Commit graph

165224 commits

Author SHA1 Message Date
Joachim Fasting
3f1f443125
nixos/hardened profile: slab/slub hardening
slab_nomerge may reduce surface somewhat

slub_debug is used to enable additional sanity checks and "red zones" around
allocations to detect read/writes beyond the allocated area, as well as
poisoning to overwrite free'd data.

The cost is yet more memory fragmentation ...
2019-01-05 14:07:37 +01:00
Joachim Fasting
d62086e6fc
hardened-config: allow slub/slab free poisoning 2019-01-05 14:07:36 +01:00
Joachim Fasting
11840f5c70
hardened-config: explain HARDENED_USERCOPY_FALLBACK n 2019-01-05 14:07:36 +01:00
Joachim Fasting
dfd77a046d
hardened-config: ensure STRICT_KERNEL_RWX
This is y in the default config, but enable it explicitly here to catch
situations where it has been disabled (explicitly or implicitly).
2019-01-05 14:07:35 +01:00
Joachim Fasting
1801aad7b8
hardened-config: clarify MODIFY_LDT_SYSCALL
This likely never worked; MODIFY_LDT_SYSCALL depends on EXPERT; enabling
EXPERT however seems to introduce quite a few changes that would need to be
properly vetted.

The version guard is unnecessary, however, as this config has been supported
since 4.3.
2019-01-05 14:07:34 +01:00
Joachim Fasting
abc8ed3fca
hardened-config: clarify readonly LSM hooks config
SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE;
explicitly unsetting results in an error because the configfile builder fails
to detect that it has in fact been unset (reporting it as an unused option).
For now, leave WRITABLE_HOOKS as an "optional" config for documentation
purposes.
2019-01-05 14:07:33 +01:00
Joachim Fasting
c68e8b05f0
Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT"
This reverts commit 5dda1324be.

Presumably this was done to work around build errors or something but it
works fine now.
2019-01-05 14:07:21 +01:00
Jörg Thalheim
e36c93b3a0
Merge pull request #53408 from frlan/Update/Geany/1.34.1
Geany: 1.34 -> 1.34.1
2019-01-05 13:24:38 +01:00
Michael Raskin
3b152247ea weechatScripts.weechat-matrix-bridge: 2018-05-29 -> 2018-11-19 (HTTP/2 support fix) 2019-01-05 13:21:30 +01:00
taku0
17f4d415a2
thunderbird: 60.3.3 -> 60.4.0
Picked from PR #53437.  It runs fine for me.
2019-01-05 13:09:04 +01:00
Jörg Thalheim
8e95adcb75
Merge pull request #53439 from dywedir/gpxsee
gpxsee: 6.3 -> 7.1
2019-01-05 13:08:27 +01:00
Jörg Thalheim
38fa1ed0db
Merge pull request #53392 from xzfc/xpointerbarrier
xpointerbarrier: 17.11 -> 18.06
2019-01-05 13:03:53 +01:00
Jörg Thalheim
8832292ace
Merge pull request #52932 from ejpcmac/init-elixir_1_8
elixir_1_8: init at 1.8.0-rc.1
2019-01-05 12:59:33 +01:00
Jörg Thalheim
bf6aa78d0d
Merge pull request #52951 from Gerschtli/update/pdf2image
pythonPackages.pdf2image: 1.0.0 -> 1.3.1
2019-01-05 12:56:47 +01:00
Michael Raskin
fbd6ddadf1
Merge pull request #53434 from tohl/master
sbcl updated, tested on nixos x86_64
2019-01-05 11:48:23 +00:00
Jörg Thalheim
69d3eb6b6f
elixir: link to compatibility table 2019-01-05 12:39:23 +01:00
Jean-Philippe Cugnet
5cefef0d12
elixir_1_3: Remove since it is not supported anymore 2019-01-05 12:34:49 +01:00
Orivej Desh
8dddd6d4a1 clang-tools: override llvm version in all-packages 2019-01-05 11:19:37 +00:00
Tobias Happ
f94016eb84 pythonPackages.pdf2image: 1.0.0 -> 1.3.1 2019-01-05 10:56:50 +01:00
Vladyslav Mykhailichenko
f24d62c1e9
gpxsee: 6.3 -> 7.1 2019-01-05 11:44:07 +02:00
Samuel Dionne-Riel
c620278b63
Merge pull request #53435 from worldofpeace/systemd-logo
nixos/version: add LOGO to /etc/os-release
2019-01-05 00:30:21 -05:00
worldofpeace
21327795ce nixos/version: add LOGO to /etc/os-release 2019-01-05 00:03:39 -05:00
Tomas Hlavaty
2d9d6337f8 sbcl: 1.4.13 -> 1.4.15 2019-01-05 05:19:42 +01:00
John Ericson
1383670a83
Merge pull request #53029 from Ericson2314/windows-ce-arm
lib: Fix Mingw on 32-bit ARM
2019-01-04 20:27:35 -05:00
Michael Weiss
e7e18206dd
fuse: 2.9.8 -> 2.9.9 2019-01-05 02:26:02 +01:00
Dmitry Kalinkin
fb185ff859
Merge pull request #52835 from suhr/musescore
musescore: 2.3.2 -> 3.0
2019-01-04 20:20:34 -05:00
worldofpeace
678dda92a5 libcdr: drop boost159 compat fix 2019-01-04 19:49:05 -05:00
worldofpeace
2764297cc5 libcdr: disable werror is default
So this optional configure flag is unneeded.

