diff options
| author | Emily <vcs@emily.moe> | 2020-04-26 19:28:24 +0100 |
|---|---|---|
| committer | Emily <vcs@emily.moe> | 2020-05-08 15:49:35 +0100 |
| commit | 83c4ac2eb3ac2aacfc917e96b1a12091889fdfae (patch) | |
| tree | eefdaf3fe945ca2cb5a5e04037a311e87d359f57 /pkgs/os-specific | |
| parent | 4cad49dc1a7e15335e401ed39ae42c98b06391a7 (diff) | |
| download | nixlib-83c4ac2eb3ac2aacfc917e96b1a12091889fdfae.tar nixlib-83c4ac2eb3ac2aacfc917e96b1a12091889fdfae.tar.gz nixlib-83c4ac2eb3ac2aacfc917e96b1a12091889fdfae.tar.bz2 nixlib-83c4ac2eb3ac2aacfc917e96b1a12091889fdfae.tar.lz nixlib-83c4ac2eb3ac2aacfc917e96b1a12091889fdfae.tar.xz nixlib-83c4ac2eb3ac2aacfc917e96b1a12091889fdfae.tar.zst nixlib-83c4ac2eb3ac2aacfc917e96b1a12091889fdfae.zip | |
linux/update-hardened.py: reformat
$ isort --multi-line=3 --trailing-comma --force-grid-wrap=0 --use-parentheses … $ black --line-length=80 … (per the black documentation)
Diffstat (limited to 'pkgs/os-specific')
| -rwxr-xr-x | pkgs/os-specific/linux/kernel/update-hardened.py | 138 |
1 files changed, 80 insertions, 58 deletions
diff --git a/pkgs/os-specific/linux/kernel/update-hardened.py b/pkgs/os-specific/linux/kernel/update-hardened.py index 7f6949653afc..49a6228fb97a 100755 --- a/pkgs/os-specific/linux/kernel/update-hardened.py +++ b/pkgs/os-specific/linux/kernel/update-hardened.py @@ -3,60 +3,68 @@ # This is automatically called by ./update.sh. -import re import json -import sys import os.path -from glob import glob +import re import subprocess +import sys +from glob import glob from tempfile import TemporaryDirectory from github import Github HERE = os.path.dirname(os.path.realpath(__file__)) -HARDENED_GITHUB_REPO = 'anthraxx/linux-hardened' -HARDENED_TRUSTED_KEY = os.path.join(HERE, 'anthraxx.asc') -HARDENED_PATCHES_PATH = os.path.join(HERE, 'hardened-patches.json') +HARDENED_GITHUB_REPO = "anthraxx/linux-hardened" +HARDENED_TRUSTED_KEY = os.path.join(HERE, "anthraxx.asc") +HARDENED_PATCHES_PATH = os.path.join(HERE, "hardened-patches.json") MIN_KERNEL_VERSION = [4, 14] + def run(*args, **kwargs): try: return subprocess.run( - args, **kwargs, - check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, + args, + **kwargs, + check=True, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, ) except subprocess.CalledProcessError as err: print( - f'error: `{err.cmd}` failed unexpectedly\n' - f'status code: {err.returncode}\n' + f"error: `{err.cmd}` failed unexpectedly\n" + f"status code: {err.returncode}\n" f'stdout:\n{err.stdout.decode("utf-8").strip()}\n' f'stderr:\n{err.stderr.decode("utf-8").strip()}', file=sys.stderr, ) sys.exit(1) + def nix_prefetch_url(url): - output = run('nix-prefetch-url', '--print-path', url).stdout - return output.decode('utf-8').strip().split('\n') + output = run("nix-prefetch-url", "--print-path", url).stdout + return output.decode("utf-8").strip().split("\n") + def verify_openpgp_signature(*, name, trusted_key, sig_path, data_path): - with TemporaryDirectory(suffix='.nixpkgs-gnupg-home') as gnupg_home: - run('gpg', '--homedir', gnupg_home, '--import', trusted_key) - keyring = os.path.join(gnupg_home, 'pubring.kbx') + with TemporaryDirectory(suffix=".nixpkgs-gnupg-home") as gnupg_home: + run("gpg", "--homedir", gnupg_home, "--import", trusted_key) + keyring = os.path.join(gnupg_home, "pubring.kbx") try: subprocess.run( - ('gpgv', '--keyring', keyring, sig_path, data_path), - check=True, stderr=subprocess.PIPE, + ("gpgv", "--keyring", keyring, sig_path, data_path), + check=True, + stderr=subprocess.PIPE, ) return True except subprocess.CalledProcessError as err: print( - f'error: signature for {name} failed to verify!', + f"error: signature for {name} failed to verify!", file=sys.stderr, ) - print(err.stderr.decode('utf-8'), file=sys.stderr, end='') + print(err.stderr.decode("utf-8"), file=sys.stderr, end="") return False + def fetch_patch(*, name, release): def find_asset(filename): try: @@ -68,12 +76,12 @@ def fetch_patch(*, name, release): except StopIteration: raise KeyError(filename) - patch_filename = f'{name}.patch' + patch_filename = f"{name}.patch" try: patch_url = find_asset(patch_filename) - sig_url = find_asset(patch_filename + '.sig') + sig_url = find_asset(patch_filename + ".sig") except KeyError: - print(f'error: {patch_filename}{{,.sig}} not present', file=sys.stderr) + print(f"error: {patch_filename}{{,.sig}} not present", file=sys.stderr) return None sha256, patch_path = nix_prefetch_url(patch_url) @@ -88,59 +96,71 @@ def fetch_patch(*, name, release): return None return { - 'name': patch_filename, - 'url': patch_url, - 'sha256': sha256, + "name": patch_filename, + "url": patch_url, + "sha256": sha256, } + def parse_version(version_str): version = [] - for component in version_str.split('.'): + for component in version_str.split("."): try: version.append(int(component)) except ValueError: version.append(component) return version + def version_string(version): - return '.'