nixpkgs/pkgs/applications/virtualization/xen/generic.nix
Martin Weinelt 39341ed38b
xen: mark unsupported versions as vulnerable
Our support for Xen lacks maintenance and since Xen has monthly security
advisories it is reasonable to assume our version is affected by a
multitude of security problems that are fixed upstream.

How many advisories? Browsing oss-security shows the following number of
advisories in each of the following years:

2022: 3
2021: 53
2020: 54
2019: 46 <-- we are *here*

https://xenbits.xen.org/docs/unstable/support-matrix.html
2022-01-25 13:55:59 +01:00

263 lines
8.0 KiB
Nix

config:
{ lib, stdenv, cmake, pkg-config, which
# Xen
, bison, bzip2, checkpolicy, dev86, figlet, flex, gettext, glib
, acpica-tools, libaio, libiconv, libuuid, ncurses, openssl, perl
, python2Packages
# python2Packages.python
, xz, yajl, zlib
# Xen Optional
, ocamlPackages
# Scripts
, coreutils, gawk, gnused, gnugrep, diffutils, multipath-tools
, iproute2, inetutils, iptables, bridge-utils, openvswitch, nbd, drbd
, lvm2, util-linux, procps, systemd
# Documentation
# python2Packages.markdown
, transfig, ghostscript, texinfo, pandoc
, binutils-unwrapped
, ...} @ args:
with lib;
let
#TODO: fix paths instead
scriptEnvPath = concatMapStringsSep ":" (x: "${x}/bin") [
which perl
coreutils gawk gnused gnugrep diffutils util-linux multipath-tools
iproute2 inetutils iptables bridge-utils openvswitch nbd drbd
];
withXenfiles = f: concatStringsSep "\n" (mapAttrsToList f config.xenfiles);
withTools = a: f: withXenfiles (name: x: optionalString (hasAttr a x) ''
echo "processing ${name}"
__do() {
cd "tools/${name}"
${f name x}
}
( __do )
'');
# We don't want to use the wrapped version, because this version of ld is
# only used for linking the Xen EFI binary, and the build process really
# needs control over the LDFLAGS used
efiBinutils = binutils-unwrapped.overrideAttrs (oldAttrs: {
name = "efi-binutils";
configureFlags = oldAttrs.configureFlags ++ [
"--enable-targets=x86_64-pep"
];
doInstallCheck = false; # We get a spurious failure otherwise, due to host/target mis-match
});
in
stdenv.mkDerivation (rec {
inherit (config) version;
name = "xen-${version}";
dontUseCmakeConfigure = true;
hardeningDisable = [ "stackprotector" "fortify" "pic" ];
nativeBuildInputs = [ pkg-config ];
buildInputs = [
cmake which
# Xen
bison bzip2 checkpolicy dev86 figlet flex gettext glib acpica-tools libaio
libiconv libuuid ncurses openssl perl python2Packages.python xz yajl zlib
# oxenstored
ocamlPackages.findlib ocamlPackages.ocaml systemd
# Python fixes
python2Packages.wrapPython
# Documentation
python2Packages.markdown transfig ghostscript texinfo pandoc
# Others
] ++ (concatMap (x: x.buildInputs or []) (attrValues config.xenfiles))
++ (config.buildInputs or []);
prePatch = ''
### Generic fixes
# Xen's stubdoms, tools and firmwares need various sources that
# are usually fetched at build time using wget and git. We can't
# have that, so we prefetch them in nix-expression and setup
# fake wget and git for debugging purposes.
mkdir fake-bin
# Fake git: just print what it wants and die
cat > fake-bin/wget << EOF
#!${stdenv.shell} -e
echo ===== FAKE WGET: Not fetching \$*
[ -e \$3 ]
EOF
# Fake git: just print what it wants and die
cat > fake-bin/git << EOF
#!${stdenv.shell}
echo ===== FAKE GIT: Not cloning \$*
[ -e \$3 ]
EOF
chmod +x fake-bin/*
export PATH=$PATH:$PWD/fake-bin
# Remove in-tree qemu stuff in case we build from a tar-ball
rm -rf tools/qemu-xen tools/qemu-xen-traditional
# Fix shebangs, mainly for build-scipts
# We want to do this before getting prefetched stuff to speed things up
# (prefetched stuff has lots of files)
find . -type f | xargs sed -i 's@/usr/bin/\(python\|perl\)@/usr/bin/env \1@g'
find . -type f -not -path "./tools/hotplug/Linux/xendomains.in" \
| xargs sed -i 's@/bin/bash@${stdenv.shell}@g'
# Get prefetched stuff
${withXenfiles (name: x: ''
echo "${x.src} -> tools/${name}"
cp -r ${x.src} tools/${name}
chmod -R +w tools/${name}
