staging-next 2024-09-21 (#343421)

doc/stdenv/stdenv.chapter.md

@@ -518,8 +518,10 @@ There are a number of variables that control what phases are executed and in wha
 
 Specifies the phases. You can change the order in which phases are executed, or add new phases, by setting this variable. If it’s not set, the default value is used, which is `$prePhases unpackPhase patchPhase $preConfigurePhases configurePhase $preBuildPhases buildPhase checkPhase $preInstallPhases installPhase fixupPhase installCheckPhase $preDistPhases distPhase $postPhases`.
 
+The elements of `phases` must not contain spaces. If `phases` is specified as a Nix Language attribute, it should be specified as lists instead of strings. The same rules apply to the `*Phases` variables.
+
 It is discouraged to set this variable, as it is easy to miss some important functionality hidden in some of the less obviously needed phases (like `fixupPhase` which patches the shebang of scripts).
-Usually, if you just want to add a few phases, it’s more convenient to set one of the variables below (such as `preInstallPhases`).
+Usually, if you just want to add a few phases, it’s more convenient to set one of the `*Phases` variables below.
 
 ##### `prePhases` {#var-stdenv-prePhases}
 

maintainers/scripts/fetch-kde-qt.sh

@@ -156,7 +156,7 @@ files_before=$(grep -c 'src = ' "$SRCS")
 echo "writing output file $SRCS ..."
 cat >"$SRCS" <<EOF
 # DO NOT EDIT! This file is generated automatically.
-# Command: $0 $@
+# Command: ./maintainers/scripts/fetch-kde-qt.sh $@
 { fetchurl, mirror }:
 
 {

maintainers/scripts/kde/collect-missing-deps.py

@@ -72,6 +72,7 @@
     },
     "kwin": {
         "display-info",  # newer versions identify as libdisplay-info
+        "Libcap",  # used to call setcap at build time and nothing else
     },
     "libksysguard": {
         "Libcap",  # used to call setcap at build time and nothing else
@@ -90,6 +91,7 @@
     },
     "powerdevil": {
         "DDCUtil",  # cursed, intentionally disabled
+        "Libcap",  # used to call setcap at build time and nothing else
     },
     "print-manager": {
         "PackageKitQt6",  # used for auto-installing drivers which does not work for obvious reasons

maintainers/scripts/kde/generate-sources.py

@@ -23,7 +23,8 @@
 '''.strip())
 
 ROOT_TEMPLATE = jinja2.Template('''
-{callPackage}: {
+{ callPackage }:
+{
   {%- for p in packages %}
   {{ p }} = callPackage ./{{ p }} { };
   {%- endfor %}

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -271,6 +271,11 @@
 - The `mautrix-signal` module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
   In case you want to update your configuration make sure to check the NixOS manual.
 
+- The dhcpcd service (`networking.useDHCP`) has been hardened and now runs exclusively as the "dhcpcd" user.
+  Users that were relying on the root privileges in `networking.dhcpcd.runHook` will have to write specific [sudo](security.sudo.extraRules) or [polkit](security.polkit.extraConfig) rules to allow dhcpcd to perform privileged actions.
+
+  As part of these changes, the DHCP lease files directory has also been moved from `/var/db/dhcpcd` to `/var/lib/dhcpcd`. This migration is performed automatically, but users may have to update their backup configuration.
+
 - `singularity-tools` have the `storeDir` argument removed from its override interface and use `builtins.storeDir` instead.
 
 - Two build helpers in `singularity-tools`, i.e., `mkLayer` and `shellScript`, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.
@@ -503,9 +508,6 @@
 - The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.
   Consequently the package `pkgs.ma1sd` has also been removed.
 
-- `ffmpeg_5` has been removed. Please use the unversioned `ffmpeg`,
-  pin a newer version, or if necessary pin `ffmpeg_4` for compatibility.
-
 - The `rss-bridge` service drops the support to load a configuration file from `${config.services.rss-bridge.dataDir}/config.ini.php`.
   Consider using the `services.rss-bridge.config` option instead.
 
