diff options
Diffstat (limited to 'pkgs/os-specific/linux')
41 files changed, 379 insertions, 418 deletions
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index d661b2172b3c..afb6799fbafc 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -39,12 +39,12 @@ let patches = stdenv.lib.optionals stdenv.hostPlatform.isMusl [ (fetchpatch { - url = "https://git.alpinelinux.org/cgit/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53"; + url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53"; name = "0003-Added-missing-typedef-definitions-on-parser.patch"; sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0"; }) (fetchpatch { - url = "https://git.alpinelinux.org/cgit/aports/plain/testing/apparmor/0007-Do-not-build-install-vim-file-with-utils-package.patch?id=74b8427cc21f04e32030d047ae92caa618105b53"; + url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0007-Do-not-build-install-vim-file-with-utils-package.patch?id=74b8427cc21f04e32030d047ae92caa618105b53"; name = "0007-Do-not-build-install-vim-file-with-utils-package.patch"; sha256 = "1m4dx901biqgnr4w4wz8a2z9r9dxyw7wv6m6mqglqwf2lxinqmp4"; }) diff --git a/pkgs/os-specific/linux/batman-adv/alfred.nix b/pkgs/os-specific/linux/batman-adv/alfred.nix index c1fb3ef5ee1a..04217b8989bc 100644 --- a/pkgs/os-specific/linux/batman-adv/alfred.nix +++ b/pkgs/os-specific/linux/batman-adv/alfred.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ gpsd libcap libnl ]; preBuild = '' - makeFlags="PREFIX=$out PKG_CONFIG=${pkgconfig}/bin/pkg-config" + makeFlags="PREFIX=$out PKG_CONFIG=${pkgconfig}/bin/${pkgconfig.targetPrefix}pkg-config" ''; meta = { diff --git a/pkgs/os-specific/linux/batman-adv/batctl.nix b/pkgs/os-specific/linux/batman-adv/batctl.nix index 5767c4aa72c4..3b1cf183e08e 100644 --- a/pkgs/os-specific/linux/batman-adv/batctl.nix +++ b/pkgs/os-specific/linux/batman-adv/batctl.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ libnl ]; preBuild = '' - makeFlags="PREFIX=$out PKG_CONFIG=${pkgconfig}/bin/pkg-config" + makeFlags="PREFIX=$out PKG_CONFIG=${pkgconfig}/bin/${pkgconfig.targetPrefix}pkg-config" ''; meta = { diff --git a/pkgs/os-specific/linux/displaylink/udev-installer.patch b/pkgs/os-specific/linux/displaylink/udev-installer.patch index bd7d9d145c9a..880c073fbcf6 100644 --- a/pkgs/os-specific/linux/displaylink/udev-installer.patch +++ b/pkgs/os-specific/linux/displaylink/udev-installer.patch @@ -5,13 +5,13 @@ start_service() { - systemctl start displaylink-driver -+ @systemd@/bin/systemctl start --no-block dlm ++ /run/current-system/systemd/bin/systemctl start --no-block dlm } stop_service() { - systemctl stop displaylink-driver -+ @systemd@/bin/systemctl stop dlm ++ /run/current-system/systemd/bin/systemctl stop dlm } EOF diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix index de3bc092faa3..a3935d0069e3 100644 --- a/pkgs/os-specific/linux/ena/default.nix +++ b/pkgs/os-specific/linux/ena/default.nix @@ -1,14 +1,14 @@ { stdenv, fetchFromGitHub, kernel }: stdenv.mkDerivation rec { - version = "2.1.2"; + version = "2.2.7"; name = "ena-${version}-${kernel.version}"; src = fetchFromGitHub { owner = "amzn"; repo = "amzn-drivers"; rev = "ena_linux_${version}"; - sha256 = "1dp1q99m2x8hq99his6n62yw0v1lbzrlyv67w1ndc774m2k77r5w"; + sha256 = "1ap100xh5wrdvy5h2ydcy6rqcklb4fz6xxs33ad3j9yx3h1ixj2d"; }; hardeningDisable = [ "pic" ]; diff --git a/pkgs/os-specific/linux/firmware/fwupdate/default.nix b/pkgs/os-specific/linux/firmware/fwupdate/default.nix deleted file mode 100644 index bcafa7f3376d..000000000000 --- a/pkgs/os-specific/linux/firmware/fwupdate/default.nix +++ /dev/null @@ -1,66 +0,0 @@ -{ efivar, fetchurl, gettext, gnu-efi, libsmbios, pkgconfig, popt, stdenv }: - -let - version = "12"; - - arch = - if stdenv.hostPlatform.isx86_32 - then "ia32" - else stdenv.hostPlatform.parsed.cpu.name; - -in stdenv.mkDerivation { - pname = "fwupdate"; - inherit version; - src = fetchurl { - url = "https://github.com/rhinstaller/fwupdate/releases/download/${version}/fwupdate-${version}.tar.bz2"; - sha256 = "00w7jsg7wrlq4cpfz26m9rbv2jwyf0sansf343vfq02fy5lxars1"; - }; - - patches = [ - ./do-not-create-sharedstatedir.patch - ]; - - NIX_CFLAGS_COMPILE = builtins.toString [ - "-I${gnu-efi}/include/efi" - "-I${gnu-efi}/include/efi/${arch}" - "-Wno-error=address-of-packed-member" - ]; - - # TODO: Just apply the disable to the efi subdir - hardeningDisable = [ "stackprotector" ]; - - makeFlags = [ - "EFIDIR=nixos" - "prefix=$(out)" - "LIBDIR=$(out)/lib" - "GNUEFIDIR=${gnu-efi}/lib" - "ESPMOUNTPOINT=$(out)/boot" - ]; - - nativeBuildInputs = [ - pkgconfig - gettext - ]; - - buildInputs = [ - gnu-efi - libsmbios - popt - ]; - - propagatedBuildInputs = [ - efivar - ]; - - postInstall = '' - rm -rf $out/src - rm -rf $out/lib/debug - ''; - - meta = with stdenv.lib; { - description = "Tools for using the ESRT and UpdateCapsule() to apply firmware updates"; - maintainers = with maintainers; [ ]; - license = licenses.gpl2; - platforms = platforms.linux; - }; -} diff --git a/pkgs/os-specific/linux/firmware/fwupdate/do-not-create-sharedstatedir.patch b/pkgs/os-specific/linux/firmware/fwupdate/do-not-create-sharedstatedir.patch deleted file mode 100644 index b8588ef2b11a..000000000000 --- a/pkgs/os-specific/linux/firmware/fwupdate/do-not-create-sharedstatedir.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- a/linux/Makefile -+++ b/linux/Makefile -@@ -131,7 +131,6 @@ - ln -fs $(x) $(patsubst %.so.1.