linux-hardened: Track extra version
Fixes #108707
NeQuissimus committed Jan 7, 2021
1 parent 29aefd4 commit a669491
Showing 4 changed files with 15 additions and 6 deletions.
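--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -1,25 +1,30 @@
 {
 "4.14": {
+"extra": "",
 "name": "linux-hardened-4.14.213.a.patch",
 "sha256": "0lkjgg6cbsaiypxij7p00q3y094qf0h172hc2p7wgy39777b45a7",
 "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.213.a/linux-hardened-4.14.213.a.patch"
 },
 "4.19": {
+"extra": ".a",
 "name": "linux-hardened-4.19.165.a.patch",
 "sha256": "06v34jaj4jg6f3v05wbkkfnr69ahxqyyq0gam4ma3wgm74x6cf3s",
 "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.165.a/linux-hardened-4.19.165.a.patch"
 },
 "5.10": {
+"extra": ".a",
 "name": "linux-hardened-5.10.5.a.patch",
 "sha256": "1fq2n60brhi6wjazkdgj2aqc4maskvlymbznl03hvj0x5kahjxvx",
 "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.5.a/linux-hardened-5.10.5.a.patch"
 },
 "5.4": {
+"extra": ".a",
 "name": "linux-hardened-5.4.87.a.patch",
 "sha256": "01hpww6lm00iry8z4z86hh86x66h3xbmxknxhmmhh2zwz6ahkmfd",
 "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.87.a/linux-hardened-5.4.87.a.patch"
 },
 "5.9": {
+"extra": "",
 "name": "linux-hardened-5.9.16.a.patch",
 "sha256": "024wdzc9bwgr4nd4z0l6bazcl35jczhsmdl2lb26bvffjwg207rw",
 "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.9.16.a/linux-hardened-5.9.16.a.patch"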
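--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -31,7 +31,7 @@
 Version = List[VersionComponent]
 
 
-Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str})
+Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str})
 
 
 @dataclass
@@ -99,7 +99,10 @@ def verify_openpgp_signature(
 return False
 
 
-def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
+def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
+release = release_info.release
+extra = f'.{release_info.version[-1]}'
+
 def find_asset(filename: str) -> str:
 try:
 it: Iterator[str] = (
@@ -130,7 +133,7 @@ def find_asset(filename: str) -> str:
 if not sig_ok:
 return None
 
-return Patch(name=patch_filename, url=patch_url, sha256=sha256)
+return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra)
 
 
 def parse_version(version_str: str) -> Version:
@@ -252,7 +255,7 @@ def commit_patches(*, kernel_key: str, message: str) -> None:
 update = True
 
 if update:
-patch = fetch_patch(name=name, release=release)
+patch = fetch_patch(name=name, release_info=release_info)
 if patch is None:
 failures = True
 else: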
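Review bot: `extra = f'.{release_info.version[-1]}'` in fetch_patch formats the last version component without checking what it is, so a release whose parsed version ends in a number (the `Version` alias is a list of `VersionComponent`, defined outside the hunk) would write something like `.5` into patches.json and from there into the kernel's `modDirVersionArg`. The patch file is checked against its OpenPGP signature further down, but this value comes from `release_info` and, as far as the hunks show, is not covered by that check. I would validate it before use, e.g. `suffix = release_info.version[-1]` and `if not (isinstance(suffix, str) and suffix.isalpha()): return None`, which the caller already treats as a failure (`if patch is None: failures = True`). fetch_patch continues outside the hunks shown; a one-line docstring saying that `extra` is the hardened release suffix including its leading dot would also help.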
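--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -41,7 +41,8 @@
 hardened = let
 mkPatch = kernelVersion: src: {
 name = lib.removeSuffix ".patch" src.name;
-patch = fetchurl src;
+patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src);
+extra = src.extra;
 };
 patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
 in lib.mapAttrs mkPatch patches;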
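Review bot: `fetchurl (lib.filterAttrs (k: v: k != "extra") src)` in mkPatch is a denylist, so any further key that update.py or a hand edit adds to patches.json is passed straight through as a fetchurl argument. Naming the fetcher inputs keeps the fetch limited to the name, URL and hash: `patch = fetchurl { inherit (src) name url sha256; };`. Separately, `extra = src.extra;` fails evaluation for an entry that lacks the key; `extra = src.extra or "";` would keep older or partially updated entries evaluating, if an empty suffix is the intended fallback.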
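--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -18998,7 +18998,7 @@ in
 kernelPatches.tag_hardened
 kernelPatches.hardened.${kernel.meta.branch}
 ];
-modDirVersionArg = kernel.modDirVersion + "-hardened";
+modDirVersionArg = kernel.modDirVersion + (kernelPatches.hardened.${kernel.meta.branch}).extra + "-hardened";
 isHardened = true;
 });
 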
