Diffstat (limited to 'pkgs/os-specific')
44 files changed, 411 insertions, 147 deletions
diff --git a/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch b/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch index f67ca2e507915..2aaa90b76146b 100644 --- a/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch +++ b/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch @@ -1,6 +1,6 @@ diff -u -r1.35.2.1 nbtool_config.h.in ---- a/nbtool_config.h.in 22 Apr 2015 07:18:58 -0000 1.35.2.1 -+++ b/nbtool_config.h.in 31 May 2018 01:46:53 -0000 +--- a/tools/compat/nbtool_config.h.in 22 Apr 2015 07:18:58 -0000 1.35.2.1 ++++ b/tools/compat/nbtool_config.h.in 31 May 2018 01:46:53 -0000 @@ -680,5 +680,14 @@ /* Define if you have u_int8_t, but not uint8_t. */ #undef uint8_t diff --git a/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch b/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch index 1a69e73e255fc..2758e256a6168 100644 --- a/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch +++ b/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch @@ -6,8 +6,8 @@ Date: Wed Sep 1 15:38:56 2021 +0000 diff --git a/Makefile b/Makefile index b5adb8a5f2e9..1a914ef16739 100644 ---- a/Makefile -+++ b/Makefile +--- a/tools/compat/Makefile ++++ b/tools/compat/Makefile @@ -76,11 +76,6 @@ _CURDIR:= ${.CURDIR} SRCS:= ${SRCS:M*.c} diff --git a/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch b/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch index cd442d95f412a..117fb7e042982 100644 --- a/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch +++ b/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch @@ -8,8 +8,8 @@ Date: Wed Sep 1 15:38:56 2021 +0000 diff --git a/Makefile b/Makefile index 4bcf227f0e75..9ed1d6eea6ff 100644 ---- a/Makefile -+++ b/Makefile +--- a/tools/compat/Makefile ++++ b/tools/compat/Makefile @@ -1,6 +1,6 @@ # $NetBSD: Makefile,v 1.87 2019/05/08 02:25:50 thorpej Exp $ 
diff --git a/pkgs/os-specific/bsd/netbsd/default.nix b/pkgs/os-specific/bsd/netbsd/default.nix index 82efb1f6a75ff..4219706a35261 100644 --- a/pkgs/os-specific/bsd/netbsd/default.nix +++ b/pkgs/os-specific/bsd/netbsd/default.nix @@ -3,7 +3,7 @@ , buildPackages, splicePackages, newScope , bsdSetupHook, makeSetupHook, fetchcvs, groff, mandoc, byacc, flex , zlib -, writeText, symlinkJoin +, writeShellScript, writeText, runtimeShell, symlinkJoin }: let @@ -94,7 +94,7 @@ in lib.makeScopeWithSplicing }.${stdenv'.hostPlatform.parsed.cpu.name} or stdenv'.hostPlatform.parsed.cpu.name; - BSD_PATH = attrs.path; + COMPONENT_PATH = attrs.path; makeFlags = defaultMakeFlags; @@ -121,12 +121,12 @@ in lib.makeScopeWithSplicing installPhase = "includesPhase"; dontBuild = true; } // attrs // { + # Files that use NetBSD-specific macros need to have nbtool_config.h + # included ahead of them on non-NetBSD platforms. postPatch = lib.optionalString (!stdenv'.hostPlatform.isNetBSD) '' - # Files that use NetBSD-specific macros need to have nbtool_config.h - # included ahead of them on non-NetBSD platforms. set +e grep -Zlr "^__RCSID - ^__BEGIN_DECLS" | xargs -0r grep -FLZ nbtool_config.h | + ^__BEGIN_DECLS" $COMPONENT_PATH | xargs -0r grep -FLZ nbtool_config.h | xargs -0tr sed -i '0,/^#/s//#include <nbtool_config.h>\n\0/' set -e '' + attrs.postPatch or ""; @@ -146,7 +146,7 @@ in lib.makeScopeWithSplicing skipIncludesPhase = true; postPatch = '' - patchShebangs configure + patchShebangs $COMPONENT_PATH/configure ${self.make.postPatch} ''; 
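Review bot: `$COMPONENT_PATH` is expanded unquoted in the new grep/xargs pipeline and in `patchShebangs $COMPONENT_PATH/configure`, whereas the setup hook in this same commit tests it as `[ -d "$COMPONENT_PATH" ]`; quote it here too, `grep -Zlr "..." "$COMPONENT_PATH"` and `patchShebangs "$COMPONENT_PATH/configure"`, so a component path with spaces or glob characters is not split. The reason every postPatch snippet now needs the prefix is not stated anywhere; a one-line comment such as `# postPatch runs before the cdBSDPath hook enters $COMPONENT_PATH, so paths here are relative to the source root` would save the next person from dropping the prefixes again — that ordering is inferred from the setup-hook change, please confirm. The surrounding `set +e` / `set -e` pair masks grep's non-zero status when nothing matches; a short comment saying that is intentional would keep it from being "fixed".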
@@ -281,11 +281,11 @@ in lib.makeScopeWithSplicing # HACK: to ensure parent directories exist. This emulates GNU # install’s -D option. No alternative seems to exist in BSD install. - install = let binstall = writeText "binstall" '' - #!${stdenv.shell} - for last in $@; do true; done + install = let binstall = writeShellScript "binstall" '' + set -eu + for last in "$@"; do true; done mkdir -p $(dirname $last) - xinstall "$@" + @out@/bin/xinstall "$@" ''; in mkDerivation { path = "usr.bin/xinstall"; version = "9.2"; @@ -297,13 +297,18 @@ in lib.makeScopeWithSplicing mandoc groff rsync ]; skipIncludesPhase = true; - buildInputs = with self; compatIfNeeded ++ [ fts ]; + buildInputs = with self; compatIfNeeded + # fts header is needed. glibc already has this header, but musl doesn't, + # so make sure pkgsMusl.netbsd.install still builds in case you want to + # remove it! + ++ [ fts ]; installPhase = '' runHook preInstall install -D install.1 $out/share/man/man1/install.1 install -D xinstall $out/bin/xinstall install -D -m 0550 ${binstall} $out/bin/binstall + substituteInPlace $out/bin/binstall --subst-var out ln -s $out/bin/binstall $out/bin/install runHook postInstall @@ -391,6 +396,7 @@ in lib.makeScopeWithSplicing install mandoc groff rsync ]; }; + ## ## END BOOTSTRAPPING ## @@ -706,10 +712,10 @@ in lib.makeScopeWithSplicing SHLIBINSTALLDIR = "$(out)/lib"; makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${self.libterminfo}/lib" ]; postPatch = '' - sed -i '1i #undef bool_t' el.h - substituteInPlace config.h \ + sed -i '1i #undef bool_t' $COMPONENT_PATH/el.h + substituteInPlace $COMPONENT_PATH/config.h \ --replace "#define HAVE_STRUCT_DIRENT_D_NAMLEN 1" "" - substituteInPlace readline/Makefile --replace /usr/include "$out/include" + substituteInPlace $COMPONENT_PATH/readline/Makefile --replace /usr/include "$out/include" ''; NIX_CFLAGS_COMPILE = [ "-D__noinline=" 
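Review bot: The rewritten `binstall` script quotes `"$@"` and adds `set -eu`, but the `mkdir -p $(dirname $last)` line it keeps is still unquoted, so a destination containing spaces or glob characters is word-split before mkdir runs; write `mkdir -p "$(dirname "$last")"`. With `set -u`, calling the wrapper with no arguments now aborts on the unset `$last` instead of reaching xinstall's own usage error, which is acceptable but deserves a comment like `# set -u: fail fast when called without a destination`. The `@out@` placeholder is filled by `substituteInPlace` after the file was installed with mode 0550; that only works if substituteInPlace makes the file writable itself (store fixup normalizes modes afterwards anyway), so a comment noting the ordering dependency, or substituting into a temporary copy before `install`, would make the intent clearer.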
@@ -729,8 +735,8 @@ in lib.makeScopeWithSplicing buildInputs = with self; compatIfNeeded; SHLIBINSTALLDIR = "$(out)/lib"; postPatch = '' - substituteInPlace term.c --replace /usr/share $out/share - substituteInPlace setupterm.c \ + substituteInPlace $COMPONENT_PATH/term.c --replace /usr/share $out/share + substituteInPlace $COMPONENT_PATH/setupterm.c \ --replace '#include <curses.h>' 'void use_env(bool);' ''; postBuild = '' @@ -758,10 +764,10 @@ in lib.makeScopeWithSplicing MKDOC = "no"; # missing vfontedpr makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${self.libterminfo}/lib" ]; postPatch = lib.optionalString (!stdenv.isDarwin) '' - substituteInPlace printw.c \ + substituteInPlace $COMPONENT_PATH/printw.c \ --replace "funopen(win, NULL, __winwrite, NULL, NULL)" NULL \ --replace "__strong_alias(vwprintw, vw_printw)" 'extern int vwprintw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_printw")));' - substituteInPlace scanw.c \ + substituteInPlace $COMPONENT_PATH/scanw.c \ --replace "__strong_alias(vwscanw, vw_scanw)" 'extern int vwscanw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_scanw")));' ''; }; @@ -986,7 +992,7 @@ in lib.makeScopeWithSplicing # man0 generates a man.pdf using ps2pdf, but doesn't install it later, # so we can avoid the dependency on ghostscript postPatch = '' - substituteInPlace man0/Makefile --replace "ps2pdf" "echo noop " + substituteInPlace $COMPONENT_PATH/man0/Makefile --replace "ps2pdf" "echo noop " ''; makeFlags = defaultMakeFlags ++ [ "FILESDIR=$(out)/share" diff --git a/pkgs/os-specific/bsd/netbsd/getent.patch b/pkgs/os-specific/bsd/netbsd/getent.patch index e9e34d19a315b..18258b6486186 100644 --- a/pkgs/os-specific/bsd/netbsd/getent.patch +++ b/pkgs/os-specific/bsd/netbsd/getent.patch 
@@ -1,8 +1,8 @@ Author: Matthew Bauer Description: Remove unavailable getent databases Version: 7.1.2 ---- a/getent.c 2018-04-16 13:33:49.000000000 -0500 -+++ b/getent.c 2018-04-16 13:29:30.000000000 -0500 +--- a/usr.bin/getent/getent.c 2018-04-16 13:33:49.000000000 -0500 ++++ b/usr.bin/getent/getent.c 2018-04-16 13:29:30.000000000 -0500 @@ -42,7 +42,6 @@ #include <grp.h> #include <limits.h> diff --git a/pkgs/os-specific/bsd/netbsd/locale.patch b/pkgs/os-specific/bsd/netbsd/locale.patch index 1df9eb385625c..4b7f478552879 100644 --- a/pkgs/os-specific/bsd/netbsd/locale.patch +++ b/pkgs/os-specific/bsd/netbsd/locale.patch @@ -1,5 +1,5 @@ ---- a/locale.c 2018-06-11 14:39:06.449762000 -0400 -+++ b/locale.c 2018-06-11 14:42:28.461122899 -0400 +--- a/usr.bin/locale/locale.c 2018-06-11 14:39:06.449762000 -0400 ++++ b/usr.bin/locale/locale.c 2018-06-11 14:42:28.461122899 -0400 @@ -56,14 +56,8 @@ #include <stringlist.h> #include <unistd.h> diff --git a/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch b/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch index 5a2b9092a5c56..b3e9f3c88a13c 100644 --- a/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch +++ b/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch @@ -4,8 +4,8 @@ rcsdiff: /ftp/cvs/cvsroot/src/sys/arch/i386/stand/efiboot/Makefile.efiboot,v: wa retrieving revision 1.16 retrieving revision 1.17 diff -u -p -r1.16 -r1.17 ---- sys/arch/i386/stand/efiboot/Makefile.efiboot 2019/09/13 02:19:45 1.16 -+++ sys/arch/i386/stand/efiboot/Makefile.efiboot 2020/04/04 15:30:46 1.17 +--- a/sys/arch/i386/stand/efiboot/Makefile.efiboot 2019/09/13 02:19:45 1.16 ++++ b/sys/arch/i386/stand/efiboot/Makefile.efiboot 2020/04/04 15:30:46 1.17 @@ -41,6 +41,7 @@ BINMODE=444 .PATH: ${.CURDIR}/../../libsa diff --git a/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch b/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch index ed85f8ea5b0cf..5cfb2a54c8db2 100644 --- a/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch 
+++ b/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch @@ -1,7 +1,7 @@ diff --git a/Makefile b/Makefile index 3f1e18dc659d..163362b82f94 100644 ---- a/Makefile -+++ b/Makefile +--- a/sys/Makefile ++++ b/sys/Makefile @@ -2,6 +2,8 @@ .include <bsd.own.mk> diff --git a/pkgs/os-specific/bsd/setup-hook.sh b/pkgs/os-specific/bsd/setup-hook.sh index 4bdfde68b62e7..e0afefcd73f71 100644 --- a/pkgs/os-specific/bsd/setup-hook.sh +++ b/pkgs/os-specific/bsd/setup-hook.sh @@ -48,6 +48,7 @@ addMakeFlags() { makeFlags="BINDIR=${!outputBin}/bin $makeFlags" makeFlags="LIBDIR=${!outputLib}/lib $makeFlags" makeFlags="SHLIBDIR=${!outputLib}/lib $makeFlags" + makeFlags="SHAREDIR=${!outputLib}/share $makeFlags" makeFlags="MANDIR=${!outputMan}/share/man $makeFlags" makeFlags="INFODIR=${!outputInfo}/share/info $makeFlags" makeFlags="DOCDIR=${!outputDoc}/share/doc $makeFlags" @@ -61,10 +62,13 @@ setBSDSourceDir() { sourceRoot=$PWD/$sourceRoot export BSDSRCDIR=$sourceRoot export _SRC_TOP_=$BSDSRCDIR - cd $sourceRoot - if [ -d "$BSD_PATH" ] - then sourceRoot=$sourceRoot/$BSD_PATH +} + +cdBSDPath() { + if [ -d "$COMPONENT_PATH" ] + then sourceRoot=$sourceRoot/$COMPONENT_PATH + cd $COMPONENT_PATH fi } @@ -104,6 +108,7 @@ moveUsrDir() { } postUnpackHooks+=(setBSDSourceDir) +postPatchHooks+=(cdBSDPath) preConfigureHooks+=(addMakeFlags) preInstallHooks+=(includesPhase) fixupOutputHooks+=(moveUsrDir) diff --git a/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix b/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix index cdebfe6d2f727..ed5e998714afe 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix 
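Review bot: In the new `cdBSDPath` hook, `cd $COMPONENT_PATH` is unquoted while the test two lines above quotes the same variable; use `cd "$COMPONENT_PATH"` so a path with spaces or glob characters cannot be split or expanded. When `COMPONENT_PATH` is set but is not a directory, the hook silently stays at the source root and the whole tree gets built, which hides a typo in a derivation's `path`; consider `else echo "cdBSDPath: $COMPONENT_PATH is not a directory" >&2; return 1`, or at least a warning, unless some component deliberately relies on the fallthrough. A header comment would help readers: `# Runs after patches are applied, so patch files use paths relative to the source root; then enters the component's subdirectory for configure/build.` — that ordering is inferred from the hook being registered in postPatchHooks and from the patch-path changes in this commit.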
@@ -13,7 +13,7 @@ in appleDerivation { nativeBuildInputs = [ python3 ]; - depsBuildBuild = lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [ buildPackages.stdenv.cc ]; + depsBuildBuild = lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ buildPackages.stdenv.cc ]; postPatch = '' substituteInPlace makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix index 8b0d2054d58af..266c2ef4dfef5 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix @@ -12,7 +12,7 @@ appleDerivation' (if headersOnly then stdenvNoCC else stdenv) ( nativeBuildInputs = [ bootstrap_cmds bison flex gnum4 unifdef perl python3 ]; - patches = lib.optional stdenv.isx86_64 [ ./python3.patch ]; + patches = lib.optionals stdenv.isx86_64 [ ./python3.patch ]; postPatch = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/cctools/darwin-no-memstream.patch b/pkgs/os-specific/darwin/cctools/darwin-no-memstream.patch new file mode 100644 index 0000000000000..bb8a4ad68f3b2 --- /dev/null +++ b/pkgs/os-specific/darwin/cctools/darwin-no-memstream.patch 
@@ -0,0 +1,21 @@ +MacOS SDKs before 10.13 don't support open_memstream. This is already replaced +by a runtime check in cctools-port, but because we build with SDK 10.12 by +default, linking still fails for us. Disable it entirely here. + +--- a/cctools/include/stuff/diagnostics.h ++++ b/cctools/include/stuff/diagnostics.h +@@ -60,13 +60,6 @@ void diagnostics_log_msg(enum diagnostic_level level, const char* message); + */ + void diagnostics_write(void); + +-#if defined(__APPLE__ ) && defined(__has_builtin) +-# if __has_builtin(__builtin_available) +-# define HAVE_OPENMEMSTREAM_RUNTIME __builtin_available(macOS 10.13, *) +-# endif +-#endif +-#ifndef HAVE_OPENMEMSTREAM_RUNTIME +-# define HAVE_OPENMEMSTREAM_RUNTIME 1 +-#endif ++#define HAVE_OPENMEMSTREAM_RUNTIME 0 + + #endif /* diagnostics_h */ diff --git a/pkgs/os-specific/darwin/cctools/port.nix b/pkgs/os-specific/darwin/cctools/port.nix index bace6f0689d9e..3c48c3ebc0c46 100644 --- a/pkgs/os-specific/darwin/cctools/port.nix +++ b/pkgs/os-specific/darwin/cctools/port.nix @@ -19,13 +19,17 @@ assert (!stdenv.hostPlatform.isDarwin) -> maloader != null; stdenv.mkDerivation { pname = "${targetPrefix}cctools-port"; - version = "949.0.1"; + version = "973.0.1"; src = fetchFromGitHub { owner = "tpoechtrager"; repo = "cctools-port"; - rev = "43f32a4c61b5ba7fde011e816136c550b1b3146f"; - sha256 = "10yc5smiczzm62q6ijqccc58bwmfhc897f3bwa5i9j98csqsjj0k"; + # This is the commit before: https://github.com/tpoechtrager/cctools-port/pull/114 + # That specific change causes trouble for us (see the PR discussion), but + # is also currently the last commit on master at the time of writing, so we + # can just go back one step. + rev = "457dc6ddf5244ebf94f28e924e3a971f1566bd66"; + sha256 = "0ns12q7vg9yand4dmdsps1917cavfbw67yl5q7bm6kb4ia5kkx13"; }; outputs = [ "out" "dev" "man" ]; 
@@ -35,7 +39,11 @@ stdenv.mkDerivation { ++ lib.optionals stdenv.isDarwin [ libobjc ] ++ lib.optional enableTapiSupport libtapi; - patches = [ ./ld-ignore-rpath-link.patch ./ld-rpath-nonfinal.patch ]; + patches = [ + ./ld-ignore-rpath-link.patch + ./ld-rpath-nonfinal.patch + ] + ++ lib.optional stdenv.isDarwin ./darwin-no-memstream.patch; __propagatedImpureHostDeps = [ # As far as I can tell, otool from cctools is the only thing that depends on these two, and we should fix them 
@@ -64,32 +72,99 @@ stdenv.mkDerivation { --replace "-isystem /usr/local/include -isystem /usr/pkg/include" "" \ --replace "-L/usr/local/lib" "" \ - substituteInPlace cctools/include/Makefile \ - --replace "/bin/" "" + # Appears to use new libdispatch API not available in macOS SDK 10.12. + substituteInPlace cctools/ld64/src/ld/libcodedirectory.c \ + --replace "#define LIBCD_PARALLEL 1" "" patchShebangs tools sed -i -e 's/which/type -P/' tools/*.sh - # Workaround for https://www.sourceware.org/bugzilla/show_bug.cgi?id=11157 - cat > cctools/include/unistd.h <<EOF - #ifdef __block - # undef __block - # include_next "unistd.h" - # define __block __attribute__((__blocks__(byref))) - #else - # include_next "unistd.h" - #endif - EOF - cd cctools ''; preInstall = '' - pushd include - make DSTROOT=$out/include RC_OS=common install + installManPage ar/ar.{1,5} + + # The makefile rules for installing headers are missing in 973.0.1. + # The below is derived from 949.0.1. + mkdir -p $dev/include/mach-o/i386 + mkdir -p $dev/include/mach-o/ppc + mkdir -p $dev/include/mach-o/x86_64 + mkdir -p $dev/include/mach-o/arm + mkdir -p $dev/include/mach-o/arm64 + mkdir -p $dev/include/mach-o/m68k + mkdir -p $dev/include/mach-o/sparc + mkdir -p $dev/include/mach-o/hppa + mkdir -p $dev/include/mach-o/i860 + mkdir -p $dev/include/mach-o/m88k + mkdir -p $dev/include/dyld + mkdir -p $dev/include/cbt + + pushd include/mach-o + install -c -m 444 arch.h ldsyms.h reloc.h \ + stab.h loader.h fat.h swap.h getsect.h nlist.h \ + ranlib.h $dev/include/mach-o popd - installManPage ar/ar.{1,5} + pushd include/mach-o/i386 + install -c -m 444 swap.h \ + $dev/include/mach-o/i386 + popd + + pushd include/mach-o/ppc + install -c -m 444 reloc.h swap.h \ + $dev/include/mach-o/ppc + popd + + pushd include/mach-o/x86_64 + install -c -m 444 reloc.h \ + $dev/include/mach-o/x86_64 + popd + + pushd include/mach-o/arm + install -c -m 444 reloc.h \ + $dev/include/mach-o/arm + popd + + pushd include/mach-o/arm64 + 
install -c -m 444 reloc.h \ + $dev/include/mach-o/arm64 + popd + + pushd include/mach-o/m68k + install -c -m 444 swap.h \ + $dev/include/mach-o/m68k + popd + + pushd include/mach-o/sparc + install -c -m 444 reloc.h swap.h \ + $dev/include/mach-o/sparc + popd + + pushd include/mach-o/hppa + install -c -m 444 reloc.h swap.h \ + $dev/include/mach-o/hppa + popd + + pushd include/mach-o/i860 + install -c -m 444 reloc.h swap.h \ + $dev/include/mach-o/i860 + popd + + pushd include/mach-o/m88k + install -c -m 444 reloc.h swap.h \ + $dev/include/mach-o/m88k + popd + + pushd include/stuff + install -c -m 444 bool.h \ + $dev/include/dyld + popd + + pushd include/cbt + install -c -m 444 libsyminfo.h \ + $dev/include/cbt + popd ''; passthru = { diff --git a/pkgs/os-specific/darwin/libtapi/default.nix b/pkgs/os-specific/darwin/libtapi/default.nix index eba61a15ccb95..d109e0edcbd81 100644 --- a/pkgs/os-specific/darwin/libtapi/default.nix +++ b/pkgs/os-specific/darwin/libtapi/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { # Also means we don't have to manually fix the result with install_name_tool. patches = [ ./disable-rpath.patch - ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [ + ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ # TODO: make unconditional and rebuild the world # TODO: send upstream ./native-clang-tblgen.patch @@ -30,7 +30,7 @@ stdenv.mkDerivation { buildInputs = [ ncurses ]; cmakeFlags = [ "-DLLVM_INCLUDE_TESTS=OFF" ] - ++ lib.optional (stdenv.buildPlatform != stdenv.hostPlatform) [ + ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [ "-DCMAKE_CROSSCOMPILING=True" # This package could probably have a llvm_6 llvm-tblgen and clang-tblgen # provided to reduce some building. This package seems intended to diff --git a/pkgs/os-specific/darwin/sigtool/default.nix b/pkgs/os-specific/darwin/sigtool/default.nix index 4c573af95be13..b9c385ebd31c0 100644 --- a/pkgs/os-specific/darwin/sigtool/default.nix 
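Review bot: The hand-expanded header install in `preInstall` repeats the same mkdir/pushd/install/popd pattern twelve times, and the `mkdir -p` block and the `install` blocks are two separate manifests that can drift apart; a loop over one list of header paths keeps them in sync and is far easier to audit against the 949.0.1 makefile it was derived from. `include/stuff/bool.h` ending up in `$dev/include/dyld` looks like a mistake at first glance, so a comment at that spot saying it matches the old makefile would prevent a well-meaning "fix". The `preInstall` string starts and ends inside this hunk.
```nix
    installManPage ar/ar.{1,5}

    # The makefile rules for installing headers are missing in 973.0.1;
    # the list below is derived from 949.0.1.
    for hdr in \
      mach-o/{arch,ldsyms,reloc,stab,loader,fat,swap,getsect,nlist,ranlib}.h \
      mach-o/i386/swap.h mach-o/ppc/{reloc,swap}.h mach-o/x86_64/reloc.h \
      mach-o/arm/reloc.h mach-o/arm64/reloc.h mach-o/m68k/swap.h \
      mach-o/sparc/{reloc,swap}.h mach-o/hppa/{reloc,swap}.h \
      mach-o/i860/{reloc,swap}.h mach-o/m88k/{reloc,swap}.h \
      cbt/libsyminfo.h
    do
      mkdir -p "$dev/include/$(dirname "$hdr")"
      install -c -m 444 "include/$hdr" "$dev/include/$hdr"
    done
    # 949.0.1 installed stuff/bool.h under dyld/, so keep that layout.
    mkdir -p "$dev/include/dyld"
    install -c -m 444 include/stuff/bool.h "$dev/include/dyld"
```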
+++ b/pkgs/os-specific/darwin/sigtool/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "sigtool"; - version = "0.1.2"; + version = "0.1.3"; src = fetchFromGitHub { owner = "thefloweringash"; repo = "sigtool"; rev = "v${version}"; - sha256 = "sha256-v4udqW37vwcqBdqfvfwHnoyXpuLFt188ekVCPCPsTPM"; + sha256 = "sha256-K3VSFaqcZEomF7kROJz+AwxdW1MmxxEFDaRnWnzcw54="; }; nativeBuildInputs = [ pkg-config ]; diff --git a/pkgs/os-specific/darwin/utm/default.nix b/pkgs/os-specific/darwin/utm/default.nix index 7eae819a9736f..979780e3ca701 100644 --- a/pkgs/os-specific/darwin/utm/default.nix +++ b/pkgs/os-specific/darwin/utm/default.nix @@ -6,11 +6,11 @@ stdenvNoCC.mkDerivation rec { pname = "utm"; - version = "3.2.4"; + version = "4.0.8"; src = fetchurl { url = "https://github.com/utmapp/UTM/releases/download/v${version}/UTM.dmg"; - sha256 = "sha256-ejUfL6UHqMusVfaglGlODKtFfKbNwzZ1LmRkcSzieso="; + sha256 = "sha256-a6GQyiW8pqw6fN3WVuTVUfnsl/qPtmzDxUvWNElli5k="; }; nativeBuildInputs = [ undmg ]; @@ -41,12 +41,14 @@ stdenvNoCC.mkDerivation rec { - Hardware accelerated virtualization using Hypervisor.framework and QEMU - Boot macOS guests with Virtualization.framework on macOS 12+ + + See https://docs.getutm.app/ for more information. ''; homepage = "https://mac.getutm.app/"; changelog = "https://github.com/utmapp/${pname}/releases/tag/v${version}"; mainProgram = "UTM"; license = licenses.apsl20; - platforms = platforms.darwin; + platforms = platforms.darwin; # 11.3 is the minimum supported version as of UTM 4. sourceProvenance = with sourceTypes; [ binaryNativeCode ]; maintainers = with maintainers; [ rrbutani ]; }; diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index 0a74554d6c60d..933b4e176f762 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix 
@@ -18,16 +18,17 @@ , writeShellScript , closureInfo , runCommand +, libxcrypt }: let - apparmor-version = "3.0.7"; + apparmor-version = "3.1.1"; apparmor-meta = component: with lib; { homepage = "https://apparmor.net/"; description = "A mandatory access control system - ${component}"; license = licenses.gpl2; - maintainers = with maintainers; [ joachifm julm thoughtpolice ]; + maintainers = with maintainers; [ julm thoughtpolice ]; platforms = platforms.linux; }; @@ -35,7 +36,7 @@ let owner = "apparmor"; repo = "apparmor"; rev = "v${apparmor-version}"; - hash = "sha256-iLZY0wZQr+YvR8JCwTeECDuqFb1sQCQtkiUksiYCvWs="; + hash = "sha256-phEHfrza0EeX2HEM5ts8wVCFlSLlnEtZd2MwbG/XbFY="; }; aa-teardown = writeShellScript "aa-teardown" '' @@ -93,7 +94,8 @@ let perl ] ++ lib.optional withPython python; - buildInputs = lib.optional withPerl perl + buildInputs = [ libxcrypt ] + ++ lib.optional withPerl perl ++ lib.optional withPython python; # required to build apparmor-parser diff --git a/pkgs/os-specific/linux/bpftools/default.nix b/pkgs/os-specific/linux/bpftools/default.nix index 640ab5f76a96e..d3bb96afb3e78 100644 --- a/pkgs/os-specific/linux/bpftools/default.nix +++ b/pkgs/os-specific/linux/bpftools/default.nix @@ -8,13 +8,15 @@ stdenv.mkDerivation rec { pname = "bpftools"; - version = "5.19.8"; + version = "5.19.12"; src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "1kl7fifsa6vsm34xg3kd2svhx18n771hfj67nhwnlalmb9whhqv1"; + sha256 = "sha256-xDalSMcxLOb8WjRyy+rYle749ShB++fHH9jki9/isLo="; }; + patches = [ ./strip-binary-name.patch ]; + nativeBuildInputs = [ python3 bison flex ]; buildInputs = (if (lib.versionAtLeast version "5.20") then [ libopcodes libbfd ] diff --git a/pkgs/os-specific/linux/bpftools/strip-binary-name.patch b/pkgs/os-specific/linux/bpftools/strip-binary-name.patch new file mode 100644 index 0000000000000..623e90963bd9b --- /dev/null +++ b/pkgs/os-specific/linux/bpftools/strip-binary-name.patch 
@@ -0,0 +1,15 @@ +Strip path to the binary from prints. + +I see no sense in including the full path in outputs like bpftool --version +Especially as argv[0] may not include it, based on calling via $PATH or not. +--- a/tools/bpf/bpftool/main.c ++++ b/tools/bpf/bpftool/main.c +@@ -443 +443,7 @@ +- bin_name = argv[0]; ++ /* Strip the path if any. */ ++ const char *bin_name_slash = strrchr(argv[0], '/'); ++ if (bin_name_slash) { ++ bin_name = bin_name_slash + 1; ++ } else { ++ bin_name = argv[0]; ++ } diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix index 62f3f0c4db14b..1ac2ccf842a21 100644 --- a/pkgs/os-specific/linux/cryptsetup/default.nix +++ b/pkgs/os-specific/linux/cryptsetup/default.nix @@ -1,5 +1,12 @@ { lib, stdenv, fetchurl, lvm2, json_c, asciidoctor -, openssl, libuuid, pkg-config, popt }: +, openssl, libuuid, pkg-config, popt, nixosTests + + # The release tarballs contain precomputed manpage files, so we don't need + # to run asciidoctor on the man sources. By avoiding asciidoctor, we make + # the bare NixOS build hash independent of changes to the ruby ecosystem, + # saving mass-rebuilds. +, rebuildMan ? false +}: stdenv.mkDerivation rec { pname = "cryptsetup"; @@ -13,6 +20,11 @@ stdenv.mkDerivation rec { sha256 = "sha256-kYSm672c5+shEVLn90GmyC8tHMDiSoTsnFKTnu4PBUI="; }; + patches = [ + # Allow reading tokens from a relative path, see #167994 + ./relative-token-path.patch + ]; + postPatch = '' patchShebangs tests @@ -28,6 +40,8 @@ stdenv.mkDerivation rec { "--enable-cryptsetup-reencrypt" "--with-crypto_backend=openssl" "--disable-ssh-token" + ] ++ lib.optionals (!rebuildMan) [ + "--disable-asciidoc" ] ++ lib.optionals stdenv.hostPlatform.isStatic [ "--disable-external-tokens" # We have to override this even though we're removing token 
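Review bot: `strrchr(argv[0], '/')` dereferences `argv[0]`, which is NULL when the program is executed with an empty argument vector (execve with argc == 0, the pattern behind CVE-2021-4034); the line being replaced only stored the pointer, so the patch turns a previously harmless case into a crash before any other checks run. Guard it: `const char *bin_name_slash = argv[0] ? strrchr(argv[0], '/') : NULL;` and, in the `else` branch, fall back to a literal such as `"bpftool"` when `argv[0]` is NULL. The hunk carries no context and the enclosing `main()` is outside it, so if the caller already rejects argc == 0, a comment saying so would justify leaving it as is.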
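Review bot: The comment above the new patch entry, `# Allow reading tokens from a relative path`, misdescribes what the patch does: it does not read tokens from a path at all, it makes libcryptsetup `dlopen()` LUKS2 token handler plugins by bare soname so the dynamic linker's default search applies, instead of a compile-time absolute directory. Since this is the one security-relevant choice in the derivation, say so where a reader will see it: `# Load LUKS2 token handler plugins (libcryptsetup-token-*.so) via the default dynamic-linker search path instead of a fixed compile-time directory, to break the cryptsetup <-> systemd cycle; upstream rejected this for security reasons, see #167994 and the patch header for the trade-off.` The `rebuildMan` option and `--disable-asciidoc` are fine as documented.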
@@ -36,7 +50,7 @@ stdenv.mkDerivation rec { "--with-luks2-external-tokens-path=/" ]; - nativeBuildInputs = [ pkg-config asciidoctor ]; + nativeBuildInputs = [ pkg-config ] ++ lib.optionals rebuildMan [ asciidoctor ]; buildInputs = [ lvm2 json_c openssl libuuid popt ]; # The test [7] header backup in compat-test fails with a mysterious @@ -44,6 +58,19 @@ stdenv.mkDerivation rec { # Issue filed upstream: https://gitlab.com/cryptsetup/cryptsetup/-/issues/763 doCheck = !stdenv.hostPlatform.isMusl; + passthru = { + tests = { + nixos = + lib.optionalAttrs stdenv.hostPlatform.isLinux ( + lib.recurseIntoAttrs ( + lib.filterAttrs + (name: _value: lib.hasPrefix "luks" name) + nixosTests.installer + ) + ); + }; + }; + meta = { homepage = "https://gitlab.com/cryptsetup/cryptsetup/"; description = "LUKS for dm-crypt"; diff --git a/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch b/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch new file mode 100644 index 0000000000000..dffd0ba3bb520 --- /dev/null +++ b/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch 
@@ -0,0 +1,50 @@ +From 4f95ab1f8110a8ab9d7b0e192731ce467f6e5c26 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Janne=20He=C3=9F?= <janne@hess.ooo> +Date: Sun, 4 Sep 2022 11:15:02 -0600 +Subject: [PATCH] Allow loading token handlers from the default search path + +Since [1] landed in cryptsetup, token handlers (libcryptsetup-token-*.so) +are loaded from a fixed path defined at compile-time. This is +problematic with NixOS since it introduces a dependency cycle +between cryptsetup and systemd. + +This downstream patch [2] allows loading token plugins from the +default library search path. This approach is not accepted upstream [3] +due to security concerns, but the potential attack vectors require +root access and they are sufficiently addressed: + +* cryptsetup could be used as a setuid binary (not used in NixOS). + In this case, LD_LIBRARY_PATH is ignored because of secure-execution + mode. +* cryptsetup running as root could lead to a malicious token handler + being loaded through LD_LIBRARY_PATH. However, fixing the path + doesn't prevent the same malicious .so being loaded through LD_PRELOAD. 
+ +[1] https://gitlab.com/cryptsetup/cryptsetup/-/commit/5b9e98f94178d3cd179d9f6e2a0a68c7d9eb6507 +[2] https://github.com/NixOS/nixpkgs/issues/167994#issuecomment-1094249369 +[3] https://gitlab.com/cryptsetup/cryptsetup/-/issues/733 +--- + lib/luks2/luks2_token.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c +index 26467253..6f8329f0 100644 +--- a/lib/luks2/luks2_token.c ++++ b/lib/luks2/luks2_token.c +@@ -151,12 +151,10 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp + + token = &ret->u.v2; + +- r = snprintf(buf, sizeof(buf), "%s/libcryptsetup-token-%s.so", crypt_token_external_path(), name); ++ r = snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name); + if (r < 0 || (size_t)r >= sizeof(buf)) + return -EINVAL; + +- assert(*buf == '/'); +- + log_dbg(cd, "Trying to load %s.", buf); + + h = dlopen(buf, RTLD_LAZY); +-- +2.37.2 + diff --git a/pkgs/os-specific/linux/exfat/default.nix b/pkgs/os-specific/linux/exfat/default.nix index d459d24084427..ee6f448112d88 100644 --- a/pkgs/os-specific/linux/exfat/default.nix +++ b/pkgs/os-specific/linux/exfat/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" "ARCH=${stdenv.hostPlatform.linuxArch}" - ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [ + ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "CROSS_COMPILE=${stdenv.cc.targetPrefix}" ]; diff --git a/pkgs/os-specific/linux/gobi_loader/default.nix b/pkgs/os-specific/linux/gobi_loader/default.nix index b7972007719c9..2b251242119c8 100644 --- a/pkgs/os-specific/linux/gobi_loader/default.nix +++ b/pkgs/os-specific/linux/gobi_loader/default.nix 
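Review bot: The deleted `assert(*buf == '/')` was the only check in this function that the dlopen target could not be relative to the current working directory, and with the directory prefix gone `buf` is now `libcryptsetup-token-<name>.so` verbatim; if `name` — the LUKS2 token type string, which as far as this hunk shows comes from the on-disk header and is therefore attacker-influenced when a hostile device is opened — can contain a `/`, a type like `x/../../tmp/evil` stops being a bare soname and becomes a CWD-relative path that dlopen loads without any environment control. Unless validation elsewhere in luks2_token.c already forbids `/` in token type names, add `if (strchr(name, '/')) return -EINVAL;` before the snprintf, and leave a comment at the dlopen stating that reliance on the default search path is intentional (pointing at the patch header). The patch description's security argument covers LD_LIBRARY_PATH for root and the setuid case but not this CWD-relative case. `crypt_token_load_external` starts before the hunk.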
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec { substituteInPlace 60-gobi.rules --replace "/lib/firmware" "/run/current-system/firmware" ''; - makeFlags = "prefix=${placeholder "out"}"; + makeFlags = [ "prefix=${placeholder "out"}" ]; meta = with lib; { description = "Firmware loader for Qualcomm Gobi USB chipsets"; diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix index daa8c1ae2019f..ebf20a015c046 100644 --- a/pkgs/os-specific/linux/kernel-headers/default.nix +++ b/pkgs/os-specific/linux/kernel-headers/default.nix @@ -27,7 +27,7 @@ let flex bison python rsync ]; - extraIncludeDirs = lib.optional (with stdenvNoCC.hostPlatform; isPower && is32bit && isBigEndian) ["ppc"]; + extraIncludeDirs = lib.optionals (with stdenvNoCC.hostPlatform; isPower && is32bit && isBigEndian) ["ppc"]; inherit patches; @@ -84,12 +84,12 @@ let in { inherit makeLinuxHeaders; - linuxHeaders = let version = "5.19"; in + linuxHeaders = let version = "6.0"; in makeLinuxHeaders { inherit version; src = fetchurl { - url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "1a05a3hw4w3k530mxhns96xw7hag743xw5w967yazqcykdbhq97z"; + url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz"; + sha256 = "sha256-XCRDpVON5SaI77VcJ6sFOcH161jAz9FqK5+7CP2BeI4="; }; patches = [ ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 2e07606345875..57fe7420f4818 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -411,6 +411,7 @@ let XFS_QUOTA = option yes; XFS_POSIX_ACL = option yes; XFS_RT = option yes; # XFS Realtime subvolume support + XFS_ONLINE_SCRUB = option yes; OCFS2_DEBUG_MASKLOG = option no; 
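Review bot: `XFS_ONLINE_SCRUB = option yes;` is added without a comment, while the neighbouring `XFS_RT` line explains itself; this option compiles an in-kernel metadata checker reachable through a privileged ioctl into every kernel built from this config, and if I recall the Kconfig help text for the 5.x/6.0 series correctly upstream still labelled it EXPERIMENTAL at that point. Suggest `XFS_ONLINE_SCRUB = option yes; # in-kernel metadata scrub used by xfs_scrub; privileged ioctl only, marked experimental upstream` — please check the wording against the Kconfig of the oldest kernel this config still applies to.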
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json index 34d6a38748018..95ef57ece2d95 100644 --- a/pkgs/os-specific/linux/kernel/hardened/patches.json +++ b/pkgs/os-specific/linux/kernel/hardened/patches.json 
@@ -21,42 +21,42 @@ }, "5.10": { "patch": { - "extra": "-hardened2", - "name": "linux-hardened-5.10.147-hardened2.patch", - "sha256": "0j44mfyc66vq6hncc5w3mxxw8jcpa66w4w40d3wm7ka6yr6p34sh", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.147-hardened2/linux-hardened-5.10.147-hardened2.patch" + "extra": "-hardened1", + "name": "linux-hardened-5.10.148-hardened1.patch", + "sha256": "1r4s7qpwjhhbp1phkk2dd8rbm3x9l3i3g10jz865l1vp253pmb65", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.148-hardened1/linux-hardened-5.10.148-hardened1.patch" }, - "sha256": "16pdpjmvrdml7am7s2kydrif1l7f4aq0wh4ak0xh3dby16zkl9c5", - "version": "5.10.147" + "sha256": "0mp9qs8f50hxf72b6cgh8izkyjbhrrmij6slxja701i1w9mkylhj", + "version": "5.10.148" }, "5.15": { "patch": { - "extra": "-hardened3", - "name": "linux-hardened-5.15.73-hardened3.patch", - "sha256": "1p4cm1viyryf4npbfvg72a4kpqs22vqvfqj2hl6pq5wrpgg677g0", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.73-hardened3/linux-hardened-5.15.73-hardened3.patch" + "extra": "-hardened1", + "name": "linux-hardened-5.15.74-hardened1.patch", + "sha256": "0ygfz210zz0k5fza2530vwayjz3r32973lbhfsyyc0fq6vghqhn2", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.74-hardened1/linux-hardened-5.15.74-hardened1.patch" }, - "sha256": "0pbi640llcdbx57vwwzc5axa75w0y5rixa9r752h725f4naz08m8", - "version": "5.15.73" + "sha256": "0ra2ijpw7w07gm3kjwyszlwfq2rbnmq84z50qhv5r0svz2i3j59c", + "version": "5.15.74" }, "5.19": { "patch": { - "extra": "-hardened2", - "name": "linux-hardened-5.19.15-hardened2.patch", - "sha256": "12si2gy6maxbvf252ircp94ci0ihqlxv3l9sf4xwxrs66gn3z2fa", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.19.15-hardened2/linux-hardened-5.19.15-hardened2.patch" + "extra": "-hardened1", + "name": "linux-hardened-5.19.16-hardened1.patch", + "sha256": "1y9c26pyyvifkza7anl9gphnn3jpw7jwiqwjw6i748wwxynhx596", + "url": 
"https://github.com/anthraxx/linux-hardened/releases/download/5.19.16-hardened1/linux-hardened-5.19.16-hardened1.patch" }, - "sha256": "06zband5q6m9imyvn4y4naafdakjcj00rg23227cagnv8wwf71j6", - "version": "5.19.15" + "sha256": "13g0c6ljxk3sd0ja39ndih5vrzp2ssj78qxaf8nswn8hgrkazsx1", + "version": "5.19.16" }, "5.4": { "patch": { - "extra": "-hardened2", - "name": "linux-hardened-5.4.217-hardened2.patch", - "sha256": "16hcwjll5dkfc8sb81w3dipqx9j1np91f5gad45b0xfcnqcn70ab", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.217-hardened2/linux-hardened-5.4.217-hardened2.patch" + "extra": "-hardened1", + "name": "linux-hardened-5.4.218-hardened1.patch", + "sha256": "1ylhkhkm4vamdap0kb6vnw9w0rjaacdfgly1yin75dxxymy0x026", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.218-hardened1/linux-hardened-5.4.218-hardened1.patch" }, - "sha256": "0qrfrk0g1dky5apg8gdxczj2ir0g0z41zmdmbwwcxkxjz76jdf1b", - "version": "5.4.217" + "sha256": "0f7lm5qq763zrnwwq9jmfpgvskhzi3gwy5rbq2q7gmiphl179p9x", + "version": "5.4.218" } } diff --git a/pkgs/os-specific/linux/kernel/linux-5.10.nix b/pkgs/os-specific/linux/kernel/linux-5.10.nix index be2e09bc6a3d0..68515e2e84c3f 100644 --- a/pkgs/os-specific/linux/kernel/linux-5.10.nix +++ b/pkgs/os-specific/linux/kernel/linux-5.10.nix @@ -3,7 +3,7 @@ with lib; buildLinux (args // rec { - version = "5.10.148"; + version = "5.10.149"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "0mp9qs8f50hxf72b6cgh8izkyjbhrrmij6slxja701i1w9mkylhj"; + sha256 = "1lv5q0m24ccbiqywy03s9s3wyxzm0v7f691rag89qfsn6z2k8q8g"; }; } // (args.argsOverride or {})) 
diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix index a39e28bfc91f6..57d4d41add947 100644 --- a/pkgs/os-specific/linux/kernel/linux-5.4.nix +++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix @@ -3,7 +3,7 @@ with lib; buildLinux (args // rec { - version = "5.4.218"; + version = "5.4.219"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "0f7lm5qq763zrnwwq9jmfpgvskhzi3gwy5rbq2q7gmiphl179p9x"; + sha256 = "0qd2a0cx6bq11qq2513xmm5jxzfrq6axvsc0pjbvdpv9fa9av4sj"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-6.0.nix b/pkgs/os-specific/linux/kernel/linux-6.0.nix index 27f8166ecefcb..574f04c386c45 100644 --- a/pkgs/os-specific/linux/kernel/linux-6.0.nix +++ b/pkgs/os-specific/linux/kernel/linux-6.0.nix @@ -3,7 +3,7 @@ with lib; buildLinux (args // rec { - version = "6.0.2"; + version = "6.0.3"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz"; - sha256 = "17awx4c5fz7f656ig5bydccci052jsai0lczrn2bdk5cihw2cg51"; + sha256 = "1krx3kp7ivgp91fkcvgvqsb698b3l0dk6zd6yf54sy8530j25mdh"; }; } // (args.argsOverride or { })) diff --git a/pkgs/os-specific/linux/kexec-tools/default.nix b/pkgs/os-specific/linux/kexec-tools/default.nix index 6faa401eccc56..e10f3e4defb85 100644 --- a/pkgs/os-specific/linux/kexec-tools/default.nix +++ b/pkgs/os-specific/linux/kexec-tools/default.nix 
@@ -2,14 +2,14 @@ stdenv.mkDerivation rec { pname = "kexec-tools"; - version = "2.0.23"; + version = "2.0.25"; src = fetchurl { urls = [ "mirror://kernel/linux/utils/kernel/kexec/${pname}-${version}.tar.xz" "http://horms.net/projects/kexec/kexec-tools/${pname}-${version}.tar.xz" ]; - sha256 = "qmPNbH3ZWwbOumJAp/3GeSeJytp1plXmcUmHF1IkJBs="; + sha256 = "sha256-fOLl3vOOwE95/rEH0CJD3VhvvGhWnszwL0S606E+wH0="; }; patches = [ diff --git a/pkgs/os-specific/linux/numactl/default.nix b/pkgs/os-specific/linux/numactl/default.nix index ac17a18273a77..28157ffe1677a 100644 --- a/pkgs/os-specific/linux/numactl/default.nix +++ b/pkgs/os-specific/linux/numactl/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "numactl"; - version = "2.0.15"; + version = "2.0.16"; src = fetchFromGitHub { owner = pname; repo = pname; rev = "v${version}"; - sha256 = "sha256-mowDqCkAHDEV9AWCgAEWL0//sNMUk/K8w3eO7Wg+AwQ="; + sha256 = "sha256-aDKzkmvrPDzQl4n0KgeiU5LOLhQA0tmwzGiXvJDp7ZI="; }; nativeBuildInputs = [ autoreconfHook ]; diff --git a/pkgs/os-specific/linux/nvidia-x11/generic.nix b/pkgs/os-specific/linux/nvidia-x11/generic.nix index 351d71ab8e2d4..ea9dbcabd0e90 100644 --- a/pkgs/os-specific/linux/nvidia-x11/generic.nix +++ b/pkgs/os-specific/linux/nvidia-x11/generic.nix @@ -101,7 +101,7 @@ let nativeBuildInputs = [ perl nukeReferences ] ++ optionals (!libsOnly) kernel.moduleBuildDependencies; - disallowedReferences = optional (!libsOnly) [ kernel.dev ]; + disallowedReferences = optionals (!libsOnly) [ kernel.dev ]; passthru = { open = mapNullable (hash: callPackage ./open.nix { diff --git a/pkgs/os-specific/linux/otpw/default.nix b/pkgs/os-specific/linux/otpw/default.nix index 14381ac68c164..6c53bf16efc19 100644 --- a/pkgs/os-specific/linux/otpw/default.nix +++ b/pkgs/os-specific/linux/otpw/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, pam }: +{ lib, stdenv, fetchurl, pam, libxcrypt }: stdenv.mkDerivation rec { pname = "otpw"; 
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec { cp *.8 $out/share/man/man8 ''; - buildInputs = [ pam ]; + buildInputs = [ pam libxcrypt ]; hardeningDisable = [ "stackprotector" ]; diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index 72f91e89c7454..22e7057e343f7 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -1,6 +1,6 @@ { lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit , nixosTests -, withLibxcrypt ? false, libxcrypt +, withLibxcrypt ? true, libxcrypt }: stdenv.mkDerivation rec { diff --git a/pkgs/os-specific/linux/pam_mysql/default.nix b/pkgs/os-specific/linux/pam_mysql/default.nix index 807899cf2b28c..036d4b20cb4c5 100644 --- a/pkgs/os-specific/linux/pam_mysql/default.nix +++ b/pkgs/os-specific/linux/pam_mysql/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb }: +{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb, libxcrypt }: stdenv.mkDerivation rec { pname = "pam_mysql"; @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ meson pkg-config ninja ]; - buildInputs = [ pam libmysqlclient mariadb ]; + buildInputs = [ pam libmysqlclient mariadb libxcrypt ]; meta = with lib; { description = "PAM authentication module against a MySQL database"; diff --git a/pkgs/os-specific/linux/pam_pgsql/default.nix b/pkgs/os-specific/linux/pam_pgsql/default.nix index 3cfa6733efa84..2eabcefe584c6 100644 --- a/pkgs/os-specific/linux/pam_pgsql/default.nix +++ b/pkgs/os-specific/linux/pam_pgsql/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, postgresql, libgcrypt, pam }: +{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, postgresql, libgcrypt, pam, libxcrypt }: stdenv.mkDerivation rec { pname = "pam_pgsql"; 
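Review bot: `withLibxcrypt ? true` flips the default for every pam consumer without a comment saying why, and the reason is password-handling relevant: with it off, pam_unix falls back to the libc `crypt()`, which depending on the libc may not verify bcrypt or yescrypt hashes, so an overrider who disables it could silently lock users out of accounts whose hashes were written by a shadow built with `--with-yescrypt` (as this same diff does). I'd document that on the argument itself, e.g. `, withLibxcrypt ? true # pam_unix needs libxcrypt to verify bcrypt/yescrypt hashes; keep in step with shadow`. Whether any libc variants should keep the old default I can't tell from this hunk; the rest of the derivation is outside it.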
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ autoreconfHook pkg-config ]; - buildInputs = [ libgcrypt pam postgresql ]; + buildInputs = [ libgcrypt pam postgresql libxcrypt ]; meta = with lib; { description = "Support to authenticate against PostgreSQL for PAM-enabled appliations"; diff --git a/pkgs/os-specific/linux/policycoreutils/default.nix b/pkgs/os-specific/linux/policycoreutils/default.nix index c066dd4c4c5c5..33875049747dd 100644 --- a/pkgs/os-specific/linux/policycoreutils/default.nix +++ b/pkgs/os-specific/linux/policycoreutils/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }: +{ lib, stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage, libxcrypt }: stdenv.mkDerivation rec { pname = "policycoreutils"; @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { ''; nativeBuildInputs = [ gettext ]; - buildInputs = [ libsepol libselinux libsemanage ]; + buildInputs = [ libsepol libselinux libsemanage libxcrypt ]; makeFlags = [ "PREFIX=$(out)" diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index 03a5c0f4aeb41..6a1c4fc80daeb 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ("CONFIG_PLATFORM_I386_PC=" + (if stdenv.hostPlatform.isx86 then "y" else "n")) ("CONFIG_PLATFORM_ARM_RPI=" + (if stdenv.hostPlatform.isAarch then "y" else "n")) - ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [ + ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "CROSS_COMPILE=${stdenv.cc.targetPrefix}" ]; diff --git a/pkgs/os-specific/linux/shadow/default.nix b/pkgs/os-specific/linux/shadow/default.nix index 5537f9f6aacb0..c6fd417d0d6fa 100644 --- a/pkgs/os-specific/linux/shadow/default.nix +++ b/pkgs/os-specific/linux/shadow/default.nix 
@@ -1,6 +1,6 @@ { lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt , libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison, runtimeShell -, pam ? null, glibcCross ? null +, libxcrypt, pam ? null, glibcCross ? null }: let @@ -28,7 +28,8 @@ stdenv.mkDerivation rec { sha256 = "sha256-PxLX5V0t18JftT5wT41krNv18Ew7Kz3MfZkOi/80ODA="; }; - buildInputs = lib.optional (pam != null && stdenv.isLinux) pam; + buildInputs = [ libxcrypt ] + ++ lib.optional (pam != null && stdenv.isLinux) pam; nativeBuildInputs = [autoreconfHook libxslt libxml2 docbook_xml_dtd_45 docbook_xsl flex bison itstool ]; @@ -62,6 +63,8 @@ stdenv.mkDerivation rec { configureFlags = [ "--enable-man" "--with-group-name-max-length=32" + "--with-bcrypt" + "--with-yescrypt" ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd"; preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc") diff --git a/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch b/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch new file mode 100644 index 0000000000000..1cd3c2105e1a2 --- /dev/null +++ b/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch 
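Review bot: `--with-bcrypt` and `--with-yescrypt` only compile those hash methods into shadow; which method `passwd`/`chpasswd` actually use for new passwords is selected at runtime by `ENCRYPT_METHOD` in login.defs, so this hunk does not by itself change the hash algorithm on a system, and a reader could easily assume it does. I'd put that above the two flags: `# compile the bcrypt/yescrypt methods in; ENCRYPT_METHOD in login.defs still picks the default at runtime`. It is also worth a comment on `buildInputs = [ libxcrypt ]` that libxcrypt is now the `crypt()` provider for these methods, and that verifying such hashes at login additionally needs a libxcrypt-backed pam (which the pam change elsewhere in this diff appears to supply). The enclosing mkDerivation starts and ends outside these hunks.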
@@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: oxalica <oxalicc@pm.me> +Date: Tue, 4 Oct 2022 09:18:07 +0800 +Subject: [PATCH] core: don't taint on unmerged /usr + +NixOS has very different approach towards /bin and /sbin - they don't +really exist (except for /bin/sh and /usr/bin/env, because these are used +heavily in shebangs around the world). The concept of merged or unmerged +usr doesn't really apply here at all, it's neither of the two. +Users don't execute things from /bin or /sbin, there's nothing else in +there. In all cases, systemd doesn't look things up from /usr/bin or /bin, +so showing the taint isn't really helpful. + +See also: https://github.com/systemd/systemd/issues/24191 +--- + src/core/manager.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 33ded94a7c..8847479799 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -4488,10 +4488,6 @@ char* manager_taint_string(const Manager *m) { + if (m->taint_usr) + stage[n++] = "split-usr"; + +- _cleanup_free_ char *usrbin = NULL; +- if (readlink_malloc("/bin", &usrbin) < 0 || !PATH_IN_SET(usrbin, "usr/bin", "/usr/bin")) +- stage[n++] = "unmerged-usr"; +- + if (access("/proc/cgroups", F_OK) < 0) + stage[n++] = "cgroups-missing"; + diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 5b417369a5584..9ccebdff2e063 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -7,6 +7,7 @@ , fetchpatch , fetchzip , buildPackages +, makeBinaryWrapper , ninja , meson , m4 @@ -27,6 +28,7 @@ , util-linux , kbd , kmod +, libxcrypt # Optional dependencies , pam @@ -92,7 +94,7 @@ , withOomd ? true , withPCRE2 ? true , withPolkit ? true -, withPortabled ? false +, withPortabled ? !stdenv.hostPlatform.isMusl , withRemote ? !stdenv.hostPlatform.isMusl , withResolved ? true , withShellCompletions ? true 
@@ -120,7 +122,7 @@ assert withHomed -> withCryptsetup; let wantCurl = withRemote || withImportd; wantGcrypt = withResolved || withImportd; - version = "251.4"; + version = "251.5"; # Bump this variable on every (major) version change. See below (in the meson options list) for why. # command: @@ -137,7 +139,7 @@ stdenv.mkDerivation { owner = "systemd"; repo = "systemd-stable"; rev = "v${version}"; - sha256 = "sha256-lfG6flT1k8LZBAdDK+cF9RjmJMkHMJquMjQK3MINFd8="; + sha256 = "sha256-2MEmvFT1D+9v8OazBwjnKc7i/x7i196Eoi8bODk1cM4="; }; # On major changes, or when otherwise required, you *must* reformat the patches, @@ -163,6 +165,7 @@ stdenv.mkDerivation { ./0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch ./0016-pkg-config-derive-prefix-from-prefix.patch ./0017-inherit-systemd-environment-when-calling-generators.patch + ./0018-core-don-t-taint-on-unmerged-usr.patch ] ++ lib.optional stdenv.hostPlatform.isMusl ( let oe-core = fetchzip { @@ -331,6 +334,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ pkg-config + makeBinaryWrapper gperf ninja meson @@ -359,6 +363,7 @@ stdenv.mkDerivation { acl audit kmod + libxcrypt libcap libidn2 libuuid 
@@ -571,21 +576,22 @@ stdenv.mkDerivation { ]; # { replacement, search, where } -> List[str] - mkSubstitute = { replacement, search, where, ignore ? [] }: + mkSubstitute = { replacement, search, where, ignore ? [ ] }: map (path: "substituteInPlace ${path} --replace '${search}' \"${replacement}\"") where; - mkEnsureSubstituted = { replacement, search, where, ignore ? [] }: - let - ignore' = lib.concatStringsSep "|" (ignore ++ ["^test" "NEWS"]); - in '' - set +e - search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}") - set -e - if [[ -n "$search" ]]; then - echo "Not all references to '${search}' have been replaced. Found the following matches:" - echo "$search" - exit 1 - fi - ''; + mkEnsureSubstituted = { replacement, search, where, ignore ? [ ] }: + let + ignore' = lib.concatStringsSep "|" (ignore ++ [ "^test" "NEWS" ]); + in + '' + set +e + search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}") + set -e + if [[ -n "$search" ]]; then + echo "Not all references to '${search}' have been replaced. Found the following matches:" + echo "$search" + exit 1 + fi + ''; in '' mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org") @@ -664,7 +670,14 @@ stdenv.mkDerivation { preFixup = lib.optionalString withEfi '' mv $out/lib/systemd/boot/efi $out/dont-strip-me ''; - postFixup = lib.optionalString withEfi '' + + # Wrap in the correct path for LUKS2 tokens. + postFixup = lib.optionalString withCryptsetup '' + for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do + # This needs to be in LD_LIBRARY_PATH because rpath on a binary is not propagated to libraries using dlopen, in this case `libcryptsetup.so` + wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup + done + '' + lib.optionalString withEfi '' mv $out/dont-strip-me $out/lib/systemd/boot/efi ''; 
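Review bot: `--prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup` is inherited by any process the wrapped `systemd-cryptsetup` or `systemd-cryptenroll` go on to exec, not only by the `dlopen` inside libcryptsetup it is meant for, so the value should stay as narrow as it is here (one read-only store directory) and the reason should be recorded before someone widens it. The comment's justification is correct for nixpkgs binaries, which carry `DT_RUNPATH` rather than `DT_RPATH`, and glibc consults only the calling object's `RUNPATH` for `dlopen`; spelling that out makes the comment checkable: `# libcryptsetup dlopen()s the LUKS2 token plugins in $out/lib/cryptsetup; the executable's DT_RUNPATH is not used for dlopen() from inside a library, hence LD_LIBRARY_PATH (kept to this single store path on purpose)`. I'd also add one line noting that `wrapProgram` here presumably comes from `makeBinaryWrapper` (added to nativeBuildInputs in this diff) so the wrapper needs no shell in the initrd, which would stop a later edit from swapping it back to the shell wrapper. The enclosing mkDerivation continues outside the hunk.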
@@ -677,7 +690,7 @@ stdenv.mkDerivation { # runtime; otherwise we can't and we need to reboot. interfaceVersion = 2; - inherit withCryptsetup withHostnamed withImportd withLocaled withMachined withTimedated withUtmp util-linux kmod kbd; + inherit withCryptsetup withHostnamed withImportd withLocaled withMachined withPortabled withTimedated withUtmp util-linux kmod kbd; tests = { inherit (nixosTests) switchTest; diff --git a/pkgs/os-specific/linux/sysvinit/default.nix b/pkgs/os-specific/linux/sysvinit/default.nix index 87b5b81066c20..c8ba3164ab09d 100644 --- a/pkgs/os-specific/linux/sysvinit/default.nix +++ b/pkgs/os-specific/linux/sysvinit/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, withoutInitTools ? false }: +{ lib, stdenv, fetchurl, libxcrypt, withoutInitTools ? false }: stdenv.mkDerivation rec { pname = if withoutInitTools then "sysvtools" else "sysvinit"; @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { sed -i -e "s,/sbin/,$out/sbin/," src/halt.c src/init.c src/paths.h ''; + buildInputs = [ libxcrypt ]; + makeFlags = [ "SULOGINLIBS=-lcrypt" "ROOT=$(out)" "MANDIR=/share/man" ]; preInstall = diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index d57fdba7310be..8df231c961e22 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -1,6 +1,7 @@ { lib, stdenv, fetchurl, pkg-config, zlib, shadow , capabilitiesSupport ? true , libcap_ng +, libxcrypt , ncursesSupport ? true , ncurses , pamSupport ? true @@ -68,7 +69,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkg-config ] ++ lib.optionals translateManpages [ po4a ]; - buildInputs = [ zlib ] + buildInputs = [ zlib libxcrypt ] ++ lib.optionals pamSupport [ pam ] ++ lib.optionals capabilitiesSupport [ libcap_ng ] ++ lib.optionals ncursesSupport [ ncurses ] 
diff --git a/pkgs/os-specific/linux/wiringpi/default.nix b/pkgs/os-specific/linux/wiringpi/default.nix index a06e25b9eb8eb..eed71188eb075 100644 --- a/pkgs/os-specific/linux/wiringpi/default.nix +++ b/pkgs/os-specific/linux/wiringpi/default.nix @@ -2,6 +2,7 @@ , stdenv , symlinkJoin , fetchFromGitHub +, libxcrypt }: let @@ -35,6 +36,9 @@ let inherit mkSubProject; wiringPi = mkSubProject { subprj = "wiringPi"; + buildInputs = [ + libxcrypt + ]; }; devLib = mkSubProject { subprj = "devLib"; @@ -45,6 +49,7 @@ let wiringPiD = mkSubProject { subprj = "wiringPiD"; buildInputs = [ + libxcrypt passthru.wiringPi passthru.devLib ]; @@ -52,6 +57,7 @@ let gpio = mkSubProject { subprj = "gpio"; buildInputs = [ + libxcrypt passthru.wiringPi passthru.devLib ]; |