Merge branch 'master' into waagent-module

NixOS · Dec 8, 2024 · caa4105 · caa4105
2 parents d07d8a5 + d88cb59
commit caa4105
Show file tree

Hide file tree

Showing 523 changed files with 8,988 additions and 10,361 deletions.
diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml
@@ -0,0 +1,30 @@
+name: "Building Nixpkgs lib-tests"
+
+permissions:
+  contents: read
+
+on:
+  pull_request_target:
+    paths:
+      - 'lib/**'
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  nixpkgs-lib-tests:
+    name: nixpkgs-lib-tests
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        if: needs.get-merge-commit.outputs.mergedSha
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - name: Building Nixpkgs lib-tests
+        run: |
+          nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix
diff --git a/.mergify.yml b/.mergify.yml
@@ -0,0 +1,22 @@
+queue_rules:
+  # This rule is for https://docs.mergify.com/commands/queue/
+  # and can be triggered with: @mergifyio queue
+  - name: default
+    merge_conditions:
+      # all github action checks in this list are required to merge a pull request
+      - check-success=Attributes
+      - check-success=Check
+      - check-success=Outpaths (aarch64-darwin)
+      - check-success=Outpaths (aarch64-linux)
+      - check-success=Outpaths (x86_64-darwin)
+      - check-success=Outpaths (x86_64-linux)
+      - check-success=Process
+      - check-success=Request
+      - check-success=Tag
+      - check-success=editorconfig-check
+      - check-success=label-pr
+      - check-success=nix-files-parseable-check
+      - check-success=nixfmt-check
+      - check-success=nixpkgs-vet
+    # queue up to 5 pull requests at a time
+    batch_size: 5
diff --git a/ci/OWNERS b/ci/OWNERS
@@ -157,6 +157,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 # Python-related code and docs
 /doc/languages-frameworks/python.section.md   @mweinelt @natsukium
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
+/pkgs/by-name/up/update-python-libraries      @mweinelt @natsukium
 /pkgs/development/interpreters/python         @mweinelt @natsukium
 /pkgs/top-level/python-packages.nix                     @natsukium
 /pkgs/top-level/release-python.nix                      @natsukium
@@ -206,8 +207,8 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 
 # Browsers
 /pkgs/applications/networking/browsers/firefox @mweinelt
-/pkgs/applications/networking/browsers/chromium @emilylange
-/nixos/tests/chromium.nix @emilylange
+/pkgs/applications/networking/browsers/chromium @emilylange @networkException
+/nixos/tests/chromium.nix @emilylange @networkException
 
 # Certificate Authorities
 pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt

diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -4668,6 +4668,13 @@
     name = "Carl Richard Theodor Schneider";
     keys = [ { fingerprint = "2017 E152 BB81 5C16 955C  E612 45BC C1E2 709B 1788"; } ];
   };
+  cryo = {
+    email = "[email protected]";
+    github = "cry0ice";
+    githubId = 176274027;
+    name = "Cryo";
+    keys = [ { fingerprint = "2CF7 F8E8 2258 5751 2591  F97F 4B12 E34A 25A9 AB35"; } ];
+  };
   Cryolitia = {
     name = "Cryolitia PukNgae";
     email = "[email protected]";
@@ -4800,6 +4807,12 @@
     github = "d4ilyrun";
     githubId = 34611103;
   };
+  d4rk = {
+    name = "Anoop Menon";
+    email = "[email protected]";
+    github = "d4rk";
+    githubId = 22163;
+  };
   d4rkstar = {
     name = "Bruno Salzano";
     email = "[email protected]";
@@ -18091,6 +18104,13 @@
     githubId = 4579165;
     name = "Danny Bautista";
   };
+  pyrotelekinetic = {
+    name = "Clover";
+    email = "[email protected]";
+    github = "pyrotelekinetic";
+    githubId = 29682759;
+    keys = [ { fingerprint = "5963 78DB 25AA 608D 2743  D466 5D6A D9AE 71B3 F983"; } ];
+  };
   pyrox0 = {
     name = "Pyrox";
     email = "[email protected]";
@@ -22782,7 +22802,7 @@
     githubId = 332418;
   };
   tsandrini = {
-    email = "[email protected]";
+    email = "[email protected]";
     name = "Tomáš Sandrini";
     github = "tsandrini";
     githubId = 21975189;

