This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
- mark llvm34 as broken on darwin (so it doesn't install by default with nix-env)
- don't use our gcc for llvm_34 (might fix the build)
- switch also clang default to 3.3 on darwin (llvm was before)
Lockdep doesn't *really* require the kernel package - just the kernel
sources. It's really a user-space tool just compiled from some portable
code within the kernel, nothing more.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
NB: This currently doesn't add a working musl-wrapper around musl-gcc to
allow it to work properly (musl has its own dynamic linker as well as
libc too which must be accounted for). But at the moment it builds fine,
and I plan on working more on it in the future. So lets get it
integrated and building on Hydra.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
There are two versions here because beginning with 1.6.0, Boolector has
a more restrictive, unfree license which disallows commercial use.
As a result, Boolector 1.5 is the default 'boolector' expression.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
- Vte, add gtk3 support, enable introspection, update to 0.35.90
- Spice-gtk, add gtk3 support
- gtk-vnc, add gtk3 support
- Add libvirt-glib (thanks @bjornfor)
- Add usbredir
- qemu, enable usbredir
- spice-gtk, enable usbredir
- virt-manager, update to 1.0.1
[Bjørn:
* Set namePrefix = "" to preserve package name "virt-manager"
(instead of "python2.7-virt-manager")
* Add dconf to GIO_EXTRA_MODULES to get persistent settings in
virt-manager. Without it:
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.
* Add ${gtk3}/share to XDG_DATA_DIRS to unbreak "Take Screenshot"
feature (fixes "Settings schema 'org.gtk.Settings.FileChooser' is not installed")
* gtk-vnc: don't pull "pkgs" attrset for optionalString, use stdenv.lib.optionalString instead.
]
Lockdep is the kernel's locking validation/debugging tool and has seen
heavy pro-active usage and development. In Linux 3.14, it's now
available directly to userspace for the same purpose. It comes with a
convenient utility to LD_PRELOAD a shared library for validation, or a
user-space API to link to directly.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
These are packages for precompiled ARM microcontroller compilers from
https://launchpad.net/gcc-arm-embedded.
[Bjørn: modify commit message (add paragraph).]
- Make dhcp work, use dhcpcd without udev in container
- Make login shell work, patch getty to not wait for /dev/tty0
- Make ssh work, sshd/pam do not start session
By default the jenkins server is executed under the user "jenkins". Which can be configured using
users.jenkins.* options. If a different user is requested by changing services.jenkins.user then
none of the users.jenkins options apply.
This patch does not include jenkins slave configuration. Some config options will probably change
when this is implemented.
Aspects like the user and environment are typically identical between slave and master. The service
configs are different. The design is for users.jenkins to cover the shared aspects while
services.jenkins and services.jenkins-slave cover the master and slave specific aspects,
respectively.
Another option would be to place everything under services.jenkins and have a config that selects
master vs slave.
Both branches have quite a lot in common, so it's time for a merge and
do the cleanups with respect to both implementations and also generalize
both implementations as much as possible.
This also closes#1876.
Conflicts:
pkgs/development/interpreters/lua-5/5.2.nix
pkgs/development/libraries/SDL/default.nix
pkgs/development/libraries/glew/default.nix
pkgs/top-level/all-packages.nix
At the moment, this includes only dyldinfo, dwarfdump and dsymutil, but
we'll see whether we need more of these utilities later.
Tho reason those are wrapped in cctools-port is because it is the
binutils used to cross-compile for Mac OS X.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This provides a port of Mac OS X's CoreFoundation and is needed if we
want to be able to run dsymutil using maloader.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Let's finally hook everything into the existing cross-building
infrastructure. We're using --with-sysroot instead of --with-headers
here, because the XCode SDK contains references to /usr/lib.
I've tried to patch those references, but unfortunately (at least with
install_name_tool) it isn't possible to change those refernces in stub
dylibs.
So after bugging @tpoechtrager with annoying questions (thanks again), I
think my initial approach (patching the SDK itself and/or regenerating
the dylib stubs) was way to complicated so I ended up with this
implementation.
Also, I've added a condition to binutilsCross to use cctools if the libc
is set to libSystem. This might need some cleanups someday, mainly to
figure out how to properly bridge cctools and binutils.
So, as an example on how to cross-compile GNU Hello to Darwin, you can
use something like this:
(import <nixpkgs> {
crossSystem = {
config = "x86_64-apple-darwin13";
arch = "x86_64";
libc = "libSystem";
platform = {};
};
}).hello.crossDrv
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This basically is binutils for Mac OS X, but ported to work on
(GNU/)Linux and FreeBSD.
And it's up-to-date as well! I'm mentioning this, because it was quite
hard to find a recent port of it and I just accidentally stumbled on it
while trying to do the port by myself.
So thanks to @tpoechtrager for doing this.
Also, I've added two more patches, which essentially are:
* ld-rpath-nonfinal:
This allows -rpath to be used for linking non-final builds, which
was allowed for earlier versions of cctools and got a check for
that in more recent versions.
* ld-ignore-rpath-link:
Ignores the -rpath-link option, because the cross-wrapper uses it
in different places. Unfortunately, the cctools linker doesn't
support it, so we might need to implement this later if it's
possible (I'm not a Mach-O man^H^H^Hexpert).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This package provides the SDK and standard library needed for
cross-compiling to Mac US X. We're using xpwn here to extract the DMG.
Also, this version (XCode 5.0.2) only contains the SDKs for version 10.9
and 10.8, so we might need to add requireFile directives for older
versions as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This really hase some nice utilities for coping with HFS+ and DMG
format. We're going to use it for extracting the xcode DMG, but it could
be used for more, even generating DMGs.
The reason I'm using the fork instead of the repository from
@planetbeing is thet the fork contains a few fixes, especially for
dealing with symlinks in HFS+ images.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I.e. append a suffix *before* the version, rather than after. So we
get "sqlite-interactive-3.8.0.2" instead of
"sqlite-3.8.0.2-interactive". The latter is broken since nix-env just
sees it the suffix as part of the version, so "nix-env -u" will
happily upgrade "sqlite-3.8.0.2-interactive" to "sqlite-3.9".