Commit graph

85363 commits

Author SHA1 Message Date
Joachim Fasting
886c03ad2e Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting
7bda8f0a8f
grsecurity: add a xen guest kernel
This is for the benefit of users who want to quickly get up and running
on a Xen host, for which the stock NixOS kernel is likely unsuitable.
2016-06-14 03:38:19 +02:00
Joachim Fasting
544b42f8f5
top-level/release.nix: remove obsolete grsec jobs 2016-06-14 03:38:19 +02:00
Joachim Fasting
dae5f53d25
qemu: apply PaX markings 2016-06-14 03:38:18 +02:00
Joachim Fasting
09cf92ccee
nixos: flesh out the grsecurity test suite
I've failed to figure out why `paxtest blackhat` hangs the vm, and
have resigned myself to running individual `paxtest` programs.  This provides
limited coverage, but at least verifies that some important features are
in fact working.

Ideas for future work include a subtest for basic desktop
functionality.
2016-06-14 03:38:18 +02:00
Joachim Fasting
a53452f3e1
nixos: remove the grsecurity GID
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose.  That leaves no use for the grsecurity GID.

More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/restriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
2016-06-14 03:38:17 +02:00
Joachim Fasting
0677cc61c8
nixos: rewrite the grsecurity module
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel.  The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.

The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.

The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).

Administration of Grsecurity's role based access control system is yet
to be implemented.
2016-06-14 03:38:12 +02:00
Joachim Fasting
3123c7df37 Merge pull request #16204 from vrthra/mlterm
mlterm: Disable darwin compilation
2016-06-14 03:09:46 +02:00
Tuomas Tynkkynen
7ae1e9bb6d multi_v7_defconfig: Enable AHCI_IMX 2016-06-14 01:31:57 +03:00
Joachim Fasting
75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Joachim Fasting
bdc6690baf Merge pull request #16219 from rasendubi/cython
Cython: fix source link
2016-06-13 23:20:03 +02:00
Peter Simons
8d86c8274f callHackage: generate expressions for the appropriate target system and compiler 2016-06-13 23:09:56 +02:00
Peter Simons
322fe543b6 cabal2nix: bump to version 20160613 2016-06-13 23:09:55 +02:00
Peter Simons
bef99f11cb Add LTS Haskell 6.3. 2016-06-13 23:09:55 +02:00
Peter Simons
ee933f5d73 hackage-packages.nix: update Haskell package set
This update was generated by hackage2nix v20160613 using the following inputs:

  - Hackage: b9e58743e7
  - LTS Haskell: 2a2cddb443
  - Stackage Nightly: 4b8c8abac5
2016-06-13 23:09:44 +02:00
Joachim Fasting
be009c90ca Merge pull request #16211 from mpscholten/fix-php
php: Fixed libiconv error
2016-06-13 22:57:58 +02:00
Robert Helgesson
96fc1e19b8 cacert: remove dependency on LWP
The `mk-ca-bundle.pl` script manages quite well using only curl but
fails without LWP being present due to a `use` statement. This removes
the Perl import of the LWP library and adds curl as a build input.
2016-06-13 22:18:59 +02:00
Alexey Shmalko
1191149cc8
Cython: fix source link
Fixes #16218.
2016-06-13 23:13:01 +03:00
Vladimír Čunát
e68191e6c4 Merge #16216: meld: 3.14.0 -> 3.16.0 2016-06-13 22:10:09 +02:00
mimadrid
1a9a72274a meld: 3.14.0 -> 3.16.0 2016-06-13 21:21:16 +02:00
Thomas Tuegel
8a37d9cb6d Merge pull request #16176 from bendlas/update-emacs-packages
melpa(-unstable)-packages 2016-06-12
2016-06-13 14:07:52 -05:00
Tobias Geerinckx-Rice
ff04cf2522
gparted: 0.26.0 -> 0.26.1
Key changes include:
- Ensure boot loaders work on ext4 < 16 TiB by using 32bit feature
- Fix core dump crash in OperationDelete::get_partition_new()

