e38b74ba89
In `scripts/Makefile.modinst`, the code that generates the list of modules to install passes file names via the command line. When installing a grsecurity kernel, this list appears to exceed the shell's argument list limit, as in

    make[2]: execvp: /nix/store/[...]-bash-4.3-p46/bin/bash: Argument list too long

The build does not fail, however; instead, the list of modules to be installed ends up being empty. Thus, the resulting kernel package output contains no modules, rendering it useless.

We work around this by patching the makefile to use `find -exec` to process files.

Why this would occur for grsecurity and not other kernels is unknown; most likely something *else* is actually causing this behaviour, so this is a temporary fix until that cause is found.

Fixes https://github.com/NixOS/nixpkgs/issues/20490
{ stdenv, fetchurl, fetchpatch, pkgs }:
let
# Builds a kernel-patch entry for TuxOnIce: downloads the bzip2-compressed
# patch and unpacks it into a single store file.
#
# Arguments:
#   version       - TuxOnIce release; used in the download file name and in
#                   the derivation name
#   kernelVersion - kernel release the patch targets
#   sha256        - hash of the compressed download, handed to fetchurl
#   url           - download location; defaults to the upstream site
#
# Returns { name, patch }.
#
# The default URL is plain http, so the transport itself gives no integrity
# guarantee: the download is accepted only if it matches sha256. A hash that
# was computed from this http download inherits no authenticity from the
# transport, which matters whenever the version or hash is bumped.
makeTuxonicePatch =
  { version
  , kernelVersion
  , sha256
  , url ? "http://tuxonice.nigelcunningham.com.au/downloads/all/tuxonice-for-linux-${kernelVersion}-${version}.patch.bz2"
  }:
  let
    # The compressed patch exactly as published.
    compressed = fetchurl {
      url = url;
      sha256 = sha256;
    };
  in
  {
    name = "tuxonice-${kernelVersion}";
    patch = stdenv.mkDerivation {
      name = "tuxonice-${version}-for-${kernelVersion}.patch";
      src = compressed;
      # installPhase is the only phase listed, so nothing else runs.
      phases = [ "installPhase" ];
      # $out is the decompressed patch file itself, not a directory.
      installPhase = ''
        source $stdenv/setup
        bunzip2 -c $src > $out
      '';
    };
  };
# Builds a kernel-patch entry for one grsecurity release.
#
# Arguments:
#   grbranch - path component of the mirror URL to fetch from (default "test")
#   grver    - grsecurity version (default "3.1")
#   kver     - kernel version, part of the patch name
#   grrev    - grsecurity revision stamp, part of the patch name
#   sha256   - hash of the patch file, handed to fetchurl
#
# Returns { name, grver, kver, grrev, patch, features }.
grsecPatch = { grbranch ? "test", grver ? "3.1", kver, grrev, sha256 }:
  let
    name = "grsecurity-${grver}-${kver}-${grrev}";
  in
  {
    # grver, kver and grrev are re-exported so that the caller can decide
    # whether the patch is compatible with the kernel being built.
    inherit name grver kver grrev;

    patch = fetchurl {
      # When updating versions or hashes, ALWAYS take them from the official
      # release. This mirror is used only because upstream removes source
      # files as soon as a new version is released.
      #
      # The URL follows the mirror's master branch, which can change at any
      # time; sha256 is the only thing that ties the download to the file
      # that was actually reviewed.
      url = "https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/master/${grbranch}/${name}.patch";
      sha256 = sha256;
    };

    features = { grsecurity = true; };
  };
in
rec {
# Patches kept next to this file. Each entry pairs a short name with the
# path of the patch; what a patch changes is defined in the patch file and
# is not visible from here.
bridge_stp_helper = {
  name = "bridge-stp-helper";
  patch = ./bridge-stp-helper.patch;
};

# Besides name and patch, this entry also sets features.noXsave.
no_xsave = {
  name = "no-xsave";
  patch = ./no-xsave.patch;
  features = { noXsave = true; };
};

mips_fpureg_emu = {
  name = "mips-fpureg-emulation";
  patch = ./mips-fpureg-emulation.patch;
};

mips_fpu_sigill = {
  name = "mips-fpu-sigill";
  patch = ./mips-fpu-sigill.patch;
};

mips_ext3_n32 = {
  name = "mips-ext3-n32";
  patch = ./mips-ext3-n32.patch;
};

