public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

linux-hardened: Track extra version 

Fixes #108707
This commit is contained in:
Tim Steinbach 2021-01-07 14:39:27 -05:00 committed by Tim Steinbach
parent 58514b3428
commit 4312cd74f1
4 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkgs/os-specific/linux/kernel/hardened/patches.json
View File

@ -1,25 +1,30 @@
{ {
"4.14": { "4.14": {
"extra": "",
"name": "linux-hardened-4.14.213.a.patch", "name": "linux-hardened-4.14.213.a.patch",
"sha256": "0lkjgg6cbsaiypxij7p00q3y094qf0h172hc2p7wgy39777b45a7", "sha256": "0lkjgg6cbsaiypxij7p00q3y094qf0h172hc2p7wgy39777b45a7",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.213.a/linux-hardened-4.14.213.a.patch" "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.213.a/linux-hardened-4.14.213.a.patch"
}, },
"4.19": { "4.19": {
"extra": ".a",
"name": "linux-hardened-4.19.165.a.patch", "name": "linux-hardened-4.19.165.a.patch",
"sha256": "06v34jaj4jg6f3v05wbkkfnr69ahxqyyq0gam4ma3wgm74x6cf3s", "sha256": "06v34jaj4jg6f3v05wbkkfnr69ahxqyyq0gam4ma3wgm74x6cf3s",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.165.a/linux-hardened-4.19.165.a.patch" "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.165.a/linux-hardened-4.19.165.a.patch"
}, },
"5.10": { "5.10": {
"extra": ".a",
"name": "linux-hardened-5.10.5.a.patch", "name": "linux-hardened-5.10.5.a.patch",
"sha256": "1fq2n60brhi6wjazkdgj2aqc4maskvlymbznl03hvj0x5kahjxvx", "sha256": "1fq2n60brhi6wjazkdgj2aqc4maskvlymbznl03hvj0x5kahjxvx",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.5.a/linux-hardened-5.10.5.a.patch" "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.5.a/linux-hardened-5.10.5.a.patch"
}, },
"5.4": { "5.4": {
"extra": ".a",
"name": "linux-hardened-5.4.87.a.patch", "name": "linux-hardened-5.4.87.a.patch",
"sha256": "01hpww6lm00iry8z4z86hh86x66h3xbmxknxhmmhh2zwz6ahkmfd", "sha256": "01hpww6lm00iry8z4z86hh86x66h3xbmxknxhmmhh2zwz6ahkmfd",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.87.a/linux-hardened-5.4.87.a.patch" "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.87.a/linux-hardened-5.4.87.a.patch"
}, },
"5.9": { "5.9": {
"extra": "",
"name": "linux-hardened-5.9.16.a.patch", "name": "linux-hardened-5.9.16.a.patch",
"sha256": "024wdzc9bwgr4nd4z0l6bazcl35jczhsmdl2lb26bvffjwg207rw", "sha256": "024wdzc9bwgr4nd4z0l6bazcl35jczhsmdl2lb26bvffjwg207rw",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.9.16.a/linux-hardened-5.9.16.a.patch" "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.9.16.a/linux-hardened-5.9.16.a.patch"

11
pkgs/os-specific/linux/kernel/hardened/update.py
View File

@ -31,7 +31,7 @@ VersionComponent = Union[int, str]
Version = List[VersionComponent] Version = List[VersionComponent]
Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str}) Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str})
@dataclass @dataclass
@ -99,7 +99,10 @@ def verify_openpgp_signature(
return False return False
def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]: def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
release = release_info.release
extra = f'.{release_info.version[-1]}'
def find_asset(filename: str) -> str: def find_asset(filename: str) -> str:
try: try:
it: Iterator[str] = ( it: Iterator[str] = (
@ -130,7 +133,7 @@ def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
if not sig_ok: if not sig_ok:
return None return None
return Patch(name=patch_filename, url=patch_url, sha256=sha256) return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra)
def parse_version(version_str: str) -> Version: def parse_version(version_str: str) -> Version:
@ -252,7 +255,7 @@ for kernel_key in sorted(releases.keys()):
update = True update = True
if update: if update:
patch = fetch_patch(name=name, release=release) patch = fetch_patch(name=name, release_info=release_info)
if patch is None: if patch is None:
failures = True failures = True
else: else:

3
pkgs/os-specific/linux/kernel/patches.nix
View File

@ -41,7 +41,8 @@
hardened = let hardened = let
mkPatch = kernelVersion: src: { mkPatch = kernelVersion: src: {
name = lib.removeSuffix ".patch" src.name; name = lib.removeSuffix ".patch" src.name;
patch = fetchurl src; patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src);
extra = src.extra;
}; };
patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json); patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
in lib.mapAttrs mkPatch patches; in lib.mapAttrs mkPatch patches;

2
pkgs/top-level/all-packages.nix
View File

@ -19014,7 +19014,7 @@ in
kernelPatches.tag_hardened kernelPatches.tag_hardened
kernelPatches.hardened.${kernel.meta.branch} kernelPatches.hardened.${kernel.meta.branch}
]; ];
modDirVersionArg = kernel.modDirVersion + "-hardened"; modDirVersionArg = kernel.modDirVersion + (kernelPatches.hardened.${kernel.meta.branch}).extra + "-hardened";
isHardened = true; isHardened = true;
}); });