Robert Obryk
1bdbc0b0fe
nixos/security/wrappers: stop using `.real` files
...
Before this change it was crucial that nonprivileged users are unable to
create hardlinks to SUID wrappers, lest they be able to provide a
different `.real` file alongside. That was ensured by not providing a
location writable to them in the /run/wrappers tmpfs, (unless
disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit
own-path check in the wrapper. After this change, ensuring
that property is no longer important, and the check is most likely
redundant.
The simplification of expectations of the wrapper will make it
easier to remove some of the assertions in the wrapper (which currently
cause the wrapper to fail in no_new_privs environments, instead of
executing the target with non-elevated privileges).
Note that wrappers had to be copied (not symlinked) into /run/wrappers
due to the SUID/capability bits, and they couldn't be hard/softlinks of
each other due to those bits potentially differing. Thus, this change
doesn't increase the amount of memory used by /run/wrappers.
This change removes part of the test that is obsoleted by the removal of
`.real` files.
2023-08-27 14:10:36 +02:00
Robert Obryk
44fde723be
nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper
...
This change includes some stuff (e.g. reading of the `.real` file,
execution of the wrapper's target) that belongs to the apparmor policy
of the wrapper. This necessitates making them distinct for each wrapper.
The main reason for this change is as a preparation for making each
wrapper be a distinct binary.
2023-08-27 14:10:07 +02:00
Robert Obryk
c0e607da61
nixos/tests/wrappers: test apparmor configuration
...
Wrappers generate pieces of apparmor policies for inclusion, which are
used only in a single place in nixpkgs, for `ping`. They are built only
if apparmor is enabled.
This change causes the test to test:
- that the apparmor includes can be generated,
- that `ping` works with apparmor enabled (as the only policy that
references these includes).
Ideally there would be some other NixOS test that verifies that `ping`
specifically works. Sadly, there isn't one.
2023-08-27 14:09:57 +02:00
Franz Pletz
94d494b2f6
Merge pull request #246851 from anund/noson-pulse
...
noson: fix pulse audio streaming support
2023-08-25 20:14:46 +02:00
Matthias Beyer
fa5a83c687
Merge pull request #251417 from fabaff/adax-bump
...
python311Packages.adax: 0.2.0 -> 0.3.0
2023-08-25 20:14:16 +02:00
Franz Pletz
fb6f1934a2
Merge pull request #248040 from felschr/tor-browser-malloc
...
tor-browser-bundle-bin: deprecate useHardenedMalloc
2023-08-25 20:12:38 +02:00
Franz Pletz
9bd52fd1bf
Merge pull request #250517 from aaronjheng/datadog-agent
...
datadog-agent: unpin go1.18
2023-08-25 20:04:45 +02:00
Franz Pletz
5fc4687280
Merge pull request #229452 from Leixb/headsetcontrol27
...
headsetcontrol: 2.6.1 -> 2.7.0
2023-08-25 20:04:19 +02:00
Franz Pletz
4df994d359
Merge pull request #248486 from S-NA/updates/deadd-notification-center
...
deadd-notification-center: 2.0.4 -> 2.1.1
2023-08-25 20:02:43 +02:00
Franz Pletz
c0967315ff
Merge pull request #249600 from anthonyroussel/nvtop_3_0_2
...
nvtop: 3.0.1 -> 3.0.2
2023-08-25 20:01:45 +02:00
Matthias Beyer
39e95f3c64
Merge pull request #251411 from SuperSandro2000/smenu
...
smenu: 1.2.0 -> 1.3.0
2023-08-25 20:01:07 +02:00
Pol Dellaiera
5cf3fa6186
Merge pull request #251266 from marsam/update-1password
...
_1password: 2.19.0 -> 2.20.0
2023-08-25 19:57:00 +02:00
Martin Weinelt
18c66967d6
Merge pull request #251256 from NixOS/home-assistant
...
home-assistant: 2023.8.3 -> 2023.8.4
2023-08-25 19:54:08 +02:00
Vladimír Čunát
68eb95705f
Merge #251367: revert "python3Packages.pillow & python3Packages.pillow-simd: Fix cross compilation"
2023-08-25 19:47:10 +02:00
Fabian Affolter
19a689af9e
python311Packages.adax: disable on unsupported Python releases
2023-08-25 19:46:49 +02:00
Fabian Affolter
2d4cda191f
python311Packages.adax: add changelog to meta
2023-08-25 19:46:18 +02:00
Matthias Beyer
347a238ef8
Merge pull request #251404 from r-ryantm/auto-update/clash-meta
...
clash-meta: 1.15.0 -> 1.15.1
2023-08-25 19:46:09 +02:00
Matthias Beyer
80ee147b6f
Merge pull request #251408 from matrss/disable-getoptions-tests-against-yash
...
getoptions: disable tests against yash
2023-08-25 19:45:22 +02:00
Fabian Affolter
75213da35d
python311Packages.adax: 0.2.0 -> 0.3.0
...
Diff: https://github.com/Danielhiversen/pyadax/compare/0.2.0...0.3.0
2023-08-25 19:43:01 +02:00
Lin Jian
3e025f1393
emacsWithPackages: add a note for EMACSNATIVELOADPATH
2023-08-25 17:42:21 +00:00
Lin Jian
7f8cd3d8f9
emacsWithPackages: remove redundant colons
2023-08-25 17:42:21 +00:00
Lin Jian
d380784357
emacsWithPackages: fix logic of adding EMACSNATIVELOADPATH
...
Without this change, EMACSNATIVELOADPATH will not be added if
EMACSLOADPATH is added.
