linux/hardened: move files into directory
parent
abe4bef033
commit
d6fe0a4e2d
9 changed files with 14 additions and 12 deletions
|
@ -14,7 +14,7 @@ with lib;
|
||||||
freeform = x: { freeform = x; };
|
freeform = x: { freeform = x; };
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Common patterns/legacy used in common-config/hardened-config.nix
|
Common patterns/legacy used in common-config/hardened/config.nix
|
||||||
*/
|
*/
|
||||||
whenHelpers = version: {
|
whenHelpers = version: {
|
||||||
whenAtLeast = ver: mkIf (versionAtLeast version ver);
|
whenAtLeast = ver: mkIf (versionAtLeast version ver);
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
#! /usr/bin/env nix-shell
|
#! /usr/bin/env nix-shell
|
||||||
#! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
|
#! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
|
||||||
|
|
||||||
# This is automatically called by ./update.sh.
|
# This is automatically called by ../update.sh.
|
||||||
|
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
|
@ -14,9 +14,11 @@ from tempfile import TemporaryDirectory
|
||||||
from github import Github
|
from github import Github
|
||||||
|
|
||||||
HERE = Path(__file__).resolve().parent
|
HERE = Path(__file__).resolve().parent
|
||||||
|
NIXPKGS_KERNEL_PATH = HERE.parent
|
||||||
|
NIXPKGS_PATH = HERE.parents[4]
|
||||||
HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
|
HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
|
||||||
HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
|
HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
|
||||||
HARDENED_PATCHES_PATH = HERE / "hardened-patches.json"
|
HARDENED_PATCHES_PATH = HERE / "patches.json"
|
||||||
MIN_KERNEL_VERSION = [4, 14]
|
MIN_KERNEL_VERSION = [4, 14]
|
||||||
|
|
||||||
|
|
||||||
|
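Review bot: `NIXPKGS_PATH = HERE.parents[4]` hard-codes how deep the script sits below the nixpkgs root without saying what layout it expects, so the next file move will silently break the `git -C NIXPKGS_PATH commit` in commit_patches with a confusing git error rather than a clear one. The shell hunk later in this commit shows the intended location, `pkgs/os-specific/linux/kernel/hardened/update.py`, which is five levels down; a comment should pin that: `NIXPKGS_PATH = HERE.parents[4]  # hardened/ -> kernel/ -> linux/ -> os-specific/ -> pkgs/ -> <nixpkgs>`. The sibling constant deserves the same treatment: `NIXPKGS_KERNEL_PATH = HERE.parent  # pkgs/os-specific/linux/kernel, where the linux-X.Y.nix files live`.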
@ -128,16 +130,16 @@ def commit_patches(*, kernel_key, message):
|
||||||
json.dump(patches, new_patches_file, indent=4, sort_keys=True)
|
json.dump(patches, new_patches_file, indent=4, sort_keys=True)
|
||||||
new_patches_file.write("\n")
|
new_patches_file.write("\n")
|
||||||
os.rename(new_patches_path, HARDENED_PATCHES_PATH)
|
os.rename(new_patches_path, HARDENED_PATCHES_PATH)
|
||||||
message = f"linux/hardened-patches/{kernel_key}: {message}"
|
message = f"linux/hardened/patches/{kernel_key}: {message}"
|
||||||
print(message)
|
print(message)
|
||||||
if os.environ.get("COMMIT"):
|
if os.environ.get("COMMIT"):
|
||||||
run(
|
run(
|
||||||
"git",
|
"git",
|
||||||
"-C",
|
"-C",
|
||||||
HERE,
|
NIXPKGS_PATH,
|
||||||
"commit",
|
"commit",
|
||||||
f"--message={message}",
|
f"--message={message}",
|
||||||
"hardened-patches.json",
|
HARDENED_PATCHES_PATH,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
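Review bot: The rewritten `run("git", "-C", NIXPKGS_PATH, "commit", f"--message={message}", HARDENED_PATCHES_PATH)` now passes an absolute path as the pathspec while `-C` moves git's cwd to the repository root; git accepts absolute pathspecs that lie inside the work tree, but the call then silently depends on `NIXPKGS_PATH` (derived from `HERE.parents[4]` earlier in the file) actually being the checkout that contains `HERE`. Passing `HARDENED_PATCHES_PATH.relative_to(NIXPKGS_PATH)` instead makes that assumption explicit and fails early with a `ValueError` if the directory layout ever diverges. The arguments stay a list, so the interpolated `kernel_key` and `message` never reach a shell. commit_patches starts before this hunk.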
@ -156,10 +158,10 @@ NIX_VERSION_RE = re.compile(
|
||||||
|
|
||||||
# Get the set of currently packaged kernel versions.
|
# Get the set of currently packaged kernel versions.
|
||||||
kernel_versions = {}
|
kernel_versions = {}
|
||||||
for filename in os.listdir(HERE):
|
for filename in os.listdir(NIXPKGS_KERNEL_PATH):
|
||||||
filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename)
|
filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename)
|
||||||
if filename_match:
|
if filename_match:
|
||||||
with open(HERE / filename) as nix_file:
|
with open(NIXPKGS_KERNEL_PATH / filename) as nix_file:
|
||||||
for nix_line in nix_file:
|
for nix_line in nix_file:
|
||||||
match = NIX_VERSION_RE.fullmatch(nix_line)
|
match = NIX_VERSION_RE.fullmatch(nix_line)
|
||||||
if match:
|
if match:
|
|
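Review bot: The loop at `for filename in os.listdir(NIXPKGS_KERNEL_PATH):` mixes `os.listdir` and a manual `/` join with the `Path` objects the rest of the file now uses for every location. Since `NIXPKGS_KERNEL_PATH` is a `Path`, `for nix_path in NIXPKGS_KERNEL_PATH.glob("linux-*.nix"):` together with `filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", nix_path.name)` and `with open(nix_path) as nix_file:` reads uniformly and drops the join. Behaviour is unchanged because the fullmatch still decides which files count. The enclosing block continues past the end of the hunk.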
@ -35,7 +35,7 @@
|
||||||
|
|
||||||
tag_hardened = {
|
tag_hardened = {
|
||||||
name = "tag-hardened";
|
name = "tag-hardened";
|
||||||
patch = ./tag-hardened.patch;
|
patch = ./hardened/tag-hardened.patch;
|
||||||
};
|
};
|
||||||
|
|
||||||
hardened = let
|
hardened = let
|
||||||
|
@ -43,7 +43,7 @@
|
||||||
name = lib.removeSuffix ".patch" src.name;
|
name = lib.removeSuffix ".patch" src.name;
|
||||||
patch = fetchurl src;
|
patch = fetchurl src;
|
||||||
};
|
};
|
||||||
patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json);
|
patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
|
||||||
in lib.mapAttrs mkPatch patches;
|
in lib.mapAttrs mkPatch patches;
|
||||||
|
|
||||||
# https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
|
# https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
|
||||||
|
|
|
@ -62,4 +62,4 @@ done
|
||||||
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
|
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
|
||||||
|
|
||||||
# Update linux-hardened
|
# Update linux-hardened
|
||||||
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py
|
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py
|
||||||
|
|
|
@ -17014,7 +17014,7 @@ in
|
||||||
|
|
||||||
# Hardened linux
|
# Hardened linux
|
||||||
hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
|
hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
|
||||||
structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
|
structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
|
||||||
inherit stdenv;
|
inherit stdenv;
|
||||||
inherit (kernel) version;
|
inherit (kernel) version;
|
||||||
};
|
};
|
||||||
|
|