Commit graph

3020 commits

Author SHA1 Message Date
Rickard Nilsson
5db9287b7c rtkit: Update from 0.10 to 0.11 2014-04-21 23:22:10 +02:00
Ricardo M. Correia
5d5ca7b260 grsecurity: Update all patches
stable:  3.0-3.2.57-201404131252            -> 3.0-3.2.57-201404182109
test:    3.0-3.13.10-201404141717           -> 3.0-3.14.1-201404201132
vserver: 3.0-3.2.57-vs2.3.2.16-201404131253 -> 3.0-3.2.57-vs2.3.2.16-201404182110
2014-04-21 18:46:41 +02:00
aszlig
625d7b9043
Merge pull request #1928 from 'cross-win-osx'.
This includes a lot of fixes for cross-building to Windows and Mac OS X
and could possibly fix things even for non-cross-builds, like for
example OpenSSL on Windows.

The main reason for merging this in 14.04 already is that we already
have runInWindowsVM in master and it doesn't work until we actually
cross-build Cygwin's setup binary as the upstream version is a fast
moving target which gets _overwritten_ on every new release.

Conflicts:
	pkgs/top-level/all-packages.nix
2014-04-21 10:00:35 +02:00
Eelco Dolstra
4e8c2f0ff9 Merge branch 'systemd-update' 2014-04-20 19:31:01 +02:00
Eelco Dolstra
660d38e838 nvidia-x11: Update to 331.67 2014-04-18 21:50:00 +02:00
Eelco Dolstra
5da309fcaa linux: Enable SND_DYNAMIC_MINORS
This is necessary if you get:

  kernel: Too many HDMI devices
  kernel: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y
2014-04-18 21:50:00 +02:00
Eelco Dolstra
890d0cc3a5 firmware-linux-nonfree: Update to 0.41 2014-04-18 15:34:10 +02:00
Eelco Dolstra
7ea51b1c6c Enable kmod-static-nodes.service
This creates static device nodes such as /dev/fuse or
/dev/snd/seq. The kernel modules for these devices will be loaded on
demand when the device node is opened.
2014-04-17 14:35:05 +02:00
Eelco Dolstra
9594421617 kmod: Respect $MODULE_DIR in ‘kmod static-nodes’ 2014-04-17 13:52:30 +02:00
Eelco Dolstra
51a1e0a4a9 kmod: Update to 17 2014-04-17 13:46:48 +02:00
Eelco Dolstra
3f01caa89f linux: Enable transparent hugepages 2014-04-16 22:40:07 +02:00
Eelco Dolstra
2503e7e0c8 systemd: Apply patch to make container logins work again 2014-04-16 18:15:48 +02:00
Eelco Dolstra
c21ef84810 linux-pam: Update to 1.1.8 2014-04-16 16:44:05 +02:00
Eelco Dolstra
7438b95437 util-linux: Update to 2.24.1 2014-04-16 16:31:58 +02:00
Eelco Dolstra
c81565f6cf Remove hack for using upstream getty units
Also, enable the container-getty@ unit so that "machinectl login"
works.
2014-04-16 16:11:17 +02:00
Eelco Dolstra
19d4e40dfc systemd: Build on i686-linux 2014-04-16 15:25:37 +02:00
Eelco Dolstra
0ac322c7a0 systemd-nspawn: Fix starting NixOS containers 2014-04-16 11:34:34 +02:00
William A. Kennington III
171a58bcd6 cpupower: Add package to replace cpufrequtils 2014-04-16 01:09:57 +02:00
Eelco Dolstra
ee9c068b0c systemd: Update to 212
Note that systemd no longer depends on dbus, so we're rid of the
cyclic dependency problem between systemd and dbus.

This commit incorporates from wkennington's systemd branch
(203dcff45002a63f6be75c65f1017021318cc839,
1f842558a95947261ece66f707bfa24faf5a9d88).
2014-04-16 00:59:26 +02:00
Eelco Dolstra
07cb7451d9 lvm2: Update to 2.02.106 2014-04-15 18:02:07 +02:00
Eelco Dolstra
a37edbbb63 linux-headers: Add 3.14 2014-04-15 16:59:19 +02:00
Eelco Dolstra
0fc9f65ff2 linux-headers-2.6.28: Remove, no longer used 2014-04-15 16:50:29 +02:00
Peter Simons
e572b5c104 Merge pull request #2253 from jwiegley/watch
Add a recipe for installing "watch" from procps (#2227)
2014-04-15 16:12:27 +02:00
Austin Seipp
ba2f861f05 kernel: stable/longterm updates
- stable:   3.14    -> 3.14.1
 - longterm: 3.10.36 -> 3.10.37
 - longterm: 3.4.86  -> 3.4.86

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-14 19:46:39 -05:00
Ricardo M. Correia
1b113178ee grsecurity: Update test patch from 3.0-3.13.9-201404131254 -> 3.0-3.13.10-201404141717 2014-04-15 00:16:29 +02:00
Ricardo M. Correia
3a1c9a2945 linux: Update to 3.13.10 2014-04-15 00:16:29 +02:00
Eelco Dolstra
73b4b287bb linux: Don't use underscores in the timestamp 2014-04-14 21:06:04 +02:00
John Wiegley
7a59054dce Add a recipe for installing "watch" from procps (#2227) 2014-04-14 09:10:10 -05:00
Bjørn Forsman
1296372681 cifs-utils: update 6.2 -> 6.3
January 9, 2014: Release 6.3:
* fixes for various bugs turned up by Coverity
* clean unused cruft out of upcall binary
* add new pam_cifscreds PAM module for establishing NTLM creds on login
* https://lists.samba.org/archive/samba-technical/2014-January/097124.html
2014-04-13 22:56:21 +02:00
Bjørn Forsman
5e50b35a26 bluez5: remove unneeded libusb dependency
bluez >= 5.9 does not depend on libusb[1].

