Commit Graph

625746 Commits

Author SHA1 Message Date
R. Ryantm
2d39d7708d wttrbar: 0.9.4 -> 0.10.1 2024-05-13 01:39:39 +00:00
R. Ryantm
55661b782b catppuccin-sddm-corners: unstable-2023-05-30 -> 0-unstable-2024-05-07 2024-05-13 01:34:10 +00:00
Albert Safin
d57ce05c49 katriawm: add updateScript 2024-05-13 00:52:14 +00:00
Albert Safin
868cc3f77f katriawm: format with nixfmt 2024-05-13 00:52:13 +00:00
Ryan Lahfa
a7cdcbc951
Merge pull request #311202 from emilylange/chromium-drm
chromium: remove internal widevine drv in favor of `widevine-cdm`
2024-05-13 02:29:09 +02:00
R. Ryantm
99ecfc12a0 glance: 0.3.0 -> 0.4.0 2024-05-13 00:23:34 +00:00
nicoo
e56d6f0cca
Merge #310602: init e1s at 1.0.34 2024-05-13 00:23:16 +00:00
nicoo
6432027fad
Merge pull request #310624 from Pandapip1/init-pythonpackages-optree
pythonPackages.optree: init 0.11.0
2024-05-13 00:18:45 +00:00
Moritz Sanft
a407b02ec1
python3Packages.miasm: init at 0.1.5-unstable-2024-04-28 (#310791) 2024-05-13 00:13:34 +00:00
ruby0b
5c81e2c45b pyload-ng: 0.5.0b3.dev80 -> 0.5.0b3.dev85 2024-05-13 02:07:42 +02:00
Albert Safin
82e9676428 bevelbar: 22.06 -> 23.08 2024-05-13 00:07:14 +00:00
Aaron Jheng
aa2a3f9d4f
temporal-cli, tctl-next: 0.11.0 -> 0.12.0 (#311083) 2024-05-13 00:06:44 +00:00
Albert Safin
dca280c9ca bevelbar: add updateScript 2024-05-13 00:06:36 +00:00
Albert Safin
a6326e273b bevelbar: format with nixfmt and remove with lib; 2024-05-13 00:05:43 +00:00
Franz Pletz
9bd52d8fd1
Merge pull request #311187 from leona-ya/keycloak-metrics-spi-aarch64 2024-05-13 02:02:29 +02:00
3JlOy_PYCCKUi
2f9350605a
torrentstream: 1.0.1.6 -> 1.0.1.11 (#311109) 2024-05-13 00:02:11 +00:00
R. Ryantm
eaaf17a9e0 python311Packages.py-synologydsm-api: 2.4.2 -> 2.4.3 2024-05-13 00:01:52 +00:00
Albert Safin
2d8cfea95d bevelbar: move to by-name 2024-05-13 00:00:56 +00:00
seth
fe3a605c4b
badkeys: init at 0.0.10 (#311128) 2024-05-12 23:56:56 +00:00
Fabian Affolter
acb262f8cc
python312Packages.peaqevcore: 19.9.4 -> 19.10.8 (#311132)
Changelog: https://github.com/elden1337/peaqev-core/releases/tag/19.10.8
2024-05-12 23:55:28 +00:00
nicoo
754508eab5
Merge #311152: mandown 1.7.0 -> 1.8.0, add updateScript 2024-05-12 23:54:09 +00:00
Anthony Roussel
f0703923e0
usql: 0.18.1 -> 0.19.1 (#311166)
https://github.com/xo/usql/compare/v0.18.1...v0.19.1
2024-05-12 23:50:04 +00:00
Martin Weinelt
8278bf9005
Merge pull request #311195 from mweinelt/hass-tests-update
home-assistant: update test setup
2024-05-13 01:48:09 +02:00
seth
ef91aa449e
python311Packages.apprise: adopt 2024-05-12 19:44:31 -04:00
seth
b1e8ff6178
python311Packages.apprise: modernize 2024-05-12 19:44:31 -04:00
seth
3167a2a6ef
python311Packages.apprise: disable nondeterministic tests 2024-05-12 19:44:28 -04:00
Peder Bergebakken Sundt
3f0a745165
Merge pull request #309602 from lhanson/siril-update
siril: 1.2.0 -> 1.2.1
2024-05-13 01:34:41 +02:00
Peder Bergebakken Sundt
238b3bd853
Merge pull request #309274 from james-atkins/epsonscan2-update
epsonscan2: 6.7.61.0 -> 6.7.63.0
2024-05-13 01:24:40 +02:00
Martin Weinelt
5a9b28e88b
Merge pull request #311197 from endocrimes/dani/fish-boogaloo
nixos/fish: Fix more lib references
2024-05-13 01:22:34 +02:00
emilylange
0333f6c792
chromium: remove internal widevine drv in favor of widevine-cdm
This gets rid of a lot of redundant logic that is already present in the
`widevine-cdm` package :)

