From d6fe0a4e2dc2711480f87fe8c9fa9b66323e4c25 Mon Sep 17 00:00:00 2001
From: Emily
Date: Sun, 26 Apr 2020 18:19:02 +0100
Subject: [PATCH] linux/hardened: move files into directory
---
 lib/kernel.nix | 2 +-
 .../linux/kernel/{ => hardened}/anthraxx.asc | 0
 .../{hardened-config.nix => hardened/config.nix} | 0
 .../patches.json} | 0
 .../kernel/{ => hardened}/tag-hardened.patch | 0
 .../{update-hardened.py => hardened/update.py} | 16 +++++++++-------
 pkgs/os-specific/linux/kernel/patches.nix | 4 ++--
 pkgs/os-specific/linux/kernel/update.sh | 2 +-
 pkgs/top-level/all-packages.nix | 2 +-
 9 files changed, 14 insertions(+), 12 deletions(-)
 rename pkgs/os-specific/linux/kernel/{ => hardened}/anthraxx.asc (100%)
 rename pkgs/os-specific/linux/kernel/{hardened-config.nix => hardened/config.nix} (100%)
 rename pkgs/os-specific/linux/kernel/{hardened-patches.json => hardened/patches.json} (100%)
 rename pkgs/os-specific/linux/kernel/{ => hardened}/tag-hardened.patch (100%)
 rename pkgs/os-specific/linux/kernel/{update-hardened.py => hardened/update.py} (94%)
diff --git a/lib/kernel.nix b/lib/kernel.nix
index 2ce19f8cb68c..8045a228d05e 100644
--- a/lib/kernel.nix
+++ b/lib/kernel.nix
@@ -14,7 +14,7 @@ with lib;
 freeform = x: { freeform = x; };
 
 /*
- Common patterns/legacy used in common-config/hardened-config.nix
+ Common patterns/legacy used in common-config/hardened/config.nix
 */
 whenHelpers = version: {
 whenAtLeast = ver: mkIf (versionAtLeast version ver);
diff --git a/pkgs/os-specific/linux/kernel/anthraxx.asc b/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
similarity index 100%
rename from pkgs/os-specific/linux/kernel/anthraxx.asc
rename to pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
similarity index 100%
rename from pkgs/os-specific/linux/kernel/hardened-config.nix
rename to pkgs/os-specific/linux/kernel/hardened/config.nix
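Review bot: The rewritten comment in the lib/kernel.nix hunk, `Common patterns/legacy used in common-config/hardened/config.nix`, now reads as a single path that does not exist in the tree: this commit creates `pkgs/os-specific/linux/kernel/hardened/config.nix`, and the old wording (`common-config/hardened-config.nix`) appears to have been shorthand for two files, presumably `common-config.nix` plus the hardened config. Since the helpers are shared by both, spell them out so the next reader does not go looking for a `common-config/` directory: `Common patterns/legacy used in common-config.nix and hardened/config.nix`. The `whenHelpers` definition continues past the end of the hunk.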
diff --git a/pkgs/os-specific/linux/kernel/hardened-patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
similarity index 100%
rename from pkgs/os-specific/linux/kernel/hardened-patches.json
rename to pkgs/os-specific/linux/kernel/hardened/patches.json
diff --git a/pkgs/os-specific/linux/kernel/tag-hardened.patch b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
similarity index 100%
rename from pkgs/os-specific/linux/kernel/tag-hardened.patch
rename to pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
diff --git a/pkgs/os-specific/linux/kernel/update-hardened.py b/pkgs/os-specific/linux/kernel/hardened/update.py
similarity index 94%
rename from pkgs/os-specific/linux/kernel/update-hardened.py
rename to pkgs/os-specific/linux/kernel/hardened/update.py
index bc9110578d68..1ef5acd3eb07 100755
--- a/pkgs/os-specific/linux/kernel/update-hardened.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -1,7 +1,7 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
 
-# This is automatically called by ./update.sh.
+# This is automatically called by ../update.sh.
 
 import json
 import os
@@ -14,9 +14,11 @@ from tempfile import TemporaryDirectory
 from github import Github
 
 HERE = Path(__file__).resolve().parent
+NIXPKGS_KERNEL_PATH = HERE.parent
+NIXPKGS_PATH = HERE.parents[4]
 HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
 HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
-HARDENED_PATCHES_PATH = HERE / "hardened-patches.json"
+HARDENED_PATCHES_PATH = HERE / "patches.json"
 MIN_KERNEL_VERSION = [4, 14]
 
 
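Review bot: `NIXPKGS_PATH = HERE.parents[4]` hard-codes how deep this script sits below the repository root, and nothing validates the result before it is later handed to `git -C` as the repository to commit into; the next time `hardened/` (or the script) is moved one level, the constant silently points at whatever directory happens to be four levels up. The layout this commit establishes gives a cheap invariant to check right after the constant: `../update.sh` is documented at the top of this file as the caller and lives in `NIXPKGS_KERNEL_PATH`, so `if not (NIXPKGS_KERNEL_PATH / "update.sh").is_file(): raise RuntimeError(f"unexpected nixpkgs layout, refusing to use {NIXPKGS_PATH}")` turns a mis-resolved root into an immediate, readable failure instead of a confusing git error (or a commit in the wrong repo, if one happens to enclose the path). Deriving the root from `git rev-parse --show-toplevel` would be the more robust alternative, but the two-line guard keeps the change local to this hunk. A brief comment on the two new constants stating that `parents[4]` is the nixpkgs checkout root would also help; the intent is not obvious from the index alone.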
@@ -128,16 +130,16 @@ def commit_patches(*, kernel_key, message):
 json.dump(patches, new_patches_file, indent=4, sort_keys=True)
 new_patches_file.write("\n")
 os.rename(new_patches_path, HARDENED_PATCHES_PATH)
- message = f"linux/hardened-patches/{kernel_key}: {message}"
+ message = f"linux/hardened/patches/{kernel_key}: {message}"
 print(message)
 if os.environ.get("COMMIT"):
 run(
 "git",
 "-C",
- HERE,
+ NIXPKGS_PATH,
 "commit",
 f"--message={message}",
- "hardened-patches.json",
+ HARDENED_PATCHES_PATH,
 )
 
 
@@ -156,10 +158,10 @@ NIX_VERSION_RE = re.compile(
 
 # Get the set of currently packaged kernel versions.
 kernel_versions = {}
-for filename in os.listdir(HERE):
+for filename in os.listdir(NIXPKGS_KERNEL_PATH):
 filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename)
 if filename_match:
- with open(HERE / filename) as nix_file:
+ with open(NIXPKGS_KERNEL_PATH / filename) as nix_file:
 for nix_line in nix_file:
 match = NIX_VERSION_RE.fullmatch(nix_line)
 if match:
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 1c4af8c32a6f..8ce1ac2b587c 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -35,7 +35,7 @@
 
 tag_hardened = {
 name = "tag-hardened";
- patch = ./tag-hardened.patch;
+ patch = ./hardened/tag-hardened.patch;
 };
 
 hardened = let
@@ -43,7 +43,7 @@
 name = lib.removeSuffix ".patch" src.name;
 patch = fetchurl src;
 };
- patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json);
+ patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
 in lib.mapAttrs mkPatch patches;
 
 # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
diff --git a/pkgs/os-specific/linux/kernel/update.sh b/pkgs/os-specific/linux/kernel/update.sh
index c483661b6f5d..55fdce06c973 100755
--- a/pkgs/os-specific/linux/kernel/update.sh
+++ b/pkgs/os-specific/linux/kernel/update.sh
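Review bot: The new `git -C NIXPKGS_PATH commit ... HARDENED_PATCHES_PATH` invocation pairs an absolute pathspec with a separately derived repository root, and git only accepts the pathspec while it lies inside that root's worktree; if the two constants ever disagree (they are computed independently from `HERE` at the top of this file) the failure surfaces as a git pathspec error after `os.rename` has already overwritten the JSON on disk. Passing the path relative to the root makes that mismatch fail before git runs and keeps the commit command independent of where the checkout lives: `str(HARDENED_PATCHES_PATH.relative_to(NIXPKGS_PATH))`, which raises `ValueError` when the file is not under `NIXPKGS_PATH`. Whether a non-zero git exit is fatal depends on `run()`, which is defined outside this hunk; if it does not use `check=True`, a silent no-op commit is the other failure mode worth closing here. `commit_patches` starts before this hunk.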
@@ -62,4 +62,4 @@ done
 COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
 
 # Update linux-hardened
-COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py
+COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 349bc242ee1d..f6419394b2da 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -17014,7 +17014,7 @@ in
 
 # Hardened linux
 hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
- structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
+ structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
 inherit stdenv;
 inherit (kernel) version;
 };