Joachim Fasting
77ed860114
linux_hardened: enable checks on scatter-gather tables
Recommended by kspp
2017-05-18 12:33:42 +02:00
Tim Steinbach
8eb302d6d7
Merge pull request #25792 from NeQuissimus/linux_4_12_rc1
linux-testing: 4.11-rc7 -> 4.12-rc1
2017-05-17 08:30:10 -04:00
Tuomas Tynkkynen
a35ec5dda6
linux_rpi: 1.20170303 -> 1.20170427
2017-05-15 11:14:59 +03:00
Tim Steinbach
336b044dcb
linux-testing: 4.11-rc7 -> 4.12-rc1
2017-05-14 22:03:14 -04:00
Tuomas Tynkkynen
ba585648e7
kernel: 4.9.27 -> 4.9.28
2017-05-15 01:28:01 +03:00
Tuomas Tynkkynen
8de08ff145
kernel: 4.4.67 -> 4.4.68
2017-05-15 01:27:50 +03:00
Tuomas Tynkkynen
c230aee121
kernel: 4.11 -> 4.11.1
2017-05-15 01:27:41 +03:00
Tuomas Tynkkynen
2f1e6c8686
kernel: 4.10.15 -> 4.10.16
2017-05-15 01:27:30 +03:00
Tim Steinbach
8584a16922
linux: 4.10.14 -> 4.10.15
2017-05-09 08:43:37 -04:00
Joachim Fasting
996b65cfba
linux_hardened: enable structleak plugin
A port of the PaX structleak plugin. Note that this version of structleak
seems to cover less ground than the PaX original (only marked structs are
zeroed). [1]
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c61f13eaa1ee17728c41370100d2d45c254ce76f
2017-05-09 01:38:26 +02:00
Joachim Fasting
1816e2b960
linux_hardened: BUG on struct validation failure
2017-05-09 01:38:24 +02:00
Joachim Fasting
a7ecdffc28
linux_hardened: move to 4.11
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
2017-05-09 01:38:22 +02:00
Joachim Fasting
42c58cd2e8
linux_hardened: compile with stackprotector-strong
Default is regular, which we need to unset for kconfig to accept the new
value.
2017-05-09 01:38:21 +02:00
Tim Steinbach
8c74ff6534
linux: 4.9.26 -> 4.9.27
2017-05-08 09:26:26 -04:00
Tim Steinbach
4e2c67ff76
linux: 4.4.66 -> 4.4.67
2017-05-08 09:23:52 -04:00
Joachim Fasting
a04d8532c2
linux: support using gcc plugins
Linux 4.8 onwards supports gcc plugins. This patch adds the build inputs
required to make use of gcc plugins to the generic kernel build
environment.
2017-05-06 19:47:27 +02:00
Tim Steinbach
2a38ecc055
linux: 4.10.13 -> 4.10.14
2017-05-03 20:46:48 -04:00
Tim Steinbach
6076843be3
linux: 4.9.25 -> 4.9.26
2017-05-03 20:44:09 -04:00
Tim Steinbach
af933bc7d3
linux: 4.4.65 -> 4.4.66
2017-05-03 20:41:46 -04:00
Tim Steinbach
b5169fd277
linux: Add cgroups patches for 4.9, 4.10, 4.11
2017-05-02 08:49:39 -04:00
Shea Levy
207a0af06a
Add linux 4.11
2017-05-01 19:04:45 -04:00
Michael Raskin
1cce0887ee
Merge branch 'master' into mptcp-v91.3
2017-05-01 00:43:08 +02:00
Tim Steinbach
0c4de3c0c9
linux: 4.4.64 -> 4.4.65
2017-04-30 08:58:44 -04:00
Joachim Fasting
ab4fa1cce4
tree-wide: prune some dead grsec leaves
The beginning of pruning grsecurity/PaX from the tree.
2017-04-30 12:05:41 +02:00
Joachim Fasting
62f2a1c2be
linux_hardened: init
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
2017-04-30 12:05:39 +02:00
Joachim Fasting
32b8512e54
grsecurity: discontinue support
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1]. Consequently, we can no longer
responsibly support grsecurity on NixOS.
This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother. For 17.09 all of it should
probably be pruned.
