diff options
| author | Vladimír Čunát <vcunat@gmail.com> | 2019-02-01 09:42:53 +0100 |
|---|---|---|
| committer | Vladimír Čunát <vcunat@gmail.com> | 2019-02-01 09:42:53 +0100 |
| commit | 8ba516664bf367889b06b06e4122372f82f24feb (patch) | |
| tree | 01b691a7e1ad4797843b4c93d8a9d74fd16311d7 /pkgs/os-specific | |
| parent | d00ca4476cd91bae052e8ded4d94e124a353d091 (diff) | |
| parent | 5effa4e0f98b317fe4607b1a6548811017c3325d (diff) | |
| download | nixlib-8ba516664bf367889b06b06e4122372f82f24feb.tar nixlib-8ba516664bf367889b06b06e4122372f82f24feb.tar.gz nixlib-8ba516664bf367889b06b06e4122372f82f24feb.tar.bz2 nixlib-8ba516664bf367889b06b06e4122372f82f24feb.tar.lz nixlib-8ba516664bf367889b06b06e4122372f82f24feb.tar.xz nixlib-8ba516664bf367889b06b06e4122372f82f24feb.tar.zst nixlib-8ba516664bf367889b06b06e4122372f82f24feb.zip | |
Merge branch 'staging-next' into staging
Diffstat (limited to 'pkgs/os-specific')
19 files changed, 254 insertions, 229 deletions
diff --git a/pkgs/os-specific/linux/bcc/default.nix b/pkgs/os-specific/linux/bcc/default.nix index 5a40368f3ceb..d66c5dad7716 100644 --- a/pkgs/os-specific/linux/bcc/default.nix +++ b/pkgs/os-specific/linux/bcc/default.nix @@ -4,14 +4,14 @@ }: python.pkgs.buildPythonApplication rec { - version = "0.7.0"; + version = "0.8.0"; name = "bcc-${version}"; src = fetchFromGitHub { owner = "iovisor"; repo = "bcc"; rev = "v${version}"; - sha256 = "1ww7l0chx2ivw9d2ahxjyhxmh6hz3w5z69r4lz02f0361rnrvk7f"; + sha256 = "15vvybllmh9hdj801v3psd671c0qq2a1xdv73kabb9r4fzgaknxk"; }; format = "other"; diff --git a/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch b/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch index 44369dc5117f..d77053f5d397 100644 --- a/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch +++ b/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch @@ -1,4 +1,4 @@ -From 2fe9625cc6dec10531482a3947ef75009eb21489 Mon Sep 17 00:00:00 2001 +From 44887227f7f617cbf84713ec45685cb4999039ff Mon Sep 17 00:00:00 2001 From: Jan Tojnar <jtojnar@gmail.com> Date: Tue, 30 Oct 2018 22:26:30 +0100 Subject: [PATCH] build: Add option for installation sysconfdir @@ -17,17 +17,17 @@ prefix only to `make install`, but Meson does not support anything like that. Until we manage to convince Meson to support install flags, we need to create our own install flag. --- - data/meson.build | 4 ++-- - data/pki/meson.build | 8 ++++---- - data/remotes.d/meson.build | 6 +++--- - meson.build | 6 ++++++ - meson_options.txt | 1 + - plugins/redfish/meson.build | 2 +- - plugins/uefi/meson.build | 2 +- + data/meson.build | 4 ++-- + data/pki/meson.build | 8 ++++---- + data/remotes.d/meson.build | 6 +++--- + meson.build | 6 ++++++ + meson_options.txt | 1 + + plugins/redfish/meson.build | 2 +- + plugins/uefi/meson.build | 2 +- 7 files changed, 18 insertions(+), 11 deletions(-) diff --git a/data/meson.build b/data/meson.build -index 8dd2ac9ad..d4ad1cbc1 100644 +index 8dd2ac9a..d4ad1cbc 100644 --- a/data/meson.build +++ b/data/meson.build @@ -9,7 +9,7 @@ if get_option('tests') and get_option('daemon') @@ -49,7 +49,7 @@ index 8dd2ac9ad..d4ad1cbc1 100644 install_data(['metadata.xml'], diff --git a/data/pki/meson.build b/data/pki/meson.build -index eefcc9142..dc801fa18 100644 +index eefcc914..dc801fa1 100644 --- a/data/pki/meson.build +++ b/data/pki/meson.build @@ -4,14 +4,14 @@ if get_option('gpg') @@ -85,7 +85,7 @@ index eefcc9142..dc801fa18 100644 endif diff --git a/data/remotes.d/meson.build b/data/remotes.d/meson.build -index 824291fc5..d0599a00a 100644 +index 824291fc..d0599a00 100644 --- a/data/remotes.d/meson.build +++ b/data/remotes.d/meson.build @@ -3,7 +3,7 @@ if get_option('daemon') and get_option('lvfs') @@ -113,10 +113,10 @@ index 824291fc5..d0599a00a 100644 + install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'), ) diff --git a/meson.build b/meson.build -index 737841f1a..23bd7a2e3 100644 +index b6df98b3..d672ee37 100644 --- a/meson.build +++ b/meson.build -@@ -144,6 +144,12 @@ localstatedir = join_paths(prefix, get_option('localstatedir')) +@@ -145,6 +145,12 @@ localstatedir = join_paths(prefix, get_option('localstatedir')) mandir = join_paths(prefix, get_option('mandir')) localedir = join_paths(prefix, get_option('localedir')) @@ -130,7 +130,7 @@ index 737841f1a..23bd7a2e3 100644 if gio.version().version_compare ('>= 2.55.0') conf.set('HAVE_GIO_2_55_0', '1') diff --git a/meson_options.txt b/meson_options.txt -index 23ef8cdb8..db8f93b6c 100644 +index 23ef8cdb..db8f93b6 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -17,6 +17,7 @@ option('plugin_uefi', type : 'boolean', value : true, description : 'enable UEFI @@ -142,10 +142,10 @@ index 23ef8cdb8..db8f93b6c 100644 option('udevdir', type: 'string', value: '', description: 'Directory for udev rules') option('efi-cc', type : 'string', value : 'gcc', description : 'the compiler to use for EFI modules') diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build -index 288f614e4..90cfe6484 100644 +index ef07bd81..d2c7e259 100644 --- a/plugins/redfish/meson.build +++ b/plugins/redfish/meson.build -@@ -22,7 +22,7 @@ shared_module('fu_plugin_redfish', +@@ -25,7 +25,7 @@ shared_module('fu_plugin_redfish', ) install_data(['redfish.conf'], @@ -155,10 +155,10 @@ index 288f614e4..90cfe6484 100644 if get_option('tests') diff --git a/plugins/uefi/meson.build b/plugins/uefi/meson.build -index c037e1b30..a0e8cd3e6 100644 +index 09ebdf82..02fc0661 100644 --- a/plugins/uefi/meson.build +++ b/plugins/uefi/meson.build -@@ -69,7 +69,7 @@ executable( +@@ -73,7 +73,7 @@ executable( ) install_data(['uefi.conf'], @@ -167,3 +167,5 @@ index c037e1b30..a0e8cd3e6 100644 ) if get_option('tests') +-- +2.19.1 diff --git a/pkgs/os-specific/linux/firmware/fwupd/default.nix b/pkgs/os-specific/linux/firmware/fwupd/default.nix index de0a1e2ee0d7..cf6e2bf60407 100644 --- a/pkgs/os-specific/linux/firmware/fwupd/default.nix +++ b/pkgs/os-specific/linux/firmware/fwupd/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, gtk-doc, pkgconfig, gobject-introspection, intltool +{ stdenv, fetchurl, substituteAll, gtk-doc, pkgconfig, gobject-introspection, intltool , libgudev, polkit, libxmlb, gusb, sqlite, libarchive, glib-networking , libsoup, help2man, gpgme, libxslt, elfutils, libsmbios, efivar, glibcLocales , gnu-efi, libyaml, valgrind, meson, libuuid, colord, docbook_xml_dtd_43, docbook_xsl @@ -6,20 +6,23 @@ , shared-mime-info, umockdev, vala, makeFontsConf, freefont_ttf , cairo, freetype, fontconfig, pango }: + +# Updating? Keep $out/etc synchronized with passthru.filesInstalledToEtc + let - # Updating? Keep $out/etc synchronized with passthru.filesInstalledToEtc - version = "1.2.1"; python = python3.withPackages (p: with p; [ pygobject3 pycairo pillow ]); installedTestsPython = python3.withPackages (p: with p; [ pygobject3 requests ]); fontsConf = makeFontsConf { fontDirectories = [ freefont_ttf ]; }; -in stdenv.mkDerivation { - name = "fwupd-${version}"; +in stdenv.mkDerivation rec { + pname = "fwupd"; + version = "1.2.3"; + src = fetchurl { url = "https://people.freedesktop.org/~hughsient/releases/fwupd-${version}.tar.xz"; - sha256 = "126b3lsh4gkyajsqm2c8l6wqr4dd7m26krz2527khmlps0lxdhg1"; + sha256 = "11qpgincndahq96rbm2kgcy9kw5n9cmbbilsrqcqcyk7mvv464sl"; }; outputs = [ "out" "lib" "dev" "devdoc" "man" "installedTests" ]; @@ -39,15 +42,27 @@ in stdenv.mkDerivation { patches = [ ./fix-paths.patch ./add-option-for-installation-sysconfdir.patch + + # installed tests are installed to different output + # we also cannot have fwupd-tests.conf in $out/etc since it would form a cycle + (substituteAll { + src = ./installed-tests-path.patch; + # needs a different set of modules than po/make-images + inherit installedTestsPython; + }) ]; postPatch = '' - # needs a different set of modules than po/make-images - escapedInterpreterLine=$(echo "${installedTestsPython}/bin/python3" | sed 's|\\|\\\\|g') - sed -i -e "1 s|.*|#\!$escapedInterpreterLine|" data/installed-tests/hardware.py - patchShebangs . - substituteInPlace data/installed-tests/fwupdmgr.test.in --subst-var-by installedtestsdir "$installedTests/share/installed-tests/fwupd" + + # we cannot use placeholder in substituteAll + # https://github.com/NixOS/nix/issues/1846 + substituteInPlace data/installed-tests/meson.build --subst-var installedTests + + # install plug-ins to out, they are not really part of the library + substituteInPlace meson.build \ + --replace "plugin_dir = join_paths(libdir, 'fwupd-plugins-3')" \ + "plugin_dir = join_paths('${placeholder "out"}', 'fwupd_plugins-3')" ''; # /etc/os-release not available in sandbox diff --git a/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch b/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch new file mode 100644 index 000000000000..6c4b6b62a0cd --- /dev/null +++ b/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch @@ -0,0 +1,25 @@ +--- a/data/installed-tests/hardware.py ++++ b/data/installed-tests/hardware.