@@ -558,6 +560,16 @@
 - Minimal installer ISOs are no longer built on the small channel.
   Please obtain installer images from the full release channels.
 
+- The default FFmpeg version is now 7, and FFmpeg 5 has been removed.
+  Please prefer using the package variants without a version suffix,
+  or pin FFmpeg 6 or 4 if necessary for compatibility.
+  Note that we keep old versions around only as required
+  to support packages in the tree,
+  and FFmpeg 4 especially should be avoided in favour of newer versions
+  as it may be removed soon.
+
+- `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/).
+
 - The `isync` package has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.
 
 - Legacy package `globalprotect-openconnect` 1.x and related module
@@ -607,8 +619,6 @@
 
 - `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.
 
-- `services.dhcpcd` is now started with additional systemd sandbox/hardening options for better security. When using `networking.dhcpcd.runHook` these settings are not applied.
-
 - Kanidm can now be provisioned using the new [`services.kanidm.provision`] option, but requires using a patched version available via `pkgs.kanidm.withSecretProvisioning`.
 
 - Kanidm previously had an incorrect systemd service type, causing dependent units with an `after` and `requires` directive to start before `kanidm*` finished startup. The module has now been updated in line with upstream recommendations.

nixos/modules/config/resolvconf.nix

@@ -132,6 +132,8 @@ in
     }
 
     (lib.mkIf cfg.enable {
+      users.groups.resolvconf = {};
+
       networking.resolvconf.package = pkgs.openresolv;
 
       environment.systemPackages = [ cfg.package ];
@@ -143,12 +145,13 @@ in
         wants = [ "network-pre.target" ];
         wantedBy = [ "multi-user.target" ];
         restartTriggers = [ config.environment.etc."resolvconf.conf".source ];
+        serviceConfig.RemainAfterExit = true;
 
-        serviceConfig = {
-          Type = "oneshot";
-          ExecStart = "${cfg.package}/bin/resolvconf -u";
-          RemainAfterExit = true;
-        };
+        script = ''
+          ${lib.getExe cfg.package} -u
+          chgrp -R resolvconf /etc/resolv.conf /run/resolvconf
+          chmod -R g=u /etc/resolv.conf /run/resolvconf
+        '';
       };
 
     })

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,7 +1,8 @@
 {
-  x86_64-linux = "/nix/store/vhv7ckr0winivvwfqxd54d6pgq2hx1is-nix-2.18.8";
-  i686-linux = "/nix/store/8x7rmgi225r5kygpf17swvk3vll0c61y-nix-2.18.8";
-  aarch64-linux = "/nix/store/sbyj0rb1wd314zfxpf834d0clvxrxmv3-nix-2.18.8";
-  x86_64-darwin = "/nix/store/vsy1wl865md71qv177nchj0aj5p26pkl-nix-2.18.8";
-  aarch64-darwin = "/nix/store/54kqc2da3fjyjgzab4vaszxjmdvii6yk-nix-2.18.8";
+  x86_64-linux = "/nix/store/vi6fh1mhzl5m0knn3y056wnl07sri6c5-nix-2.24.8";
+  i686-linux = "/nix/store/s4wdfq4dzii2jhy1mv2h7b5hpzhf40hm-nix-2.24.8";
+  aarch64-linux = "/nix/store/g50zn4kdcnlgkwbvyi9f9icj9i2x83i5-nix-2.24.8";
+  riscv64-linux = "/nix/store/8ws83k3wc9a639hp6dyprsmvb24fd14w-nix-riscv64-unknown-linux-gnu-2.24.8";
+  x86_64-darwin = "/nix/store/1dhc9a68j5lcnkgdrcm2kbydnbzrlldg-nix-2.24.8";
+  aarch64-darwin = "/nix/store/7gv39q83hm8b7cwcpx1vlcs424qmp67p-nix-2.24.8";
 }

