Merge remote-tracking branch 'upstream/hardened-stdenv' into staging

+49 -19
+12
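--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -62,6 +62,18 @@
 description = "Whether to enable authentication against an LDAP server.";
 };
 
+loginPam = mkOption {
+type = types.bool;
+default = true;
+description = "Whether to include authentication against LDAP in login PAM";
+};
+
+nsswitch = mkOption {
+type = types.bool;
+default = true;
+description = "Whether to include lookup against LDAP in NSS";
+};
+
 server = mkOption {
 example = "ldap://ldap.example.org/";
 description = "The URL of the LDAP server.";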
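Review bot: The two new descriptions are less precise than the option's effect and, unlike the existing description on line 62, do not end with a period. Judging from the pam.nix hunks in this commit, `loginPam` gates every pam_ldap line (account, auth, password and session) in what appears to be the template used for all generated PAM services, not only the `login` service, so "in login PAM" undersells it; I would write `description = "Whether to include authentication against LDAP in the PAM stacks generated by security.pam.services (account, auth, password and session entries).";`. For `nsswitch`, the nsswitch.nix hunk only shows the `ldap` boolean being gated, so I would say what is visible: `description = "Whether to include LDAP in the NSS lookups configured by nsswitch.conf.";` rather than claiming specific databases.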
+1 -1
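--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -8,7 +8,7 @@
 
 inherit (config.services.avahi) nssmdns;
 inherit (config.services.samba) nsswins;
-ldap = config.users.ldap.enable;
+ldap = (config.users.ldap.enable && config.users.ldap.nsswitch);
 
 in
 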
+5 -4
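--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -221,7 +221,7 @@
 (''
 # Account management.
 account sufficient pam_unix.so
-${optionalString config.users.ldap.enable
+${optionalString use_ldap
 "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -261,7 +261,7 @@
 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
 ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
 "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
-${optionalString config.users.ldap.enable
+${optionalString use_ldap
 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
 ${optionalString config.krb5.enable ''
 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
@@ -276,7 +276,7 @@
 "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
 ${optionalString cfg.pamMount
 "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
-${optionalString config.users.ldap.enable
+${optionalString use_ldap
 "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
@@ -296,7 +296,7 @@
 "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
 ${optionalString config.security.pam.enableEcryptfs
 "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
-${optionalString config.users.ldap.enable
+${optionalString use_ldap
 "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -322,6 +322,7 @@
 
 inherit (pkgs) pam_krb5 pam_ccreds;
 
+use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
 pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
 
 # Create a limits.conf(5) file.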
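Review bot: The new `use_ldap` binding in the last hunk has no comment explaining that it switches pam_ldap off in all four PAM phases of every generated service at once, which is the security-relevant consequence of `users.ldap.loginPam = false` and is not obvious from the name. I would add above it `# pam_ldap is wired into the account/auth/password/session stacks only when both users.ldap.enable and users.ldap.loginPam are set; NSS lookups are controlled separately by users.ldap.nsswitch.`. As a point of style, `use_ldap` is the only snake_case let-binding here that is not a package name (`pam_ldap`, `pam_krb5` are attributes from pkgs); `useLdap` would match the camelCase used for module-local names. The `let` block this binding belongs to starts outside the hunk.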
+21 -3
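--- a/pkgs/applications/networking/browsers/qutebrowser/default.nix
+++ b/pkgs/applications/networking/browsers/qutebrowser/default.nix
@@ -1,13 +1,30 @@
-{ stdenv, fetchurl, buildPythonApplication, makeQtWrapper, wrapGAppsHook
+{ stdenv, fetchurl, unzip, buildPythonApplication, makeQtWrapper, wrapGAppsHook
 , qtbase, pyqt5, jinja2, pygments, pyyaml, pypeg2, glib_networking
 , asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, libxslt
 , gst-plugins-base, gst-plugins-good, gst-plugins-bad, gst-plugins-ugly, gst-libav
 , qtwebkit-plugins }:
 
-let version = "0.8.2"; in
+let
+pdfjs = stdenv.mkDerivation rec {
+name = "pdfjs-${version}";
+version = "1.4.20";
 
-buildPythonApplication rec {
+src = fetchurl {
+url = "https://github.com/mozilla/pdf.js/releases/download/v${version}/${name}-dist.zip";
+sha256 = "1ca1fzyc5qnan6gavcd8bnfqriqqvgdsf4m8ka4nayf50k64xxj9";
+};
+
+nativeBuildInputs = [ unzip ];
+
+buildCommand = ''
+mkdir $out
+unzip -d $out $src
+'';
+};
+
+in buildPythonApplication rec {
 name = "qutebrowser-${version}";
+version = "0.8.2";
 namePrefix = "";
 
 src = fetchurl {
@@ -34,6 +51,7 @@
 
 postPatch = ''
 sed -i "s,/usr/share/qutebrowser,$out/share/qutebrowser,g" qutebrowser/utils/standarddir.py
+sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py
 '';
 
 postBuild = ''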
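Review bot: The new `sed -i` on `qutebrowser/browser/pdfjs.py` in the postPatch hunk is a silent no-op if that file does not contain the literal `/usr/share/pdf.js` in this release, in which case the pdfjs derivation is built and referenced but never used and the package still passes. I would follow the sed with a build-time assertion, `grep -q "${pdfjs}" qutebrowser/browser/pdfjs.py`, so a path rename upstream fails loudly (the pre-existing standarddir.py sed has the same weakness). Whether the tree produced by `unzip -d $out $src` has the layout qutebrowser expects under that path is not visible here and should be confirmed. Since pdf.js presumably renders untrusted PDFs inside the browser's JavaScript engine, the pinned `1.4.20` is security-relevant and will not move with qutebrowser bumps; a comment such as `# pdf.js executes in-browser on untrusted PDFs; bump this release when updating qutebrowser` would flag that for maintainers.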
+2 -8
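--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -4,17 +4,11 @@
 hardeningLDFlags=()
 hardeningDisable=${hardeningDisable:-""}
 
-if [[ -z "@ld_supports_bindnow@" ]]; then
-hardeningDisable+=" bindnow"
-fi
-
-if [[ -z "@ld_supports_relro@" ]]; then
-hardeningDisable+=" relro"
-fi
+hardeningDisable+=" @hardening_unsupported_flags@"
 
 if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
 
-if [[ ! $hardeningDisable == "all" ]]; then
+if [[ ! $hardeningDisable =~ "all" ]]; then
 if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
 for flag in "${hardeningFlags[@]}"
 do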
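Review bot: The switch from `==` to `=~ "all"` turns the "disable everything" test into an unanchored substring match, so any `hardeningDisable` value that merely contains the letters `all` (a typo, or a future flag name with that substring) silently disables every hardening flag instead of one. The change to `=~` was presumably needed because the variable now has the unsupported flags appended and no longer equals `all` exactly, but a whole-word test keeps both properties: `if [[ ! " $hardeningDisable " == *" all "* ]]; then`. A one-line comment above it, `# "all" must appear as its own word; the string may carry linker-unsupported flags appended above`, would stop the next reader from reverting to a bare `==`.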
+8 -3
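--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -237,9 +237,14 @@
 cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
 rm $out/nix-support/setup-hook.tmp
 
-# some linkers on some platforms don't support -z
-export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]])
-export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]])
+# some linkers on some platforms don't support specific -z flags
+hardening_unsupported_flags=""
+if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ "unknown option" ]]; then
+hardening_unsupported_flags+=" bindnow"
+fi
+if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "unknown option" ]]; then
+hardening_unsupported_flags+=" relro"
+fi
 
 substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
 substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh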
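Review bot: `hardening_unsupported_flags` is assigned without `export`, whereas the removed `ld_supports_*` lines were exported; if `substituteAll` collects its `@var@` substitutions from the process environment, as stdenv's version does (not shown here), the placeholder in add-hardening.sh will be left literally as `@hardening_unsupported_flags@` and bindnow/relro will still be passed to linkers that reject `-z`, defeating the purpose of this hunk. The fix is `export hardening_unsupported_flags=""`. Separately, a quoted right-hand side of `=~` is matched literally in bash, so `"unknown option"` (like the old `"un(known|recognized) option"`) is a fixed-string test; if the intent is to catch both wordings the pattern must be unquoted, e.g. `=~ un(known|recognized)\ option`. A comment naming which linker emits which message would make the probe's intent checkable.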