+1 -1

lib/kernel.nix

reviewed

··· 14 14 freeform = x: { freeform = x; }; 15 15 16 16 /* 17 17 - Common patterns/legacy used in common-config/hardened-config.nix 17 17 + Common patterns/legacy used in common-config/hardened/config.nix 18 18 */ 19 19 whenHelpers = version: { 20 20 whenAtLeast = ver: mkIf (versionAtLeast version ver);

+2 -2

pkgs/development/python-modules/pyGithub/default.nix

reviewed

··· 12 12 13 13 buildPythonPackage rec { 14 14 pname = "PyGithub"; 15 15 - version = "1.47"; 15 15 + version = "1.51"; 16 16 disabled = !isPy3k; 17 17 18 18 src = fetchFromGitHub { 19 19 owner = "PyGithub"; 20 20 repo = "PyGithub"; 21 21 rev = "v${version}"; 22 22 - sha256 = "0zvp1gib2lryw698vxkbdv40n3lsmdlhwp7vdcg41dqqa5nfryhn"; 22 22 + hash = "sha256-8uQCFiw1ByPOX8ZRUlSLYPIibjmd19r/JtTnmQdz5cM="; 23 23 }; 24 24 25 25 checkInputs = [ httpretty parameterized pytestCheckHook ];

pkgs/os-specific/linux/kernel/anthraxx.asc pkgs/os-specific/linux/kernel/hardened/anthraxx.asc

reviewed

pkgs/os-specific/linux/kernel/hardened-config.nix pkgs/os-specific/linux/kernel/hardened/config.nix

reviewed

pkgs/os-specific/linux/kernel/hardened-patches.json pkgs/os-specific/linux/kernel/hardened/patches.json