.join(str(component) for component in version) + return ".".join(str(component) for component in version) + def major_kernel_version_key(kernel_version): return version_string(kernel_version[:-1]) + def commit_patches(*, kernel_key, message): - with open(HARDENED_PATCHES_PATH + '.new', 'w') as new_patches_file: + with open(HARDENED_PATCHES_PATH + ".new", "w") as new_patches_file: json.dump(patches, new_patches_file, indent=4, sort_keys=True) - new_patches_file.write('\n') - os.rename(HARDENED_PATCHES_PATH + '.new', HARDENED_PATCHES_PATH) - message = f'linux/hardened-patches/{kernel_key}: {message}' + new_patches_file.write("\n") + os.rename(HARDENED_PATCHES_PATH + ".new", HARDENED_PATCHES_PATH) + message = f"linux/hardened-patches/{kernel_key}: {message}" print(message) - if os.environ.get('COMMIT'): + if os.environ.get("COMMIT"): run( - 'git', '-C', HERE, 'commit', f'--message={message}', - 'hardened-patches.json', + "git", + "-C", + HERE, + "commit", + f"--message={message}", + "hardened-patches.json", ) + # Load the existing patches. with open(HARDENED_PATCHES_PATH) as patches_file: patches = json.load(patches_file) -NIX_VERSION_RE = re.compile(r''' - \s* version \s* = - \s* " (?P<version> [^"]*) " - \s* ; \s* \n -''', re.VERBOSE) +NIX_VERSION_RE = re.compile( + r""" + \s* version \s* = + \s* " (?P<version> [^"]*) " + \s* ; \s* \n + """, + re.VERBOSE, +) # Get the set of currently packaged kernel versions. kernel_versions = {} for filename in os.listdir(HERE): - filename_match = re.fullmatch(r'linux-(\d+)\.(\d+)\.nix', filename) + filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename) if filename_match: with open(os.path.join(HERE, filename)) as nix_file: for nix_line in nix_file: match = NIX_VERSION_RE.fullmatch(nix_line) if match: - kernel_version = parse_version(match.group('version')) + kernel_version = parse_version(match.group("version")) if kernel_version < MIN_KERNEL_VERSION: continue kernel_key = major_kernel_version_key(kernel_version) @@ -148,9 +168,9 @@ for filename in os.listdir(HERE): # Remove patches for unpackaged kernel versions. for kernel_key in sorted(patches.keys() - kernel_versions.keys()): - commit_patches(kernel_key=kernel_key, message='remove') + commit_patches(kernel_key=kernel_key, message="remove") -g = Github(os.environ.get('GITHUB_TOKEN')) +g = Github(os.environ.get("GITHUB_TOKEN")) repo = g.get_repo(HARDENED_GITHUB_REPO) failures = False @@ -171,8 +191,8 @@ for release in repo.get_releases(): continue release_info = { - 'version': version, - 'release': release, + "version": version, + "release": release, } if kernel_version == packaged_kernel_version: @@ -182,22 +202,24 @@ for release in repo.get_releases(): # skipping patches for kernels newer than the packaged one. if kernel_version > packaged_kernel_version: continue - elif (kernel_key not in releases or - releases[kernel_key]['version'] < version): + elif ( + kernel_key not in releases + or releases[kernel_key]["version"] < version + ): releases[kernel_key] = release_info # Update hardened-patches.json for each release. for kernel_key, release_info in releases.items(): - release = release_info['release'] - version = release_info['version'] + release = release_info["release"] + version = release_info["version"] version_str = release.tag_name - name = f'linux-hardened-{version_str}' + name = f"linux-hardened-{version_str}" try: - old_filename = patches[kernel_key]['name'] - old_version_str = (old_filename - .replace('linux-hardened-', '') - .replace('.patch', '')) + old_filename = patches[kernel_key]["name"] + old_version_str = old_filename.replace("linux-hardened-", "").replace( + ".patch", "" + ) old_version = parse_version(old_version_str) update = old_version < version except KeyError: @@ -211,17 +233,17 @@ for kernel_key, release_info in releases.items(): else: patches[kernel_key] = patch if old_version: - message = f'{old_version_str} -> {version_str}' + message = f"{old_version_str} -> {version_str}" else: - message = f'init at {version_str}' + message = f"init at {version_str}" commit_patches(kernel_key=kernel_key, message=message) missing_kernel_versions = kernel_versions.keys() - patches.keys() if missing_kernel_versions: print( - f'warning: no patches for kernel versions ' + - ', '.join(missing_kernel_versions), + f"warning: no patches for kernel versions " + + ", ".join(missing_kernel_versions), file=sys.stderr, ) |