The 1.75 patch can't be fetched, because it doesn't apply. But git
can apply it cleanly, so it must just need to do a three-way merge or
something. Regardless, we need to include a version that patch(1) can
apply in Nixpkgs.
This applies the patch for CVE-2023-32233 from kernel 4.19 until 6.3,
testing (6.4-rc1 at the moment) is excluded because it already have the
fix and 4.14 doesn't have this fix queued for the next stable kernel.
Until now we merged kernel updates even if no hardened versions were
available yet. On one hand we don't want to delay patch-level updates,
on the other hand users of hardened kernels have frequent breakage now[1].
This change aims to provide a solution this issue:
* The hardened patchset now references the kernel version it's released
for (including a sha256 hash for the fixed-output path of the source
tarball).
* The `hardenedKernelFor`-function doesn't just append hardened patches
now, but also overrides version & src to match the kernel version the
patch was built & tested for.
Refs #140281
[1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all
Ports an OpenWRT patch for Atheros wireless drivers (ath*) which allows
the user to change the regulatory domain code to the one which actually
applies.
All Atheros devices have a regulatory domain burned into their EEPROM.
When using a device as AP, this domain is frequently overly restrictive
when compared to the regulation which applies in the country the device
actually operates in; often, this restriction disallows IR on all
channels making it impossible to use the device as an AP at all.
This commit introduces the NixOS config option
networking.wireless.athUserRegulatoryDomain which, if enabled, applies
the patch and sets the kernel config option ATH_USER_REGD.
The original OpenWRT patch targets Linux 5.8.
This will avoid breaking the build whenever a non-major kernel update
happens. In the update script, we map each kernel version to the latest
patch for the latest kernel version less than or equal to what we
have packaged.
This is an updated version of the former upstream,
https://github.com/AndroidHardeningArchive/linux-hardened, and provides
a minimal set of additional hardening patches on top of upstream.
The patch already incorporates many of our hardened profile defaults,
and releases are timely (Linux 5.5.15 and 5.6.2 were released on
2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
2020-04-04 respectively).
In 5.0er these function were removed from the public interface also zfs needs
them for AVX/AES-NI support. Without this patch for example throughput on a
encrypted zfs dataset drops to 200 MB/s from 1.2 GB/s. These functions were
removed as their was no user within the linux kernel tree itself.
This reverts commit de86af48faa03a824917ac90f4776481c7ce9e54.
(Manual revert due to conflicts.)
See #54509
The patch is causing overlayfs to misbehave.
