authorRobin Gloster <mail@glob.in>2016-07-15 14:41:01 +0000
committerRobin Gloster <mail@glob.in>2016-07-15 14:41:01 +0000
commit5185bc177309c62e53dad1ad346d1220f0e77bd4 (patch)
tree52f5878b394abf2ef326765d46880ccbabd84903 /nixos/modules/system/boot
parent07615735077db344539eb9131823600593f0eddf (diff)
parentf402c6321aa3c6e56f5e1f1e36c4ad459c881309 (diff)
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'nixos/modules/system/boot')
-rw-r--r--nixos/modules/system/boot/coredump.nix4
-rw-r--r--nixos/modules/system/boot/initrd-ssh.nix3
-rw-r--r--nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix1
-rw-r--r--nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh9
-rw-r--r--nixos/modules/system/boot/loader/grub/install-grub.pl4
-rw-r--r--nixos/modules/system/boot/luksroot.nix26
-rw-r--r--nixos/modules/system/boot/plymouth.nix129
-rw-r--r--nixos/modules/system/boot/resolved.nix67
-rw-r--r--nixos/modules/system/boot/stage-1-init.sh6
-rw-r--r--nixos/modules/system/boot/stage-1.nix26
-rw-r--r--nixos/modules/system/boot/systemd.nix5
11 files changed, 251 insertions, 29 deletions
diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix
index 793c7515c761..b27a35b6257d 100644
--- a/nixos/modules/system/boot/coredump.nix
+++ b/nixos/modules/system/boot/coredump.nix
@@ -36,6 +36,8 @@ with lib;
   config = mkMerge [
     (mkIf config.systemd.coredump.enable {
 
+      systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
+
       environment.etc."systemd/coredump.conf".text =
         ''
           [Coredump]
@@ -45,7 +47,7 @@ with lib;
       # Have the kernel pass core dumps to systemd's coredump helper binary.
       # From systemd's 50-coredump.conf file. See:
       # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
-      boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %p %u %g %s %t %e";
+      boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
     })
 
     (mkIf (!config.systemd.coredump.enable) {
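Review bot: The comment above the changed line still points at systemd v218's `50-coredump.conf`, but the new pattern `%P %u %g %s %t %c %e` (global PID and core size limit per core(5)) is not what that file carries, so the reference is now misleading. I would update the link to the `50-coredump.conf` of the systemd release this commit tracks, so the next maintainer can check the field order against upstream rather than against a stale version. The socket and template units added in the first hunk suggest the helper is now socket-activated; a short comment that `%P` (the PID as seen from the initial namespace) is what that helper expects would save the reader looking it up.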
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index 3e2805a8c341..d0a4ce51148f 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -100,9 +100,6 @@ in
     '';
 
     boot.initrd.network.postCommands = ''
-      mkdir /dev/pts
-      mount -t devpts devpts /dev/pts
-
       echo '${cfg.shell}' > /etc/shells
       echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd
       echo 'passwd: files' > /etc/nsswitch.conf
diff --git a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix
index c5c250c14cea..576a07c1d272 100644
--- a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix
+++ b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix
@@ -5,5 +5,4 @@ pkgs.substituteAll {
   isExecutable = true;
   path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep];
   inherit (pkgs) bash;
-  kernelDTB = pkgs.stdenv.platform.kernelDTB or false;
 }
diff --git a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh
index 78a8e8fd658c..c780a89b102c 100644
--- a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh
+++ b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh
@@ -75,9 +75,10 @@ addEntry() {
 
     copyToKernelsDir "$path/kernel"; kernel=$result
     copyToKernelsDir "$path/initrd"; initrd=$result
-    if [ -n "@kernelDTB@" ]; then
-        # XXX UGLY: maybe the system config should have a top-level "dtbs" entry?
-        copyToKernelsDir $(readlink -m "$path/kernel/../dtbs"); dtbs=$result
+    # XXX UGLY: maybe the system config should have a top-level "dtbs" entry?
+    dtbDir=$(readlink -m "$path/kernel/../dtbs")
+    if [ -d "$dtbDir" ]; then
+        copyToKernelsDir "$dtbDir"; dtbs=$result
     fi
 
     timestampEpoch=$(stat -L -c '%Z' $path)
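Review bot: `dtbDir` is assigned inside `addEntry()` without `local`, so it leaks into the global shell scope and outlives the entry it was computed for; the function starts and ends outside this hunk. Since the script already runs under bash, `local dtbDir` next to the assignment (`local dtbDir; dtbDir=$(readlink -m "$path/kernel/../dtbs")`) ties its lifetime to the call. The `[ -d "$dtbDir" ]` test in the second hunk is consistent with this one, and `dtbs` is only consumed there, so the control flow itself is fine.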
@@ -95,7 +96,7 @@ addEntry() {
     fi
     echo "  LINUX ../nixos/$(basename $kernel)"
     echo "  INITRD ../nixos/$(basename $initrd)"
-    if [ -n "@kernelDTB@" ]; then
+    if [ -d "$dtbDir" ]; then
         echo "  FDTDIR ../nixos/$(basename $dtbs)"
     fi
     echo "  APPEND systemConfig=$path init=$path/init $extraParams"
diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl
index b8ef02da4bc2..94d87b436065 100644
--- a/nixos/modules/system/boot/loader/grub/install-grub.pl
+++ b/nixos/modules/system/boot/loader/grub/install-grub.pl
@@ -501,7 +501,7 @@ sub getEfiTarget {
 my @deviceTargets = getDeviceTargets();
 my $efiTarget = getEfiTarget();
 my $prevGrubState = readGrubState();
-my @prevDeviceTargets = split/:/, $prevGrubState->devices;
+my @prevDeviceTargets = split/,/, $prevGrubState->devices;
 
 my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference());
 my $nameDiffer = get("fullName") ne $prevGrubState->name;
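Review bot: Switching the separator from `:` to `,` (here and at the matching `join` in the next hunk) means a state file written by a previous generation, where the devices were `:`-joined, now parses as a single element, so `$devicesDiffer` is non-zero and GRUB is reinstalled once on the first switch after this change. That is probably acceptable, but it deserves a one-line comment next to the `split`, e.g. `# Separator changed from ':' to ','; a state file from an older generation triggers one reinstall.`, so nobody treats the extra reinstall as a regression. A comma can still appear in a device path even if it is rarer than a colon, so a check that no entry of `@deviceTargets` contains the separator before the `join` would surface that case early instead of producing a state file that silently splits wrong; the conventional `split /,/, ...` spacing would also help readability.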
@@ -549,7 +549,7 @@ if ($requireNewInstall != 0) {
     print FILE get("fullName"), "\n" or die;
     print FILE get("fullVersion"), "\n" or die;
     print FILE $efiTarget, "\n" or die;
-    print FILE join( ":", @deviceTargets ), "\n" or die;
+    print FILE join( ",", @deviceTargets ), "\n" or die;
     print FILE $efiSysMountPoint, "\n" or die;
     close FILE or die;
 }
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 8dad09c89207..15881b6d3714 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -36,7 +36,7 @@ let
           ${optionalString (header != null) "--header=${header}"} \
           ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \
           > /.luksopen_args
-        cryptsetup-askpass
+        get_password "Enter LUKS Passphrase" cryptsetup-askpass
         rm /.luksopen_args
     }
 
@@ -78,9 +78,7 @@ let
         for try in $(seq 3); do
 
             ${optionalString yubikey.twoFactor ''
-            echo -n "Enter two-factor passphrase: "
-            read -s k_user
-            echo
+            k_user="$(get_password "Enter two-factor passphrase" cat)"
             ''}
 
             if [ ! -z "$k_user" ]; then
@@ -463,6 +461,26 @@ in
       ''}
     '';
 
+    boot.initrd.preDeviceCommands = ''
+      get_password() {
+        local ret
+        local reply
+        local tty_stat
+
+        tty_stat="$(stty -g)"
+        stty -echo
+        for i in `seq 1 3`; do
+          echo -n "$1: "
+          read reply
+          echo "$reply" | "$2"
+          if [ "$?" = "0" ]; then
+            break
+          fi
+        done
+        stty "$tty_stat"
+      }
+    '';
+
     boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM);
     boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM);
 
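Review bot: `get_password` writes its prompt with `echo -n "$1: "` to stdout, so the caller added in the second hunk, `k_user="$(get_password "Enter two-factor passphrase" cat)"`, captures the prompt text together with the passphrase, and no newline ever follows the prompt because echo is off while the user types. The loop also drops the exit status of `"$2"`: after three failed attempts the function returns the status of `stty`, so a failing `cryptsetup-askpass` is invisible to the caller and the declared `ret` stays unused. Sending the prompt to stderr, reading with `read -r` (a backslash in the passphrase survives), piping with `printf '%s\n'` (a passphrase starting with `-n` or `-e` is not eaten by `echo`), and returning `$ret` addresses all of these.
```nix
    boot.initrd.preDeviceCommands = ''
      get_password() {
        # … unchanged: local declarations, stty -g / stty -echo …
        for i in $(seq 1 3); do
          # Prompt on stderr so a caller capturing stdout gets only the passphrase.
          echo -n "$1: " >&2
          read -r reply
          echo >&2
          printf '%s\n' "$reply" | "$2"
          ret=$?
          if [ "$ret" = "0" ]; then
            break
          fi
        done
        stty "$tty_stat"
        return $ret
      }
    '';
```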
diff --git a/nixos/modules/system/boot/plymouth.nix b/nixos/modules/system/boot/plymouth.nix
new file mode 100644
index 000000000000..82c1032937c6
--- /dev/null
+++ b/nixos/modules/system/boot/plymouth.nix
@@ -0,0 +1,129 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  inherit (pkgs) plymouth;
+
+  cfg = config.boot.plymouth;
+
+  themesEnv = pkgs.buildEnv {
+    name = "plymouth-themes";
+    paths = [ plymouth ] ++ cfg.themePackages;
+  };
+
+  configFile = pkgs.writeText "plymouthd.conf" ''
+    [Daemon]
+    ShowDelay=0
+    Theme=${cfg.theme}
+  '';
+
+in
+
+{
+
+  options = {
+
+    boot.plymouth = {
+
+      enable = mkEnableOption "Plymouth boot splash screen";
+
+      themePackages = mkOption {
+        default = [];
+        type = types.listOf types.package;
+        description = ''
+          Extra theme packages for plymouth.
+        '';
+      };
+
+      theme = mkOption {
+        default = "fade-in";
+        type = types.str;
+        description = ''
+          Splash screen theme.
+        '';
+      };
+
+      logo = mkOption {
+        type = types.path;
+        default = pkgs.fetchurl {
+          url = "https://nixos.org/logo/nixos-hires.png";
+          sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si";
+        };
+        description = ''
+          Logo which is displayed on the splash screen.
+        '';
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    boot.kernelParams = [ "splash" ];
+
+    # To be discoverable by systemd.
+    environment.systemPackages = [ plymouth ];
+
+    environment.etc."plymouth/plymouthd.conf".source = configFile;
+    environment.etc."plymouth/plymouthd.defaults".source = "${plymouth}/share/plymouth/plymouth.defaults";
+    environment.etc."plymouth/logo.png".source = cfg.logo;
+    environment.etc."plymouth/themes".source = "${themesEnv}/share/plymouth/themes";
+    # XXX: Needed because we supply a different set of plugins in initrd.
+    environment.etc."plymouth/plugins".source = "${plymouth}/lib/plymouth";
+
+    systemd.packages = [ plymouth ];
+
+    systemd.services.plymouth-kexec.wantedBy = [ "kexec.target" ];
+    systemd.services.plymouth-halt.wantedBy = [ "halt.target" ];
+    systemd.services.plymouth-quit = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "display-manager.service" "multi-user.target" ];
+    };
+    systemd.services.plymouth-poweroff.wantedBy = [ "poweroff.target" ];
+    systemd.services.plymouth-reboot.wantedBy = [ "reboot.target" ];
+    systemd.services.plymouth-read-write.wantedBy = [ "sysinit.target" ];
+
+    boot.initrd.extraUtilsCommands = ''
+      copy_bin_and_libs ${pkgs.plymouth}/bin/plymouthd
+      copy_bin_and_libs ${pkgs.plymouth}/bin/plymouth
+
+      moduleName="$(sed -n 's,ModuleName *= *,,p' ${themesEnv}/share/plymouth/themes/${cfg.theme}/${cfg.theme}.plymouth)"
+
+      mkdir -p $out/lib/plymouth/renderers
+      cp ${plymouth}/lib/plymouth/{text,details,$moduleName}.so $out/lib/plymouth
+      cp ${plymouth}/lib/plymouth/renderers/{drm,frame-buffer}.so $out/lib/plymouth/renderers
+
+      mkdir -p $out/share/plymouth/themes
+      cp ${plymouth}/share/plymouth/plymouthd.defaults $out/share/plymouth
+      cp -r ${themesEnv}/share/plymouth/themes/{text,details,${cfg.theme}} $out/share/plymouth/themes
+      cp ${cfg.logo} $out/share/plymouth/logo.png
+    '';
+
+    boot.initrd.extraUtilsCommandsTest = ''
+      $out/bin/plymouthd --help >/dev/null
+      $out/bin/plymouth --help >/dev/null
+    '';
+
+    boot.initrd.extraUdevRulesCommands = ''
+      cp ${config.systemd.package}/lib/udev/rules.d/{70-uaccess,71-seat}.rules $out
+      sed -i '/loginctl/d' $out/71-seat.rules
+    '';
+
+    boot.initrd.preLVMCommands = mkAfter ''
+      mkdir -p /etc/plymouth
+      ln -s ${configFile} /etc/plymouth/plymouthd.conf
+      ln -s $extraUtils/share/plymouth/plymouthd.defaults /etc/plymouth/plymouthd.defaults
+      ln -s $extraUtils/share/plymouth/logo.png /etc/plymouth/logo.png
+      ln -s $extraUtils/share/plymouth/themes /etc/plymouth/themes
+      ln -s $extraUtils/lib/plymouth /etc/plymouth/plugins
+
+      plymouthd --mode=boot --pid-file=/run/plymouth/pid --attach-to-session
+      plymouth --show-splash
+    '';
+
+  };
+
+}
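Review bot: `boot.initrd.extraUtilsCommands` refers to `${pkgs.plymouth}` on its first two lines while the rest of the module uses the `plymouth` binding from `inherit (pkgs) plymouth`; using one form throughout makes a later override of the package a single-line change. `plymouthd --mode=boot --pid-file=/run/plymouth/pid` is started in `preLVMCommands` without creating `/run/plymouth`; if the daemon does not create its pid directory itself the pid file is silently not written, so a `mkdir -p /run/plymouth` before the call is cheap insurance. The `sed -n 's,ModuleName *= *,,p'` lookup yields an empty `moduleName` when the theme file lacks that key, and the following `cp ...{text,details,$moduleName}.so` then fails with a cryptic message; a guard such as `[ -n "$moduleName" ] || { echo "no ModuleName in theme ${cfg.theme}"; exit 1; }` gives a clearer build error.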
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index 5a98b9b6d480..4b7c545dcc0d 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:
 
 with lib;
-
+let
+  cfg = config.services.resolved;
+in
 {
 
   options = {
@@ -14,9 +16,60 @@ with lib;
       '';
     };
 
+    services.resolved.fallbackDns = mkOption {
+      default = [ ];
+      example = [ "8.8.8.8" "2001:4860:4860::8844" ];
+      type = types.listOf types.str;
+      description = ''
+        A list of IPv4 and IPv6 addresses to use as the fallback DNS servers.
+        If this option is empty, a compiled-in list of DNS servers is used instead.
+      '';
+    };
+
+    services.resolved.domains = mkOption {
+      default = config.networking.search;
+      example = [ "example.com" ];
+      type = types.listOf types.str;
+      description = ''
+        A list of domains. These domains are used as search suffixes when resolving single-label host names (domain names which contain no dot), in order to qualify them into fully-qualified domain names (FQDNs).
+        For compatibility reasons, if this setting is not specified, the search domains listed in /etc/resolv.conf are used instead, if that file exists and any domains are configured in it.
+      '';
+    };
+
+    services.resolved.llmnr = mkOption {
+      default = "true";
+      example = "false";
+      type = types.enum [ "true" "resolve" "false" ];
+      description = ''
+        Controls Link-Local Multicast Name Resolution support (RFC 4794) on the local host.
+        If true, enables full LLMNR responder and resolver support.
+        If false, disables both.
+        If set to "resolve", only resolution support is enabled, but responding is disabled.
+      '';
+    };
+
+    services.resolved.dnssec = mkOption {
+      default = "allow-downgrade";
+      example = "true";
+      type = types.enum [ "true" "allow-downgrade" "false" ];
+      description = ''
+        If true all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast DNS). Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does not properly support DNSSEC all validations will fail.
+        If set to "allow-downgrade" DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled. Note that this mode makes DNSSEC validation vulnerable to "downgrade" attacks, where an attacker might be able to trigger a downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not supported.
+        If set to false, DNS lookups are not DNSSEC validated.
+      '';
+    };
+
+    services.resolved.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      description = ''
+        Extra config to append to resolved.conf.
+      '';
+    };
+
   };
 
-  config = mkIf config.services.resolved.enable {
+  config = mkIf cfg.enable {
 
     systemd.additionalUpstreamSystemUnits = [ "systemd-resolved.service" ];
 
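Review bot: The `llmnr` description cites "RFC 4794"; Link-Local Multicast Name Resolution is specified in RFC 4795, so the line should read `Controls Link-Local Multicast Name Resolution support (RFC 4795) on the local host.`. The `dnssec` default of `"allow-downgrade"` is a reasonable compatibility choice and the description already names the downgrade risk; one more sentence telling operators who want strict validation to set `"true"` and that lookups then fail against resolvers without DNSSEC support makes the trade-off actionable. In the next hunk, `${config.services.resolved.extraConfig}` is the only reference not going through the new `cfg` binding; `${cfg.extraConfig}` keeps that block consistent.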
@@ -27,7 +80,15 @@ with lib;
 
     environment.etc."systemd/resolved.conf".text = ''
       [Resolve]
-      DNS=${concatStringsSep " " config.networking.nameservers}
+      ${optionalString (config.networking.nameservers != [])
+        "DNS=${concatStringsSep " " config.networking.nameservers}"}
+      ${optionalString (cfg.fallbackDns != [])
+        "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
+      ${optionalString (cfg.domains != [])
+        "Domains=${concatStringsSep " " cfg.domains}"}
+      LLMNR=${cfg.llmnr}
+      DNSSEC=${cfg.dnssec}
+      ${config.services.resolved.extraConfig}
     '';
 
   };
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index 9bffcd31b9b4..6b1bf0b3e028 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -3,6 +3,7 @@
 targetRoot=/mnt-root
 console=tty1
 
+extraUtils="@extraUtils@"
 export LD_LIBRARY_PATH=@extraUtils@/lib
 export PATH=@extraUtils@/bin
 ln -s @extraUtils@/bin /bin
@@ -13,6 +14,9 @@ export LVM_SUPPRESS_FD_WARNINGS=true
 fail() {
     if [ -n "$panicOnFail" ]; then exit 1; fi
 
+    # If we have a splash screen started, quit it.
+    command -v plymouth >/dev/null 2>&1 && plymouth quit
+
     # If starting stage 2 failed, allow the user to repair the problem
     # in an interactive shell.
     cat <<EOF
@@ -70,6 +74,8 @@ mount -t sysfs sysfs /sys
 mount -t devtmpfs -o "size=@devSize@" devtmpfs /dev
 mkdir -p /run
 mount -t tmpfs -o "mode=0755,size=@runSize@" tmpfs /run
+mkdir /dev/pts
+mount -t devpts devpts /dev/pts
 
 # Log the script output to /dev/kmsg or /run/log/stage-1-init.log.
 mkdir -p /tmp
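Review bot: `mkdir /dev/pts` has no `-p`, so if the freshly mounted devtmpfs already provides a `pts` directory the command prints an error on the console before `mount` proceeds; `mkdir -p /dev/pts` is harmless in both cases and matches the `mkdir -p /run` two lines above. The same pair of lines was removed from initrd-ssh.nix in this commit, so this hunk is now the only place that sets up pseudo-terminals for the initrd; a comment such as `# Pseudo-terminals; needed by initrd ssh and interactive shells.` records why it lives here.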
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 5e6554324ca4..56a9c38b8f2b 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -81,9 +81,9 @@ let
       # Copy ld manually since it isn't detected correctly
       cp -pv ${pkgs.glibc.out}/lib/ld*.so.? $out/lib
 
-      # Copy all of the needed libraries for the binaries
-      for BIN in $(find $out/{bin,sbin} -type f); do
-        echo "Copying libs for bin $BIN"
+      # Copy all of the needed libraries
+      find $out/bin $out/lib -type f | while read BIN; do
+        echo "Copying libs for executable $BIN"
         LDD="$(ldd $BIN)" || continue
         LIBS="$(echo "$LDD" | awk '{print $3}' | sed '/^$/d')"
         for LIB in $LIBS; do
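Review bot: The loop now walks `$out/bin $out/lib` where the old one walked `$out/{bin,sbin}`, so anything that still lands in `$out/sbin` (if any copied tool does) no longer gets its libraries collected; if `sbin` is intentionally gone, a comment saying so avoids the question, otherwise add it to the `find` arguments. Both this loop and the two in the next hunk use `while read BIN` / `while read i` without `-r`; store paths contain no backslashes, but `read -r` is the conventional form and costs nothing. Because the body now runs in a pipeline subshell, any variable it sets is invisible after `done` — none is used here, but worth keeping in mind when extending it.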
@@ -104,13 +104,17 @@ let
       stripDirs "lib bin" "-s"
 
       # Run patchelf to make the programs refer to the copied libraries.
-      for i in $out/bin/* $out/lib/*; do if ! test -L $i; then nuke-refs -e $out $i; fi; done
+      find $out/bin $out/lib -type f | while read i; do
+        if ! test -L $i; then
+          nuke-refs -e $out $i
+        fi
+      done
 
-      for i in $out/bin/*; do
-          if ! test -L $i; then
-              echo "patching $i..."
-              patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true
-          fi
+      find $out/bin -type f | while read i; do
+        if ! test -L $i; then
+          echo "patching $i..."
+          patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true
+        fi
       done
 
       # Make sure that the patchelf'ed binaries still work.
@@ -138,6 +142,7 @@ let
 
   udevRules = pkgs.stdenv.mkDerivation {
     name = "udev-rules";
+    allowedReferences = [ extraUtils ];
     buildCommand = ''
       mkdir -p $out
 
@@ -160,7 +165,8 @@ let
             --replace /sbin/mdadm ${extraUtils}/bin/mdadm \
             --replace /bin/sh ${extraUtils}/bin/sh \
             --replace /usr/bin/readlink ${extraUtils}/bin/readlink \
-            --replace /usr/bin/basename ${extraUtils}/bin/basename
+            --replace /usr/bin/basename ${extraUtils}/bin/basename \
+            --replace ${udev}/bin/udevadm ${extraUtils}/bin/udevadm
       done
 
       # Work around a bug in QEMU, which doesn't implement the "READ
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 076bbca850d9..5c8cce5066af 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -669,6 +669,7 @@ in
 
       "systemd/logind.conf".text = ''
         [Login]
+        KillUserProcesses=no
         ${config.services.logind.extraConfig}
       '';
 
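Review bot: `KillUserProcesses=no` is added to logind.conf without a comment explaining the policy choice, which is a security-relevant one: it keeps user processes (screen, tmux, nohup jobs) alive after the session ends, so a logged-out user's code keeps running on the host. I would add, above the line, `# Leave user processes running after logout (screen/tmux keep working); set KillUserProcesses=yes in services.logind.extraConfig to kill them instead.`. The placement before `${config.services.logind.extraConfig}` looks intended to let extraConfig override it, which holds if later keys win in logind.conf as in other systemd configuration files — confirm.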
@@ -763,7 +764,7 @@ in
         { wantedBy = [ "timers.target" ];
           timerConfig.OnCalendar = service.startAt;
         })
-        (filterAttrs (name: service: service.startAt != "") cfg.services);
+        (filterAttrs (name: service: service.enable && service.startAt != "") cfg.services);
 
     # Generate timer units for all services that have a ‘startAt’ value.
     systemd.user.timers =
@@ -793,6 +794,8 @@ in
     systemd.services.systemd-remount-fs.restartIfChanged = false;
     systemd.services.systemd-update-utmp.restartIfChanged = false;
     systemd.services.systemd-user-sessions.restartIfChanged = false; # Restart kills all active sessions.
+    systemd.services.systemd-logind.restartTriggers = [ config.environment.etc."systemd/logind.conf".source ];
+    systemd.services.systemd-logind.stopIfChanged = false;
     systemd.targets.local-fs.unitConfig.X-StopOnReconfiguration = true;
     systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true;
     systemd.services.systemd-binfmt.wants = [ "proc-sys-fs-binfmt_misc.automount" ];