More: https://sourceforge.net/projects/gparted/files/gparted/gparted-0.26.1/gparted-0.26.1-README.md/view
2016-06-13 19:35:24 +02:00
Marc Scholten
d1219ba68f php: Fixed libiconv error 2016-06-13 18:25:58 +02:00
Paweł Pacana
d2b58dd39a buildkite-agent: init at 2.1.8
* nixos module included
* install compiled binary
* only one platform now
* limited config options
* relies on providing ssh keys for agent
2016-06-13 17:21:08 +01:00
Luca Bruno
02a1408d9c Merge pull request #16023 from choochootrain/add-xbanish-service
xbanish service: init at 1.4
2016-06-13 17:24:44 +02:00
Luca Bruno
127b4e84f0 Merge pull request #16072 from ejlo/fix/electron-update-v1.2.2
electron: 0.36.2 -> 1.2.2
2016-06-13 17:23:10 +02:00
Joachim Fasting
3d54210566 Merge pull request #15739 from matthewbauer/retroarch-disable-nvidia
Remove nvidia-cg-toolkit as input for retroarch.
2016-06-13 16:46:58 +02:00
Joachim Fasting
70c5ab532f Merge pull request #16110 from womfoo/augeas
augeas: 1.2.0 -> 1.5.0
2016-06-13 16:46:08 +02:00
Joachim Fasting
41bd0dc373 Merge pull request #16078 from mpscholten/php7
php: Now builds on darwin
2016-06-13 16:45:28 +02:00
Rob Vermaas
91436641ec Fix hash for Debian 8.4 Jessie
(cherry picked from commit fd60751ce0c85427423b78d8a46c3f78d65bd0e2)
2016-06-13 12:20:55 +00:00
Gabriel Ebner
de3ccbbdac jabref: 2.10 -> 3.3 2016-06-13 13:40:16 +02:00
obadz
ca17bd0c8a socat: add readline support 2016-06-13 12:09:32 +01:00
Peter Simons
52edff8689 Merge pull request #15989 from mboes/stack-builder-tweaks
haskell.lib.buildStackProject: allow passing in a custom GHC version.
2016-06-13 12:15:11 +02:00
Christoph Hrdinka
17dc0a544c mapnik: 3.0.9 -> 3.0.10 2016-06-13 11:59:04 +02:00
Mathieu Boespflug
3adf86eed6 doc(haskell): Remove pesky tabs in code snippets. 2016-06-13 11:42:50 +02:00
zimbatm
95e9a95099 Merge pull request #16186 from romildo/upd.mate
Update mate themes
2016-06-13 10:33:29 +01:00
Moritz Ulrich
edca4a1b55 Merge pull request #16159 from matthewbauer/neovim-darwin-fixes
Neovim darwin fixes
2016-06-13 10:42:20 +02:00
José Romildo Malaquias
ce50ba74dc numix-gtk-theme: 2016-05-25 -> 2016-06-12
Closes #16188.
2016-06-13 10:03:30 +02:00
José Romildo Malaquias
d76e2f24c2 numix-icon-theme-circle: 2016-05-25 -> 2016-06-10 2016-06-13 10:03:24 +02:00
José Romildo Malaquias
8edc102336 numix-icon-theme: 2016-05-18 -> 2016-06-10 2016-06-13 10:03:24 +02:00
José Romildo Malaquias
0bd6b9ce98 paper-gtk-theme: 2016-05-25 -> 2016-05-27
Closes #16194.
2016-06-13 09:57:25 +02:00
José Romildo Malaquias
25d37fc4eb paper-icon-theme: 2016-05-25 -> 2016-06-08 2016-06-13 09:56:31 +02:00
Michael Alan Dorman
b40e1efe00 haskell generic-builder: don't propagate setupHaskellDepends
Without this patch, attempts to install at least some of the packages
that start to use setupHaskellDepends (mostly gtk-related packages)
result in collisions:

    building path(s) ‘/nix/store/63k5smns43f5r2ad8wcc242x0gwd70m3-ghc-8.0.1’
    collision between `/nix/store/k18i1nm5hgnb82y9w2g9hmlwhk3szjld-ghc-8.0.1/lib/ghc-8.0.1/Cabal-1.24.0.0/Distribution/Compat/Binary.dyn_hi' and `/nix/store/0rwhbwsg9kmywgbrib2bs29p2hmi80za-Cabal-1.24.0.0/lib/ghc-8.0.1/Cabal-1.24.0.0/Distribution/Compat/Binary.dyn_hi'
    builder for ‘/nix/store/vrjkfpm8sb96m9i5k74h8vn0rwddgy4v-ghc-8.0.1.drv’ failed with exit code 25

This would appear to me to be a consequence of setupHaskellDepends
entries being added to propagateBuildInputs.  It is sufficient in the
cases I'm familiar with (taffyBar), and I think correct, to simply add
it to the otherBuildInputs.
2016-06-13 09:51:35 +02:00
José Romildo Malaquias
0072cb8ff1 faba-mono-icons: init at 2016-04-30
Closes #16109.
2016-06-13 09:40:51 +02:00
José Romildo Malaquias
fa447287b0 arc-icon-theme: init at 2016-06-06 2016-06-13 09:40:44 +02:00
José Romildo Malaquias
4e44a330cb moka-icon-theme: init at 2016-06-07 2016-06-13 09:40:43 +02:00
José Romildo Malaquias
c33cf02337 faba-icon-theme: init at 2016-06-02 2016-06-13 09:40:43 +02:00
Nathan Zadoks
ff45ea743f qtpass: 1.1.1 -> 1.1.3
Closes #16202.
2016-06-13 09:30:37 +02:00
Matthew Bauer
e37bb985a3 retroarch: 2015-11-20 -> 1.3.4
also: remove nvidia-cg-toolkit as input for retroarch.
see #15707

darwin is also building but you have to trick it into
thinking it's a desktop app for the GUI to load

platforms is set to "platforms.all".
2016-06-12 22:13:06 -05:00
Matthew Bauer
e0884e85cf neovim: fix build on darwin, cleanup lua paths
fixes #16152

The cmake script had trouble finding the lua paths, this sets them
using “luaPackages.getLuaPath” and “luaPackages.getLuaCPath”.
2016-06-12 21:02:09 -05:00