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 ++#!@installedTestsPython@/bin/python3 + # pylint: disable=wrong-import-position,too-many-locals,unused-argument,wrong-import-order + # + # Copyright (C) 2017 Richard Hughes <richard@hughsie.com> +--- a/data/installed-tests/meson.build ++++ b/data/installed-tests/meson.build +@@ -1,6 +1,6 @@ + con2 = configuration_data() + con2.set('installedtestsdir', +- join_paths(datadir, 'installed-tests', 'fwupd')) ++ join_paths('@installedTests@', 'share', 'installed-tests', 'fwupd')) + con2.set('bindir', bindir) + + configure_file( +@@ -52,5 +52,5 @@ + output : 'fwupd-tests.conf', + configuration : con2, + install: true, +- install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'), ++ install_dir: join_paths('@installedTests@', 'etc', 'fwupd', 'remotes.d'), + ) diff --git a/pkgs/os-specific/linux/fwts/default.nix b/pkgs/os-specific/linux/fwts/default.nix index daeda5fa8c07..fb609f4a7270 100644 --- a/pkgs/os-specific/linux/fwts/default.nix +++ b/pkgs/os-specific/linux/fwts/default.nix @@ -3,11 +3,11 @@ stdenv.mkDerivation rec { name = "fwts-${version}"; - version = "18.12.00"; + version = "19.01.00"; src = fetchzip { url = "http://fwts.ubuntu.com/release/fwts-V${version}.tar.gz"; - sha256 = "10kzn5r099i4b8m5l7s68fs885d126l9cingq9gj1g574c18hg2s"; + sha256 = "00vixb8kml5hgdqscqr9biwbvivfjwpf1fk53425kdqzyg6bqsmq"; stripRoot = false; }; diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index ddd1e9828d51..1a56e68fa4bf 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -12,23 +12,12 @@ # Configuration { stdenv, version -# to let user override values, aka converting modules to included and vice-versa -, mkValueOverride ? null - -# new extraConfig as a flattened set -, structuredExtraConfig ? {} - -# legacy extraConfig as string -, extraConfig ? "" - , features ? { grsecurity = false; xen_dom0 = false; } }: -assert (mkValueOverride == null) || (builtins.isFunction mkValueOverride); - with stdenv.lib; -with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; }; + with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; }; let @@ -46,7 +35,7 @@ let DEBUG_NX_TEST = whenOlder "4.11" no; CPU_NOTIFIER_ERROR_INJECT = whenOlder "4.4" (option no); DEBUG_STACK_USAGE = no; - DEBUG_STACKOVERFLOW = when (!features.grsecurity) no; + DEBUG_STACKOVERFLOW = mkIf (!features.grsecurity) no; RCU_TORTURE_TEST = no; SCHEDSTATS = no; DETECT_HUNG_TASK = yes; @@ -114,7 +103,7 @@ let IP_DCCP_CCID3 = no; # experimental CLS_U32_PERF = yes; CLS_U32_MARK = yes; - BPF_JIT = when (stdenv.hostPlatform.system == "x86_64-linux") yes; + BPF_JIT = mkIf (stdenv.hostPlatform.system == "x86_64-linux") yes; WAN = yes; # Required by systemd per-cgroup firewalling CGROUP_BPF = option yes; @@ -184,7 +173,7 @@ let FB_VESA = yes; FRAMEBUFFER_CONSOLE = yes; FRAMEBUFFER_CONSOLE_ROTATION = yes; - FB_GEODE = when (stdenv.hostPlatform.system == "i686-linux") yes; + FB_GEODE = mkIf (stdenv.hostPlatform.system == "i686-linux") yes; }; video = { @@ -239,7 +228,7 @@ let }; usb = { - USB_DEBUG = option (whenOlder "4.18" no); + USB_DEBUG = { optional = true; tristate = whenOlder "4.18" "n";}; USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling }; @@ -250,7 +239,7 @@ let FANOTIFY = yes; TMPFS = yes; TMPFS_POSIX_ACL = yes; - FS_ENCRYPTION = option (whenAtLeast "4.9" module); + FS_ENCRYPTION = { optional = true; tristate = whenAtLeast "4.9" "m"; }; EXT2_FS_XATTR = yes; EXT2_FS_POSIX_ACL = yes; @@ -262,7 +251,7 @@ let EXT4_FS_POSIX_ACL = yes; EXT4_FS_SECURITY = yes; - EXT4_ENCRYPTION = option ((if (versionOlder version "4.8") then module else yes)); + EXT4_ENCRYPTION = { optional = true; tristate = if (versionOlder version "4.8") then "m" else "y"; }; REISERFS_FS_XATTR = option