diff --git a/maintainers/scripts/update-python-libraries b/maintainers/scripts/update-python-libraries
@@ -1,3 +1,3 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -I nixpkgs=channel:nixpkgs-unstable -i bash -p "python3.withPackages (ps: with ps; [ packaging requests ])" -p nix-prefetch-git
-exec python3 pkgs/development/interpreters/python/update-python-libraries/update-python-libraries.py $@
+exec python3 pkgs/by-name/up/update-python-libraries/update-python-libraries.py $@
diff --git a/nixos/doc/manual/configuration/user-mgmt.chapter.md b/nixos/doc/manual/configuration/user-mgmt.chapter.md
@@ -122,7 +122,7 @@ The primary benefit of this is to remove a dependency on perl.
 This is experimental.
 :::
 
-Like systemd-sysusers, Userborn adoesn't depend on Perl but offers some more
+Like systemd-sysusers, Userborn doesn't depend on Perl but offers some more
 advantages over systemd-sysusers:
 
 1. It can create "normal" users (with a GID >= 1000).

diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -24,6 +24,10 @@
 
 - [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](options.html#opt-services.waagent.enable).
 
+- [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable).
+
+- [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-25.05-incompatibilities}
@@ -50,6 +54,10 @@
 
 - `nodePackages.webpack-dev-server` has been removed, as it should be installed in projects that use it instead.
 
+- `racket_7_9` has been removed, as it is insecure. It is recommended to use Racket 8 instead.
+
+- `fluxus` has been removed, as it depends on `racket_7_9` and had no updates in 9 years.
+
 - The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.
 
 - `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.
@@ -64,7 +72,7 @@
   files have changed from `$out/share/fonts/{opentype,truetype}/NerdFonts` to
   `$out/share/fonts/{opentype,truetype}/NerdFonts/<fontDirName>`, where `<fontDirName>` can be found in the
   [official website](https://www.nerdfonts.com/font-downloads) as the titles in preview images, with the "Nerd Font"
-  suffix and any whitespaces trimmed.
+  suffix and any whitespaces trimmed. Configuration changes are required, see build output.
 
 - `retroarch` has been refactored and the older `retroarch.override { cores = [ ... ]; }` to create a RetroArch derivation with custom cores doesn't work anymore, use `retroarch.withCores (cores: [ ... ])` instead. If you need more customization (e.g.: custom settings), use `wrapRetroArch` instead.
 
@@ -85,6 +93,11 @@
   add `vimPlugins.notmuch-vim` to your (Neo)vim configuration if you want the
   vim plugin.
 
+- `prisma` and `prisma-engines` have been updated to version 6.0.1, which
+  introduces several breaking changes. See the
+  [Prisma ORM upgrade guide](https://www.prisma.io/docs/orm/more/upgrade-guides/upgrading-versions/upgrading-to-prisma-6)
+  for more information.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Other Notable Changes {#sec-release-25.05-notable-changes}
@@ -93,6 +106,8 @@
 
 - Cinnamon has been updated to 6.4.
 