reviewed

+277

pkgs/os-specific/linux/kernel/hardened/update.py

reviewed

··· 1 1 + #! /usr/bin/env nix-shell 2 2 + #! nix-shell -i python -p "python38.withPackages (ps: [ps.PyGithub])" git gnupg 3 3 + 4 4 + # This is automatically called by ../update.sh. 5 5 + 6 6 + from __future__ import annotations 7 7 + 8 8 + import json 9 9 + import os 10 10 + import re 11 11 + import subprocess 12 12 + import sys 13 13 + from dataclasses import dataclass 14 14 + from pathlib import Path 15 15 + from tempfile import TemporaryDirectory 16 16 + from typing import ( 17 17 + Dict, 18 18 + Iterator, 19 19 + List, 20 20 + Optional, 21 21 + Sequence, 22 22 + Tuple, 23 23 + TypedDict, 24 24 + Union, 25 25 + ) 26 26 + 27 27 + from github import Github 28 28 + from github.GitRelease import GitRelease 29 29 + 30 30 + VersionComponent = Union[int, str] 31 31 + Version = List[VersionComponent] 32 32 + 33 33 + 34 34 + Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str}) 35 35 + 36 36 + 37 37 + @dataclass 38 38 + class ReleaseInfo: 39 39 + version: Version 40 40 + release: GitRelease 41 41 + 42 42 + 43 43 + HERE = Path(__file__).resolve().parent 44 44 + NIXPKGS_KERNEL_PATH = HERE.parent 45 45 + NIXPKGS_PATH = HERE.parents[4] 46 46 + HARDENED_GITHUB_REPO = "anthraxx/linux-hardened" 47 47 + HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc" 48 48 + HARDENED_PATCHES_PATH = HERE / "patches.json" 49 49 + MIN_KERNEL_VERSION: Version = [4, 14] 50 50 + 51 51 + 52 52 + def run(*args: Union[str, Path]) -> subprocess.CompletedProcess[bytes]: 53 53 + try: 54 54 + return subprocess.run( 55 55 + args, 56 56 + check=True, 57 57 + stdout=subprocess.PIPE, 58 58 + stderr=subprocess.PIPE, 59 59 + encoding="utf-8", 60 60 + ) 61 61 + except subprocess.CalledProcessError as err: 62 62 + print( 63 63 + f"error: `{err.cmd}` failed unexpectedly\n" 64 64 + f"status code: {err.returncode}\n" 65 65 + f"stdout:\n{err.stdout.strip()}\n" 66 66 + f"stderr:\n{err.stderr.strip()}", 67 67 + file=sys.stderr, 68 68 + ) 69 69 + sys.exit(1) 70 70 + 71 71 + 72 72 + def nix_prefetch_url(url: str) -> Tuple[str, Path]: 73 73 + output = run("nix-prefetch-url", "--print-path", url).stdout 74 74 + sha256, path = output.strip().split("\n") 75 75 + return sha256, Path(path) 76 76 + 77 77 + 78 78 + def verify_openpgp_signature( 79 79 + *, name: str, trusted_key: Path, sig_path: Path, data_path: Path, 80 80 + ) -> bool: 81 81 + with TemporaryDirectory(suffix=".nixpkgs-gnupg-home") as gnupg_home_str: 82 82 + gnupg_home = Path(gnupg_home_str) 83 83 + run("gpg", "--homedir", gnupg_home, "--import", trusted_key) 84 84 + keyring = gnupg_home / "pubring.kbx" 85 85 + try: 86 86 + subprocess.run( 87 87 + ("gpgv", "--keyring", keyring, sig_path, data_path), 88 88 + check=True, 89 89 + stderr=subprocess.PIPE, 90 90 + encoding="utf-8", 91 91 + ) 92 92 + return True 93 93 + except subprocess.CalledProcessError as err: 94 94 + print( 95 95 + f"error: signature for {name} failed to verify!", 96 96 + file=sys.stderr, 97 97 + ) 98 98 + print(err.stderr, file=sys.stderr, end="") 99 99 + return False 100 100 + 101 101 + 102 102 + def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]: 103 