[1] http://www.bluez.org/release-of-bluez-5-9/
2014-04-13 22:46:47 +02:00
Austin Seipp
788d9a13fb grsecurity: stable/vserver/testing updates
- stable:  201404111812            -> 201404131252
 - vserver: vs2.3.2.16-201404111814 -> vs2.3.2.16-201404131253
 - testing: 201404111815            -> 201404131254

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-13 13:11:17 -05:00
Michael Raskin
e86e76e560 Adding sysdig system call tracer for Linux 2014-04-13 20:49:37 +04:00
Bjørn Forsman
d1f875c6af lttng project: update from 2.3.0 to 2.4.1
(And update liburcu to 0.8.4 according to release notes for lttng 2.4.x.)

In addition to new features and bug fixes, version 2.4.x is needed to build
against Linux 3.12 (our new stable kernel).
2014-04-13 10:47:16 +02:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Mathijs Kwik
5a3fa7f88f nvidia-x11: patch for kernel 3.14 support 2014-04-11 23:40:16 +02:00
Peter Simons
3c7f5870e3 Merge pull request #2197 from offlinehacker/pkgs/lxc/rootfs_fix
lxc: set rootfs path somewhere outside /nix/store
2014-04-10 12:34:08 +02:00
Mathijs Kwik
4219eb430d intel-microcode: upgrade to 20140122 2014-04-10 11:57:20 +02:00
Jaka Hudoklin
c7e94de91f lxc: set rootfs path somewhere outside /nix/store
This commit fixes lxc to eventually work
2014-04-10 11:46:06 +02:00
Ricardo M. Correia
5dfc6584a5 grsecurity: Update stable patch from 3.0-3.2.56-201404062126 -> 3.0-3.2.57-201404091758 2014-04-10 00:37:33 +02:00
Ricardo M. Correia
c50abd0e13 linux: Update to 3.2.57 2014-04-10 00:37:33 +02:00
Peter Simons
2cc462eb11 lxc: update from 1.0.1 to 1.0.3 2014-04-09 12:41:10 +02:00
Peter Simons
30aa995a42 busybox: update from 1.21.1 to 1.22.1 2014-04-09 12:41:10 +02:00
Austin Seipp
3ff158289a lockdep: refactor into non-kernel package
Lockdep doesn't *really* require the kernel package - just the kernel
sources. It's really a user-space tool just compiled from some portable
code within the kernel, nothing more.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-08 19:21:55 -05:00
Eelco Dolstra
2ba552fb2e Revert "Fix services.udisks.enable."
This reverts commit 02a30bea44,
necessary after reverting to udisks 1.0.4.

http://hydra.nixos.org/build/10194840
2014-04-08 13:28:24 +02:00
Austin Seipp
05ec851050 kernel: longterm updates
- longterm: 3.4.85  -> 3.4.86
 - longterm: 3.10.35 -> 3.10.36
 - longterm: 3.12.15 -> 3.12.17

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-07 13:56:50 -05:00
Austin Seipp
4dc15c087a musl: version 1.0.0
NB: This currently doesn't add a working musl-wrapper around musl-gcc to
allow it to work properly (musl has its own dynamic linker as well as
libc too which must be accounted for). But at the moment it builds fine,
and I plan on working more on it in the future. So lets get it
integrated and building on Hydra.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-07 10:31:31 -05:00
Ricardo M. Correia
807fad571a grsecurity: Update stable and test patches
stable: 3.0-3.2.56-201404012135 -> 3.0-3.2.56-201404062126
test:   3.0-3.13.8-201404011912 -> 3.0-3.13.9-201404062127
2014-04-07 15:31:12 +02:00
Ricardo M. Correia
c494289c12 linux: Update to 3.13.9 2014-04-07 15:31:12 +02:00
Eelco Dolstra
59ea2d7ba5 Apply patch for CVE-2014-0004 to udisks-1.0.4
(cherry picked from commit 3b1f9899618f81794ce8b88fe4eaa867e549eb06)
2014-04-07 13:22:12 +02:00
Eelco Dolstra
fa6b9baea9 Revert "udisks1: bump to fix CVE-2014-0004"
This reverts commit 0194a44d63c613065bb5c55d50470881c00563c2 because
it breaks udisks on 13.10 (e.g. running "udisks --enumerate" will
print "Unit udisks.service failed to load").

(cherry picked from commit d7daf1a47f0d3d759555a3f0a0f09398c69c6b28)
2014-04-07 13:22:12 +02:00