Merge master into staging-next

nixos/modules/programs/firejail.nix

@@ -11,10 +11,20 @@ let
     }
     ''
       mkdir -p $out/bin
-      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
+      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
+      let
+        opts = if builtins.isAttrs value
+        then value
+        else { executable = value; profile = null; extraArgs = []; };
+        args = lib.escapeShellArgs (
+          (optional (opts.profile != null) "--profile=${toString opts.profile}")
+          ++ opts.extraArgs
+          );
+      in
+      ''
         cat <<_EOF >$out/bin/${command}
         #! ${pkgs.runtimeShell} -e
-        exec /run/wrappers/bin/firejail ${binary} "\$@"
+        exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
         _EOF
         chmod 0755 $out/bin/${command}
       '') cfg.wrappedBinaries)}
@@ -25,12 +35,38 @@ in {
     enable = mkEnableOption "firejail";
 
     wrappedBinaries = mkOption {
-      type = types.attrsOf types.path;
+      type = types.attrsOf (types.either types.path (types.submodule {
+        options = {
+          executable = mkOption {
+            type = types.path;
+            description = "Executable to run sandboxed";
+            example = literalExample "''${lib.getBin pkgs.firefox}/bin/firefox";
+          };
+          profile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "Profile to use";
+            example = literalExample "''${pkgs.firejail}/etc/firejail/firefox.profile";
+          };
+          extraArgs = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = "Extra arguments to pass to firejail";
+            example = [ "--private=~/.firejail_home" ];
+          };
+        };
+      }));
       default = {};
       example = literalExample ''
         {
-          firefox = "''${lib.getBin pkgs.firefox}/bin/firefox";
-          mpv = "''${lib.getBin pkgs.mpv}/bin/mpv";
+          firefox = {
+            executable = "''${lib.getBin pkgs.firefox}/bin/firefox";
+            profile = "''${pkgs.firejail}/etc/firejail/firefox.profile";
+          };
+          mpv = {
+            executable = "''${lib.getBin pkgs.mpv}/bin/mpv";
+            profile = "''${pkgs.firejail}/etc/firejail/mpv.profile";
+          };
         }
       '';
       description = ''

nixos/tests/firejail.nix

@@ -11,6 +11,10 @@ import ./make-test-python.nix ({ pkgs, ...} : {
       enable = true;
       wrappedBinaries = {
         bash-jailed  = "${pkgs.bash}/bin/bash";
+        bash-jailed2  = {
+          executable = "${pkgs.bash}/bin/bash";
+          extraArgs = [ "--private=~/firejail-home" ];
+        };
       };
     };
 
@@ -53,6 +57,11 @@ import ./make-test-python.nix ({ pkgs, ...} : {
     )
     machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")
 
+    # Test extraArgs
+    machine.succeed("sudo -u alice mkdir /home/alice/firejail-home")
+    machine.succeed("sudo -u alice bash-jailed2 -c 'echo test > /home/alice/foo'")
+    machine.fail("sudo -u alice cat /home/alice/foo")
+    machine.succeed("sudo -u alice cat /home/alice/firejail-home/foo | grep test")
 
     # Test path acl with firejail executable
     machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")

pkgs/applications/virtualization/dumb-init/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "dumb-init";
-  version = "1.2.2";
+  version = "1.2.3";
 
   src = fetchFromGitHub {
     owner = "Yelp";
     repo = pname;
     rev = "v${version}";
-    sha256 = "15hgl8rz5dmrl5gx21sq5269l1hq539qn68xghjx0bv9hgbx0g20";
+    sha256 = "1ws944y8gch6h7iqvznfwlh9hnmdn36aqh9w6cbc7am8vbyq0ffa";
   };
 
   buildInputs = [ glibc.static ];

pkgs/development/libraries/libopenaptx/default.nix

@@ -2,16 +2,22 @@
 
 stdenv.mkDerivation rec {
   pname = "libopenaptx";
-  version = "0.1.0";
+  version = "0.2.0";
 
   src = fetchFromGitHub {
     owner = "pali";
     repo = "libopenaptx";
     rev = version;
-    sha256 = "0996qmkmbax7ccknxrd3bx8xibs79a1ffms69scsj59f3kgj6854";
+    sha256 = "nTpw4vWgJ765FM6Es3SzaaaZr0YDydXglb0RWLbiigI=";
   };
 
-  makeFlags = [ "PREFIX=$(out)" ];
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+    # disable static builds
+    "ANAME="
+    "AOBJECTS="
+    "STATIC_UTILITIES="
+  ];
 
   enableParallelBuilding = true;
 

pkgs/development/python-modules/class-registry/default.nix

@@ -4,6 +4,8 @@
   lib,
   nose,
   six,
+  typing,
+  isPy27,
 }:
 
 buildPythonPackage rec {
@@ -15,7 +17,7 @@ buildPythonPackage rec {
     sha256 = "0zjf9nczl1ifzj07bgs6mwxsfd5xck9l0lchv2j0fv2n481xp2v7";
   };
 
-  propagatedBuildInputs = [ six ];
+  propagatedBuildInputs = [ six ] ++ lib.optional isPy27 typing;
   checkInputs = [ nose ];
 
   # Tests currently failing.

pkgs/development/python-modules/cryptography/2.9.nix

@@ -29,6 +29,8 @@ buildPythonPackage rec {
     sha256 = "0af25w5mkd6vwns3r6ai1w5ip9xp0ms9s261zzssbpadzdr05hx0";
   };
 