$(VERSION),%.so.1,$(DESTDIR)$(libdir)/$(x)) ;\ - ln -fs $(x) $(patsubst %.so.1.$(VERSION),%.so,$(DESTDIR)$(libdir)/$(x)) ;\ - ) -- $(INSTALL) -d -m 755 $(DESTDIR)$(sharedstatedir)/fwupdate/ - $(INSTALL) -d -m 755 $(DESTDIR)$(libexecdir)/fwupdate/ - $(INSTALL) -m 755 cleanup $(DESTDIR)$(libexecdir)/fwupdate/cleanup - $(INSTALL) -d -m 755 $(DESTDIR)$(libdatadir)/systemd/system diff --git a/pkgs/os-specific/linux/fscrypt/default.nix b/pkgs/os-specific/linux/fscrypt/default.nix index 9f734a47c29b..608a6d5fa70a 100644 --- a/pkgs/os-specific/linux/fscrypt/default.nix +++ b/pkgs/os-specific/linux/fscrypt/default.nix @@ -4,13 +4,13 @@ buildGoModule rec { pname = "fscrypt"; - version = "0.2.7"; + version = "0.2.8"; src = fetchFromGitHub { owner = "google"; repo = "fscrypt"; rev = "v${version}"; - sha256 = "0h1ssw9x37hvks8rcnsjq4nsl6djmhx53iiwrw8fw4lf3nlmdzpx"; + sha256 = "0433f9kx43842ic8dydxhz8plyyrrxvqqwg7kd5ghn599ix28avy"; }; postPatch = '' @@ -19,7 +19,7 @@ buildGoModule rec { --replace "/usr/local" "$out" ''; - modSha256 = "110b647q6ljsg5gwlciqv4cddxmk332nahcrpidrpsiqs2yjv1md"; + vendorSha256 = "0yak221mlyfacvlsaq9g3xiyk94n94vqgkbaji8d21pi8hhr38m6"; nativeBuildInputs = [ gnum4 ]; buildInputs = [ pam ]; diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix index 52b280c30261..59656f54db28 100644 --- a/pkgs/os-specific/linux/kernel-headers/default.nix +++ b/pkgs/os-specific/linux/kernel-headers/default.nix @@ -29,8 +29,8 @@ let "cc-version:=9999" "cc-fullversion:=999999" # `$(..)` expanded by make alone - "HOSTCC:=$(BUILD_CC)" - "HOSTCXX:=$(BUILD_CXX)" + "HOSTCC:=$(CC_FOR_BUILD)" + "HOSTCXX:=$(CXX_FOR_BUILD)" ]; # Skip clean on darwin, case-sensitivity issues. diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 636d174b1551..d239455ad344 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -42,7 +42,7 @@ let TIMER_STATS = whenOlder "4.11" yes; DEBUG_NX_TEST = whenOlder "4.11" no; DEBUG_STACK_USAGE = no; - DEBUG_STACKOVERFLOW = mkIf (!features.grsecurity) no; + DEBUG_STACKOVERFLOW = mkIf (!features.grsecurity) (option no); RCU_TORTURE_TEST = no; SCHEDSTATS = no; DETECT_HUNG_TASK = yes; @@ -184,7 +184,6 @@ let # needed for ss INET_DIAG = yes; - INET_TCP_DIAG = module; INET_UDP_DIAG = module; INET_RAW_DIAG = whenAtLeast "4.14" module; INET_DIAG_DESTROY = whenAtLeast "4.9" yes; @@ -219,6 +218,7 @@ let FB_3DFX_ACCEL = yes; FB_VESA = yes; FRAMEBUFFER_CONSOLE = yes; + FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = whenAtLeast "4.19" yes; FRAMEBUFFER_CONSOLE_ROTATION = yes; FB_GEODE = mkIf (stdenv.hostPlatform.system == "i686-linux") yes; }; @@ -364,7 +364,7 @@ let CIFS_STATS = whenOlder "4.19" yes; CIFS_WEAK_PW_HASH = yes; CIFS_UPCALL = yes; - CIFS_ACL = yes; + CIFS_ACL = option yes; CIFS_DFS_UPCALL = yes; CIFS_SMB2 = whenOlder "4.13" yes; @@ -395,7 +395,7 @@ let DEBUG_SET_MODULE_RONX = { optional = true; tristate = whenOlder "4.11" "y"; }; RANDOMIZE_BASE = option yes; STRICT_DEVMEM = option yes; # Filter access to /dev/mem - SECURITY_SELINUX_BOOTPARAM_VALUE = freeform "0"; # Disable SELinux by default + SECURITY_SELINUX_BOOTPARAM_VALUE = option (freeform "0"); # Disable SELinux by default # Prevent processes from ptracing non-children processes SECURITY_YAMA = option yes; DEVKMEM = mkIf (!features.grsecurity) no; # Disable /dev/kmem @@ -708,7 +708,7 @@ let KEXEC_JUMP = option yes; # Windows Logical Disk Manager (Dynamic Disk) support - LDM_PARTITION = yes; + LDM_PARTITION = option yes; LOGIRUMBLEPAD2_FF = yes; # Logitech Rumblepad 2 force feedback LOGO = no; # not needed MEDIA_ATTACH = yes; diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix index e6e1bd842363..a9d0cf451688 100644 --- a/pkgs/os-specific/linux/kernel/generic.nix +++ b/pkgs/os-specific/linux/kernel/generic.nix @@ -158,11 +158,8 @@ let ; }).config; - # structuredConfig = moduleStructuredConfig.settings; }; - - }; # end of configfile derivation kernel = (callPackage ./manual-config.nix {}) { diff --git a/pkgs/os-specific/linux/kernel/hardened-patches.json b/pkgs/os-specific/linux/kernel/hardened-patches.json deleted file mode 100644 index 118998a605b2..000000000000 --- a/pkgs/os-specific/linux/kernel/hardened-patches.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "4.14": { - "name": "linux-hardened-4.14.179.a.patch", - "sha256": "0vdcg8713vhraqp04b6lw15qdrvg4iw646d54x6ic0421nxp9zmj", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.179.a/linux-hardened-4.14.179.a.patch" - }, - "4.19": { - "name": "linux-hardened-4.19.121.a.patch", - "sha256": "0bwjx7qbzd50607kr1abx3rd19iciry3p1y3a8sz5w3vb62j8m6z", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.121.a/linux-hardened-4.19.121.a.patch" - }, - "5.4": { - "name": "linux-hardened-5.4.39.a.patch", - "sha256": "1w9yc0j8vshjyvb2qgxjvrdgwiy5lmjn3s1rmlch649vqp97j9w7", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.39.a/linux-hardened-5.4.39.a.patch" - }, - "5.5": { - "name": "linux-hardened-5.5.19.a.patch", - "sha256": "1ya5nsfhr3nwz6qiz4pdhvm6k9mx1kr0prhdvhx3p40f1vk281sc", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.5.19.a/linux-hardened-5.5.19.a.patch" - }, - "5.6": { - "name": "linux-hardened-5.6.11.a.patch", - "sha256": "1b6cwffb2b21h9xh2acm9q9j55cay87zbv9jjayv69znry4mzsx3", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.6.11.a/linux-hardened-5.6.11.a.patch" - } -} diff --git a/pkgs/os-specific/linux/kernel/anthraxx.asc b/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc index 