287313 commits

Author SHA1 Message Date
Martin Weinelt
24adc01e2e
nixos/home-assistant: allow netlink sockets and /proc/net inspection
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place let's allow AF_NETLINK unconditionally.

It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.

This leaves us with these options unsecured:

✗ PrivateNetwork=                                             Service has access to the host's network                                                                 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                    0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                                       0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                         0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                                       0.2
✗ PrivateUsers=                                               Service has access to other users                                                                        0.2
✗ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed)      0.2
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                                     0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                            0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                                                   0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                       0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                       0.1

→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
2021-05-06 16:55:53 +02:00
Raghav Sood
eb21311135
Merge pull request #121621 from xwvvvvwx/turbo-geth-2021.04.05
turbo-geth 2021.02.01 -> 2021.04.05
2021-05-06 22:42:56 +08:00
Raghav Sood
9332725620
Merge pull request #121850 from asymmetric/polkadot/0.9.0
polkadot: 0.8.30 -> 0.9.0
2021-05-06 22:36:58 +08:00
Robert Hensing
66fd2ea7ee openapi-generator-cli: Invoke install hooks 2021-05-06 16:25:26 +02:00
Robert Hensing
cd855e6746 openapi-generator-cli: Use jre_headless 2021-05-06 16:25:26 +02:00
Robert Hensing
99d5c97a8c openapi-generator-cli: Add passthru.tests.example 2021-05-06 16:25:24 +02:00
Domen Kožar
a4c8569ed5
Merge pull request #121900 from hercules-ci/update-openapi-generator-cli
openapi-generator-cli: 5.0.0 -> 5.1.0
2021-05-06 16:10:37 +02:00
Michael Weiss
93f6089d14
Merge pull request #121914 from primeos/chromiumBeta
chromiumBeta: 91.0.4472.27 -> 91.0.4472.38
2021-05-06 16:03:59 +02:00
Jörg Thalheim
4e783a4cb7
Merge pull request #121724 from Izorkin/update-netdata
netdata: 1.29.3 -> 1.30.1
2021-05-06 14:58:33 +01:00
Michael Weiss
6f6ec9e6f0
chromiumBeta: 91.0.4472.27 -> 91.0.4472.38 2021-05-06 14:26:32 +02:00
Luke Granger-Brown
b418e17a4c
Merge pull request #120646 from dotlambda/qtwebengine-ffmpeg
libsForQt5.qtwebengine: use ffmpeg instead of ffmpeg_3
2021-05-06 12:57:17 +01:00
Robert Schütz
bda9e192dd
Merge pull request #120582 from dotlambda/ffmpeg_2-drop
ffmpeg_2: mark as insecure
2021-05-06 13:51:34 +02:00
Gabriel Ebner
46ecc3e1d3
Merge pull request #121845 from fortuneteller2k/fix-and-update-vieb
vieb: 3.4.0 -> 4.5.1
2021-05-06 13:49:17 +02:00
Robert Schütz
5b69bdf891
Merge pull request #121168 from dotlambda/djvulibre-3.5.28
djvulibre: 3.5.27 -> 3.5.28
2021-05-06 13:43:06 +02:00
Robert Schütz
30c3036793
Merge pull request #121151 from dotlambda/libdeltachat-init
libdeltachat: init at 1.54.0
2021-05-06 13:41:16 +02:00
Robert Schütz
688fee8b8a
pythonPackages.pgpy: 0.5.2 -> 0.5.4 (#121270)
https://github.com/SecurityInnovation/PGPy/releases/tag/v0.5.3
https://github.com/SecurityInnovation/PGPy/releases/tag/v0.5.4
2021-05-06 13:40:40 +02:00
Robert Hensing
e32d497623
Merge pull request #121899 from hercules-ci/update-elm-json
elmPackages.elm-json: 0.2.7 -> 0.2.10
2021-05-06 11:58:36 +02:00
Robert Hensing
89fffee73f openapi-generator-cli: 5.0.0 -> 5.1.0 2021-05-06 11:24:56 +02:00
Robert Hensing