+  patches = [ ./CVE-2020-25659.patch ];
+
   outputs = [ "out" "dev" ];
 
   buildInputs = [ openssl ]
@@ -70,6 +72,5 @@ buildPythonPackage rec {
       + replaceStrings [ "." ] [ "-" ] version;
     license = with licenses; [ asl20 bsd3 psfl ];
     maintainers = with maintainers; [ primeos ];
-    knownVulnerabilities = [ "CVE-2020-25659" "https://github.com/advisories/GHSA-hggm-jpg3-v476" ];
   };
 }

pkgs/development/python-modules/cryptography/CVE-2020-25659.patch

@@ -0,0 +1,76 @@
+Backported of:
+
+From 58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Sun, 25 Oct 2020 21:16:42 -0400
+Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption
+ (#5507)
+
+diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
+index 6e4675d..ce66c28 100644
+--- a/docs/spelling_wordlist.txt
++++ b/docs/spelling_wordlist.txt
+@@ -6,6 +6,7 @@ backend
+ Backends
+ backends
+ bcrypt
++Bleichenbacher
+ Blowfish
+ boolean
+ Botan
+diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
+index 3e4c2fd..6303f95 100644
+--- a/src/cryptography/hazmat/backends/openssl/rsa.py
++++ b/src/cryptography/hazmat/backends/openssl/rsa.py
+@@ -117,40 +117,19 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
+ 
+     outlen = backend._ffi.new("size_t *", buf_size)
+     buf = backend._ffi.new("unsigned char[]", buf_size)
++    # Everything from this line onwards is written with the goal of being as
++    # constant-time as is practical given the constraints of Python and our
++    # API. See Bleichenbacher's '98 attack on RSA, and its many many variants.
++    # As such, you should not attempt to change this (particularly to "clean it
++    # up") without understanding why it was written this way (see
++    # Chesterton's Fence), and without measuring to verify you have not
++    # introduced observable time differences.
+     res = crypt(pkey_ctx, buf, outlen, data, len(data))
++    resbuf = backend._ffi.buffer(buf)[: outlen[0]]
++    backend._lib.ERR_clear_error()
+     if res <= 0:
+-        _handle_rsa_enc_dec_error(backend, key)
+-
+-    return backend._ffi.buffer(buf)[:outlen[0]]
+-
+-
+-def _handle_rsa_enc_dec_error(backend, key):
+-    errors = backend._consume_errors()
+-    backend.openssl_assert(errors)
+-    backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
+-    if isinstance(key, _RSAPublicKey):
+-        backend.openssl_assert(
+-            errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
+-        )
+-        raise ValueError(
+-            "Data too long for key size. Encrypt less data or use a "
+-            "larger key size."
+-        )
+-    else:
+-        decoding_errors = [
+-            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
+-            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
+-            backend._lib.RSA_R_OAEP_DECODING_ERROR,
+-            # Though this error looks similar to the
+-            # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
+-            # rather than on encrypts
+-            backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
+-        ]
+-        if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
+-            decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
+-
+-        backend.openssl_assert(errors[0].reason in decoding_errors)
+-        raise ValueError("Decryption failed.")
++        raise ValueError("Encryption/decryption failed.")
++    return resbuf
+ 
+ 
+ def _rsa_sig_determine_padding(backend, key, padding, algorithm):

pkgs/development/tools/apktool/default.nix

@@ -2,14 +2,14 @@
 
 stdenv.mkDerivation rec {
   pname = "apktool";
-  version = "2.4.1";
+  version = "2.5.0";
 
   src = fetchurl {
     urls = [
       "https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_${version}.jar"
       "https://github.com/iBotPeaches/Apktool/releases/download/v${version}/apktool_${version}.jar"
     ];
-    sha256 = "0ljsh8nx065isnyzzrwddypikkfhyqsww0w02cgwgh8x3lhndsxx";
+    sha256 = "1r4z0z2c1drjd4ynpf36dklxs3hq1wdnzh63mk2yk4mmk75xg4mk";
   };
 
   phases = [ "installPhase" ];

pkgs/tools/misc/direnv/default.nix

@@ -2,7 +2,7 @@
 
 buildGoModule rec {
   pname = "direnv";
-  version = "2.24.0";
+  version = "2.25.0";
 
   vendorSha256 = null;
 
@@ -10,7 +10,7 @@ buildGoModule rec {
     owner = "direnv";
     repo = "direnv";
     rev = "v${version}";
-    sha256 = "1hgivmz6f5knpchkyi3njj1h81hixm77ad5g2v0m9bid09b97nh8";
+    sha256 = "00bvznswmz08s2jqpz5xxmkqggd06h6g8cwk242aaih6qajxfpsn";
   };
 
   # we have no bash at the moment for windows

pkgs/tools/security/sudo/default.nix

@@ -6,11 +6,11 @@
 
 stdenv.mkDerivation rec {
   pname = "sudo";
-  version = "1.9.3p1";
+  version = "1.9.4";
 
   src = fetchurl {
     url = "https://www.sudo.ws/dist/${pname}-${version}.tar.gz";
-    sha256 = "17mldsg5d08s23cskmjxfa81ibnqw3slgf3l4023j72ywi9xxffw";
+    sha256 = "1w03257akspgkkl757vmpq3p30sb2n6y61hll038mw9sqwnbv4cb";
   };
 
   prePatch = ''