101ccfbf0f2b..101ccfbf0f2b 100644 --- a/pkgs/os-specific/linux/kernel/anthraxx.asc +++ b/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix index 95510fe218e3..95510fe218e3 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened/config.nix diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json new file mode 100644 index 000000000000..fa3718c4ad78 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/hardened/patches.json @@ -0,0 +1,22 @@ +{ + "4.14": { + "name": "linux-hardened-4.14.181.a.patch", + "sha256": "1rssvfhz10h7sqfi0ari1rsmm4h60v6bfj8fvb0yx6sxsvg7phd7", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.181.a/linux-hardened-4.14.181.a.patch" + }, + "4.19": { + "name": "linux-hardened-4.19.124.a.patch", + "sha256": "0g4kp112iarkyjw6qfdkc7j10d60jak7rlw2c1m537mb1a3zz7qm", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.124.a/linux-hardened-4.19.124.a.patch" + }, + "5.4": { + "name": "linux-hardened-5.4.42.a.patch", + "sha256": "1i066nk101banphs9gbcbvmyrhcvf83xf449rs6vxanb0yhwvqvn", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.42.a/linux-hardened-5.4.42.a.patch" + }, + "5.6": { + "name": "linux-hardened-5.6.14.a.patch", + "sha256": "1hnlhlssa2gwmww6j17768gn2fbw2f3v8c0cs423lg14r7plkv44", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.6.14.a/linux-hardened-5.6.14.a.patch" + } +} diff --git a/pkgs/os-specific/linux/kernel/tag-hardened.patch b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch index ff8a3a127973..ff8a3a127973 100644 --- a/pkgs/os-specific/linux/kernel/tag-hardened.patch +++ b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py new file mode 100755 index 000000000000..d6443d2e7511 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/hardened/update.py @@ -0,0 +1,276 @@ +#! /usr/bin/env nix-shell +#! nix-shell -i python -p "python38.withPackages (ps: [ps.PyGithub])" git gnupg + +# This is automatically called by ../update.sh. + +from __future__ import annotations + +import json +import os +import re +import subprocess +import sys +from dataclasses import dataclass +from pathlib import Path +from tempfile import TemporaryDirectory +from typing import ( + Dict, + Iterator, + List, + Optional, + Sequence, + Tuple, + TypedDict, + Union, +) + +from github import Github +from github.GitRelease import GitRelease + +VersionComponent = Union[int, str] +Version = List[VersionComponent] + + +Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str}) + + +@dataclass +class ReleaseInfo: + version: Version + release: GitRelease + + +HERE = Path(__file__).resolve().parent +NIXPKGS_KERNEL_PATH = HERE.parent +NIXPKGS_PATH = HERE.parents[4] +HARDENED_GITHUB_REPO = "anthraxx/linux-hardened" +HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc" +HARDENED_PATCHES_PATH = HERE / "patches.json" +MIN_KERNEL_VERSION: Version = [4, 14] + + +def run(*args: Union[str, Path]) -> subprocess.CompletedProcess[bytes]: + try: + return subprocess.run( + args, + check=True, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + encoding="utf-8", + ) + except subprocess.CalledProcessError as err: + print( + f"error: `{err.cmd}` failed unexpectedly\n" + f"status code: {err.returncode}\n" + f"stdout:\n{err.stdout.strip()}\n" + f"stderr:\n{err.stderr.strip()}", + file=sys.stderr, + ) + sys.exit(1) + + +def nix_prefetch_url(url: str) -> Tuple[str, Path]: + output = run("nix-prefetch-url", "--print-path", url).stdout + sha256, path = output.strip().split("\n") + return sha256, Path(path) + + +def verify_openpgp_signature( + *, name: str, trusted_key: Path, sig_path: Path, data_path: Path, +) -> bool: + with TemporaryDirectory(suffix=".nixpkgs-gnupg-home") as gnupg_home_str: + gnupg_home = Path(gnupg_home_str) + run("gpg", "--homedir", gnupg_home, "--import", trusted_key) + keyring = gnupg_home / "pubring.kbx" + try: + subprocess.run( + ("gpgv", "--keyring", keyring, sig_path, data_path), + check=True, + stderr=subprocess.PIPE, + encoding="utf-8", + ) + return True + except subprocess.CalledProcessError as err: + print( + f"error: signature for {name} failed to verify!", + file=sys.stderr, + ) + print(err.stderr, file=sys.stderr, end="") + return False + + +def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]: + def find_asset(filename: str) -> str: + try: + it: Iterator[str] = ( + asset.browser_download_url + for asset in release.get_assets() + if asset.name == filename + ) + return next(it) + except StopIteration: + raise KeyError(filename) + + patch_filename = f"{name}.patch" + try: + patch_url = find_asset(patch_filename) + sig_url = find_asset(patch_filename + ".sig") + except KeyError: + print(f"error: {patch_filename}{{,.sig}} not present", file=sys.stderr) + return None + + sha256, patch_path = nix_prefetch_url(patch_url) + _, sig_path = nix_prefetch_url(sig_url) + sig_ok = verify_openpgp_signature( + name=name, + trusted_key=HARDENED_TRUSTED_KEY, + sig_path=sig_path, + data_path=patch_path, + ) + if not sig_ok: + return None + + return Patch(name=patch_filename, url=patch_url, sha256=sha256) + + +def parse_version(version_str: str) -> Version: + version: Version = [] + for component in version_str.split("."): + try: + version.append(int(component)) + except ValueError: + version.append(component) + return version + + +def version_string(version: Version) -> str: + return ".".join(str(component) for component in version) + + +def major_kernel_version_key(kernel_version: Version) -> str: + return version_string(kernel_version[:-1]) + + +def