yes; REISERFS_FS_POSIX_ACL = option yes; @@ -324,7 +313,7 @@ let # Native Language Support modules, needed by some filesystems NLS = yes; - NLS_DEFAULT = "utf8"; + NLS_DEFAULT = freeform "utf8"; NLS_UTF8 = module; NLS_CODEPAGE_437 = module; # VFAT default for the codepage= mount option NLS_ISO8859_1 = module; # VFAT default for the iocharset= mount option @@ -334,13 +323,13 @@ let security = { # Detect writes to read-only module pages - DEBUG_SET_MODULE_RONX = option (whenOlder "4.11" yes); + DEBUG_SET_MODULE_RONX = { optional = true; tristate = whenOlder "4.11" "y"; }; RANDOMIZE_BASE = option yes; STRICT_DEVMEM = option yes; # Filter access to /dev/mem - SECURITY_SELINUX_BOOTPARAM_VALUE = "0"; # Disable SELinux by default + SECURITY_SELINUX_BOOTPARAM_VALUE = freeform "0"; # Disable SELinux by default # Prevent processes from ptracing non-children processes SECURITY_YAMA = option yes; - DEVKMEM = when (!features.grsecurity) no; # Disable /dev/kmem + DEVKMEM = mkIf (!features.grsecurity) no; # Disable /dev/kmem USER_NS = yes; # Support for user namespaces @@ -350,7 +339,7 @@ let } // optionalAttrs (!stdenv.hostPlatform.isAarch32) { # Detect buffer overflows on the stack - CC_STACKPROTECTOR_REGULAR = option (whenOlder "4.18" yes); + CC_STACKPROTECTOR_REGULAR = {optional = true; tristate = whenOlder "4.18" "y";}; }; microcode = { @@ -407,8 +396,8 @@ let FTRACE_SYSCALLS = yes; SCHED_TRACER = yes; STACK_TRACER = yes; - UPROBE_EVENT = option (whenOlder "4.11" yes); - UPROBE_EVENTS = option (whenAtLeast "4.11" yes); + UPROBE_EVENT = { optional = true; tristate = whenOlder "4.11" "y";}; + UPROBE_EVENTS = { optional = true; tristate = whenAtLeast "4.11" "y";}; BPF_SYSCALL = whenAtLeast "4.4" yes; BPF_EVENTS = whenAtLeast "4.4" yes; FUNCTION_PROFILER = yes; @@ -418,23 +407,23 @@ let virtualisation = { PARAVIRT = option yes; - HYPERVISOR_GUEST = when (!features.grsecurity) yes; + HYPERVISOR_GUEST = mkIf (!features.grsecurity) yes; PARAVIRT_SPINLOCKS = option yes; KVM_APIC_ARCHITECTURE = whenOlder "4.8" yes; KVM_ASYNC_PF = yes; - KVM_COMPAT = option (whenBetween "4.0" "4.12" yes); - KVM_DEVICE_ASSIGNMENT = option (whenBetween "3.10" "4.12" yes); + KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; }; + KVM_DEVICE_ASSIGNMENT = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; }; KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0" yes; - KVM_GUEST = when (!features.grsecurity) yes; + KVM_GUEST = mkIf (!features.grsecurity) yes; KVM_MMIO = yes; KVM_VFIO = yes; KSM = yes; VIRT_DRIVERS = yes; # We nneed 64 GB (PAE) support for Xen guest support - HIGHMEM64G = option (when (!stdenv.is64bit) yes); + HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";}; - VFIO_PCI_VGA = when stdenv.is64bit yes; + VFIO_PCI_VGA = mkIf stdenv.is64bit yes; } // optionalAttrs (stdenv.isx86_64 || stdenv.isi686) ({ XEN = option yes; @@ -542,8 +531,8 @@ let CRYPTO_TEST = option no; EFI_TEST = option no; GLOB_SELFTEST = option no; - DRM_DEBUG_MM_SELFTEST = option (whenOlder "4.18" no); - LNET_SELFTEST = option (whenOlder "4.18" no); + DRM_DEBUG_MM_SELFTEST = { optional = true; tristate = whenOlder "4.18" "n";}; + LNET_SELFTEST = { optional = true; tristate = whenOlder "4.18" "n";}; LOCK_TORTURE_TEST = option no; MTD_TESTS = option no; NOTIFIER_ERROR_INJECTION = option no; @@ -598,7 +587,7 @@ let AIC79XX_DEBUG_ENABLE = no; AIC7XXX_DEBUG_ENABLE = no; AIC94XX_DEBUG = no; - B43_PCMCIA = option (whenOlder "4.4" yes); + B43_PCMCIA = { optional=true; tristate = whenOlder "4.4" "y";}; BLK_DEV_INTEGRITY = yes; @@ -651,7 +640,7 @@ let # GPIO on Intel Bay Trail, for some Chromebook internal eMMC disks PINCTRL_BAYTRAIL = yes; # 8 is default. Modern gpt tables on eMMC may go far beyond 8. - MMC_BLOCK_MINORS = "32"; + MMC_BLOCK_MINORS = freeform "32"; REGULATOR = yes; # Voltage and Current Regulator Support RC_DEVICES = option yes; # Enable IR devices @@ -698,7 +687,8 @@ let # Bump the maximum number of CPUs to support systems like EC2 x1.