+- `services.avahi.ipv6` now defaults to true.
+
 - `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries.
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix
@@ -278,18 +278,32 @@ in
         PRUNE_BIND_MOUNTS = if cfg.pruneBindMounts then "yes" else "no";
       };
       serviceConfig = {
+        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_CHOWN";
         Nice = 19;
         IOSchedulingClass = "idle";
+        IPAddressDeny = "any";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
         PrivateTmp = "yes";
+        PrivateDevices = true;
         PrivateNetwork = "yes";
-        NoNewPrivileges = "yes";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        RestrictAddressFamilies = "AF_UNIX";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         ReadOnlyPaths = "/";
         # Use dirOf cfg.output because mlocate creates temporary files next to
         # the actual database. We could specify and create them as well,
         # but that would make this quite brittle when they change something.
         # NOTE: If /var/cache does not exist, this leads to the misleading error message:
         # update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
         ReadWritePaths = dirOf cfg.output;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service @chown";
       };
     };
 

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -588,6 +588,7 @@
   ./services/hardware/bluetooth.nix
   ./services/hardware/bolt.nix
   ./services/hardware/brltty.nix
+  ./services/hardware/buffyboard.nix
   ./services/hardware/ddccontrol.nix
   ./services/hardware/display.nix
   ./services/hardware/fancontrol.nix

diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
@@ -210,5 +210,5 @@ in
     };
   };
 
-  meta.maintainers = with lib.maintainers; [ julm ];
+  meta.maintainers = with lib.maintainers; [ julm grimmauld ];
 }
diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c
@@ -170,15 +170,6 @@ static int make_caps_ambient(const char *self_path) {
     "MALLOC_ARENA_TEST\0"
 
 int main(int argc, char **argv) {
-    ASSERT(argc >= 1);
-
-    // argv[0] goes into a lot of places, to a far greater degree than other elements
-    // of argv. glibc has had buffer overflows relating to argv[0], eg CVE-2023-6246.
-    // Since we expect the wrappers to be invoked from either $PATH or /run/wrappers/bin,
-    // there should be no reason to pass any particularly large values here, so we can
-    // be strict for strictness' sake.
-    ASSERT(strlen(argv[0]) < 512);
-
     int debug = getenv(wrapper_debug) != NULL;
 
     // Drop insecure environment variables explicitly
@@ -209,10 +200,22 @@ int main(int argc, char **argv) {
         return 1;
     }
 
+    char *replacement_argv[2] = {SOURCE_PROG, NULL};
+    char *old_argv0;
+    // Replace untrusted or missing argv[0] by the wrapped program path.
+    // This mitigates vulnerabilities caused by incorrect handling in privileged code.
+    if (argv[0]) {
+        old_argv0 = argv[0];
+        argv[0] = SOURCE_PROG;
+    } else {
+        old_argv0 = "«nullptr»";
+        argv = replacement_argv;
+    }
+
     execve(SOURCE_PROG, argv, environ);
-    
+
     fprintf(stderr, "%s: cannot run `%s': %s\n",
-        argv[0], SOURCE_PROG, strerror(errno));
+        old_argv0, SOURCE_PROG, strerror(errno));
 
     return 1;
 }
diff --git a/nixos/modules/services/continuous-integration/github-runners.nix b/nixos/modules/services/continuous-integration/github-runners.nix
@@ -6,5 +6,5 @@
     ./github-runner/service.nix
   ];
 
-  meta.maintainers = with lib.maintainers; [ veehaitch newam ];
+  meta.maintainers = with lib.maintainers; [ veehaitch ];
 }
diff --git a/nixos/modules/services/desktop-managers/lomiri.nix b/nixos/modules/services/desktop-managers/lomiri.nix
@@ -90,6 +90,7 @@ in
             lomiri-filemanager-app
             lomiri-gallery-app
             lomiri-history-service
+            lomiri-mediaplayer-app
             lomiri-polkit-agent
             lomiri-schemas # exposes some required dbus interfaces
             lomiri-session # wrappers to properly launch the session
-Original file line number
+Diff line change
@@ Expand Up / @@ -210,5 +210,5 @@ in @@
         };
       };
-      meta.maintainers = with lib.maintainers; [ julm ];
+      meta.maintainers = with lib.maintainers; [ julm grimmauld ];
     }