nixpkgs/pkgs/os-specific/linux/kernel/patches.nix
Emily 0d4f35efd4 linux_*_hardened: use linux-hardened patch set
This is an updated version of the former upstream,
https://github.com/AndroidHardeningArchive/linux-hardened, and provides
a minimal set of additional hardening patches on top of upstream.

The patch already incorporates many of our hardened profile defaults,
and releases are timely (Linux 5.5.15 and 5.6.2 were released on
2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
2020-04-04 respectively).
2020-04-17 16:13:39 +01:00


{ lib, fetchpatch, fetchurl }:

let
  # A patch carried in this directory. `name` is the label the kernel builder
  # reports; `patch` is the file it applies.
  fromFile = name: file: {
    inherit name;
    patch = file;
  };

  # A patch downloaded at build time. The download is pinned by `sha256`, so a
  # changed or tampered upstream file fails the hash check instead of being
  # applied silently.
  fromUrl = name: url: sha256: {
    inherit name;
    patch = fetchpatch {
      name = "${name}.patch";
      inherit url sha256;
    };
  };
in
{
  bridge_stp_helper = fromFile "bridge-stp-helper" ./bridge-stp-helper.patch;

  request_key_helper = fromFile "request-key-helper" ./request-key-helper.patch;

  request_key_helper_updated =
    fromFile "request-key-helper-updated" ./request-key-helper-updated.patch;

  p9_fixes = fromFile "p9-fixes" ./p9-fixes.patch;

  modinst_arg_list_too_long =
    fromFile "modinst-arglist-too-long" ./modinst-arg-list-too-long.patch;

  genksyms_fix_segfault =
    fromFile "genksyms-fix-segfault" ./genksyms-fix-segfault.patch;

  # Patch set maintained in a sibling directory.
  cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches;

  tag_hardened = fromFile "tag-hardened" ./tag-hardened.patch;

  # linux-hardened: one entry per kernel version, generated from
  # ./hardened-patches.json. Each JSON entry supplies `version_suffix`, `url`
  # and `sha256`; the attribute name is the kernel version the patch targets.
  hardened =
    let
      pinned = builtins.fromJSON (builtins.readFile ./hardened-patches.json);

      toPatch = kernelVersion: spec:
        let
          patchName = "linux-hardened-${kernelVersion}.${spec.version_suffix}";
        in {
          name = patchName;
          patch = fetchurl {
            name = "${patchName}.patch";
            url = spec.url;
            # Pinned hash: the fetch fails rather than applying unexpected content.
            sha256 = spec.sha256;
            meta.maintainers = [ lib.maintainers.emily ];
          };
        };
    in lib.mapAttrs toPatch pinned;

  # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
  iwlwifi_mvm_support_version_7_scan_req_umac_fw_command =
    fromUrl "iwlwifi_mvm_support_version_7_scan_req_umac_fw_command"
      "https://bugzilla.kernel.org/attachment.cgi?id=260597"
      "09096npxpgvlwdz3pb3m9brvxh7vy0xc9z9p8hh85xyczyzcsjhr";

  # https://github.com/NixOS/nixpkgs/issues/42755
  xen-netfront_fix_mismatched_rtnl_unlock =
    fromUrl "xen-netfront_fix_mismatched_rtnl_unlock"
      "https://github.com/torvalds/linux/commit/cb257783c2927b73614b20f915a91ff78aa6f3e8.patch"
      "0xhblx2j8wi3kpnfpgjjwlcwdry97ji2aaq54r3zirk5g5p72zs8";

  # https://github.com/NixOS/nixpkgs/issues/42755
  xen-netfront_update_features_after_registering_netdev =
    fromUrl "xen-netfront_update_features_after_registering_netdev"
      "https://github.com/torvalds/linux/commit/45c8184c1bed1ca8a7f02918552063a00b909bf5.patch"
      "1l8xq02rd7vakxg52xm9g4zng0ald866rpgm8kjlh88mwwyjkrwv";

  # Keyed by the kernel series the patch file was prepared against.
  export_kernel_fpu_functions = {
    "4.14" = fromFile "export_kernel_fpu_functions" ./export_kernel_fpu_functions_4_14.patch;
    "5.3" = fromFile "export_kernel_fpu_functions" ./export_kernel_fpu_functions_5_3.patch;
  };

  # patches from https://lkml.org/lkml/2019/7/15/1748
  mac_nvme_t2 = fromFile "mac_nvme_t2" ./mac-nvme-t2.patch;
}