103 + def find_asset(filename: str) -> str: 104 104 + try: 105 105 + it: Iterator[str] = ( 106 106 + asset.browser_download_url 107 107 + for asset in release.get_assets() 108 108 + if asset.name == filename 109 109 + ) 110 110 + return next(it) 111 111 + except StopIteration: 112 112 + raise KeyError(filename) 113 113 + 114 114 + patch_filename = f"{name}.patch" 115 115 + try: 116 116 + patch_url = find_asset(patch_filename) 117 117 + sig_url = find_asset(patch_filename + ".sig") 118 118 + except KeyError: 119 119 + print(f"error: {patch_filename}{{,.sig}} not present", file=sys.stderr) 120 120 + return None 121 121 + 122 122 + sha256, patch_path = nix_prefetch_url(patch_url) 123 123 + _, sig_path = nix_prefetch_url(sig_url) 124 124 + sig_ok = verify_openpgp_signature( 125 125 + name=name, 126 126 + trusted_key=HARDENED_TRUSTED_KEY, 127 127 + sig_path=sig_path, 128 128 + data_path=patch_path, 129 129 + ) 130 130 + if not sig_ok: 131 131 + return None 132 132 + 133 133 + return Patch(name=patch_filename, url=patch_url, sha256=sha256) 134 134 + 135 135 + 136 136 + def parse_version(version_str: str) -> Version: 137 137 + version: Version = [] 138 138 + for component in version_str.split("."): 139 139 + try: 140 140 + version.append(int(component)) 141 141 + except ValueError: 142 142 + version.append(component) 143 143 + return version 144 144 + 145 145 + 146 146 + def version_string(version: Version) -> str: 147 147 + return ".".join(str(component) for component in version) 148 148 + 149 149 + 150 150 + def major_kernel_version_key(kernel_version: Version) -> str: 151 151 + return version_string(kernel_version[:-1]) 152 152 + 153 153 + 154 154 + def commit_patches(*, kernel_key: str, message: str) -> None: 155 155 + new_patches_path = HARDENED_PATCHES_PATH.with_suffix(".new") 156 156 + with open(new_patches_path, "w") as new_patches_file: 157 157 + json.dump(patches, new_patches_file, indent=4, sort_keys=True) 158 158 + new_patches_file.write("\n") 159 159 + os.rename(new_patches_path, HARDENED_PATCHES_PATH) 160 160 + message = f"linux/hardened/patches/{kernel_key}: {message}" 161 161 + print(message) 162 162 + if os.environ.get("COMMIT"): 163 163 + run( 164 164 + "git", 165 165 + "-C", 166 166 + NIXPKGS_PATH, 167 167 + "commit", 168 168 + f"--message={message}", 169 169 + HARDENED_PATCHES_PATH, 170 170 + ) 171 171 + 172 172 + 173 173 + # Load the existing patches. 174 174 + patches: Dict[str, Patch] 175 175 + with open(HARDENED_PATCHES_PATH) as patches_file: 176 176 + patches = json.load(patches_file) 177 177 + 178 178 + # Get the set of currently packaged kernel versions. 179 179 + kernel_versions = {} 180 180 + for filename in os.listdir(NIXPKGS_KERNEL_PATH): 181 181 + filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename) 182 182 + if filename_match: 183 183 + nix_version_expr = f""" 184 184 + with import {NIXPKGS_PATH} {{}}; 185 185 + (callPackage {NIXPKGS_KERNEL_PATH / filename} {{}}).version 186 186 + """ 187 187 + kernel_version = parse_version( 188 188 + run( 189 189 + "nix", "eval", "--impure", "--raw", "--expr", nix_version_expr, 190 190 + ).stdout 191 191 + ) 192 192 + if kernel_version < MIN_KERNEL_VERSION: 193 193 + continue 194 194 + kernel_key = major_kernel_version_key(kernel_version) 195 195 + kernel_versions[kernel_key] = kernel_version 196 196 + 197 197 + # Remove patches for unpackaged kernel versions. 