* # instances and Xeon Phi. - NR_CPUS = "384"; + NR_CPUS = freeform "384"; }; }; -in (generateNixKConf ((flattenKConf options) // structuredExtraConfig) mkValueOverride) + extraConfig +in + flattenKConf options diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix index 30878d1b96c6..df9a628f83da 100644 --- a/pkgs/os-specific/linux/kernel/generic.nix +++ b/pkgs/os-specific/linux/kernel/generic.nix @@ -47,7 +47,6 @@ , preferBuiltin ? stdenv.hostPlatform.platform.kernelPreferBuiltin or false , kernelArch ? stdenv.hostPlatform.platform.kernelArch -, mkValueOverride ? null , ... }: @@ -68,20 +67,26 @@ let ia32Emulation = true; } // features) kernelPatches; - intermediateNixConfig = import ./common-config.nix { - inherit stdenv version structuredExtraConfig mkValueOverride; - - # append extraConfig for backwards compatibility but also means the user can't override the kernelExtraConfig part - extraConfig = extraConfig + lib.optionalString (stdenv.hostPlatform.platform ? kernelExtraConfig) stdenv.hostPlatform.platform.kernelExtraConfig; + commonStructuredConfig = import ./common-config.nix { + inherit stdenv version ; features = kernelFeatures; # Ensure we know of all extra patches, etc. }; - kernelConfigFun = baseConfig: + intermediateNixConfig = configfile.moduleStructuredConfig.intermediateNixConfig + # extra config in legacy string format + + extraConfig + + lib.optionalString (stdenv.hostPlatform.platform ? kernelExtraConfig) stdenv.hostPlatform.platform.kernelExtraConfig; + + structuredConfigFromPatches = + map ({extraStructuredConfig ? {}, ...}: {settings=extraStructuredConfig;}) kernelPatches; + + # appends kernel patches extraConfig + kernelConfigFun = baseConfigStr: let configFromPatches = map ({extraConfig ? "", ...}: extraConfig) kernelPatches; - in lib.concatStringsSep "\n" ([baseConfig] ++ configFromPatches); + in lib.concatStringsSep "\n" ([baseConfigStr] ++ configFromPatches); configfile = stdenv.mkDerivation { inherit ignoreConfigErrors autoModules preferBuiltin kernelArch; @@ -131,7 +136,30 @@ let installPhase = "mv $buildRoot/.config $out"; enableParallelBuilding = true; - }; + + passthru = rec { + + module = import ../../../../nixos/modules/system/boot/kernel_config.nix; + # used also in apache + # { modules = [ { options = res.options; config = svc.config or svc; } ]; + # check = false; + # The result is a set of two attributes + moduleStructuredConfig = (lib.evalModules { + modules = [ + module + { settings = commonStructuredConfig; } + { settings = structuredExtraConfig; } + ] + ++ structuredConfigFromPatches + ; + }).config; + + # + structuredConfig = moduleStructuredConfig.settings; + }; + + + }; # end of configfile derivation kernel = (callPackage ./manual-config.nix {}) { inherit version modDirVersion src kernelPatches stdenv extraMeta configfile; @@ -141,6 +169,7 @@ let passthru = { features = kernelFeatures; + inherit commonStructuredConfig; passthru = kernel.passthru // (removeAttrs passthru [ "passthru" ]); }; diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index ed540a9e7518..f1f18c64130c 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -11,138 +11,110 @@ { stdenv, version }: with stdenv.lib; +with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; }; assert (versionAtLeast version "4.9"); -'' -# Report BUG() conditions and kill the offending process. -BUG y - -${optionalString (versionAtLeast version "4.10") '' - BUG_ON_DATA_CORRUPTION y -''} - -${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") '' - DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory +optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { + DEFAULT_MMAP_MIN_ADDR = freeform "65536"; # Prevent allocation of first 64K of memory # Reduce attack surface by disabling various emulations - IA32_EMULATION n - X86_X32 n + IA32_EMULATION = no; + X86_X32 = no; # Note: this config depends on EXPERT y and so will not take effect, hence # it is left "optional" for now. - MODIFY_LDT_SYSCALL? n - - VMAP_STACK y # Catch kernel stack overflows + MODIFY_LDT_SYSCALL = option no; + VMAP_STACK = yes; # Catch kernel stack overflows # Randomize position of kernel and memory. - RANDOMIZE_BASE y - RANDOMIZE_MEMORY y + RANDOMIZE_BASE = yes; + RANDOMIZE_MEMORY = yes; # Disable legacy virtual syscalls by default (modern glibc use vDSO instead). # # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism, # which is supposed to be safer than the native variant (wrt. ret2libc), so # disabling it mainly helps