| Age | Commit message (Collapse) | Author |
|---|
|
grsecurity module: disable EFI runtime services by default
|
|
In light of Emacs packaging improvements such as those mentioned
in #11503, and with the addition of a systemd service (#15807
and #16356), and considering that the wiki page is completely
out of date (#13217), it seems that some documentation is in order.
|
|
Enabling EFI runtime services provides a venue for injecting code into
the kernel.
When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services. The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).
This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
|
|
|
|
|
|
|
|
Declarative nginx module with ACME support
|
|
|
|
|
|
|
|
* Hydra doesn't like spaces in filenames.
* The zip file contained nix/store/.../OEBPS rather than OEBPS at
top-level, causing some programs (like okular) to barf.
* Remove the redundant $dst/epub directory.
|
|
PDF is very 20th century and nobody reads technical documentation this
way anymore.
|
|
This prevents gratuitous rebuilds of the manual every time the Git
revision changes.
Should help a bit with #17261.
|
|
Relying on environment variables to override configuration options is
ugly, and there is no reason for them.
|
|
redis: 3.0.7 -> 3.2.2
|
|
Declarative containers: more veth interfaces
|
|
Mopidy will start if the configuration is empty.
Fixes #17381.
|
|
|
|
Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.
Fixes #10101.
|
|
Pulseaudio doesn’t like being restarted too quickly.
|
|
Adds options for tcp streaming and avahi zeroconf support (so that the
server can be easily found by clients).
There is also an option to allow anonymous clients to stream to the
server (by default pulseaudio uses a cookie mechanism, see manpage).
|
|
Instead of one package `extra-cmake-modules`, there is now `ecm` and
`ecmNoHooks`. The latter is used when one does not want to incur a Qt 5
dependency; it is also available as a top-level package
`extra-cmake-modules`.
|
|
|
|
|
|
|
|
(cherry picked from commit 1425a1f964adc2e2eb668810f3f158089035cd3d)
|
|
Seems like the right thing to do.
|
|
With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network.
The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers.
Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing.
|
|
This makes the container a bit more secure, by preventing root
creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)
|
|
|
|
Adds ::1 as allowed host and turns of access_log for the status page.
|
|
Revert httpConfig its old behaviour and make it mutually exclusive to
the new structured configuration. Adds appendHttpConfig to have the
ability to write custom config in the generated http block.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