198 198 + for kernel_key in sorted(patches.keys() - kernel_versions.keys()): 199 199 + commit_patches(kernel_key=kernel_key, message="remove") 200 200 + 201 201 + g = Github(os.environ.get("GITHUB_TOKEN")) 202 202 + repo = g.get_repo(HARDENED_GITHUB_REPO) 203 203 + failures = False 204 204 + 205 205 + # Match each kernel version with the best patch version. 206 206 + releases = {} 207 207 + for release in repo.get_releases(): 208 208 + version = parse_version(release.tag_name) 209 209 + # needs to look like e.g. 5.6.3.a 210 210 + if len(version) < 4: 211 211 + continue 212 212 + 213 213 + kernel_version = version[:-1] 214 214 + kernel_key = major_kernel_version_key(kernel_version) 215 215 + try: 216 216 + packaged_kernel_version = kernel_versions[kernel_key] 217 217 + except KeyError: 218 218 + continue 219 219 + 220 220 + release_info = ReleaseInfo(version=version, release=release) 221 221 + 222 222 + if kernel_version == packaged_kernel_version: 223 223 + releases[kernel_key] = release_info 224 224 + else: 225 225 + # Fall back to the latest patch for this major kernel version, 226 226 + # skipping patches for kernels newer than the packaged one. 227 227 + if kernel_version > packaged_kernel_version: 228 228 + continue 229 229 + elif ( 230 230 + kernel_key not in releases or releases[kernel_key].version < version 231 231 + ): 232 232 + releases[kernel_key] = release_info 233 233 + 234 234 + # Update hardened-patches.json for each release. 235 235 + for kernel_key in sorted(releases.keys()): 236 236 + release_info = releases[kernel_key] 237 237 + release = release_info.release 238 238 + version = release_info.version 239 239 + version_str = release.tag_name 240 240 + name = f"linux-hardened-{version_str}" 241 241 + 242 242 + old_version: Optional[Version] = None 243 243 + old_version_str: Optional[str] = None 244 244 + update: bool 245 245 + try: 246 246 + old_filename = patches[kernel_key]["name"] 247 247 + old_version_str = old_filename.replace("linux-hardened-", "").replace( 248 248 + ".patch", "" 249 249 + ) 250 250 + old_version = parse_version(old_version_str) 251 251 + update = old_version < version 252 252 + except KeyError: 253 253 + update = True 254 254 + 255 255 + if update: 256 256 + patch = fetch_patch(name=name, release=release) 257 257 + if patch is None: 258 258 + failures = True 259 259 + else: 260 260 + patches[kernel_key] = patch 261 261 + if old_version: 262 262 + message = f"{old_version_str} -> {version_str}" 263 263 + else: 264 264 + message = f"init at {version_str}" 265 265 + commit_patches(kernel_key=kernel_key, message=message) 266 266 + 267 267 + missing_kernel_versions = kernel_versions.keys() - patches.keys() 268 268 + 269 269 + if missing_kernel_versions: 270 270 + print( 271 271 + f"warning: no patches for kernel versions " 272 272 + + ", ".join(missing_kernel_versions), 273 273 + file=sys.stderr, 274 274 + ) 275 275 + 276 276 + if failures: 277 277 + sys.exit(1)

