nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-24 16:03:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
92,897 Commits 232 Branches 124 Tags 7.4 GiB
98e2b90cf3
Commit Graph

209 Commits

Author SHA1 Message Date
Rok Garbas
03b115f8e0 nixos/i3lock-color: added to pam 2016-05-15 07:47:31 +02:00
Joachim Fasting
d4d7bfe07b
grsecurity: add option to disable chroot caps restriction 
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
 2016-05-10 16:17:08 +02:00
Joachim Fasting
c5d1bff2b6
apparmor-suid module: fix libcap lib output reference 
After 7382afac40
 2016-05-07 21:48:29 +02:00
Joachim Fasting
da767356f2
grsecurity: support disabling TCP simultaneous connect 
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
 2016-05-04 03:53:24 +02:00
Joachim Fasting
60a27781d6
grsecurity module: fix grsec-lock unit ordering 
Requirement without ordering implies parallel execution; it is crucial
that sysctl tunables are finalized before the lock is engaged, however.
 2016-05-02 11:28:24 +02:00
Eelco Dolstra
0c5e837b66 acme.nix: Fix unit descriptions 
Unit descriptions should be capitalized, and timer units don't have
to describe that they're timers.
 2016-04-18 14:20:49 +02:00
Vladimír Čunát
39ebb01d6e Merge branch 'staging', containing closure-size #7701 2016-04-13 09:25:28 +02:00
Joachim Fasting
cef2814a4f nixos: add optional process information hiding 
This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner.  The module adds a static group "proc"
whose members are exempt from process information hiding.

Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.

To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.

Thanks to @abbradar for feedback and suggestions.
 2016-04-10 12:27:06 +02:00
Vladimír Čunát
710573ce6d Merge #12653: rework default outputs 2016-04-07 16:00:09 +02:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size 
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
 2016-04-01 10:06:01 +02:00
Vladimír Čunát
d6b46ecb30 Merge branch 'closure-size' into p/default-outputs 2016-03-14 11:27:15 +01:00
Domen Kožar
77ae55308c fix installer tests #13559 2016-03-12 20:19:40 +00:00
Vladimír Čunát
09af15654f Merge master into closure-size 
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
 2016-03-08 09:58:19 +01:00
tg(x)
be3bd972d5 grsecurity: add 4.1 kernel 2016-02-28 15:00:16 +01:00
tg(x)
38614d3f6a grsecurity: use kernel version instead of testing / stable 2016-02-28 04:10:59 +01:00
Leroy Hopson
24d5d28820 cacert: fix formatting of example 2016-02-27 22:25:39 +13:00
zimbatm
2c7e5a6d8e Merge pull request #13434 from spacefrogg/oath-module 
config.security.oath: new module
 2016-02-26 18:06:28 +00:00
tg(x)
629a89343e simp_le: external_pem.sh plugin is now called external.sh 2016-02-26 01:31:58 +01:00
Michael Raitza
d09c7986de config.security.oath: new module 
Add a module to make options to pam_oath module configurable.
These are:
 - enable - enable the OATH pam module
 - window - number of OTPs to check
 - digits - length of the OTP (adds support for two-factor auth)
 - usersFile - filename to store OATH credentials in
 2016-02-25 13:52:45 +00:00
Vladimír Čunát
e9520e81b3 Merge branch 'master' into staging 2016-02-17 10:06:31 +01:00
Vladimír Čunát
d039c87984 Merge branch 'master' into closure-size 2016-02-14 08:33:51 +01:00
Nikolay Amiantov
c420a6f1ef acme service: update plugins enum 2016-02-10 02:06:01 +03:00
Vladimír Čunát
ae74c356d9 Merge recent 'staging' into closure-size 
Let's get rid of those merge conflicts.
 2016-02-03 16:57:19 +01:00
Guillaume Maudoux
9f358f809d Configure a default trust store for openssl 2016-02-03 12:42:01 +01:00
Eelco Dolstra
bfebc7342e Fix some references to deprecated /etc/ssl/certs/ca-bundle.crt 2016-01-29 02:32:05 +01:00
Vladimír Čunát
ab8a691d05 nixos systemPackages: rework default outputs 
- Now `pkg.outputUnspecified = true` but this attribute is missing in
  every output, so we can recognize whether the user chose or not.
  If (s)he didn't choose, we put `pkg.bin or pkg.out or pkg` into
  `systemPackages`.
- `outputsToLink` is replaced by `extraOutputsToLink`.
  We add extra outputs *regardless* of whether the user chose anything.
  It's mainly meant for outputs with docs and debug symbols.
- Note that as a result, some libraries will disappear from system path.
 2016-01-28 11:24:18 +01:00
Eelco Dolstra
2352e2589e audit: Disable in containers 
This barfs:

