diff options
| -rw-r--r-- | lib/kernel.nix | 2 | ||||
| -rw-r--r-- | pkgs/os-specific/linux/kernel/hardened/anthraxx.asc (renamed from pkgs/os-specific/linux/kernel/anthraxx.asc) | 0 | ||||
| -rw-r--r-- | pkgs/os-specific/linux/kernel/hardened/config.nix (renamed from pkgs/os-specific/linux/kernel/hardened-config.nix) | 0 | ||||
| -rw-r--r-- | pkgs/os-specific/linux/kernel/hardened/patches.json (renamed from pkgs/os-specific/linux/kernel/hardened-patches.json) | 0 | ||||
| -rw-r--r-- | pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch (renamed from pkgs/os-specific/linux/kernel/tag-hardened.patch) | 0 | ||||
| -rwxr-xr-x | pkgs/os-specific/linux/kernel/hardened/update.py (renamed from pkgs/os-specific/linux/kernel/update-hardened.py) | 16 | ||||
| -rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 4 | ||||
| -rwxr-xr-x | pkgs/os-specific/linux/kernel/update.sh | 2 | ||||
| -rw-r--r-- | pkgs/top-level/all-packages.nix | 2 |
9 files changed, 14 insertions, 12 deletions
diff --git a/lib/kernel.nix b/lib/kernel.nix index 2ce19f8cb68..8045a228d05 100644 --- a/lib/kernel.nix +++ b/lib/kernel.nix @@ -14,7 +14,7 @@ with lib; freeform = x: { freeform = x; }; /* - Common patterns/legacy used in common-config/hardened-config.nix + Common patterns/legacy used in common-config/hardened/config.nix */ whenHelpers = version: { whenAtLeast = ver: mkIf (versionAtLeast version ver); diff --git a/pkgs/os-specific/linux/kernel/anthraxx.asc b/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc index 101ccfbf0f2..101ccfbf0f2 100644 --- a/pkgs/os-specific/linux/kernel/anthraxx.asc +++ b/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix index 95510fe218e..95510fe218e 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened/config.nix diff --git a/pkgs/os-specific/linux/kernel/hardened-patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json index 118998a605b..118998a605b 100644 --- a/pkgs/os-specific/linux/kernel/hardened-patches.json +++ b/pkgs/os-specific/linux/kernel/hardened/patches.json diff --git a/pkgs/os-specific/linux/kernel/tag-hardened.patch b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch index ff8a3a12797..ff8a3a12797 100644 --- a/pkgs/os-specific/linux/kernel/tag-hardened.patch +++ b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch diff --git a/pkgs/os-specific/linux/kernel/update-hardened.py b/pkgs/os-specific/linux/kernel/hardened/update.py index bc9110578d6..1ef5acd3eb0 100755 --- a/pkgs/os-specific/linux/kernel/update-hardened.py +++ b/pkgs/os-specific/linux/kernel/hardened/update.py @@ -1,7 +1,7 @@ #! /usr/bin/env nix-shell #! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg -# This is automatically called by ./update.sh. +# This is automatically called by ../update.sh. import json import os @@ -14,9 +14,11 @@ from tempfile import TemporaryDirectory from github import Github HERE = Path(__file__).resolve().parent +NIXPKGS_KERNEL_PATH = HERE.parent +NIXPKGS_PATH = HERE.parents[4] HARDENED_GITHUB_REPO = "anthraxx/linux-hardened" HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc" -HARDENED_PATCHES_PATH = HERE / "hardened-patches.json" +HARDENED_PATCHES_PATH = HERE / "patches.json" MIN_KERNEL_VERSION = [4, 14] @@ -128,16 +130,16 @@ def commit_patches(*, kernel_key, message): json.dump(patches, new_patches_file, indent=4, sort_keys=True) new_patches_file.write("\n") os.rename(new_patches_path, HARDENED_PATCHES_PATH) - message = f"linux/hardened-patches/{kernel_key}: {message}" + message = f"linux/hardened/patches/{kernel_key}: {message}" print(message) if os.environ.get("COMMIT"): run( "git", "-C", - HERE, + NIXPKGS_PATH, "commit", f"--message={message}", - "hardened-patches.json", + HARDENED_PATCHES_PATH, ) @@ -156,10 +158,10 @@ NIX_VERSION_RE = re.compile( # Get the set of currently packaged kernel versions. kernel_versions = {} -for filename in os.listdir(HERE): +for filename in os.listdir(NIXPKGS_KERNEL_PATH): filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename) if filename_match: - with open(HERE / filename) as nix_file: + with open(NIXPKGS_KERNEL_PATH / filename) as nix_file: for nix_line in nix_file: match = NIX_VERSION_RE.fullmatch(nix_line) if match: diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 1c4af8c32a6..8ce1ac2b587 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -35,7 +35,7 @@ tag_hardened = { name = "tag-hardened"; - patch = ./tag-hardened.patch; + patch = ./hardened/tag-hardened.patch; }; hardened = let @@ -43,7 +43,7 @@ name = lib.removeSuffix ".patch" src.name; patch = fetchurl src; }; - patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json); + patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json); in lib.mapAttrs mkPatch patches; # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6 diff --git a/pkgs/os-specific/linux/kernel/update.sh b/pkgs/os-specific/linux/kernel/update.sh index c483661b6f5..55fdce06c97 100755 --- a/pkgs/os-specific/linux/kernel/update.sh +++ b/pkgs/os-specific/linux/kernel/update.sh @@ -62,4 +62,4 @@ done COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh # Update linux-hardened -COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py +COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 349bc242ee1..f6419394b2d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -17014,7 +17014,7 @@ in # Hardened linux hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override { - structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix { + structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix { inherit stdenv; inherit (kernel) version; }; |