jolheiser/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b2efe2babd
nixpkgs/pkgs/os-specific/linux/kernel/patches.nix

148 lines
4.0 KiB
Nix
Raw Normal View History

linux: Add patch to fix CVE-2016-5829 (#16824) Fixed for all available 4.x series kernels. From CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.
2016-07-12 18:56:50 +00:00
{ stdenv, fetchurl, fetchpatch, pkgs }:
* Use the kernel config generator for Linux 2.6.27. * Move kernel patches out of all-packages.nix to os-specific/linux/kernel/patches.nix. * Make the kernel config available under $out/config (it's also in $out/lib/modules/$version/build/.config, but that's kind of hard to find). svn path=/nixpkgs/branches/kernel-config/; revision=18937
2009-12-14 15:28:55 +00:00
let
Adding tuxonice for some recent kernels. svn path=/nixpkgs/trunk/; revision=26447
2011-03-21 15:53:22 +00:00
makeTuxonicePatch = { version, kernelVersion, sha256,
TuxOnIce: Add a 3.10 linux kernel with the TuxOnIce hibernation patch
2013-11-19 20:36:55 +00:00
url ? "http://tuxonice.nigelcunningham.com.au/downloads/all/tuxonice-for-linux-${kernelVersion}-${version}.patch.bz2" }:
Adding tuxonice for some recent kernels. svn path=/nixpkgs/trunk/; revision=26447
2011-03-21 15:53:22 +00:00
{ name = "tuxonice-${kernelVersion}";
patch = stdenv.mkDerivation {
name = "tuxonice-${version}-for-${kernelVersion}.patch";
src = fetchurl {
inherit url sha256;
};
phases = [ "installPhase" ];
installPhase = ''
source $stdenv/setup
bunzip2 -c $src > $out
'';
};
};
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 22:04:56 +00:00
grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha256 }: rec {
name = "grsecurity-${grver}-${kver}-${grrev}";
# Pass these along to allow the caller to determine compatibility
inherit grver kver grrev;
patch = fetchurl {
kernelPatches.grsecurity: 4.5.4-201605122039 -> 4.5.4-201605131918 Also revert to using the grsecurity-scrape mirror; relying on upstream just isn't viable. Lately, updates have been so frequent that a new version is released before Hydra even gets around to building the previous one.
2016-05-14 03:05:08 +00:00
# When updating versions/hashes, ALWAYS use the official version; we use
# this mirror only because upstream removes sources files immediately upon
# releasing a new version ...
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 22:04:56 +00:00
url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch";
inherit sha256;
AppArmor: add a sample patched kernel.
2013-05-11 05:44:30 +00:00
};
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 22:04:56 +00:00
};
* Use the kernel config generator for Linux 2.6.27. * Move kernel patches out of all-packages.nix to os-specific/linux/kernel/patches.nix. * Make the kernel config available under $out/config (it's also in $out/lib/modules/$version/build/.config, but that's kind of hard to find). svn path=/nixpkgs/branches/kernel-config/; revision=18937
2009-12-14 15:28:55 +00:00
in
Suffixed cifs timeout patch with kernel version. Currently suffixed with 2.6.32. This pre-patch prepares the landing of several versions of this patch to support other Linux kernel versions. svn path=/nixpkgs/trunk/; revision=27709
2011-07-11 13:59:40 +00:00
rec {
* Use the kernel config generator for Linux 2.6.27. * Move kernel patches out of all-packages.nix to os-specific/linux/kernel/patches.nix. * Make the kernel config available under $out/config (it's also in $out/lib/modules/$version/build/.config, but that's kind of hard to find). svn path=/nixpkgs/branches/kernel-config/; revision=18937
2009-12-14 15:28:55 +00:00
kernel: fix build of 3.10 and 3.12 on i686 (cherry picked from commit 23730413fef4be7fe365f452fcaef16c5f4e4b1b) Signed-off-by: Domen Kožar <domen@dev.si>
2016-03-25 09:50:08 +00:00
link_lguest =
{ name = "gcc5-link-lguest";
patch = ./gcc5-link-lguest.patch;
};
link_apm =
{ name = "gcc5-link-apm";
patch = ./gcc5-link-apm.patch;
};
kernel: Fix path to stp bridge helper
2015-01-13 23:49:14 +00:00
bridge_stp_helper =
{ name = "bridge-stp-helper";
patch = ./bridge-stp-helper.patch;
};
* Apply a patch that is apparently required to make the kernel work properly on Amazon EC2. * Always apply the CIFS timeout patch. It's rather annoying to have to build a separate kernel for the VM tests. svn path=/nixpkgs/trunk/; revision=22630
2010-07-18 21:10:46 +00:00
no_xsave =
{ name = "no-xsave";
Linux no-xsave.patch: commit patch into Nixpkgs since fetchurl no longer works Patch submitted by Jan Malakhovski <oxij@oxij.org>.
