Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/ananicy: disable ananicy-cpp's BPF on hardened kernels, cleanup #331722

Merged
merged 3 commits into from
Aug 5, 2024
Merged

nixos/ananicy: disable ananicy-cpp's BPF on hardened kernels, cleanup #331722

merged 3 commits into from
Aug 5, 2024

Conversation

JohnRTitor
Copy link
Contributor

Description of changes

Ananicy-Cpp does not work with hardened kernels, because bpf support is fully supported on hardened. So let's disable it.
Fixes #327382
Follow up to #330488

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@JohnRTitor JohnRTitor requested a review from Artturin August 2, 2024 09:39
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Aug 2, 2024
@JohnRTitor JohnRTitor mentioned this pull request Aug 2, 2024
Closed
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Aug 2, 2024
@JohnRTitor
Copy link
Contributor Author

CC @Artturin

@JohnRTitor JohnRTitor merged commit 0a7eaa5 into NixOS:master Aug 5, 2024
26 checks passed
@JohnRTitor JohnRTitor deleted the ananicy-cpp branch August 5, 2024 17:25
MrQubo
MrQubo reviewed Dec 2, 2024
View reviewed changes
nixos/modules/services/misc/ananicy.nix
# Ananicy-CPP with BPF is not supported on hardened kernels https://github.com/NixOS/nixpkgs/issues/327382
finalPackage =
if (servicename == "ananicy-cpp" && config.boot.kernelPackages.isHardened) then
(cfg.package { withBpf = false; })
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Calling package works? I've tried in repl and it doesn't. I assume this should be cfg.package.override { withBpf = false; }.

The problem is that this makes it's impossible to override withBpf to true. There is a way to make bpf version work on hardened (explained in the linked issue), and I intend to apply this on my system and use bpf version of ananicy-cpp.

I couldn't find if there's a way to check whether the argument was overriden? We could add this functionality to makeOverridable.

Though a better idea is probably to add withBpf as a service option.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JohnRTitor Yeah, this doesn't work. Just upgraded to 24.11 and got

error: attempt to call something which is not a function but a set: { type = "derivation"; NIX_HARDENING_ENABLE = «thunk»; __ignoreNulls = true; __structuredAttrs = «thunk»; all = «thunk»; args = «thunk»; buildInputs = «thunk»; builder = «thunk»; cmakeFlags = «thunk»; configureFlags = «thunk»; «37 attributes elided» }

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ugh, I hate GitHub, you never saw that comment, because it was pending. I always forget about this...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PRs welcomed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Though a better idea is probably to add withBpf as a service option.

No, because it just duplicates the package override.

Copy link
Contributor

@MrQubo MrQubo Dec 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Though a better idea is probably to add withBpf as a service option.

No, because it just duplicates the package override.

I've made an issue, so we won't misuse this already merged PR. #360957

This was referenced Dec 2, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MrQubo MrQubo MrQubo left review comments

@Artturin Artturin Awaiting requested review from Artturin

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ananicy-cpp service failure on hardened kernel
2 participants
@JohnRTitor @MrQubo