Diffstat (limited to 'pkgs/os-specific/linux')
32 files changed, 276 insertions, 91 deletions
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index 0a74554d6c60d..933b4e176f762 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -18,16 +18,17 @@ , writeShellScript , closureInfo , runCommand +, libxcrypt }: let - apparmor-version = "3.0.7"; + apparmor-version = "3.1.1"; apparmor-meta = component: with lib; { homepage = "https://apparmor.net/"; description = "A mandatory access control system - ${component}"; license = licenses.gpl2; - maintainers = with maintainers; [ joachifm julm thoughtpolice ]; + maintainers = with maintainers; [ julm thoughtpolice ]; platforms = platforms.linux; }; @@ -35,7 +36,7 @@ let owner = "apparmor"; repo = "apparmor"; rev = "v${apparmor-version}"; - hash = "sha256-iLZY0wZQr+YvR8JCwTeECDuqFb1sQCQtkiUksiYCvWs="; + hash = "sha256-phEHfrza0EeX2HEM5ts8wVCFlSLlnEtZd2MwbG/XbFY="; }; aa-teardown = writeShellScript "aa-teardown" '' @@ -93,7 +94,8 @@ let perl ] ++ lib.optional withPython python; - buildInputs = lib.optional withPerl perl + buildInputs = [ libxcrypt ] + ++ lib.optional withPerl perl ++ lib.optional withPython python; # required to build apparmor-parser diff --git a/pkgs/os-specific/linux/bpftools/default.nix b/pkgs/os-specific/linux/bpftools/default.nix index 640ab5f76a96e..d3bb96afb3e78 100644 --- a/pkgs/os-specific/linux/bpftools/default.nix +++ b/pkgs/os-specific/linux/bpftools/default.nix @@ -8,13 +8,15 @@ stdenv.mkDerivation rec { pname = "bpftools"; - version = "5.19.8"; + version = "5.19.12"; src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "1kl7fifsa6vsm34xg3kd2svhx18n771hfj67nhwnlalmb9whhqv1"; + sha256 = "sha256-xDalSMcxLOb8WjRyy+rYle749ShB++fHH9jki9/isLo="; }; + patches = [ ./strip-binary-name.patch ]; + nativeBuildInputs = [ python3 bison flex ]; buildInputs = (if (lib.versionAtLeast version "5.20") then [ libopcodes libbfd ] 
diff --git a/pkgs/os-specific/linux/bpftools/strip-binary-name.patch b/pkgs/os-specific/linux/bpftools/strip-binary-name.patch new file mode 100644 index 0000000000000..623e90963bd9b --- /dev/null +++ b/pkgs/os-specific/linux/bpftools/strip-binary-name.patch @@ -0,0 +1,15 @@ +Strip path to the binary from prints. + +I see no sense in including the full path in outputs like bpftool --version +Especially as argv[0] may not include it, based on calling via $PATH or not. +--- a/tools/bpf/bpftool/main.c ++++ b/tools/bpf/bpftool/main.c +@@ -443 +443,7 @@ +- bin_name = argv[0]; ++ /* Strip the path if any. */ ++ const char *bin_name_slash = strrchr(argv[0], '/'); ++ if (bin_name_slash) { ++ bin_name = bin_name_slash + 1; ++ } else { ++ bin_name = argv[0]; ++ } diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix index 62f3f0c4db14b..1ac2ccf842a21 100644 --- a/pkgs/os-specific/linux/cryptsetup/default.nix +++ b/pkgs/os-specific/linux/cryptsetup/default.nix @@ -1,5 +1,12 @@ { lib, stdenv, fetchurl, lvm2, json_c, asciidoctor -, openssl, libuuid, pkg-config, popt }: +, openssl, libuuid, pkg-config, popt, nixosTests + + # The release tarballs contain precomputed manpage files, so we don't need + # to run asciidoctor on the man sources. By avoiding asciidoctor, we make + # the bare NixOS build hash independent of changes to the ruby ecosystem, + # saving mass-rebuilds. +, rebuildMan ? false +}: stdenv.mkDerivation rec { pname = "cryptsetup"; @@ -13,6 +20,11 @@ stdenv.mkDerivation rec { sha256 = "sha256-kYSm672c5+shEVLn90GmyC8tHMDiSoTsnFKTnu4PBUI="; }; + patches = [ + # Allow reading tokens from a relative path, see #167994 + ./relative-token-path.patch + ]; + postPatch = '' patchShebangs tests 
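Review bot: `strrchr(argv[0], '/')` in the added lines dereferences argv[0] unconditionally, whereas the replaced `bin_name = argv[0];` only stored the pointer; a process started with an empty argv (argc == 0, possible on kernels that do not pad argv) has argv[0] == NULL and now crashes at this line. If upstream does not already reject argc == 0 earlier in main (not visible in this hunk), a one-line guard keeps the intent: `const char *bin_name_slash = argv[0] ? strrchr(argv[0], '/') : NULL;`. Whether main.c includes <string.h> for strrchr is also not visible here; the enclosing main() starts and ends outside the hunk.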
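Review bot: The comment on the new `patches` entry, `# Allow reading tokens from a relative path, see #167994`, does not describe what the patch does: the patch (added in this same commit) changes how the token handler plugins `libcryptsetup-token-*.so` are located by dlopen, not how token objects are read, and "relative path" understates a change upstream declined for security reasons. Suggested wording: `# Load LUKS2 token handler plugins (libcryptsetup-token-*.so) via the dynamic loader's search path instead of a compile-time directory, to break the cryptsetup <-> systemd cycle; see #167994 and the patch header for the security trade-off`.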
@@ -28,6 +40,8 @@ stdenv.mkDerivation rec { "--enable-cryptsetup-reencrypt" "--with-crypto_backend=openssl" "--disable-ssh-token" + ] ++ lib.optionals (!rebuildMan) [ + "--disable-asciidoc" ] ++ lib.optionals stdenv.hostPlatform.isStatic [ "--disable-external-tokens" # We have to override this even though we're removing token @@ -36,7 +50,7 @@ stdenv.mkDerivation rec { "--with-luks2-external-tokens-path=/" ]; - nativeBuildInputs = [ pkg-config asciidoctor ]; + nativeBuildInputs = [ pkg-config ] ++ lib.optionals rebuildMan [ asciidoctor ]; buildInputs = [ lvm2 json_c openssl libuuid popt ]; # The test [7] header backup in compat-test fails with a mysterious @@ -44,6 +58,19 @@ stdenv.mkDerivation rec { # Issue filed upstream: https://gitlab.com/cryptsetup/cryptsetup/-/issues/763 doCheck = !stdenv.hostPlatform.isMusl; + passthru = { + tests = { + nixos = + lib.optionalAttrs stdenv.hostPlatform.isLinux ( + lib.recurseIntoAttrs ( + lib.filterAttrs + (name: _value: lib.hasPrefix "luks" name) + nixosTests.installer + ) + ); + }; + }; + meta = { homepage = "https://gitlab.com/cryptsetup/cryptsetup/"; description = "LUKS for dm-crypt"; diff --git a/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch b/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch new file mode 100644 index 0000000000000..dffd0ba3bb520 --- /dev/null +++ b/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch 
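Review bot: The context lines `--disable-external-tokens` / `# We have to override this even though we're removing token` and, in the next hunk, `--with-luks2-external-tokens-path=/` now sit next to a patch that no longer uses the configured tokens path when loading handlers, so the comment's reasoning is at least partly stale; as far as the patch hunk on this page shows, `crypt_token_external_path()` is dropped from the dlopen path entirely. Extend the comment so the static-build override and the new patch are explained together, e.g. `# With relative-token-path.patch the loader ignores this directory for dlopen; it is kept only so the static build's configure check passes`, adjusted to whatever the remaining use of the path actually is.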
@@ -0,0 +1,50 @@ +From 4f95ab1f8110a8ab9d7b0e192731ce467f6e5c26 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Janne=20He=C3=9F?= <janne@hess.ooo> +Date: Sun, 4 Sep 2022 11:15:02 -0600 +Subject: [PATCH] Allow loading token handlers from the default search path + +Since [1] landed in cryptsetup, token handlers (libcryptsetup-token-*.so) +are loaded from a fixed path defined at compile-time. This is +problematic with NixOS since it introduces a dependency cycle +between cryptsetup and systemd. + +This downstream patch [2] allows loading token plugins from the +default library search path. This approach is not accepted upstream [3] +due to security concerns, but the potential attack vectors require +root access and they are sufficiently addressed: + +* cryptsetup could be used as a setuid binary (not used in NixOS). + In this case, LD_LIBRARY_PATH is ignored because of secure-execution + mode. +* cryptsetup running as root could lead to a malicious token handler + being loaded through LD_LIBRARY_PATH. However, fixing the path + doesn't prevent the same malicious .so being loaded through LD_PRELOAD. 
+ +[1] https://gitlab.com/cryptsetup/cryptsetup/-/commit/5b9e98f94178d3cd179d9f6e2a0a68c7d9eb6507 +[2] https://github.com/NixOS/nixpkgs/issues/167994#issuecomment-1094249369 +[3] https://gitlab.com/cryptsetup/cryptsetup/-/issues/733 +--- + lib/luks2/luks2_token.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c +index 26467253..6f8329f0 100644 +--- a/lib/luks2/luks2_token.c ++++ b/lib/luks2/luks2_token.c +@@ -151,12 +151,10 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp + + token = &ret->u.v2; + +- r = snprintf(buf, sizeof(buf), "%s/libcryptsetup-token-%s.so", crypt_token_external_path(), name); ++ r = snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name); + if (r < 0 || (size_t)r >= sizeof(buf)) + return -EINVAL; + +- assert(*buf == '/'); +- + log_dbg(cd, "Trying to load %s.", buf); + + h = dlopen(buf, RTLD_LAZY); +-- +2.37.2 + diff --git a/pkgs/os-specific/linux/exfat/default.nix b/pkgs/os-specific/linux/exfat/default.nix index d459d24084427..ee6f448112d88 100644 --- a/pkgs/os-specific/linux/exfat/default.nix +++ b/pkgs/os-specific/linux/exfat/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" "ARCH=${stdenv.hostPlatform.linuxArch}" - ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [ + ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "CROSS_COMPILE=${stdenv.cc.targetPrefix}" ]; diff --git a/pkgs/os-specific/linux/gobi_loader/default.nix b/pkgs/os-specific/linux/gobi_loader/default.nix index b7972007719c9..2b251242119c8 100644 --- a/pkgs/os-specific/linux/gobi_loader/default.nix +++ b/pkgs/os-specific/linux/gobi_loader/default.nix 
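Review bot: After this change the string handed to dlopen is built solely from `name`, and the removed `assert(*buf == '/')` was the last check that the result is an absolute path; if `name` can contain a `/` (it is the token type read from the LUKS2 header, i.e. on-disk data the caller does not control), dlopen treats a name containing a slash as a pathname relative to the working directory rather than consulting the library search path. The patch header discusses LD_LIBRARY_PATH and LD_PRELOAD but not this case, so either add `if (strchr(name, '/')) return -EINVAL;` ahead of the snprintf or state in the header where the token type is already validated to be a bare identifier. The enclosing `crypt_token_load_external` starts before and ends after this hunk.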
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec { substituteInPlace 60-gobi.rules --replace "/lib/firmware" "/run/current-system/firmware" ''; - makeFlags = "prefix=${placeholder "out"}"; + makeFlags = [ "prefix=${placeholder "out"}" ]; meta = with lib; { description = "Firmware loader for Qualcomm Gobi USB chipsets"; diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix index daa8c1ae2019f..ebf20a015c046 100644 --- a/pkgs/os-specific/linux/kernel-headers/default.nix +++ b/pkgs/os-specific/linux/kernel-headers/default.nix @@ -27,7 +27,7 @@ let flex bison python rsync ]; - extraIncludeDirs = lib.optional (with stdenvNoCC.hostPlatform; isPower && is32bit && isBigEndian) ["ppc"]; + extraIncludeDirs = lib.optionals (with stdenvNoCC.hostPlatform; isPower && is32bit && isBigEndian) ["ppc"]; inherit patches; @@ -84,12 +84,12 @@ let in { inherit makeLinuxHeaders; - linuxHeaders = let version = "5.19"; in + linuxHeaders = let version = "6.0"; in makeLinuxHeaders { inherit version; src = fetchurl { - url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "1a05a3hw4w3k530mxhns96xw7hag743xw5w967yazqcykdbhq97z"; + url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz"; + sha256 = "sha256-XCRDpVON5SaI77VcJ6sFOcH161jAz9FqK5+7CP2BeI4="; }; patches = [ ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 2e07606345875..57fe7420f4818 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -411,6 +411,7 @@ let XFS_QUOTA = option yes; XFS_POSIX_ACL = option yes; XFS_RT = option yes; # XFS Realtime subvolume support + XFS_ONLINE_SCRUB = option yes; OCFS2_DEBUG_MASKLOG = option no; 
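Review bot: `XFS_ONLINE_SCRUB = option yes;` is the only line in this XFS group without a comment, while the neighbouring `XFS_RT` line explains what it enables; as far as I know the 6.0-era Kconfig still labels online scrub experimental, which matters because this file feeds every kernel variant including the hardened ones. A trailing comment in the style of the line above would carry that, e.g. `XFS_ONLINE_SCRUB = option yes; # online metadata checking (xfs_scrub); experimental upstream`.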
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 34d6a38748018..95ef57ece2d95 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -21,42 +21,42 @@ }, "5.10": { "patch": { - "extra": "-hardened2", - "name": "linux-hardened-5.10.147-hardened2.patch", - "sha256": "0j44mfyc66vq6hncc5w3mxxw8jcpa66w4w40d3wm7ka6yr6p34sh", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.147-hardened2/linux-hardened-5.10.147-hardened2.patch" + "extra": "-hardened1", + "name": "linux-hardened-5.10.148-hardened1.patch", + "sha256": "1r4s7qpwjhhbp1phkk2dd8rbm3x9l3i3g10jz865l1vp253pmb65", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.148-hardened1/linux-hardened-5.10.148-hardened1.patch" }, - "sha256": "16pdpjmvrdml7am7s2kydrif1l7f4aq0wh4ak0xh3dby16zkl9c5", - "version": "5.10.147" + "sha256": "0mp9qs8f50hxf72b6cgh8izkyjbhrrmij6slxja701i1w9mkylhj", + "version": "5.10.148" }, "5.15": { "patch": { - "extra": "-hardened3", - "name": "linux-hardened-5.15.73-hardened3.patch", - "sha256": "1p4cm1viyryf4npbfvg72a4kpqs22vqvfqj2hl6pq5wrpgg677g0", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.73-hardened3/linux-hardened-5.15.73-hardened3.patch" + "extra": "-hardened1", + "name": "linux-hardened-5.15.74-hardened1.patch", + "sha256": "0ygfz210zz0k5fza2530vwayjz3r32973lbhfsyyc0fq6vghqhn2", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.74-hardened1/linux-hardened-5.15.74-hardened1.patch" }, - "sha256": "0pbi640llcdbx57vwwzc5axa75w0y5rixa9r752h725f4naz08m8", - "version": "5.15.73" + "sha256": "0ra2ijpw7w07gm3kjwyszlwfq2rbnmq84z50qhv5r0svz2i3j59c", + "version": "5.15.74" }, "5.19": { "patch": { - "extra": "-hardened2", - "name": "linux-hardened-5.19.15-hardened2.patch", - "sha256": "12si2gy6maxbvf252ircp94ci0ihqlxv3l9sf4xwxrs66gn3z2fa", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.19.15-hardened2/linux-hardened-5.19.15-hardened2.patch" + "extra": "-hardened1", + "name": "linux-hardened-5.19.16-hardened1.patch", + "sha256": "1y9c26pyyvifkza7anl9gphnn3jpw7jwiqwjw6i748wwxynhx596", + "url": 
"https://github.com/anthraxx/linux-hardened/releases/download/5.19.16-hardened1/linux-hardened-5.19.16-hardened1.patch" }, - "sha256": "06zband5q6m9imyvn4y4naafdakjcj00rg23227cagnv8wwf71j6", - "version": "5.19.15" + "sha256": "13g0c6ljxk3sd0ja39ndih5vrzp2ssj78qxaf8nswn8hgrkazsx1", + "version": "5.19.16" }, "5.4": { "patch": { - "extra": "-hardened2", - "name": "linux-hardened-5.4.217-hardened2.patch", - "sha256": "16hcwjll5dkfc8sb81w3dipqx9j1np91f5gad45b0xfcnqcn70ab", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.217-hardened2/linux-hardened-5.4.217-hardened2.patch" + "extra": "-hardened1", + "name": "linux-hardened-5.4.218-hardened1.patch", + "sha256": "1ylhkhkm4vamdap0kb6vnw9w0rjaacdfgly1yin75dxxymy0x026", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.218-hardened1/linux-hardened-5.4.218-hardened1.patch" }, - "sha256": "0qrfrk0g1dky5apg8gdxczj2ir0g0z41zmdmbwwcxkxjz76jdf1b", - "version": "5.4.217" + "sha256": "0f7lm5qq763zrnwwq9jmfpgvskhzi3gwy5rbq2q7gmiphl179p9x", + "version": "5.4.218" } } diff --git a/pkgs/os-specific/linux/kernel/linux-5.10.nix b/pkgs/os-specific/linux/kernel/linux-5.10.nix index be2e09bc6a3d0..68515e2e84c3f 100644 --- a/pkgs/os-specific/linux/kernel/linux-5.10.nix +++ b/pkgs/os-specific/linux/kernel/linux-5.10.nix @@ -3,7 +3,7 @@ with lib; buildLinux (args // rec { - version = "5.10.148"; + version = "5.10.149"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "0mp9qs8f50hxf72b6cgh8izkyjbhrrmij6slxja701i1w9mkylhj"; + sha256 = "1lv5q0m24ccbiqywy03s9s3wyxzm0v7f691rag89qfsn6z2k8q8g"; }; } // (args.argsOverride or {})) 
diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix index a39e28bfc91f6..57d4d41add947 100644 --- a/pkgs/os-specific/linux/kernel/linux-5.4.nix +++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix @@ -3,7 +3,7 @@ with lib; buildLinux (args // rec { - version = "5.4.218"; + version = "5.4.219"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "0f7lm5qq763zrnwwq9jmfpgvskhzi3gwy5rbq2q7gmiphl179p9x"; + sha256 = "0qd2a0cx6bq11qq2513xmm5jxzfrq6axvsc0pjbvdpv9fa9av4sj"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-6.0.nix b/pkgs/os-specific/linux/kernel/linux-6.0.nix index 27f8166ecefcb..574f04c386c45 100644 --- a/pkgs/os-specific/linux/kernel/linux-6.0.nix +++ b/pkgs/os-specific/linux/kernel/linux-6.0.nix @@ -3,7 +3,7 @@ with lib; buildLinux (args // rec { - version = "6.0.2"; + version = "6.0.3"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz"; - sha256 = "17awx4c5fz7f656ig5bydccci052jsai0lczrn2bdk5cihw2cg51"; + sha256 = "1krx3kp7ivgp91fkcvgvqsb698b3l0dk6zd6yf54sy8530j25mdh"; }; } // (args.argsOverride or { })) diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix index 3709520547362..99980b46e08bd 100644 --- a/pkgs/os-specific/linux/kernel/zen-kernels.nix +++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix 
@@ -4,16 +4,16 @@ let # comments with variant added for update script # ./update-zen.py zen zenVariant = { - version = "6.0.2"; #zen - suffix = "zen1"; #zen - sha256 = "1x80ah2cszj3fbxfpdnlr30r1fblgrhydslfh9vrk48l0z3z80a7"; #zen + version = "6.0.3"; #zen + suffix = "zen2"; #zen + sha256 = "1paywv7y4jizlq092irjcn9r62npzglrf5s008l6129b9q5ib0v8"; #zen isLqx = false; }; # ./update-zen.py lqx lqxVariant = { version = "5.19.16"; #lqx - suffix = "lqx2"; #lqx - sha256 = "1n4hbkb1af9gzdvk7cp73i004j2slb0im9yk1b869h27pxs4il6s"; #lqx + suffix = "lqx4"; #lqx + sha256 = "0mzrgy2kq0i26vgcdfc7nz7m6rw17s0lr9idwy71iz1f8i1pz82w"; #lqx isLqx = true; }; zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // { diff --git a/pkgs/os-specific/linux/kexec-tools/default.nix b/pkgs/os-specific/linux/kexec-tools/default.nix index 6faa401eccc56..e10f3e4defb85 100644 --- a/pkgs/os-specific/linux/kexec-tools/default.nix +++ b/pkgs/os-specific/linux/kexec-tools/default.nix @@ -2,14 +2,14 @@ stdenv.mkDerivation rec { pname = "kexec-tools"; - version = "2.0.23"; + version = "2.0.25"; src = fetchurl { urls = [ "mirror://kernel/linux/utils/kernel/kexec/${pname}-${version}.tar.xz" "http://horms.net/projects/kexec/kexec-tools/${pname}-${version}.tar.xz" ]; - sha256 = "qmPNbH3ZWwbOumJAp/3GeSeJytp1plXmcUmHF1IkJBs="; + sha256 = "sha256-fOLl3vOOwE95/rEH0CJD3VhvvGhWnszwL0S606E+wH0="; }; patches = [ diff --git a/pkgs/os-specific/linux/mxu11x0/srcs.nix b/pkgs/os-specific/linux/mxu11x0/srcs.nix index 5c4e9137c6a6e..1f7b75e6bc1e3 100644 --- a/pkgs/os-specific/linux/mxu11x0/srcs.nix +++ b/pkgs/os-specific/linux/mxu11x0/srcs.nix 
@@ -5,14 +5,14 @@ version = "4.1"; src = fetchurl { url = "https://www.moxa.com/getmedia/b152d8c2-b9d6-4bc7-b0f4-420633b4bc2d/moxa-uport-1100-series-linux-kernel-4.x-driver-v4.1.tgz"; - sha256 = "sha256-sbq5M5FQjrrORtSS07PQHf+MAZArxFcUDN5wszBwbnc="; + sha256 = "sha256-cM3imuMG483ZinFazVa8V4Id0kUGlHaezDHnYtSSb28="; }; }; mxu11x0_5 = { version = "5.1"; src = fetchurl { url = "https://www.moxa.com/getmedia/57dfa4c1-8a2a-4da6-84c1-a36944ead74d/moxa-uport-1100-series-linux-kernel-5.x-driver-v5.1.tgz"; - sha256 = "sha256-pdFIiD5naSDdYwRz8ww8Mg8z1gDOfZ/OeO6Q5n+kjDQ="; + sha256 = "sha256-P1YMlyAhS955CSBiZ/tyu5m6ds2PiFMcHmyrdTjloPs="; }; }; } diff --git a/pkgs/os-specific/linux/nsncd/default.nix b/pkgs/os-specific/linux/nsncd/default.nix new file mode 100644 index 0000000000000..f2005f50a580f --- /dev/null +++ b/pkgs/os-specific/linux/nsncd/default.nix @@ -0,0 +1,30 @@ +{ lib +, stdenv +, fetchFromGitHub +, rustPlatform +, nix-gitignore +}: + +rustPlatform.buildRustPackage rec { + pname = "nsncd"; + version = "unstable-2021-10-20"; + + src = fetchFromGitHub { + owner = "nix-community"; + repo = "nsncd"; + rev = "b9425070bb308565a6e4dc5aefd568952a07a4ed"; + hash = "sha256-ZjInzPJo+PWAM2gAKhlasLXiqo+2Df4DIXpNwtqQVc8="; + }; + + cargoSha256 = "sha256-hxdI+HHB0PB/zDMI21Pg5Xr9mTDn4T+OcAAenUox4bs="; + + meta = with lib; { + description = "the name service non-caching daemon"; + longDescription = '' + nsncd is a nscd-compatible daemon that proxies lookups, without caching. + ''; + homepage = "https://github.com/twosigma/nsncd"; + license = licenses.asl20; + maintainers = with maintainers; [ flokli ninjatrappeur ]; + }; +} diff --git a/pkgs/os-specific/linux/numactl/default.nix b/pkgs/os-specific/linux/numactl/default.nix index ac17a18273a77..28157ffe1677a 100644 --- a/pkgs/os-specific/linux/numactl/default.nix +++ b/pkgs/os-specific/linux/numactl/default.nix 
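Review bot: Both `sha256` values change while `version` (4.1 and 5.1) and the download URLs stay the same, which means the vendor replaced the tarballs in place, and the commit records neither what changed nor how the new artefacts were checked. A fixed-URL artefact whose content silently changes is exactly what a later reader needs to be able to audit, so add a comment above each hash such as `# upstream re-published the tarball without a version bump on <DATE>; contents diffed, only <SUMMARY> changed` (placeholders to be filled in), or point `url` at a mirrored copy under nixpkgs control.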
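Review bot: The new derivation sets no `meta.platforms`, so `rustPlatform.buildRustPackage` will advertise it for every platform although it lives under os-specific/linux and speaks the nscd socket protocol; add `platforms = platforms.linux;` to `meta`. `src` is fetched from the nix-community fork while `homepage` points at twosigma/nsncd, and a one-line comment above `owner` saying why the fork (and this specific `rev`) is used would save the next updater a detour. Minor: nixpkgs descriptions do not start with an article, so `description = "Name service non-caching daemon";`, and `cargoHash` is the preferred spelling of `cargoSha256` in new packages.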
@@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "numactl"; - version = "2.0.15"; + version = "2.0.16"; src = fetchFromGitHub { owner = pname; repo = pname; rev = "v${version}"; - sha256 = "sha256-mowDqCkAHDEV9AWCgAEWL0//sNMUk/K8w3eO7Wg+AwQ="; + sha256 = "sha256-aDKzkmvrPDzQl4n0KgeiU5LOLhQA0tmwzGiXvJDp7ZI="; }; nativeBuildInputs = [ autoreconfHook ]; diff --git a/pkgs/os-specific/linux/nvidia-x11/generic.nix b/pkgs/os-specific/linux/nvidia-x11/generic.nix index 351d71ab8e2d4..ea9dbcabd0e90 100644 --- a/pkgs/os-specific/linux/nvidia-x11/generic.nix +++ b/pkgs/os-specific/linux/nvidia-x11/generic.nix @@ -101,7 +101,7 @@ let nativeBuildInputs = [ perl nukeReferences ] ++ optionals (!libsOnly) kernel.moduleBuildDependencies; - disallowedReferences = optional (!libsOnly) [ kernel.dev ]; + disallowedReferences = optionals (!libsOnly) [ kernel.dev ]; passthru = { open = mapNullable (hash: callPackage ./open.nix { diff --git a/pkgs/os-specific/linux/otpw/default.nix b/pkgs/os-specific/linux/otpw/default.nix index 14381ac68c164..6c53bf16efc19 100644 --- a/pkgs/os-specific/linux/otpw/default.nix +++ b/pkgs/os-specific/linux/otpw/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, pam }: +{ lib, stdenv, fetchurl, pam, libxcrypt }: stdenv.mkDerivation rec { pname = "otpw"; @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { cp *.8 $out/share/man/man8 ''; - buildInputs = [ pam ]; + buildInputs = [ pam libxcrypt ]; hardeningDisable = [ "stackprotector" ]; diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index 72f91e89c7454..22e7057e343f7 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -1,6 +1,6 @@ { lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit , nixosTests -, withLibxcrypt ? false, libxcrypt +, withLibxcrypt ? true, libxcrypt }: stdenv.mkDerivation rec { 
diff --git a/pkgs/os-specific/linux/pam_mysql/default.nix b/pkgs/os-specific/linux/pam_mysql/default.nix index 807899cf2b28c..036d4b20cb4c5 100644 --- a/pkgs/os-specific/linux/pam_mysql/default.nix +++ b/pkgs/os-specific/linux/pam_mysql/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb }: +{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb, libxcrypt }: stdenv.mkDerivation rec { pname = "pam_mysql"; @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ meson pkg-config ninja ]; - buildInputs = [ pam libmysqlclient mariadb ]; + buildInputs = [ pam libmysqlclient mariadb libxcrypt ]; meta = with lib; { description = "PAM authentication module against a MySQL database"; diff --git a/pkgs/os-specific/linux/pam_pgsql/default.nix b/pkgs/os-specific/linux/pam_pgsql/default.nix index 3cfa6733efa84..2eabcefe584c6 100644 --- a/pkgs/os-specific/linux/pam_pgsql/default.nix +++ b/pkgs/os-specific/linux/pam_pgsql/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, postgresql, libgcrypt, pam }: +{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, postgresql, libgcrypt, pam, libxcrypt }: stdenv.mkDerivation rec { pname = "pam_pgsql"; @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ autoreconfHook pkg-config ]; - buildInputs = [ libgcrypt pam postgresql ]; + buildInputs = [ libgcrypt pam postgresql libxcrypt ]; meta = with lib; { description = "Support to authenticate against PostgreSQL for PAM-enabled appliations"; diff --git a/pkgs/os-specific/linux/policycoreutils/default.nix b/pkgs/os-specific/linux/policycoreutils/default.nix index c066dd4c4c5c5..33875049747dd 100644 --- a/pkgs/os-specific/linux/policycoreutils/default.nix +++ b/pkgs/os-specific/linux/policycoreutils/default.nix 
@@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }: +{ lib, stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage, libxcrypt }: stdenv.mkDerivation rec { pname = "policycoreutils"; @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { ''; nativeBuildInputs = [ gettext ]; - buildInputs = [ libsepol libselinux libsemanage ]; + buildInputs = [ libsepol libselinux libsemanage libxcrypt ]; makeFlags = [ "PREFIX=$(out)" diff --git a/pkgs/os-specific/linux/rdma-core/default.nix b/pkgs/os-specific/linux/rdma-core/default.nix index 25bdce3b902f9..2506b654fb473 100644 --- a/pkgs/os-specific/linux/rdma-core/default.nix +++ b/pkgs/os-specific/linux/rdma-core/default.nix @@ -5,13 +5,13 @@ stdenv.mkDerivation rec { pname = "rdma-core"; - version = "42.0"; + version = "43.0"; src = fetchFromGitHub { owner = "linux-rdma"; repo = "rdma-core"; rev = "v${version}"; - sha256 = "sha256-MtvrKdo6Lkt064ol7+hlU7b1r+Dt5236bmE21wM5aDo="; + sha256 = "sha256-tqlanUZpDYT3wgvD0hA1D5RrMdzPzOqoELzuXGhjnz8="; }; strictDeps = true; diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index 03a5c0f4aeb41..6a1c4fc80daeb 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ("CONFIG_PLATFORM_I386_PC=" + (if stdenv.hostPlatform.isx86 then "y" else "n")) ("CONFIG_PLATFORM_ARM_RPI=" + (if stdenv.hostPlatform.isAarch then "y" else "n")) - ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [ + ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "CROSS_COMPILE=${stdenv.cc.targetPrefix}" ]; diff --git a/pkgs/os-specific/linux/shadow/default.nix b/pkgs/os-specific/linux/shadow/default.nix index 5537f9f6aacb0..c6fd417d0d6fa 100644 --- a/pkgs/os-specific/linux/shadow/default.nix +++ b/pkgs/os-specific/linux/shadow/default.nix 
@@ -1,6 +1,6 @@ { lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt , libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison, runtimeShell -, pam ? null, glibcCross ? null +, libxcrypt, pam ? null, glibcCross ? null }: let @@ -28,7 +28,8 @@ stdenv.mkDerivation rec { sha256 = "sha256-PxLX5V0t18JftT5wT41krNv18Ew7Kz3MfZkOi/80ODA="; }; - buildInputs = lib.optional (pam != null && stdenv.isLinux) pam; + buildInputs = [ libxcrypt ] + ++ lib.optional (pam != null && stdenv.isLinux) pam; nativeBuildInputs = [autoreconfHook libxslt libxml2 docbook_xml_dtd_45 docbook_xsl flex bison itstool ]; @@ -62,6 +63,8 @@ stdenv.mkDerivation rec { configureFlags = [ "--enable-man" "--with-group-name-max-length=32" + "--with-bcrypt" + "--with-yescrypt" ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd"; preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc") diff --git a/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch b/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch new file mode 100644 index 0000000000000..1cd3c2105e1a2 --- /dev/null +++ b/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch 
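Review bot: `--with-bcrypt` and `--with-yescrypt` only make these methods selectable as ENCRYPT_METHOD in login.defs; they do not change the method shadow uses by default, and nothing in this change adds a test that `passwd`/`chpasswd` can produce and verify such a hash against the `libxcrypt` now in `buildInputs`. A comment on the two flags, e.g. `# make bcrypt/yescrypt selectable via ENCRYPT_METHOD in login.defs (needs libxcrypt)`, plus a passthru test exercising one of them would document the intent and catch a libxcrypt/shadow mismatch on the next bump.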
@@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: oxalica <oxalicc@pm.me> +Date: Tue, 4 Oct 2022 09:18:07 +0800 +Subject: [PATCH] core: don't taint on unmerged /usr + +NixOS has very different approach towards /bin and /sbin - they don't +really exist (except for /bin/sh and /usr/bin/env, because these are used +heavily in shebangs around the world). The concept of merged or unmerged +usr doesn't really apply here at all, it's neither of the two. +Users don't execute things from /bin or /sbin, there's nothing else in +there. In all cases, systemd doesn't look things up from /usr/bin or /bin, +so showing the taint isn't really helpful. + +See also: https://github.com/systemd/systemd/issues/24191 +--- + src/core/manager.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 33ded94a7c..8847479799 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -4488,10 +4488,6 @@ char* manager_taint_string(const Manager *m) { + if (m->taint_usr) + stage[n++] = "split-usr"; + +- _cleanup_free_ char *usrbin = NULL; +- if (readlink_malloc("/bin", &usrbin) < 0 || !PATH_IN_SET(usrbin, "usr/bin", "/usr/bin")) +- stage[n++] = "unmerged-usr"; +- + if (access("/proc/cgroups", F_OK) < 0) + stage[n++] = "cgroups-missing"; + diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 5b417369a5584..9ccebdff2e063 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -7,6 +7,7 @@ , fetchpatch , fetchzip , buildPackages +, makeBinaryWrapper , ninja , meson , m4 @@ -27,6 +28,7 @@ , util-linux , kbd , kmod +, libxcrypt # Optional dependencies , pam @@ -92,7 +94,7 @@ , withOomd ? true , withPCRE2 ? true , withPolkit ? true -, withPortabled ? false +, withPortabled ? !stdenv.hostPlatform.isMusl , withRemote ? !stdenv.hostPlatform.isMusl , withResolved ? true , withShellCompletions ? true 
@@ -120,7 +122,7 @@ assert withHomed -> withCryptsetup; let wantCurl = withRemote || withImportd; wantGcrypt = withResolved || withImportd; - version = "251.4"; + version = "251.5"; # Bump this variable on every (major) version change. See below (in the meson options list) for why. # command: @@ -137,7 +139,7 @@ stdenv.mkDerivation { owner = "systemd"; repo = "systemd-stable"; rev = "v${version}"; - sha256 = "sha256-lfG6flT1k8LZBAdDK+cF9RjmJMkHMJquMjQK3MINFd8="; + sha256 = "sha256-2MEmvFT1D+9v8OazBwjnKc7i/x7i196Eoi8bODk1cM4="; }; # On major changes, or when otherwise required, you *must* reformat the patches, @@ -163,6 +165,7 @@ stdenv.mkDerivation { ./0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch ./0016-pkg-config-derive-prefix-from-prefix.patch ./0017-inherit-systemd-environment-when-calling-generators.patch + ./0018-core-don-t-taint-on-unmerged-usr.patch ] ++ lib.optional stdenv.hostPlatform.isMusl ( let oe-core = fetchzip { @@ -331,6 +334,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ pkg-config + makeBinaryWrapper gperf ninja meson @@ -359,6 +363,7 @@ stdenv.mkDerivation { acl audit kmod + libxcrypt libcap libidn2 libuuid 
@@ -571,21 +576,22 @@ stdenv.mkDerivation { ]; # { replacement, search, where } -> List[str] - mkSubstitute = { replacement, search, where, ignore ? [] }: + mkSubstitute = { replacement, search, where, ignore ? [ ] }: map (path: "substituteInPlace ${path} --replace '${search}' \"${replacement}\"") where; - mkEnsureSubstituted = { replacement, search, where, ignore ? [] }: - let - ignore' = lib.concatStringsSep "|" (ignore ++ ["^test" "NEWS"]); - in '' - set +e - search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}") - set -e - if [[ -n "$search" ]]; then - echo "Not all references to '${search}' have been replaced. Found the following matches:" - echo "$search" - exit 1 - fi - ''; + mkEnsureSubstituted = { replacement, search, where, ignore ? [ ] }: + let + ignore' = lib.concatStringsSep "|" (ignore ++ [ "^test" "NEWS" ]); + in + '' + set +e + search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}") + set -e + if [[ -n "$search" ]]; then + echo "Not all references to '${search}' have been replaced. Found the following matches:" + echo "$search" + exit 1 + fi + ''; in '' mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org") @@ -664,7 +670,14 @@ stdenv.mkDerivation { preFixup = lib.optionalString withEfi '' mv $out/lib/systemd/boot/efi $out/dont-strip-me ''; - postFixup = lib.optionalString withEfi '' + + # Wrap in the correct path for LUKS2 tokens. + postFixup = lib.optionalString withCryptsetup '' + for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do + # This needs to be in LD_LIBRARY_PATH because rpath on a binary is not propagated to libraries using dlopen, in this case `libcryptsetup.so` + wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup + done + '' + lib.optionalString withEfi '' mv $out/dont-strip-me $out/lib/systemd/boot/efi ''; 
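Review bot: The new `wrapProgram` line mixes `$out/$f` with `${placeholder "out"}/lib/cryptsetup`; inside postFixup `$out` is already set, so `--prefix LD_LIBRARY_PATH : $out/lib/cryptsetup` reads consistently. The comment above the loop should also record two consequences a reader will otherwise have to derive: the LD_LIBRARY_PATH set by the wrapper is inherited by any child these two binaries spawn, and `--prefix` places the store directory ahead of whatever the caller had in LD_LIBRARY_PATH, which is the right direction now that libcryptsetup finds its token handlers through the loader's search path. Finally the loop runs for both paths whenever `withCryptsetup` is set, so a variant that builds only one of them would fail in `wrapProgram`; either guard with `[ -e "$out/$f" ] ||` or state in the comment that both binaries are always built with cryptsetup support.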
@@ -677,7 +690,7 @@ stdenv.mkDerivation { # runtime; otherwise we can't and we need to reboot. interfaceVersion = 2; - inherit withCryptsetup withHostnamed withImportd withLocaled withMachined withTimedated withUtmp util-linux kmod kbd; + inherit withCryptsetup withHostnamed withImportd withLocaled withMachined withPortabled withTimedated withUtmp util-linux kmod kbd; tests = { inherit (nixosTests) switchTest; diff --git a/pkgs/os-specific/linux/sysvinit/default.nix b/pkgs/os-specific/linux/sysvinit/default.nix index 87b5b81066c20..c8ba3164ab09d 100644 --- a/pkgs/os-specific/linux/sysvinit/default.nix +++ b/pkgs/os-specific/linux/sysvinit/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, withoutInitTools ? false }: +{ lib, stdenv, fetchurl, libxcrypt, withoutInitTools ? false }: stdenv.mkDerivation rec { pname = if withoutInitTools then "sysvtools" else "sysvinit"; @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { sed -i -e "s,/sbin/,$out/sbin/," src/halt.c src/init.c src/paths.h ''; + buildInputs = [ libxcrypt ]; + makeFlags = [ "SULOGINLIBS=-lcrypt" "ROOT=$(out)" "MANDIR=/share/man" ]; preInstall = diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index d57fdba7310be..8df231c961e22 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -1,6 +1,7 @@ { lib, stdenv, fetchurl, pkg-config, zlib, shadow , capabilitiesSupport ? true , libcap_ng +, libxcrypt , ncursesSupport ? true , ncurses , pamSupport ? true @@ -68,7 +69,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkg-config ] ++ lib.optionals translateManpages [ po4a ]; - buildInputs = [ zlib ] + buildInputs = [ zlib libxcrypt ] ++ lib.optionals pamSupport [ pam ] ++ lib.optionals capabilitiesSupport [ libcap_ng ] ++ lib.optionals ncursesSupport [ ncurses ] 
diff --git a/pkgs/os-specific/linux/wiringpi/default.nix b/pkgs/os-specific/linux/wiringpi/default.nix index a06e25b9eb8eb..eed71188eb075 100644 --- a/pkgs/os-specific/linux/wiringpi/default.nix +++ b/pkgs/os-specific/linux/wiringpi/default.nix @@ -2,6 +2,7 @@ , stdenv , symlinkJoin , fetchFromGitHub +, libxcrypt }: let @@ -35,6 +36,9 @@ let inherit mkSubProject; wiringPi = mkSubProject { subprj = "wiringPi"; + buildInputs = [ + libxcrypt + ]; }; devLib = mkSubProject { subprj = "devLib"; @@ -45,6 +49,7 @@ let wiringPiD = mkSubProject { subprj = "wiringPiD"; buildInputs = [ + libxcrypt passthru.wiringPi passthru.devLib ]; @@ -52,6 +57,7 @@ let gpio = mkSubProject { subprj = "gpio"; buildInputs = [ + libxcrypt passthru.wiringPi passthru.devLib ]; |