add pkgsExtraHardening package set

this package set can be used to trial new hardening flags or
enable those which are still known to cause some problems
This commit is contained in:
Robert Scott 2023-12-11 18:01:24 +00:00
parent 40868719b0
commit e79c133858
3 changed files with 16 additions and 0 deletions

View File

@ -214,6 +214,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.
- A new top-level package set, `pkgsExtraHardening` is added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).
- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
(such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.

View File

@ -53,6 +53,7 @@ let
pkgsStatic = true;
pkgsCross = true;
pkgsi686Linux = true;
pkgsExtraHardening = true;
};
# No release package attrname may have any of these at a component

View File

@ -276,6 +276,19 @@ let
gcc.abi = "elfv2";
};
});
pkgsExtraHardening = nixpkgsFun {
overlays = [
(self': super': {
pkgsExtraHardening = super';
stdenv = super'.withDefaultHardeningFlags (
super'.stdenv.cc.defaultHardeningFlags ++ [
"zerocallusedregs"
]
) super'.stdenv;
})
] ++ overlays;
};
};
# The complete chain of package set builders, applied from top to bottom.