84c0098117
This allows to create overlayfs mounts by unprivileged containers (i.e. in user and mount namespace). It's super-useful for containers. The patch is trivial as I understand from the patch description it's does not have security implications (on top of what user namespaces already have). And it's enabled in ubuntu long time ago. Here is a proof: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1357025
106 lines
2.5 KiB
Nix
106 lines
2.5 KiB
Nix
{ stdenv, fetchurl }:
|
|
|
|
let
|
|
|
|
makeTuxonicePatch = { version, kernelVersion, sha256,
|
|
url ? "http://tuxonice.nigelcunningham.com.au/downloads/all/tuxonice-for-linux-${kernelVersion}-${version}.patch.bz2" }:
|
|
{ name = "tuxonice-${kernelVersion}";
|
|
patch = stdenv.mkDerivation {
|
|
name = "tuxonice-${version}-for-${kernelVersion}.patch";
|
|
src = fetchurl {
|
|
inherit url sha256;
|
|
};
|
|
phases = [ "installPhase" ];
|
|
installPhase = ''
|
|
source $stdenv/setup
|
|
bunzip2 -c $src > $out
|
|
'';
|
|
};
|
|
};
|
|
|
|
grsecPatch = { grversion ? "3.1", kversion, revision, branch, sha256 }:
|
|
{ name = "grsecurity-${grversion}-${kversion}";
|
|
inherit grversion kversion revision;
|
|
patch = fetchurl {
|
|
url = "http://grsecurity.net/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch";
|
|
inherit sha256;
|
|
};
|
|
features.grsecurity = true;
|
|
};
|
|
|
|
in
|
|
|
|
rec {
|
|
|
|
bridge_stp_helper =
|
|
{ name = "bridge-stp-helper";
|
|
patch = ./bridge-stp-helper.patch;
|
|
};
|
|
|
|
no_xsave =
|
|
{ name = "no-xsave";
|
|
patch = ./no-xsave.patch;
|
|
features.noXsave = true;
|
|
};
|
|
|
|
mips_fpureg_emu =
|
|
{ name = "mips-fpureg-emulation";
|
|
patch = ./mips-fpureg-emulation.patch;
|
|
};
|
|
|
|
mips_fpu_sigill =
|
|
{ name = "mips-fpu-sigill";
|
|
patch = ./mips-fpu-sigill.patch;
|
|
};
|
|
|
|
mips_ext3_n32 =
|
|
{ name = "mips-ext3-n32";
|
|
patch = ./mips-ext3-n32.patch;
|
|
};
|
|
|
|
ubuntu_fan =
|
|
{ name = "ubuntu-fan";
|
|
patch = ./ubuntu-fan-3.patch;
|
|
};
|
|
|
|
ubuntu_fan_4 =
|
|
{ name = "ubuntu-fan";
|
|
patch = ./ubuntu-fan-4.patch;
|
|
};
|
|
|
|
ubuntu_unprivileged_overlayfs =
|
|
{ name = "ubuntu-unprivileged-overlayfs";
|
|
patch = ./ubuntu-unprivileged-overlayfs.patch;
|
|
};
|
|
|
|
tuxonice_3_10 = makeTuxonicePatch {
|
|
version = "2013-11-07";
|
|
kernelVersion = "3.10.18";
|
|
sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
|
|
};
|
|
|
|
grsecurity_stable = grsecPatch
|
|
{ kversion = "3.14.51";
|
|
revision = "201508181951";
|
|
branch = "stable";
|
|
sha256 = "1sp1gwa7ahzflq7ayb51bg52abrn5zx1hb3pff3axpjqq7vfai6f";
|
|
};
|
|
|
|
grsecurity_unstable = grsecPatch
|
|
{ kversion = "4.1.7";
|
|
revision = "201509131604";
|
|
branch = "test";
|
|
sha256 = "1frfyi1pkiqc3awri3sr7xv41qxc8m2kb1yhfvj6xkrwb9li2bki";
|
|
};
|
|
|
|
grsec_fix_path =
|
|
{ name = "grsec-fix-path";
|
|
patch = ./grsec-path.patch;
|
|
};
|
|
|
|
crc_regression =
|
|
{ name = "crc-backport-regression";
|
|
patch = ./crc-regression.patch;
|
|
};
|
|
|
|
}
|