2023-08-25 17:42:21 +00:00
Matthias Beyer
a12258c461
Merge pull request #251393 from schuelermine/add/genemichaels
...
genemichaels: init
2023-08-25 19:38:34 +02:00
Angus Dippenaar
0093ac7102
stm32cubemx: 6.8.1 -> 6.9.1
...
Release notes: https://www.st.com/resource/en/release_note/rn0094-stm32cubemx-release-691-stmicroelectronics.pdf
In the release notes, it mentions that it's bundled with Java 17, so
this is the same version which is pinned in this package.
2023-08-25 17:37:52 +00:00
Angus Dippenaar
437e88c919
maintainers: add angaz
2023-08-25 17:37:52 +00:00
Matthias Beyer
0bbd448bd5
Merge pull request #251392 from r-ryantm/auto-update/riffdiff
...
riffdiff: 2.25.0 -> 2.25.2
2023-08-25 19:27:24 +02:00
Matthias Beyer
fa08e19344
Merge pull request #251403 from fabaff/types-beautifulsoup4
...
python311Packages.types-html5lib: init at 1.1.11.15, python311Packages.types-beautifulsoup4: init at 4.12.0.6
2023-08-25 19:21:41 +02:00
Sandro Jäckel
77eb86d962
smenu: 1.2.0 -> 1.3.0
...
Diff: https://github.com/p-gen/smenu/compare/v1.2.0...v1.3.0
2023-08-25 19:16:48 +02:00
Matthias Riße
1974feb428
getoptions: disable tests against yash
2023-08-25 19:05:14 +02:00
Anselm Schüler
cc515a6e01
genemichaels: init at 0.1.21
2023-08-25 19:02:58 +02:00
Matthias Beyer
697d179231
Merge pull request #251399 from r-ryantm/auto-update/k3sup
...
k3sup: 0.12.14 -> 0.12.15
2023-08-25 19:02:32 +02:00
figsoda
6bc39510ae
Merge pull request #251317 from GaetanLepage/rainbow-delimiters
...
vimPlugins.rainbow-delimiters-nvim: init at 2023-08-25
2023-08-25 12:55:19 -04:00
figsoda
e2df13eb5a
Merge pull request #251309 from r-ryantm/auto-update/ast-grep
...
ast-grep: 0.11.0 -> 0.11.1
2023-08-25 12:54:54 -04:00
figsoda
0ca251a070
Merge pull request #251339 from marsam/update-scheme-manpages
...
scheme-manpages: unstable-2023-06-04 -> unstable-2023-08-13
2023-08-25 12:43:45 -04:00
Matthias Beyer
0c06e91e7b
Merge pull request #251390 from r-ryantm/auto-update/grpc_cli
...
grpc_cli: 1.56.2 -> 1.57.0
2023-08-25 18:41:27 +02:00
figsoda
60f3de2df5
Merge pull request #251332 from marsam/update-millet
...
millet: 0.12.9 -> 0.13.0
2023-08-25 12:38:43 -04:00
figsoda
f29ffd9e36
Merge pull request #251363 from khaneliman/fastfetch
...
fastfetch: 2.0.3 -> 2.0.4
2023-08-25 12:37:35 -04:00
Matthias Beyer
30b996303f
Merge pull request #251396 from r-ryantm/auto-update/netdata
...
netdata: 1.42.0 -> 1.42.1
2023-08-25 18:35:53 +02:00
Fabian Affolter
32b62b08e9
python311Packages.types-beautifulsoup4: init at 4.12.0.6
2023-08-25 18:33:52 +02:00
Fabian Affolter
019f208ada
python311Packages.types-html5lib: init at 1.1.11.15
2023-08-25 18:33:46 +02:00
Franz Pletz
72631d762f
Merge pull request #251055 from lheckemann/virt-manager-osx
...
virt-manager: produce a macos application
2023-08-25 18:33:26 +02:00
Franz Pletz
31d331e7ce
Merge pull request #251186 from skorpy2009/zoom
...
zoom-us: 5.15.5.5603 -> 5.15.10.6882
2023-08-25 18:31:40 +02:00
R. Ryantm
eadaccffc7
clash-meta: 1.15.0 -> 1.15.1
2023-08-25 16:29:05 +00:00
figsoda
b07e62ccf1
Merge pull request #251381 from MoritzBoehme/gum-add-main-program
2023-08-25 12:28:25 -04:00
Ryan Mulligan
37587d2860
Merge pull request #251067 from cdmistman/cad/update-bun
...
bun: 0.7.3 -> 0.8.0
2023-08-25 09:20:18 -07:00
R. Ryantm
dafab32a63
k3sup: 0.12.14 -> 0.12.15
2023-08-25 16:06:02 +00:00
Bobby Rong
ea96bb8a5a
Merge pull request #251282 from bobby285271/upd/pantheon
...
pantheon.elementary-files: 6.4.1 -> 6.5.0
2023-08-25 23:56:24 +08:00
Matthias Beyer
103bbccbf6
Merge pull request #251359 from r-ryantm/auto-update/iqtree
...
iqtree: 2.2.2.6 -> 2.2.2.7
2023-08-25 17:53:42 +02:00
Matthias Beyer
7eb4df7985
Merge pull request #251386 from r-ryantm/auto-update/traefik
...
traefik: 2.10.3 -> 2.10.4
2023-08-25 17:53:32 +02:00
Matthias Beyer
b980fb511c
Merge pull request #251372 from 06kellyjac/diffoci
...
diffoci: init at 0.1.1
2023-08-25 17:53:20 +02:00