linux/hardened: move files into directory
This commit is contained in:
parent
abe4bef033
commit
d6fe0a4e2d
9 changed files with 14 additions and 12 deletions
@ -14,7 +14,7 @@ with lib;
|
|||
freeform = x: { freeform = x; };
|
||||
|
||||
/*
|
||||
Common patterns/legacy used in common-config/hardened-config.nix
|
||||
Common patterns/legacy used in common-config/hardened/config.nix
|
||||
*/
|
||||
whenHelpers = version: {
|
||||
whenAtLeast = ver: mkIf (versionAtLeast version ver);
|
||||
|
@ -1,7 +1,7 @@
|
|||
#! /usr/bin/env nix-shell
|
||||
#! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
|
||||
|
||||
# This is automatically called by ./update.sh.
|
||||
# This is automatically called by ../update.sh.
|
||||
|
||||
import json
|
||||
import os
|
||||
|
@ -14,9 +14,11 @@ from tempfile import TemporaryDirectory
|
|||
from github import Github
|
||||
|
||||
HERE = Path(__file__).resolve().parent
|
||||
NIXPKGS_KERNEL_PATH = HERE.parent
|
||||
NIXPKGS_PATH = HERE.parents[4]
|
||||
HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
|
||||
HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
|
||||
HARDENED_PATCHES_PATH = HERE / "hardened-patches.json"
|
||||
HARDENED_PATCHES_PATH = HERE / "patches.json"
|
||||
MIN_KERNEL_VERSION = [4, 14]
|
||||
|
||||
|
||||
|
@ -128,16 +130,16 @@ def commit_patches(*, kernel_key, message):
|
|||
json.dump(patches, new_patches_file, indent=4, sort_keys=True)
|
||||
new_patches_file.write("\n")
|
||||
os.rename(new_patches_path, HARDENED_PATCHES_PATH)
|
||||
message = f"linux/hardened-patches/{kernel_key}: {message}"
|
||||
message = f"linux/hardened/patches/{kernel_key}: {message}"
|
||||
print(message)
|
||||
if os.environ.get("COMMIT"):
|
||||
run(
|
||||
"git",
|
||||
"-C",
|
||||
HERE,
|
||||
NIXPKGS_PATH,
|
||||
"commit",
|
||||
f"--message={message}",
|
||||
"hardened-patches.json",
|
||||
HARDENED_PATCHES_PATH,
|
||||
)
|
||||
|
||||
|
||||
|
@ -156,10 +158,10 @@ NIX_VERSION_RE = re.compile(
|
|||
|
||||
# Get the set of currently packaged kernel versions.
|
||||
kernel_versions = {}
|
||||
for filename in os.listdir(HERE):
|
||||
for filename in os.listdir(NIXPKGS_KERNEL_PATH):
|
||||
filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename)
|
||||
if filename_match:
|
||||
with open(HERE / filename) as nix_file:
|
||||
with open(NIXPKGS_KERNEL_PATH / filename) as nix_file:
|
||||
for nix_line in nix_file:
|
||||
match = NIX_VERSION_RE.fullmatch(nix_line)
|
||||
if match:
|
|
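Review bot: `NIXPKGS_PATH = HERE.parents[4]` in the constants hunk pins the repository root to a bare depth index below the script, and a move like this commit is exactly what silently invalidates such a count; if it is ever off by one, the `kernel_versions` scan still appears to work (it reads `NIXPKGS_KERNEL_PATH`), but the `git -C NIXPKGS_PATH commit ... HARDENED_PATCHES_PATH` call in `commit_patches` runs against the wrong directory and only fails when `COMMIT` is set. A cheap guard next to the constant makes the assumption explicit and fail early: `# five levels up from pkgs/os-specific/linux/kernel/hardened` followed by `if not (NIXPKGS_PATH / "pkgs" / "os-specific").is_dir(): raise SystemExit(f"unexpected checkout layout: {NIXPKGS_PATH}")`. Separately, `HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"` now resolves under the new `hardened/` directory, and this section does not show the key file moving; it is presumably among the nine changed files, but it is worth confirming, since the signature check that consumes it (outside this view) would otherwise be pointed at a missing key. The enclosing `commit_patches` function begins before its hunk.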
@ -35,7 +35,7 @@
|
|||
|
||||
tag_hardened = {
|
||||
name = "tag-hardened";
|
||||
patch = ./tag-hardened.patch;
|
||||
patch = ./hardened/tag-hardened.patch;
|
||||
};
|
||||
|
||||
hardened = let
|
||||
|
@ -43,7 +43,7 @@
|
|||
name = lib.removeSuffix ".patch" src.name;
|
||||
patch = fetchurl src;
|
||||
};
|
||||
patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json);
|
||||
patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
|
||||
in lib.mapAttrs mkPatch patches;
|
||||
|
||||
# https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
|
||||
|
@ -62,4 +62,4 @@ done
|
|||
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
|
||||
|
||||
# Update linux-hardened
|
||||
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py
|
||||
COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py
|
||||
|
@ -17014,7 +17014,7 @@ in
|
|||
|
||||
# Hardened linux
|
||||
hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
|
||||
structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
|
||||
structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
|
||||
inherit stdenv;
|
||||
inherit (kernel) version;
|
||||
};
|
||||