
||||||
inherit (pkgs) pam_krb5 pam_ccreds;
|
inherit (pkgs) pam_krb5 pam_ccreds;
|
||||||
|
|
||||||
|
use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
|
||||||
pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
|
pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
|
||||||
|
|
||||||
# Create a limits.conf(5) file.
|
# Create a limits.conf(5) file.
|
||||||
|
|
|
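Review bot: The new `use_ldap` binding in the -322 hunk carries no comment explaining why it replaces `config.users.ldap.enable` at the four pam_ldap sites in the -221, -261, -276 and -296 hunks, so someone reading the account/auth/password/session stacks later will not see that PAM and NSS are now gated independently. I would add above it `# pam_ldap is wired into the account/auth/password/session stacks only when users.ldap.loginPam is set; NSS lookups are gated separately via users.ldap.nsswitch.` The binding is defined below its use sites, which is fine when it is the same recursive `let`, but that `let` opens before this hunk and is worth confirming. The parentheses around the `&&` are redundant.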
@ -1,13 +1,30 @@
|
||||||
{ stdenv, fetchurl, buildPythonApplication, makeQtWrapper, wrapGAppsHook
|
{ stdenv, fetchurl, unzip, buildPythonApplication, makeQtWrapper, wrapGAppsHook
|
||||||
, qtbase, pyqt5, jinja2, pygments, pyyaml, pypeg2, glib_networking
|
, qtbase, pyqt5, jinja2, pygments, pyyaml, pypeg2, glib_networking
|
||||||
, asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, libxslt
|
, asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, libxslt
|
||||||
, gst-plugins-base, gst-plugins-good, gst-plugins-bad, gst-plugins-ugly, gst-libav
|
, gst-plugins-base, gst-plugins-good, gst-plugins-bad, gst-plugins-ugly, gst-libav
|
||||||
, qtwebkit-plugins }:
|
, qtwebkit-plugins }:
|
||||||
|
|
||||||
let version = "0.8.2"; in
|
let
|
||||||
|
pdfjs = stdenv.mkDerivation rec {
|
||||||
|
name = "pdfjs-${version}";
|
||||||
|
version = "1.4.20";
|
||||||
|
|
||||||
buildPythonApplication rec {
|
src = fetchurl {
|
||||||
|
url = "https://github.com/mozilla/pdf.js/releases/download/v${version}/${name}-dist.zip";
|
||||||
|
sha256 = "1ca1fzyc5qnan6gavcd8bnfqriqqvgdsf4m8ka4nayf50k64xxj9";
|
||||||
|
};
|
||||||
|
|
||||||
|
nativeBuildInputs = [ unzip ];
|
||||||
|
|
||||||
|
buildCommand = ''
|
||||||
|
mkdir $out
|
||||||
|
unzip -d $out $src
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
in buildPythonApplication rec {
|
||||||
name = "qutebrowser-${version}";
|
name = "qutebrowser-${version}";
|
||||||
|
version = "0.8.2";
|
||||||
namePrefix = "";
|
namePrefix = "";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
|
@ -34,6 +51,7 @@ buildPythonApplication rec {
|
||||||
|
|
||||||
postPatch = ''
|
postPatch = ''
|
||||||
sed -i "s,/usr/share/qutebrowser,$out/share/qutebrowser,g" qutebrowser/utils/standarddir.py
|
sed -i "s,/usr/share/qutebrowser,$out/share/qutebrowser,g" qutebrowser/utils/standarddir.py
|
||||||
|
sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py
|
||||||
'';
|
'';
|
||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
|
|
|
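Review bot: The new `sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py` in the `postPatch` hunk silently does nothing if upstream stops hard-coding `/usr/share/pdf.js`, and the build would then ship a qutebrowser that never finds the bundled viewer; a `grep -q /usr/share/pdf.js qutebrowser/browser/pdfjs.py` before the sed would make that failure loud. The `pdfjs` derivation unpacks the release zip straight into `$out` with `unzip -d $out $src`; whether the archive nests its files under a top-level directory (in which case the substituted path would need that subdirectory) is not visible here and should be confirmed. Pinning the zip by `sha256` is the right way to fetch it. The `postPatch` string continues outside the hunk.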
@ -4,17 +4,11 @@ hardeningCFlags=()
|
||||||
hardeningLDFlags=()
|
hardeningLDFlags=()
|
||||||
hardeningDisable=${hardeningDisable:-""}
|
hardeningDisable=${hardeningDisable:-""}
|
||||||
|
|
||||||
if [[ -z "@ld_supports_bindnow@" ]]; then
|
hardeningDisable+=" @hardening_unsupported_flags@"
|
||||||
hardeningDisable+=" bindnow"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -z "@ld_supports_relro@" ]]; then
|
|
||||||
hardeningDisable+=" relro"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
|
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
|
||||||
|
|
||||||
if [[ ! $hardeningDisable == "all" ]]; then
|
if [[ ! $hardeningDisable =~ "all" ]]; then
|
||||||
if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
|
if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
|
||||||
for flag in "${hardeningFlags[@]}"
|
for flag in "${hardeningFlags[@]}"
|
||||||
do
|
do
|
||||||
|
|
|
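Review bot: The switch from `==` to `=~` in `if [[ ! $hardeningDisable =~ "all" ]]` turns the check into a substring match, so any token that merely contains `all` would switch off every hardening flag for that build rather than only the named one; no flag name on this page contains `all`, but the check should not depend on that. Since `hardeningDisable` is now a space-separated list, a whole-word test such as `if [[ ! " $hardeningDisable " == *" all "* ]]; then` keeps the intent without that risk. The new `hardeningDisable+=" @hardening_unsupported_flags@"` relies on substituteAll filling the placeholder at wrapper build time; if it were left literal, unsupported flags would no longer be disabled here and links would fail instead. The `for flag` loop that follows continues outside the hunk.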
@ -237,9 +237,14 @@ stdenv.mkDerivation {
|
||||||
cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
|
cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
|
||||||
rm $out/nix-support/setup-hook.tmp
|
rm $out/nix-support/setup-hook.tmp
|
||||||
|
|
||||||
# some linkers on some platforms don't support -z
|
# some linkers on some platforms don't support specific -z flags
|
||||||
export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]])
|
hardening_unsupported_flags=""
|
||||||
export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]])
|
if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ "unknown option" ]]; then
|
||||||
|
hardening_unsupported_flags+=" bindnow"
|
||||||
|
fi
|
||||||
|
if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "unknown option" ]]; then
|
||||||
|
hardening_unsupported_flags+=" relro"
|
||||||
|
fi
|
||||||
|
|
||||||
substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
|
substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
|
||||||
substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
|
substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
|
||||||
|
|
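Review bot: `hardening_unsupported_flags=""` on the new side is a plain shell variable, while the removed `ld_supports_bindnow`/`ld_supports_relro` lines were `export`ed; as far as I recall `substituteAll` only substitutes exported environment variables, so `@hardening_unsupported_flags@` in add-hardening.sh would stay literal and the detection would have no effect — `export hardening_unsupported_flags=""` fixes that if so, and this should be confirmed against `substituteAll` in setup.sh. The new match `=~ "unknown option"` is narrower than the removed `un(known|recognized) option` pattern (which, being quoted, matched literally anyway), so a linker that reports `unrecognized option` would be treated as supporting `-z now`/`-z relro`; whether that breaks the link or passes silently depends on the linker. The enclosing install script continues outside the hunk.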