NixOS · Nov 30, 2018 · Dec 13, 2018 · Dec 24, 2018 · Dec 25, 2018 · Dec 25, 2018
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix
@@ -20,6 +20,8 @@ let
       kernelPackages.nvidia_x11_legacy304
     else if elem "nvidiaLegacy340" drivers then
       kernelPackages.nvidia_x11_legacy340
+    else if elem "nvidiaLegacy390" drivers then
+      kernelPackages.nvidia_x11_legacy390
     else null;
 
   nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
@@ -20,6 +20,12 @@ with lib;
 
   security.allowUserNamespaces = mkDefault false;
 
+  security.protectKernelImage = mkDefault true;
+
+  security.allowSimultaneousMultithreading = mkDefault false;
+
+  security.virtualization.flushL1DataCache = mkDefault "always";
+
   security.apparmor.enable = mkDefault true;
 
   boot.kernelParams = [
@@ -28,9 +34,6 @@ with lib;
 
     # Disable legacy virtual syscalls
     "vsyscall=none"
-
-    # Disable hibernation (allows replacing the running kernel)
-    "nohibernate"
   ];
 
   boot.blacklistedKernelModules = [
@@ -44,9 +47,6 @@ with lib;
   # (e.g., parent/child)
   boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
 
-  # Prevent replacing the running kernel image w/o reboot
-  boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
-
   # Restrict access to kernel ring buffer (information leaks)
   boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
 

diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
@@ -22,18 +22,104 @@ with lib;
         a user namespace fails with "no space left on device" (ENOSPC).
       '';
     };
-  };
 
-  config = mkIf (!config.security.allowUserNamespaces) {
-    # Setting the number of allowed user namespaces to 0 effectively disables
-    # the feature at runtime.  Note that root may raise the limit again
-    # at any time.
-    boot.kernel.sysctl."user.max_user_namespaces" = 0;
-
-    assertions = [
-      { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
-        message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
-      }
-    ];
+    security.protectKernelImage = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to prevent replacing the running kernel image.
+      '';
+    };
+
+    security.allowSimultaneousMultithreading = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to allow SMT/hyperthreading.  Disabling SMT means that only
+        physical CPU cores will be usable at runtime, potentially at
+        significant performance cost.
+        </para>
+
+        <para>
+        The primary motivation for disabling SMT is to mitigate the risk of
+        leaking data between threads running on the same CPU core (due to
+        e.g., shared caches).  This attack vector is unproven.
+        </para>
+
+        <para>
+        Disabling SMT is a supplement to the L1 data cache flushing mitigation
+        (see <xref linkend="opt-security.virtualization.flushL1DataCache"/>)
+        versus malicious VM guests (SMT could "bring back" previously flushed
+        data).
+        </para>
+        <para>
+      '';
+    };
+
+    security.virtualization.flushL1DataCache = mkOption {
+      type = types.nullOr (types.enum [ "never" "cond" "always" ]);
+      default = null;
+      description = ''
+        Whether the hypervisor should flush the L1 data cache before
+        entering guests.
+        See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
+        </para>
+
+        <para>
+          <variablelist>
+          <varlistentry>
+            <term><literal>null</literal></term>
+            <listitem><para>uses the kernel default</para></listitem>
+          </varlistentry>
+          <varlistentry>
+            <term><literal>"never"</literal></term>
+            <listitem><para>disables L1 data cache flushing entirely.
+            May be appropriate if all guests are trusted.</para></listitem>
+          </varlistentry>
+          <varlistentry>
+            <term><literal>"cond"</literal></term>
+            <listitem><para>flushes L1 data cache only for pre-determined
+            code paths.  May leak information about the host address space
+            layout.</para></listitem>
+          </varlistentry>
+          <varlistentry>
+            <term><literal>"always"</literal></term>
+            <listitem><para>flushes L1 data cache every time the hypervisor
+            enters the guest.  May incur significant performance cost.
+            </para></listitem>
+          </varlistentry>
+          </variablelist>
+      '';
+    };
   };
+
+  config = mkMerge [
+    (mkIf (!config.security.allowUserNamespaces) {
+      # Setting the number of allowed user namespaces to 0 effectively disables
+      # the feature at runtime.  Note that root may raise the limit again
+      # at any time.
+      boot.kernel.sysctl."user.max_user_namespaces" = 0;
+
+      assertions = [
+        { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
+          message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+        }
+      ];
+    })
+
+    (mkIf config.security.protectKernelImage {
+      # Disable hibernation (allows replacing the running kernel)
+      boot.kernelParams = [ "nohibernate" ];
+      # Prevent replacing the running kernel image w/o reboot
+      boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
+    })
+
+    (mkIf (!config.security.allowSimultaneousMultithreading) {
+      boot.kernelParams = [ "nosmt" ];
+    })
+
+    (mkIf (config.security.virtualization.flushL1DataCache != null) {
+      boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
+    })
+  ];
 }
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
@@ -70,5 +70,11 @@ import ./make-test.nix ({ pkgs, ...} : {
         $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'");
         $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK";
       };
+
+      # Test kernel image protection
+      subtest "kernelimage", sub {
+        $machine->fail("systemctl hibernate");
+        $machine->fail("systemctl kexec");
+      };
     '';
 })
diff --git a/pkgs/applications/graphics/k3d/default.nix b/pkgs/applications/graphics/k3d/default.nix
@@ -39,6 +39,10 @@ stdenv.mkDerivation rec {
 