The resulting directory structure is the same and works just as well.
2024-05-13 01:21:58 +02:00
Peder Bergebakken Sundt
c5108122c9
Merge pull request #308894 from TomaSajt/redisinsight
redisinsight: 2.32 -> 2.48.0
2024-05-13 01:20:09 +02:00
Danielle Lancashire
d0e35cbd3e
nixos/fish: Fix more lib references 2024-05-13 01:18:49 +02:00
Peder Bergebakken Sundt
5e5c48fd70
Merge pull request #308574 from cimm/update-payme
payme: 1.2.0 -> 1.2.2
2024-05-13 01:18:39 +02:00
Robert Schütz
e2b27c43ac
Merge pull request #311167 from r-ryantm/auto-update/python311Packages.pygraphviz
python311Packages.pygraphviz: 1.12 -> 1.13
2024-05-12 23:18:07 +00:00
Robert Schütz
990742e1e0
Merge pull request #298959 from dotlambda/flare-signal
flare-signal: 0.13.0 -> 0.14.1
2024-05-12 23:12:34 +00:00
Florian Klink
aff6a121a3
Merge pull request #311039 from DavHau/pr_smokeping
nixos/smokeping: use nginx instead of thttpd
2024-05-13 01:11:59 +02:00
Martin Weinelt
62d8091266
Merge pull request #311194 from endocrimes/dani/fix-fish
nixos/fish: fix reference to mapAttrsFlatten
2024-05-13 01:02:27 +02:00
Muhammad Falak R Wani
91237c9b94 fd: 9.0.0 -> 10.1.0
Diff: https://github.com/sharkdp/fd/compare/v9.0.0...v10.1.0
Changelog: https://github.com/sharkdp/fd/blob/v10.1.0/CHANGELOG.md
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
2024-05-13 09:00:27 +10:00
nicoo
6a956b0d04
Merge #311075: python312Packages.language-data 1.0.1 -> 1.2.0 2024-05-12 22:59:27 +00:00
Danielle Lancashire
f26c2aa2fc
nixos/fish: fix reference to mapAttrsFlatten 2024-05-13 00:58:30 +02:00
Martin Weinelt
515cb36da2
home-assistant: update test setup
Provide the qwikswitch component dependencies and update the set of
disabled tests.
2024-05-13 00:58:24 +02:00
R. Ryantm
cbe462d072 fontbakery: 0.12.2 -> 0.12.5 2024-05-12 22:50:32 +00:00
aszlig
2bb1556bf4
Merge pull request #289593 (confinement + DynamicUser)
This adds support for the systemd ProtectSystem and DynamicUser options
in conjunction with the systemd-confinement module, which has been a
limitation in the initial implementation and so far has thrown assertion
errors whenever those options were enabled.

Thanks to @ju1m, we now no longer need to resort to static users.

Review for this work took a little bit longer since I wanted to be
absolutely sure that we don't introduce any new regressions, which would
involve increasing the attack surface.

In the end however, we even managed to even lower the attack surface
even more since now the confined filesystem root is now read-only even
for the root user.
2024-05-13 00:42:48 +02:00
aszlig
e4bd1e8f92
nixos/confinement: Use prio 100 for RootDirectory
One of the module that already supports the systemd-confinement module
is public-inbox. However with the changes to support DynamicUser and
ProtectSystem, the module will now fail at runtime if confinement is
enabled (it's optional and you'll need to override it via another
module).