2012-07-02 14:16:27 +00:00
patch = ./no-xsave.patch;
* Apply a patch that is apparently required to make the kernel work properly on Amazon EC2. * Always apply the CIFS timeout patch. It's rather annoying to have to build a separate kernel for the VM tests. svn path=/nixpkgs/trunk/; revision=22630
2010-07-18 21:10:46 +00:00
features.noXsave = true;
* In the VM tests, apply a patch to increase the 15s timeout on CIFS operations to 120s. This is necessary if the host is heavily loaded. For instance, in the Hydra build farm, if there are many concurrent jobs, VM builds often fail because they hit the timeout. svn path=/nixpkgs/trunk/; revision=22347
2010-06-20 20:52:08 +00:00
};
* Ensure that the dell-bluetooth device does not stay in the "hard blocked" state. svn path=/nixpkgs/branches/x-updates/; revision=22730
2010-07-25 12:15:59 +00:00
Adding two kernel patches for mips, that make the life easier on loongson2f (less sigill, less sigbus). Related to bad handling of FPU instructions. I apply them only to linux 3.4, although I think they can apply to many older kernels too. svn path=/nixpkgs/trunk/; revision=34522
2012-06-16 10:49:03 +00:00
mips_fpureg_emu =
{ name = "mips-fpureg-emulation";
patch = ./mips-fpureg-emulation.patch;
};
mips_fpu_sigill =
{ name = "mips-fpu-sigill";
patch = ./mips-fpu-sigill.patch;
};
mips linux: Adding a patch to fix an ext3 bug in 3.5 and 3.6 I made it apply to all Mips, although the bug works only for n32 and o32 ABIs. We don't support any n64 by now.
2012-11-05 23:16:13 +00:00
mips_ext3_n32 =
{ name = "mips-ext3-n32";
patch = ./mips-ext3-n32.patch;
};
fan-networking: updated patches from Ubuntu This pulls in updated Fan Networking patches from Ubuntu. (https://wiki.ubuntu.com/FanNetworking) closes #14328
2016-04-09 23:36:02 +00:00
ubuntu_fan_4_4 =
nixos: add support for Ubuntu Fan Networking This provides support for Ubuntu Fan Networking [1]. This includes: * The fanctl package, and a corresponding NixOS service. * iproute patches. * kernel patches. closes #9188 1: https://wiki.ubuntu.com/FanNetworking
2015-08-09 23:13:40 +00:00
{ name = "ubuntu-fan";
fan-networking: updated patches from Ubuntu This pulls in updated Fan Networking patches from Ubuntu. (https://wiki.ubuntu.com/FanNetworking) closes #14328
2016-04-09 23:36:02 +00:00
patch = ./ubuntu-fan-4.4.patch;
nixos: add support for Ubuntu Fan Networking This provides support for Ubuntu Fan Networking [1]. This includes: * The fanctl package, and a corresponding NixOS service. * iproute patches. * kernel patches. closes #9188 1: https://wiki.ubuntu.com/FanNetworking
2015-08-09 23:13:40 +00:00
};
Unprivileged overlayfs mounts kernel patch from ubuntu This allows to create overlayfs mounts by unprivileged containers (i.e. in user and mount namespace). It's super-useful for containers. The patch is trivial as I understand from the patch description it's does not have security implications (on top of what user namespaces already have). And it's enabled in ubuntu long time ago. Here is a proof: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1357025
2015-09-25 21:42:16 +00:00
ubuntu_unprivileged_overlayfs =
{ name = "ubuntu-unprivileged-overlayfs";
patch = ./ubuntu-unprivileged-overlayfs.patch;
};
TuxOnIce: Add a 3.10 linux kernel with the TuxOnIce hibernation patch
2013-11-19 20:36:55 +00:00
tuxonice_3_10 = makeTuxonicePatch {
version = "2013-11-07";
kernelVersion = "3.10.18";
sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
};
grsecurity: remove expressions for unsupported versions Retain top-level attributes for now but consolidate compatibility attributes. Part of ongoing cleanup, doing it all at once is infeasible.
