base repository: NixOS/nixpkgs-channels
base: 42c85f251da7
head repository: NixOS/nixpkgs-channels
compare: 2b51171fb6ea
  • 18 commits
  • 14 files changed
  • 12 contributors

Commits on Apr 6, 2020

  1. Lutris using Proton 5 depends on libselinux

    fixes:
        ImportError: libselinux.so.1
    RohanHart committed Apr 6, 2020
    2d05e15 View commit details

Commits on May 12, 2020

  1. cri-o: drop flavor

    zowoq committed May 12, 2020
    1d909f5 View commit details
    628354c View commit details
    97a0928 View commit details
    af6d009 View commit details
    c710661 View commit details
  6. nginxModules: add option allowMemoryWriteExecute

    The allowMemoryWriteExecute attribute marks nginxModules that need writable and executable memory;
    when such a module is enabled, the nginx sandbox mode drops MemoryDenyWriteExecute.
    Izorkin committed May 12, 2020
    aa12fb8 View commit details
    94391fc View commit details
    4e4f5cb View commit details
  9. visidata: add darwin to supported platforms

    badmutex authored and Badi Abdul-Wahid committed May 12, 2020
    b332947 View commit details

Commits on May 13, 2020

    6c437ef View commit details
  2. Merge pull request #84420 from RohanHart/lutris/proton-depends-on-sec…

    …urity-libs
    
    Lutris/proton depends on security lib
    DamienCassou authored May 13, 2020
    47ea746 View commit details
  3. Merge pull request #87692 from badmutex/patch-1

    visidata: add darwin to supported platforms
    7c6f434c authored May 13, 2020
    a1f68b7 View commit details
    097eba0 View commit details
  5. emacsPackages.melpaPackages: Ignore Git SSL certs

    There are a number of derivations failing because we are lacking the
    required certs.
    
    fetchurl is already ignoring certs so I figured we'd do the same.
    adisbladis committed May 13, 2020
    88974f9 View commit details
  6. Merge pull request #87660 from zowoq/crio-flavor

    cri-o: drop flavor
    marsam authored May 13, 2020
    8ec4b8b View commit details
  7. almanah: fix build

    jtojnar committed May 13, 2020
    7498858 View commit details
  8. Merge pull request #87686 from lovesegfault/zoom-us-5.0.4

    zoom-us: 5.0.399860.0429 -> 5.0.403652.0509
    garbas authored May 13, 2020
    2b51171 View commit details
11 changes: 10 additions & 1 deletion nixos/doc/manual/release-notes/rl-2009.xml
@@ -235,7 +235,16 @@ php.override {
Be aware that backwards state migrations are not supported by Deluge.
</para>
</listitem>

<listitem>
<para>
Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options.
By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
<programlisting>
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
</programlisting>
</para>
</listitem>
<listitem>
<para>
The NixOS options <literal>nesting.clone</literal> and
29 changes: 29 additions & 0 deletions nixos/modules/services/web-servers/nginx/default.nix
@@ -463,6 +463,14 @@ in
'';
};

enableSandbox = mkOption {
default = false;
type = types.bool;
description = ''
Starting Nginx web server with additional sandbox/hardening options.
'';
};

user = mkOption {
type = types.str;
default = "nginx";
@@ -710,6 +718,27 @@ in
LogsDirectoryMode = "0750";
# Capabilities
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
# Security
NoNewPrivileges = true;
} // optionalAttrs cfg.enableSandbox {
# Sandboxing
ProtectSystem = "strict";
ProtectHome = mkDefault true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
};
};

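Review bot: The `MemoryDenyWriteExecute` line inspects `pkgs.nginx.modules`, but the unit runs `cfg.package` — the new nginx-sandbox test in this same change selects an overridden build with the lua module through `services.nginx.package` — so a module-enabled package chosen via the option is never seen and the W^X restriction stays on for it. Assuming the overridden derivation carries the same `modules` passthru, the check should read `MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);`. Separately, only `ProtectHome` is wrapped in `mkDefault`, so every other sandbox setting here needs `mkForce` to relax from user configuration; either apply `mkDefault` uniformly or state in the `enableSandbox` description that `ReadWritePaths` and `mkForce` are the intended escape hatches. The `serviceConfig` attribute set this hunk extends begins before the hunk.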
1 change: 1 addition & 0 deletions nixos/tests/all-tests.nix
@@ -225,6 +225,7 @@ in
nginx = handleTest ./nginx.nix {};
nginx-etag = handleTest ./nginx-etag.nix {};
nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
nginx-sso = handleTest ./nginx-sso.nix {};
nix-ssh-serve = handleTest ./nix-ssh-serve.nix {};
nixos-generate-config = handleTest ./nixos-generate-config.nix {};
1 change: 1 addition & 0 deletions nixos/tests/nginx-pubhtml.nix
@@ -2,6 +2,7 @@ import ./make-test-python.nix {
name = "nginx-pubhtml";

machine = { pkgs, ... }: {
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
services.nginx.enable = true;
services.nginx.virtualHosts.localhost = {
locations."~ ^/\\~([a-z0-9_]+)(/.*)?$".alias = "/home/$1/public_html$2";
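Review bot: The added `ProtectHome = "read-only"` override carries no comment explaining why a test that never sets `services.nginx.enableSandbox` needs it; in this change the module only sets ProtectHome under `enableSandbox` (as `mkDefault true`), so as written the line reads as dead configuration. If it is a guard for a future hardened default, say so next to it: `# this test serves /home/*/public_html; keep home readable if ProtectHome is ever enabled by default`. If ProtectHome is instead set unconditionally somewhere outside these hunks, the comment should point at that location.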
66 changes: 66 additions & 0 deletions nixos/tests/nginx-sandbox.nix
@@ -0,0 +1,66 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "nginx-sandbox";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ izorkin ];
};

# This test checks the creation and reading of a file in sandbox mode. Used simple lua script.

machine = { pkgs, ... }: {
nixpkgs.overlays = [
(self: super: {
nginx-lua = super.nginx.override {
modules = [
pkgs.nginxModules.lua
];
};
})
];
services.nginx.enable = true;
services.nginx.package = pkgs.nginx-lua;
services.nginx.enableSandbox = true;
services.nginx.virtualHosts.localhost = {
extraConfig = ''
location /test1-write {
content_by_lua_block {
local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
}
}
location /test1-read {
root /tmp;
}
location /test2-write {
content_by_lua_block {
local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
}
}
location /test2-read {
root /var/web;
}
'';
};
users.users.foo.isNormalUser = true;
};

testScript = ''
machine.wait_for_unit("nginx")
machine.wait_for_open_port(80)
# Checking write in temporary folder
machine.succeed("$(curl -vvv http://localhost/test1-write)")
machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')
# Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
# in read-only mode.
machine.succeed("mkdir -p /var/web")
machine.succeed("chown nginx:nginx /var/web")
machine.succeed("$(curl -vvv http://localhost/test2-write)")
assert "404 Not Found" in machine.succeed(
"curl -vvv -s http://localhost/test2-read/bar.txt"
)
'';
})
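Review bot: The two `machine.succeed("$(curl -vvv …)")` calls wrap curl in command substitution, so the shell executes the HTTP response body as a command; they only pass because the Lua handlers emit an empty body, and any output from nginx (an error page, for instance) would become a spurious command. Drop the substitution: `machine.succeed("curl -vvv http://localhost/test1-write")` and `machine.succeed("curl -vvv http://localhost/test2-write")`. The read-only check at the end observes only a 404, which would appear just as well if the Lua block never ran; asserting on the host that nothing was written, `machine.fail("test -e /var/web/test2-read/bar.txt")`, pins the sandbox behaviour directly. The `os.execute` results are also assigned to unused locals, so the write in test1 is validated only indirectly by the later read.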
29 changes: 0 additions & 29 deletions pkgs/applications/editors/emacs-modes/hol_light/default.nix

This file was deleted.

6 changes: 4 additions & 2 deletions pkgs/applications/editors/emacs-modes/libgenerated.nix
@@ -25,10 +25,12 @@ let
}
) {};
git = self.callPackage ({ fetchgit }:
fetchgit {
(fetchgit {
rev = commit;
inherit sha256 url;
}
}).overrideAttrs(_: {
GIT_SSL_NO_VERIFY = true;
})
) {};
bitbucket = self.callPackage ({ fetchhg }:
fetchhg {
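Review bot: `GIT_SSL_NO_VERIFY = true` switches off TLS certificate checking for every MELPA git fetch without a comment recording why that is acceptable; the only thing then standing between a network attacker and the build is the pinned `sha256`, which protects this fixed-output fetch but presumes the recipe hashes were produced over a trusted path. Record the justification inline: `# TLS certificate verification is off; integrity of the fetch rests entirely on the pinned sha256 of this fixed-output derivation.` If the failures the commit message describes stem from a missing CA bundle rather than genuinely bad certificates, pointing `GIT_SSL_CAINFO` at the system certificate bundle would keep verification on instead. The enclosing `let` binding set starts before this hunk.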
1 change: 0 additions & 1 deletion pkgs/applications/editors/emacs-modes/manual-packages.nix
@@ -135,7 +135,6 @@
colorThemeSolarized = callPackage ./color-theme-solarized { };
emacsSessionManagement = callPackage ./session-management-for-emacs { };
hsc3-mode = callPackage ./hsc3 { };
hol_light_mode = callPackage ./hol_light { };
ido-ubiquitous = callPackage ./ido-ubiquitous { };
ocaml-mode = callPackage ./ocaml { };
prolog-mode = callPackage ./prolog { };
10 changes: 10 additions & 0 deletions pkgs/applications/misc/almanah/default.nix
@@ -1,5 +1,6 @@
{ stdenv
, fetchurl
, fetchpatch
, atk
, cairo
, desktop-file-utils
@@ -30,6 +31,15 @@ stdenv.mkDerivation rec {
sha256 = "09rxx4s4c34d1axza6ayss33v78p44r9bpx058shllh1sf5avpcb";
};

patches = [
# Fix gpgme detection
# https://gitlab.gnome.org/GNOME/almanah/merge_requests/7
(fetchpatch {
url = "https://gitlab.gnome.org/GNOME/almanah/commit/4b979c4145ef2fbceebb3849a70df1d0ceb1bb93.patch";
sha256 = "q3M+osNWz7AsDQtFju5S7P4wH3cAdzKOPKnEXTJ+k3M=";
})
];

nativeBuildInputs = [
desktop-file-utils
gettext
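Review bot: The `fetchpatch` hash is written as bare base64 (`q3M+…k3M=`) while the `src` hash directly above it is base32; Nix accepts both encodings, but mixing them in one file makes a hash easy to misread as truncated or corrupt. Use the same base32 encoding as `src`, or, if the Nix version in use accepts SRI strings, the self-describing form `sha256 = "sha256-q3M+osNWz7AsDQtFju5S7P4wH3cAdzKOPKnEXTJ+k3M=";`.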
3 changes: 3 additions & 0 deletions pkgs/applications/misc/lutris/chrootenv.nix
@@ -105,6 +105,9 @@ in buildFHSUserEnv {
cups lcms2 mpg123 cairo unixODBC samba4 sane-backends openldap
ocl-icd utillinux libkrb5

# Proton
libselinux

# Winetricks
fribidi
] ++ xorgDeps pkgs;
2 changes: 1 addition & 1 deletion pkgs/applications/misc/visidata/default.nix
@@ -43,7 +43,7 @@ buildPythonApplication rec {
description = "Interactive terminal multitool for tabular data";
license = lib.licenses.gpl3;
maintainers = [ lib.maintainers.raskin ];
platforms = lib.platforms.linux;
platforms = with lib.platforms; linux ++ darwin;
homepage = "http://visidata.org/";
};
}
@@ -15,11 +15,11 @@ assert pulseaudioSupport -> libpulseaudio != null;
let
inherit (stdenv.lib) concatStringsSep makeBinPath optional;

version = "5.0.399860.0429";
version = "5.0.403652.0509";
srcs = {
x86_64-linux = fetchurl {
url = "https://zoom.us/client/${version}/zoom_x86_64.tar.xz";
sha256 = "1jid8rs403b709scz8vpqsi1dxdmssn5426wa3d16p45blnxk16k";
sha256 = "00bprrfc7mmf3yg6jddqm2qr73m2zycr8hy19dxqpzld9gbvyzik";
};
};

8 changes: 2 additions & 6 deletions pkgs/applications/virtualization/cri-o/default.nix
@@ -1,5 +1,4 @@
{ flavor ? ""
, stdenv
{ stdenv
, btrfs-progs
, buildGoPackage
, fetchFromGitHub
@@ -18,7 +17,6 @@
buildGoPackage rec {
pname = "cri-o";
version = "1.18.0";
name = "${pname}-${version}${flavor}";

goPackagePath = "github.com/cri-o/cri-o";

@@ -54,9 +52,7 @@ buildGoPackage rec {
'';

installPhase = ''
install -Dm755 bin/crio $out/bin/crio${flavor}
install -Dm755 bin/crio-status $out/bin/crio-status${flavor}
install -Dm755 bin/pinns $out/bin/pinns${flavor}
install -Dm755 bin/* -t $out/bin
for shell in bash fish zsh; do
installShellCompletion --$shell completions/$shell/*
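Review bot: `install -Dm755 bin/* -t $out/bin` replaces an explicit list of three binaries with a glob, so anything else the build drops into `bin/` is installed executable without review, whereas the previous form documented exactly what the package ships. If `bin/` holds only `crio`, `crio-status` and `pinns` the two are equivalent, but keeping the list, `install -Dm755 bin/crio bin/crio-status bin/pinns -t $out/bin`, preserves that guarantee at no cost. The `installPhase` string continues past the end of this hunk.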
3 changes: 3 additions & 0 deletions pkgs/servers/http/nginx/modules.nix
@@ -140,6 +140,7 @@ in
export LUAJIT_LIB="${pkgs.luajit}/lib"
export LUAJIT_INC="${pkgs.luajit}/include/luajit-2.0"
'';
allowMemoryWriteExecute = true;
};

lua-upstream = {
@@ -150,6 +151,7 @@ in
sha256 = "1gqccg8airli3i9103zv1zfwbjm27h235qjabfbfqk503rjamkpk";
};
inputs = [ pkgs.luajit ];
allowMemoryWriteExecute = true;
};

modsecurity = {
@@ -246,6 +248,7 @@ in
in {
src = ngx_pagespeed;
inputs = [ pkgs.zlib pkgs.libuuid ]; # psol deps
allowMemoryWriteExecute = true;
};

pam = {
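Review bot: Each new `allowMemoryWriteExecute = true;` is added without a comment, so a maintainer touching these modules later cannot tell which component needs writable-and-executable memory or whether the flag can ever be dropped. For `lua` and `lua-upstream`, which both depend on `pkgs.luajit` as the hunks show, note the reason next to the flag: `# LuaJIT presumably generates machine code at runtime and cannot run under MemoryDenyWriteExecute`. The pagespeed entry should state the corresponding reason for PSOL, which I cannot confirm from this hunk; if the flag is only conservative there, say so instead.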