Merge branch 'master' into staging

Over 11k rebuilds on master.
Vladimír Čunát 2017-02-15 08:41:35 +01:00
commit 35b2159671
No known key found for this signature in database
GPG key ID: E747DF1F9575A3AA
133 changed files with 1837 additions and 1143 deletions


@ -106,11 +106,9 @@ rec {
let
f = if builtins.isFunction fn then fn else import fn;
auto = builtins.intersectAttrs (builtins.functionArgs f) autoArgs;
finalArgs = auto // args;
pkgs = f finalArgs;
mkAttrOverridable = name: pkg: pkg // {
override = newArgs: mkAttrOverridable name (f (finalArgs // newArgs)).${name};
};
origArgs = auto // args;
pkgs = f origArgs;
mkAttrOverridable = name: pkg: makeOverridable (newArgs: (f newArgs).${name}) origArgs;
in lib.mapAttrs mkAttrOverridable pkgs;
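Review bot: The new `mkAttrOverridable` still takes `pkg` but never uses it, so the value `lib.mapAttrs` passes in is discarded and `pkgs = f origArgs` only supplies the attribute names. Either rename the parameter to `_pkg` to show this is deliberate, or add a comment such as `# pkg is ignored; makeOverridable re-evaluates f so .override re-runs the whole set`. The enclosing `let` begins outside the hunk.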


@ -344,6 +344,7 @@
nico202 = "Nicolò Balzarotti <anothersms@gmail.com>";
NikolaMandic = "Ratko Mladic <nikola@mandic.email>";
nixy = "Andrew R. M. <andrewmiller237@gmail.com>";
nocoolnametom = "Tom Doggett <nocoolnametom@gmail.com>";
notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
@ -490,7 +491,7 @@
travisbhartwell = "Travis B. Hartwell <nafai@travishartwell.net>";
trino = "Hubert Mühlhans <muehlhans.hubert@ekodia.de>";
tstrobel = "Thomas Strobel <4ZKTUB6TEP74PYJOPWIR013S2AV29YUBW5F9ZH2F4D5UMJUJ6S@hash.domains>";
ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
ttuegel = "Thomas Tuegel <ttuegel@mailbox.org>";
tv = "Tomislav Viljetić <tv@shackspace.de>";
tvestelind = "Tomas Vestelind <tomas.vestelind@fripost.org>";
tvorog = "Marsel Zaripov <marszaripov@gmail.com>";


@ -16,11 +16,20 @@ has the following highlights: </para>
manual</link> for more information.</para>
</listitem>
<listitem>
<para>The setuid wrapper functionality now supports setting
capabilities.</para>
</listitem>
<listitem>
<para>X.org server uses branch 1.19. Due to ABI incompatibilities,
<literal>ati_unfree</literal> keeps forcing 1.17
and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
</listitem>
<listitem>
<para>PHP now defaults to PHP 7.1</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>


@ -168,7 +168,7 @@ in
${cfg.extraInit}
# The setuid wrappers override other bin directories.
# The setuid/setcap wrappers override other bin directories.
export PATH="${config.security.wrapperDir}:$PATH"
# ~/bin if it exists overrides other bin directories.


@ -347,7 +347,6 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
# Skip special filesystems.
next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
next if $mountPoint eq "/var/setuid-wrappers";
# Skip the optional fields.
my $n = 6; $n++ while $fields[$n] ne "-"; $n++;


@ -259,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
# Ask the user to set a root password.
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then
echo "setting root password..."
chroot $mountPoint /var/setuid-wrappers/passwd
chroot $mountPoint /run/wrappers/bin/passwd
fi
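Review bot: Both new lines pass `$mountPoint` to `chroot` unquoted, so a mount point containing whitespace or glob characters is word-split in an installer that runs as root; write `chroot "$mountPoint" /run/wrappers/bin/passwd` and quote it the same way inside the `if` test. Note also that `/run/wrappers/bin/passwd` presumably exists only once the activation script has populated `/run/wrappers` in the target, and when the `-x` test fails the root-password step is skipped without a message. A one-line warning in that case would make it visible to the operator that no root password was set.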


@ -15,6 +15,7 @@ origArgs=("$@")
extraBuildFlags=()
action=
buildNix=1
fast=
rollback=
upgrade=
repair=
@ -52,13 +53,13 @@ while [ "$#" -gt 0 ]; do
repair=1
extraBuildFlags+=("$i")
;;
--show-trace|--no-build-hook|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q)
extraBuildFlags+=("$i")
;;
--max-jobs|-j|--cores|-I)
j="$1"; shift 1
extraBuildFlags+=("$i" "$j")
;;
--show-trace|--no-build-hook|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*)
extraBuildFlags+=("$i")
;;
--option)
j="$1"; shift 1
k="$1"; shift 1
@ -66,6 +67,7 @@ while [ "$#" -gt 0 ]; do
;;
--fast)
buildNix=
fast=1
extraBuildFlags+=(--show-trace)
;;
--profile-name|-p)
@ -217,7 +219,7 @@ if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then
fi
# Re-execute nixos-rebuild from the Nixpkgs tree.
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" -a -z "$fast" ]; then
if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
export _NIXOS_REBUILD_REEXEC=1
exec $p/bin/nixos-rebuild "${origArgs[@]}"
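Review bot: The extended re-exec condition chains three tests with `-a` inside a single `[ ]`, which POSIX marks obsolescent because the parse can become ambiguous for some operand values; prefer `if [ -z "$_NIXOS_REBUILD_REEXEC" ] && [ -n "$canRun" ] && [ -z "$fast" ]; then`. In the option-parsing hunk the new `-j*` pattern forwards any argument beginning with `-j` to the build unchanged, while the separate `-j` case directly above already consumes a following value. A short comment such as `# -jN attached form; bare -j is handled above` would make that split explicit. The `if` body runs past the end of the hunk.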


@ -103,15 +103,16 @@ in {
config = mkIf cfg.enable {
users.extraGroups = mkIf isMLocate { mlocate = {}; };
security.setuidOwners = mkIf isMLocate
[ { group = "mlocate";
owner = "root";
permissions = "u+rx,g+x,o+x";
setgid = true;
setuid = false;
program = "locate";
}
];
security.wrappers = mkIf isMLocate {
mlocate = {
group = "mlocate";
owner = "root";
permissions = "u+rx,g+x,o+x";
setgid = true;
setuid = false;
program = "locate";
};
};
nixpkgs.config = { locate.dbfile = cfg.output; };
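Review bot: The new `security.wrappers.mlocate` entry sets no `source`, but the `mkSetuidProgram` added in `security/wrappers/default.nix` by this same commit declares `source` as a required argument with no default, and an entry that carries `permissions` is handed to it without any defaults merged in. As written this looks like it will fail at evaluation whenever mlocate is enabled, since the old `type -tP` PATH lookup went away with `setuid-wrappers.nix`. Add an explicit source next to `program`, e.g. `source = "<locate package output>/bin/locate";` (placeholder: use the package expression this module already selects for mlocate).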


@ -113,7 +113,7 @@
./security/prey.nix
./security/rngd.nix
./security/rtkit.nix
./security/setuid-wrappers.nix
./security/wrappers/default.nix
./security/sudo.nix
./services/amqp/activemq/default.nix
./services/amqp/rabbitmq.nix


@ -11,6 +11,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kbdlight ];
security.setuidPrograms = [ "kbdlight" ];
security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";
};
}


@ -21,6 +21,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.light ];
security.setuidPrograms = [ "light" ];
security.wrappers.light.source = "${pkgs.light.out}/bin/light";
};
}


@ -101,11 +101,15 @@ in
chpasswd = { rootOK = true; };
};
security.setuidPrograms = [ "su" "chfn" ]
++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
++ lib.optionals config.users.mutableUsers
[ "passwd" "sg" "newgrp" ];
security.wrappers = {
su.source = "${pkgs.shadow.su}/bin/su";
chfn.source = "${pkgs.shadow.out}/bin/chfn";
newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
} // (if config.users.mutableUsers then {
passwd.source = "${pkgs.shadow.out}/bin/passwd";
sg.source = "${pkgs.shadow.out}/bin/sg";
newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
} else {});
};
}
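Review bot: The `// (if config.users.mutableUsers then { … } else {})` tail is the long-hand form of `lib.optionalAttrs`. Writing `} // lib.optionalAttrs config.users.mutableUsers {` followed by the same three entries reads more directly and mirrors the `lib.optionals` call it replaces. The PAM module section later in this commit uses the same `if … then { … } else {}` shape for the two ecryptfs wrappers and could take the same change.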


@ -10,7 +10,6 @@ with lib;
(mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ])
(mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
(mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ])
(mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
@ -33,6 +32,9 @@ with lib;
(mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ])
(mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
(mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
# Old Grub-related options.
(mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
(mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])


@ -19,7 +19,7 @@ with lib;
config = mkIf (cfg.confineSUIDApplications) {
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
#include <tunables/global>
/var/setuid-wrappers/ping {
/run/wrappers/bin/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
@ -33,7 +33,6 @@ with lib;
${pkgs.attr.out}/lib/libattr.so* mr,
${pkgs.iputils}/bin/ping mixr,
/var/setuid-wrappers/ping.real r,
#/etc/modules.conf r,
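Review bot: The second hunk drops the `/var/setuid-wrappers/ping.real r,` rule without adding one for the new location, yet the wrapper source added in this commit still opens `<self>.real` read-only before `execve`. If the profile attaches to the wrapper, that open would be denied and the wrapper's `assert (fdSelf != -1)` would abort ping; add `/run/wrappers/bin/ping.real r,` in its place. It is also worth confirming that the profile name matches the path AppArmor actually sees, because the activation script makes `/run/wrappers/bin` a symlink to a `wrappers.XXXXXXXXXX` directory. The profile body continues outside both hunks.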


@ -27,6 +27,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
};
}


@ -187,7 +187,8 @@ in
];
environment.systemPackages = [ pkgs.duo-unix ];
security.setuidPrograms = [ "login_duo" ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
environment.etc = loginCfgFile ++ pamCfgFile;
/* If PAM *and* SSH are enabled, then don't do anything special.


@ -472,19 +472,20 @@ in
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
security.setuidPrograms =
optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
security.wrappers = {
unix_chkpwd = {
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
};
} // (if config.security.pam.enableEcryptfs then {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
} else {});
environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
security.setuidOwners = [ {
program = "unix_chkpwd";
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
} ];
security.pam.services =
{ other.text =
''


@ -32,10 +32,12 @@ in
config = mkIf (cfg.enable || anyUsbAuth) {
# pmount need to have a set-uid bit to make pam_usb works in user
# environment. (like su, sudo)
# Make sure pmount and pumount are setuid wrapped.
security.wrappers = {
pmount.source = "${pkgs.pmount.out}/bin/pmount";
pumount.source = "${pkgs.pmount.out}/bin/pumount";
};
security.setuidPrograms = [ "pmount" "pumount" ];
environment.systemPackages = [ pkgs.pmount ];
};


@ -83,16 +83,10 @@ in
security.pam.services.polkit-1 = {};
security.setuidPrograms = [ "pkexec" ];
security.setuidOwners = [
{ program = "polkit-agent-helper-1";
owner = "root";
group = "root";
setuid = true;
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
}
];
security.wrappers = {
pkexec.source = "${pkgs.polkit.out}/bin/pkexec";
"polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
};
system.activationScripts.polkit =
''


@ -1,81 +0,0 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
#include <assert.h>
#include <string.h>
#include <errno.h>
/* Make sure assertions are not compiled out. */
#undef NDEBUG
extern char **environ;
static char * wrapperDir = WRAPPER_DIR;
int main(int argc, char * * argv)
{
char self[PATH_MAX];
int len = readlink("/proc/self/exe", self, sizeof(self) - 1);
assert (len > 0);
self[len] = 0;
/* Make sure that we are being executed from the right location,
i.e., `wrapperDir'. This is to prevent someone from
creating hard link `X' from some other location, along with a
false `X.real' file, to allow arbitrary programs from being
executed setuid. */
assert ((strncmp(self, wrapperDir, strlen(wrapperDir)) == 0) &&
(self[strlen(wrapperDir)] == '/'));
/* Make *really* *really* sure that we were executed as `self',
and not, say, as some other setuid program. That is, our
effective uid/gid should match the uid/gid of `self'. */
//printf("%d %d\n", geteuid(), getegid());
struct stat st;
assert (lstat(self, &st) != -1);
//printf("%d %d\n", st.st_uid, st.st_gid);
assert ((st.st_mode & S_ISUID) == 0 ||
(st.st_uid == geteuid()));
assert ((st.st_mode & S_ISGID) == 0 ||
st.st_gid == getegid());
/* And, of course, we shouldn't be writable. */
assert (!(st.st_mode & (S_IWGRP | S_IWOTH)));
/* Read the path of the real (wrapped) program from <self>.real. */
char realFN[PATH_MAX + 10];
int realFNSize = snprintf (realFN, sizeof(realFN), "%s.real", self);
assert (realFNSize < sizeof(realFN));
int fdSelf = open(realFN, O_RDONLY);
assert (fdSelf != -1);
char real[PATH_MAX];
len = read(fdSelf, real, PATH_MAX);
assert (len != -1);
assert (len < sizeof (real));
assert (len > 0);
real[len] = 0;
close(fdSelf);
//printf("real = %s, len = %d\n", real, len);
execve(real, argv, environ);
fprintf(stderr, "%s: cannot run `%s': %s\n",
argv[0], real, strerror(errno));
exit(1);
}


@ -1,146 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (config.security) wrapperDir;
setuidWrapper = pkgs.stdenv.mkDerivation {
name = "setuid-wrapper";
unpackPhase = "true";
installPhase = ''
mkdir -p $out/bin
cp ${./setuid-wrapper.c} setuid-wrapper.c
gcc -Wall -O2 -DWRAPPER_DIR=\"/run/setuid-wrapper-dirs\" \
setuid-wrapper.c -o $out/bin/setuid-wrapper
'';
};
in
{
###### interface
options = {
security.setuidPrograms = mkOption {
type = types.listOf types.str;
default = [];
example = ["passwd"];
description = ''
The Nix store cannot contain setuid/setgid programs directly.
For this reason, NixOS can automatically generate wrapper
programs that have the necessary privileges. This option
lists the names of programs in the system environment for
which setuid root wrappers should be created.
'';
};
security.setuidOwners = mkOption {
type = types.listOf types.attrs;
default = [];
example =
[ { program = "sendmail";
owner = "nobody";
group = "postdrop";
setuid = false;
setgid = true;
permissions = "u+rx,g+x,o+x";
}
];
description = ''
This option allows the ownership and permissions on the setuid
wrappers for specific programs to be overridden from the
default (setuid root, but not setgid root).
'';
};
security.wrapperDir = mkOption {
internal = true;
type = types.path;
default = "/var/setuid-wrappers";
description = ''
This option defines the path to the setuid wrappers. It
should generally not be overriden. Some packages in Nixpkgs
expect that <option>wrapperDir</option> is
<filename>/var/setuid-wrappers</filename>.
'';
};
};
###### implementation
config = {
security.setuidPrograms = [ "fusermount" ];
system.activationScripts.setuid =
let
setuidPrograms =
(map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
config.security.setuidPrograms)
++ config.security.setuidOwners;
makeSetuidWrapper =
{ program
, source ? ""
, owner ? "nobody"
, group ? "nogroup"
, setuid ? false
, setgid ? false
, permissions ? "u+rx,g+x,o+x"
}:
''
if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then
# If we can't find the program, fall back to the
# system profile.
source=/nix/var/nix/profiles/default/bin/${program}
fi
cp ${setuidWrapper}/bin/setuid-wrapper $wrapperDir/${program}
echo -n "$source" > $wrapperDir/${program}.real
chmod 0000 $wrapperDir/${program} # to prevent races
chown ${owner}.${group} $wrapperDir/${program}
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
'';
in stringAfter [ "users" ]
''
# Look in the system path and in the default profile for
# programs to be wrapped.
SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin
mkdir -p /run/setuid-wrapper-dirs
wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir
${concatMapStrings makeSetuidWrapper setuidPrograms}
if [ -L ${wrapperDir} ]; then
# Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink ${wrapperDir})
ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
rm --force --recursive $old
elif [ -d ${wrapperDir} ]; then
# Compatibility with old state, just remove the folder and symlink
rm -f ${wrapperDir}/*
# if it happens to be a tmpfs
${pkgs.utillinux}/bin/umount ${wrapperDir} || true
rm -d ${wrapperDir}
ln -d --symbolic $wrapperDir ${wrapperDir}
else
# For initial setup
ln --symbolic $wrapperDir ${wrapperDir}
fi
'';
};
}


@ -81,7 +81,10 @@ in
${cfg.extraConfig}
'';
security.setuidPrograms = [ "sudo" "sudoedit" ];
security.wrappers = {
sudo.source = "${pkgs.sudo.out}/bin/sudo";
sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit";
};
environment.systemPackages = [ sudo ];


@ -0,0 +1,218 @@
{ config, lib, pkgs, ... }:
let
inherit (config.security) wrapperDir wrappers;
programs =
(lib.mapAttrsToList
(n: v: (if v ? "program" then v else v // {program=n;}))
wrappers);
securityWrapper = pkgs.stdenv.mkDerivation {
name = "security-wrapper";
phases = [ "installPhase" "fixupPhase" ];
buildInputs = [ pkgs.libcap pkgs.libcap_ng pkgs.linuxHeaders ];
hardeningEnable = [ "pie" ];
installPhase = ''
mkdir -p $out/bin
parentWrapperDir=$(dirname ${wrapperDir})
gcc -Wall -O2 -DWRAPPER_DIR=\"$parentWrapperDir\" \
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper
'';
};
###### Activation script for the setcap wrappers
mkSetcapProgram =
{ program
, capabilities
, source
, owner ? "nobody"
, group ? "nogroup"
, ...
}:
assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
''
cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
echo -n "${source}" > $wrapperDir/${program}.real
# Prevent races
chmod 0000 $wrapperDir/${program}
chown ${owner}.${group} $wrapperDir/${program}
# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
# Set the executable bit
chmod u+rx,g+x,o+x $wrapperDir/${program}
'';
###### Activation script for the setuid wrappers
mkSetuidProgram =
{ program
, source
, owner ? "nobody"
, group ? "nogroup"
, setuid ? false
, setgid ? false
, permissions ? "u+rx,g+x,o+x"
, ...
}:
''
cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
echo -n "${source}" > $wrapperDir/${program}.real
# Prevent races
chmod 0000 $wrapperDir/${program}
chown ${owner}.${group} $wrapperDir/${program}
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
'';
mkWrappedPrograms =
builtins.map
(s: if (s ? "capabilities")
then mkSetcapProgram
({ owner = "root";
group = "root";
} // s)
else if
(s ? "setuid" && s.setuid == true) ||
(s ? "setguid" && s.setguid == true) ||
(s ? "permissions")
then mkSetuidProgram s
else mkSetuidProgram
({ owner = "root";
group = "root";
setuid = true;
setgid = false;
permissions = "u+rx,g+x,o+x";
} // s)
) programs;
in
{
###### interface
options = {
security.wrappers = lib.mkOption {
type = lib.types.attrs;
default = {};
example = {
sendmail.source = "/nix/store/.../bin/sendmail";
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
};
};
description = ''
This option allows the ownership and permissions on the setuid
wrappers for specific programs to be overridden from the
default (setuid root, but not setgid root).
<note>
<para>Additionally, this option can set capabilities on a
wrapper program that propagates those capabilities down to the
wrapped, real program.</para>
<para>The <literal>program</literal> attribute is the name of
the program to be wrapped. If no <literal>source</literal>
attribute is provided, specifying the absolute path to the
program, then the program will be searched for in the path
environment variable.</para>
<para>NOTE: cap_setpcap, which is required for the wrapper
program to be able to raise caps into the Ambient set is NOT
raised to the Ambient set so that the real program cannot
modify its own capabilities!! This may be too restrictive for
cases in which the real program needs cap_setpcap but it at
least leans on the side security paranoid vs. too
relaxed.</para>
</note>
'';
};
security.wrapperDir = lib.mkOption {
type = lib.types.path;
default = "/run/wrappers/bin";
internal = true;
description = ''
This option defines the path to the wrapper programs. It
should not be overriden.
'';
};
};
###### implementation
config = {
security.wrappers.fusermount.source = "${pkgs.fuse}/bin/fusermount";
# Make sure our wrapperDir exports to the PATH env variable when
# initializing the shell
environment.extraInit = ''
# Wrappers override other bin directories.
export PATH="${wrapperDir}:$PATH"
'';
###### setcap activation script
system.activationScripts.wrappers =
lib.stringAfter [ "users" ]
''
# Look in the system path and in the default profile for
# programs to be wrapped.
WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
# Remove the old /var/setuid-wrappers path from the system...
#
# TODO: this is only necessary for ugprades 16.09 => 17.x;
# this conditional removal block needs to be removed after
# the release.
if [ -d /var/setuid-wrappers ]; then
rm -rf /var/setuid-wrappers
fi
# Remove the old /run/setuid-wrappers-dir path from the
# system as well...
#
# TDOO: this is only necessary for ugprades 16.09 => 17.x;
# this conditional removal block needs to be removed after
# the release.
if [ -d /run/setuid-wrapper-dirs ]; then
rm -rf /run/setuid-wrapper-dirs
fi
# Get the "/run/wrappers" path, we want to place the tmpdirs
# for the wrappers there
parentWrapperDir="$(dirname ${wrapperDir})"
mkdir -p "$parentWrapperDir"
wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir
${lib.concatStringsSep "\n" mkWrappedPrograms}
if [ -L ${wrapperDir} ]; then
# Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink -f ${wrapperDir})
ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
rm --force --recursive $old
elif [ -d ${wrapperDir} ]; then
# Compatibility with old state, just remove the folder and symlink
rm -f ${wrapperDir}/*
# if it happens to be a tmpfs
${pkgs.utillinux}/bin/umount ${wrapperDir} || true
rm -d ${wrapperDir}
ln -d --symbolic $wrapperDir ${wrapperDir}
else
# For initial setup
ln --symbolic $wrapperDir ${wrapperDir}
fi
'';
};
}
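Review bot: In `mkWrappedPrograms` the second test reads `s ? "setguid" && s.setguid == true`, but the attribute that `mkSetuidProgram` and the callers in this commit use is `setgid`, so this condition can never be true. A wrapper declared with only `setgid = true` (no `setuid`, no `permissions`) therefore falls through to the last branch and is merged over defaults that include `setuid = true` and `owner = "root"`, yielding a setuid-root and setgid binary instead of a setgid-only one. Change the line to `(s ? "setgid" && s.setgid == true) ||`. Separately, the option description still says a missing `source` is searched for in the path, which neither `mkSetuidProgram` nor `mkSetcapProgram` does (`WRAPPER_PATH` is assigned but never read), so the text should state that `source` is required.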


@ -0,0 +1,239 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
#include <assert.h>
#include <errno.h>
#include <linux/capability.h>
#include <sys/capability.h>
#include <linux/prctl.h>
#include <sys/prctl.h>
#include <cap-ng.h>
// Make sure assertions are not compiled out, we use them to codify
// invariants about this program and we want it to fail fast and
// loudly if they are violated.
#undef NDEBUG
extern char **environ;
// The WRAPPER_DIR macro is supplied at compile time so that it cannot
// be changed at runtime
static char * wrapperDir = WRAPPER_DIR;
// Wrapper debug variable name
static char * wrapperDebug = "WRAPPER_DEBUG";
// Update the capabilities of the running process to include the given
// capability in the Ambient set.
static void set_ambient_cap(cap_value_t cap)
{
capng_get_caps_process();
if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap))
{
perror("cannot raise the capability into the Inheritable set\n");
exit(1);
}
capng_apply(CAPNG_SELECT_CAPS);
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0))
{
perror("cannot raise the capability into the Ambient set\n");
exit(1);
}
}
// Given the path to this program, fetch its configured capability set
// (as set by `setcap ... /path/to/file`) and raise those capabilities
// into the Ambient set.
static int make_caps_ambient(const char *selfPath)
{
cap_t caps = cap_get_file(selfPath);
if(!caps)
{
if(getenv(wrapperDebug))
fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...");
return 1;
}
// We use `cap_to_text` and iteration over the tokenized result
// string because, as of libcap's current release, there is no
// facility for retrieving an array of `cap_value_t`'s that can be
// given to `prctl` in order to lift that capability into the
// Ambient set.
//
// Some discussion was had around shot-gunning all of the
// capabilities we know about into the Ambient set but that has a
// security smell and I deemed the risk of the current
// implementation crashing the program to be lower than the risk
// of a privilege escalation security hole being introduced by
// raising all capabilities, even ones we didn't intend for the
// program, into the Ambient set.
//
// `cap_t` which is returned by `cap_get_*` is an opaque type and
// even if we could retrieve the bitmasks (which, as far as I can
// tell we cannot) in order to get the `cap_value_t`
// representation for each capability we would have to take the
// total number of capabilities supported and iterate over the
// sequence of integers up-to that maximum total, testing each one
// against the bitmask ((bitmask >> n) & 1) to see if it's set and
// aggregating each "capability integer n" that is set in the
// bitmask.
//
// That, combined with the fact that we can't easily get the
// bitmask anyway seemed much more brittle than fetching the
// `cap_t`, transforming it into a textual representation,
// tokenizing the string, and using `cap_from_name` on the token
// to get the `cap_value_t` that we need for `prctl`. There is
// indeed risk involved if the output string format of
// `cap_to_text` ever changes but at this time the combination of
// factors involving the below list have led me to the conclusion
// that the best implementation at this time is reading then
// parsing with *lots of documentation* about why we're doing it
// this way.
//
// 1. No explicit API for fetching an array of `cap_value_t`'s or
// for transforming a `cap_t` into such a representation
// 2. The risk of a crash is lower than lifting all capabilities
// into the Ambient set
// 3. libcap is depended on heavily in the Linux ecosystem so
// there is a high chance that the output representation of
// `cap_to_text` will not change which reduces our risk that
// this parsing step will cause a crash
//
// The preferred method, should it ever be available in the
// future, would be to use libcap API's to transform the result
// from a `cap_get_*` into an array of `cap_value_t`'s that can
// then be given to prctl.
//
// - Parnell
ssize_t capLen;
char* capstr = cap_to_text(caps, &capLen);
cap_free(caps);
// TODO: For now, we assume that cap_to_text always starts its
// result string with " =" and that the first capability is listed
// immediately after that. We should verify this.
assert(capLen >= 2);
capstr += 2;
char* saveptr = NULL;
for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr))
{
cap_value_t capnum;
if (cap_from_name(tok, &capnum))
{
if(getenv(wrapperDebug))
fprintf(stderr, "cap_from_name failed, skipping: %s", tok);
}
else if (capnum == CAP_SETPCAP)
{
// Check for the cap_setpcap capability, we set this on the
// wrapper so it can elevate the capabilities to the Ambient
// set but we do not want to propagate it down into the
// wrapped program.
//
// TODO: what happens if that's the behavior you want
// though???? I'm preferring a strict vs. loose policy here.
if(getenv(wrapperDebug))
fprintf(stderr, "cap_setpcap in set, skipping it\n");
}
else
{
set_ambient_cap(capnum);
if(getenv(wrapperDebug))
fprintf(stderr, "raised %s into the Ambient capability set\n", tok);
}
}
cap_free(capstr);
return 0;
}
int main(int argc, char * * argv)
{
// I *think* it's safe to assume that a path from a symbolic link
// should safely fit within the PATH_MAX system limit. Though I'm
// not positive it's safe...
char selfPath[PATH_MAX];
int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath));
assert(selfPathSize > 0);
// Assert we have room for the zero byte, this ensures the path
// isn't being truncated because it's too big for the buffer.
//
// A better way to handle this might be to use something like the
// whereami library (https://github.com/gpakosz/whereami) or a
// loop that resizes the buffer and re-reads the link if the
// contents are being truncated.
assert(selfPathSize < sizeof(selfPath));
// Set the zero byte since readlink doesn't do that for us.
selfPath[selfPathSize] = '\0';
// Make sure that we are being executed from the right location,
// i.e., `safeWrapperDir'. This is to prevent someone from creating
// hard link `X' from some other location, along with a false
// `X.real' file, to allow arbitrary programs from being executed
// with elevated capabilities.
int len = strlen(wrapperDir);
if (len > 0 && '/' == wrapperDir[len - 1])
--len;
assert(!strncmp(selfPath, wrapperDir, len));
assert('/' == wrapperDir[0]);
assert('/' == selfPath[len]);
// Make *really* *really* sure that we were executed as
// `selfPath', and not, say, as some other setuid program. That
// is, our effective uid/gid should match the uid/gid of
// `selfPath'.
struct stat st;
assert(lstat(selfPath, &st) != -1);
assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid()));
assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid()));
// And, of course, we shouldn't be writable.
assert(!(st.st_mode & (S_IWGRP | S_IWOTH)));
// Read the path of the real (wrapped) program from <self>.real.
char realFN[PATH_MAX + 10];
int realFNSize = snprintf (realFN, sizeof(realFN), "%s.real", selfPath);
assert (realFNSize < sizeof(realFN));
int fdSelf = open(realFN, O_RDONLY);
assert (fdSelf != -1);
char sourceProg[PATH_MAX];
len = read(fdSelf, sourceProg, PATH_MAX);
assert (len != -1);
assert (len < sizeof(sourceProg));
assert (len > 0);
sourceProg[len] = 0;
close(fdSelf);
// Read the capabilities set on the wrapper and raise them in to
// the Ambient set so the program we're wrapping receives the
// capabilities too!
make_caps_ambient(selfPath);
execve(sourceProg, argv, environ);
fprintf(stderr, "%s: cannot run `%s': %s\n",
argv[0], sourceProg, strerror(errno));
exit(1);
}
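Review bot: In `make_caps_ambient`, `capstr` is advanced with `capstr += 2` and that moved pointer is later passed to `cap_free(capstr)`, but `cap_free` must be given the pointer that `cap_to_text` returned. Keep the original, e.g. `char *capText = cap_to_text(caps, &capLen);` then `char *capstr = capText + 2;` and `cap_free(capText);`, and check `capText` for NULL before `assert(capLen >= 2)`. The tokenizer also assumes every comma-separated token is a bare capability name; if the text form carries a flag suffix such as `+ep` on the last token, `cap_from_name` would reject it and that capability would be skipped with no output unless `WRAPPER_DEBUG` is set, so this should be verified against real `cap_to_text` output. Because this runs in a privileged wrapper, the return values of `capng_get_caps_process` and `capng_apply` in `set_ambient_cap` should be checked as well.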


@ -29,8 +29,8 @@ let
};
cronJob = ''
@reboot logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
@reboot logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
'';
writeIgnoreRule = name: {level, regex, ...}:


@ -13,7 +13,7 @@ let
''
base_dir = ${baseDir}
protocols = ${concatStringsSep " " cfg.protocols}
sendmail_path = /var/setuid-wrappers/sendmail
sendmail_path = /run/wrappers/bin/sendmail
''
(if isNull cfg.sslServerCert then ''


@ -70,7 +70,7 @@ in
etc."exim.conf".text = ''
exim_user = ${cfg.user}
exim_group = ${cfg.group}
exim_path = /var/setuid-wrappers/exim
exim_path = /run/wrappers/bin/exim
spool_directory = ${cfg.spoolDir}
${cfg.config}
'';
@ -89,7 +89,7 @@ in
gid = config.ids.gids.exim;
};
security.setuidPrograms = [ "exim" ];
security.wrappers.exim.source = "${exim}/bin/exim";
systemd.services.exim = {
description = "Exim Mail Daemon";


@ -26,7 +26,7 @@ with lib;
config = mkIf (config.services.mail.sendmailSetuidWrapper != null) {
security.setuidOwners = [ config.services.mail.sendmailSetuidWrapper ];
security.wrappers.sendmail = config.services.mail.sendmailSetuidWrapper;
};


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ options, config, lib, pkgs, ... }:
with lib;
@ -232,9 +232,10 @@ in {
};
config = mkIf cfg.enable {
warnings = [
"Grafana passwords will be stored as plaintext in the Nix store!"
];
warnings = optional (
cfg.database.password != options.services.grafana.database.password.default ||
cfg.security.adminPassword != options.services.grafana.security.adminPassword.default
) "Grafana passwords will be stored as plaintext in the Nix store!";
environment.systemPackages = [ cfg.package ];
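Review bot: The rewritten `warnings` expression only fires when one of the two passwords differs from its option default, so an instance left on the default `security.adminPassword` now evaluates with no warning at all. The default value is not visible in this hunk, but if it is a fixed, well-known string then that is the more exposed configuration. Consider a second entry, `optional (cfg.security.adminPassword == options.services.grafana.security.adminPassword.default) "<message asking the operator to change the default admin password>"`, alongside the plaintext-in-store warning. The `config` block continues outside the hunk.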


@ -34,7 +34,7 @@ let
cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
wrapProgram $file \
--set PATH "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
--set PATH "/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" \
--set MUNIN_LIBDIR "${pkgs.munin}/lib" \
--set MUNIN_PLUGSTATE "/var/run/munin"
@ -183,7 +183,7 @@ in
mkdir -p /etc/munin/plugins
rm -rf /etc/munin/plugins/*
PATH="/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
PATH="/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
'';
serviceConfig = {
ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";


@ -124,7 +124,7 @@ in
};
mailer = mkOption {
default = "/var/setuid-wrappers/sendmail";
default = "/run/wrappers/bin/sendmail";
type = types.path;
description = ''
Sendmail-compatible binary to be used to send the messages.


@ -30,7 +30,7 @@ let
''
[ global ]
security = ${cfg.securityType}
passwd program = /var/setuid-wrappers/passwd %u
passwd program = /run/wrappers/bin/passwd %u
pam password change = ${smbToString cfg.syncPasswordsByPam}
invalid users = ${smbToString cfg.invalidUsers}


@ -141,7 +141,7 @@ in
setgid = false;
};
security.setuidOwners = [ cfg.setuidWrapper ];
security.wrappers.gksign = cfg.setuidWrapper;
systemd.services.gale-galed = {
description = "Gale messaging daemon";


@ -18,7 +18,7 @@ let
var_prefix = "${stateDir}"
prayer_user = "${prayerUser}"
prayer_group = "${prayerGroup}"
sendmail_path = "/var/setuid-wrappers/sendmail"
sendmail_path = "/run/wrappers/bin/sendmail"
use_http_port ${cfg.port}


@ -226,7 +226,7 @@ in
sendmail = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/setuid-wrappers/sendmail";
example = "/run/wrappers/bin/sendmail";
description = "Use this sendmail compatible script to deliver alerts";
};
smokeMailTemplate = mkOption {
@ -273,7 +273,10 @@ in
message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
}
];
security.setuidPrograms = [ "fping" "fping6" ];
security.wrappers = {
fping.source = "${pkgs.fping}/bin/fping";
"fping6".source = "${pkgs.fping}/bin/fping6";
};
environment.systemPackages = [ pkgs.fping ];
users.extraUsers = singleton {
name = cfg.user;
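Review bot: `fping` and `fping6` get source-only wrappers in the second hunk, while the networking module in this same commit wraps `ping` with `capabilities = "cap_net_raw+p"` on kernels 4.3 and later. fping presumably needs no more than the same raw-socket privilege, so it is a candidate for the same treatment behind the same kernel-version check, e.g. `fping = { source = "${pkgs.fping}/bin/fping"; capabilities = "cap_net_raw+p"; };`, instead of whatever the source-only default grants (not shown in this section). The quotes around `"fping6"` are unnecessary. The enclosing `config` block continues past the hunk.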


@ -42,13 +42,13 @@ in
config = mkIf cfg.enable {
security.setuidOwners = map (program: {
inherit program;
security.wrappers = map (program: {"${program}" = {
source = "${pkgs.atd}/bin/${program}";
owner = "atd";
group = "atd";
setuid = true;
setgid = true;
}) [ "at" "atq" "atrm" "batch" ];
};}) [ "at" "atq" "atrm" "batch" ];
environment.systemPackages = [ at ];
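Review bot: The new `security.wrappers = map (program: {"${program}" = { … };}) [ "at" "atq" "atrm" "batch" ];` evaluates to a list of four one-attribute sets, whereas every other assignment to `security.wrappers` in this commit is an attribute set keyed by program name. Unless the option type accepts a list (its declaration is not shown here), this fails or is ignored at evaluation and `at`, `atq`, `atrm` and `batch` end up without their setuid/setgid wrappers. The VirtualBox module in this commit shows the working shape; here the opening line would become `security.wrappers = builtins.listToAttrs (map (program: { name = program; value = {` and the closing line `}; }) [ "at" "atq" "atrm" "batch" ]);`.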


@ -20,7 +20,7 @@ let
cronNixosPkg = pkgs.cron.override {
# The mail.nix nixos module, if there is any local mail system enabled,
# should have sendmail in this path.
sendmailPath = "/var/setuid-wrappers/sendmail";
sendmailPath = "/run/wrappers/bin/sendmail";
};
allFiles =
@ -61,7 +61,7 @@ in
A list of Cron jobs to be appended to the system-wide
crontab. See the manual page for crontab for the expected
format. If you want to get the results mailed you must setuid
sendmail. See <option>security.setuidOwners</option>
sendmail. See <option>security.wrappers</option>
If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
will is allowed to have its own crontab file. The /var/cron/cron.deny file
@ -92,13 +92,9 @@ in
config = mkMerge [
{ services.cron.enable = mkDefault (allFiles != []); }
(mkIf (config.services.cron.enable) {
security.setuidPrograms = [ "crontab" ];
security.wrappers.crontab.source = "${pkgs.cronNixosPkg.out}/bin/crontab";
environment.systemPackages = [ cronNixosPkg ];
environment.etc.crontab =
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }
''
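Review bot: The wrapper source in the last hunk, `"${pkgs.cronNixosPkg.out}/bin/crontab"`, looks `cronNixosPkg` up in `pkgs`, but that name is bound by the `let` at the top of this file (`cronNixosPkg = pkgs.cron.override { … }`) and the very next line uses it unqualified in `environment.systemPackages`. Unless the package set happens to carry an attribute of that name, evaluation fails as soon as cron is enabled and no `crontab` wrapper is created. `security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab";` refers to the package that carries the `sendmailPath` override.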


@ -96,7 +96,7 @@ in
fcronallow = /etc/fcron.allow
fcrondeny = /etc/fcron.deny
shell = /bin/sh
sendmail = /var/setuid-wrappers/sendmail
sendmail = /run/wrappers/bin/sendmail
editor = /run/current-system/sw/bin/vi
'';
target = "fcron.conf";
@ -106,8 +106,7 @@ in
environment.systemPackages = [ pkgs.fcron ];
security.setuidPrograms = [ "fcrontab" ];
security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab";
systemd.services.fcron = {
description = "fcron daemon";
after = [ "local-fs.target" ];


@ -104,15 +104,14 @@ in
systemd.packages = [ pkgs.dbus.daemon ];
security.setuidOwners = singleton
{ program = "dbus-daemon-launch-helper";
source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper";
owner = "root";
group = "messagebus";
setuid = true;
setgid = false;
permissions = "u+rx,g+rx,o-rx";
};
security.wrappers.dbus-daemon-launch-helper = {
source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper";
owner = "root";
group = "messagebus";
setuid = true;
setgid = false;
permissions = "u+rx,g+rx,o-rx";
};
services.dbus.packages = [
pkgs.dbus.out


@ -62,7 +62,7 @@ in
'';
}];
security.setuidPrograms = [ "e_freqset" ];
security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";
environment.etc = singleton
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb";


@ -61,24 +61,13 @@ in
''}
exec "${kde5.startkde}"
'';
};
security.setuidOwners = [
{
program = "kcheckpass";
source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";
owner = "root";
setuid = true;
}
{
program = "start_kdeinit";
source = "${kde5.kinit.out}/lib/libexec/kf5/start_kdeinit";
owner = "root";
setuid = true;
}
];
security.wrappers = {
kcheckpass.source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";
"start_kdeinit".source = "${kde5.kinit.out}/lib/libexec/kf5/start_kdeinit";
};
environment.systemPackages =
[
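Review bot: The removed entries spelled out `owner = "root"; setuid = true;` for `kcheckpass` and `start_kdeinit`; the replacement gives only `source`, so the privilege these binaries run with now depends on what `security.wrappers` fills in by default, which is not visible in this section. For a password checker that should be readable in place: either write the attributes out in the shape the dbus module uses in this commit (`source`, `owner`, `group`, `setuid`, `setgid`, `permissions`), or, once the default is confirmed, add a comment such as `# source-only wrappers: ownership and setuid bit come from the security.wrappers defaults`. The quotes around `"start_kdeinit"` are unnecessary.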


@ -1,4 +1,4 @@
{ config, lib, pkgs, utils, ... }:
{ config, lib, pkgs, utils, stdenv, ... }:
with lib;
with utils;
@ -933,7 +933,22 @@ in
(i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))
));
security.setuidPrograms = [ "ping" "ping6" ];
# Capabilities won't work unless we have at-least a 4.3 Linux
# kernel because we need the ambient capability
security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {
ping = {
source = "${pkgs.iputils.out}/bin/ping";
capabilities = "cap_net_raw+p";
};
ping6 = {
source = "${pkgs.iputils.out}/bin/ping6";
capabilities = "cap_net_raw+p";
};
} else {
ping.source = "${pkgs.iputils.out}/bin/ping";
"ping6".source = "${pkgs.iputils.out}/bin/ping6";
};
# Set the host and domain names in the activation script. Don't
# clear it if it's not configured in the NixOS configuration,
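Review bot: The comment above `security.wrappers` explains the kernel gate but not what the `else` branch means: on kernels older than 4.3, `ping` and `ping6` get source-only wrappers, which (if the defaults mirror the `setuidPrograms` line being replaced) are full setuid-root binaries rather than `cap_net_raw` ones. A second comment line, `# Older kernels fall back to plain setuid wrappers.`, would make that fallback visible to the next reader. `stdenv` is added to the module arguments in the first hunk but is not used in any line shown; drop it unless code outside these hunks needs it.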


@ -89,6 +89,15 @@ let
if [ -n "$HOST_BRIDGE" ]; then
extraFlags+=" --network-bridge=$HOST_BRIDGE"
fi
if [ -n "$HOST_PORT" ]; then
OIFS=$IFS
IFS=","
for i in $HOST_PORT
do
extraFlags+=" --port=$i"
done
IFS=$OIFS
fi
fi
extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}"
@ -128,6 +137,7 @@ let
--setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \
--setenv HOST_ADDRESS6="$HOST_ADDRESS6" \
--setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
--setenv HOST_PORT="$HOST_PORT" \
--setenv PATH="$PATH" \
${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then
''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else ""
@ -315,6 +325,36 @@ let
'';
};
forwardPorts = mkOption {
type = types.listOf (types.submodule {
options = {
protocol = mkOption {
type = types.str;
default = "tcp";
description = "The protocol specifier for port forwarding between host and container";
};
hostPort = mkOption {
type = types.int;
description = "Source port of the external interface on host";
};
containerPort = mkOption {
type = types.nullOr types.int;
default = null;
description = "Target port of container";
};
};
});
default = [];
example = [ { protocol = "tcp"; hostPort = 8080; containerPort = 80; } ];
description = ''
List of forwarded ports from host to container. Each forwarded port
is specified by protocol, hostPort and containerPort. By default,
protocol is tcp and hostPort and containerPort are assumed to be
the same if containerPort is not explicitly given.
'';
};
hostAddress = mkOption {
type = types.nullOr types.str;
default = null;
@ -642,7 +682,9 @@ in
# Generate a configuration file in /etc/containers for each
# container so that container@.target can get the container
# configuration.
environment.etc = mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf"
environment.etc =
let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort);
in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf"
{ text =
''
SYSTEM_PATH=${cfg.path}
@ -651,6 +693,9 @@ in
${optionalString (cfg.hostBridge != null) ''
HOST_BRIDGE=${cfg.hostBridge}
''}
${optionalString (length cfg.forwardPorts > 0) ''
HOST_PORT=${concatStringsSep "," (map mkPortStr cfg.forwardPorts)}
''}
${optionalString (cfg.hostAddress != null) ''
HOST_ADDRESS=${cfg.hostAddress}
''}
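Review bot: `protocol` is declared as `types.str`, so any string is accepted and interpolated by `mkPortStr` into the `HOST_PORT=` line of the generated `containers/${name}.conf`, then split on commas into `--port=$i` for the container start command. A typo, an embedded comma or a space is therefore only noticed when the container fails to start, or it changes how `extraFlags` is split into arguments (its expansion is outside these hunks). `type = types.enum [ "tcp" "udp" ];` rejects such values at evaluation time, and a range check on `hostPort` and `containerPort` would do the same for the integers. The option description could also state that every entry exposes a port on the host's external interface.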


@ -68,15 +68,15 @@ in
boot.extraModulePackages = [ kernelModules ];
environment.systemPackages = [ virtualbox ];
security.setuidOwners = let
security.wrappers = let
mkSuid = program: {
inherit program;
source = "${virtualbox}/libexec/virtualbox/${program}";
owner = "root";
group = "vboxusers";
setuid = true;
};
in mkIf cfg.enableHardening (map mkSuid [
in mkIf cfg.enableHardening
(builtins.listToAttrs (map (x: { name = x; value = mkSuid x; }) [
"VBoxHeadless"
"VBoxNetAdpCtl"
"VBoxNetDHCP"
@ -84,7 +84,7 @@ in
"VBoxSDL"
"VBoxVolInfo"
"VirtualBox"
]);
]));
users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
@ -99,7 +99,7 @@ in
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
'';
# Since we lack the right setuid binaries, set up a host-only network by default.
# Since we lack the right setuid/setcap binaries, set up a host-only network by default.
} (mkIf cfg.addNetworkInterface {
systemd.services."vboxnet0" =
{ description = "VirtualBox vboxnet0 Interface";


@ -0,0 +1,63 @@
# Test for NixOS' container support.
let
hostIp = "192.168.0.1";
hostPort = 10080;
containerIp = "192.168.0.100";
containerPort = 80;
in
import ./make-test.nix ({ pkgs, ...} : {
name = "containers-portforward";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ aristid aszlig eelco chaoflow kampfschlaefer ianwookim ];
};
machine =
{ config, pkgs, ... }:
{ imports = [ ../modules/installer/cd-dvd/channel.nix ];
virtualisation.writableStore = true;
virtualisation.memorySize = 768;
containers.webserver =
{ privateNetwork = true;
hostAddress = hostIp;
localAddress = containerIp;
forwardPorts = [ { protocol = "tcp"; hostPort = hostPort; containerPort = containerPort; } ];
config =
{ services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowPing = true;
};
};
virtualisation.pathsInNixDB = [ pkgs.stdenv ];
};
testScript =
''
$machine->succeed("nixos-container list") =~ /webserver/ or die;
# Start the webserver container.
$machine->succeed("nixos-container start webserver");
# wait two seconds for the container to start and the network to be up
sleep 2;
# Since "start" returns after the container has reached
# multi-user.target, we should now be able to access it.
#my $ip = $machine->succeed("nixos-container show-ip webserver");
#chomp $ip;
$machine->succeed("ping -n -c1 ${hostIp}");
$machine->succeed("curl --fail http://${hostIp}:${toString hostPort}/ > /dev/null");
# Stop the container.
$machine->succeed("nixos-container stop webserver");
$machine->fail("curl --fail --connect-timeout 2 http://${hostIp}:${toString hostPort}/ > /dev/null");
# Destroying a declarative container should fail.
$machine->fail("nixos-container destroy webserver");
'';
})
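Review bot: `sleep 2;` in `testScript` is a fixed delay standing in for "the container network is up", so the `curl` that follows can fail on a slow builder while the two seconds are wasted on a fast one. Polling removes the race: `$machine->waitUntilSucceeds("curl --fail http://${hostIp}:${toString hostPort}/ > /dev/null");`. The header comment still reads `# Test for NixOS' container support.`; `# Test for port forwarding from the host into a NixOS container.` describes this file, and the commented-out `show-ip` lines can be removed. The test only checks the forwarded port; an assertion that the container's port 80 is not reachable through any other host port would pin down that nothing beyond `forwardPorts` is exposed.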


@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
mailHost = "127.0.0.2";
probeConfig = ''
+ FPing
binary = /var/setuid-wrappers/fping
binary = /run/wrappers/bin/fping
offset = 0%
'';
};


@ -1,7 +1,7 @@
{ stdenv, python2Packages, fetchurl, gettext, chromaprint }:
let
version = "1.3.2";
version = "1.4";
pythonPackages = python2Packages;
in pythonPackages.buildPythonApplication {
name = "picard-${version}";
@ -9,7 +9,7 @@ in pythonPackages.buildPythonApplication {
src = fetchurl {
url = "http://ftp.musicbrainz.org/pub/musicbrainz/picard/picard-${version}.tar.gz";
sha256 = "0821xb7gyg0rhch8s3qkzmak90wjpcxkv9a364yv6bmqc12j6a77";
sha256 = "0gi7f1h7jcg7n18cx8iw38sd868viv3w377xmi7cq98f1g76d4h6";
};
buildInputs = [ gettext ];


@ -341,12 +341,12 @@ rec {
jdt = buildEclipseUpdateSite rec {
name = "jdt-${version}";
version = "4.6";
version = "4.6.2";
src = fetchzip {
stripRoot = false;
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.6-201606061100/org.eclipse.jdt-4.6.zip";
sha256 = "0raz8d09fnnx19l012l5frca97qavfivvygn3mvsllcyskhqc5hg";
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.6.2-201611241400/org.eclipse.jdt-4.6.2.zip";
sha256 = "1nnlrl05lh1hcsh14dlisnx0vwmj21agm4wia98rv0gl2gkp19n1";
};
meta = with stdenv.lib; {
@ -388,7 +388,7 @@ rec {
version = "4.4.1.201605041056";
src = fetchzip {
url = "http://download.scala-ide.org/sdk/lithium/e44/scala211/stable/update-site.zip";
url = "http://download.scala-ide.org/sdk/lithium/e44/scala211/stable/base-20160504-1321.zip";
sha256 = "13xgx2rwlll0l4bs0g6gyvrx5gcc0125vzn501fdj0wv2fqxn5lw";
};


@ -725,10 +725,10 @@
}) {};
exwm = callPackage ({ elpaBuild, fetchurl, lib, xelb }: elpaBuild {
pname = "exwm";
version = "0.12";
version = "0.13";
src = fetchurl {
url = "https://elpa.gnu.org/packages/exwm-0.12.tar";
sha256 = "1h964w9ir8plam45c194af74g5q1wdvgwrldlmlcplcswlsn3n4z";
url = "https://elpa.gnu.org/packages/exwm-0.13.tar";
sha256 = "0n1wzy6chh024r0yaywjbf7mdsrxs6hrfycv5v0ps0drf6q3zldc";
};
packageRequires = [ xelb ];
meta = {
@ -1377,10 +1377,10 @@
}) {};
org = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild {
pname = "org";
version = "20170124";
version = "20170210";
src = fetchurl {
url = "https://elpa.gnu.org/packages/org-20170124.tar";
sha256 = "0mcnjwvily0xv1xl11dj18lg38llvrxja2j9mwn6vql8n5y1srxi";
url = "https://elpa.gnu.org/packages/org-20170210.tar";
sha256 = "15415wh3w8d4c8hd7qfrfdjnjb1zppmrkg8cdp7hw2ilyr90c0bn";
};
packageRequires = [];
meta = {

File diff suppressed because it is too large Load diff


@ -2578,12 +2578,12 @@
bing-dict = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }:
melpaBuild {
pname = "bing-dict";
version = "0.2.2";
version = "0.2.3";
src = fetchFromGitHub {
owner = "cute-jumper";
repo = "bing-dict.el";
rev = "e94975ac63ba87225b56eec13a153ce169e4ec94";
sha256 = "0pmpg54faq0l886f2cmnmwm28d2yfg8adk7gp7623gx0ifggn332";
rev = "7c067b7a3a1a4797476f03a65f4a0b4a269a70c7";
sha256 = "1cw8zxcj7ygj73dc8xf6b4sdjrwxfl6h07mrwym8anllqs2v0fa6";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/5653d2b6c2a9b33cfed867e7f6e552d4ed90b181/recipes/bing-dict";
@ -7763,12 +7763,12 @@
el-patch = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }:
melpaBuild {
pname = "el-patch";
version = "1.0";
version = "1.1";
src = fetchFromGitHub {
owner = "raxod502";
repo = "el-patch";
rev = "4775dfb0957605308985ce2d2cf73550704137ae";
sha256 = "0xdb3l9184lmsabq9ajm7xj47pcg1rn743f24j7vp8r93ac21x5x";
rev = "5fe9ff42e2651013ae8ff6bb8a1691d3f7b7225c";
sha256 = "1d6n1w049wziphkx9vc2ijg70qj8zflwmn4xgzf3k09hzbgk4n46";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/2f4f57e0edbae35597aa4a7744d22d2f971d5de5/recipes/el-patch";
@ -13548,22 +13548,22 @@
license = lib.licenses.free;
};
}) {};
go-eldoc = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, go-mode, lib, melpaBuild }:
go-eldoc = callPackage ({ emacs, fetchFromGitHub, fetchurl, go-mode, lib, melpaBuild }:
melpaBuild {
pname = "go-eldoc";
version = "0.27";
version = "0.30";
src = fetchFromGitHub {
owner = "syohex";
repo = "emacs-go-eldoc";
rev = "ebf17e486bb64af494278f851f674303c954432c";
sha256 = "1n5fnlfq9cy9rbn2hizqqsy0iryw5g2blaa7nd75ya03gxm10p8j";
rev = "f1ad302ec4073354801e613293be2f55ba770618";
sha256 = "0hkwhmgjyn5jxrd0k1nakrvy4d7cz7sxb1nw4hb1rqmz4yd14c8i";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/6ce1190db06cc214746215dd27648eded5fe5140/recipes/go-eldoc";
sha256 = "1k115dirfqxdnb6hdzlw41xdy2dxp38g3vq5wlvslqggha7gzhkk";
name = "go-eldoc";
};
packageRequires = [ cl-lib go-mode ];
packageRequires = [ emacs go-mode ];
meta = {
homepage = "https://melpa.org/#/go-eldoc";
license = lib.licenses.free;
@ -15782,6 +15782,27 @@
license = lib.licenses.free;
};
}) {};
helm-perspeen = callPackage ({ fetchFromGitHub, fetchurl, helm-projectile, lib, melpaBuild, perspeen }:
melpaBuild {
pname = "helm-perspeen";
version = "0.1.0";
src = fetchFromGitHub {
owner = "jimo1001";
repo = "helm-perspeen";
rev = "28c91e4e8a43921457f047a548366dd799c07f69";
sha256 = "1zn7k0v734d9qcp79p3ajz6kr4hdxqiwi82i2rplg7y4ylikq0jq";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/1ee26a57aacbd571da0cfaca2c31eec6ea86a543/recipes/helm-perspeen";
sha256 = "07cnsfhph807fqyai3by2c5ml9a40gxkq280f27disf8sc45rg1y";
name = "helm-perspeen";
};
packageRequires = [ helm-projectile perspeen ];
meta = {
homepage = "https://melpa.org/#/helm-perspeen";
license = lib.licenses.free;
};
}) {};
helm-proc = callPackage ({ fetchFromGitHub, fetchurl, helm, lib, melpaBuild }:
melpaBuild {
pname = "helm-proc";
@ -18299,6 +18320,27 @@
license = lib.licenses.free;
};
}) {};
jdecomp = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }:
melpaBuild {
pname = "jdecomp";
version = "0.2.0";
src = fetchFromGitHub {
owner = "xiongtx";
repo = "jdecomp";
rev = "1590b06f139f036c1041e1ce5c0acccaa24b31a7";
sha256 = "0sb9vzn6cycys31r98kxwgpn7v9aw5ck86nkskmn9hhhkrfsabii";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/d7725a5b3e2aa065cc6f9bac55575151cfdc7791/recipes/jdecomp";
sha256 = "1s8y7q361300i7f6pany1phxzr42j8gcdv9vpin05xx15p2nr3qz";
name = "jdecomp";
};
packageRequires = [ emacs ];
meta = {
homepage = "https://melpa.org/#/jdecomp";
license = lib.licenses.free;
};
}) {};
jedi = callPackage ({ auto-complete, emacs, fetchFromGitHub, fetchurl, jedi-core, lib, melpaBuild }:
melpaBuild {
pname = "jedi";
@ -19977,14 +20019,14 @@
pname = "magit-filenotify";
version = "0.1";
src = fetchFromGitHub {
owner = "emacsorphanage";
owner = "ruediger";
repo = "magit-filenotify";
rev = "575c4321f61fb8f25e4779f9ffd4514ac086ae96";
sha256 = "1vn6x53kpwv3zf2b5xjswyz6v853r8b9dg88qhwd2h480hrx6kal";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/41aeebef8ed914fb378fef13ba47572accee332c/recipes/magit-filenotify";
sha256 = "0bbw6ay3csbc5zc6wa9p9nxpbxl3k35xz9jwqlw8mgz2b1xq083d";
url = "https://raw.githubusercontent.com/milkypostman/melpa/ca5541d2ce3553e9ade2c1ec1c0d78103dfd0c4d/recipes/magit-filenotify";
sha256 = "1ihk5yi6psqkccpi2bq2h70kn7k874zl7wcinjaq21lirk4z7bvn";
name = "magit-filenotify";
};
packageRequires = [ emacs magit ];
@ -20143,12 +20185,12 @@
magit-svn = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, magit, melpaBuild }:
melpaBuild {
pname = "magit-svn";
version = "2.2.0";
version = "2.2.1";
src = fetchFromGitHub {
owner = "magit";
repo = "magit-svn";
rev = "d9e61effc55480694014e5422e8f74f0f17a757a";
sha256 = "128ra3habdqk1rsnmy87m0aw2pqi033dqmmjmgsmfblnfvi987p9";
rev = "c833903732a14478f5c4cfc561bae7c50671b36c";
sha256 = "01kcsc53q3mbhgjssjpby7ypnhqsr48rkl1xz3ahaypmlp929gl9";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/cec5af50ae7634cc566adfbfdf0f95c3e2951c0c/recipes/magit-svn";
@ -20182,22 +20224,22 @@
license = lib.licenses.free;
};
}) {};
magithub = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, magit, melpaBuild }:
magithub = callPackage ({ emacs, fetchFromGitHub, fetchurl, git-commit, lib, magit, melpaBuild, s, with-editor }:
melpaBuild {
pname = "magithub";
version = "0.1";
version = "0.1.2";
src = fetchFromGitHub {
owner = "vermiculus";
repo = "magithub";
rev = "c94ff69749dd14200956e0b59a3757618c594730";
sha256 = "12z9gl5lrvdfvhvk213phhgddvvr3y3hpigpzzcq0jla65db367b";
rev = "283bde94b3fe5cd8f4634887812c58eaf55aef60";
sha256 = "0nd9q3x60pydigyrp7b00xgnw7pgb0plh6mry7pj1532z3xxz1d7";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/4605012c9d43403e968609710375e34f1b010235/recipes/magithub";
sha256 = "1c3rbav13rw16ngjhjwnz80v653k8df63fkw0kayd80xrkxhrkxw";
name = "magithub";
};
packageRequires = [ emacs magit ];
packageRequires = [ emacs git-commit magit s with-editor ];
meta = {
homepage = "https://melpa.org/#/magithub";
license = lib.licenses.free;
@ -20434,22 +20476,29 @@
license = lib.licenses.free;
};
}) {};
markdown-preview-mode = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, markdown-mode, melpaBuild, websocket }:
markdown-preview-mode = callPackage ({ cl-lib ? null, emacs, fetchFromGitHub, fetchurl, lib, markdown-mode, melpaBuild, uuidgen, web-server, websocket }:
melpaBuild {
pname = "markdown-preview-mode";
version = "0.7";
version = "0.8";
src = fetchFromGitHub {
owner = "ancane";
repo = "markdown-preview-mode";
rev = "2fc9f06fdf8489a2d5661b794941abb6f863f194";
sha256 = "0grljxihip0xyfm47ljwz6hy4kn30vw69bv4w5dw8kr33d51y5ym";
rev = "65f48df07c87d37275cc6a135741df4b585f1836";
sha256 = "0gkfwm7zxwdi7x7xd6m9sl9q1p5f2q8mxryq6cd4xldbvbcki71f";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/d3c5d222cf0d7eca6a4e3eb914907f8ca58e40f0/recipes/markdown-preview-mode";
sha256 = "1cam5wfxca91q3i1kl0qbdvnfy62hr5ksargi4430kgaz34bcbyn";
name = "markdown-preview-mode";
};
packageRequires = [ cl-lib markdown-mode websocket ];
packageRequires = [
cl-lib
emacs
markdown-mode
uuidgen
web-server
websocket
];
meta = {
homepage = "https://melpa.org/#/markdown-preview-mode";
license = lib.licenses.free;
@ -20689,12 +20738,12 @@
meghanada = callPackage ({ company, emacs, fetchFromGitHub, fetchurl, flycheck, lib, melpaBuild, yasnippet }:
melpaBuild {
pname = "meghanada";
version = "0.5.0";
version = "0.6.0";
src = fetchFromGitHub {
owner = "mopemope";
repo = "meghanada-emacs";
rev = "6b1b514ca3424c08301325f99608510130365cd1";
sha256 = "1pl65186k696mx6lm6lnn2jm86kwky780rph97cqb1dy506qpqxf";
rev = "9f73f1b0656a6a2ea55bbacf7659ffd3b35cdd9d";
sha256 = "0hnhzkkggv035x0qkxmw64migq6v6jpg8m6ayfc95avimyf1j67r";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/4c75c69b2f00be9a93144f632738272c1e375785/recipes/meghanada";
@ -21990,12 +22039,12 @@
nginx-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }:
melpaBuild {
pname = "nginx-mode";
version = "1.1.6";
version = "1.1.7";
src = fetchFromGitHub {
owner = "ajc";
repo = "nginx-mode";
rev = "304c9e2dbe884645661e3f133c11217a2b4d4274";
sha256 = "1i9yh55zi7ml4i9nfjgvyz62y7id3c9fszs0h41skdzjfs9x5p6j";
rev = "b58708d15a6659577945c0aa3a63983eebff2e67";
sha256 = "0y2wwgvm3495h6hms425gzgi3qx2wn33xq6b7clrvj4amfy29qix";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/a6da3640b72496e2b32e6ed21aa39df87af9f7f3/recipes/nginx-mode";
@ -25282,12 +25331,12 @@
phpunit = callPackage ({ cl-lib ? null, emacs, f, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info, s }:
melpaBuild {
pname = "phpunit";
version = "0.14.0";
version = "0.15.0";
src = fetchFromGitHub {
owner = "nlamirault";
repo = "phpunit.el";
rev = "791d1b33b63887cdeaf287fa657b8109f9d1dd18";
sha256 = "0j9ym19pz17wsjh1ky65x9mz8aiiryxbw1nsygvy9isbdzjx591k";
rev = "5ca5ee53e16b2cf0939dbeacbf1dffa13b41b48f";
sha256 = "0gmb5fxnllkjg45cmqpr2gy2k6qhg1r6j2w67qbpir0x4h3q2x6x";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/0670b42c0c998daa7bf01080757976ac3589ec06/recipes/phpunit";
@ -26095,22 +26144,22 @@
license = lib.licenses.free;
};
}) {};
projectile-ripgrep = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }:
projectile-ripgrep = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild, projectile, ripgrep }:
melpaBuild {
pname = "projectile-ripgrep";
version = "0.3.0";
version = "0.4.0";
src = fetchFromGitHub {
owner = "nlamirault";
repo = "ripgrep.el";
rev = "1d579c5dc820b9a2c58261d362ffb95a02a8a752";
sha256 = "0ayq3h0mfqyn695r3qp31yamsyy6hcgj9fxsmlrsm615axvmki9g";
rev = "73595f1364f2117db49e1e4a49290bd6d430e345";
sha256 = "1a5rdpmvsgsjlc9sywism9pq7jd6n9qbcdsvpbfkq1npwhpifkbj";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/195f340855b403128645b59c8adce1b45e90cd18/recipes/projectile-ripgrep";
sha256 = "1iczizyayql40wcljvpc1mvfvn9r28b1dkrkcmdxif732gd01jjg";
name = "projectile-ripgrep";
};
packageRequires = [];
packageRequires = [ projectile ripgrep ];
meta = {
homepage = "https://melpa.org/#/projectile-ripgrep";
license = lib.licenses.free;
@ -27400,12 +27449,12 @@
repo = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }:
melpaBuild {
pname = "repo";
version = "0.1.2";
version = "0.1.3";
src = fetchFromGitHub {
owner = "canatella";
repo = "repo-el";
rev = "98bde6fdc840d42a24c5784ee440cad39e8264d9";
sha256 = "0hs80g3npgb6qfcaivdfkpsc9mss1kdmyp5j7s922qcy2k4yxmgl";
rev = "d7b87cd515bad8a67d3a892a46a23f5fe81e08de";
sha256 = "0rbvcvm7bfr6ncji7cllfxyyr6x7n9fx863byp243phsj3n93adz";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/1729d4ea9498549fff3594b971fcde5f81592f84/recipes/repo";
@ -27610,12 +27659,12 @@
rg = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild, s }:
melpaBuild {
pname = "rg";
version = "1.1.0";
version = "1.1.1";
src = fetchFromGitHub {
owner = "dajva";
repo = "rg.el";
rev = "ec9eb5240191612debf0392ee7a7f491c7dae27e";
sha256 = "0773d0n5jq42yr5p1xbbfji027j0kw4msv1p8b7zk82ij1yc7hyr";
rev = "fd0f056a5912caeeb2d4f668969d9df81c9e22db";
sha256 = "1lig93lj5mnm2fjvwac42kfw8bhq8ggs4jfc73fmclm6s5dg8661";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/9ce1f721867383a841957370946f283f996fa76f/recipes/rg";
@ -27694,12 +27743,12 @@
ripgrep = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }:
melpaBuild {
pname = "ripgrep";
version = "0.3.0";
version = "0.4.0";
src = fetchFromGitHub {
owner = "nlamirault";
repo = "ripgrep.el";
rev = "1d579c5dc820b9a2c58261d362ffb95a02a8a752";
sha256 = "0ayq3h0mfqyn695r3qp31yamsyy6hcgj9fxsmlrsm615axvmki9g";
rev = "73595f1364f2117db49e1e4a49290bd6d430e345";
sha256 = "1a5rdpmvsgsjlc9sywism9pq7jd6n9qbcdsvpbfkq1npwhpifkbj";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/e8d789818876e959a1a59690f1dd7d4efa6d608b/recipes/ripgrep";
@ -28427,12 +28476,12 @@
selectric-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }:
melpaBuild {
pname = "selectric-mode";
version = "1.2";
version = "1.4";
src = fetchFromGitHub {
owner = "rbanffy";
repo = "selectric-mode";
rev = "a8e8c8899c749bd36bdd161e161cdc51301defc6";
sha256 = "1dj8vccdk1s0ynl5znpg02xp182srn3s8cqcxqrxjllp7wbgab31";
rev = "e60703d9a6c9944270d77bc829dae3a8b092346f";
sha256 = "04i5rrn93hzcf8zzfli2ams927lm83hl4q6w2azcg24lhldaqf8p";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/08922071b9854142eab726302e75f1db2d326ec5/recipes/selectric-mode";
@ -28553,12 +28602,12 @@
shackle = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild }:
melpaBuild {
pname = "shackle";
version = "0.9.0";
version = "0.9.2";
src = fetchFromGitHub {
owner = "wasamasa";
repo = "shackle";
rev = "4069e0cbff0d172de2cd7d588de971d8b02915c6";
sha256 = "0yy162sz7vwj0i9w687a5x1c2fq31vc3i6gqhbywspviczdp4q1y";
rev = "979b021077655ca38749a60c9752c0817e8fd93e";
sha256 = "11qp4gqxfi5d6krvxlqxfn58b1kcgsnldpi54r8lx6mis8l0f4wl";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/806e7d00f763f3fc4e3b8ebd483070ac6c5d0f21/recipes/shackle";
@ -29537,22 +29586,22 @@
license = lib.licenses.free;
};
}) {};
socyl = callPackage ({ dash, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info, s }:
socyl = callPackage ({ cl-lib ? null, dash, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info, s }:
melpaBuild {
pname = "socyl";
version = "0.2.0";
version = "0.3.0";
src = fetchFromGitHub {
owner = "nlamirault";
repo = "socyl";
rev = "09ea9d1ea02060ccdb17b80ad88f912c08045c5b";
sha256 = "09zdknrg4ar38nbhvz4407x78i3lngmnrcijr7a4x1ybs5x61zis";
rev = "fcc0deda5b6c39d25e48e7da2a0ae73295193ea8";
sha256 = "1a8qd9hcmp4xl6hyvlq116nr9cn392bmrrda8vqkvjpd8rm8i776";
};
recipeFile = fetchurl {
url = "https://raw.githubusercontent.com/milkypostman/melpa/774b3006f5b6b781594257f1d9819068becbbcc1/recipes/socyl";
sha256 = "00b7x247cyjh4gci101fq1j6708vbcz1g9ls3845w863wjf6m5sz";
name = "socyl";
};
packageRequires = [ dash pkg-info s ];
packageRequires = [ cl-lib dash pkg-info s ];
meta = {
homepage = "https://melpa.org/#/socyl";
license = lib.licenses.free;


@ -1,10 +1,10 @@
{ callPackage }: {
org = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild {
pname = "org";
version = "20170124";
version = "20170210";
src = fetchurl {
url = "http://orgmode.org/elpa/org-20170124.tar";
sha256 = "0zlqb31fkwv74wszfz914agnprnh6jlr60v9dw62y9jyivaxg99k";
url = "http://orgmode.org/elpa/org-20170210.tar";
sha256 = "1v8adjz3rv429is8m7xx2v8hvc20dxl4hcdhdf2vhcx44bgbvyjb";
};
packageRequires = [];
meta = {
@ -14,10 +14,10 @@
}) {};
org-plus-contrib = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild {
pname = "org-plus-contrib";
version = "20170124";
version = "20170210";
src = fetchurl {
url = "http://orgmode.org/elpa/org-plus-contrib-20170124.tar";
sha256 = "1vgiw9xbh7zcr7gywb021h46idm0k69ifgkmwb9f9wb4snar4yq8";
url = "http://orgmode.org/elpa/org-plus-contrib-20170210.tar";
sha256 = "1h0lwf1sw7n1df865ip5mp0pdmdi2md6hz6fq53r4zhali041ifx";
};
packageRequires = [];
meta = {


@ -1,5 +1,5 @@
{ fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2,
pkexecPath ? "/var/setuid-wrappers/pkexec", libredirect,
pkexecPath ? "/run/wrappers/bin/pkexec", libredirect,
gksuSupport ? false, gksu}:
assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";


@ -1,5 +1,5 @@
{ stdenv, fetchurl, automoc4, boost, shared_desktop_ontologies, cmake
, eigen, lcms, gettext, jasper, kdelibs, kdepimlibs, lensfun
{ stdenv, fetchurl, fetchpatch, automoc4, boost, shared_desktop_ontologies
, cmake, eigen, lcms, gettext, jasper, kdelibs, kdepimlibs, lensfun
, libgphoto2, libjpeg, libkdcraw, libkexiv2, libkipi, libpgf, libtiff
, libusb1, liblqr1, marble, mysql, opencv, perl, phonon, pkgconfig
, qca2, qimageblitz, qjson, qt4, soprano
@ -36,6 +36,16 @@ let
sha256 = "081ldsaf3frf5khznjd3sxkjmi4dyp6w6nqnc2a0agkk0kxkl10m";
};
patches = [
(fetchpatch {
# Fix compilation against Lensfun 0.3.2
url = "http://cgit.kde.org/digikam.git/patch/?id=0f159981176faa6da701f112bfe557b79804d468";
sha256 = "1c8bg7s84vg4v620gbs16cjcbpml749018gy5dpvfacx5vl24wza";
})
];
patchFlags = ["-p1" "-dcore"];
nativeBuildInputs = [
automoc4 cmake gettext perl pkgconfig
] ++ [


@ -8,12 +8,12 @@
stdenv.mkDerivation rec {
version = "${major}.${minor}";
major = "0.25";
minor = "2";
minor = "5";
name = "shotwell-${version}";
src = fetchurl {
url = "mirror://gnome/sources/shotwell/${major}/${name}.tar.xz";
sha256 = "1bih5hr3pvpkx3fck55bnhngn4fl92ryjizc34wb8pwigbkxnaj1";
sha256 = "10pv3v789hky8h7ladqzzmgvkmgy3c41n4xz0nnyjmpycwl26g29";
};
NIX_CFLAGS_COMPILE = "-I${glib.dev}/include/glib-2.0 -I${glib.out}/lib/glib-2.0/include";


@ -1,4 +1,4 @@
{ stdenv, fetchFromGitHub, pkgs, lib, python, pythonPackages }:
{ fetchFromGitHub, lib, pythonPackages }:
pythonPackages.buildPythonApplication rec {
version = "3.4.0";
@ -26,5 +26,6 @@ pythonPackages.buildPythonApplication rec {
homepage = https://github.com/insanum/gcalcli;
description = "CLI for Google Calendar";
license = licenses.mit;
maintainers = [ maintainers.nocoolnametom ];
};
}


@ -6,9 +6,8 @@ let
getDesktopFileName = drvName: (builtins.parseDrvName drvName).name;
# TODO: Should we move this to `lib`? Seems like its would be useful in many cases.
extensionOf = filePath:
lib.concatStringsSep "." (lib.tail (lib.splitString "."
(builtins.baseNameOf filePath)));
extensionOf = filePath:
lib.concatStringsSep "." (lib.tail (lib.splitString "." (builtins.baseNameOf filePath)));
installIcons = iconName: icons: lib.concatStringsSep "\n" (lib.mapAttrsToList (size: iconFile: ''
mkdir -p "$out/share/icons/hicolor/${size}/apps"
@ -68,14 +67,14 @@ let
in rec {
application = mkSweetHome3D rec {
version = "5.2";
version = "5.4";
module = "SweetHome3D";
name = stdenv.lib.toLower module + "-application-" + version;
description = "Design and visualize your future home";
license = stdenv.lib.licenses.gpl2Plus;
src = fetchcvs {
cvsRoot = ":pserver:anonymous@sweethome3d.cvs.sourceforge.net:/cvsroot/sweethome3d";
sha256 = "0vws3lj5lgix5fz2hpqvz6p79py5gbfpkhmqpfb1knx1a12310bb";
sha256 = "09sk4svmaiw8dabcya3407iq5yjwxbss8pik1rzalrlds2428vyw";
module = module;
tag = "V_" + d2u version;
};


@ -30,6 +30,7 @@ let
patchPhase = ''
sed -i -e 's,../SweetHome3D,${application.src},g' build.xml
sed -i -e 's,lib/macosx/java3d-1.6/jogl-all.jar,lib/java3d-1.6/jogl-all.jar,g' build.xml
'';
buildPhase = ''


@ -0,0 +1,25 @@
{ stdenv, fetchFromGitHub, python3Packages }:
python3Packages.buildPythonApplication rec {
name = "urh-${version}";
version = "1.3.3";
src = fetchFromGitHub {
owner = "jopohl";
repo = "urh";
rev = "v${version}";
sha256 = "137dsxs4i0lmxwp31g8fzwpwv1i8rsiir9gxvs5cmnwsrbcrdvxh";
};
propagatedBuildInputs = with python3Packages; [ pyqt5 numpy psutil cython ];
doCheck = false;
meta = with stdenv.lib; {
inherit (src.meta) homepage;
description = "Universal Radio Hacker: investigate wireless protocols like a boss";
license = licenses.asl20;
platform = platforms.all;
maintainers = with maintainers; [ fpletz ];
};
}
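Review bot: `platform = platforms.all;` in the `meta` block uses a singular attribute name, while the other new packages in this commit set `platforms` (for example `platforms = platforms.linux;`), so this line most likely has no effect on platform filtering. It should read `platforms = platforms.all;`. `doCheck = false;` would also benefit from a short comment saying why the test suite is skipped.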


@ -83,9 +83,9 @@ in stdenv.mkDerivation {
ed -v -s "$out/bin/chromium" << EOF
2i
if [ -x "/var/setuid-wrappers/${sandboxExecutableName}" ]
if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ]
then
export CHROME_DEVEL_SANDBOX="/var/setuid-wrappers/${sandboxExecutableName}"
export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}"
else
export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
fi
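Review bot: The wrapper test inside the `ed` script checks only `/run/wrappers/bin/${sandboxExecutableName}`, so on a host that still keeps its wrappers under `/var/setuid-wrappers` (for example, this package installed on a system not yet rebuilt to the new layout) the `else` branch quietly exports the in-store `$sandbox/bin/...` path, which cannot carry the setuid bit. During the transition an extra branch such as `elif [ -x "/var/setuid-wrappers/${sandboxExecutableName}" ]` exporting that path would keep the setuid sandbox in use. The same literal is hard-coded in several other sections of this commit (pkexec, gksign, sendmail, VirtualBox, kinit, gksu, Unity), and one of them already carries a TODO to take it from `config.security.wrapperDir`. The script being edited continues outside this hunk.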


@ -73,7 +73,7 @@ let
in
stdenv.mkDerivation rec {
name = "flashplayer-${version}";
version = "24.0.0.194";
version = "24.0.0.221";
src = fetchurl {
url =
@ -84,14 +84,14 @@ stdenv.mkDerivation rec {
sha256 =
if debug then
if arch == "x86_64" then
"197s3ksx6h3dkfx8q7v9c8mf8ai9s1jpqnaczjdkmzcyp5jd29w9"
"10f8m5zc8p4xbhihbl785lws1kpv6smnbhx4ydzf8ai3mlv3y241"
else
"0ll0ddss3gkzngmm96pyvnf4a6mf8axraxlqpjdl63ghrndd1gkc"
"1rz9rkbvln8wdkfmsnnq936xs6969qma141jc4qx408419q7v3hg"
else
if arch == "x86_64" then
"0bri8kjqy9g929ix4qx4whmxz5rzbgjff253kvs6dlr8vyglz0gx"
"1cb4mvslphj3bcchgr7lcswz8kk8si0s60rl5266mi53byplhw08"
else
"1lrfwwhl18411bk9qsizhch8n3ilcvhmj4i7sak5zjv5r6mwnqgl";
"1vcyp9041171xkcnz05dlk3n7bnbcb9qbh4sy5wfgjkqsyd6i5bl";
};
nativeBuildInputs = [ unzip ];


@ -57,7 +57,7 @@ let
in
stdenv.mkDerivation rec {
name = "flashplayer-standalone-${version}";
version = "24.0.0.194";
version = "24.0.0.221";
src = fetchurl {
url =
@ -67,9 +67,9 @@ stdenv.mkDerivation rec {
"https://fpdownload.macromedia.com/pub/flashplayer/updaters/24/flash_player_sa_linux.x86_64.tar.gz";
sha256 =
if debug then
"0yiln97l8b27s5c6nv9m09cdgwa4c47idnf2p6y6i0slfcqj1cxv"
"0cy81cml72ayx2wa0fd9vgp2wzny866jasahndg01v0jfxcxw5rz"
else
"1f34qm8grj3141p6kym6y2pqisrmn9l6nkhbfmfhsd472g5q85v1";
"0xgiycd47mzmwvmhbi0ig3rd7prksfdpcd4h62as1m9gs1ax4d7l";
};
nativeBuildInputs = [ unzip ];


@ -7,11 +7,11 @@
let
pdfjs = stdenv.mkDerivation rec {
name = "pdfjs-${version}";
version = "1.5.188";
version = "1.7.225";
src = fetchurl {
url = "https://github.com/mozilla/pdf.js/releases/download/v${version}/${name}-dist.zip";
sha256 = "1y3yaqfgjj96qzvbm5200x68j5hy1qs7l2mqm3kbbj2b58z9f1qv";
sha256 = "1n8ylmv60r0qbw2vilp640a87l4lgnrsi15z3iihcs6dj1n1yy67";
};
nativeBuildInputs = [ unzip ];
@ -24,12 +24,12 @@ let
in buildPythonApplication rec {
name = "qutebrowser-${version}";
version = "0.9.0";
version = "0.9.1";
namePrefix = "";
src = fetchurl {
url = "https://github.com/The-Compiler/qutebrowser/releases/download/v${version}/${name}.tar.gz";
sha256 = "1fp7yddx8xmy6hx01gg4z3vnw8b9qa5ixam7150i3xaalx0gjzfq";
sha256 = "0pf91nc0xcykahc3x7ww525c9czm8zpg80nxl8n2mrzc4ilgvass";
};
# Needs tox


@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644
+ is_nixos=no
+fi
+
+if [ -u /var/setuid-wrappers/gksign ]; then
+if [ -u /run/wrappers/bin/gksign ]; then
+ cat <<EOM
+
+Gale appears to have already been set up via the NixOS module system (check


@ -0,0 +1,34 @@
{ stdenv, fetchurl, openssl, ncurses, libiconv, tcl }:
stdenv.mkDerivation rec {
name = "epic5-${version}";
version = "2.0.1";
src = fetchurl {
url = "http://ftp.epicsol.org/pub/epic/EPIC5-PRODUCTION/${name}.tar.xz";
sha256 = "1ap73d5f4vccxjaaq249zh981z85106vvqmxfm4plvy76b40y9jm";
};
# Darwin needs libiconv, tcl; while Linux build don't
buildInputs = [ openssl ncurses ]
++ stdenv.lib.optionals stdenv.isDarwin [ libiconv tcl ];
configureFlags = [ "--disable-debug" "--with-ipv6" ];
postConfigure = ''
substituteInPlace bsdinstall \
--replace /bin/cp cp \
--replace /bin/rm rm \
--replace /bin/chmod chmod
'';
meta = with stdenv.lib; {
homepage = "http://epicsol.org/";
description = "a IRC client that offers a great ircII interface";
license = licenses.bsd3;
maintainers = [ maintainers.ndowens ];
};
}
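Review bot: `description = "a IRC client that offers a great ircII interface";` starts with a lowercase article, whereas the other descriptions in this commit are capitalised noun phrases without a leading article. Something like `description = "IRC client that offers a great ircII interface";` would match. The comment above `buildInputs` could read `# Darwin needs libiconv and tcl; the Linux build does not`. The source URL is plain `http://`; the `sha256` pins the tarball, so this affects fetch reliability rather than integrity.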


@ -95,6 +95,7 @@ stdenv.mkDerivation rec {
postInstall = ''
make install-man
'';
dontGzipMan = true; # already compressed
meta = {
description = "Mail indexer";


@ -4,7 +4,7 @@ Date: Thu, 26 Nov 2015 21:03:35 +0100
Subject: [PATCH] Lookup dumpcap in PATH
NixOS patch: Look for dumpcap in PATH first, because there may be a
dumpcap setuid-wrapper that we want to use instead of the default
dumpcap wrapper that we want to use instead of the default
non-setuid dumpcap binary.
Also change execv() to execvp() because we've set argv[0] to "dumpcap"
@ -27,7 +27,7 @@ index 970688e..49914d5 100644
- exename = g_strdup_printf("%s/dumpcap", progfile_dir);
+ /*
+ * NixOS patch: Look for dumpcap in PATH first, because there may be a
+ * dumpcap setuid-wrapper that we want to use instead of the default
+ * dumpcap wrapper that we want to use instead of the default
+ * non-setuid dumpcap binary.
+ */
+ if (system("command -v dumpcap >/dev/null") == 0) {


@ -40,6 +40,8 @@ in stdenv.mkDerivation {
cp -r "./"* "$out"
mkdir "$out/bin"
rm "$out/usr/bin/SpiderOakONE"
rmdir $out/usr/bin || true
mv $out/usr/share $out/
patchelf --set-interpreter ${stdenv.glibc.out}/lib/${interpreter} \
"$out/opt/SpiderOakONE/lib/SpiderOakONE"
@ -48,6 +50,8 @@ in stdenv.mkDerivation {
makeWrapper $out/opt/SpiderOakONE/lib/SpiderOakONE $out/bin/spideroak --set LD_LIBRARY_PATH $RPATH \
--set QT_PLUGIN_PATH $out/opt/SpiderOakONE/lib/plugins/ \
--set SpiderOak_EXEC_SCRIPT $out/bin/spideroak
sed -i 's/^Exec=.*/Exec=spideroak/' $out/share/applications/SpiderOakONE.desktop
'';
buildInputs = [ patchelf makeWrapper ];
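Review bot: `rmdir $out/usr/bin || true` discards every failure, so if a later release ships another file in `usr/bin` it is silently left in the output rather than noticed at build time. Dropping the `|| true` (`rmdir "$out/usr/bin"`) would surface that. The two added lines also leave `$out` unquoted while the neighbouring lines quote it. The new `sed` sets `Exec=spideroak`, which depends on `PATH` lookup when the desktop entry is launched; `sed -i "s|^Exec=.*|Exec=$out/bin/spideroak|"` would point at the wrapper directly. The install script starts before this hunk.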


@ -1,4 +1,4 @@
{stdenv, fetchurl, readline, bison, libX11, libICE, libXaw, libXext}:
{stdenv, fetchurl, readline, bison, flex, libX11, libICE, libXaw, libXext}:
stdenv.mkDerivation {
name = "ngspice-26";
@ -8,9 +8,9 @@ stdenv.mkDerivation {
sha256 = "51e230c8b720802d93747bc580c0a29d1fb530f3dd06f213b6a700ca9a4d0108";
};
buildInputs = [ readline libX11 bison libICE libXaw libXext ];
buildInputs = [ readline libX11 flex bison libICE libXaw libXext ];
configureFlags = [ "--enable-x" "--with-x" "--with-readline" ];
configureFlags = [ "--enable-x" "--with-x" "--with-readline" "--enable-xspice" "--enable-cider" ];
meta = with stdenv.lib; {
description = "The Next Generation Spice (Electronic Circuit Simulator)";


@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
name = "geogebra-${version}";
version = "5-0-320-0";
version = "5-0-328-0";
preferLocalBuild = true;
src = fetchurl {
url = "http://download.geogebra.org/installers/5.0/GeoGebra-Linux-Portable-${version}.tar.bz2";
sha256 = "039mrjwgkj3z51zq4xpchzr4msz5xgscgmp36dr1wms1kl42vibk";
sha256 = "1bzmnw5410fv9s29ji8f4naa6m6ykvv8h88mmxhiygr3rfsc7050";
};
srcIcon = fetchurl {


@ -22,7 +22,7 @@ in
stdenv.mkDerivation rec {
name = "gitlab-${version}";
version = "8.16.3";
version = "8.16.4";
buildInputs = [ env ruby bundler tzdata git nodejs procps ];
@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
owner = "gitlabhq";
repo = "gitlabhq";
rev = "v${version}";
sha256 = "0fdm92w97ggnpiqlpr5aia6x8j09v8id7n6pks134hq3pkdiz6mv";
sha256 = "118p3c9i9r2acc0yv5jzw9p7hql5pbp37k54qzrfgrs8vjjxi14i";
};
patches = [


@ -11,7 +11,7 @@ index a9d8ac4..85f13f5 100644
- # # arguments: '-i -t'
- # # }
+ config.action_mailer.sendmail_settings = {
+ location: '/var/setuid-wrappers/sendmail',
+ location: '/run/wrappers/bin/sendmail',
+ arguments: '-i -t'
+ }
config.action_mailer.perform_deliveries = true


@ -11,14 +11,14 @@ with lib;
stdenv.mkDerivation rec {
name = "docker-${version}";
version = "1.13.0";
rev = "49bf474"; # should match the version commit
version = "1.13.1";
rev = "092cba3"; # should match the version commit
src = fetchFromGitHub {
owner = "docker";
repo = "docker";
rev = "v${version}";
sha256 = "03b181xiqgnwanc567w9p6rbdgdvrfv0lk4r7b604ksm0fr4cz23";
sha256 = "0l9kjibnpwcgk844sibxk9ppyqniw9r0np1mzp95f8f461jb0iar";
};
docker-runc = runc.overrideAttrs (oldAttrs: rec {
@ -26,8 +26,8 @@ stdenv.mkDerivation rec {
src = fetchFromGitHub {
owner = "docker";
repo = "runc";
rev = "2f7393a47307a16f8cee44a37b262e8b81021e3e";
sha256 = "1s5nfnbinzmcnm8avhvsniz0ihxyva4w5qz1hzzyqdyr0w2scnbj";
rev = "9df8b306d01f59d3a8029be411de015b7304dd8f";
sha256 = "1yvrk1w2409b90gk55k72z7l3jlkj682x4h3b7004mkl9bhscqd9";
};
# docker/runc already include these patches / are not applicable
patches = [];
@ -37,8 +37,8 @@ stdenv.mkDerivation rec {
src = fetchFromGitHub {
owner = "docker";
repo = "containerd";
rev = "03e5862ec0d8d3b3f750e19fca3ee367e13c090e";
sha256 = "184sd9dwkcba3zhxnz9grw8p81x05977p36cif2dgkhjdhv12map";
rev = "aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1";
sha256 = "0vidbsgyn77m98kisrqnbykva0zmk1ljprgqhbfp5lw16ac6qj8c";
};
});
docker-tini = tini.overrideAttrs (oldAttrs: rec {


@ -96,7 +96,7 @@ index 95dc9a7..39170bc 100644
/* get the path to the executable */
char szPath[RTPATH_MAX];
- RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
+ RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers");
+ RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers/bin");
size_t cchBufLeft = strlen(szPath);
szPath[cchBufLeft++] = RTPATH_DELIMITER;
szPath[cchBufLeft] = 0;
@ -154,7 +154,7 @@ index be2ad8f..7ddf105 100644
+RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
+{
+ return RTStrCopy(pszPath, cchPath, "/var/setuid-wrappers");
+ return RTStrCopy(pszPath, cchPath, "/run/wrappers/bin");
+}
+
+
@ -174,7 +174,7 @@ index 7bde6af..2656cae 100644
+ * will cut off everything after the rightmost / as this function is analogous
+ * to RTProcGetExecutablePath().
+ */
+#define SUIDDIR "/var/setuid-wrappers/"
+#define SUIDDIR "/run/wrappers/bin/"
+
+RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
+{


@ -51,7 +51,7 @@ let
export PS1='${name}-chrootenv:\u@\h:\w\$ '
export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin'
export PATH='/run/wrappers/bin:/usr/bin:/usr/sbin'
export PKG_CONFIG_PATH=/usr/lib/pkgconfig
# Force compilers to look in default search paths


@ -42,13 +42,13 @@ stdenv.mkDerivation rec {
# this is a hack and without this cpufreq module is not working. does the following:
# 1. moves the "freqset" binary to "e_freqset",
# 2. linkes "e_freqset" to enlightenment/bin so that,
# 3. setuidPrograms detects it and makes appropriate stuff to /var/setuid-wrappers/e_freqset,
# 4. and finaly, linkes /var/setuid-wrappers/e_freqset to original destination where enlightenment wants it
# 3. wrappers.setuid detects it and places wrappers in /run/wrappers/bin/e_freqset,
# 4. and finally, links /run/wrappers/bin/e_freqset to original destination where enlightenment wants it
postInstall = ''
export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`;
mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset
ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset
ln -sv /var/setuid-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
ln -sv /run/wrappers/bin/e_freqset $CPUFREQ_DIRPATH/freqset
'';
meta = with stdenv.lib; {


@ -9,6 +9,8 @@ let
in stdenv.mkDerivation {
name = "mozart-binary-${version}";
preferLocalBuild = true;
src = fetchurl {
url = "mirror://sourceforge/project/mozart-oz/v${version}-alpha.0/mozart2-${version}-alpha.0+build.4105.5c06ced-x86_64-linux.tar.gz";
sha256 = "0rsfrjimjxqbwprpzzlmydl3z3aiwg5qkb052jixdxjyad7gyh5z";


@ -752,11 +752,7 @@ self: super: {
servant-server = dontCheck super.servant-server;
# Fix build for latest versions of servant and servant-client.
servant_0_10 = super.servant_0_10.overrideScope (self: super: {
http-api-data = self.http-api-data_0_3_5;
});
servant-client_0_10 = super.servant-client_0_10.overrideScope (self: super: {
http-api-data = self.http-api-data_0_3_5;
servant-server = self.servant-server_0_10;
servant = self.servant_0_10;
});
@ -857,4 +853,10 @@ self: super: {
# https://github.com/ekmett/lens/issues/713
lens = disableCabalFlag super.lens "test-doctests";
# https://github.com/haskell/fgl/issues/60
fgl = doJailbreak super.fgl;
fgl-arbitrary = doJailbreak super.fgl-arbitrary;
# https://github.com/Gabriel439/Haskell-DirStream-Library/issues/8
dirstream = doJailbreak super.dirstream;
}


@ -60,12 +60,6 @@ self: super: {
sha256 = "026vv2k3ks73jngwifszv8l59clg88pcdr4mz0wr0gamivkfa1zy";
});
# https://github.com/christian-marie/xxhash/issues/3
xxhash = doJailbreak super.xxhash;
# https://github.com/Deewiant/glob/issues/8
Glob = doJailbreak super.Glob;
## GHC 8.0.2
# http://hub.darcs.net/dolio/vector-algorithms/issue/9#comment-20170112T145715


@ -1,31 +1,33 @@
diff --git a/src/XMonad/Core.hs b/src/XMonad/Core.hs
index 138d735..65b5a84 100644
--- a/src/XMonad/Core.hs
+++ b/src/XMonad/Core.hs
@@ -48,6 +48,7 @@ import System.Posix.Types (ProcessID)
@@ -51,6 +51,7 @@ import System.Posix.Types (ProcessID)
import System.Process
import System.Directory
import System.Exit
+import System.Environment (lookupEnv)
import Graphics.X11.Xlib
import Graphics.X11.Xlib.Extras (Event)
import Graphics.X11.Xlib.Extras (getWindowAttributes, WindowAttributes, Event)
import Data.Typeable
@@ -463,6 +464,7 @@ recompile force = io $ do
err = base ++ ".errors"
src = base ++ ".hs"
lib = dir </> "lib"
@@ -571,6 +572,7 @@ recompile force = io $ do
lib = cfgdir </> "lib"
buildscript = cfgdir </> "build"
+ ghc <- fromMaybe "ghc" <$> liftIO (lookupEnv "NIX_GHC")
libTs <- mapM getModTime . Prelude.filter isSource =<< allFiles lib
srcT <- getModTime src
binT <- getModTime bin
@@ -471,7 +473,7 @@ recompile force = io $ do
-- temporarily disable SIGCHLD ignoring:
uninstallSignalHandlers
status <- bracket (openFile err WriteMode) hClose $ \h ->
- waitForProcess =<< runProcess "ghc" ["--make", "xmonad.hs", "-i", "-ilib", "-fforce-recomp", "-main-is", "main", "-v0", "-o",binn] (Just dir)
+ waitForProcess =<< runProcess ghc ["--make", "xmonad.hs", "-i", "-ilib", "-fforce-recomp", "-main-is", "main", "-v0", "-o",binn] (Just dir)
Nothing Nothing Nothing (Just h)
@@ -586,7 +588,7 @@ recompile force = io $ do
status <- bracket (openFile err WriteMode) hClose $ \errHandle ->
waitForProcess =<< if useBuildscript
then compileScript bin cfgdir buildscript errHandle
- else compileGHC bin cfgdir errHandle
+ else compileGHC ghc bin cfgdir errHandle
-- re-enable SIGCHLD:
@@ -480,6 +482,7 @@ recompile force = io $ do
installSignalHandlers
@@ -594,6 +596,7 @@ recompile force = io $ do
-- now, if it fails, run xmessage to let the user know:
when (status /= ExitSuccess) $ do
ghcErr <- readFile err
@ -33,12 +35,39 @@
let msg = unlines $
["Error detected while loading xmonad configuration file: " ++ src]
++ lines (if null ghcErr then show status else ghcErr)
@@ -487,7 +490,7 @@ recompile force = io $ do
@@ -601,7 +604,7 @@ recompile force = io $ do
-- nb, the ordering of printing, then forking, is crucial due to
-- lazy evaluation
hPutStrLn stderr msg
- forkProcess $ executeFile "xmessage" True ["-default", "okay", msg] Nothing
+ forkProcess $ executeFile xmessage True ["-default", "okay", msg] Nothing
- forkProcess $ executeFile "xmessage" True ["-default", "okay", replaceUnicode msg] Nothing
+ forkProcess $ executeFile xmessage True ["-default", "okay", replaceUnicode msg] Nothing
return ()
return (status == ExitSuccess)
else return True
@@ -619,16 +622,16 @@ recompile force = io $ do
'\8216' -> '`' --
'\8217' -> '`' --
_ -> c
- compileGHC bin dir errHandle =
- runProcess "ghc" ["--make"
- , "xmonad.hs"
- , "-i"
- , "-ilib"
- , "-fforce-recomp"
- , "-main-is", "main"
- , "-v0"
- , "-o", bin
- ] (Just dir) Nothing Nothing Nothing (Just errHandle)
+ compileGHC ghc bin dir errHandle =
+ runProcess ghc ["--make"
+ , "xmonad.hs"
+ , "-i"
+ , "-ilib"
+ , "-fforce-recomp"
+ , "-main-is", "main"
+ , "-v0"
+ , "-o", bin
+ ] (Just dir) Nothing Nothing Nothing (Just errHandle)
compileScript bin dir script errHandle =
runProcess script [bin] (Just dir) Nothing Nothing Nothing (Just errHandle)


@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c
#include <unistd.h>
-#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
+#define EXECUTE "/var/setuid-wrappers/start_kdeinit"
+#define EXECUTE "/run/wrappers/bin/start_kdeinit"
#if KDEINIT_OOM_PROTECT


@ -57,8 +57,8 @@ stdenv.mkDerivation rec {
# Fix some binary paths
sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c
sed -i -e 's|/usr/bin/sudo|/var/setuid-wrappers/sudo|g' libgksu/libgksu.c
sed -i -e 's|/bin/su\([^d]\)|/var/setuid-wrappers/su\1|g' libgksu/libgksu.c
sed -i -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|g' libgksu/libgksu.c
sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/bin/su\1|g' libgksu/libgksu.c
touch NEWS README
'';


@ -25,6 +25,12 @@ in stdenv.mkDerivation rec {
moveToOutput bin "$bin"
moveToOutput "lib/*.a" REMOVE # until someone needs it
''
# fix bogus library name
+ stdenv.lib.optionalString stdenv.isDarwin ''
mv "$out"/lib/liblmdb.{so,dylib}
''
# add lmdb.pc (dynamic only)
+ ''
mkdir -p "$dev/lib/pkgconfig"


@ -5,7 +5,7 @@
let
system = "/var/run/current-system/sw";
setuid = "/var/setuid-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
setuid = "/run/wrappers/bin"; #TODO: from <nixos> config.security.wrapperDir;
foolVars = {
SYSCONF = "/etc";


@ -1,9 +1,9 @@
{ stdenv, fetchFromGitHub, buildFHSUserEnv, writeScript, jdk, zip, unzip,
{ stdenv, fetchurl, buildFHSUserEnv, writeScript, jdk, zip, unzip,
which, makeWrapper, binutils }:
let
version = "0.3.2";
version = "0.4.4";
meta = with stdenv.lib; {
homepage = http://github.com/bazelbuild/bazel/;
@ -22,14 +22,16 @@ let
};
bazelBinary = stdenv.mkDerivation rec {
name = "bazel-${version}";
src = fetchFromGitHub {
owner = "bazelbuild";
repo = "bazel";
rev = version;
sha256 = "085cjz0qhm4a12jmhkjd9w3ic4a67035j01q111h387iklvgn6xg";
src = fetchurl {
url = "https://github.com/bazelbuild/bazel/releases/download/${version}/bazel-${version}-dist.zip";
sha256 = "1fwfahkqi680zyxmdriqj603lpacyh6cg6ff25bn9bkilbfj2anm";
};
sourceRoot = ".";
patches = [ ./java_stub_template.patch ];
packagesNotFromEnv = [


@ -1,30 +0,0 @@
{ stdenv, fetchurl, unzip, conf ? null }:
with stdenv.lib;
stdenv.mkDerivation rec {
name = "grafana-${version}";
version = "1.9.1";
src = fetchurl {
url = "http://grafanarel.s3.amazonaws.com/${name}.zip";
sha256 = "1zyzsbspxrzaf2kk6fysp6c3y025s6nd75rc2p9qq9q95dv8fj23";
};
buildInputs = [ unzip ];
phases = ["unpackPhase" "installPhase"];
installPhase = ''
mkdir -p $out && cp -R * $out
${optionalString (conf!=null) ''cp ${conf} $out/config.js''}
'';
meta = {
description = "A Graphite & InfluxDB Dashboard and Graph Editor";
homepage = http://grafana.org/;
license = licenses.asl20;
maintainers = [ maintainers.offline ];
platforms = stdenv.lib.platforms.unix;
};
}


@ -1,30 +1,33 @@
{ stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, libusb1 }:
{ stdenv, fetchurl, cmake, libusb1 }:
# IMPORTANT: You need permissions to access the stlink usb devices. Here are
# example udev rules for stlink v1 and v2 so you don't need to have root
# permissions (copied from <stlink>/49-stlink*.rules):
#
# SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3744", MODE:="0666", SYMLINK+="stlinkv1_%n"
# SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", MODE:="0666", SYMLINK+="stlinkv2_%n"
# IMPORTANT: You need permissions to access the stlink usb devices.
# Add services.udev.pkgs = [ pkgs.stlink ] to your configuration.nix
let
version = "1.1.0";
version = "1.3.0";
in
stdenv.mkDerivation {
name = "stlink-${version}";
src = fetchurl {
url = "https://github.com/texane/stlink/archive/${version}.tar.gz";
sha256 = "0b38a32ids9dpnz5h892l279fz8y1zzqk1qsnyhl1nm03p7xzi1s";
sha256 = "3e8cba21744d2c38a0557f6835a05189e1b98202931bb0183d22efc462c893dd";
};
buildInputs = [ autoconf automake libtool pkgconfig libusb1 ];
preConfigure = "./autogen.sh";
buildInputs = [ cmake libusb1 ];
patchPhase = ''
sed -i 's@/etc/udev/rules.d@$ENV{out}/etc/udev/rules.d@' CMakeLists.txt
sed -i 's@/etc/modprobe.d@$ENV{out}/etc/modprobe.d@' CMakeLists.txt
'';
preInstall = ''
mkdir -p $out/etc/udev/rules.d
mkdir -p $out/etc/modprobe.d
'';
meta = with stdenv.lib; {
description = "In-circuit debug and programming for ST-Link devices";
license = licenses.bsd3;
platforms = platforms.linux;
maintainers = [ maintainers.bjornfor ];
maintainers = [ maintainers.bjornfor maintainers.rongcuid ];
};
}
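Review bot: The new header comment tells users to add `services.udev.pkgs = [ pkgs.stlink ]` but no longer says what access the installed rules grant; the rules quoted in the removed comment used `MODE:="0666"`, which gives every local user read/write access to the debug probe. If the rules shipped with 1.3.0 still do that (their content is not visible here), the comment should say so, for example `# Note: the bundled udev rules make ST-Link device nodes accessible to all local users.` Separately, `cmake` is a build-time tool and would fit `nativeBuildInputs` rather than `buildInputs`.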


@ -2,30 +2,19 @@ diff --git a/cpp/ycm/CMakeLists.txt b/cpp/ycm/CMakeLists.txt
index 2074c58e..9ecd6e57 100644
--- a/cpp/ycm/CMakeLists.txt
+++ b/cpp/ycm/CMakeLists.txt
@@ -366,35 +366,6 @@ if( LIBCLANG_TARGET )
POST_BUILD
@@ -335,7 +335,7 @@
COMMAND ${CMAKE_COMMAND} -E copy "${LIBCLANG_TARGET}" "$<TARGET_FILE_DIR:${PROJECT_NAME}>"
)
-
- if( APPLE )
- # In OS X El Capitan, Apple introduced System Integrity Protection.
- # Amongst other things, this introduces features to the dynamic loader
- # (dyld) which cause it to "sanitise" (and complain about) embedded
- # LC_RPATH entries which contain @executable_path when then are loaded
- # into "restricted" binaries. For our purposes, "restricted" here means
- # "supplied by Apple" and includes the system versions of python. For
- # unknown reasons, the libclang.dylib that comes from llvm.org includes an
- # LC_RPATH entry '@executable_path/../lib' which causes the OS X dynamic
- # loader to print a cryptic warning to stderr of the form:
- #
- # dyld: warning, LC_RPATH @executable_path/../lib in
- # /path/to/ycmd/libclang.dylib being ignored in restricted program
- # because of @executable_path
- #
- # In order to prevent this harmless and annoying message appearing, we
- # simply strip the rpath entry from the dylib. There's no way any
- # @executable_path that python might have could be in any way useful to
- # libclang.dylib, so this seems perfectly safe.
+ #if( APPLE )
# In OS X El Capitan, Apple introduced System Integrity Protection.
# Amongst other things, this introduces features to the dynamic loader
# (dyld) which cause it to "sanitise" (and complain about) embedded
@@ -354,15 +354,15 @@
# simply strip the rpath entry from the dylib. There's no way any
# @executable_path that python might have could be in any way useful to
# libclang.dylib, so this seems perfectly safe.
- get_filename_component( LIBCLANG_TAIL ${LIBCLANG_TARGET} NAME )
- add_custom_command( TARGET ${PROJECT_NAME}
- POST_BUILD
@ -35,6 +24,14 @@ index 2074c58e..9ecd6e57 100644
- "$<TARGET_FILE_DIR:${PROJECT_NAME}>/${LIBCLANG_TAIL}"
- )
- endif()
+ # get_filename_component( LIBCLANG_TAIL ${LIBCLANG_TARGET} NAME )
+ #add_custom_command( TARGET ${PROJECT_NAME}
+ # POST_BUILD
+ # COMMAND install_name_tool
+ # "-delete_rpath"
+ # "@executable_path/../lib"
+ # "$<TARGET_FILE_DIR:${PROJECT_NAME}>/${LIBCLANG_TAIL}"
+ # )
+ # endif()
endif()
endif()


@ -0,0 +1,26 @@
{ stdenv, fetchFromGitHub, cmake, zlib, boost162, libunwind,
elfutils, qt5, kde5, sparsehash }:
stdenv.mkDerivation rec {
name = "heaptrack-${version}";
version = "2017-02-14";
src = fetchFromGitHub {
owner = "KDE";
repo = "heaptrack";
rev = "2469003b3172874e1df7e1f81c56e469b80febdb";
sha256 = "0dqchd2r4khv9gzj4n0qjii2nqygkj5jclkji8jbvivx5qwsqznc";
};
buildInputs = [ cmake zlib boost162 libunwind elfutils sparsehash
qt5.ecm qt5.qtbase kde5.kio kde5.kitemmodels
kde5.threadweaver kde5.kconfigwidgets kde5.kcoreaddons ];
meta = with stdenv.lib; {
description = "Heap memory profiler for Linux";
homepage = https://github.com/KDE/heaptrack;
license = licenses.lgpl21Plus;
maintainers = with maintainers; [ gebner ];
platforms = platforms.linux;
};
}


@ -94,7 +94,7 @@ in stdenv.mkDerivation rec {
unitydir="$out/opt/Unity/Editor"
mkdir -p $unitydir
mv Editor/* $unitydir
ln -sf /var/setuid-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
ln -sf /run/wrappers/bin/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
mkdir -p $out/share/applications
sed "/^Exec=/c\Exec=$out/bin/unity-editor" \


@ -0,0 +1,24 @@
{ stdenv, fetchurl }:
stdenv.mkDerivation rec {
name = "amoeba-data-${version}";
version = "1.1";
src = fetchurl {
url = "http://http.debian.net/debian/pool/non-free/a/amoeba-data/amoeba-data_${version}.orig.tar.gz";
sha256 = "1bgclr1v63n14bj9nwzm5zxg48nm0cla9bq1rbd5ylxra18k0jbg";
};
installPhase = ''
mkdir -p $out/share/amoeba
cp demo.dat $out/share/amoeba/
'';
meta = with stdenv.lib; {
description = "Fast-paced, polished OpenGL demonstration by Excess (data files)";
homepage = https://packages.qa.debian.org/a/amoeba-data.html;
license = licenses.unfree;
maintainers = [ maintainers.dezgeg ];
platforms = platforms.all;
};
}


@ -0,0 +1,45 @@
{ stdenv, fetchurl, amoeba-data, alsaLib, expat, freetype, gtk2, libvorbis, mesa_glu, pkgconfig }:
stdenv.mkDerivation rec {
name = "amoeba-${version}-${debver}";
version = "1.1";
debver = "29.1";
srcs = [
(fetchurl {
url = "http://http.debian.net/debian/pool/contrib/a/amoeba/amoeba_${version}.orig.tar.gz";
sha256 = "1hyycw4r36ryka2gab9vzkgs8gq4gqhk08vn29cwak95w0rahgim";
})
(fetchurl {
url = "http://http.debian.net/debian/pool/contrib/a/amoeba/amoeba_${version}-${debver}.debian.tar.xz";
sha256 = "1xgi2sqzq97w6hd3dcyq6cka8xmp6nr25qymzhk52cwqh7qb75p3";
})
];
sourceRoot = "amoeba-1.1.orig";
prePatch = ''
patches="${./include-string-h.patch} $(echo ../debian/patches/*.diff)"
'';
postPatch = ''
sed -i packer/pakfile.cpp -e 's|/usr/share/amoeba|${amoeba-data}/share/amoeba|'
sed -i main/linux-config/linux-config.cpp -e 's|libgdk-x11-2.0.so.0|${gtk2}/lib/&|'
sed -i main/linux-config/linux-config.cpp -e 's|libgtk-x11-2.0.so.0|${gtk2}/lib/&|'
'';
nativeBuildInputs = [ pkgconfig ];
buildInputs = [ alsaLib expat freetype gtk2 libvorbis mesa_glu ];
installPhase = ''
mkdir -p $out/bin $out/share/man/man1/
cp amoeba $out/bin/
cp ../debian/amoeba.1 $out/share/man/man1/
'';
meta = with stdenv.lib; {
description = "Fast-paced, polished OpenGL demonstration by Excess";
homepage = https://packages.qa.debian.org/a/amoeba.html;
license = licenses.gpl2; # Engine is GPLv2, data files in amoeba-data nonfree
maintainers = [ maintainers.dezgeg ];
platforms = platforms.linux;
};
}
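Review bot: `sourceRoot = "amoeba-1.1.orig";` repeats the version literal although the derivation is `rec` and interpolates `${version}` in both URLs, so a version bump would leave it stale; `sourceRoot = "amoeba-${version}.orig";` keeps them in step. In `prePatch`, `$(echo ../debian/patches/*.diff)` applies whatever patches the Debian tarball contains, so a comment such as `# Debian patch set is fixed by the sha256 of the debian.tar.xz above` would make clear that the set is pinned rather than open-ended.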


@ -0,0 +1,12 @@
diff --git a/image/png_image.cpp b/image/png_image.cpp
index 37875fc..1531d6f 100644
--- a/image/png_image.cpp
+++ b/image/png_image.cpp
@@ -4,6 +4,7 @@
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
#include <png.h>
#include "png_image.h"


@ -20,6 +20,11 @@ in pythonPackages.buildPythonApplication rec {
substituteInPlace setup.py --replace /usr $out
find . -type f -exec grep -H sys.exec_prefix {} ';' | cut -d: -f1 | xargs sed -i s,sys.exec_prefix,\"$out\",
'';
postInstall = ''
mkdir -p $out/share
mv $out/lib/python2.7/site-packages/$out/share/locale $out/share
rm -r $out/lib/python2.7/site-packages/nix
'';
meta = {
homepage = http://mnemosyne-proj.org/;
description = "Spaced-repetition software";
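Review bot: The added `postInstall` hard-codes `python2.7` in both paths and removes `site-packages/nix`, which assumes the store prefix is `/nix`; either assumption breaking makes `mv` or `rm -r` fail or act on the wrong directory. Taking the directory from the interpreter, e.g. `mv "$out/${pythonPackages.python.sitePackages}/$out/share/locale" "$out/share"`, removes the first assumption, and a comment explaining that the nested `$out` tree comes from the `sys.exec_prefix` substitution above would explain the second. The paths are also unquoted. The attribute set this belongs to starts before the hunk.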


@ -0,0 +1,21 @@
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -25,6 +25,8 @@
# Packagers (or people using make install) have to set this variable to an absolute path.
wl_set_if_unset(WL_INSTALL_DATADIR "./data")
+wl_set_if_unset(WL_INSTALL_BINARY "./bin")
+
if("${CMAKE_CXX_COMPILER_ID}" STREQUAL "GNU")
if (CMAKE_CXX_COMPILER_VERSION VERSION_LESS 4.7)
message(FATAL_ERROR "Widelands needs GCC >= 4.7 to compile.")
--- a/cmake/WlFunctions.cmake
+++ b/cmake/WlFunctions.cmake
@@ -276,5 +276,5 @@
#Quoting the CMake documentation on DESTINATION:
#"If a relative path is given it is interpreted relative to the value of CMAKE_INSTALL_PREFIX"
- install(TARGETS ${NAME} DESTINATION "." COMPONENT ExecutableFiles)
+ install(TARGETS ${NAME} DESTINATION ${WL_INSTALL_BINARY} COMPONENT ExecutableFiles)
endfunction()


@ -1,10 +1,11 @@
{ stdenv, fetchurl, cmake, python, gettext
, boost, libpng, zlib, glew, lua
, SDL, SDL_image, SDL_mixer, SDL_net, SDL_ttf, SDL_gfx
, boost, libpng, zlib, glew, lua, doxygen, icu
, SDL2, SDL2_image, SDL2_mixer, SDL2_net, SDL2_ttf, SDL2_gfx
}:
stdenv.mkDerivation {
name = "widelands-18";
stdenv.mkDerivation rec {
name = "widelands-${version}";
version = "19";
meta = with stdenv.lib; {
description = "RTS with multiple-goods economy";
@ -20,27 +21,39 @@ stdenv.mkDerivation {
hydraPlatforms = [];
};
patches = [
./bincmake.patch
];
src = fetchurl {
url = "https://launchpad.net/widelands/build18/build-18/+download/"
+ "widelands-build18-src.tar.bz2";
sha256 = "1qvx1cwkf61iwq0qkngvg460dsxqsfvk36qc7jf7mzwkiwbxkzvd";
url = "https://launchpad.net/widelands/build${version}/build${version}/+download/"
+ "widelands-build${version}-src.tar.bz2";
sha256 = "19h1gina7k1ai2mn2fd75lxm8iz8wrs6dz6dchdvg8i8d39gj4g5";
};
preConfigure = ''
cmakeFlags="
-DWL_INSTALL_PREFIX=$out
-DWL_INSTALL_BINDIR=bin
-DWL_INSTALL_DATADIR=share/widelands
-DWL_INSTALL_BASEDIR=$out
-DWL_INSTALL_DATADIR=$out/share/widelands
-DWL_INSTALL_BINARY=$out/bin
"
'';
nativeBuildInputs = [ cmake python gettext ];
buildInputs = [
boost libpng zlib glew lua
SDL SDL_image SDL_mixer SDL_net SDL_ttf SDL_gfx
boost libpng zlib glew lua doxygen icu
SDL2 SDL2_image SDL2_mixer SDL2_net SDL2_ttf
];
prePatch = ''
substituteInPlace ./debian/widelands.desktop --replace "/usr/share/games/widelands/data/" "$out/share/widelands/"
'';
postInstall = ''
mkdir -p "$out/share/applications/"
cp -v "../debian/widelands.desktop" "$out/share/applications/"
'';
enableParallelBuilding = true;
}
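Review bot: `SDL2_gfx` is added to the function arguments but is missing from the new `buildInputs` list (`SDL2 SDL2_image SDL2_mixer SDL2_net SDL2_ttf`), so either a dependency was dropped by accident or the argument is unused and should be removed. `doxygen` is a build-time tool and would fit `nativeBuildInputs` next to `cmake python gettext`. The `prePatch` edits `./debian/widelands.desktop` while `postInstall` copies `../debian/widelands.desktop`; a comment that the latter runs from the build directory would explain the differing relative paths.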


@ -3,6 +3,7 @@
, which, fetchgit, llvmPackages
, xkb_switch, rustracerd, fzf
, python3, boost, icu
, ycmd
, Cocoa ? null
}:
@ -1451,32 +1452,13 @@ rec {
sha256 = "12xz019jrvr6wgjbp0w052awpmhwbpkwy6j7v0f0ldx242rv9sr8";
};
dependencies = [];
buildInputs = [
python go cmake
] ++ stdenv.lib.optional stdenv.isDarwin Cocoa;
propagatedBuildInputs = stdenv.lib.optional (!stdenv.isDarwin) rustracerd;
patches = [
./patches/youcompleteme/2-ycm-cmake.patch
];
# YCM requires path to external libclang 3.9
# For explicit use and as env variable for ../third_party/ycmd/build.py
EXTRA_CMAKE_ARGS="-DEXTERNAL_LIBCLANG_PATH=${llvmPackages.clang.cc}/lib/libclang.${if stdenv.isDarwin then "dylib" else "so"}";
buildPhase = ''
patchShebangs .
substituteInPlace plugin/youcompleteme.vim \
--replace "'ycm_path_to_python_interpreter', '''" "'ycm_path_to_python_interpreter', '${python}/bin/python'"
--replace "'ycm_path_to_python_interpreter', '''" \
"'ycm_path_to_python_interpreter', '${python}/bin/python'"
mkdir build
pushd build
cmake -G "Unix Makefiles" . ../third_party/ycmd/cpp -DPYTHON_LIBRARIES:PATH=${python}/lib/libpython2.7.so -DPYTHON_INCLUDE_DIR:PATH=${python}/include/python2.7 -DUSE_CLANG_COMPLETER=ON \
$EXTRA_CMAKE_ARGS
make ycm_core -j''${NIX_BUILD_CORES} -l''${NIX_BUILD_CORES}}
${python}/bin/python ../third_party/ycmd/build.py --gocode-completer --clang-completer
popd
rm -r third_party/ycmd
ln -s ${ycmd}/lib/ycmd third_party
'';
meta = {
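Review bot: The `buildPhase` now removes the vendored `third_party/ycmd` and symlinks `${ycmd}/lib/ycmd` in its place, but nothing in the hunk records why or what has to stay in sync with the `ycmd` package. A comment above `rm -r third_party/ycmd`, such as `# use the separately packaged ycmd instead of building the vendored copy`, would make that clear. The plugin is still pointed at `${python}/bin/python`; if `ycmd` is built against a different interpreter, the compiled core may not load, which cannot be checked from this hunk. The same lines appear in the following file section (`@ -1,29 +1,10 @`), and the derivation starts before this hunk and continues past `meta = {`.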


@ -1,36 +0,0 @@
--- ./third_party/ycmd/cpp/ycm/CMakeLists.txt
+++ ./third_party/ycmd/cpp/ycm/CMakeLists.txt
@@ -335,7 +335,7 @@
COMMAND ${CMAKE_COMMAND} -E copy "${LIBCLANG_TARGET}" "$<TARGET_FILE_DIR:${PROJECT_NAME}>"
)
- if( APPLE )
+ #if( APPLE )
# In OS X El Capitan, Apple introduced System Integrity Protection.
# Amongst other things, this introduces features to the dynamic loader
# (dyld) which cause it to "sanitise" (and complain about) embedded
@@ -354,15 +354,15 @@
# simply strip the rpath entry from the dylib. There's no way any
# @executable_path that python might have could be in any way useful to
# libclang.dylib, so this seems perfectly safe.
- get_filename_component( LIBCLANG_TAIL ${LIBCLANG_TARGET} NAME )
- add_custom_command( TARGET ${PROJECT_NAME}
- POST_BUILD
- COMMAND install_name_tool
- "-delete_rpath"
- "@executable_path/../lib"
- "$<TARGET_FILE_DIR:${PROJECT_NAME}>/${LIBCLANG_TAIL}"
- )
- endif()
+ # get_filename_component( LIBCLANG_TAIL ${LIBCLANG_TARGET} NAME )
+ #add_custom_command( TARGET ${PROJECT_NAME}
+ # POST_BUILD
+ # COMMAND install_name_tool
+ # "-delete_rpath"
+ # "@executable_path/../lib"
+ # "$<TARGET_FILE_DIR:${PROJECT_NAME}>/${LIBCLANG_TAIL}"
+ # )
+ # endif()
endif()
endif()


@ -1,29 +1,10 @@
buildInputs = [
python go cmake
] ++ stdenv.lib.optional stdenv.isDarwin Cocoa;
propagatedBuildInputs = stdenv.lib.optional (!stdenv.isDarwin) rustracerd;
patches = [
./patches/youcompleteme/2-ycm-cmake.patch
];
# YCM requires path to external libclang 3.9
# For explicit use and as env variable for ../third_party/ycmd/build.py
EXTRA_CMAKE_ARGS="-DEXTERNAL_LIBCLANG_PATH=${llvmPackages.clang.cc}/lib/libclang.${if stdenv.isDarwin then "dylib" else "so"}";
buildPhase = ''
patchShebangs .
substituteInPlace plugin/youcompleteme.vim \
--replace "'ycm_path_to_python_interpreter', '''" "'ycm_path_to_python_interpreter', '${python}/bin/python'"
--replace "'ycm_path_to_python_interpreter', '''" \
"'ycm_path_to_python_interpreter', '${python}/bin/python'"
mkdir build
pushd build
cmake -G "Unix Makefiles" . ../third_party/ycmd/cpp -DPYTHON_LIBRARIES:PATH=${python}/lib/libpython2.7.so -DPYTHON_INCLUDE_DIR:PATH=${python}/include/python2.7 -DUSE_CLANG_COMPLETER=ON \
$EXTRA_CMAKE_ARGS
make ycm_core -j''${NIX_BUILD_CORES} -l''${NIX_BUILD_CORES}}
${python}/bin/python ../third_party/ycmd/build.py --gocode-completer --clang-completer
popd
rm -r third_party/ycmd
ln -s ${ycmd}/lib/ycmd third_party
'';
meta = {


@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
# Ensure that FUSE calls the setuid wrapper, not
# $out/bin/fusermount. It falls back to calling fusermount in
# $PATH, so it should also work on non-NixOS systems.
export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/setuid-wrappers\""
export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""
sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
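Review bot: The literal `/run/wrappers/bin` in `NIX_CFLAGS_COMPILE` duplicates the setuid wrapper directory that the NixOS module defines, and nothing in the expression ties the two together. The comment above says FUSE falls back to `fusermount` from `$PATH`, so if the paths drift the build still succeeds and a different helper is resolved at run time. A comment on that line, such as `# keep in sync with security.wrapperDir`, would make the coupling visible. The enclosing phase starts and ends outside the hunk.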
