Commit Graph

1915 Commits

Author SHA1 Message Date
Joachim Fasting
886c03ad2e Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting
75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Rob Vermaas
91436641ec Fix hash for Debian 8.4 Jessie
(cherry picked from commit fd60751ce0)
2016-06-13 12:20:55 +00:00
zimbatm
a42b7faaec nix-prefetch-git: shellcheck fixes
Used shellcheck (https://github.com/koalaman/shellcheck) to validate
the script and fixed any resulting escaping and ambiguity issues.
2016-06-12 13:45:20 +01:00
Nikolay Amiantov
b341de88e9 Merge pull request #16030 from abbradar/fhs-refactor
Improvements for FHS user chrootenv
2016-06-11 21:04:20 +04:00
Kamil Chmielewski
7eb671ebcd no more goPackages 2016-06-09 13:08:00 +02:00
Nikolay Amiantov
3d8664ee42 buildFHSUserEnv: mark CHROOTENV_EXTRA_BINDS as discussed for deprecation 2016-06-07 14:22:38 +03:00
Nikolay Amiantov
3e90b00c10 buildFHSEnv: link 'bin' output 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
8d9e5d297d buildFHSEnv: don't link GCC compiler part 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
74107a7867 buildFHSEnv: refactor and simplify, drop buildFHSChrootEnv
This takes another approach at binding the FHS directory structure. We
now bind-mount the whole root filesystem to the directory "/host" in the target tree.
From there we symlink all the directories into the tree if they do not already
exist in the FHS structure.

This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main use case was
to add bound directories from the host to the sandbox, and we now just symlink
all of them. I plan to get some feedback on its usage and maybe deprecate it.

This also drops the old `buildFHSChrootEnv` infrastructure. The main problem with it
is that it's very difficult to unmount a recursively bound directory when the mount is not
sandboxed. This problem is a bug even without these changes -- if
you have, for example, `/home/alice` mounted somewhere, you wouldn't see
it in `buildFHSChrootEnv` now. With the new directory structure, it's
impossible to use a regular bind at all. After some wrestling with this I realized
that the fix would be brittle and dangerous (if you don't unmount everything
cleanly and proceed to removing the temporary directory, bye-bye fs!). It also
probably isn't worth it because I haven't heard of anyone actually using it
for a long time, and `buildFHSUserEnv` should cover most cases while being much
more maintainable and safe for the end user.
2016-06-07 04:06:35 +03:00
David Craven
c22f0c7474 Fix buildRustPackage edge cases
1. When multiple versions of the same package are required
   $revs is an array.
2. When cargo fetch is run it usually doesn't need a network
   connection. But when it does SSL_CERT_FILE isn't set.
2016-06-02 17:15:52 +02:00
Nikolay Amiantov
1b2139b3e2 buildFHSEnv: use separate gcc for 64- and 32-bit 2016-05-29 23:22:58 +03:00
Moritz Ulrich
d8b0618e6c buildRustPackage: Don't specify logLevel by default. 2016-05-28 15:05:11 +02:00
Moritz Ulrich
1e04865e87 buildRustPackage: Add log-level argument. 2016-05-28 15:05:11 +02:00
Vladimír Čunát
e4832c7541 Merge branch 'staging'
Includes a security update of libxml2.
2016-05-27 15:58:40 +02:00
Nikolay Amiantov
ebe1cbe0da symlinkJoin: allow arbitrary additional attributes 2016-05-27 13:42:22 +03:00
Vladimír Čunát
81039713fa Merge branch 'master' into staging
... to get the systemd update (rebuilding ~7k jobs).
2016-05-26 16:50:22 +02:00
Domen Kožar
56714859f4 add CentOS 7.1 2016-05-24 11:35:39 +01:00
Domen Kožar
7fc845aeb1 add OpenSuse 13.2
(cherry picked from commit 2cf5dcd99a)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-05-24 11:06:11 +01:00
Domen Kožar
ba0d4ecaf7 debian7: change hash due to 7.10 release
(cherry picked from commit 00df301ac2fd1818fa1f96debcee23dbb979834d)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-05-24 10:40:39 +01:00
Vladimír Čunát
0b192a0976 Merge branch 'master' into staging
That's to get mesa rebuild from master, as it's nontrivial.
2016-05-23 09:02:10 +02:00
Guillaume Maudoux
bfd522da63 setup-hooks: do not pass missing dirs to find (close #15405)
find fails when called with a nonexistent search path.
That situation may arise when the output is created afterwards by a postFixup hook.
vcunat amended the PR by clarifying one more `return` to `return 0`.
2016-05-22 12:08:01 +02:00
Nikolay Amiantov
ca38376566 buildFHSUserEnv: don't run bash in login mode for .env
Fixes https://github.com/NixOS/nixpkgs/issues/12406 for `.env`
2016-05-20 14:17:49 +03:00
Profpatsch
28f8ca560f debian-build: fix checkinstall invocation (#15538)
Checkinstall had two problems:
1. when it was called without a version (e.g. with a derivation created
by fetchFromGitHub) it would use `src` as debian version, which caused
dpkg to fail
2. when dpkg failed, it would invoke the pager with the log, which hangs
the build