2016-05-15 19:36:24 +00:00
grsecurity_3_14 = throw "grsecurity stable is no longer supported";
Add linux 3.2.48 with grsecurity patches
2013-07-22 19:44:31 +00:00
grsecurity: remove expressions for unsupported versions Retain top-level attributes for now but consolidate compatibility attributes. Part of ongoing cleanup, doing it all at once is infeasible.
2016-05-15 19:36:24 +00:00
grsecurity_4_4 = throw "grsecurity stable is no longer supported";
grsecurity: Fix module loading during boot due to path restrictions
2013-11-26 22:08:51 +00:00
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 22:04:56 +00:00
grsecurity_testing = grsecPatch
grsecurity: 4.6.4-201607242014 -> 4.6.5-201607272152
2016-07-28 22:22:56 +00:00
{ kver = "4.6.5";
grsecurity: 4.6.5-201607272152 -> 4.6.5-201607312210
2016-08-01 10:46:48 +00:00
grrev = "201607312210";
sha256 = "17dnp6w092kvqxqxbdgjpl4mrsn2wkb7z8q5d8ck7dfanpmqap0w";
linuxPackages_grsec_4_5: init at 3.1-4.5.2-201604290633
2016-05-02 05:06:36 +00:00
};
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 22:04:56 +00:00
# This patch relaxes grsec constraints on the location of usermode helpers,
# e.g., modprobe, to allow calling into the Nix store.
grsecurity_nixos_kmod =
{
name = "grsecurity-nixos-kmod";
patch = ./grsecurity-nixos-kmod.patch;
linuxPackages_grsec_4_5: init at 3.1-4.5.2-201604290633
2016-05-02 05:06:36 +00:00
};
linux_3_{10,12,14}: fix upstream regression, fixes #6231 Some modules wouldn't load crc32c dependency due to module renaming.
2015-02-10 12:45:20 +00:00
crc_regression =
{ name = "crc-backport-regression";
patch = ./crc-regression.patch;
};
kernel: add patch to fix btrfs deadlocks to affected kernels
2015-04-08 12:13:42 +00:00
linux_chromiumos_3_18: init at 3.18.0 Co-authored-by: Nikolay Amiantov <ab@fmap.me>
2016-01-10 19:07:45 +00:00
genksyms_fix_segfault =
{ name = "genksyms-fix-segfault";
patch = ./genksyms-fix-segfault.patch;
};
linux_chromiumos_3_14: init at 3.14.0 Co-authored-by: Nikolay Amiantov <ab@fmap.me>
2016-01-10 19:10:11 +00:00
chromiumos_Kconfig_fix_entries_3_14 =
{ name = "Kconfig_fix_entries_3_14";
patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.14.patch;
};
linux_chromiumos_3_18: init at 3.18.0 Co-authored-by: Nikolay Amiantov <ab@fmap.me>
2016-01-10 19:07:45 +00:00
chromiumos_Kconfig_fix_entries_3_18 =
{ name = "Kconfig_fix_entries_3_18";
patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.18.patch;
};
chromiumos_no_link_restrictions =
{ name = "chromium-no-link-restrictions";
patch = ./chromiumos-patches/no-link-restrictions.patch;
};
linux_chromiumos_3_14: init at 3.14.0 Co-authored-by: Nikolay Amiantov <ab@fmap.me>
2016-01-10 19:10:11 +00:00
chromiumos_mfd_fix_dependency =
{ name = "mfd_fix_dependency";
patch = ./chromiumos-patches/mfd-fix-dependency.patch;
};
linux: Add patch to fix CVE-2016-5829 (#16824) Fixed for all available 4.x series kernels. From CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.
2016-07-12 18:56:50 +00:00
hiddev_CVE_2016_5829 =
{ name = "hiddev_CVE_2016_5829";
patch = fetchpatch {
url = "https://sources.debian.net/data/main/l/linux/4.6.3-1/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch";
sha256 = "14rm1qr87p7a5prz8g5fwbpxzdp3ighj095x8rvhm8csm20wspyy";
};
};
* Use the kernel config generator for Linux 2.6.27. * Move kernel patches out of all-packages.nix to os-specific/linux/kernel/patches.nix. * Make the kernel config available under $out/config (it's also in $out/lib/modules/$version/build/.config, but that's kind of hard to find). svn path=/nixpkgs/branches/kernel-config/; revision=18937
2009-12-14 15:28:55 +00:00
}
Reference in New Issue Copy Permalink