commit_patches(*, kernel_key: str, message: str) -> None: + new_patches_path = HARDENED_PATCHES_PATH.with_suffix(".new") + with open(new_patches_path, "w") as new_patches_file: + json.dump(patches, new_patches_file, indent=4, sort_keys=True) + new_patches_file.write("\n") + os.rename(new_patches_path, HARDENED_PATCHES_PATH) + message = f"linux/hardened/patches/{kernel_key}: {message}" + print(message) + if os.environ.get("COMMIT"): + run( + "git", + "-C", + NIXPKGS_PATH, + "commit", + f"--message={message}", + HARDENED_PATCHES_PATH, + ) + + +# Load the existing patches. +patches: Dict[str, Patch] +with open(HARDENED_PATCHES_PATH) as patches_file: + patches = json.load(patches_file) + +# Get the set of currently packaged kernel versions. +kernel_versions = {} +for filename in os.listdir(NIXPKGS_KERNEL_PATH): + filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename) + if filename_match: + nix_version_expr = f""" + with import {NIXPKGS_PATH} {{}}; + (callPackage {NIXPKGS_KERNEL_PATH / filename} {{}}).version + """ + kernel_version_json = run( + "nix-instantiate", "--eval", "--json", "--expr", nix_version_expr, + ).stdout + kernel_version = parse_version(json.loads(kernel_version_json)) + if kernel_version < MIN_KERNEL_VERSION: + continue + kernel_key = major_kernel_version_key(kernel_version) + kernel_versions[kernel_key] = kernel_version + +# Remove patches for unpackaged kernel versions. +for kernel_key in sorted(patches.keys() - kernel_versions.keys()): + commit_patches(kernel_key=kernel_key, message="remove") + +g = Github(os.environ.get("GITHUB_TOKEN")) +repo = g.get_repo(HARDENED_GITHUB_REPO) +failures = False + +# Match each kernel version with the best patch version. +releases = {} +for release in repo.get_releases(): + version = parse_version(release.tag_name) + # needs to look like e.g. 5.6.3.a + if len(version) < 4: + continue + + kernel_version = version[:-1] + kernel_key = major_kernel_version_key(kernel_version) + try: + packaged_kernel_version = kernel_versions[kernel_key] + except KeyError: + continue + + release_info = ReleaseInfo(version=version, release=release) + + if kernel_version == packaged_kernel_version: + releases[kernel_key] = release_info + else: + # Fall back to the latest patch for this major kernel version, + # skipping patches for kernels newer than the packaged one. + if kernel_version > packaged_kernel_version: + continue + elif ( + kernel_key not in releases or releases[kernel_key].version < version + ): + releases[kernel_key] = release_info + +# Update hardened-patches.json for each release. +for kernel_key in sorted(releases.keys()): + release_info = releases[kernel_key] + release = release_info.release + version = release_info.version + version_str = release.tag_name + name = f"linux-hardened-{version_str}" + + old_version: Optional[Version] = None + old_version_str: Optional[str] = None + update: bool + try: + old_filename = patches[kernel_key]["name"] + old_version_str = old_filename.replace("linux-hardened-", "").replace( + ".patch", "" + ) + old_version = parse_version(old_version_str) + update = old_version < version + except KeyError: + update = True + + if update: + patch = fetch_patch(name=name, release=release) + if patch is None: + failures = True + else: + patches[kernel_key] = patch + if old_version: + message = f"{old_version_str} -> {version_str}" + else: + message = f"init at {version_str}" + commit_patches(kernel_key=kernel_key, message=message) + +missing_kernel_versions = kernel_versions.keys() - patches.keys() + +if missing_kernel_versions: + print( + f"warning: no patches for kernel versions " + + ", ".join(missing_kernel_versions), + file=sys.stderr, + ) + +if failures: + sys.exit(1) diff --git a/pkgs/os-specific/linux/kernel/linux-4.14.nix b/pkgs/os-specific/linux/kernel/linux-4.14.nix index b3dea589cd65..0f19efa16669 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.14.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix @@ -3,7 +3,7 @@ with stdenv.lib; buildLinux (args // rec { - version = "4.14.179"; + version = "4.14.181"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "10arrj3ppbxkn15yxqpxlz4k8yp2afzbfpp2nwfy6klhjiffp9sx"; + sha256 = "0kaasqhmg9in7pf4ldk9z4z1cjgv1c9xdr1ca0pznngygibym6xb"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-4.19.nix b/pkgs/os-specific/linux/kernel/linux-4.19.nix index 450c44f0aa09..c96fa330b5c0 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.19.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix @@ -3,7 +3,7 @@ with stdenv.lib; buildLinux (args // rec { - version = "4.19.121"; + version = "4.19.124"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "11bhjdaihhc42xhf4qxdkkjznc0i6igh0ahjbzr3fb8bmq9sirgv"; + sha256 = "005dznldnj1m03cbkc5pd2q2cv9jj1j6a0x2vh4p79ypg4c01nfm"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix index 81b32a932e1d..4818e7147503 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.4.