So now
1. the default version is the dummy `0.0.0`
2. the used pager is `cat`
2016-05-19 09:41:10 +01:00
Domen Kožar
a01b6a0d07 fetchzip: improve error message 2016-05-17 17:32:53 +01:00
Vladimír Čunát
af364c0f77 fetchurl mirrors: fix gnupg URLs
Some mirrors were missing /gcrypt. Now they should be consistent.
Fixes 15510. Closes 15511.
2016-05-17 11:35:49 +02:00
Eelco Dolstra
a5fa7c25cb Merge pull request #15469 from NixOS/fetchgit
fetchgit: remove only .git folder
2016-05-16 16:44:55 +02:00
Domen Kožar
64a072e357 fetchgit: remove only .git
The source of this change goes back to 2009 and the original version of
fetchgit at 205fb0c87e.

The nondeterminism is really caused by changing .git so leave other
files alone as they might be interesting.

Note: this causes a hash mismatch with Hydra's version of Git Plugin
which we should fix to comply.
2016-05-15 00:24:04 +01:00
Thomas Tuegel
21efdd8003 Merge pull request #15420 from samuelrivas/emacs-wrapper
emacs: hide wrapper dependencies
2016-05-13 11:58:24 -05:00
Samuel Rivas
67394f9152 emacs: hide wrapper dependencies
Move all the dependencies to their own derivation, so that we don't publish all
of them if the wrapper is installed in a profile.

The previous solution just moved them to a custom directory to avoid conflicts;
this refactors that and completely hides them, while preserving the desired
improvement of adding only one directory to each of the emacs search paths.
2016-05-12 22:43:30 +02:00
Vladimír Čunát
6c2fbfbd77 Merge branch 'master' into staging 2016-05-12 04:53:38 +02:00
Carles Pagès
e7ab828da1 makeImageFromDebDist: accept additional parameters for vm, as in rpm version. 2016-05-11 15:43:24 +02:00
Joachim Fasting
d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Eelco Dolstra
cb37ab146b Add mirror://mozilla scheme 2016-05-09 19:37:22 +02:00
Vladimír Čunát
65a9fa8cdc Merge branch 'master' into staging 2016-05-08 21:24:48 +02:00
zimbatm
4ba7767d91 Merge pull request #14722 from puffnfresh/bug/dockertools-postmount
dockerTools: only add "/nix" if it exists
2016-05-06 17:40:23 +01:00
Joachim Fasting
50d915c758
grsecurity: optionally disable features for redistributed kernels 2016-05-06 16:37:25 +02:00
Vladimír Čunát
1dc36904d8 Merge #14920: windows improvements, mainly mingw 2016-05-05 08:30:19 +02:00
Vladimír Čunát
7a005601d4 Merge branch 'master' to resolve conflicts 2016-05-05 08:25:38 +02:00
Vladimír Čunát
2cbb7bf9d1 cc-wrapper: add -B flag with cc.lib
This fixes `gcc --print-file-name=libstdc++.so`
and thus it should fix #14967.
2016-05-04 14:23:54 +02:00
Peter Simons
397c75aeb4 Revert "Just strip everything by default"
This reverts commit 2362891dc8. The patch
is broken. :-(
2016-05-04 13:40:53 +02:00
Joachim Fasting
da767356f2
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 03:53:24 +02:00
Tuomas Tynkkynen
aadaa91379 Merge remote-tracking branch 'upstream/master' into staging
Conflicts:
	pkgs/applications/networking/browsers/vivaldi/default.nix
	pkgs/misc/emulators/wine/base.nix
2016-05-03 23:12:48 +03:00
Guillaume Maudoux
2362891dc8 Just strip everything by default
Run strip of each file and discard expected failure types.
Also default to stripping the entire output.
2016-05-03 11:04:34 +02:00
Joachim Fasting
39db90eaf6
grsecurity: simplify preConfigure 2016-05-02 11:28:06 +02:00
Joachim Fasting
a69501a936
grsecurity: ensure that PaX ELF markings are enabled
The upstream default is to enable only xattr markings, breaking the
paxmarks facility.
2016-05-02 11:28:06 +02:00
Maxim Ivanov
dea920bfdc Remove obsolete scatter output hook
There are no users of it in the main tree, and the recent merge
of the multiple-outputs branch makes it obsolete for private trees
too.

At the time the hook was created, the recently merged multiple-outputs
branch was relying on passing flags to autotools to split
outputs, which obviously wasn't working for other build systems.

Scatter output took a different approach, where files were
moved out of the build tree based on known paths, which is more
or less what the current multiple-outputs.sh hook is able to do too.
2016-04-30 22:05:33 +01:00
Domen Kožar
8a3b70791c vmTools.diskImages: add ubuntu 16.04 2016-04-29 11:50:27 +01:00
Tuomas Tynkkynen
4ff8f377af Merge remote-tracking branch 'upstream/master' into staging 2016-04-28 00:13:53 +03:00
Nikolay Amiantov
f6eb686222 Merge pull request #15002 from abbradar/symlink-join-wrappers
Use symlinkJoin for wrappers
2016-04-26 16:47:43 +04:00