nixpkgs/pkgs/os-specific/linux/kernel/patches.nix
Joachim Fasting e38b74ba89
grsecurity: work around for #20490
In `scripts/Makefile.modinst`, the code that generates the list of
modules to install passes file names via the command line.  When
installing a grsecurity kernel, this list appears to exceed the
shell's argument list limit, as in

    make[2]: execvp: /nix/store/[...]-bash-4.3-p46/bin/bash: Argument list too long

The build does not fail, however, but the list of modules to be installed ends
up being empty.  Thus, the resulting kernel package output contains no modules,
rendering it useless.

We work around this by patching the makefile to use `find -exec` to
process files.  Why this would occur for grsecurity and not other
kernels is unknown, most likely there's something *else* that is
actually causing this behaviour, so this is a temporary fix until that
cause is found.

Fixes https://github.com/NixOS/nixpkgs/issues/20490
2016-11-18 16:14:26 +01:00

160 lines
4.4 KiB
Nix

{ stdenv, fetchurl, fetchpatch, pkgs }:
let
makeTuxonicePatch = { version, kernelVersion, sha256,
url ? "http://tuxonice.nigelcunningham.com.au/downloads/all/tuxonice-for-linux-${kernelVersion}-${version}.patch.bz2" }:
{ name = "tuxonice-${kernelVersion}";
patch = stdenv.mkDerivation {
name = "tuxonice-${version}-for-${kernelVersion}.patch";
src = fetchurl {
inherit url sha256;
};
phases = [ "installPhase" ];
installPhase = ''
source $stdenv/setup
bunzip2 -c $src > $out
'';
};
};
grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha256 }: rec {
name = "grsecurity-${grver}-${kver}-${grrev}";
# Pass these along to allow the caller to determine compatibility
inherit grver kver grrev;
patch = fetchurl {
# When updating versions/hashes, ALWAYS use the official version; we use
# this mirror only because upstream removes sources files immediately upon
# releasing a new version ...
url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch";
inherit sha256;
};
features.grsecurity = true;
};
in
rec {
bridge_stp_helper =
{ name = "bridge-stp-helper";
patch = ./bridge-stp-helper.patch;
};
no_xsave =
{ name = "no-xsave";
patch = ./no-xsave.patch;
features.noXsave = true;
};
mips_fpureg_emu =
{ name = "mips-fpureg-emulation";
patch = ./mips-fpureg-emulation.patch;
};
mips_fpu_sigill =
{ name = "mips-fpu-sigill";
patch = ./mips-fpu-sigill.patch;
};
mips_ext3_n32 =
{ name = "mips-ext3-n32";
patch = ./mips-ext3-n32.patch;
};
modinst_arg_list_too_long =
{ name = "modinst-arglist-too-long";
patch = ./modinst-arg-list-too-long.patch;
};
ubuntu_fan_4_4 =
{ name = "ubuntu-fan";
patch = ./ubuntu-fan-4.4.patch;
};
ubuntu_unprivileged_overlayfs =
{ name = "ubuntu-unprivileged-overlayfs";
patch = ./ubuntu-unprivileged-overlayfs.patch;
};
tuxonice_3_10 = makeTuxonicePatch {
version = "2013-11-07";
kernelVersion = "3.10.18";
sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
};
grsecurity_testing = grsecPatch
{ kver = "4.8.8";
grrev = "201611150756";
sha256 = "04sankbjlrji3hrhgwfvmgkrh5ypblb706i0hch4sn3vcc0dq87b";
};
# This patch relaxes grsec constraints on the location of usermode helpers,
# e.g., modprobe, to allow calling into the Nix store.
grsecurity_nixos_kmod =
{
name = "grsecurity-nixos-kmod";
patch = ./grsecurity-nixos-kmod.patch;
};
# A temporary work-around for execvp: arglist too long error during
# module_install. Without this, no modules are installed into the
# resulting output.
grsecurity_modinst =
{ name = "grsecurity-modinst";
patch = ./grsecurity-modinst.patch;
};
crc_regression =
{ name = "crc-backport-regression";
patch = ./crc-regression.patch;
};
genksyms_fix_segfault =
{ name = "genksyms-fix-segfault";
patch = ./genksyms-fix-segfault.patch;
};
chromiumos_Kconfig_fix_entries_3_14 =
{ name = "Kconfig_fix_entries_3_14";
patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.14.patch;
};
chromiumos_Kconfig_fix_entries_3_18 =
{ name = "Kconfig_fix_entries_3_18";
patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.18.patch;
};
chromiumos_no_link_restrictions =
{ name = "chromium-no-link-restrictions";
patch = ./chromiumos-patches/no-link-restrictions.patch;
};
chromiumos_mfd_fix_dependency =
{ name = "mfd_fix_dependency";
patch = ./chromiumos-patches/mfd-fix-dependency.patch;
};
hiddev_CVE_2016_5829 =
{ name = "hiddev_CVE_2016_5829";
patch = fetchpatch {
url = "https://sources.debian.net/data/main/l/linux/4.6.3-1/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch";
sha256 = "14rm1qr87p7a5prz8g5fwbpxzdp3ighj095x8rvhm8csm20wspyy";
};
};
cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches;
lguest_entry-linkage =
{ name = "lguest-asmlinkage.patch";
patch = fetchpatch {
url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git"
+ "/patch/drivers/lguest/x86/core.c?id=cdd77e87eae52";
sha256 = "04xlx6al10cw039av6jkby7gx64zayj8m1k9iza40sw0fydcfqhc";
};
};
}