-
-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace in-tree AppArmor kernel patches #6872
Conversation
Okay, so there's some breakage after all, but it's not clear to me exactly what's wrong (from looking at the travis log) ... |
Having looked closer at the travis log, I'm not sure the failure is related to this PR.
and then
Linux 3.2 at least builds for me, but building all that stuff locally is not feasible for me, so I'm not quite sure how to proceed in debugging this. |
Meh nox is really best effort, and half of time produces bad results. I think if checksums are the same, it's should be safe to merge. |
Hrm, this looks OK to me, but I wonder if we should even continue supporting 3.2 and 3.4 kernels? I mean, yes, sure, they're LTS, but A) it's unlikely many people use them, B) they can be added back if we delete them before 15.05, and C) in the best case, it just lets us get rid of all this. Kernel 3.5+ has full AppArmor patch support. |
Also, our Hydra/kernel configuration doesn't exactly build the slimmest little |
I don't care about older kernels at all (I only want the latest version supported by grsecurity). That said, removing old kernels seems orthogonal to this issue; I intended this to be a functional no-op. Two thoughts, though. AppArmor distributes patches for kernels 2.6.36 through 3.12 and for kernels 3.4+ there's a patch for network rule support. If those patches are in there for a reason, I'm not sure its fair to say that 3.5+ has full AppArmor support (I don't use old kernels, though, so I don't know what is actually supported). |
I have implemented a first draft of the AppArmor patch convenience wrapper I had in mind here: https://github.com/joachifm/nixpkgs/tree/apparmor-kernel-patches-convenience. With this changeset, you can apply AppArmor patches to any kernel almost for-free (passing them via kernelPatches from the pkgs toplevel). Linux 3.2 and 3.4 exprs are now both more than halved in size. If you like this, I can bake it into this PR. |
This patch removes the in-tree AppArmor kernel patches for linux 3.2 and 3.4, instead using patches from the apparmor-kernel-patches package. I have confirmed that the checksums are in fact the same, and I am able to do `map (x: readFile x.patch) linux_3_{2,4}.kernelPatches` and have the patch contents read back to me, which indicates to me that the builds should work as before. A possible refinement is to provide a convenience wrapper for accessing AppArmor kernel patches (in `{ name = ...; patch = ...; }` format), but that is beyond the scope of what I wanted to do here.
8b75b67
to
32080b8
Compare
FWIW, in place of this, I'm simply dropping all older kernels in #7220 and promoting AppAmor 2.9 to stable. I think this is the proper way to go. Sorry for not responding sooner. |
Okay. |
This patch removes the in-tree AppArmor kernel patches for linux 3.2
and 3.4, instead using patches from the apparmor-kernel-patches package.
I have confirmed that the checksums are in fact the same, and
I am able to do
map (x: readFile x.patch) linux_3_{2,4}.kernelPatches
and have the patch contents read back to me, which indicates to me that
the builds should work as before.
A possible refinement is to provide a convenience wrapper for accessing
AppArmor kernel patches (in
{ name = ...; patch = ...; }
format), but thatis beyond the scope of what I wanted to do here.
cc @thoughtpolice