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix @@ -1,11 +1,11 @@ { stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args: buildLinux (args // rec { - version = "4.4.222"; + version = "4.4.224"; extraMeta.branch = "4.4"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "02zxy5vjxgrqs0mkz5aj70v6pazhif7x5cm26rf8zh4idpmhk2zh"; + sha256 = "1lb8ypn558vk73bj4a20wq40cig9vmzjn2xzzdws78gfair6hxpg"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix index a9757aa2f10d..4cb219d1014b 100644 --- a/pkgs/os-specific/linux/kernel/linux-4.9.nix +++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix @@ -1,11 +1,11 @@ { stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args: buildLinux (args // rec { - version = "4.9.222"; + version = "4.9.224"; extraMeta.branch = "4.9"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz"; - sha256 = "0aajgflf96bj7chbd83rdmgcdwd025c6mz6li4cwbfx7xcb91kjc"; + sha256 = "0jf92cx0b3wq9fxa3169wk4wqvy58hglfk6lsynszy8kjplhfvfz"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix index 5ca72d8a6a5d..a27977b2bbce 100644 --- a/pkgs/os-specific/linux/kernel/linux-5.4.nix +++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix @@ -3,7 +3,7 @@ with stdenv.lib; buildLinux (args // rec { - version = "5.4.39"; + version = "5.4.42"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "1j35yf1nilb9z7lw8w2drpww7q2zy8zfr0ip8hwcbcd7c5d9chai"; + sha256 = "0cdwazpzfrrb2y5fp87v9yihy7v8mlbqjzxpzmv7p83609y1nhsf"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-5.5.nix b/pkgs/os-specific/linux/kernel/linux-5.5.nix deleted file mode 100644 index 96a349d985c9..000000000000 --- a/pkgs/os-specific/linux/kernel/linux-5.5.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args: - -with stdenv.lib; - -buildLinux (args // rec { - version = "5.5.19"; - - # modDirVersion needs to be x.y.z, will automatically add .0 if needed - modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; - - # branchVersion needs to be x.y - extraMeta.branch = versions.majorMinor version; - - src = fetchurl { - url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "1sqiw9d25sqqzdh04dd722i7ff6kchj869jp4l8zalpvf51k6j0l"; - }; -} // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-5.6.nix b/pkgs/os-specific/linux/kernel/linux-5.6.nix index 7cd3987f87c3..4ddb0c76b124 100644 --- a/pkgs/os-specific/linux/kernel/linux-5.6.nix +++ b/pkgs/os-specific/linux/kernel/linux-5.6.nix @@ -3,7 +3,7 @@ with stdenv.lib; buildLinux (args // rec { - version = "5.6.11"; + version = "5.6.14"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,6 +13,6 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "1ahv4a3mnszqs3qcnwmhbvjgis1jg37anj5jvn70i7s2k6z6rpfn"; + sha256 = "18vyxi64i93v4qyky5q62kkasm1da7wmz91xfkx3j7ki84skyxik"; }; } // (args.argsOverride or {})) diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix index 6f5f2524276b..31a2cc2aa157 100644 --- a/pkgs/os-specific/linux/kernel/linux-rpi.nix +++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix @@ -18,7 +18,7 @@ lib.overrideDerivation (buildLinux (args // { defconfig = { "1" = "bcmrpi_defconfig"; "2" = "bcm2709_defconfig"; - "3" = "bcmrpi3_defconfig"; + "3" = if stdenv.hostPlatform.isAarch64 then "bcmrpi3_defconfig" else "bcm2709_defconfig"; "4" = "bcm2711_defconfig"; }.${toString rpiVersion}; diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix index 8b5f1e58d142..f2f0fac3b7dd 100644 --- a/pkgs/os-specific/linux/kernel/linux-testing.nix +++ b/pkgs/os-specific/linux/kernel/linux-testing.nix @@ -3,7 +3,7 @@ with stdenv.lib; buildLinux (args // rec { - version = "5.7-rc4"; + version = "5.7-rc6"; extraMeta.branch = "5.7"; # modDirVersion needs to be x.y.z, will always add .0 @@ -11,7 +11,7 @@ buildLinux (args // rec { src = fetchurl { url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz"; - sha256 = "1mnknjiax24iaj9n5k0s55vp6fvmb40s931qxj24v5p1lc5fznvb"; + sha256 = "0g04zwdxks7pa5q6shl5xl2rml1w95rxq7sqkkadj11mpk2k89w4"; }; # Should the testing kernels ever be built on Hydra? diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 1c4af8c32a6f..8ce1ac2b587c 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -35,7 +35,7 @@ tag_hardened = { name = "tag-hardened"; - patch = ./tag-hardened.patch; + patch = ./hardened/tag-hardened.patch; }; hardened = let @@ -43,7 +43,7 @@ name = lib.removeSuffix ".patch" src.name; patch = fetchurl src; }; - patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json); + patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json); in lib.mapAttrs mkPatch patches; # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6 diff --git a/pkgs/os-specific/linux/kernel/update-hardened.py b/pkgs/os-specific/linux/kernel/update-hardened.py deleted file mode 100755 index 7f6949653afc..000000000000 --- a/pkgs/os-specific/linux/kernel/update-hardened.py +++ /dev/null @@ -1,229 +0,0 @@ -#! /usr/bin/env nix-shell -#! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg - -# This is automatically called by ./update.sh. - -import re -import json -import sys -import os.path -from glob import glob -import subprocess -from tempfile import TemporaryDirectory - -from github import Github - -HERE = os.path.dirname(os.path.realpath(__file__)) -HARDENED_GITHUB_REPO = 'anthraxx/linux-hardened' -HARDENED_TRUSTED_KEY = os.path.join(HERE, 'anthraxx.asc') -HARDENED_PATCHES_PATH = os.path.join(HERE, 'hardened-patches.json') -MIN_KERNEL_VERSION = [4, 14] - -def run(*args, **kwargs): - try: - return subprocess.run( - args, **kwargs, - check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, - ) - except subprocess.CalledProcessError as err: - print( - f'error: `{err.cmd}` failed unexpectedly\n' - f'status code: {err.returncode}\n' - f'stdout:\n{err.stdout.decode("utf-8").strip()}\n' - f'stderr:\n{err.stderr.decode("utf-8").strip()}', - file=sys.stderr, - ) - sys.exit(1) - -def nix_prefetch_url(url): - output = run('nix-prefetch-url', '--print-path', url).stdout - return