   #doCheck = false;
 
+  NIX_CFLAGS_COMPILE = [
+    "-Wno-deprecated-declarations"
+  ];
+
   meta = with stdenv.lib; {
     description = "A 3D editor with support for procedural editing";
     homepage = http://www.k-3d.org/;

diff --git a/pkgs/applications/misc/dmrconfig/default.nix b/pkgs/applications/misc/dmrconfig/default.nix
@@ -3,13 +3,13 @@
 
 stdenv.mkDerivation rec {
   name = "dmrconfig-${version}";
-  version = "1.0";
+  version = "1.1";
 
   src = fetchFromGitHub {
     owner = "sergev";
     repo = "dmrconfig";
     rev = version;
-    sha256 = "1bb3hahfdb5phxyzp1m5ibqwz3mcqplzaibb1aq7w273xcfrd9l9";
+    sha256 = "1qwix75z749628w583fwp7m7kxbj0k3g159sxb7vgqxbadqqz1ab";
   };
 
   buildInputs = [
@@ -18,11 +18,11 @@ stdenv.mkDerivation rec {
 
   preConfigure = ''
     substituteInPlace Makefile \
-      --replace /usr/local/bin/dmrconfig $out/bin/dmrconfig \
-      --replace "\$(shell git describe --tags --abbrev=0)" ${version} \
-      --replace "\$(shell git rev-list HEAD --count)" 0
+      --replace /usr/local/bin/dmrconfig $out/bin/dmrconfig
   '';
 
+  makeFlags = "VERSION=${version} GITCOUNT=0";
+
   installPhase = ''
     mkdir -p $out/bin $out/lib/udev/rules.d
     make install

diff --git a/pkgs/applications/networking/insync/default.nix b/pkgs/applications/networking/insync/default.nix
@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   name = "insync-${version}";
-  version = "1.4.5.37069";
+  version = "1.5.5.37367";
   src =
     if stdenv.hostPlatform.system == "x86_64-linux" then
       fetchurl {
         url = "http://s.insynchq.com/builds/insync-portable_${version}_amd64.tar.bz2";
-        sha256 = "0mkqgpq4isngkj20c0ygmxf4cj975d446svhwvl3cqdrjkjm1ybd";
+        sha256 = "1yz8l8xjr0pm30hvv4w59wzs569xzkpn8lv12pyl82r1l16h5zp3";
       }
     else
       throw "${name} is not supported on ${stdenv.hostPlatform.system}";

diff --git a/pkgs/applications/window-managers/dwm/dwm-status.nix b/pkgs/applications/window-managers/dwm/dwm-status.nix
@@ -1,30 +1,30 @@
 { stdenv, lib, rustPlatform, fetchFromGitHub, dbus, gdk_pixbuf, libnotify, makeWrapper, pkgconfig, xorg
-, enableAlsaUtils ? true, alsaUtils, bash, coreutils }:
+, enableAlsaUtils ? true, alsaUtils, coreutils
+, enableNetwork ? true, dnsutils, iproute, wirelesstools }:
 
 let
-  binPath = stdenv.lib.makeBinPath [
-    alsaUtils bash coreutils
-  ];
+  bins = lib.optionals enableAlsaUtils [ alsaUtils coreutils ]
+    ++ lib.optionals enableNetwork [ dnsutils iproute wirelesstools ];
 in
 
 rustPlatform.buildRustPackage rec {
   name = "dwm-status-${version}";
-  version = "1.5.0";
+  version = "1.6.0";
 
   src = fetchFromGitHub {
     owner = "Gerschtli";
     repo = "dwm-status";
     rev = version;
-    sha256 = "0mfzpyacd7i6ipbjwyl1zc0x3lnz0f4qqzsmsb07p047z95mw4v6";
+    sha256 = "02gvlxv6ylx4mdkf59crm2zyahiz1zd4cr5zz29dnhx7r7738i9a";
   };
 
   nativeBuildInputs = [ makeWrapper pkgconfig ];
   buildInputs = [ dbus gdk_pixbuf libnotify xorg.libX11 ];
 
-  cargoSha256 = "1cngcacsbzijs55k4kz8fidki3p8jblk3v5s21hjsn4glzjdbkmm";
+  cargoSha256 = "1khknf1bjs80cc2n4jnpilf8cc15crykhhyvvff6q4ay40353gr6";
 