Jan 18 12:46:32 machine 522i0x9l80z7gw56iahxjjsdjp0xi10q-audit-start[506]: The audit system is disabled
 2016-01-26 16:25:40 +01:00
Tuomas Tynkkynen
8707bf4a3c treewide: Mass replace 'libcap}/lib' to refer the 'out' output 2016-01-24 10:03:35 +02:00
Tuomas Tynkkynen
f412f5f3ee treewide: Mass replace 'attr}/lib' to refer the 'out' output 2016-01-24 10:03:32 +02:00
Vladimír Čunát
716aac2519 Merge branch 'staging' into closure-size 2016-01-19 09:55:31 +01:00
Domen Kožar
7fe7138968 nixos: fix acme service @abbradar 2016-01-12 11:50:34 +01:00
Nikolay Amiantov
f92cec4c1b nixos/acme: add allowKeysForGroup 2016-01-10 07:28:19 +03:00
Dan Peebles
63bfe20b72 security.audit: add NixOS module 
Part of the way towards #11864. We still don't have the auditd
userland logging daemon, but journald also tracks audit logs so we
can already use this.
 2016-01-07 03:06:10 +00:00
Vladimír Čunát
f9f6f41bff Merge branch 'master' into closure-size 
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
 2015-12-31 09:53:02 +01:00
Nikolay Amiantov
5250582396 nixos/acme: fix timer unit 2015-12-13 17:01:59 +03:00
Franz Pletz
1685b9d06e nixos/acme: Add module documentation 2015-12-12 16:06:53 +01:00
Franz Pletz
9374ddb895 nixos/acme: validMin & renewInterval aren't cert-specific 2015-12-12 16:06:53 +01:00
Franz Pletz
0517d59a66 nixos/acme: Improve documentation 2015-12-12 16:06:52 +01:00
Franz Pletz
de24b00d41 nixos/simp_le: Rename to security.acme 2015-12-12 16:06:52 +01:00
Luca Bruno
31ed92f65f Fix system-path with multiout 2015-12-01 15:09:41 +01:00
Luca Bruno
920b1d3591 Merge branch 'master' into closure-size 2015-11-29 16:50:26 +01:00
Luca Bruno
07a0204282 nixos/polkit: fix systemd service after spiltting 2015-11-26 18:14:22 +01:00
obadz
a05a340e26 PAM: reorganize the way pam_ecryptfs and pam_mount get their password 
Run pam_unix an additional time rather than switching it from sufficient
to required. This fixes a potential security issue for
ecryptfs/pam_mount users as with pam_deny gone, if cfg.unixAuth = False
then it is possible to login without a password.
 2015-11-21 21:10:40 +00:00
Tuomas Tynkkynen
d5c9e1aebe nixos/polkit: Reference correct output of polkit 2015-10-28 10:17:10 +01:00
Vladimír Čunát
2490848627 polkit: split dev and bin outputs 2015-10-14 14:32:26 +02:00
Tuomas Tynkkynen
1ac0e05f69 nixos/setuid-wrappers: Build with normal mkDerivation phases 
This way the binary gets stripped & rpath-shrinked etc. as usual.
We'd seem to get a runtime reference to gcc otherwise.
 2015-10-03 14:08:55 +02:00
Vladimír Čunát
5227fb1dd5 Merge commit staging+systemd into closure-size 
Many non-conflict problems weren't (fully) resolved in this commit yet.
 2015-10-03 13:33:37 +02:00
Jan Malakhovski
6eadb16022 nixos: fix some types 2015-09-18 18:48:50 +00:00
Tobias Geerinckx-Rice
c90eb862fc nixos: prey module: fix option descriptions 2015-09-06 23:50:03 +02:00
Jaka Hudoklin
c7bb64cb97 Merge pull request #7344 from joachifm/apparmor-pam 
nixos: add AppArmor PAM support
 2015-08-29 18:59:53 +02:00
obadz
172522e153 ecryptfs: 
- upgrade 106 -> 108
- fix passphrase rewrapper (password changing should now work fine) as
  discussed on https://bugs.launchpad.net/ecryptfs/+bug/1486470
- add lsof dependency so ecryptfs-migrate-home should work out of the
  box
 2015-08-19 12:16:57 +01:00
Joachim Fasting
2e0933787b nixos: add AppArmor PAM support 
Enables attaching AppArmor profiles at the user/group level.