[1]: https://grsecurity.net/passing_the_baton.php
2017-04-28 12:35:15 +02:00
Tim Steinbach
7f3b857d0d
linux: 4.4.63 -> 4.4.64
2017-04-27 22:12:35 -04:00
Tim Steinbach
08c44a5cac
linux: 4.10.12 -> 4.10.13
2017-04-27 22:10:06 -04:00
Tim Steinbach
903fec9922
linux: 4.9.24 -> 4.9.25
2017-04-27 22:07:34 -04:00
Jason A. Donenfeld
b1750d699c
linux-chromiumos: remove 3.14
3.14 is no longer supported upstream by kernel.org and thus no longer
receives security patches. The git commit mentioned in this .nix isn't
even available in the linked repository --
https://chromium.googlesource.com/chromiumos/third_party/kernel -- so I
think this .nix might be dead anyway. Finally, it specifies 3.14.0,
which is so ridiculously old (the latest was 3.14.79) that nobody
develops for it.
Fixes: #25145
Supports: #25127
2017-04-23 15:47:46 +02:00
Joachim Fasting
9e6c96f8fc
grsecurity: 4.9.24-201704210851 -> 4.9.24-2201704220732
2017-04-22 16:37:24 +02:00
Joachim Fasting
05911da7bb
grsecurity: 4.9.23-201704181901 -> 4.9.24-201704210851
2017-04-21 15:09:32 +02:00
Tim Steinbach
7fb1b54cc1
linux: 4.4.62 -> 4.4.63
2017-04-21 08:03:43 -04:00
Tim Steinbach
1b3282d52d
linux: 4.10.11 -> 4.10.12
2017-04-21 08:01:22 -04:00
Tim Steinbach
4dda88c89d
linux: 4.9.23 -> 4.9.24
2017-04-21 07:58:45 -04:00
Joachim Fasting
9902d63e84
grsecurity: 4.9.22-201704120836 -> 4.9.23-201704181901
2017-04-20 00:21:41 +02:00
Tim Steinbach
7643c7c8cc
linux: 4.4.61 -> 4.4.62
2017-04-18 08:22:23 -04:00
Tim Steinbach
5283e644ce
linux: 4.10.10 -> 4.10.11
2017-04-18 08:20:40 -04:00
Tim Steinbach
1173fe0b49
linux: 4.9.22 -> 4.9.23
2017-04-18 08:15:48 -04:00
Tim Steinbach
5a7b029fa9
linux: 4.11-rc6 -> 4.11-rc7
2017-04-17 07:41:19 -04:00
Tuomas Tynkkynen
3ed0d7e2df
kernel-config: Explicitly enable CONFIG_NETFILTER
This is needed by the NixOS firewall, but isn't enabled by the ARM
defconfig nor by kernelAutoModules (as 'm' doesn't seem to be an option).
2017-04-14 20:43:50 +03:00
Joachim Fasting
3fa5605b41
grsecurity: 4.9.21-201704091948 -> 4.9.22-201704120836
2017-04-12 18:58:29 +02:00
Tim Steinbach
5f05792417
linux: 4.4.60 -> 4.4.61
2017-04-12 09:17:53 -04:00
Tim Steinbach
6860eedfd6
linux: 4.10.9 -> 4.10.10
2017-04-12 09:16:08 -04:00
Tim Steinbach
224a8f7358
linux: 4.9.21 -> 4.9.22
2017-04-12 09:13:56 -04:00
Tim Steinbach
205abc1fb6
linux: 4.11-rc5 -> 4.11-rc6
2017-04-10 08:34:23 -04:00
Joachim Fasting
7701cbca6b
grsecurity: 4.9.20-201703310823 -> 4.9.21-201704091948
2017-04-10 03:34:42 +02:00
Nikolay Amiantov
7099e8da83
linux: build with initrd support by default
We don't require initrd in some cases but still most boot sequences including ARM use it.
2017-04-09 22:46:07 +03:00
Nikolay Amiantov
c0e77dba0e
linux: add kernelPreferBuiltin platform option
This allows using kernelAutoModules but still compiling in any options that are set so in the template config.
It's helpful for ARM and maybe other platforms where default configurations are useful because they compile in
modules that we and udev cannot autodetect now.
2017-04-09 22:46:07 +03:00
Tim Steinbach
79f9544eca
linux: 4.4.59 -> 4.4.60
2017-04-08 08:04:54 -04:00