377f9ca78d elmPackages.elm-json: 0.2.7 -> 0.2.10 2021-05-06 11:21:40 +02:00
Maximilian Bosch
a50b9e6c23
Merge pull request #113716 from Ma27/wpa_multiple
wpa_supplicant: allow both imperative and declarative networks
2021-05-06 11:01:35 +02:00
Maximilian Bosch
77b82f3535
Merge pull request #121875 from Infinisil/small-module-arg-optimization
lib/modules: Small optimization
2021-05-06 10:33:22 +02:00
fortuneteller2k
9802eed170 vieb: 3.4.0 -> 4.5.1 2021-05-06 16:23:09 +08:00
Maximilian Bosch
74c58a962b
Merge pull request #121877 from marsam/update-nodejs-16_x
nodejs-16_x: 16.0.0 -> 16.1.0
2021-05-06 10:06:26 +02:00
Mario Rodas
625842b8cf
terraform_0_15: 0.15.1 -> 0.15.2 (#121859)
https://github.com/hashicorp/terraform/releases/tag/v0.15.2
2021-05-06 10:00:22 +02:00
Fabian Affolter
882dd01186
Merge pull request #121879 from r-ryantm/auto-update/gitleaks
gitleaks: 7.4.1 -> 7.5.0
2021-05-06 09:42:35 +02:00
Raghav Sood
123db83348
Merge pull request #121882 from r-ryantm/auto-update/go-ethereum
go-ethereum: 1.10.2 -> 1.10.3
2021-05-06 13:14:41 +08:00
Raghav Sood
21f54d2478
Merge pull request #121876 from centromere/openethereum-3.2.5
openethereum: 3.2.4 -> 3.2.5
2021-05-06 13:14:28 +08:00
Anderson Torres
87a0e85736
Merge pull request #121799 from r-ryantm/auto-update/free42
free42: 3.0.2 -> 3.0.3
2021-05-06 01:40:04 -03:00
R. RyanTM
b334d0dc2b go-ethereum: 1.10.2 -> 1.10.3 2021-05-06 04:39:36 +00:00
Maciej Krüger
7155c11426
Merge pull request #121871 from otavio/topic/anydesk-6-1-1
anydesk: 6.1.0 -> 6.1.1
2021-05-06 06:36:35 +02:00
R. RyanTM
4f8435de76 gitleaks: 7.4.1 -> 7.5.0 2021-05-06 04:26:05 +00:00
Mario Rodas
ce0e20df34
Merge pull request #121347 from r-ryantm/auto-update/cargo-watch
cargo-watch: 7.6.1 -> 7.7.2
2021-05-05 23:12:08 -05:00
Mario Rodas
d4d3f29223
Merge pull request #121656 from r-ryantm/auto-update/kbs2
kbs2: 0.2.6 -> 0.3.0
2021-05-05 22:51:27 -05:00
Mario Rodas
a2a367dcfb
Merge pull request #121671 from r-ryantm/auto-update/breezy
breezy: 3.1.0 -> 3.2.0
2021-05-05 22:50:51 -05:00
Mario Rodas
101ab29b40
Merge pull request #121079 from r-ryantm/auto-update/dnsproxy
dnsproxy: 0.37.2 -> 0.37.3
2021-05-05 22:41:37 -05:00
Mario Rodas
a468d76fbd
Merge pull request #120999 from r-ryantm/auto-update/inter
inter: 3.15 -> 3.18
2021-05-05 22:40:55 -05:00
Mario Rodas
0d1d2c6510
Merge pull request #121363 from r-ryantm/auto-update/lefthook
lefthook: 0.7.3 -> 0.7.4
2021-05-05 22:27:56 -05:00
Mario Rodas
d0b013c5c3
Merge pull request #121681 from r-ryantm/auto-update/eksctl
eksctl: 0.46.0 -> 0.47.0
2021-05-05 22:27:02 -05:00
Alex Wied
f8c104d116 openethereum: 3.2.4 -> 3.2.5 2021-05-05 23:15:18 -04:00
Mario Rodas
425b825953
Merge pull request #121861 from marsam/update-lxc
lxc: 4.0.8 -> 4.0.9
2021-05-05 22:11:12 -05:00
Silvan Mosberger
98c77a0b2d lib/modules: Small optimization 2021-05-06 04:59:27 +02:00
Martin Weinelt
3bab9a19ad
home-assistant: 2021.4.6 -> 2021.5.0
https://www.home-assistant.io/blog/2021/05/05/release-20215/
2021-05-06 04:45:55 +02:00
Uri Baghin
a4026fb952
perceptualdiff: fix darwin support (#121646) 2021-05-05 22:36:08 -04:00
Otavio Salvador
fbf1c83c0b anydesk: 6.1.0 -> 6.1.1
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
2021-05-05 22:48:26 -03:00
Fabian Affolter
44078074fa python3Packages.zwave-js-server-python: 0.23.1 -> 0.24.0 2021-05-06 02:30:08 +02:00
happysalada
1374bfa2d3 sqlx-cli: fix darwin build 2021-05-06 08:29:37 +09:00
Robin Gloster
361bea3f00
Merge pull request #121828 from wlib/_1password-1.9.1
_1password: 1.8.0 -> 1.9.1
2021-05-05 17:39:48 -05:00
Robin Gloster
15182d1ab3
Merge pull request #121832 from ryantm/gluster-qemu
qemu_full: add glusterfs support
2021-05-05 17:37:33 -05:00
Robin Gloster
d0e41f05e2
Merge pull request #121833 from markuskowa/upd-ucx
ucx: 1.9.0 -> 1.10.0
2021-05-05 17:37:03 -05:00
Robin Gloster
22bed3c9ee
Merge pull request #121838 from nightmared/transmission-apparmor
nixos/transmission: add a missing apparmor rule
2021-05-05 17:33:28 -05:00