Commit graph

106748 commits

Author SHA1 Message Date
Joachim Fasting
ab4fa1cce4
tree-wide: prune some dead grsec leaves
The beginning of pruning grsecurity/PaX from the tree.
2017-04-30 12:05:41 +02:00
Joachim Fasting
8c98e8ca2f
nixos/hardened profile: use the linux_hardened kernel 2017-04-30 12:05:40 +02:00
Joachim Fasting
62f2a1c2be
linux_hardened: init
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
2017-04-30 12:05:39 +02:00
Joachim Fasting
6a5a5728ee
nixos/hardened profile: lock kernel modules 2017-04-30 12:05:38 +02:00
Joachim Fasting
878ad1ce6e
nixos: add option to lock kernel modules
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.

The rationale for this over simply setting the sysctl knob is to allow
some legitmate kernel module loading to occur; the naive solution breaks
too much to be useful.

The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session.  This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).

From an aestethic point of view, enabling this option helps make the
configuration more "declarative".

Closes https://github.com/NixOS/nixpkgs/pull/24681
2017-04-30 12:05:37 +02:00
Changlin Li
d6f602c247 RStudio: 0.98.110 -> 1.1.216
This fixes incompatibilities introduced by a new R version in
d16c38a260

It also fixes #25315 as a result.
2017-04-30 05:47:33 -04:00
Vladimír Čunát
7ee05dff30
Merge: efl: 1.18.x -> 1.19.0 (close #25095)
I used a setupHook instead of patching expressions for individual
reverse dependencies (four were broken).
2017-04-30 11:36:36 +02:00
Vladimír Čunát
18a7f7d4a5
efl: set $HOME for reverse dependencies 2017-04-30 11:35:59 +02:00
Vladimír Čunát
aa044dd105
efl: wrap the first line
It was >400 chars long!
2017-04-30 11:35:30 +02:00
Jörg Thalheim
fa5196e47e Merge pull request #25005 from Lassulus/copytoram
nixos/stage1: add copytoram support
2017-04-30 11:22:45 +02:00
Frederik Rietdijk
dce7ebbd9b pythonPackages.basemap: build wheel, fixes #24621 2017-04-30 10:37:04 +02:00
Frederik Rietdijk
a4aaf5adfd pyside: fix on Python 3.x, closes #25328
Pyside requires several tools that do not provide Python modules. They
therefore do not need to be build Python-version dependent and so we
move them out of `python-packages.nix`.

Furthermore, shiboken needs libxml2 and libxslt libraries but not their
Python bindings.
2017-04-30 10:33:19 +02:00
Michael Raskin
d729a25a3e Merge pull request #21321 from rardiol/worldengine
Worldengine
2017-04-30 10:28:40 +02:00
Alexey Lebedeff
4ae18e0463 apitrace: 7.1 -> git (#24829)
After upgrade `qapitrace` have working "Buffers" tab where the data
can be inspected (it was always empty before).

There is no tags after `7.1`, but I think that fixing pretty important
piece of functionality warrants an upgrade to current `master` tip.
2017-04-30 10:27:17 +02:00
Frederik Rietdijk
3425c37ac6 Merge pull request #25336 from matthewbauer/nix-bundle
nix-bundle: v0.1.1 -> v0.1.3
2017-04-30 09:58:18 +02:00
Benjamin Staffin
9827d5f95c
nixos: optional NetworkManager dnsmasq integration 2017-04-30 00:44:19 -07:00
Matthew Bauer
8b5854e260 nix-bundle: 0.1.2 -> 0.1.3 2017-04-30 02:23:31 -05:00
Peter Hoeg
03f939ebf7 kirigami2: 1.90.0 -> 2.1.0
Also use a generic builder.
2017-04-30 14:07:45 +08:00
Guillaume Maudoux
92f53af64d factorio-demo: init at 0.14.23 (#25265) 2017-04-30 02:51:07 +01:00
Shea Levy
99c28df9e5 hackage-packages.nix: automatic Haskell package set update
This update was generated by hackage2nix v2.1.1-8-g19ebdb9 from Hackage revision
3fcb79c182.
2017-04-29 21:31:34 -04:00
Michael Raskin
9031c35b6c julia_05: 0.5.0 -> 0.5.1 2017-04-30 01:13:44 +02:00
John Ericson
f71456ac24 Merge pull request #25301 from matthewbauer/impure-cross
impure.nix: add crossSystem as arg
2017-04-29 23:19:52 +01:00
Volth
f17a0fcdba xfce4-dockbarx-plugin: init at 0.5 2017-04-29 22:15:40 +00:00
Jan Malakhovski
48ec680ddb torbrowser: rename to tor-browser-bundle-bin 2017-04-30 00:08:21 +02:00
SLNOS
00a0b8a574 firefoxPackages: tor-browser: init at 6.5.2 2017-04-30 00:08:19 +02:00
Jan Malakhovski
2f35ab5960 firefoxPackages: implement privacySupport option 2017-04-30 00:08:18 +02:00
Jan Malakhovski
f0f572ff46 firefox: refactor into firefoxPackages, add more options 2017-04-30 00:08:16 +02:00
Jan Malakhovski
1d407173b0 firefox: rename default.nix -> common.nix 2017-04-30 00:08:16 +02:00
zraexy
563fa2c034 nvidia-x11: switch download urls to https 2017-04-29 13:19:04 -08:00
Michael Weiss
8c9b60a830 pykde4: Remove kde4.pykde4
This package is broken since 0a3b7f994e
(python-sip: 4.18.1 -> 4.19.1). Removing it seems reasonable since we're
dropping KDE4 anyway.