nixos/modules/programs/steam.nix

@@ -31,7 +31,7 @@ in {
       default = pkgs.steam;
       defaultText = lib.literalExpression "pkgs.steam";
       example = lib.literalExpression ''
-        pkgs.steam-small.override {
+        pkgs.steam.override {
           extraEnv = {
             MANGOHUD = true;
             OBS_VKCAPTURE = true;

nixos/modules/services/desktop-managers/plasma6.nix

@@ -249,10 +249,11 @@ in {
 
     xdg.portal.enable = true;
     xdg.portal.extraPortals = [
+      kdePackages.kwallet
       kdePackages.xdg-desktop-portal-kde
       pkgs.xdg-desktop-portal-gtk
     ];
-    xdg.portal.configPackages = mkDefault [kdePackages.xdg-desktop-portal-kde];
+    xdg.portal.configPackages = mkDefault [kdePackages.plasma-workspace];
     services.pipewire.enable = mkDefault true;
 
     # Enable screen reader by default

nixos/modules/services/networking/dhcpcd.nix

@@ -10,7 +10,7 @@ let
   enableDHCP = config.networking.dhcpcd.enable &&
         (config.networking.useDHCP || lib.any (i: i.useDHCP == true) interfaces);
 
-  enableNTPService = (config.services.ntp.enable || config.services.ntpd-rs.enable || config.services.openntpd.enable || config.services.chrony.enable);
+  useResolvConf = config.networking.resolvconf.enable;
 
   # Don't start dhcpcd on explicitly configured interfaces or on
   # interfaces that are part of a bridge, bond or sit device.
@@ -88,23 +88,6 @@ let
       ${cfg.extraConfig}
     '';
 
-  exitHook = pkgs.writeText "dhcpcd.exit-hook" ''
-    ${lib.optionalString enableNTPService ''
-      if [ "$reason" = BOUND -o "$reason" = REBOOT ]; then
-        # Restart ntpd. We need to restart it to make sure that it will actually do something:
-        # if ntpd cannot resolve the server hostnames in its config file, then it will never do
-        # anything ever again ("couldn't resolve ..., giving up on it"), so we silently lose
-        # time synchronisation. This also applies to openntpd.
-        ${lib.optionalString config.services.ntp.enable "/run/current-system/systemd/bin/systemctl try-reload-or-restart ntpd.service || true"}
-        ${lib.optionalString config.services.ntpd-rs.enable "/run/current-system/systemd/bin/systemctl try-reload-or-restart ntpd-rs.service || true"}
-        ${lib.optionalString config.services.openntpd.enable "/run/current-system/systemd/bin/systemctl try-reload-or-restart openntpd.service || true"}
-        ${lib.optionalString config.services.chrony.enable "/run/current-system/systemd/bin/systemctl try-reload-or-restart chronyd.service || true"}
-      fi
-    ''}
-
-    ${cfg.runHook}
-  '';
-
 in
 
 {
@@ -181,6 +164,19 @@ in
       description = ''
          Shell code that will be run after all other hooks. See
          `man dhcpcd-run-hooks` for details on what is possible.
+
+         ::: {.note}
+         To use sudo or similar tools in your script you may have to set:
+
+             systemd.services.dhcpcd.serviceConfig.NoNewPrivileges = false;
+
+         In addition, as most of the filesystem is inaccessible to dhcpcd
+         by default, you may want to define some exceptions, e.g.
+
+             systemd.services.dhcpcd.serviceConfig.ReadOnlyPaths = [
+               "/run/user/1000/bus"  # to send desktop notifications
+             ];
+         :::
       '';
     };
 