reduce surface. - LEGACY_VSYSCALL_NONE y -''} - -# Safer page access permissions (wrt. code injection). Default on >=4.11. -${optionalString (versionOlder version "4.11") '' - DEBUG_RODATA y - DEBUG_SET_MODULE_RONX y -''} - -# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n -# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter -# implicitly marks LSM hooks read-only after init. -# -# SELinux can only be disabled at boot via selinux=0 -# -# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the -# config builder fails to detect that it has indeed been unset. -${optionalString (versionAtLeast version "4.12") '' - SECURITY_SELINUX_DISABLE n - SECURITY_WRITABLE_HOOKS? n -''} - -DEBUG_WX y # boot-time warning on RWX mappings -${optionalString (versionAtLeast version "4.11") '' - STRICT_KERNEL_RWX y -''} - -# Stricter /dev/mem -STRICT_DEVMEM? y -IO_STRICT_DEVMEM? y - -# Perform additional validation of commonly targeted structures. -DEBUG_CREDENTIALS y -DEBUG_NOTIFIERS y -DEBUG_LIST y -DEBUG_PI_LIST y # doesn't BUG() -DEBUG_SG y -SCHED_STACK_END_CHECK y - -${optionalString (versionAtLeast version "4.13") '' - REFCOUNT_FULL y -''} - -# Perform usercopy bounds checking. -HARDENED_USERCOPY y -${optionalString (versionAtLeast version "4.16") '' - HARDENED_USERCOPY_FALLBACK n # for full whitelist enforcement -''} - -# Randomize allocator freelists. -SLAB_FREELIST_RANDOM y - -${optionalString (versionAtLeast version "4.14") '' - SLAB_FREELIST_HARDENED y -''} - -# Allow enabling slub/slab free poisoning with slub_debug=P -SLUB_DEBUG y - -# Wipe higher-level memory allocations on free() with page_poison=1 -PAGE_POISONING y -PAGE_POISONING_NO_SANITY y -PAGE_POISONING_ZERO y - -# Reboot devices immediately if kernel experiences an Oops. -PANIC_ON_OOPS y -PANIC_TIMEOUT -1 - -GCC_PLUGINS y # Enable gcc plugin options -# Gather additional entropy at boot time for systems that may not have appropriate entropy sources. -GCC_PLUGIN_LATENT_ENTROPY y - -${optionalString (versionAtLeast version "4.11") '' - GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin -''} -${optionalString (versionAtLeast version "4.14") '' - GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address -''} -${optionalString (versionAtLeast version "4.20") '' - GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin -''} - -${optionalString (versionAtLeast version "4.13") '' - GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin - GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y -''} - -# Disable various dangerous settings -ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory -PROC_KCORE n # Exposes kernel text image layout -INET_DIAG n # Has been used for heap based attacks in the past - -# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. -${optionalString (versionOlder version "4.18") '' - CC_STACKPROTECTOR_REGULAR n - CC_STACKPROTECTOR_STRONG y -''} - -# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE -${optionalString (versionAtLeast version "4.13") '' - FORTIFY_SOURCE y -''} -'' + LEGACY_VSYSCALL_NONE = yes; +} // { + # Report BUG() conditions and kill the offending process. + BUG = yes; + + BUG_ON_DATA_CORRUPTION = whenAtLeast "4.10" yes; + + # Safer page access permissions (wrt. code injection). Default on >=4.11. + DEBUG_RODATA = whenOlder "4.11" yes; + DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes; + + # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n + # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter + # implicitly marks LSM hooks read-only after init. + # + # SELinux can only be disabled at boot via selinux=0 + # + # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the + # config builder fails to detect that it has indeed been unset. + SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no; + SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no); + + DEBUG_WX = yes; # boot-time warning on RWX mappings + STRICT_KERNEL_RWX = whenAtLeast "4.11" yes; + + # Stricter /dev/mem + STRICT_DEVMEM = option yes; + IO_STRICT_DEVMEM = option yes; + + # Perform additional validation of commonly targeted structures. + DEBUG_CREDENTIALS = yes; + DEBUG_NOTIFIERS = yes; + DEBUG_LIST = yes; + DEBUG_PI_LIST = yes; # doesn't BUG() + DEBUG_SG = yes; + SCHED_STACK_END_CHECK = yes; + + REFCOUNT_FULL = whenAtLeast "4.13" yes; + + # Perform usercopy bounds checking. + HARDENED_USERCOPY = yes; + HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" no; # for full whitelist enforcement + + # Randomize allocator freelists. + SLAB_FREELIST_RANDOM = yes; + + SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes; + + # Allow enabling slub/slab free poisoning with slub_debug=P + SLUB_DEBUG = yes; + + # Wipe higher-level memory allocations on free() with page_poison=1 + PAGE_POISONING = yes; + PAGE_POISONING_NO_SANITY = yes; + PAGE_POISONING_ZERO = yes; + + # Reboot devices immediately if kernel experiences an Oops. + PANIC_ON_OOPS = yes; + PANIC_TIMEOUT = freeform "-1"; + + GCC_PLUGINS = yes; # Enable gcc plugin options + # Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources. + GCC_PLUGIN_LATENT_ENTROPY = yes; + + GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin + GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address + GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin + GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin + GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes; + + # Disable various dangerous settings + ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory + PROC_KCORE = no; # Exposes kernel text image layout + INET_DIAG = no; # Has been used for heap based attacks in the past + + # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. + CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no; + CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes; + + # Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE + FORTIFY_SOURCE = whenAtLeast "4.13" yes; + +} diff --git a/pkgs/os-specific/linux/kernel/linux-4.14.nix b/pkgs/os-specific/linux/kernel/linux-4.14.nix index 883c9868b05b..a63dd96a7b62 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.14.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix @@ -3,7 +3,7 @@ with stdenv.lib; buildLinux (args // rec { - version = "4.14.95"; + version = "4.14.97"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "1r2qrgwp3dfsrqshp765jjfh3frdhn9pkwml7h7544m3zkijjryf"; + sha256 = "1x25x6scd81npiald8i5ybb5yy3n0dh6x56avm0n5z5bvlqwilld"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-4.19.nix b/pkgs/os-specific/linux/kernel/linux-4.19.nix index 08cee977da5d..05cfbb781734 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.19.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix @@ -3,7 +3,7 @@ with stdenv.lib; buildLinux (args // rec { - version = "4.19.17"; + version = "4.19.19"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "0nfb5ipr6ay7ymvjm0nbk7mwxsvyyv43nl1lcg6jq99dgahr4bc7"; + sha256 = "1gb98s14w8gzbgd9r6hmppal92lqfjhf1s1rn1p6k7a7f3vcmbwr"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-4.20.nix b/pkgs/os-specific/linux/kernel/linux-4.20.nix index 6d267d098920..9f2c3719f9fc 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.20.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.20.nix @@ -3,7 +3,7 @@ with stdenv.lib; buildLinux (args // rec { - version = "4.20.4"; + version = "4.20.6"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "1l9lzpn5hp4y8xvc039xjc6ah8h4fb9db6337a0s754gzgmdfzyx"; + sha256 = "09fzspfs1hhbqgb3fh54q1i5jmakmxb1y180m5dn1zqwsxayx1a1"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix index 58cbd8fe4f22..335abe645beb 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.4.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix @@ -1,11 +1,11 @@ { stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args: buildLinux (args // rec { - version = "4.4.171"; + version = "4.4.172"; extraMeta.branch = "4.4"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "187g9x2zd738s1ric8zl205b7xipvr0l5i045clnhqwl5bd78h7x"; + sha256 = "1yrrwvj260sqnn8qh7a2b31d31jjnap6qh2f6jhdy275q6rickgv"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix index 0ce7536f8602..c63fa6189eff 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.9.