output.decode('utf-8').strip().split('\n') - -def verify_openpgp_signature(*, name, trusted_key, sig_path, data_path): - with TemporaryDirectory(suffix='.nixpkgs-gnupg-home') as gnupg_home: - run('gpg', '--homedir', gnupg_home, '--import', trusted_key) - keyring = os.path.join(gnupg_home, 'pubring.kbx') - try: - subprocess.run( - ('gpgv', '--keyring', keyring, sig_path, data_path), - check=True, stderr=subprocess.PIPE, - ) - return True - except subprocess.CalledProcessError as err: - print( - f'error: signature for {name} failed to verify!', - file=sys.stderr, - ) - print(err.stderr.decode('utf-8'), file=sys.stderr, end='') - return False - -def fetch_patch(*, name, release): - def find_asset(filename): - try: - return next( - asset.browser_download_url - for asset in release.get_assets() - if asset.name == filename - ) - except StopIteration: - raise KeyError(filename) - - patch_filename = f'{name}.patch' - try: - patch_url = find_asset(patch_filename) - sig_url = find_asset(patch_filename + '.sig') - except KeyError: - print(f'error: {patch_filename}{{,.sig}} not present', file=sys.stderr) - return None - - sha256, patch_path = nix_prefetch_url(patch_url) - _, sig_path = nix_prefetch_url(sig_url) - sig_ok = verify_openpgp_signature( - name=name, - trusted_key=HARDENED_TRUSTED_KEY, - sig_path=sig_path, - data_path=patch_path, - ) - if not sig_ok: - return None - - return { - 'name': patch_filename, - 'url': patch_url, - 'sha256': sha256, - } - -def parse_version(version_str): - version = [] - for component in version_str.split('.'): - try: - version.append(int(component)) - except ValueError: - version.append(component) - return version - -def version_string(version): - return '.'.join(str(component) for component in version) - -def major_kernel_version_key(kernel_version): - return version_string(kernel_version[:-1]) - -def commit_patches(*, kernel_key, message): - with open(HARDENED_PATCHES_PATH + '.new', 'w') as new_patches_file: - json.dump(patches, new_patches_file, indent=4, sort_keys=True) - new_patches_file.write('\n') - os.rename(HARDENED_PATCHES_PATH + '.new', HARDENED_PATCHES_PATH) - message = f'linux/hardened-patches/{kernel_key}: {message}' - print(message) - if os.environ.get('COMMIT'): - run( - 'git', '-C', HERE, 'commit', f'--message={message}', - 'hardened-patches.json', - ) - -# Load the existing patches. -with open(HARDENED_PATCHES_PATH) as patches_file: - patches = json.load(patches_file) - -NIX_VERSION_RE = re.compile(r''' - \s* version \s* = - \s* " (?P<version> [^"]*) " - \s* ; \s* \n -''', re.VERBOSE) - -# Get the set of currently packaged kernel versions. -kernel_versions = {} -for filename in os.listdir(HERE): - filename_match = re.fullmatch(r'linux-(\d+)\.(\d+)\.nix', filename) - if filename_match: - with open(os.path.join(HERE, filename)) as nix_file: - for nix_line in nix_file: - match = NIX_VERSION_RE.fullmatch(nix_line) - if match: - kernel_version = parse_version(match.group('version')) - if kernel_version < MIN_KERNEL_VERSION: - continue - kernel_key = major_kernel_version_key(kernel_version) - kernel_versions[kernel_key] = kernel_version - -# Remove patches for unpackaged kernel versions. -for kernel_key in sorted(patches.keys() - kernel_versions.keys()): - commit_patches(kernel_key=kernel_key, message='remove') - -g = Github(os.environ.get('GITHUB_TOKEN')) -repo = g.get_repo(HARDENED_GITHUB_REPO) - -failures = False - -# Match each kernel version with the best patch version. -releases = {} -for release in repo.get_releases(): - version = parse_version(release.tag_name) - # needs to look like e.g. 5.6.3.a - if len(version) < 4: - continue - - kernel_version = version[:-1] - kernel_key = major_kernel_version_key(kernel_version) - try: - packaged_kernel_version = kernel_versions[kernel_key] - except KeyError: - continue - - release_info = { - 'version': version, - 'release': release, - } - - if kernel_version == packaged_kernel_version: - releases[kernel_key] = release_info - else: - # Fall back to the latest patch for this major kernel version, - # skipping patches for kernels newer than the packaged one. - if kernel_version > packaged_kernel_version: - continue - elif (kernel_key not in releases or - releases[kernel_key]['version'] < version): - releases[kernel_key] = release_info - -# Update hardened-patches.json for each release. -for kernel_key, release_info in releases.items(): - release = release_info['release'] - version = release_info['version'] - version_str = release.tag_name - name = f'linux-hardened-{version_str}' - - try: - old_filename = patches[kernel_key]['name'] - old_version_str = (old_filename - .replace('linux-hardened-', '') - .replace('.patch', '')) - old_version = parse_version(old_version_str) - update = old_version < version - except KeyError: - update = True - old_version = None - - if update: - patch = fetch_patch(name=name, release=release) - if patch is None: - failures = True - else: - patches[kernel_key] = patch - if old_version: - message = f'{old_version_str} -> {version_str}' - else: - message = f'init at {version_str}' - commit_patches(kernel_key=kernel_key, message=message) - -missing_kernel_versions = kernel_versions.keys() - patches.keys() - -if missing_kernel_versions: - print( - f'warning: no patches for kernel versions ' + - ', '.join(missing_kernel_versions), - file=sys.stderr, - ) - -if failures: - sys.exit(1) diff --git a/pkgs/os-specific/linux/kernel/update.sh