diff options
Diffstat (limited to 'pkgs/os-specific/linux')
5 files changed, 61 insertions, 26 deletions
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index 0a74554d6c6..3fd787bce6b 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -21,13 +21,13 @@ }: let - apparmor-version = "3.0.7"; + apparmor-version = "3.1.1"; apparmor-meta = component: with lib; { homepage = "https://apparmor.net/"; description = "A mandatory access control system - ${component}"; license = licenses.gpl2; - maintainers = with maintainers; [ joachifm julm thoughtpolice ]; + maintainers = with maintainers; [ julm thoughtpolice ]; platforms = platforms.linux; }; @@ -35,7 +35,7 @@ let owner = "apparmor"; repo = "apparmor"; rev = "v${apparmor-version}"; - hash = "sha256-iLZY0wZQr+YvR8JCwTeECDuqFb1sQCQtkiUksiYCvWs="; + hash = "sha256-phEHfrza0EeX2HEM5ts8wVCFlSLlnEtZd2MwbG/XbFY="; }; aa-teardown = writeShellScript "aa-teardown" '' diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix index daa8c1ae201..7e148b9145c 100644 --- a/pkgs/os-specific/linux/kernel-headers/default.nix +++ b/pkgs/os-specific/linux/kernel-headers/default.nix @@ -84,12 +84,12 @@ let in { inherit makeLinuxHeaders; - linuxHeaders = let version = "5.19"; in + linuxHeaders = let version = "6.0"; in makeLinuxHeaders { inherit version; src = fetchurl { - url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "1a05a3hw4w3k530mxhns96xw7hag743xw5w967yazqcykdbhq97z"; + url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz"; + sha256 = "sha256-XCRDpVON5SaI77VcJ6sFOcH161jAz9FqK5+7CP2BeI4="; }; patches = [ ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms diff --git a/pkgs/os-specific/linux/numactl/default.nix b/pkgs/os-specific/linux/numactl/default.nix index ac17a18273a..28157ffe167 100644 --- a/pkgs/os-specific/linux/numactl/default.nix +++ b/pkgs/os-specific/linux/numactl/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "numactl"; - version = "2.0.15"; + version = "2.0.16"; src = fetchFromGitHub { owner = pname; repo = pname; rev = "v${version}"; - sha256 = "sha256-mowDqCkAHDEV9AWCgAEWL0//sNMUk/K8w3eO7Wg+AwQ="; + sha256 = "sha256-aDKzkmvrPDzQl4n0KgeiU5LOLhQA0tmwzGiXvJDp7ZI="; }; nativeBuildInputs = [ autoreconfHook ]; diff --git a/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch b/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch new file mode 100644 index 00000000000..1cd3c2105e1 --- /dev/null +++ b/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: oxalica <oxalicc@pm.me> +Date: Tue, 4 Oct 2022 09:18:07 +0800 +Subject: [PATCH] core: don't taint on unmerged /usr + +NixOS has very different approach towards /bin and /sbin - they don't +really exist (except for /bin/sh and /usr/bin/env, because these are used +heavily in shebangs around the world). The concept of merged or unmerged +usr doesn't really apply here at all, it's neither of the two. +Users don't execute things from /bin or /sbin, there's nothing else in +there. In all cases, systemd doesn't look things up from /usr/bin or /bin, +so showing the taint isn't really helpful. + +See also: https://github.com/systemd/systemd/issues/24191 +--- + src/core/manager.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 33ded94a7c..8847479799 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -4488,10 +4488,6 @@ char* manager_taint_string(const Manager *m) { + if (m->taint_usr) + stage[n++] = "split-usr"; + +- _cleanup_free_ char *usrbin = NULL; +- if (readlink_malloc("/bin", &usrbin) < 0 || !PATH_IN_SET(usrbin, "usr/bin", "/usr/bin")) +- stage[n++] = "unmerged-usr"; +- + if (access("/proc/cgroups", F_OK) < 0) + stage[n++] = "cgroups-missing"; + diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 5b417369a55..1cde12f2022 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -92,7 +92,7 @@ , withOomd ? true , withPCRE2 ? true , withPolkit ? true -, withPortabled ? false +, withPortabled ? true , withRemote ? !stdenv.hostPlatform.isMusl , withResolved ? true , withShellCompletions ? true @@ -120,7 +120,7 @@ assert withHomed -> withCryptsetup; let wantCurl = withRemote || withImportd; wantGcrypt = withResolved || withImportd; - version = "251.4"; + version = "251.5"; # Bump this variable on every (major) version change. See below (in the meson options list) for why. # command: @@ -137,7 +137,7 @@ stdenv.mkDerivation { owner = "systemd"; repo = "systemd-stable"; rev = "v${version}"; - sha256 = "sha256-lfG6flT1k8LZBAdDK+cF9RjmJMkHMJquMjQK3MINFd8="; + sha256 = "sha256-2MEmvFT1D+9v8OazBwjnKc7i/x7i196Eoi8bODk1cM4="; }; # On major changes, or when otherwise required, you *must* reformat the patches, @@ -163,6 +163,7 @@ stdenv.mkDerivation { ./0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch ./0016-pkg-config-derive-prefix-from-prefix.patch ./0017-inherit-systemd-environment-when-calling-generators.patch + ./0018-core-don-t-taint-on-unmerged-usr.patch ] ++ lib.optional stdenv.hostPlatform.isMusl ( let oe-core = fetchzip { @@ -571,21 +572,22 @@ stdenv.mkDerivation { ]; # { replacement, search, where } -> List[str] - mkSubstitute = { replacement, search, where, ignore ? [] }: + mkSubstitute = { replacement, search, where, ignore ? [ ] }: map (path: "substituteInPlace ${path} --replace '${search}' \"${replacement}\"") where; - mkEnsureSubstituted = { replacement, search, where, ignore ? [] }: - let - ignore' = lib.concatStringsSep "|" (ignore ++ ["^test" "NEWS"]); - in '' - set +e - search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}") - set -e - if [[ -n "$search" ]]; then - echo "Not all references to '${search}' have been replaced. Found the following matches:" - echo "$search" - exit 1 - fi - ''; + mkEnsureSubstituted = { replacement, search, where, ignore ? [ ] }: + let + ignore' = lib.concatStringsSep "|" (ignore ++ [ "^test" "NEWS" ]); + in + '' + set +e + search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}") + set -e + if [[ -n "$search" ]]; then + echo "Not all references to '${search}' have been replaced. Found the following matches:" + echo "$search" + exit 1 + fi + ''; in '' mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org") @@ -677,7 +679,7 @@ stdenv.mkDerivation { # runtime; otherwise we can't and we need to reboot. interfaceVersion = 2; - inherit withCryptsetup withHostnamed withImportd withLocaled withMachined withTimedated withUtmp util-linux kmod kbd; + inherit withCryptsetup withHostnamed withImportd withLocaled withMachined withPortabled withTimedated withUtmp util-linux kmod kbd; tests = { inherit (nixosTests) switchTest; |