Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

linux: mkDefault over the common config #106395

Closed
wants to merge 1 commit into from
Closed

linux: mkDefault over the common config #106395

wants to merge 1 commit into from

Conversation

teto
Copy link
Member

@teto teto commented Dec 8, 2020

Otherwise the default merging strategy favors enabling options, which
can be detrimental in the hardened case for instance.

Partially addresses #90065
Before this PR nix-build -A linux_hardened.configfile has INET_DIAG enabled (it shouldn't) while with this PR it is indeed disabled.

Ideally I would like to have tests for this, maybe with #69013
@wizeman interested in writing one ?

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@SuperSandro2000
Copy link
Member

Please target staging.

@teto teto mentioned this pull request Dec 9, 2020
Closed
10 tasks
@teto
linux: mkDefault over the common config
cf3ed55 
Otherwise the default merging strategy favors enabling options, which
can be detrimental in the hardened case for instance.
@teto teto changed the base branch from master to staging December 9, 2020 20:58
@teto
Copy link
Member Author

teto commented Dec 9, 2020

I rebased on staging sry for the notifications. This has the potential to break some custom kernel configs or change the behavior of the system (like IDIAG not being enabled anymore etc). So if you see this, adjust your kernel config to the new (better) behavior.

@teto
Copy link
Member Author

teto commented Dec 12, 2020

dont merge yet it breaks boot :(

@teto teto mentioned this pull request Dec 12, 2020
Closed
3 tasks
@lheckemann
Copy link
Member

The merging strategy should probably complain about conflicts, not favour enabling options, so that any conflicts have to be resolved explicitly (and IMHO the best way to do that would then be to sprinkle mkDefaults on the individual relevant settings in common-config.nix).

@lheckemann
Copy link
Member

Ah sorry, just saw the PR mentioned at the beginning. So basically I agree with that approach :)

@teto teto marked this pull request as draft January 29, 2021 21:52
@teto teto mentioned this pull request Feb 18, 2021
Closed
@NeQuissimus
Copy link
Member

At the very least we can test for something like this:

      with subtest("Check CONFIG_INET_DIAG is disabled"):
          machine.succeed("zcat /proc/config.gz | grep CONFIG_INET_DIAG=n")
          machine.fail("${pkgs.iproute2}/bin/ss")

And we'll need latestKernel.hardened to pass.
Looks like virtio_scsi is missing, I think that's what you meant by "it breaks boot"?

@lheckemann
Copy link
Member

@NeQuissimus I'd favour the approach in #90065, what do you think?

@NeQuissimus
Copy link
Member

@lheckemann That approach is a bit more targeted. We can prefer that, sure.

@stale
Copy link

stale bot commented Aug 21, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 21, 2021
@teto teto closed this Aug 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 10.rebuild-darwin: 0 10.rebuild-linux: 501+ 10.rebuild-linux: 1001-2500
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@teto @SuperSandro2000 @lheckemann @NeQuissimus