lkrg: 0.9.5 -> 0.9.7, switch to finalAttrs #263950
surfaceflinger wants to merge 2 commits into NixOS:master from
Conversation
Result of nixpkgs-review pr 263950 run on x86_64-linux
11 packages marked as broken and skipped:
- linuxKernel.packages.linux_4_19.lkrg
- linuxKernel.packages.linux_4_19_hardened.lkrg
- linuxKernel.packages.linux_5_4.lkrg
- linuxKernel.packages.linux_5_4_hardened.lkrg
- linuxKernel.packages.linux_latest_libre.lkrg
- linuxKernel.packages.linux_zen.lkrg
- linuxPackages_4_19_hardened.lkrg
- linuxPackages_5_4_hardened.lkrg
- linuxPackages_latest-libre.lkrg
- linuxPackages_latest.lkrg
- linuxPackages_zen.lkrg
13 packages built:
- linuxKernel.packages.linux_5_10.lkrg
- linuxPackages_5_10_hardened.lkrg (linuxKernel.packages.linux_5_10_hardened.lkrg)
- linuxKernel.packages.linux_5_15.lkrg
- linuxPackages_5_15_hardened.lkrg (linuxKernel.packages.linux_5_15_hardened.lkrg)
- linuxPackages.lkrg (linuxKernel.packages.linux_6_1.lkrg)
- linuxPackages_hardened.lkrg (linuxPackages_6_1_hardened.lkrg)
- linuxKernel.packages.linux_6_5.lkrg
- linuxPackages_6_5_hardened.lkrg (linuxKernel.packages.linux_6_5_hardened.lkrg)
- linuxPackages-libre.lkrg (linuxKernel.packages.linux_libre.lkrg)
- linuxPackages_lqx.lkrg (linuxKernel.packages.linux_lqx.lkrg)
- linuxPackages_testing_bcachefs.lkrg (linuxKernel.packages.linux_testing_bcachefs.lkrg)
- linuxPackages_xanmod.lkrg (linuxKernel.packages.linux_xanmod.lkrg)
- linuxPackages_xanmod_latest.lkrg (linuxKernel.packages.linux_xanmod_latest.lkrg, linuxPackages_xanmod_stable.lkrg)
All builds pass and changes look okay, but I'm not a user of this kmod so can't comment on the module working correctly, nor do I know how to test it.
I think commit titles should use linuxPackages.lkrg though. A top-level lkrg attribute doesn't exist, so OfBorg doesn't test this. linuxPackages.lkrg should hopefully make it try to build it for the default kernel version.
btw: #232099 <- there was an open PR for the bump, but nobody merged it :(
| unsigned int pcfi_enforce = 1; | ||
| unsigned int umh_validate = 1; | ||
| -unsigned int umh_enforce = 1; | ||
| +unsigned int umh_enforce = 0; |
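Review bot: changing the compiled-in default of umh_enforce from 1 to 0 silently turns the user-mode-helper filter into log-only for every system that applies this patch, and the diff carries no comment saying so. Keep the default at 1 and set the value at runtime (the module parameter or sysctl the discussion below points to), or, if the patch stays as an explicit opt-in, document in the Nix expression why it exists and that it weakens enforcement.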
To be honest, I'm not a fan of this approach.
IMO, it should be handled either by setting the appropriate kernel parameters during boot or via sysctl config.
Patching the module seems like a last resort when nothing else would work.
hmmm, I have tried turning it off via the cmdline and, as far as I remember, it didn't work(?). I'll tinker with it further tomorrow, but yeah, I can drop this.
Got an idea and I'll try generating a patch for p_umh_global on every nix evaluation so umh actually works correctly 😎
@surfaceflinger 🤔 not sure. Then every time, somebody would need to recompile the module 🤔
Maybe we can write a nixosModule for it and use sysctl 🤔
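A NixOS module along the lines suggested above, added here as an example that is not part of this PR or of nixpkgs: it loads lkrg and sets umh_enforce at runtime through the module parameter and the sysctl, so the compiled-in default of 1 stays untouched. The option names under security.lkrg are assumed for this example; the `umh_enforce` module parameter and the `lkrg.umh_enforce` sysctl key follow LKRG's own documentation, and loading lkrg from stage 1 (as the PR author does) is not covered.

```nix
# Hypothetical NixOS module (example only, not shipped in nixpkgs).
{ config, lib, ... }:

let
  cfg = config.security.lkrg;
in
{
  options.security.lkrg = {
    enable = lib.mkEnableOption "Linux Kernel Runtime Guard (lkrg)";

    umhEnforce = lib.mkOption {
      # 0 = log-only (what the patch in this PR hard-codes),
      # 1 = enforce (LKRG's compiled-in default, see the diff above).
      type = lib.types.ints.between 0 1;
      default = 1;
      description = ''
        Value for LKRG's umh_enforce. Set to 0 to only log user-mode-helper
        violations, which is what the patch proposed in this PR does at
        compile time; this option does the same at runtime instead.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Build the out-of-tree module against the configured kernel.
    boot.extraModulePackages = [ config.boot.kernelPackages.lkrg ];
    boot.kernelModules = [ "lkrg" ];

    # Pass the value as a module parameter, so it applies from the
    # moment lkrg is loaded rather than after the sysctl service runs.
    boot.extraModprobeConfig = ''
      options lkrg umh_enforce=${toString cfg.umhEnforce}
    '';

    # Keep the sysctl in sync, so `sysctl lkrg.umh_enforce` reports the
    # same value and a later `sysctl --system` does not flip it back.
    boot.kernel.sysctl."lkrg.umh_enforce" = cfg.umhEnforce;
  };
}
```

With `security.lkrg.umhEnforce = 0;` the module stays log-only without any source patch, and a rebuild that changes the value takes effect on the next module load instead of requiring a recompile.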
@chivay, I talked to @RaitoBezarius and it seems like the umh filter will be pointless and mostly problematic with Nix.
We can theoretically patch the paths in src, but then lkrg would depend on packages like systemd-coredump.
We have 3 options left:
- Patching out umh like I did above and instead relying on Nix trusted-users + noexec for everything that isn't /nix/store
- Just bumping the version and letting others turn off umh manually (it doesn't work correctly from an end-user perspective anyway; the 1st option wins over this imo)
- We take this issue upstream.
If we're going upstream, I'm thinking about booting lkrg without umh; the list of allowed UMHs would be reported to the interface and then we could switch the umh filter on, without an option to turn it off.
This won't work with nixos-rebuild switch if some umh gets updated.
This filtering module seems to come with a lot of problems: imagine you put the Nix store paths in there and perform an upgrade of NixOS; you need to reload the new kernel module before continuing, otherwise all the new usermodehelpers will be broken.
I guess since we're going to have secure boot in nixpkgs soon, maybe reporting umhs to the module could be done in the initrd, which would be signed in a UKI.
We won't have kernel lockdown before we fix the determinism of module signatures, though.
closed in favor of the linked PR
Description of changes
Updated lkrg so it's compatible with 6.1+
Also added a patch to set umh_enforce to 0 by default (but the patch itself has to be applied explicitly). Not sure if it'll be useful, but I load lkrg in stage 1 before everything, and in this case I think it's the best way of making umh log-only.
Switched to finalAttrs instead of rec because why not.