linux-4.13: mark as insecure (+required generic changes)

extraMeta was being fed as passthru without being processed by stdenv,
so without those changes, adding the security attribute would be useless.

pkgs/os-specific/linux/kernel/generic.nix

@@ -118,7 +118,7 @@ let
   };
 
   kernel = buildLinux {
-    inherit version modDirVersion src kernelPatches stdenv;
+    inherit version modDirVersion src kernelPatches stdenv extraMeta;
 
     configfile = configfile.nativeDrv or configfile;
 
@@ -131,10 +131,7 @@ let
 
   passthru = {
     features = kernelFeatures;
-
-    meta = kernel.meta // extraMeta;
-
-    passthru = kernel.passthru // (removeAttrs passthru [ "passthru" "meta" ]);
+    passthru = kernel.passthru // (removeAttrs passthru [ "passthru" ]);
   };
 
   nativeDrv = lib.addPassthru kernel.nativeDrv passthru;

pkgs/os-specific/linux/kernel/linux-4.13.nix

@@ -4,6 +4,12 @@ import ./generic.nix (args // rec {
   version = "4.13.16";
   extraMeta.branch = "4.13";
 
+  # TODO: perhaps try being more concrete (ideally CVE numbers).
+  extraMeta.knownVulnerabilities = [
+    "ALSA: usb-audio: Fix potential out-of-bound access at parsing SU"
+    "eCryptfs: use after free in ecryptfs_release_messaging()"
+  ];
+
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
     sha256 = "0cf7prqzl1ajbgl98w0symdyn0k5wl5xaf1l5ldgy6l083yg69dh";

pkgs/os-specific/linux/kernel/manual-config.nix

@@ -39,6 +39,8 @@ in {
   config ? stdenv.lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
   # Cross-compiling config
   crossConfig ? if allowImportFromDerivation then (readConfig crossConfigfile) else config,
+  # Use defaultMeta // extraMeta
+  extraMeta ? {},
   # Whether to utilize the controversial import-from-derivation feature to parse the config
   allowImportFromDerivation ? false
 }:
@@ -228,7 +230,7 @@ let
           maintainers.thoughtpolice
         ];
         platforms = platforms.linux;
-      };
+      } // extraMeta;
     };
 in