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix @@ -1,11 +1,11 @@ { stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args: buildLinux (args // rec { - version = "4.9.152"; + version = "4.9.154"; extraMeta.branch = "4.9"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "0fcff0v488x0rylscl061dj8ylriwxg6hlg8mzppxx4sq22ppr4h"; + sha256 = "15jnkpf6kg061970cwh2z0l6nscffl63y1d0rq5f2y3gq4d4ycav"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix index c3f3d3ce0cbc..22e31f2aec1c 100644 --- a/pkgs/os-specific/linux/kernel/linux-testing.nix +++ b/pkgs/os-specific/linux/kernel/linux-testing.nix @@ -1,13 +1,13 @@ { stdenv, buildPackages, fetchurl, perl, buildLinux, libelf, utillinux, ... } @ args: buildLinux (args // rec { - version = "5.0-rc3"; - modDirVersion = "5.0.0-rc3"; + version = "5.0-rc4"; + modDirVersion = "5.0.0-rc4"; extraMeta.branch = "5.0"; src = fetchurl { url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz"; - sha256 = "03xw2zfa6cxy5vdfrfh536mh3gcm8hvj69ggpqixm8d1gqg0nln6"; + sha256 = "061afxv1d29w5kkb1rxrz3ax7pc5x8yhx5yjf9p1dbh7lw64rglh"; }; # Should the testing kernels ever be built on Hydra? diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 7aecea25625b..2ff0d5d26205 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -68,12 +68,4 @@ rec { sha256 = "0bp4jryihg1y2sl8zlj6w7vvnxj0kmb6xdy42hpvdv43kb6ngiaq"; }; }; - - raspberry_pi_wifi_fix = rec { - name = "raspberry-pi-wifi-fix"; - patch = fetchpatch { - url = https://raw.githubusercontent.com/archlinuxarm/PKGBUILDs/730522ae76aa57b89fa317c5084613d3d50cf3b8/core/linux-aarch64/0005-mmc-sdhci-iproc-handle-mmc_of_parse-errors-during-pr.patch; - sha256 = "0gbfycky28vbdjgys1z71wl5q073dmbrkvbnr6693jsda3qhp6za"; - }; - }; } diff --git a/pkgs/os-specific/linux/libratbag/default.nix b/pkgs/os-specific/linux/libratbag/default.nix index c614b39255d6..edba8b090df8 100644 --- a/pkgs/os-specific/linux/libratbag/default.nix +++ b/pkgs/os-specific/linux/libratbag/default.nix @@ -3,13 +3,13 @@ stdenv.mkDerivation rec { name = "libratbag-${version}"; - version = "0.9.903"; + version = "0.9.904"; src = fetchFromGitHub { owner = "libratbag"; repo = "libratbag"; rev = "v${version}"; - sha256 = "0cr5skrb7a5mgj7dkm647ib8336hb88bf11blaf6xldafi8b0jlj"; + sha256 = "0d2gw4bviy6zf1q9a18chlsbqylhppbby336fznh6nkpdl3jckfd"; }; nativeBuildInputs = [ diff --git a/pkgs/os-specific/linux/rdma-core/default.nix b/pkgs/os-specific/linux/rdma-core/default.nix index 8f2c834672f5..1316775775ee 100644 --- a/pkgs/os-specific/linux/rdma-core/default.nix +++ b/pkgs/os-specific/linux/rdma-core/default.nix @@ -3,7 +3,7 @@ } : let - version = "21"; + version = "22"; in stdenv.mkDerivation { name = "rdma-core-${version}"; @@ -12,7 +12,7 @@ in stdenv.mkDerivation { owner = "linux-rdma"; repo = "rdma-core"; rev = "v${version}"; - sha256 = "0q4hdm14f1xz2h0m5d821fdyp7i917rvmkas5axmfr1myv5422fl"; + sha256 = "1xkd51bz6p85gahsw18knrvirn404ca98lqmp1assyn4irs7khx8"; }; nativeBuildInputs = [ cmake pkgconfig pandoc ]; diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 822361ece15b..73be13e17afe 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -93,6 +93,7 @@ let configureFlags = [ "--with-config=${configFile}" + "--with-python=${python3.interpreter}" ] ++ optionals buildUser [ "--with-dracutdir=$(out)/lib/dracut" "--with-udevdir=$(out)/lib/udev" @@ -180,15 +181,14 @@ in { # incompatibleKernelVersion = "4.19"; # this package should point to a version / git revision compatible with the latest kernel release - version = "0.8.0-rc2"; + version = "0.8.0-rc3"; - rev = "af2e8411dacbc694b1aaf9074e68a9d12270e74c"; - sha256 = "0wm7x9dwrw30jnjlnz6a224h88qd6a5794pzbjsih50lqb10g2gy"; + sha256 = "0wmkis0q2gbj7sgx3ipxngbgzjcf7ay353v3mglf2ay50q4da5i7"; isUnstable = true; extraPatches = [ (fetchpatch { - url = "https://github.com/Mic92/zfs/compare/${rev}...nixos-zfs-2018-08-13.patch"; + url = "https://github.com/Mic92/zfs/commit/bc29b5783da0af2c80c85126a1831ce1d52bfb69.patch"; sha256 = "1sdcr1w2jp3djpwlf1f91hrxxmc34q0jl388smdkxh5n5bpw5gzw"; }) ]; diff --git a/pkgs/os-specific/windows/mingw-w64/default.nix b/pkgs/os-specific/windows/mingw-w64/default.nix index 61a7fb149427..a7d4f09b90e9 100644 --- a/pkgs/os-specific/windows/mingw-w64/default.nix +++ b/pkgs/os-specific/windows/mingw-w64/default.nix @@ -21,6 +21,6 @@ in stdenv.mkDerivation { patches = [ ./osvi.patch ]; meta = { - platforms = stdenv.lib.platforms.all; + platforms = stdenv.lib.platforms.windows; }; } |