b/pkgs/os-specific/linux/kernel/update.sh index c483661b6f5d..55fdce06c973 100755 --- a/pkgs/os-specific/linux/kernel/update.sh +++ b/pkgs/os-specific/linux/kernel/update.sh @@ -62,4 +62,4 @@ done COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh # Update linux-hardened -COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py +COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index b1abf50f5f1f..a70cb2e087fc 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -14,6 +14,9 @@ stdenv.mkDerivation rec { hardeningDisable = [ "format" "pic" "relro" "pie" ]; + # Prevent kexec-tools from using uname to detect target, which is wrong in + # cases like compiling for aarch32 on aarch64 + configurePlatforms = [ "build" "host" ]; configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" ]; depsBuildBuild = [ buildPackages.stdenv.cc ]; buildInputs = [ zlib ]; diff --git a/pkgs/os-specific/linux/lvm2/default.nix b/pkgs/os-specific/linux/lvm2/default.nix index c7925bae5581..8db4be94e4ed 100644 --- a/pkgs/os-specific/linux/lvm2/default.nix +++ b/pkgs/os-specific/linux/lvm2/default.nix @@ -47,17 +47,17 @@ stdenv.mkDerivation { patches = stdenv.lib.optionals stdenv.hostPlatform.isMusl [ (fetchpatch { name = "fix-stdio-usage.patch"; - url = "https://git.alpinelinux.org/cgit/aports/plain/main/lvm2/fix-stdio-usage.patch?h=3.7-stable&id=31bd4a8c2dc00ae79a821f6fe0ad2f23e1534f50"; + url = "https://git.alpinelinux.org/aports/plain/main/lvm2/fix-stdio-usage.patch?h=3.7-stable&id=31bd4a8c2dc00ae79a821f6fe0ad2f23e1534f50"; sha256 = "0m6wr6qrvxqi2d2h054cnv974jq1v65lqxy05g1znz946ga73k3p"; }) (fetchpatch { name = "mallinfo.patch"; - url = "https://git.alpinelinux.org/cgit/aports/plain/main/lvm2/mallinfo.patch?h=3.7-stable&id=31bd4a8c2dc00ae79a821f6fe0ad2f23e1534f50"; + url = "https://git.alpinelinux.org/aports/plain/main/lvm2/mallinfo.patch?h=3.7-stable&id=31bd4a8c2dc00ae79a821f6fe0ad2f23e1534f50"; sha256 = "0g6wlqi215i5s30bnbkn8w7axrs27y3bnygbpbnf64wwx7rxxlj0"; }) (fetchpatch { name = "mlockall-default-config.patch"; - url = "https://git.alpinelinux.org/cgit/aports/plain/main/lvm2/mlockall-default-config.patch?h=3.7-stable&id=31bd4a8c2dc00ae79a821f6fe0ad2f23e1534f50"; + url = "https://git.alpinelinux.org/aports/plain/main/lvm2/mlockall-default-config.patch?h=3.7-stable&id=31bd4a8c2dc00ae79a821f6fe0ad2f23e1534f50"; sha256 = "1ivbj3sphgf8n1ykfiv5rbw7s8dgnj5jcr9jl2v8cwf28lkacw5l"; }) ]; diff --git a/pkgs/os-specific/linux/microcode/intel.nix b/pkgs/os-specific/linux/microcode/intel.nix index b57c97c99e53..c0201fb01fd4 100644 --- a/pkgs/os-specific/linux/microcode/intel.nix +++ b/pkgs/os-specific/linux/microcode/intel.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { pname = "microcode-intel"; - version = "20200508"; + version = "20200520"; src = fetchFromGitHub { owner = "intel"; diff --git a/pkgs/os-specific/linux/musl/default.nix b/pkgs/os-specific/linux/musl/default.nix index d31a75fbba0b..51dcf4cfca33 100644 --- a/pkgs/os-specific/linux/musl/default.nix +++ b/pkgs/os-specific/linux/musl/default.nix @@ -19,10 +19,10 @@ let # iconv tool, implemented by musl author. # Original: http://git.etalabs.net/cgit/noxcuse/plain/src/iconv.c?id=02d288d89683e99fd18fe9f54d4e731a6c474a4f # We use copy from Alpine which fixes error messages, see: - # https://git.alpinelinux.org/cgit/aports/commit/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f + # https://git.alpinelinux.org/aports/commit/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f iconv_c = fetchurl { name = "iconv.c"; - url = "https://git.alpinelinux.org/cgit/aports/plain/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f"; + url = "https://git.alpinelinux.org/aports/plain/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f"; sha256 = "1mzxnc2ncq8lw9x6n7p00fvfklc9p3wfv28m68j0dfz5l8q2k6pp"; }; diff --git a/pkgs/os-specific/linux/nvidia-x11/builder.sh b/pkgs/os-specific/linux/nvidia-x11/builder.sh index 30e5d16b60f3..dbe18ace40a2 100755 --- a/pkgs/os-specific/linux/nvidia-x11/builder.sh +++ b/pkgs/os-specific/linux/nvidia-x11/builder.sh @@ -45,6 +45,17 @@ installPhase() { cp -prd tls "$out/lib/" fi + # Install systemd power management executables + if [ -e nvidia-sleep.sh ]; then + sed -E 's#(PATH=).*#\1"$PATH"#' nvidia-sleep.sh > nvidia-sleep.sh.fixed + install -Dm755 nvidia-sleep.sh.fixed $out/bin/nvidia-sleep.sh + fi + + if [ -e nvidia ]; then + sed -E "s#/usr(/bin/nvidia-sleep.sh)#$out\\1#" nvidia > nvidia.fixed + install -Dm755 nvidia.fixed $out/lib/systemd/system-sleep/nvidia + fi + for i in $lib32 $out; do rm -f $i/lib/lib{glx,nvidia-wfb}.so.* # handled separately rm -f $i/lib/libnvidia-gtk* # built from source @@ -91,7 +102,6 @@ installPhase() { done - if [ -n "$bin" ]; then # Install the X drivers. mkdir -p $bin/lib/xorg/modules @@ -167,5 +177,4 @@ installPhase() { fi } - genericBuild diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index 2e44a887d69a..fb969d7574a0 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -11,11 +11,11 @@ stdenv.mkDerivation rec { patches = stdenv.lib.optionals (stdenv.hostPlatform.libc == "musl") [ (fetchpatch { - url = "https://git.alpinelinux.org/cgit/aports/plain/main/linux-pam/fix-compat.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc"; + url = "https://git.alpinelinux.org/aports/plain/main/linux-pam/fix-compat.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc"; sha256 = "1h5yp5h2mqp1fcwiwwklyfpa69a3i03ya32pivs60fd7g5bqa7sf"; }) (fetchpatch { - url = "https://git.alpinelinux.org/cgit/aports/plain/main/linux-pam/libpam-fix-build-with-eglibc-2.16.