-  postInstall = lib.optionalString enableAlsaUtils ''
-    wrapProgram $out/bin/dwm-status --prefix "PATH" : "${binPath}"
+  postInstall = lib.optionalString (bins != [])  ''
+    wrapProgram $out/bin/dwm-status --prefix "PATH" : "${stdenv.lib.makeBinPath bins}"
   '';
 
   meta = with stdenv.lib; {

diff --git a/pkgs/data/icons/zafiro-icons/default.nix b/pkgs/data/icons/zafiro-icons/default.nix
@@ -1,15 +1,14 @@
 { stdenv, fetchFromGitHub, gtk3 }:
 
 stdenv.mkDerivation rec {
-  name = "${pname}-${version}";
   pname = "zafiro-icons";
-  version = "0.7.7";
+  version = "0.7.9";
 
   src = fetchFromGitHub {
     owner = "zayronxio";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0471gf4s32dhcm3667l1bnam04jk4miw3c6s557vix59rih1y71p";
+    sha256 = "08cd4hcmhyrm91ps6j3c6jpwg5b9y635smnmrzgiz33iy2pa0qm7";
   };
 
   nativeBuildInputs = [ gtk3 ];

diff --git a/pkgs/development/libraries/allegro/allegro4-mesa-18.2.5.patch b/pkgs/development/libraries/allegro/allegro4-mesa-18.2.5.patch
@@ -0,0 +1,26 @@
+--- a/addons/allegrogl/include/alleggl.h
++++ b/addons/allegrogl/include/alleggl.h
+@@ -63,9 +63,11 @@ typedef __int64 INT64;
+ /* HACK: Prevent both Mesa and SGI's broken headers from screwing us */
+ #define __glext_h_
+ #define __glxext_h_
++#define __glx_glxext_h_
+ #include <GL/gl.h>
+ #undef  __glext_h_
+ #undef  __glxext_h_
++#undef  __glx_glxext_h_
+
+ #endif /* ALLEGRO_MACOSX */
+
+--- a/addons/allegrogl/include/allegrogl/GLext/glx_ext_defs.h
++++ b/addons/allegrogl/include/allegrogl/GLext/glx_ext_defs.h
+@@ -1,7 +1,9 @@
+ /* HACK: Prevent both Mesa and SGI's broken headers from screwing us */
+ #define __glxext_h_
++#define __glx_glxext_h_
+ #include <GL/glx.h>
+ #undef __glxext_h_
++#undef __glx_glxext_h_
+
+ #ifndef GLX_VERSION_1_3
+ #define AGLX_VERSION_1_3
diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix
@@ -13,6 +13,7 @@ stdenv.mkDerivation rec {
   };
 
   patches = [
+    ./allegro4-mesa-18.2.5.patch
     ./nix-unstable-sandbox-fix.patch
   ];
 

diff --git a/pkgs/development/libraries/libs3/default.nix b/pkgs/development/libraries/libs3/default.nix
@@ -1,26 +1,23 @@
 { stdenv, fetchFromGitHub, curl, libxml2 }:
 
 stdenv.mkDerivation {
-  name = "libs3-2017-06-01";
+  name = "libs3-2018-12-03";
 
   src = fetchFromGitHub {
     owner = "bji";
     repo = "libs3";
-    rev = "fd8b149044e429ad30dc4c918f0713cdd40aadd2";
-    sha256 = "0a4c9rsd3wildssvnvph6cd11adn0p3rd4l02z03lvxkjhm20gw3";
+    rev = "111dc30029f64bbf82031f3e160f253a0a63c119";
+    sha256 = "1ahf08hc7ql3fazfmlyj9vrhq7cvarsmgn2v8149y63zr1fl61hs";
   };
 
   buildInputs = [ curl libxml2 ];
 
-  # added to fix build with gcc7, review on update
-  NIX_CFLAGS_COMPILE = [ "-Wno-error=format-truncation" ];
-
-  DESTDIR = "\${out}";
+  makeFlags = [ "DESTDIR=$(out)" ];
 
   meta = with stdenv.lib; {
     homepage = https://github.com/bji/libs3;
     description = "A library for interfacing with amazon s3";
-    license = licenses.lgpl3;
+    license = licenses.lgpl3Plus;
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/development/libraries/lmdb/default.nix b/pkgs/development/libraries/lmdb/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "lmdb-${version}";
-  version = "0.9.22";
+  version = "0.9.23";
 
   src = fetchFromGitHub {
     owner = "LMDB";
     repo = "lmdb";
     rev = "LMDB_${version}";
-    sha256 = "0lng4ra2qrbqcf8klvqp68qarha0z4bkqhhv8lhh45agsxyrhfkj";
+    sha256 = "0ag7l5180ajvm73y59m7sn3p52xm8m972d08cshxhpwgwa4v35k6";
   };
 
   postUnpack = "sourceRoot=\${sourceRoot}/libraries/liblmdb";

diff --git a/pkgs/development/libraries/science/math/mkl/default.nix b/pkgs/development/libraries/science/math/mkl/default.nix
@@ -60,7 +60,7 @@ stdenvNoCC.mkDerivation rec {
   outputHashAlgo = "sha256";
   outputHashMode = "recursive";
   outputHash = if stdenvNoCC.isDarwin
-    then "0000000000000000000000000000000000000000000000000000"
+    then "00d49ls9vcjan1ngq2wx2q4p6lnm05zwh67hsmj7bnq43ykrfibw"
     else "1amagcaan0hk3x9v7gg03gkw02n066v4kmjb32yyzsy5rfrivb1a";
 
   meta = with stdenvNoCC.lib; {