Replace in-tree AppArmor kernel patches

[joachifm]

This patch removes the in-tree AppArmor kernel patches for linux 3.2
and 3.4, instead using patches from the apparmor-kernel-patches package.

I have confirmed that the checksums are in fact the same, and
I am able to do map (x: readFile x.patch) linux_3_{2,4}.kernelPatches
and have the patch contents read back to me, which indicates to me that
the builds should work as before.

A possible refinement is to provide a convenience wrapper for accessing
AppArmor kernel patches (in { name = ...; patch = ...; } format), but that
is beyond the scope of what I wanted to do here.

cc @thoughtpolice

[joachifm]

Okay, so there's some breakage after all, but it's not clear to me exactly what's wrong (from looking at the travis log) ...

[joachifm]

Having looked closer at the travis log, I'm not sure the failure is related to this PR.
I'm seeing

building gitweb.cgi

GEN gitweb.cgi

building decorate.o

CC date.o

tar: Unexpected EOF in archive

tar: Unexpected EOF in archive

building diffcore-break.o

CC decorate.o

building diffcore-delta.o

CC diffcore-break.o

building diffcore-order.o

CC diffcore-delta.o

gcc: internal compiler error: Killed (program cc1)

Please submit a full bug report,

with preprocessed source if appropriate.

See <http://gcc.gnu.org/bugs.html> for instructions.

make: *** [archive-tar.o] Error 4

make: *** Waiting for unfinished jobs....

gcc: internal compiler error: Killed (program cc1)

Please submit a full bug report,

with preprocessed source if appropriate.

See <http://gcc.gnu.org/bugs.html> for instructions.

make: *** [convert.o] Error 4

gcc: internal compiler error: Killed (program cc1)

and then

tar: Error is not recoverable: exiting now

do not know how to unpack source archive /nix/store/78zlc85xafhy7wndkwk94dznh81506b9-linux-3.2.68.tar.xz

/nix/store/3sqnsignf07mwz12fmi9r4g4vigxg3al-stdenv/setup: line 484: 6462 Killed xz -d < "$fn"

6463 Done | tar xf -

do not know how to unpack source archive /nix/store/78zlc85xafhy7wndkwk94dznh81506b9-linux-3.2.68.tar.xz

builder for ‘/nix/store/qk8dc7acfqyzr1pcyywl6vw98frz20v6-linux-config-3.2.68.drv’ failed with exit code 1

builder for ‘/nix/store/fhwcnml888irzvz2fvl3p5q6gfxf3m0b-linux-headers-3.2.68.drv’ failed with exit code 1

killing process 4998

killing process 7879

error: build of ‘/nix/store/fhwcnml888irzvz2fvl3p5q6gfxf3m0b-linux-headers-3.2.68.drv’ failed

Linux 3.2 at least builds for me, but building all that stuff locally is not feasible for me, so I'm not quite sure how to proceed in debugging this.

[offlinehacker]

Meh nox is really best effort, and half of time produces bad results. I think if checksums are the same, it's should be safe to merge.

[thoughtpolice]

Hrm, this looks OK to me, but I wonder if we should even continue supporting 3.2 and 3.4 kernels? I mean, yes, sure, they're LTS, but A) it's unlikely many people use them, B) they can be added back if we delete them before 15.05, and C) in the best case, it just lets us get rid of all this. Kernel 3.5+ has full AppArmor patch support.

[thoughtpolice]

Also, our Hydra/kernel configuration doesn't exactly build the slimmest little vmlinux, so I'm sure Hydra would appreciate not having to build the 3.2 and 3.4 kernel a ton of times.

[joachifm]

I don't care about older kernels at all (I only want the latest version supported by grsecurity). That said, removing old kernels seems orthogonal to this issue; I intended this to be a functional no-op.

Two thoughts, though.
There is not much left to be removed as far as AppArmor patching is concerned, this patch makes it quite cheap and it could easily be made cheaper still.

AppArmor distributes patches for kernels 2.6.36 through 3.12 and for kernels 3.4+ there's a patch for network rule support. If those patches are in there for a reason, I'm not sure its fair to say that 3.5+ has full AppArmor support (I don't use old kernels, though, so I don't know what is actually supported).

[joachifm]

I have implemented a first draft of the AppArmor patch convenience wrapper I had in mind here: https://github.com/joachifm/nixpkgs/tree/apparmor-kernel-patches-convenience. With this changeset, you can apply AppArmor patches to any kernel almost for-free (passing them via kernelPatches from the pkgs toplevel). Linux 3.2 and 3.4 exprs are now both more than halved in size. If you like this, I can bake it into this PR.

[thoughtpolice]

FWIW, in place of this, I'm simply dropping all older kernels in #7220 and promoting AppAmor 2.9 to stable. I think this is the proper way to go.

Sorry for not responding sooner.

[joachifm]

Okay.