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc"; + url = "https://git.alpinelinux.org/aports/plain/main/linux-pam/libpam-fix-build-with-eglibc-2.16.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc"; sha256 = "1ib6shhvgzinjsc603k2x1lxh9dic6qq449fnk110gc359m23j81"; }) # From adelie's package repo, using local copy since it seems to be currently offline. diff --git a/pkgs/os-specific/linux/powerstat/default.nix b/pkgs/os-specific/linux/powerstat/default.nix index f5b54769f003..dd3b24dd19a2 100644 --- a/pkgs/os-specific/linux/powerstat/default.nix +++ b/pkgs/os-specific/linux/powerstat/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { pname = "powerstat"; - version = "0.02.22"; + version = "0.02.23"; src = fetchurl { url = "https://kernel.ubuntu.com/~cking/tarballs/${pname}/${pname}-${version}.tar.gz"; - sha256 = "0r355b9syqa2nhfy8ksvxyy5d58v0isf983842js091s6liy0x7g"; + sha256 = "1yj8ja0hw92wscazxh9vr3qdz24wpw2fgd3w7w088srfzg2aqf3a"; }; installFlags = [ "DESTDIR=${placeholder "out"}" ]; diff --git a/pkgs/os-specific/linux/powertop/default.nix b/pkgs/os-specific/linux/powertop/default.nix index d57b511af346..bcac7ab63c0a 100644 --- a/pkgs/os-specific/linux/powertop/default.nix +++ b/pkgs/os-specific/linux/powertop/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { patches = stdenv.lib.optional stdenv.hostPlatform.isMusl ( fetchpatch { name = "strerror_r.patch"; - url = "https://git.alpinelinux.org/cgit/aports/plain/main/powertop/strerror_r.patch?id=3b9214d436f1611f297b01f72469d66bfe729d6e"; + url = "https://git.alpinelinux.org/aports/plain/main/powertop/strerror_r.patch?id=3b9214d436f1611f297b01f72469d66bfe729d6e"; sha256 = "1kzddhcrb0n2iah4lhgxwwy4mkhq09ch25jjngyq6pdj6pmfkpfw"; } ) ++ [ diff --git a/pkgs/os-specific/linux/sysstat/default.nix b/pkgs/os-specific/linux/sysstat/default.nix index a27f65852023..258da07c40b6 100644 --- a/pkgs/os-specific/linux/sysstat/default.nix +++ b/pkgs/os-specific/linux/sysstat/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, gettext, bzip2 }: stdenv.mkDerivation rec { - name = "sysstat-12.3.1"; + name = "sysstat-12.3.2"; src = fetchurl { url = "http://pagesperso-orange.fr/sebastien.godard/${name}.tar.xz"; - sha256 = "1hf1sy7akribmgavadqccxpy49yv0zfb3m81d2bj6jf8pyzwcrbq"; + sha256 = "0gaas16q2f7qmrv4sbqk2l2mrc7yr64s33bzw4094p59fkylm7k4"; }; buildInputs = [ gettext ]; diff --git a/pkgs/os-specific/linux/uclibc/default.nix b/pkgs/os-specific/linux/uclibc/default.nix index 5f4014110747..c9da86b7898a 100644 --- a/pkgs/os-specific/linux/uclibc/default.nix +++ b/pkgs/os-specific/linux/uclibc/default.nix @@ -48,7 +48,7 @@ let UCLIBC_HAS_FPU n ''; - version = "1.0.32"; + version = "1.0.33"; in stdenv.mkDerivation { @@ -58,7 +58,7 @@ stdenv.mkDerivation { src = fetchurl { url = "https://downloads.uclibc-ng.org/releases/${version}/uClibc-ng-${version}.tar.bz2"; # from "${url}.sha256"; - sha256 = "0cp4xf3k0ib76xaz6n6i7yybw7s92s607ak8svq1kakwk0d1jjbv"; + sha256 = "0qy9xsqacrhhrxd16azm26pqb2ks6c43wbrlq3i8xmq2917kw3xi"; }; # 'ftw' needed to build acl, a coreutils dependency diff --git a/pkgs/os-specific/linux/wpa_supplicant/gui.nix b/pkgs/os-specific/linux/wpa_supplicant/gui.nix index d60ff7f364c5..911b0331f4cd 100644 --- a/pkgs/os-specific/linux/wpa_supplicant/gui.nix +++ b/pkgs/os-specific/linux/wpa_supplicant/gui.nix @@ -1,14 +1,23 @@ -{ stdenv, mkDerivation, qtbase, qmake, inkscape, imagemagick, wpa_supplicant }: +{ stdenv, mkDerivation, fetchpatch, qtbase, qmake, inkscape, imagemagick, wpa_supplicant }: mkDerivation { name = "wpa_gui-${wpa_supplicant.version}"; inherit (wpa_supplicant) src; + patches = [ + # Fix build with Inkscape 1.0 + # https://github.com/NixOS/nixpkgs/issues/86930 + (fetchpatch { + url = "https://w1.fi/cgit/hostap/patch/?id=0388992905a5c2be5cba9497504eaea346474754"; + sha256 = "YDSY7l/qEco+aZYcYHLf/rxCKvPw35ibGoMorjA5GhY="; + }) + ]; + buildInputs = [ qtbase ]; nativeBuildInputs = [ qmake inkscape imagemagick ]; - prePatch = '' + postPatch = '' cd wpa_supplicant/wpa_gui-qt4 ''; diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 563735deeeb4..581316dc74db 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -42,12 +42,7 @@ let inherit rev sha256; }; - patches = [ (fetchpatch { - # https://github.com/openzfs/zfs/pull/9961#issuecomment-585827288 - # will be included in zfs 0.5.4 as well - url = "https://gist.githubusercontent.com/satmandu/67cbae9c4d461be0e64428a1707aef1c/raw/ba0fb65f17ccce5b710e4ce86a095de577f7dfe1/k5.6.3.patch"; - sha256 = "0zay7cz078v7wcnk7xl96blp7j6y64q1migb91c7h66zkpikqvgb"; - }) ] ++ extraPatches; + patches = [ ] ++ extraPatches; postPatch = optionalString buildKernel '' patchShebangs scripts @@ -192,9 +187,9 @@ in { # incompatibleKernelVersion = "4.20"; # this package should point to the latest release. - version = "0.8.3"; + version = "0.8.4"; - sha256 = "0viql8rnqr32diapkpdsrwm6xj8vw5vi4dk2x2m7s7g0q2zdkahw"; + sha256 = "1hl4n900d24gl4vd65qdzq4m62b7bpvckldazcbd1xqcn8xhi6wp"; }; zfsUnstable = common { @@ -202,9 +197,9 @@ in { # incompatibleKernelVersion = "4.19"; # this package should point to a version / git revision compatible with the latest kernel release - version = "0.8.3"; + version = "0.8.4"; - sha256 = "0viql8rnqr32diapkpdsrwm6xj8vw5vi4dk2x2m7s7g0q2zdkahw"; + sha256 = "1hl4n900d24gl4vd65qdzq4m62b7bpvckldazcbd1xqcn8xhi6wp"; isUnstable = true; }; } |