+2 -2

pkgs/os-specific/linux/kernel/patches.nix

reviewed

··· 35 35 36 36 tag_hardened = { 37 37 name = "tag-hardened"; 38 38 - patch = ./tag-hardened.patch; 38 38 + patch = ./hardened/tag-hardened.patch; 39 39 }; 40 40 41 41 hardened = let ··· 43 43 name = lib.removeSuffix ".patch" src.name; 44 44 patch = fetchurl src; 45 45 }; 46 46 - patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json); 46 46 + patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json); 47 47 in lib.mapAttrs mkPatch patches; 48 48 49 49 # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6

pkgs/os-specific/linux/kernel/tag-hardened.patch pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch

reviewed

-229

pkgs/os-specific/linux/kernel/update-hardened.py

reviewed

··· 1 1 - #! /usr/bin/env nix-shell 2 2 - #! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg 3 3 - 4 4 - # This is automatically called by ./update.sh. 5 5 - 6 6 - import re 7 7 - import json 8 8 - import sys 9 9 - import os.path 10 10 - from glob import glob 11 11 - import subprocess 12 12 - from tempfile import TemporaryDirectory 13 13 - 14 14 - from github import Github 15 15 - 16 16 - HERE = os.path.dirname(os.path.realpath(__file__)) 17 17 - HARDENED_GITHUB_REPO = 'anthraxx/linux-hardened' 18 18 - HARDENED_TRUSTED_KEY = os.path.join(HERE, 'anthraxx.asc') 19 19 - HARDENED_PATCHES_PATH = os.path.join(HERE, 'hardened-patches.json') 20 20 - MIN_KERNEL_VERSION = [4, 14] 21 21 - 22 22 - def run(*args, **kwargs): 23 23 - try: 24 24 - return subprocess.run( 25 25 - args, **kwargs, 26 26 - check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, 27 27 - ) 28 28 - except subprocess.CalledProcessError as err: 29 29 - print( 30 30 - f'error: `{err.cmd}` failed unexpectedly\n' 31 31 - f'status code: {err.returncode}\n' 32 32 - f'stdout:\n{err.stdout.decode("utf-8").strip()}\n' 33 33 - f'stderr:\n{err.stderr.decode("utf-8").strip()}', 34 34 - file=sys.stderr, 35 35 - ) 36 36 - sys.exit(1) 37 37 - 38 38 - def nix_prefetch_url(url): 39 39 - output = run('nix-prefetch-url', '--print-path', url).stdout 40 40 - return output.decode('utf-8').strip().split('\n') 41 41 - 42 42 - def verify_openpgp_signature(*, name, trusted_key, sig_path, data_path): 43 43 - with TemporaryDirectory(suffix='.nixpkgs-gnupg-home') as gnupg_home: 44 44 - run('gpg', '--homedir', gnupg_home, '--import', trusted_key) 45 45 - keyring = os.path.join(gnupg_home, 'pubring.kbx') 46 46 - try: 47 47 - subprocess.run( 48 48 - ('gpgv', '--keyring', keyring, sig_path, data_path), 49 49 - check=True, stderr=subprocess.PIPE, 50 50 - ) 51 51 - return True 52 52 - except subprocess.CalledProcessError as err: 53 53 - print( 54 54 - f'error: signature for {name} failed to verify!', 55 55 - file=sys.stderr, 56 56 - ) 57 57 - print(err.stderr.decode('utf-8'), file=sys.stderr, end='') 58 58 - return False 59 59 - 60 60 - def fetch_patch(*, name, release): 61 61 - def find_asset(filename): 62 62 - try: 63 63 - return next( 64 64 - asset.browser_download_url 65 65 - for asset in release.get_assets() 66 66 - if asset.name == filename 67 67 - ) 68 68 - except StopIteration: 69 69 - raise KeyError(filename) 70 70 - 71 71 - patch_filename = f'{name}.patch' 72 72 - try: 73 73 - patch_url = find_asset(patch_filename) 74 74 - sig_url = find_asset(patch_filename + '.sig') 75 75 - except KeyError: 76 76 - print(f'error: {patch_filename}{{,.sig}} not present', file=sys.stderr) 77 77 - return None 78 78 - 79 79 - sha256, patch_path = nix_prefetch_url(patch_url) 80 80 - _, sig_path = nix_prefetch_url(sig_url) 81 81 - sig_ok = verify_openpgp_signature( 82 82 - name=name, 83 83 - trusted_key=HARDENED_TRUSTED_KEY, 84 84 - sig_path=sig_path, 85 85 - data_path=patch_path, 86 86 - ) 87 87 - if not sig_ok: 88 88 - return None 89 89 - 90 90 - return { 91 91 - 'name': patch_filename, 92 92 - 'url': patch_url, 93 93 - 'sha256': sha256, 94 94 - } 95 95 - 96 96 - def parse_version(version_str): 97 97 - version = [] 98 98 - for component in version_str.split('.'): 99 99 - try: 100 100 - version.append(int(component)) 101 101 - except ValueError: 102 102 - version.append(component) 103 103 - return version 104 104 - 105 105 - def version_string(version): 106 106 - return '.'.join(str(component) for component in version) 107 107 - 108 108 - def major_kernel_version_key(kernel_version): 109 109 - return version_string(kernel_version[:-1]) 110 110 - 111 111 - def commit_patches(*, kernel_key, message): 112 112 - with open(HARDENED_PATCHES_PATH + '.new', 'w') as new_patches_file: 113 113 - json.dump(patches, new_patches_file, indent=4, sort_keys=True) 114 114 - new_patches_file.write('\n') 115 115 - os.rename(HARDENED_PATCHES_PATH + '.new', HARDENED_PATCHES_PATH) 116 116 - message = f'linux/hardened-patches/{kernel_key}: {message}' 117 117 - print(message) 118 118 - if os.environ.get('COMMIT'): 119 119 - run( 120 120 - 'git', '-C', HERE, 'commit', f'--message={message}', 121 121 - 'hardened-patches.json', 122 122 - ) 123 123 - 124 124 - # Load the existing patches. 