linux/hardened: move files into directory

Emily 2020-04-26 18:19:02 +01:00
parent abe4bef033
commit d6fe0a4e2d
9 changed files with 14 additions and 12 deletions


@ -14,7 +14,7 @@ with lib;
freeform = x: { freeform = x; };
/*
Common patterns/legacy used in common-config/hardened-config.nix
Common patterns/legacy used in common-config/hardened/config.nix
*/
whenHelpers = version: {
whenAtLeast = ver: mkIf (versionAtLeast version ver);


@ -1,7 +1,7 @@
#! /usr/bin/env nix-shell
#! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
# This is automatically called by ./update.sh.
# This is automatically called by ../update.sh.
import json
import os
@ -14,9 +14,11 @@ from tempfile import TemporaryDirectory
from github import Github
HERE = Path(__file__).resolve().parent
NIXPKGS_KERNEL_PATH = HERE.parent
NIXPKGS_PATH = HERE.parents[4]
HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
HARDENED_PATCHES_PATH = HERE / "hardened-patches.json"
HARDENED_PATCHES_PATH = HERE / "patches.json"
MIN_KERNEL_VERSION = [4, 14]
@ -128,16 +130,16 @@ def commit_patches(*, kernel_key, message):
json.dump(patches, new_patches_file, indent=4, sort_keys=True)
new_patches_file.write("\n")
os.rename(new_patches_path, HARDENED_PATCHES_PATH)
message = f"linux/hardened-patches/{kernel_key}: {message}"
message = f"linux/hardened/patches/{kernel_key}: {message}"
print(message)
if os.environ.get("COMMIT"):
run(
"git",
"-C",
HERE,
NIXPKGS_PATH,
"commit",
f"--message={message}",
"hardened-patches.json",
HARDENED_PATCHES_PATH,
)
@ -156,10 +158,10 @@ NIX_VERSION_RE = re.compile(
# Get the set of currently packaged kernel versions.
kernel_versions = {}
for filename in os.listdir(HERE):
for filename in os.listdir(NIXPKGS_KERNEL_PATH):
filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename)
if filename_match:
with open(HERE / filename) as nix_file:
with open(NIXPKGS_KERNEL_PATH / filename) as nix_file:
for nix_line in nix_file:
match = NIX_VERSION_RE.fullmatch(nix_line)
if match:
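Review bot: `NIXPKGS_PATH = HERE.parents[4]` in the second hunk pins the script's depth below the repository root as a bare index, and this commit's move is exactly the kind of change that would silently shift it, after which `git -C NIXPKGS_PATH commit` in the third hunk would run against the wrong directory. Annotate the constant with the layout it assumes, e.g. `NIXPKGS_PATH = HERE.parents[4]  # HERE is <nixpkgs>/pkgs/os-specific/linux/kernel/hardened`, and consider failing early with `if not (NIXPKGS_PATH / "pkgs" / "os-specific" / "linux" / "kernel").is_dir(): raise SystemExit(f"unexpected layout: {NIXPKGS_PATH}")`. Passing the absolute `HARDENED_PATCHES_PATH` to `git commit` instead of the old relative filename only works because `HERE` is built from `Path(__file__).resolve()`, which deserves a one-line comment where the constant is defined. The `commit_patches` function containing the third hunk starts outside the hunk.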


@ -35,7 +35,7 @@
tag_hardened = {
name = "tag-hardened";
patch = ./tag-hardened.patch;
patch = ./hardened/tag-hardened.patch;
};
hardened = let
@ -43,7 +43,7 @@
name = lib.removeSuffix ".patch" src.name;
patch = fetchurl src;
};
patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json);
patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
in lib.mapAttrs mkPatch patches;
# https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6


@ -62,4 +62,4 @@ done
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
# Update linux-hardened
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py


@ -17014,7 +17014,7 @@ in
# Hardened linux
hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
inherit stdenv;
inherit (kernel) version;
};