This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.
 2015-07-15 12:40:06 +02:00
William A. Kennington III
d605663ae2 Merge branch 'master.upstream' into staging.upstream 2015-07-05 13:06:02 -07:00
Thomas Strobel
7b6f279142 pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-04 23:42:31 +02:00
William A. Kennington III
8e19ac8d7c Merge branch 'master.upstream' into staging.upstream 2015-06-17 11:57:40 -07:00
Eelco Dolstra
6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
William A. Kennington III
9d6555dc0a Merge branch 'master.upstream' into staging.upstream 2015-06-06 12:04:42 -07:00
William A. Kennington III
ffd0539eba cacert: store ca-bundle.crt in $out/etc/ssl/certs instead of $out 2015-06-05 13:00:52 -07:00
William A. Kennington III
867d2c5c46 openssl: Remove References to OPENSSL_X509_CERT_FILE 2015-05-31 15:50:51 -07:00
William A. Kennington III
d6cbb061e3 cacert: Build directly from nss instead of our own tarball 2015-05-29 13:52:07 -07:00
Ricardo M. Correia
aa75bb25d8 grsecurity: Update stable and test patches 
stable: 3.1-3.14.41-201505072056 -> 3.1-3.14.41-201505101121
test:   3.1-4.0.2-201505072057   -> 3.1-4.0.2-201505101122
 2015-05-11 02:45:38 +02:00
Vladimír Čunát
3b9ef2c71b fix "libc}/lib" and similar references 
Done mostly without any verification.
I didn't bother with libc}/include, as the path is still correct.
 2015-05-05 11:52:08 +02:00
Philip Potter
2216728979 add support for pam_u2f to nixos pam module 
This adds support for authenticating using a U2F device such as a
yubikey neo.
 2015-05-03 19:22:00 +01:00
Austin Seipp
8d3b8d0dc8 Merge pull request #7149 from joachifm/grsec-gradm-optional 
grsecurity module: configure gradm iff RBAC is enabled
 2015-04-13 17:11:29 -05:00
Austin Seipp
b86f6a3ed6 Merge pull request #7148 from joachifm/grsec-trivial 
grsecurity module: trivial improvements
 2015-04-13 17:10:47 -05:00
Nicolas B. Pierron
6de931a0f8 Merge rename.nix changes. 2015-04-03 23:12:12 +02:00
Arseniy Seroka
8592c6c004 Merge pull request #7150 from joachifm/grsec-types 
grsecurity module: use types.enum
 2015-04-03 16:03:49 +03:00
Joachim Fasting
3e847d512d grsecurity module: configure gradm iff RBAC is enabled 2015-04-03 13:45:57 +02:00
Joachim Fasting
ba93a75724 grsecurity module: use types.enum 
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
 2015-04-03 13:45:45 +02:00
Joachim Fasting
66c4f51046 grsecurity module: simplify assertion 2015-04-03 13:38:32 +02:00
Joachim Fasting
2e88605a91 grsecurity module: remove reference to systemd-sysctl 
First, that's not what the service is called, and secondly it's
most likely irrelevant to the user.
 2015-04-03 13:38:32 +02:00
Arseniy Seroka
4fa554e32b Merge pull request #7017 from obadz/sg+sudo-g 
Ability to switch groups with sg and sudo -g
 2015-04-02 02:11:10 +03:00
obadz
be7f104502 sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid). 
sudo: add ability for wheel users to change group (as well as user)
 2015-03-30 23:50:45 +01:00
Austin Seipp
3ff22a924f Merge pull request #6871 from joachifm/apparmor-fixups 
Apparmor fixups
 2015-03-20 15:36:42 -05:00
Joachim Fasting
532337d673 Cleanup AppArmor module 
Remove excessive whitespace & comment sections
 2015-03-18 12:07:43 +01:00
Austin Seipp
ef95600372 Merge pull request #6771 from joachifm/apparmor-2.9 
Apparmor 2.9
 2015-03-15 14:16:24 -05:00
Ricardo M. Correia
7c8247a8c5 grsecurity: Update stable and test patches 
stable: 3.1-3.14.35-201503071140 -> 3.1-3.14.35-201503092203
test:   3.1-3.18.9-201503071142  -> 3.1-3.19.1-201503122205
 2015-03-15 03:49:58 +01:00
Shea Levy
1d62ad4746 modules.nix: Generate the extra argument set from the configuration 
This allows for module arguments to be handled modularly, in particular
allowing the nixpkgs module to handle the nixpkgs import internally.
This creates the __internal option namespace, which should only be added
to by the module system itself.
 2015-03-12 23:42:57 +01:00
Joachim Fasting
7a9a24a95e Update AppArmor service module 
- Use AppArmor 2.9
- Enable PAM support
 2015-03-12 11:49:05 +01:00
obadz
e5d4624420 PAM/eCryptfs now able to mount ecryptfs'd home directories on login 2015-03-08 16:03:51 -07:00
lethalman
c97d7819ab Merge pull request #6624 from joachifm/grsec-lock 
nixos: grsec-lock service fixes
 2015-03-02 18:49:39 +01:00
Joachim Fasting
18320d3b21 nixos: fix grsec-lock requires 2015-03-02 18:39:04 +01:00
Joachim Fasting
ccd6f5a313 nixos: make the grsec-lock unit depend on the path it writes to 
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.
 2015-03-02 18:39:01 +01:00
Lluís Batlle i Rossell
b26e939111 fix pam (OATH related) 
the pam config was wrong.

