71 files changed, 566 insertions, 816 deletions
diff --git a/nixos/modules/services/misc/synergy.nix b/nixos/modules/services/misc/synergy.nix
index e630992f797b..0cbdc7599c0f 100644
--- a/nixos/modules/services/misc/synergy.nix
+++ b/nixos/modules/services/misc/synergy.nix
@@ -115,7 +115,7 @@ in
 description = "Synergy server";
 wantedBy = optional cfgS.autoStart "graphical-session.target";
 path = [ pkgs.synergy ];
- serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergys -c ${cfgS.configFile} -f${optionalString (cfgS.address != "") " -a ${cfgS.address}"}${optionalString (cfgS.screenName != "") " -n ${cfgS.screenName}"}${optionalString cfgS.tls.enable " --enable-crypto"}${optionalString (cfgS.tls.cert != null) (" --tls-cert=${cfgS.tls.cert}")}'';
+ serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergys -c ${cfgS.configFile} -f${optionalString (cfgS.address != "") " -a ${cfgS.address}"}${optionalString (cfgS.screenName != "") " -n ${cfgS.screenName}"}${optionalString cfgS.tls.enable " --enable-crypto"}${optionalString (cfgS.tls.cert != null) (" --tls-cert ${cfgS.tls.cert}")}'';
 serviceConfig.Restart = "on-failure";
 };
 })
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index cb3b9a248c0e..380f1a7d27e2 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -691,6 +691,7 @@ in {
 wmderland = handleTest ./wmderland.nix {};
 wpa_supplicant = handleTest ./wpa_supplicant.nix {};
 wordpress = handleTest ./wordpress.nix {};
+ wrappers = handleTest ./wrappers.nix {};
 writefreely = handleTest ./web-apps/writefreely.nix {};
 xandikos = handleTest ./xandikos.nix {};
 xautolock = handleTest ./xautolock.nix {};
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix
new file mode 100644
index 000000000000..08c1ad0b6b99
--- /dev/null
+++ b/nixos/tests/wrappers.nix
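Review bot: The new `--tls-cert ${cfgS.tls.cert}` is interpolated into ExecStart without quoting, so a certificate path containing whitespace would be split by systemd into two separate arguments; the same holds for the pre-existing `-a ${cfgS.address}` and `-n ${cfgS.screenName}` on the same line. Writing the fragment as `(" --tls-cert ${lib.escapeShellArg cfgS.tls.cert}")` keeps the value a single word, since systemd's ExecStart honours single-quoted arguments. `optionalString` is used unqualified here, so `lib` is presumably in scope via the module's `with lib;`, but that is outside the hunk and worth confirming. The enclosing systemd service definition starts before this hunk.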
@@ -0,0 +1,79 @@ +import ./make-test-python.nix ({ pkgs, ... }: +let + userUid = 1000; + usersGid = 100; + busybox = pkgs : pkgs.busybox.override { + # Without this, the busybox binary drops euid to ruid for most applets, including id. + # See https://bugs.busybox.net/show_bug.cgi?id=15101 + extraConfig = "CONFIG_FEATURE_SUID n"; + }; +in +{ + name = "wrappers"; + + nodes.machine = { config, pkgs, ... }: { + ids.gids.users = usersGid; + + users.users = { + regular = { + uid = userUid; + isNormalUser = true; + }; + }; + + security.wrappers = { + suidRoot = { + owner = "root"; + group = "root"; + setuid = true; + source = "${busybox pkgs}/bin/busybox"; + program = "suid_root_busybox"; + }; + sgidRoot = { + owner = "root"; + group = "root"; + setgid = true; + source = "${busybox pkgs}/bin/busybox"; + program = "sgid_root_busybox"; + }; + withChown = { + owner = "root"; + group = "root"; + source = "${pkgs.libcap}/bin/capsh"; + program = "capsh_with_chown"; + capabilities = "cap_chown+ep"; + }; + }; + }; + + testScript = + '' + def cmd_as_regular(cmd): + return "su -l regular -c '{0}'".format(cmd) + + def test_as_regular(cmd, expected): + out = machine.succeed(cmd_as_regular(cmd)).strip() + assert out == expected, "Expected {0} to output {1}, but got {2}".format(cmd, expected, out) + + test_as_regular('${busybox pkgs}/bin/busybox id -u', '${toString userUid}') + test_as_regular('${busybox pkgs}/bin/busybox id -ru', '${toString userUid}') + test_as_regular('${busybox pkgs}/bin/busybox id -g', '${toString usersGid}') + test_as_regular('${busybox pkgs}/bin/busybox id -rg', '${toString usersGid}') + + test_as_regular('/run/wrappers/bin/suid_root_busybox id -u', '0') + test_as_regular('/run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}') + test_as_regular('/run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}') + test_as_regular('/run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}') + + 
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}') + test_as_regular('/run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}') + test_as_regular('/run/wrappers/bin/sgid_root_busybox id -g', '0') + test_as_regular('/run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}') + + # We are only testing the permitted set, because it's easiest to look at with capsh. + machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN')) + machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN')) + machine.succeed(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_CHOWN')) + machine.fail(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_SYS_ADMIN')) + ''; +}) diff --git a/pkgs/applications/audio/espeak/edit.nix b/pkgs/applications/audio/espeak/edit.nix index 2240a8561164..2c86a036ceb2 100644 --- a/pkgs/applications/audio/espeak/edit.nix +++ b/pkgs/applications/audio/espeak/edit.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, pkg-config, unzip, portaudio, wxGTK, sox }: +{ lib, stdenv, fetchurl, pkg-config, unzip, portaudio, wxGTK32, sox }: stdenv.mkDerivation rec { pname = "espeakedit"; @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ pkg-config unzip ]; - buildInputs = [ portaudio wxGTK ]; + buildInputs = [ portaudio wxGTK32 ]; # TODO: # Uhm, seems like espeakedit still wants espeak-data/ in $HOME, even thought @@ -27,6 +27,7 @@ stdenv.mkDerivation rec { ./espeakedit-configurable-sox-path.patch ./espeakedit-configurable-path-espeak-data.patch ./espeakedit-gcc6.patch + ./espeakedit-wxgtk30.patch ]; postPatch = '' diff --git a/pkgs/applications/audio/espeak/espeakedit-wxgtk30.patch b/pkgs/applications/audio/espeak/espeakedit-wxgtk30.patch new file mode 100644 index 000000000000..04e578824986 --- /dev/null +++ b/pkgs/applications/audio/espeak/espeakedit-wxgtk30.patch 
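Review bot: `cmd_as_regular` wraps its argument in single quotes for `su -l regular -c '{0}'`, so any future command containing a single quote would be silently mangled rather than rejected; using `shlex.quote(cmd)` in the helper (the test script is plain Python) makes the quoting correct for every input. The wrapper directory `/run/wrappers/bin` is hard-coded a dozen times even though the module exposes it as the `security.wrapperDir` option; making testScript a function of `{ nodes, ... }` and interpolating `nodes.machine.config.security.wrapperDir` would keep the test in step with the module. A short header comment stating that the three wrappers exercise setuid, setgid and file capabilities respectively, and that only the permitted set is checked for capsh, would help readers scanning the test list.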
@@ -0,0 +1,32 @@ +diff -uNr a/src/espeakedit.cpp b/src/espeakedit.cpp +--- a/src/espeakedit.cpp ++++ b/src/espeakedit.cpp +@@ -123,7 +126,7 @@ bool MyApp::OnInit(void) + {//===================== + + int j; +-wxChar *p; ++const wxChar *p; + char param[120]; + + +diff -uNr a/src/spect.cpp b/src/spect.cpp +--- a/src/spect.cpp ++++ b/src/spect.cpp +@@ -1,6 +1,7 @@ + /*************************************************************************** + * Copyright (C) 2005 to 2007 by Jonathan Duddington * + * email: jonsd@users.sourceforge.net * ++ * Copyright (C) 2013 by Reece H. Dunn * + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * +@@ -92,6 +93,8 @@ float SpectTilt(int value, int freq) + + + SpectFrame::SpectFrame(SpectFrame *copy) ++ : FONT_SMALL(8,wxSWISS,wxNORMAL,wxNORMAL) ++ , FONT_MEDIUM(9,wxSWISS,wxNORMAL,wxNORMAL) + {//===================================== + + int ix; diff --git a/pkgs/applications/audio/spotify/default.nix b/pkgs/applications/audio/spotify/default.nix index ecbdaec7f28a..2c821ec6b4c8 100644 --- a/pkgs/applications/audio/spotify/default.nix +++ b/pkgs/applications/audio/spotify/default.nix @@ -2,6 +2,9 @@ , glib, pango, cairo, atk, gdk-pixbuf, gtk3, cups, nspr, nss, libpng, libnotify , libgcrypt, systemd, fontconfig, dbus, expat, ffmpeg, curlWithGnuTls, zlib, gnome , at-spi2-atk, at-spi2-core, libpulseaudio, libdrm, mesa, libxkbcommon + # High-DPI support: Spotify's --force-device-scale-factor argument + # not added if `null`, otherwise, should be a number. +, deviceScaleFactor ? null }: let @@ -67,7 +70,7 @@ let in stdenv.mkDerivation { - pname = "spotify-unwrapped"; + pname = "spotify"; inherit version; # fetch from snapcraft instead of the debian repository most repos fetch from. 
@@ -143,6 +146,9 @@ stdenv.mkDerivation { librarypath="${lib.makeLibraryPath deps}:$libdir" wrapProgram $out/share/spotify/spotify \ ''${gappsWrapperArgs[@]} \ + ${lib.optionalString (deviceScaleFactor != null) '' + --add-flags "--force-device-scale-factor=${toString deviceScaleFactor}" \ + ''} \ --prefix LD_LIBRARY_PATH : "$librarypath" \ --prefix PATH : "${gnome.zenity}/bin" diff --git a/pkgs/applications/audio/spotify/wrapper.nix b/pkgs/applications/audio/spotify/wrapper.nix deleted file mode 100644 index 418ef3cbc03e..000000000000 --- a/pkgs/applications/audio/spotify/wrapper.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ symlinkJoin -, lib -, spotify-unwrapped -, makeWrapper - - # High-DPI support: Spotify's --force-device-scale-factor argument; not added - # if `null`, otherwise, should be a number. -, deviceScaleFactor ? null -}: - -symlinkJoin { - name = "spotify-${spotify-unwrapped.version}"; - - paths = [ spotify-unwrapped.out ]; - - nativeBuildInputs = [ makeWrapper ]; - preferLocalBuild = true; - passthru.unwrapped = spotify-unwrapped; - postBuild = '' - wrapProgram $out/bin/spotify \ - ${lib.optionalString (deviceScaleFactor != null) '' - --add-flags ${lib.escapeShellArg "--force-device-scale-factor=${ - builtins.toString deviceScaleFactor - }"} - ''} - ''; - - meta = spotify-unwrapped.meta // { - priority = (spotify-unwrapped.meta.priority or 0) - 1; - }; -} diff --git a/pkgs/applications/blockchains/trezor-suite/default.nix b/pkgs/applications/blockchains/trezor-suite/default.nix index b110bd4e33be..941b1e1f6d0f 100644 --- a/pkgs/applications/blockchains/trezor-suite/default.nix +++ b/pkgs/applications/blockchains/trezor-suite/default.nix @@ -8,7 +8,7 @@ let pname = "trezor-suite"; - version = "22.8.2"; + version = "22.10.3"; name = "${pname}-${version}"; suffix = { 
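Review bot: The flag added with `--add-flags "--force-device-scale-factor=${toString deviceScaleFactor}"` relies on bash double quotes in the wrapper script, whereas the deleted wrapper.nix passed the same flag through `lib.escapeShellArg`; for the numeric value the header comment asks for this is equivalent, but a string containing `"` or `$` would now be interpreted by the shell, so `--add-flags ${lib.escapeShellArg "--force-device-scale-factor=${toString deviceScaleFactor}"}` preserves the old guarantee. The removed wrapper also exposed `passthru.unwrapped` and raised `meta.priority`, neither of which the merged derivation carries over; unless an alias is added elsewhere in this commit, expressions referring to `spotify.unwrapped` or `spotify-unwrapped` would break. The enclosing installation step starts outside the hunk.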
@@ -19,8 +19,8 @@ let
 src = fetchurl {
 url = "https://github.com/trezor/${pname}/releases/download/v${version}/Trezor-Suite-${version}-${suffix}.AppImage";
 sha512 = {
 # curl -Lfs https://github.com/trezor/trezor-suite/releases/latest/download/latest-linux{-arm64,}.yml | grep ^sha512 | sed 's/: /-/'
- aarch64-linux = "sha512-tzGkEDVXOJaTfRPO4UUfDpqaddjeJvVHpf81A9hhpUTRIgbAO4fcOrTgJcgWCBotDo8nHCWjw+n5BG5PEfQ19Q==";
- x86_64-linux = "sha512-qUM3HGYXbVbLRYXetLGbShPU5ochuptCUNn0G5RD3tQeipVZsgRkQCSfZ1Zb3HgoPUOna3u8Mp7Ipu1n8xi3vg==";
+ aarch64-linux = "sha512-fI0N1V+6SEZ9eNf+G/w5RcY8oeA5MsVzJnpnWoMzkkHZh5jVHgNbcqVgSPbzvQ/WZNv1MX37KETcxmDwRx//yw==";
+ x86_64-linux = "sha512-zN89Qw6fQh27EaN9ARNwqhiBaiNoMic6Aq2UPG0OSUtOjEOdkGJ2pbR8MgWVccSgRH8ZmAAXZ0snVKfZWHbCjA==";
 }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
 };
diff --git a/pkgs/applications/editors/xmlcopyeditor/default.nix b/pkgs/applications/editors/xmlcopyeditor/default.nix
index d9bf7f52b2c4..bd7c237e8c13 100644
--- a/pkgs/applications/editors/xmlcopyeditor/default.nix
+++ b/pkgs/applications/editors/xmlcopyeditor/default.nix
@@ -1,28 +1,55 @@ -{ lib, stdenv, fetchurl, aspell, boost, expat, intltool, libxml2, libxslt, pcre, wxGTK, xercesc }: +{ lib +, stdenv +, fetchurl +, aspell +, boost +, expat +, intltool +, pkg-config +, libxml2 +, libxslt +, pcre2 +, wxGTK32 +, xercesc +, Cocoa +}: stdenv.mkDerivation rec { pname = "xmlcopyeditor"; - version = "1.2.1.3"; + version = "1.3.1.0"; src = fetchurl { - name = "${pname}-${version}.tar.gz"; url = "mirror://sourceforge/xml-copy-editor/${pname}-${version}.tar.gz"; - sha256 = "0bwxn89600jbrkvlwyawgc0c0qqxpl453mbgcb9qbbxl8984ns4v"; + sha256 = "sha256-6HHKl7hqyvF3gJ9vmjLjTT49prJ8KhEEV0qPsJfQfJE="; }; patches = [ ./xmlcopyeditor.patch ]; - CPLUS_INCLUDE_PATH = "${libxml2.dev}/include/libxml2"; - nativeBuildInputs = [ intltool ]; - buildInputs = [ aspell boost expat libxml2 libxslt pcre wxGTK xercesc ]; + nativeBuildInputs = [ + intltool + pkg-config + ]; + + buildInputs = [ + aspell + boost + expat + libxml2 + libxslt + pcre2 + wxGTK32 + xercesc + ] ++ lib.optionals stdenv.isDarwin [ + Cocoa + ]; enableParallelBuilding = true; meta = with lib; { description = "A fast, free, validating XML editor"; - homepage = "http://xml-copy-editor.sourceforge.net/"; + homepage = "https://xml-copy-editor.sourceforge.io/ |