# NOTE(review): the name points at an "argument list too long" failure during
# module installation; confirm the exact scope against the patch file.
modinst_arg_list_too_long = {
  name = "modinst-arglist-too-long";
  patch = ./modinst-arg-list-too-long.patch;
};
# Patches named after Ubuntu features, stored next to this file.
ubuntu_fan_4_4 = {
  name = "ubuntu-fan";
  patch = ./ubuntu-fan-4.4.patch;
};

# NOTE(review): judging by the name, this lets unprivileged users mount
# overlayfs, which exposes more kernel code to unprivileged callers. Confirm
# against the patch file and apply it only to kernels that need it.
ubuntu_unprivileged_overlayfs = {
  name = "ubuntu-unprivileged-overlayfs";
  patch = ./ubuntu-unprivileged-overlayfs.patch;
};
# TuxOnIce release 2013-11-07 for kernel 3.10.18. No url is given, so the
# default URL of makeTuxonicePatch applies; sha256 pins the download.
tuxonice_3_10 = makeTuxonicePatch {
  kernelVersion = "3.10.18";
  version = "2013-11-07";
  sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
};
# grsecurity patch for kernel 4.8.8. grbranch and grver are left at the
# defaults of grsecPatch ("test" and "3.1").
grsecurity_testing = grsecPatch {
  kver = "4.8.8";
  grrev = "201611150756";
  sha256 = "04sankbjlrji3hrhgwfvmgkrh5ypblb706i0hch4sn3vcc0dq87b";
};

# Loosens the grsecurity restriction on where usermode helpers such as
# modprobe may live, so that helpers inside the Nix store can be called.
# This is a deliberate relaxation of a hardening check; how narrowly the
# permitted locations are scoped is defined in the patch file, not here.
grsecurity_nixos_kmod = {
  name = "grsecurity-nixos-kmod";
  patch = ./grsecurity-nixos-kmod.patch;
};

# Temporary work-around for the "execvp: arglist too long" error during
# module_install. Without it, no modules end up in the resulting output.
grsecurity_modinst = {
  name = "grsecurity-modinst";
  patch = ./grsecurity-modinst.patch;
};
# Local fixes stored next to this file; the entry name and the patch file
# name differ for crc_regression.
crc_regression = {
  name = "crc-backport-regression";
  patch = ./crc-regression.patch;
};

genksyms_fix_segfault = {
  name = "genksyms-fix-segfault";
  patch = ./genksyms-fix-segfault.patch;
};
# Patches for ChromiumOS kernels, all stored under ./chromiumos-patches.
chromiumos_Kconfig_fix_entries_3_14 = {
  name = "Kconfig_fix_entries_3_14";
  patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.14.patch;
};

chromiumos_Kconfig_fix_entries_3_18 = {
  name = "Kconfig_fix_entries_3_18";
  patch = ./chromiumos-patches/fix-double-Kconfig-entry-3.18.patch;
};

# NOTE(review): judging by the file name, this removes link restrictions
# from the kernel it is applied to. Confirm which protection is dropped
# before reusing it outside the ChromiumOS kernels.
chromiumos_no_link_restrictions = {
  name = "chromium-no-link-restrictions";
  patch = ./chromiumos-patches/no-link-restrictions.patch;
};

chromiumos_mfd_fix_dependency = {
  name = "mfd_fix_dependency";
  patch = ./chromiumos-patches/mfd-fix-dependency.patch;
};
# Fix for CVE-2016-5829, fetched from the patch set of Debian's linux
# 4.6.3-1 package. Per the file name, it validates num_values in the hiddev
# HIDIOCGUSAGES handling. sha256 pins the patch content.
# NOTE(review): which kernels still need this backport is decided where the
# entry is used; confirm per kernel version.
hiddev_CVE_2016_5829 = {
  name = "hiddev_CVE_2016_5829";
  patch = fetchpatch {
    sha256 = "14rm1qr87p7a5prz8g5fwbpxzdp3ighj095x8rvhm8csm20wspyy";
    url = "https://sources.debian.net/data/main/l/linux/4.6.3-1/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch";
  };
};
# Defined in ./cpu-cgroup-v2-patches; the shape of the imported value is not
# visible from this file.
cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches;

# Change to drivers/lguest/x86/core.c, fetched as a patch from the torvalds
# tree on git.kernel.org. The id in the URL is an abbreviated commit id, so
# sha256 is what pins the exact content.
lguest_entry-linkage = {
  name = "lguest-asmlinkage.patch";
  patch = fetchpatch {
    sha256 = "04xlx6al10cw039av6jkby7gx64zayj8m1k9iza40sw0fydcfqhc";
    url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git"
      + "/patch/drivers/lguest/x86/core.c?id=cdd77e87eae52";
  };
};
}