125 125 - with open(HARDENED_PATCHES_PATH) as patches_file: 126 126 - patches = json.load(patches_file) 127 127 - 128 128 - NIX_VERSION_RE = re.compile(r''' 129 129 - \s* version \s* = 130 130 - \s* " (?P<version> [^"]*) " 131 131 - \s* ; \s* \n 132 132 - ''', re.VERBOSE) 133 133 - 134 134 - # Get the set of currently packaged kernel versions. 135 135 - kernel_versions = {} 136 136 - for filename in os.listdir(HERE): 137 137 - filename_match = re.fullmatch(r'linux-(\d+)\.(\d+)\.nix', filename) 138 138 - if filename_match: 139 139 - with open(os.path.join(HERE, filename)) as nix_file: 140 140 - for nix_line in nix_file: 141 141 - match = NIX_VERSION_RE.fullmatch(nix_line) 142 142 - if match: 143 143 - kernel_version = parse_version(match.group('version')) 144 144 - if kernel_version < MIN_KERNEL_VERSION: 145 145 - continue 146 146 - kernel_key = major_kernel_version_key(kernel_version) 147 147 - kernel_versions[kernel_key] = kernel_version 148 148 - 149 149 - # Remove patches for unpackaged kernel versions. 150 150 - for kernel_key in sorted(patches.keys() - kernel_versions.keys()): 151 151 - commit_patches(kernel_key=kernel_key, message='remove') 152 152 - 153 153 - g = Github(os.environ.get('GITHUB_TOKEN')) 154 154 - repo = g.get_repo(HARDENED_GITHUB_REPO) 155 155 - 156 156 - failures = False 157 157 - 158 158 - # Match each kernel version with the best patch version. 159 159 - releases = {} 160 160 - for release in repo.get_releases(): 161 161 - version = parse_version(release.tag_name) 162 162 - # needs to look like e.g. 5.6.3.a 163 163 - if len(version) < 4: 164 164 - continue 165 165 - 166 166 - kernel_version = version[:-1] 167 167 - kernel_key = major_kernel_version_key(kernel_version) 168 168 - try: 169 169 - packaged_kernel_version = kernel_versions[kernel_key] 170 170 - except KeyError: 171 171 - continue 172 172 - 173 173 - release_info = { 174 174 - 'version': version, 175 175 - 'release': release, 176 176 - } 177 177 - 178 178 - if kernel_version == packaged_kernel_version: 179 179 - releases[kernel_key] = release_info 180 180 - else: 181 181 - # Fall back to the latest patch for this major kernel version, 182 182 - # skipping patches for kernels newer than the packaged one. 183 183 - if kernel_version > packaged_kernel_version: 184 184 - continue 185 185 - elif (kernel_key not in releases or 186 186 - releases[kernel_key]['version'] < version): 187 187 - releases[kernel_key] = release_info 188 188 - 189 189 - # Update hardened-patches.json for each release. 190 190 - for kernel_key, release_info in releases.items(): 191 191 - release = release_info['release'] 192 192 - version = release_info['version'] 193 193 - version_str = release.tag_name 194 194 - name = f'linux-hardened-{version_str}' 195 195 - 196 196 - try: 197 197 - old_filename = patches[kernel_key]['name'] 198 198 - old_version_str = (old_filename 199 199 - .replace('linux-hardened-', '') 200 200 - .replace('.patch', '')) 201 201 - old_version = parse_version(old_version_str) 202 202 - update = old_version < version 203 203 - except KeyError: 204 204 - update = True 205 205 - old_version = None 206 206 - 207 207 - if update: 208 208 - patch = fetch_patch(name=name, release=release) 209 209 - if patch is None: 210 210 - failures = True 211 211 - else: 212 212 - patches[kernel_key] = patch 213 213 - if old_version: 214 214 - message = f'{old_version_str} -> {version_str}' 215 215 - else: 216 216 - message = f'init at {version_str}' 217 217 - commit_patches(kernel_key=kernel_key, message=message) 218 218 - 219 219 - missing_kernel_versions = kernel_versions.keys() - patches.keys() 220 220 - 221 221 - if missing_kernel_versions: 222 222 - print( 223 223 - f'warning: no patches for kernel versions ' + 224 224 - ', '.join(missing_kernel_versions), 225 225 - file=sys.stderr, 226 226 - ) 227 227 - 228 228 - if failures: 229 229 - sys.exit(1)

+1 -1

pkgs/os-specific/linux/kernel/update.sh

reviewed

··· 62 62 COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh 63 63 64 64 # Update linux-hardened 65 65 - COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py 65 65 + COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py

+1 -1

pkgs/top-level/all-packages.nix

reviewed

··· 17065 17065 17066 17066 # Hardened linux 17067 17067 hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override { 17068 17068 - structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix { 17068 17068 + structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix { 17069 17069 inherit stdenv; 17070 17070 inherit (kernel) version; 17071 17071 };