Issue #6551
 2015-02-24 17:52:41 +01:00
Lluís Batlle i Rossell
4e99901961 nixos: Adding OATH in pam. 
(cherry picked from commit cb3cba54a1)

Conflicts:
	nixos/modules/security/pam.nix
 2015-02-22 15:25:38 +01:00
Eelco Dolstra
5092d625d6 /etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt 
Even though there is no "official" standard location, it's better to
stick to what most distros are using.
 2015-02-15 19:06:31 +01:00
Eelco Dolstra
75e1b5e317 Provide symlinks to ca-bundle.crt for compat with other distros 
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
 2015-02-15 19:06:31 +01:00
Eelco Dolstra
d2bfb5ceb0 Add options for installing additional root certificates 2015-02-05 18:08:35 +01:00
Ricardo M. Correia
a11dc2f0a3 grsecurity: Add denyUSB option to grsec NixOS module 
The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.

After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
 2015-01-20 19:18:06 +01:00
Luca Bruno
804a958663 pam: add pam_wheel 2015-01-14 18:32:08 +01:00
Shea Levy
cca8bae86e Merge branch 'rngd-fix' of git://github.com/abbradar/nixpkgs 2015-01-08 09:36:29 -05:00
Nikolay Amiantov
dbc0395b2b nixos/rngd: some fixes 2015-01-06 17:27:07 +03:00
Nikolay Amiantov
a164a0b4c5 nixos/fprintd: add service and pam support 2015-01-03 19:50:40 +03:00
Tobias Geerinckx-Rice
c64257b8e5 Fix user-facing typos (mainly in descriptions) 2014-12-30 03:31:03 +01:00
Ricardo M. Correia
1d44322d53 grsecurity: Update stable and test patches 
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test:   3.0-3.17.7-201412211910  -> 3.0-3.18.1-201412281149
 2014-12-29 03:00:47 +01:00
Eelco Dolstra
89697b0fc1 Improve /etc/sudoers message 2014-12-18 11:51:42 +01:00
wmertens
3cecef15d7 Revert $GIT_SSL_CAINFO removal 
Users have an older git in their user environment and it doesn't work without it. We should keep it around for a while.
 2014-12-01 23:07:50 +01:00
wmertens
45c1b9147f Merge pull request #5130 from wmertens/git-ssl-env 
Let git use $SSL_CERT_FILE
 2014-11-27 13:24:08 +01:00
Wout Mertens
72b81cf8bb Remove unnecessary $GIT_SSL_CAINFO from sys env 2014-11-26 00:30:07 +01:00
Ricardo M. Correia
389143d808 grsecurity: Update assertion msg to correct major kernel versions 2014-11-16 18:52:39 +01:00