The reason is that the RootDirectory is set to /var/empty in the
public-inbox module, which doesn't work well with the InaccessiblePaths
directive we now use to support DynamicUser/ProtectSystem.

To make this issue more visible, I decided to just change the priority
of the RootDirectory option definiton the default override priority so
that whenever another different option is defined, we'll get a conflict
at evaluation time.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:41 +02:00
aszlig
0a9cecc35a
nixos/systemd-confinement: Make / read-only
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.

This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:

> The goal is to deny write access to / to non-root users,
>
>   * TemporaryFileSystem=/ gives us that through the ownership of / by
>     root (instead of the service's user inherited from
>     RuntimeDirectory=).
>   * ProtectSystem=strict gives us that by mounting / read-only (while
>     keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
>   ...
>
> I guess this would require at least two changes to the current tests:
>
>   1. to no longer expect root to be able to write to some paths (like
>      /bin) (at least not without first remounting / in read-write
>      mode).
>   2. to no longer expect non-root users to fail to write to certain
>      paths with a "permission denied" error code, but with a
>      "read-only file system" error code.

I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.

[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:40 +02:00
aszlig
27f36b5e57
nixos/tests/confinement: Parametrise subtests
This is to make sure that we test all of the DynamicUser/User/Group and
PrivateTmp options in a uniform way. The reason why we need to do this
is because we recently introduced support for the DynamicUser option and
since there are some corner cases where we might end up with more
elevated privileges (eg. writable directories in some cases), we want to
make sure that the environment is as restrictive as with a static
User/Group assignment.

I also removed various checks that try to os.chown(), since with our new
recursive checker those are redundant.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:38 +02:00
aszlig
51d3f3475c
nixos/tests/confinement: Run test probes in Python
So far the architecture for the tests was that we would use a systemd
socket unit using the Accept option to start a small shell process where
we can pipe commands into by connecting to the socket created by the
socket unit.

This is unnecessary since we can directly use the code snippets from the
individual subtests and systemd will take care of checking the return
code in case we get any assertions[^1].

Another advantage of this is that tests now run in parallel, so we can
do rather expensive things such as looking in /nix to see whether
anything is writable.

The new assert_permissions() function is the main driver behind this and
allows for a more fine-grained way to check whether we got the right
permissions whilst also ignoring irrelevant things such as read-only
empty directories.

Our previous approach also just did a read-only check, which might be
fine in full-apivfs mode where the attack surface already is large, but
in chroot-only mode we really want to make sure nothing is every
writable.

A downside of the new approach is that currently the unit names are
numbered via lib.imap1, which makes it annoying to track its definition.

[^1]: Speaking of assertions, I wrapped the code to be run with pytest's
      assertion rewriting, so that we get more useful AssertionErrors.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:36 +02:00
aszlig
f7d026b431
nixos/tests/confinement: Move to dedicated dir
When experimenting on ways how to refactor the test, I wrote a
significant enough amount of Python to warrant a dedicated Python file.

This commit is mainly to prepare for that and make it easier to track
renames.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:34 +02:00
aszlig
ba31b3753e
nixos/tests/confinement: Re-add description attr
The reason why I originally used the "description" attribute was that it
can be easily used to parametrise the tests so that we can specify
common constraints and apply it across a number of different
configurations.

When porting the tests to Python, the description attribute was replaced
by inlining it into the Python code, most probably because it was easier
to do in bulk since using Nix to generate the subtest parts would be
very complicated to do since we also had to please Black (a Python code
formatter that we no longer use in test scripts).

Since we now also want to support DynamicUser in systemd-confinement,
the need to parametrise the tests became apparent again because it's now
easier to refactor our subtests to run both with *and* without
DynamicUser set to true.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:32 +02:00
Julien Moutinho
0a5542c766
nixos/systemd-confinement: support ProtectSystem=/DynamicUser=
See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
2024-05-13 00:40:25 +02:00