From 33e867620eb1e27d44a35fb57944ce8a5bccfdab Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 24 Apr 2021 17:22:54 +0200 Subject: [PATCH 01/17] nixos/mosquitto: harden systemd unit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It can still network, it can only access the ssl related files if ssl is enabled. ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 ✗ DeviceAllow= Service has a device ACL with some special devices 0.1 ✗ IPAddressDeny= Service does not define an IP address allow list 0.2 ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 → Overall exposure level for mosquitto.service: 1.1 OK 🙂 --- .../modules/services/networking/mosquitto.nix | 43 +++++++++++++++++-- nixos/tests/mosquitto.nix | 5 ++- 2 files changed, 43 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 10b49d9b2206..b98a717e658b 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix 
@@ -233,15 +233,50 @@ in ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ProtectSystem = "strict"; - ProtectHome = true; + # Hardening + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; - ReadWritePaths = "${cfg.dataDir}"; + PrivateUsers = true; + ProtectClock = true; ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; - NoNewPrivileges = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + ReadWritePaths = [ + cfg.dataDir + "/tmp" # mosquitto_passwd creates files in /tmp before moving them + ]; + ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ + certfile + keyfile + cafile + ]; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_UNIX" # for sd_notify() call + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' rm -f ${cfg.dataDir}/passwd diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix index 308c1396013d..e29bd559ed9b 100644 --- a/nixos/tests/mosquitto.nix +++ b/nixos/tests/mosquitto.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let port = 1888; @@ -30,6 +30,9 @@ in { ]; }; }; + + # disable private /tmp for this test + systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false; }; client1 = client; From a2d1d16af82b7133547353568c5af33bbfcdca28 Mon Sep 17 00:00:00 2001 
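Review bot: `ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ certfile keyfile cafile ]` does not grant the service read access to the TLS material, so the commit message's claim that the unit can only access the ssl files when ssl is enabled does not hold; whether mosquitto can read `keyfile` is still decided by the file's owner and mode against the service user. Under `ProtectSystem = "strict"` the whole hierarchy is already read-only, so the entry has an effect only if one of these paths lies inside a `ReadWritePaths` entry such as `cfg.dataDir`, where it pins the file read-only. A comment stating that keeps the next reader from taking it for an allow-list: `# already read-only under ProtectSystem=strict; this only pins the files read-only should they live under dataDir`. If any of `certfile`/`keyfile`/`cafile` can be null while `enable` is true (the option declarations are outside this hunk), the list would contain a null and the unit would fail to render, so a `lib.filter (p: p != null)` may be needed.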
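Review bot: `systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;` means the test no longer exercises the unit as shipped, and the comment `# disable private /tmp for this test` says what is done but not why the private /tmp has to go. State the reason next to the override so it is not removed or kept by accident, e.g. `# PrivateTmp is off because <reason: which file the test shares with mosquitto through /tmp>`; the actual reason is not visible in this hunk. If the host /tmp is only needed for a file the test places there, putting that file under `cfg.dataDir` would let the hardened configuration be tested unchanged.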
From: Martin Weinelt Date: Thu, 29 Apr 2021 03:56:40 +0200 Subject: [PATCH 02/17] nixos/mosquitto: Migrate away from bind_address/port config keys Fixes these two deprecation warnings, by moving away from these options towards a simple listener configuration. > The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true. > The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead. Fixes: #120860 --- nixos/modules/services/networking/mosquitto.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index b98a717e658b..8e814ffd0b9b 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -20,8 +20,7 @@ let acl_file ${aclFile} persistence true allow_anonymous ${boolToString cfg.allowAnonymous} - bind_address ${cfg.host} - port ${toString cfg.port} + listener ${toString cfg.port} ${cfg.host} ${passwordConf} ${listenerConf} ${cfg.extraConf} From 6f55db13eb745068766ac34f843590d39701735e Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sun, 2 May 2021 20:17:14 +0000 Subject: [PATCH 03/17] tela-icon-theme: skip patchelf and symlink rewrite steps * We don't have any ELFs to patch. * Scanning all the symlinks is slow, and jdupes already makes them relative anyway. --- pkgs/data/icons/tela-icon-theme/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/data/icons/tela-icon-theme/default.nix b/pkgs/data/icons/tela-icon-theme/default.nix index 23e56e6107cc..c3bed509ed99 100644 --- a/pkgs/data/icons/tela-icon-theme/default.nix +++ b/pkgs/data/icons/tela-icon-theme/default.nix 
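Review bot: The new `listener ${toString cfg.port} ${cfg.host}` line changes how the rest of the generated config is scoped: in mosquitto, listener-specific options that follow a `listener` directive apply to that listener, and with `per_listener_settings` the authentication options do as well, so the position of `${passwordConf}` and `${listenerConf}` relative to this line now matters in a way it did not with the global `bind_address`/`port` keys. Those fragments are outside this hunk; worth confirming the password file, ACL and TLS settings still land on the intended listener, in particular if `listenerConf` opens a second `listener` for TLS. A short comment on the line would help, e.g. `# listener <port> [bind address]; listener-scoped options that follow apply to this listener`. If `cfg.host` may be empty the line ends in a trailing space and binds to all interfaces, which is presumably the intended default but should be confirmed against the option declaration.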
@@ -17,6 +17,10 @@ stdenv.mkDerivation rec { dontDropIconThemeCache = true; + # These fixup steps are slow and unnecessary. + dontPatchELF = true; + dontRewriteSymlinks = true; + installPhase = '' runHook preInstall From a494e0ce56bb476ecea69c85ccdf1f6a5ccc6a92 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sun, 2 May 2021 20:17:59 +0000 Subject: [PATCH 04/17] tela-icon-theme: switch to gpl3Only Since the license isn't documented anywhere other than COPYING, it must be assumed that the intent was to license only under the included license, without any extra clauses such as the "(at your option) any later version" clause. --- pkgs/data/icons/tela-icon-theme/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/data/icons/tela-icon-theme/default.nix b/pkgs/data/icons/tela-icon-theme/default.nix index c3bed509ed99..557ea99b34f6 100644 --- a/pkgs/data/icons/tela-icon-theme/default.nix +++ b/pkgs/data/icons/tela-icon-theme/default.nix @@ -35,7 +35,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "A flat colorful Design icon theme"; homepage = "https://github.com/vinceliuice/tela-icon-theme"; - license = licenses.gpl3Plus; + license = licenses.gpl3Only; platforms = platforms.unix; maintainers = with maintainers; [ figsoda ]; }; From 134c68a411fb8b52cf761ee799d5b242c9b87e18 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sun, 2 May 2021 20:18:48 +0000 Subject: [PATCH 05/17] tela-icon-theme: use stdenvNoCC This doesn't use any of the compilers tools, so it may as well use the compilerless version of the stdenv. --- pkgs/data/icons/tela-icon-theme/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/data/icons/tela-icon-theme/default.nix b/pkgs/data/icons/tela-icon-theme/default.nix index 557ea99b34f6..aaf32fdf16dc 100644 --- a/pkgs/data/icons/tela-icon-theme/default.nix +++ b/pkgs/data/icons/tela-icon-theme/default.nix 
@@ -1,6 +1,6 @@ -{ fetchFromGitHub, gtk3, hicolor-icon-theme, jdupes, lib, stdenv }: +{ fetchFromGitHub, gtk3, hicolor-icon-theme, jdupes, lib, stdenvNoCC }: -stdenv.mkDerivation rec { +stdenvNoCC.mkDerivation rec { pname = "tela-icon-theme"; version = "2021-01-21"; From 6c022654f6925c94fc11294fa6e11a9f5d148697 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 2 May 2021 21:33:48 +0200 Subject: [PATCH 06/17] python3Packages.csvw: 1.10.1 -> 1.10.2 --- pkgs/development/python-modules/csvw/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/csvw/default.nix b/pkgs/development/python-modules/csvw/default.nix index e4bd7ab2b624..cf388409c578 100644 --- a/pkgs/development/python-modules/csvw/default.nix +++ b/pkgs/development/python-modules/csvw/default.nix @@ -14,14 +14,14 @@ buildPythonPackage rec { pname = "csvw"; - version = "1.10.1"; + version = "1.10.2"; disabled = isPy27; src = fetchFromGitHub { owner = "cldf"; repo = "csvw"; rev = "v${version}"; - sha256 = "1764nfa4frjdd7v6wj35y7prnciaqz57wwygy5zfavl4laxn4nxd"; + sha256 = "0z0qxlsfxwz1qapxb4d0mz3wkj99d7zi9yrg1cbd2xp7giagb6d4"; }; patchPhase = '' From 73a0b6c8262314a1d5d5bf3a68b634a85ab07e98 Mon Sep 17 00:00:00 2001 From: Jonathan Ringer Date: Wed, 7 Apr 2021 22:16:30 -0700 Subject: [PATCH 07/17] buildFHSUserEnvBubblewrap: add dieWithParent option, and /etc/nix Allows for processes which fork to not be immediately killed when the parent process dies. --- .../build-fhs-userenv-bubblewrap/default.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix index 1911d08d2a1c..868686bd5c01 100644 --- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix +++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix 
@@ -14,6 +14,7 @@ args @ { , unshareNet ? false , unshareUts ? true , unshareCgroup ? true +, dieWithParent ? true , ... }: @@ -22,7 +23,7 @@ let buildFHSEnv = callPackage ./env.nix { }; env = buildFHSEnv (removeAttrs args [ - "runScript" "extraInstallCommands" "meta" "passthru" + "runScript" "extraInstallCommands" "meta" "passthru" "dieWithParent" "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc" ]); @@ -30,6 +31,13 @@ let files = [ # NixOS Compatibility "static" + "nix" # mainly for nixUnstable users, but also for access to nix/netrc + # Shells + "bashrc" + "zshenv" + "zshrc" + "zinputrc" + "zprofile" # Users, Groups, NSS "passwd" "group" @@ -136,7 +144,7 @@ let ${lib.optionalString unshareNet "--unshare-net"} ${lib.optionalString unshareUts "--unshare-uts"} ${lib.optionalString unshareCgroup "--unshare-cgroup"} - --die-with-parent + ${lib.optionalString dieWithParent "--die-with-parent"} --ro-bind /nix /nix # Our glibc will look for the cache in its own path in `/nix/store`. # As such, we need a cache to exist there, because pressure-vessel From 9bd292c9291abf6ca53980f9316d55c83d5753b4 Mon Sep 17 00:00:00 2001 From: Jonathan Ringer Date: Thu, 8 Apr 2021 00:05:37 -0700 Subject: [PATCH 08/17] vscod{e,ium}: Add fhs passthru --- pkgs/applications/editors/vscode/generic.nix | 65 ++++++++++++++++++-- 1 file changed, 61 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/editors/vscode/generic.nix b/pkgs/applications/editors/vscode/generic.nix index 060078cd57b6..f47e31a32e77 100644 --- a/pkgs/applications/editors/vscode/generic.nix +++ b/pkgs/applications/editors/vscode/generic.nix @@ -1,7 +1,8 @@ { stdenv, lib, makeDesktopItem , unzip, libsecret, libXScrnSaver, libxshmfence, wrapGAppsHook , gtk2, atomEnv, at-spi2-atk, autoPatchelfHook -, systemd, fontconfig, libdbusmenu +, systemd, fontconfig, libdbusmenu, buildFHSUserEnvBubblewrap +, writeShellScriptBin # Populate passthru.tests , tests 
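Review bot: The `"nix"` entry added to the `/etc` file list, justified in its comment with `nix/netrc`, bind-mounts the host's `/etc/nix` into every FHS environment, and a `netrc` there typically holds binary-cache credentials; the commit message mentions only nixUnstable users, so the exposure should be spelled out where the line is, e.g. `"nix" # exposes /etc/nix (including nix/netrc credentials, if present) to the sandboxed program`. The new `dieWithParent ? true` argument in the first hunk carries no documentation while the last hunk is where it takes effect; a line like `, dieWithParent ? true # pass --die-with-parent to bwrap so the sandbox is torn down with the wrapper` would match the neighbouring `unshare*` arguments. The shell rc entries (`bashrc`, `zshenv`, `zshrc`, `zinputrc`, `zprofile`) likewise widen what a sandboxed program sees but have only the `# Shells` heading as rationale.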
@@ -13,13 +14,14 @@ let inherit (stdenv.hostPlatform) system; -in - stdenv.mkDerivation { + unwrapped = stdenv.mkDerivation { inherit pname version src sourceRoot; passthru = { inherit executableName tests; + fhs = fhs {}; + fhsWithPackages = f: fhs { additionalPkgs = f; }; }; desktopItem = makeDesktopItem { @@ -97,4 +99,59 @@ in ''; inherit meta; - } + }; + + # Vscode and variants allow for users to download and use extensions + # which often include the usage of pre-built binaries. + # This has been an on-going painpoint for many users, as + # a full extension update cycle has to be done through nixpkgs + # in order to create or update extensions. + # See: #83288 #91179 #73810 #41189 + # + # buildFHSUserEnv allows for users to use the existing vscode + # extension tooling without significant pain. + fhs = { additionalPkgs ? pkgs: [] }: buildFHSUserEnvBubblewrap { + # also determines the name of the wrapped command + name = executableName; + + # additional libraries which are commonly needed for extensions + targetPkgs = pkgs: (with pkgs; [ + # ld-linux-x86-64-linux.so.2 and others + glibc + + # dotnet + curl + icu + libunwind + libuuid + openssl + zlib + + # mono + krb5 + ]) ++ additionalPkgs pkgs; + + # restore desktop item icons + extraInstallCommands = '' + mkdir -p $out/share/applications + for item in ${unwrapped}/share/applications/*.desktop; do + ln -s $item $out/share/applications/ + done + ''; + + runScript = "${unwrapped}/bin/${executableName}"; + + # vscode likes to kill the parent so that the + # gui application isn't attached to the terminal session + dieWithParent = false; + + passthru = { + inherit executableName; + inherit (unwrapped) pname version; # for home-manager module + }; + + inherit meta; + }; +in + unwrapped + From a060b84b3276420abffe2ac4699d4fef66905aad Mon Sep 17 00:00:00 2001 
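Review bot: `writeShellScriptBin` is added to the argument set in the first hunk of this commit but is not referenced by the `unwrapped` or `fhs` code in these hunks; if the rest of the file does not use it either, drop it from the inputs. The comment `# ld-linux-x86-64-linux.so.2 and others` names a loader that does not exist; the glibc dynamic loader is `ld-linux-x86-64.so.2`, so the comment should read `# ld-linux-x86-64.so.2 and others`. `fhs = fhs {};` inside `passthru` resolves to the `let`-bound `fhs` function defined further down, which works because `let` is recursive but reads as a self-reference at first glance; a comment such as `# the FHS wrapper, defined below` would help.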
From: Jonathan Ringer Date: Sat, 24 Apr 2021 12:42:38 -0700 Subject: [PATCH 09/17] vscod{e,ium}-fhs: add top-level aliases, add description --- pkgs/applications/editors/vscode/generic.nix | 7 ++++++- pkgs/top-level/all-packages.nix | 4 ++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/editors/vscode/generic.nix b/pkgs/applications/editors/vscode/generic.nix index f47e31a32e77..2d8f639a0c61 100644 --- a/pkgs/applications/editors/vscode/generic.nix +++ b/pkgs/applications/editors/vscode/generic.nix @@ -150,7 +150,12 @@ let inherit (unwrapped) pname version; # for home-manager module }; - inherit meta; + meta = meta // { + description = '' + Wrapped variant of ${pname} which launches in a FHS compatible envrionment. + Should allow for easy usage of extensions without nix-specific modifications. + ''; + }; }; in unwrapped diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9d370bd80f83..61b5050bc95a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -26744,6 +26744,8 @@ in }; vscode = callPackage ../applications/editors/vscode/vscode.nix { }; + vscode-fhs = vscode.fhs; + vscode-fhsWithPackages = vscode.fhsWithPackages; vscode-with-extensions = callPackage ../applications/editors/vscode/with-extensions.nix {}; @@ -26752,6 +26754,8 @@ in vscode-extensions = recurseIntoAttrs (callPackage ../misc/vscode-extensions {}); vscodium = callPackage ../applications/editors/vscode/vscodium.nix { }; + vscodium-fhs = vscodium.fhs; + vscodium-fhsWithPackages = vscodium.fhsWithPackages; code-server = callPackage ../servers/code-server { inherit (darwin.apple_sdk.frameworks) AppKit Cocoa Security; From f5e695bf3ac63a5a3b2d2cf4f2427e232534915a Mon Sep 17 00:00:00 2001 
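Review bot: The new `description` in `meta` for the fhs wrapper contains a typo in a user-visible string, `envrionment` for `environment`, and the `''`-string form embeds a line break and a trailing newline into a field that is conventionally a single line. Suggest `description = "Wrapped variant of ${pname} which launches in a FHS compatible environment. Should allow for easy usage of extensions without nix-specific modifications.";`. The function's surrounding `let` block starts and ends outside this hunk.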
From: "R. RyanTM" Date: Sun, 2 May 2021 13:39:45 -0700 Subject: [PATCH 10/17] kubelogin-oidc: 1.23.0 -> 1.23.1 (#121440) --- .../networking/cluster/kubelogin-oidc/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/networking/cluster/kubelogin-oidc/default.nix b/pkgs/applications/networking/cluster/kubelogin-oidc/default.nix index 7cbe55585336..a51230d5ff46 100644 --- a/pkgs/applications/networking/cluster/kubelogin-oidc/default.nix +++ b/pkgs/applications/networking/cluster/kubelogin-oidc/default.nix @@ -2,18 +2,18 @@ buildGoModule rec { pname = "kubelogin"; - version = "1.23.0"; + version = "1.23.1"; src = fetchFromGitHub { owner = "int128"; repo = pname; rev = "v${version}"; - sha256 = "0n94nx17c6ln2nd6d9yr93vc251y1xphq1wj2vzs4j2l8dqfyjpn"; + sha256 = "sha256-YK/QGx6QzSeyeZ61KgdYO3POJQFK1F6yJayd2gcRWS4="; }; subPackages = ["."]; - vendorSha256 = "1dvrk6z6k66wawgb50n8hbgdd8fly399mlbgnvxi671vfi7lkz09"; + vendorSha256 = "sha256-tnjgs8Ziqdo1ciVOWtL0D8puv2SZGqSHgo2SV7N8F0M="; # Rename the binary instead of symlinking to avoid conflict with the # Azure version of kubelogin From d942d4473d1165cf9d8a1171bbad154f77239ba0 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 1 May 2021 02:29:59 +0200 Subject: [PATCH 11/17] neovim, neovimUtils, neovim-qt: drop python2 support In 2a00e53bd pynvim support for python2 was disabled, this broke the neovim build. I really think it is time to let go of python2 support in neovim. --- nixos/doc/manual/release-notes/rl-2105.xml | 2 +- pkgs/applications/editors/neovim/default.nix | 4 ++-- .../applications/editors/neovim/neovim-qt.nix | 4 ++-- .../editors/neovim/neovim-remote.nix | 23 +++++++++++++++---- pkgs/applications/editors/neovim/qt.nix | 3 +-- pkgs/applications/editors/neovim/utils.nix | 17 ++++---------- pkgs/applications/editors/neovim/wrapper.nix | 8 +++---- pkgs/top-level/all-packages.nix | 2 +- 8 files changed, 34 insertions(+), 29 deletions(-) 
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index b45c19fa9af9..0fe0b28cd91e 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -330,7 +330,7 @@ - vim switched to Python 3, dropping all Python 2 support. + vim and neovim switched to Python 3, dropping all Python 2 support. diff --git a/pkgs/applications/editors/neovim/default.nix b/pkgs/applications/editors/neovim/default.nix index 3e5de3d5fc15..1b4835064f96 100644 --- a/pkgs/applications/editors/neovim/default.nix +++ b/pkgs/applications/editors/neovim/default.nix @@ -6,7 +6,7 @@ # now defaults to false because some tests can be flaky (clipboard etc) , doCheck ? false -, nodejs ? null, fish ? null, python ? null +, nodejs ? null, fish ? null, python3 ? null }: with lib; @@ -19,7 +19,7 @@ let ] )); - pyEnv = python.withPackages(ps: [ ps.pynvim ps.msgpack ]); + pyEnv = python3.withPackages(ps: with ps; [ pynvim msgpack ]); # FIXME: this is verry messy and strange. # see https://github.com/NixOS/nixpkgs/pull/80528 diff --git a/pkgs/applications/editors/neovim/neovim-qt.nix b/pkgs/applications/editors/neovim/neovim-qt.nix index d925ddd2a528..0a4d17d997b5 100644 --- a/pkgs/applications/editors/neovim/neovim-qt.nix +++ b/pkgs/applications/editors/neovim/neovim-qt.nix @@ -1,5 +1,5 @@ { lib, mkDerivation, fetchFromGitHub, cmake, doxygen, makeWrapper -, msgpack, neovim, pythonPackages, qtbase }: +, msgpack, neovim, python3Packages, qtbase }: mkDerivation rec { pname = "neovim-qt-unwrapped"; @@ -20,7 +20,7 @@ mkDerivation rec { buildInputs = [ neovim.unwrapped # only used to generate help tags at build time qtbase - ] ++ (with pythonPackages; [ + ] ++ (with python3Packages; [ jinja2 python msgpack ]); diff --git a/pkgs/applications/editors/neovim/neovim-remote.nix b/pkgs/applications/editors/neovim/neovim-remote.nix index 867e22751284..2b1281ae21be 100644 --- a/pkgs/applications/editors/neovim/neovim-remote.nix 
+++ b/pkgs/applications/editors/neovim/neovim-remote.nix @@ -1,11 +1,14 @@ -{ lib, fetchFromGitHub, pythonPackages }: +{ lib +, fetchFromGitHub +, python3 +, neovim +}: with lib; -pythonPackages.buildPythonApplication rec { +with python3.pkgs; buildPythonApplication rec { pname = "neovim-remote"; version = "2.4.0"; - disabled = !pythonPackages.isPy3k; src = fetchFromGitHub { owner = "mhinz"; @@ -14,12 +17,24 @@ pythonPackages.buildPythonApplication rec { sha256 = "0jlw0qksak4bdzddpsj74pm2f2bgpj3cwrlspdjjy0j9qzg0mpl9"; }; - propagatedBuildInputs = with pythonPackages; [ + propagatedBuildInputs = [ pynvim psutil setuptools ]; + checkInputs = [ + neovim + pytestCheckHook + ]; + + disabledTests = [ + # these tests get stuck and never return + "test_escape_filenames_properly" + "test_escape_single_quotes_in_filenames" + "test_escape_double_quotes_in_filenames" + ]; + meta = { description = "A tool that helps controlling nvim processes from a terminal"; homepage = "https://github.com/mhinz/neovim-remote/"; diff --git a/pkgs/applications/editors/neovim/qt.nix b/pkgs/applications/editors/neovim/qt.nix index 5210b6b67c8b..1da7e7e966e3 100644 --- a/pkgs/applications/editors/neovim/qt.nix +++ b/pkgs/applications/editors/neovim/qt.nix @@ -1,5 +1,4 @@ -{ lib, stdenv, mkDerivation, fetchFromGitHub, cmake, doxygen, makeWrapper -, msgpack, neovim, pythonPackages, qtbase, neovim-qt-unwrapped }: +{ stdenv, makeWrapper, neovim, neovim-qt-unwrapped }: let unwrapped = neovim-qt-unwrapped; diff --git a/pkgs/applications/editors/neovim/utils.nix b/pkgs/applications/editors/neovim/utils.nix index d992ccd3f6a4..6d04fa6851a6 100644 --- a/pkgs/applications/editors/neovim/utils.nix +++ b/pkgs/applications/editors/neovim/utils.nix @@ -4,7 +4,6 @@ , neovim-unwrapped , bundlerEnv , ruby -, pythonPackages , python3Packages , writeText , wrapNeovimUnstable 
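Review bot: `with python3.pkgs; buildPythonApplication rec {` puts a second file-wide `with` on top of `with lib;`, so for every name in the body (`pynvim`, `psutil`, `pytestCheckHook`, but also `neovim`, which is an explicit argument) the reader has to work out which scope supplies it, and a name added to `python3.pkgs` later could silently shadow an argument. Scoping it to where it is needed, `propagatedBuildInputs = with python3.pkgs; [ ... ];` and `checkInputs = [ neovim python3.pkgs.pytestCheckHook ];`, keeps the derivation call as `python3.pkgs.buildPythonApplication rec {`. The three `disabledTests` entries say the tests hang but not under what conditions; a link or a note on whether this is sandbox-related would help the next person who tries to re-enable them.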
@@ -48,12 +47,6 @@ let requiredPlugins = vimUtils.requiredPlugins configure; getDeps = attrname: map (plugin: plugin.${attrname} or (_: [ ])); - pluginPython2Packages = getDeps "pythonDependencies" requiredPlugins; - python2Env = pythonPackages.python.withPackages (ps: - [ ps.pynvim ] - ++ (extraPython2Packages ps) - ++ (lib.concatMap (f: f ps) pluginPython2Packages)); - pluginPython3Packages = getDeps "python3Dependencies" requiredPlugins; python3Env = python3Packages.python.withPackages (ps: [ ps.pynvim ] @@ -69,7 +62,6 @@ let # While the latter tells nvim that this provider is not available hostprog_check_table = { node = withNodeJs; - python = withPython2; python3 = withPython3; ruby = withRuby; }; @@ -99,11 +91,12 @@ let manifestRc = vimUtils.vimrcContent (configure // { customRC = ""; }); neovimRcContent = vimUtils.vimrcContent configure; in + assert withPython2 -> throw "Python2 support has been removed from neovim, please remove withPython2 and extraPython2Packages."; + args // { wrapperArgs = makeWrapperArgs; inherit neovimRcContent; inherit manifestRc; - inherit python2Env; inherit python3Env; inherit withNodeJs; } // lib.optionalAttrs withRuby { @@ -120,7 +113,7 @@ let # to keep backwards compatibility legacyWrapper = neovim: { extraMakeWrapperArgs ? "" - , withPython ? true + , withPython ? false /* the function you would have passed to python.withPackages */ , extraPythonPackages ? (_: []) /* the function you would have passed to python.withPackages */ 
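Review bot: `assert withPython2 -> throw "Python2 support has been removed from neovim, please remove withPython2 and extraPython2Packages.";` only fires when `withPython2` is true; a caller who still passes `extraPython2Packages` (still accepted by `makeNeovimConfig` as far as these hunks show) gets no diagnostic and the packages are silently ignored, which contradicts the message's request to remove both. The same applies to `extraPythonPackages` in the `legacyWrapper` assertion in the next hunk and to `python2Env` in `wrapper.nix`. Since Nix cannot compare functions, the practical fix is to drop the obsolete arguments from the parameter sets so that passing them fails loudly, or to document that they are ignored. The signature of `makeNeovimConfig` is outside this hunk, so whether `extraPython2Packages` still has a default cannot be seen here.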
@@ -138,14 +131,14 @@ let else funOrList); res = makeNeovimConfig { - withPython2 = withPython; - extraPythonPackages = compatFun extraPythonPackages; inherit withPython3; extraPython3Packages = compatFun extraPython3Packages; inherit withNodeJs withRuby viAlias vimAlias; inherit configure; }; in + assert withPython -> throw "Python2 support has been removed from neovim, please remove withPython and extraPythonPackages."; + wrapNeovimUnstable neovim (res // { wrapperArgs = lib.escapeShellArgs ( res.wrapperArgs ++ lib.optionals (configure != {}) [ diff --git a/pkgs/applications/editors/neovim/wrapper.nix b/pkgs/applications/editors/neovim/wrapper.nix index 66127980bf67..db30832d2398 100644 --- a/pkgs/applications/editors/neovim/wrapper.nix +++ b/pkgs/applications/editors/neovim/wrapper.nix @@ -3,7 +3,6 @@ , bundlerEnv, ruby , nodejs , nodePackages -, pythonPackages , python3Packages }: with lib; @@ -15,7 +14,7 @@ let # should contain all args but the binary wrapperArgs ? "" , manifestRc ? null - , withPython2 ? true, python2Env ? null + , withPython2 ? false , withPython3 ? true, python3Env ? null , withNodeJs ? false , rubyEnv ? null @@ -35,6 +34,8 @@ let [ "${neovim}/bin/nvim" "${placeholder "out"}/bin/nvim" ] ++ [ "--set" "NVIM_SYSTEM_RPLUGIN_MANIFEST" "${placeholder "out"}/rplugin.vim" ]; in + assert withPython2 -> throw "Python2 support has been removed from the neovim wrapper, please remove withPython2 and python2Env."; + symlinkJoin { name = "neovim-${lib.getVersion neovim}"; # Remove the symlinks created by symlinkJoin which we need to perform @@ -44,9 +45,6 @@ let substitute ${neovim}/share/applications/nvim.desktop $out/share/applications/nvim.desktop \ --replace 'Name=Neovim' 'Name=WrappedNeovim' '' - + optionalString withPython2 '' - makeWrapper ${python2Env}/bin/python $out/bin/nvim-python --unset PYTHONPATH - '' + optionalString withPython3 '' makeWrapper ${python3Env}/bin/python3 $out/bin/nvim-python3 --unset PYTHONPATH '' 
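Review bot: In `wrapper.nix` the `python2Env ? null` parameter is removed from the attribute-set pattern while `withPython2 ? false` stays to drive the `assert ... throw` below; if the pattern has no `...` (its opening is outside this hunk), a caller that still passes `python2Env` fails with Nix's generic unexpected-argument error before ever reaching the friendlier message that names `python2Env`. Either keep `python2Env ? null` in the pattern and mention it in the assertion as now, or drop `withPython2` too and let both fail the same way; mixing the two is what makes the error surface inconsistent. The `assert cond -> throw "..."` idiom is used three times in this commit; a brief comment on the first use, `# -> throw: abort with a readable message when the removed option is still set`, would help readers unfamiliar with it.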
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 61b5050bc95a..029495618b09 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -26626,7 +26626,7 @@ in gnvim = callPackage ../applications/editors/neovim/gnvim/wrapper.nix { }; - neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { pythonPackages = python3Packages; }; + neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { }; vis = callPackage ../applications/editors/vis { inherit (lua52Packages) lpeg; From 8b0515eb9ae070855d670c4638ef7618a7fb3418 Mon Sep 17 00:00:00 2001 From: Mario Rodas Date: Sun, 2 May 2021 16:59:08 -0500 Subject: [PATCH 12/17] pngquant: 2.12.5 -> 2.14.1 (#121470) --- pkgs/tools/graphics/pngquant/default.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pkgs/tools/graphics/pngquant/default.nix b/pkgs/tools/graphics/pngquant/default.nix index b3b1773faf15..7463e2a45e03 100644 --- a/pkgs/tools/graphics/pngquant/default.nix +++ b/pkgs/tools/graphics/pngquant/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "pngquant"; - version = "2.12.5"; + version = "2.14.1"; src = fetchFromGitHub { - owner = "pornel"; + owner = "kornelski"; repo = "pngquant"; rev = version; - sha256 = "0sq398iv5cacblz6pb4j2hn16cnszsbkahikdpfq84rb9bj0ya40"; + sha256 = "054hi33qp3jc7hv0141wi8drwdg24v5zfp8znwjmz4mcdls8vxbb"; fetchSubmodules = true; }; @@ -17,11 +17,14 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkg-config ]; buildInputs = [ libpng zlib lcms2 ]; + doCheck = true; + meta = with lib; { homepage = "https://pngquant.org/"; description = "A tool to convert 24/32-bit RGBA PNGs to 8-bit palette with alpha channel preserved"; + changelog = "https://github.com/kornelski/pngquant/raw/${version}/CHANGELOG"; platforms = platforms.unix; - license = licenses.gpl3; + license = with licenses; [ gpl3Plus hpnd bsd2 ]; maintainers = [ maintainers.volth ]; }; } 
From 7d09d7f5713dac972ce9d72624d20635899c876d Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 24 Apr 2021 14:52:14 +0200 Subject: [PATCH 13/17] nixos/home-assistant: harden systemd service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is what is still exposed, and it should still allow things to work as usual. ✗ PrivateNetwork= Service has access to the host's … 0.5 ✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc… 0.3 ✗ DeviceAllow= Service has a device ACL with som… 0.1 ✗ IPAddressDeny= Service does not define an IP add… 0.2 ✗ PrivateDevices= Service potentially has access to… 0.2 ✗ PrivateUsers= Service has access to other users 0.2 ✗ SystemCallFilter=~@resources System call allow list defined fo… 0.2 ✗ RootDirectory=/RootImage= Service runs within the host's ro… 0.1 ✗ SupplementaryGroups= Service runs with supplementary g… 0.1 ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 → Overall exposure level for home-assistant.service: 1.6 OK :-) This can grow to as much as ~1.9 if you use one of the bluetooth or nmap trackers or the emulated_hue component, all of which required elevated permisssions. --- .../modules/services/misc/home-assistant.nix | 72 +++++++++++++++++-- 1 file changed, 66 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 0590f54ae60e..9ae86af08750 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix 
@@ -245,22 +245,83 @@ in { rm -f "${cfg.configDir}/ui-lovelace.yaml" ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" ''); - serviceConfig = { + serviceConfig = let + # List of capabilities to equip home-assistant with, depending on configured components + capabilities = [ + # Empty string first, so we will never accidentally have an empty capability bounding set + # https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115 + "" + ] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ + # Required for interaction with hci devices and bluetooth sockets + # https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ] ++ lib.optionals (useComponent "emulated_hue") [ + # Alexa looks for the service on port 80 + # https://www.home-assistant.io/integrations/emulated_hue + "CAP_NET_BIND_SERVICE" + ] ++ lib.optionals (useComponent "nmap_tracker") [ + # https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities + "CAP_NET_ADMIN" + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ])); + in { ExecStart = "${package}/bin/hass --config '${cfg.configDir}'"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "hass"; Group = "hass"; Restart = "on-failure"; + KillSignal = "SIGINT"; + + # Hardening + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + DeviceAllow = [ + "char-ttyACM rw" + "char-ttyAMA rw" + "char-ttyUSB rw" + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateTmp = true; + PrivateUsers = false; # prevents gaining capabilities in the host namespace + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; ProtectSystem = 
"strict"; + RemoveIPC = true; ReadWritePaths = let + # Allow rw access to explicitly configured paths cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ]; value = attrByPath cfgPath [] cfg; allowPaths = if isList value then value else singleton value; in [ "${cfg.configDir}" ] ++ allowPaths; - KillSignal = "SIGINT"; - PrivateTmp = true; - RemoveIPC = true; - AmbientCapabilities = "cap_net_raw,cap_net_admin+eip"; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ + "AF_BLUETOOTH" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SupplementaryGroups = [ "dialout" ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; }; path = [ "/run/wrappers" # needed for ping @@ -278,7 +339,6 @@ in { home = cfg.configDir; createHome = true; group = "hass"; - extraGroups = [ "dialout" ]; uid = config.ids.uids.hass; }; From 8ab7fc11076373fee3e5cc842176e6fb8c5705b3 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 25 Apr 2021 14:44:51 +0200 Subject: [PATCH 14/17] nixos/tests/home-assistant: test capability passing Configures the emulated_hue component and expects CAP_NET_BIND_SERVICE to be passed in order to be able to bind to 80/tcp. Also print the systemd security analysis, so we can spot changes more quickly. --- nixos/tests/home-assistant.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 3b7295324a18..2224403961e2 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -47,6 +47,10 @@ in { payload_on = "let_there_be_light"; payload_off = "off"; }]; + emulated_hue = { + host_ip = "127.0.0.1"; + listen_port = 80; + }; logger = { default = "info"; logs."homeassistant.components.mqtt" = "debug"; 
@@ -82,6 +86,9 @@ in { hass.succeed( "mosquitto_pub -V mqttv5 -t home-assistant/test -u ${mqttUsername} -P '${mqttPassword}' -m let_there_be_light" ) + with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"): + hass.wait_for_open_port(80) + hass.succeed("curl --fail http://localhost:80/description.xml") with subtest("Print log to ease debugging"): output_log = hass.succeed("cat ${configDir}/home-assistant.log") print("\n### home-assistant.log ###\n") @@ -93,5 +100,8 @@ in { # example line: 2020-06-20 10:01:32 DEBUG (MainThread) [homeassistant.components.mqtt] Received message on home-assistant/test: b'let_there_be_light' with subtest("Check we received the mosquitto message"): assert "let_there_be_light" in output_log + + with subtest("Check systemd unit hardening"): + hass.log(hass.succeed("systemd-analyze security home-assistant.service")) ''; }) From 1dbb60f562f73cfa46d2e5ef21f9d2a98ecba565 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 26 Apr 2021 02:17:48 +0200 Subject: [PATCH 15/17] nixos/tests/home-assistant: update maintainership to home-assistant team --- nixos/tests/home-assistant.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 2224403961e2..c75dd248ecb3 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let configDir = "/var/lib/foobar"; @@ -6,9 +6,7 @@ let mqttPassword = "secret"; in { name = "home-assistant"; - meta = with pkgs.lib; { - maintainers = with maintainers; [ dotlambda ]; - }; + meta.maintainers = lib.teams.home-assistant.members; nodes.hass = { pkgs, ... }: { environment.systemPackages = with pkgs; [ mosquitto ]; From f41349d30d5e1cc72c8041616ecb8c36d56f3682 Mon Sep 17 00:00:00 2001 
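Review bot: `hass.log(hass.succeed("systemd-analyze security home-assistant.service"))` records the analysis but asserts nothing, so a hardening regression (a setting dropped from the unit) would not fail the test; the commit message records an overall exposure of 1.6, which gives a threshold to check against. Parse the `Overall exposure level` line from the command's output and assert it does not exceed the expected value, or at least assert that the settings the test depends on are reported as applied. The emulated_hue subtest checks that port 80 opens and `description.xml` is served, which is a good functional check of the capability passing; a one-line comment that binding this port relies on `CAP_NET_BIND_SERVICE` from the module's capability list would tie the test to the module change.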
From: Martin Weinelt Date: Mon, 26 Apr 2021 02:39:09 +0200 Subject: [PATCH 16/17] nixos/home-assistant: Restart systemd unit on restart service Home-assistant through its `--runner` commandline flag supports sending exit code 100 when the `homeassistant.restart` service is called. With `RestartForceExitStatus` we can listen for that specific exit code and restart the whole systemd unit, providing an actual clean restart with fresh processes. Additional treat exit code 100 as a successful termination. --- nixos/modules/services/misc/home-assistant.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 9ae86af08750..1985f1308811 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -267,11 +267,13 @@ in { "CAP_NET_RAW" ])); in { - ExecStart = "${package}/bin/hass --config '${cfg.configDir}'"; + ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "hass"; Group = "hass"; Restart = "on-failure"; + RestartForceExitStatus = "100"; + SuccessExitStatus = "100"; KillSignal = "SIGINT"; # Hardening From 280c8cf540342414661b89158c707fb9ef74a91e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 3 May 2021 02:04:29 +0200 Subject: [PATCH 17/17] py3c: fix build with darwin (#121447) --- pkgs/development/libraries/py3c/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/py3c/default.nix b/pkgs/development/libraries/py3c/default.nix index 2a89161ef389..eec051f0cc1c 100644 --- a/pkgs/development/libraries/py3c/default.nix +++ b/pkgs/development/libraries/py3c/default.nix 
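Review bot: `RestartForceExitStatus = "100";` and `SuccessExitStatus = "100";` introduce a magic exit code whose meaning is explained only in the commit message; the unit definition itself gives no hint why 100 is special or that it is tied to the new `--runner` flag on `ExecStart`. Suggest a comment above the pair: `# with --runner, hass exits with 100 when homeassistant.restart is called; treat that as clean and restart the unit`. With `Restart = "on-failure"` the success status alone would suppress the restart, so both settings are needed together, which is worth stating so neither is removed in isolation.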
@@ -11,6 +11,11 @@ stdenv.mkDerivation rec { sha256 = "04i2z7hrig78clc59q3i1z2hh24g7z1bfvxznlzxv00d4s57nhpi"; }; + postPatch = lib.optionalString stdenv.cc.isClang '' + substituteInPlace test/setup.py \ + --replace "'-Werror', " "" + ''; + makeFlags = [ "prefix=${placeholder "out"}" ]; @@ -26,6 +31,6 @@ stdenv.mkDerivation rec { homepage = "https://github.com/encukou/py3c"; description = "Python 2/3 compatibility layer for C extensions"; license = licenses.mit; - maintainers = with maintainers; [ ajs124 ]; + maintainers = with maintainers; [ ajs124 dotlambda ]; }; }
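Review bot: `substituteInPlace test/setup.py --replace "'-Werror', " ""` succeeds even when the exact text, including the trailing comma and space, is not present, so an upstream reformat of setup.py would silently bring back the clang failure this commit fixes. Guard it with a check that fails the build if the flag survives, e.g. `grep -q -- "-Werror" test/setup.py && { echo "-Werror still present in test/setup.py"; exit 1; }` right after the substitution. A one-line comment on why clang needs this (which warning is promoted to an error) would also help, since `stdenv.cc.isClang` alone does not say.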