push sheeet
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s

This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions


@@ -0,0 +1,120 @@
{
lib,
stdenv,
fetchurl,
lvm2,
json_c,
asciidoctor,
openssl,
libuuid,
pkg-config,
popt,
nixosTests,
libargon2,
withInternalArgon2 ? false,
# Programs enabled by default upstream are implicitly enabled unless
# manually set to false.
programs ? { },
# The release tarballs contain precomputed manpage files, so we don't need
# to run asciidoctor on the man sources. By avoiding asciidoctor, we make
# the bare NixOS build hash independent of changes to the ruby ecosystem,
# saving mass-rebuilds.
rebuildMan ? false,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "cryptsetup";
version = "2.8.1";
outputs = [
"bin"
"out"
"dev"
"man"
];
separateDebugInfo = true;
src = fetchurl {
url =
"mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/"
+ "cryptsetup-${finalAttrs.version}.tar.xz";
hash = "sha256-LDN563ZZfcq1CRFEmwE+JpfEv/zHFtu/DZsOj7u0b7Q=";
};
patches = [
# Allow reading tokens from a relative path, see #167994
./relative-token-path.patch
];
postPatch = ''
patchShebangs tests
# O_DIRECT is filesystem dependent and fails in a sandbox (on tmpfs)
# and on several filesystem types (btrfs, zfs) without sandboxing.
# Remove it, see discussion in #46151
substituteInPlace tests/unit-utils-io.c --replace "| O_DIRECT" ""
'';
NIX_LDFLAGS = lib.optionalString (stdenv.cc.isGNU && !stdenv.hostPlatform.isStatic) "-lgcc_s";
configureFlags = [
"--with-crypto_backend=openssl"
"--disable-ssh-token"
"--with-tmpfilesdir=${placeholder "out"}/lib/tmpfiles.d"
]
++ lib.optionals (!rebuildMan) [
"--disable-asciidoc"
]
++ lib.optionals (!withInternalArgon2) [
"--enable-libargon2"
]
++ lib.optionals stdenv.hostPlatform.isStatic [
"--disable-external-tokens"
# We have to override this even though we're removing token
# support, because the path still gets included in the binary even
# though it isn't used.
"--with-luks2-external-tokens-path=/"
]
++ (lib.mapAttrsToList (lib.flip lib.enableFeature)) programs;
nativeBuildInputs = [ pkg-config ] ++ lib.optionals rebuildMan [ asciidoctor ];
propagatedBuildInputs = [
lvm2
json_c
openssl
libuuid
popt
]
++ lib.optional (!withInternalArgon2) libargon2;
enableParallelBuilding = true;
# The test [7] header backup in compat-test fails with a mysterious
# "out of memory" error, even though tons of memory is available.
# Issue filed upstream: https://gitlab.com/cryptsetup/cryptsetup/-/issues/763
doCheck = !stdenv.hostPlatform.isMusl;
passthru = {
tests = {
nixos = lib.optionalAttrs stdenv.hostPlatform.isLinux (
lib.recurseIntoAttrs (
lib.filterAttrs (name: _value: lib.hasPrefix "luks" name) nixosTests.installer
)
);
};
};
meta = {
homepage = "https://gitlab.com/cryptsetup/cryptsetup/";
description = "LUKS for dm-crypt";
changelog = "https://gitlab.com/cryptsetup/cryptsetup/-/raw/v${finalAttrs.version}/docs/v${finalAttrs.version}-ReleaseNotes";
license = lib.licenses.gpl2Plus;
mainProgram = "cryptsetup";
maintainers = with lib.maintainers; [
numinit
raitobezarius
];
platforms = with lib.platforms; linux;
};
})
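Review bot: the `substituteInPlace tests/unit-utils-io.c --replace "| O_DIRECT" ""` call in postPatch uses the deprecated `--replace` flag, which succeeds silently when the pattern is not found; switch to `--replace-fail` so that a future upstream rewrite of that test file (the flag moving or being renamed) fails the build loudly instead of quietly re-enabling the O_DIRECT code path the comment says breaks in the sandbox. Two smaller points: the comment on `./relative-token-path.patch` reads only "Allow reading tokens from a relative path, see #167994", but that patch replaces cryptsetup's compile-time token directory with a dlopen search-path lookup, and since it is the only security-relevant deviation from upstream in this expression the one-line comment should say so for readers who never open the patch file. And `lib.optionalAttrs stdenv.hostPlatform.isLinux` around the NixOS tests is redundant with `platforms = with lib.platforms; linux;`; harmless, but worth dropping.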


@@ -0,0 +1,50 @@
From 4f95ab1f8110a8ab9d7b0e192731ce467f6e5c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?= <janne@hess.ooo>
Date: Sun, 4 Sep 2022 11:15:02 -0600
Subject: [PATCH] Allow loading token handlers from the default search path
Since [1] landed in cryptsetup, token handlers (libcryptsetup-token-*.so)
are loaded from a fixed path defined at compile-time. This is
problematic with NixOS since it introduces a dependency cycle
between cryptsetup and systemd.
This downstream patch [2] allows loading token plugins from the
default library search path. This approach is not accepted upstream [3]
due to security concerns, but the potential attack vectors require
root access and they are sufficiently addressed:
* cryptsetup could be used as a setuid binary (not used in NixOS).
In this case, LD_LIBRARY_PATH is ignored because of secure-execution
mode.
* cryptsetup running as root could lead to a malicious token handler
being loaded through LD_LIBRARY_PATH. However, fixing the path
doesn't prevent the same malicious .so being loaded through LD_PRELOAD.
[1] https://gitlab.com/cryptsetup/cryptsetup/-/commit/5b9e98f94178d3cd179d9f6e2a0a68c7d9eb6507
[2] https://github.com/NixOS/nixpkgs/issues/167994#issuecomment-1094249369
[3] https://gitlab.com/cryptsetup/cryptsetup/-/issues/733
---
lib/luks2/luks2_token.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c
index 26467253..6f8329f0 100644
--- a/lib/luks2/luks2_token.c
+++ b/lib/luks2/luks2_token.c
@@ -151,12 +151,10 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp
token = &ret->u.v2;
- r = snprintf(buf, sizeof(buf), "%s/libcryptsetup-token-%s.so", crypt_token_external_path(), name);
+ r = snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name);
if (r < 0 || (size_t)r >= sizeof(buf))
return -EINVAL;
- assert(*buf == '/');
-
log_dbg(cd, "Trying to load %s.", buf);
h = dlopen(buf, RTLD_LAZY);
--
2.37.2
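Review bot: with the new `snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name)` the `log_dbg(cd, "Trying to load %s.", buf);` line below it records only the bare file name, so a debug log no longer shows which directory the handler was resolved from; consider logging the resolved location after a successful `dlopen` (on glibc, `dlinfo(h, RTLD_DI_ORIGIN, ...)` returns the directory of the loaded object) so an administrator auditing a boot can confirm the token plugin came from the expected store path rather than from an LD_LIBRARY_PATH entry. The patch description also calls the new lookup "the default library search path"; for a bare name, glibc's dlopen consults LD_LIBRARY_PATH (ignored in secure-execution mode), the calling object's DT_RPATH/DT_RUNPATH, ld.so.cache and the default system directories, and naming these in the message would make its threat-model argument easier to evaluate. Finally, the `index 26467253..6f8329f0` line ties the patch to the 2022 source tree while the package builds 2.8.1; recording in the package that the patch still applies to 2.8.1 (or refreshing it against that release) would spare the next version bump a guess.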