@@ -206,22 +202,6 @@ in
 
   config = lib.mkIf enableDHCP {
 
-    assertions = [ {
-      # dhcpcd doesn't start properly with malloc ∉ [ jemalloc libc mimalloc scudo ]
-      # see https://github.com/NixOS/nixpkgs/issues/151696
-      assertion =
-        dhcpcd.enablePrivSep
-          -> lib.elem config.environment.memoryAllocator.provider [ "jemalloc" "libc" "mimalloc" "scudo" ];
-      message = ''
-        dhcpcd with privilege separation is incompatible with chosen system malloc.
-          Currently `graphene-hardened` allocator is known to be broken.
-          To disable dhcpcd's privilege separation, overlay Nixpkgs and override dhcpcd
-          to set `enablePrivSep = false`.
-      '';
-    } ];
-
-    environment.etc."dhcpcd.conf".source = dhcpcdConf;
-
     systemd.services.dhcpcd = let
       cfgN = config.networking;
       hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "")
@@ -233,7 +213,7 @@ in
         wants = [ "network.target" ];
         before = [ "network-online.target" ];
 
-        restartTriggers = lib.optional (enableNTPService || cfg.runHook != "") [ exitHook ];
+        restartTriggers = [ cfg.runHook ];
 
         # Stopping dhcpcd during a reconfiguration is undesirable
         # because it brings down the network interfaces configured by
@@ -247,46 +227,64 @@ in
         serviceConfig =
           { Type = "forking";
             PIDFile = "/run/dhcpcd/pid";
+            SupplementaryGroups = lib.optional useResolvConf "resolvconf";
+            User = "dhcpcd";
+            Group = "dhcpcd";
+            StateDirectory = "dhcpcd";
             RuntimeDirectory = "dhcpcd";
+
+            ExecStartPre = "+${pkgs.writeShellScript "migrate-dhcpcd" ''
+              # migrate from old database directory
+              if test -f /var/db/dhcpcd/duid; then
+                echo 'migrating DHCP leases from /var/db/dhcpcd to /var/lib/dhcpcd ...'
+                mv /var/db/dhcpcd/* -t /var/lib/dhcpcd
+                chown dhcpcd:dhcpcd /var/lib/dhcpcd/*
+                rmdir /var/db/dhcpcd || true
+                echo done
+              fi
+            ''}";
+
             ExecStart = "@${dhcpcd}/sbin/dhcpcd dhcpcd --quiet ${lib.optionalString cfg.persistent "--persistent"} --config ${dhcpcdConf}";
             ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
             Restart = "always";
-          } // lib.optionalAttrs (cfg.runHook == "") {
-            # Proc filesystem
-            ProcSubset = "all";
-            ProtectProc = "invisible";
-            # Access write directories
-            UMask = "0027";
-            # Capabilities
-            CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" "CAP_SETGID" "CAP_SETUID" "CAP_SYS_CHROOT" ];
-            # Security
-            NoNewPrivileges = true;
-            # Sandboxing
-            ProtectSystem = true;
-            ProtectHome = true;
-            PrivateTmp = true;
+            AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
+            ReadWritePaths = [ "/proc/sys/net/ipv6" ]
+              ++ lib.optionals useResolvConf [ "/etc/resolv.conf" "/run/resolvconf" ];
+            DeviceAllow = "";
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            NoNewPrivileges = lib.mkDefault true;  # may be disabled for sudo in runHook
             PrivateDevices = true;
+            PrivateMounts = true;
+            PrivateTmp = true;
             PrivateUsers = false;
-            ProtectHostname = true;
             ProtectClock = true;
-            ProtectKernelTunables = false;
-            ProtectKernelModules = true;
-            ProtectKernelLogs = true;
             ProtectControlGroups = true;
+            ProtectHome = "tmpfs";  # allow exceptions to be added to ReadOnlyPaths, etc.
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectProc = "invisible";
+            ProtectSystem = "strict";
+            RemoveIPC = true;
             RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" "AF_PACKET" ];
             RestrictNamespaces = true;
-            LockPersonality = true;
-            MemoryDenyWriteExecute = true;
             RestrictRealtime = true;
             RestrictSUIDSGID = true;
-            RemoveIPC = true;
-            PrivateMounts = true;
-            # System Call Filtering
+            SystemCallFilter = [
+              "@system-service"
+              "~@aio" "~@chown" "~@keyring" "~@memlock"
+            ];
             SystemCallArchitectures = "native";
-            SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "chroot" "gettid" "setgroups" "setuid" ];
+            UMask = "0027";
           };
       };
 