See: 10211e95bb/NEWS (L5)
2019-01-04 19:49:05 -05:00
R. RyanTM
d211457188 libcdr: 0.1.4 -> 0.1.5
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/libcdr/versions
2019-01-04 19:49:05 -05:00
Dmitry Kalinkin
fc2a65308f
musescore: switch to QtWebEngine
Since version 3.0 it builds with QtWebEngine by default.
2019-01-04 19:43:23 -05:00
Elis Hirwing
eeb35be95d gitea: 1.6.2 -> 1.6.3
Changelog: https://github.com/go-gitea/gitea/releases/tag/v1.6.3
2019-01-04 19:38:40 -05:00
R. RyanTM
487cbfc563 python37Packages.node-semver: 0.5.1 -> 0.6.1
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-node-semver/versions
2019-01-04 17:43:19 -05:00
R. RyanTM
b69d3fae73 python37Packages.django_redis: 4.9.1 -> 4.10.0
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-django-redis/versions
2019-01-04 17:42:23 -05:00
R. RyanTM
e65eb19da5 plantuml: 1.2018.13 -> 1.2018.14
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/plantuml/versions
2019-01-04 17:41:15 -05:00
R. RyanTM
bb5ebed17f python37Packages.faker: 0.9.3 -> 1.0.1
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/python3.7-faker/versions
2019-01-04 17:36:39 -05:00
Joachim F
893c51bda8
Merge pull request #53369 from delroth/kernel-hardening
Re-add security features based on GCC plugins in 4.18+ hardened kernels
2019-01-04 21:49:53 +00:00
Alexey Shmalko
125befe16c
Merge pull request #52846 from clefru/fakeroot
fakeroot: Add sed dependency.
2019-01-04 23:36:13 +02:00
Pierre Bourdon
0f7ca26a48
kernel/hardened-config.nix: add STACKLEAK plugin on 4.20+ 2019-01-04 22:24:50 +01:00
Pierre Bourdon
9dc0d94896
kernel/hardened-config.nix: re-enable GCC plugins 2019-01-04 22:24:50 +01:00
Pierre Bourdon
c789f642f0
kernel/generic.nix: provide required dependencies for GCC plugins builds 2019-01-04 22:24:50 +01:00
Maximilian Bosch
da4c73045b
Merge pull request #53402 from geistesk/py-cbor-init
cbor: init at 1.0.0
2019-01-04 21:31:20 +01:00
John Ericson
3bf0e4efc7 lib: Fix Mingw on 32-bit ARM 2019-01-04 12:05:35 -05:00
Matthew Bauer
1a7d28e31f
Merge pull request #53201 from Izorkin/zsh-command-time
zsh-command-time: enable work with options customPkgs
2019-01-04 10:35:54 -06:00
Ryan Mulligan
5a7bc59b07
Merge pull request #53265 from r-ryantm/auto-update/osrm-backend
osrm-backend: 5.20.0 -> 5.21.0
2019-01-04 08:14:58 -08:00
Frank Lanitz
6acde26318 Geany: 1.34 -> 1.34.1 2019-01-04 16:58:22 +01:00
R. RyanTM
7ff3ccfa74 google-compute-engine: 20181023 -> 20181206 (#52894)
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/google-compute-engine/versions
2019-01-04 16:25:54 +01:00
Jörg Thalheim
7d75e31c52
Merge pull request #53316 from r-ryantm/auto-update/imagemagick
imagemagick7: 7.0.8-14 -> 7.0.8-22
2019-01-04 15:46:58 +01:00
Jörg Thalheim
8b19e04d12
Merge pull request #53330 from r-ryantm/auto-update/groonga
groonga: 8.0.9 -> 8.1.0
2019-01-04 15:46:29 +01:00
Jörg Thalheim
3a0945f339
Merge pull request #53400 from JakobBruenker/no-curses-idris
idris-modules/curses.nix: delete
2019-01-04 14:43:28 +01:00
Dominik Xaver Hörl
b7967e9dc4 dbus-broker: 13 -> 17 2019-01-04 14:36:30 +01:00