'')}
'';
patches = [
./0000-fix-ipxe-src.patch
./0000-fix-install-python.patch
./0004-makefile-use-efi-ld.patch
./0005-makefile-fix-efi-mountdir-use.patch
] ++ (config.patches or []);
postPatch = ''
### Hacks
# Work around a bug in our GCC wrapper: `gcc -MF foo -v' doesn't
# print the GCC version number properly.
substituteInPlace xen/Makefile \
--replace '$(CC) $(CFLAGS) -v' '$(CC) -v'
# Hack to get `gcc -m32' to work without having 32-bit Glibc headers.
mkdir -p tools/include/gnu
touch tools/include/gnu/stubs-32.h
### Fixing everything else
substituteInPlace tools/libfsimage/common/fsimage_plugin.c \
--replace /usr $out
substituteInPlace tools/blktap2/lvm/lvm-util.c \
--replace /usr/sbin/vgs ${lvm2}/bin/vgs \
--replace /usr/sbin/lvs ${lvm2}/bin/lvs
substituteInPlace tools/misc/xenpvnetboot \
--replace /usr/sbin/mount ${util-linux}/bin/mount \
--replace /usr/sbin/umount ${util-linux}/bin/umount
substituteInPlace tools/xenmon/xenmon.py \
--replace /usr/bin/pkill ${procps}/bin/pkill
substituteInPlace tools/xenstat/Makefile \
--replace /usr/include/curses.h ${ncurses.dev}/include/curses.h
${optionalString (builtins.compareVersions config.version "4.8" >= 0) ''
substituteInPlace tools/hotplug/Linux/launch-xenstore.in \
--replace /bin/mkdir mkdir
''}
${optionalString (builtins.compareVersions config.version "4.6" < 0) ''
# TODO: use this as a template and support our own if-up scripts instead?
substituteInPlace tools/hotplug/Linux/xen-backend.rules.in \
--replace "@XEN_SCRIPT_DIR@" $out/etc/xen/scripts
# blktap is not provided by xen, but by xapi
sed -i '/blktap/d' tools/hotplug/Linux/xen-backend.rules.in
''}
${withTools "patches" (name: x: ''
${concatMapStringsSep "\n" (p: ''
echo "# Patching with ${p}"
patch -p1 < ${p}
'') x.patches}
'')}
${withTools "postPatch" (name: x: x.postPatch)}
${config.postPatch or ""}
'';
postConfigure = ''
substituteInPlace tools/hotplug/Linux/xendomains \
--replace /bin/ls ls
'';
EFI_LD = "${efiBinutils}/bin/ld";
EFI_VENDOR = "nixos";
# TODO: Flask needs more testing before enabling it by default.
#makeFlags = [ "XSM_ENABLE=y" "FLASK_ENABLE=y" "PREFIX=$(out)" "CONFIG_DIR=/etc" "XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files" ];
makeFlags = [ "PREFIX=$(out) CONFIG_DIR=/etc" "XEN_SCRIPT_DIR=/etc/xen/scripts" ]
++ (config.makeFlags or []);
buildFlags = [ "xen" "tools" ];
postBuild = ''
make -C docs man-pages
${withTools "buildPhase" (name: x: x.buildPhase)}
'';
installPhase = ''
mkdir -p $out $out/share $out/share/man
cp -prvd dist/install/nix/store/*/* $out/
cp -prvd dist/install/boot $out/boot
cp -prvd dist/install/etc $out
cp -dR docs/man1 docs/man5 $out/share/man/
${withTools "installPhase" (name: x: x.installPhase)}
# Hack
substituteInPlace $out/etc/xen/scripts/hotplugpath.sh \
--replace SBINDIR=\"$out/sbin\" SBINDIR=\"$out/bin\"
wrapPythonPrograms
# We also need to wrap pygrub, which lies in lib
wrapPythonProgramsIn "$out/lib" "$out $pythonPath"
shopt -s extglob
for i in $out/etc/xen/scripts/!(*.sh); do
sed -i "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i
done
'';
enableParallelBuilding = true;
# TODO(@oxij): Stop referencing args here
meta = {
homepage = "http://www.xen.org/";
description = "Xen hypervisor and related components"
+ optionalString (args ? meta && args.meta ? description)
" (${args.meta.description})";
longDescription = (args.meta.longDescription or "")
+ "\nIncludes:\n"
+ withXenfiles (name: x: "* ${name}: ${x.meta.description or "(No description)"}.");
platforms = [ "x86_64-linux" ];
maintainers = with lib.maintainers; [ eelco tstrobel oxij ];
license = lib.licenses.gpl2;
# https://xenbits.xen.org/docs/unstable/support-matrix.html
knownVulnerabilities = lib.optionals (lib.versionOlder version "4.13") [
"This version of Xen has reached its end of life. See https://xenbits.xen.org/docs/unstable/support-matrix.html"
];
} // (config.meta or {});
} // removeAttrs config [ "xenfiles" "buildInputs" "patches" "postPatch" "meta" ])