+    # Note: the service could run with `DynamicUser`, however that makes
+    # impossible (for no good reason, see systemd issue #20495) to disable
+    # `NoNewPrivileges` or `ProtectHome`, which users may want to in order
+    # to run certain scripts in `networking.dhcpcd.runHook`.
     users.users.dhcpcd = {
       isSystemUser = true;
       group = "dhcpcd";
@@ -295,9 +293,7 @@ in
 
     environment.systemPackages = [ dhcpcd ];
 
-    environment.etc."dhcpcd.exit-hook" = lib.mkIf (enableNTPService || cfg.runHook != "") {
-      source = exitHook;
-    };
+    environment.etc."dhcpcd.exit-hook".text = cfg.runHook;
 
     powerManagement.resumeCommands = lib.mkIf config.systemd.services.dhcpcd.enable
       ''

nixos/modules/services/video/go2rtc/default.nix

@@ -55,8 +55,8 @@ in
           ffmpeg = {
             bin = mkOption {
               type = path;
-              default = lib.getExe pkgs.ffmpeg_7-headless;
-              defaultText = literalExpression "lib.getExe pkgs.ffmpeg_7-headless";
+              default = lib.getExe pkgs.ffmpeg-headless;
+              defaultText = literalExpression "lib.getExe pkgs.ffmpeg-headless";
               description = ''
                 The ffmpeg package to use for transcoding.
               '';

nixos/tests/all-tests.nix

@@ -1070,6 +1070,7 @@ in {
   unbound = handleTest ./unbound.nix {};
   unifi = handleTest ./unifi.nix {};
   unit-php = handleTest ./web-servers/unit-php.nix {};
+  unit-perl = handleTest ./web-servers/unit-perl.nix {};
   upnp.iptables = handleTest ./upnp.nix { useNftables = false; };
   upnp.nftables = handleTest ./upnp.nix { useNftables = true; };
   uptermd = handleTest ./uptermd.nix {};

nixos/tests/chrony.nix

@@ -13,8 +13,6 @@ import ./make-test-python.nix ({ lib, ... }:
       specialisation.hardened.configuration = {
         services.chrony.enableMemoryLocking = true;
         environment.memoryAllocator.provider = "graphene-hardened";
-        # dhcpcd privsep is incompatible with graphene-hardened
-        networking.useNetworkd = true;
       };
     };
   };

nixos/tests/hardened.nix

@@ -11,11 +11,6 @@ import ./make-test-python.nix ({ pkgs, ... } : {
       imports = [ ../modules/profiles/hardened.nix ];
       environment.memoryAllocator.provider = "graphene-hardened";
       nix.settings.sandbox = false;
-      nixpkgs.overlays = [
-        (final: super: {
-          dhcpcd = super.dhcpcd.override { enablePrivSep = false; };
-        })
-      ];
       virtualisation.emptyDiskImages = [ 4096 ];
       boot.initrd.postDeviceCommands = ''
         ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb

nixos/tests/installed-tests/geocode-glib.nix

@@ -4,8 +4,10 @@ makeInstalledTest {
   testConfig = {
     i18n.supportedLocales = [
       "en_US.UTF-8/UTF-8"
-      # The tests require this locale available.
+      # The tests require these locales.
       "en_GB.UTF-8/UTF-8"
+      "cs_CZ.UTF-8/UTF-8"
+      "sv_SE.UTF-8/UTF-8"
     ];
   };