Fixes #24548.
2017-04-29 23:10:07 +02:00
Joachim F
f15dae36fe Merge pull request #25295 from mguentner/youtubedl_170428
youtube-dl: 2017.04.17 -> 2017.04.28
2017-04-29 22:06:50 +01:00
Matthew Bauer
5c7815a388
impure.nix: add crossSystem as arg 2017-04-29 15:22:33 -05:00
Michael Raskin
8e3ed32482 Merge pull request #25330 from DavidEGrayson/pr_staging_cmake
cmake: Prevent it from looking for packages in / when cross-compiling for Windows.
2017-04-29 20:03:39 +02:00
Volth
5e8ad49de8 do not create non-deterministic file (rsakeys.ini) in nixstore 2017-04-29 17:23:35 +00:00
Volth
965d0dab78 xrdp: 0.9.1 -> 0.9.2 2017-04-29 17:23:35 +00:00
volth
dad760061e xrdp: init at 0.9.1 2017-04-29 17:23:35 +00:00
Michael Weiss
852813689a desktop-managers: Use a black BG as fallback
Use a solid black background when no background image (via
~/.background-image) is provided. In my case this fixes the really
strange behaviour when i3 without a desktop manager starts with the SDDM
login screen as background image.
2017-04-29 19:03:30 +02:00
David Grayson
934ed02750 cmake: Prevent it from looking for packages in /
when cross-compiling for Windows.
2017-04-29 09:55:37 -07:00
Joachim Fasting
63433537ce
nixos/hardened profile: disable legacy virtual syscalls
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism.  Modern glibc use vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration.  Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.

For background on virtual syscalls see https://lwn.net/Articles/446528/

Closes https://github.com/NixOS/nixpkgs/pull/25289
2017-04-29 17:27:11 +02:00
Michael Raskin
f1c7d5a6ba gimpPlugins.resynthesizer2: fix build 2017-04-29 16:51:25 +02:00
Maximilian Bosch
b12f76ddd3 geogebra: 5-0-350-0 -> 5-0-355-0 (#25324) 2017-04-29 14:34:57 +01:00
Jörg Thalheim
e715283dca Merge pull request #25306 from NickHu/teamviewer
teamviewer: 12.0.71510 -> 12.0.76279
2017-04-29 15:26:36 +02:00
Michael Raskin
f44165f484 Merge pull request #25303 from tohl/master
sbcl updates
2017-04-29 13:31:14 +02:00
Michael Raskin
4a207b1dd8 gimpPlugins.resynthesizer: fix build 2017-04-29 12:41:31 +02:00
Michael Raskin
316d0ff7c7 libsamplerate: update license information (in effect since 0.1.9) 2017-04-29 12:34:11 +02:00
Michael Raskin
adadf7e5ce androidsdk: meta.url to meta.homepage 2017-04-29 12:26:16 +02:00
Franz Pletz
bd27594bc6
promtheus-node-exporter: 0.13.0 -> 0.14.0 2017-04-29 11:44:39 +02:00
Robin Gloster
154dacde20
grafana: 4.1.2 -> 4.2.0 2017-04-29 11:43:17 +02:00
Jörg Thalheim
ffdc1b0ab0 Merge pull request #25310 from jerith666/command-not-found-is-a-dir
fix 'command-not-found: is a directory' error
2017-04-29 11:41:22 +02:00
Robin Gloster
edb1ea055e
confluence module: needs bash for health checks 2017-04-29 11:15:59 +02:00