Previously, dolphin would build against vendored copies of the
libraries (shipped in source code form). This would result both
in a longer build (wxWidgets takes a while to build!) and in
bulkier binaries that wouldn't share libraries with others,
along with using fixed versions of curl and mbedtls which may
be left with unpatched security vulnerabilities.

It does however contain a copy of cherrypy that doesn't get installed,
which fails tests when it tries to import from cherrypy and gets imports
from the version provided by Nix (which is probably not the same one as
is having its tests run).

This test exercises the linux_hardened kernel along with the various
hardening features (enabled via the hardened profile).

Move hidepid test from misc, so that misc can go back to testing a vanilla
configuration.

The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.

Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.

The rationale for this over simply setting the sysctl knob is to allow
some legitimate kernel module loading to occur; the naive solution breaks
too much to be useful.

The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session. This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hdlc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).

From an aesthetic point of view, enabling this option helps make the
configuration more "declarative".

Closes https://github.com/NixOS/nixpkgs/pull/24681
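As an added illustration of the pattern the commit above describes (and not the module that was merged in that pull request), the following NixOS module shows how a declarative option can defer the `kernel.modules_disabled` sysctl until the units that legitimately load modules have finished. The option name `security.lockKernelModules` comes from the commit; the unit name `disable-kernel-module-loading` and the choice of `systemd-modules-load.service` and `systemd-udev-settle.service` as ordering dependencies are assumptions made for this example.

```nix
{ config, lib, ... }:

let
  cfg = config.security.lockKernelModules;
in
{
  options.security.lockKernelModules = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = ''
      Disable kernel module loading once the system has finished its
      normal initialization. Modules needed at boot are still loaded;
      nothing can be loaded afterwards, by root or otherwise, until the
      next boot.
    '';
  };

  config = lib.mkIf cfg {
    # Hypothetical unit name chosen for this example.
    systemd.services.disable-kernel-module-loading = {
      description = "Disable kernel module loading";

      # Pulled in by the normal multi-user boot target.
      wantedBy = [ "multi-user.target" ];

      # Run only after the units that do legitimate module loading have
      # settled; locking earlier is the "naive solution" that breaks boot.
      # (Assumed ordering for this example.)
      after = [
        "systemd-modules-load.service"
        "systemd-udev-settle.service"
      ];

      # Without a writable /proc/sys/kernel (e.g. inside some containers)
      # there is nothing to lock, so skip instead of failing the boot.
      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };

      # kernel.modules_disabled is one-way: once set to 1 it cannot be
      # cleared until reboot, which is exactly the property wanted here.
      script = ''
        echo -n 1 > /proc/sys/kernel/modules_disabled
      '';
    };
  };
}
```

After a boot with the option enabled, `sysctl kernel.modules_disabled` should report `1`, and any later `modprobe` attempt fails with an operation-not-permitted error; that failure in the journal is the expected signal of the lock working, not a fault to fix. Any module a service needs later in the boot session (for example a filesystem mounted on demand) must therefore be listed in `boot.kernelModules` so it is loaded before the lock takes effect.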

Pyside requires several tools that do not provide Python modules. They
therefore do not need to be built Python-version dependent and so we
move them out of `python-packages.nix`.

Furthermore, shiboken needs libxml2 and libxslt libraries but not their
Python bindings.