nixpkgs-suyu/pkgs/applications/virtualization/lkl/default.nix
Yureka 502c8c1587 lklWithFirewall: init
There is a pull request in the LKL repo adding firewall support:
https://github.com/lkl/linux/pull/431
It simply enables the appropriate options in the kernel config, since
the framework is already there.
It has not been merged yet, because enabling these options by default
would lead to bigger lkl binaries and an overall slowdown for all users.
However, since we can provide an opt-in variant with Firewall support,
there is no reason not to do it.

This is very useful for nftables rule checking without having access to
the kernel interface.
2022-09-21 08:17:34 +02:00

77 lines
2.6 KiB
Nix

{ lib, stdenv, fetchFromGitHub, bc, python3, bison, flex, fuse, libarchive
, buildPackages
, firewallSupport ? false
}:
stdenv.mkDerivation rec {
pname = "lkl";
version = "2022-05-18";
outputs = [ "dev" "lib" "out" ];
src = fetchFromGitHub {
owner = "lkl";
repo = "linux";
rev = "10c7b5dee8c424cc2ab754e519ecb73350283ff9";
sha256 = "sha256-D3HQdKzhB172L62a+8884bNhcv7vm/c941wzbYtbf4I=";
};
nativeBuildInputs = [ bc bison flex python3 ];
buildInputs = [ fuse libarchive ];
postPatch = ''
# Fix a /usr/bin/env reference in here that breaks sandboxed builds
patchShebangs arch/lkl/scripts
patchShebangs scripts/ld-version.sh
# Fixup build with newer Linux headers: https://github.com/lkl/linux/pull/484
sed '1i#include <linux/sockios.h>' -i tools/lkl/lib/hijack/xlate.c
'' + lib.optionalString firewallSupport ''
cat ${./lkl-defconfig-enable-nftables} >> arch/lkl/configs/defconfig
'';
installPhase = ''
mkdir -p $out/bin $lib/lib $dev
cp tools/lkl/bin/lkl-hijack.sh $out/bin
sed -i $out/bin/lkl-hijack.sh \
-e "s,LD_LIBRARY_PATH=.*,LD_LIBRARY_PATH=$lib/lib,"
cp tools/lkl/{cptofs,fs2tar,lklfuse} $out/bin
ln -s cptofs $out/bin/cpfromfs
cp -r tools/lkl/include $dev/
cp tools/lkl/liblkl.a \
tools/lkl/lib/liblkl.so \
tools/lkl/lib/hijack/liblkl-hijack.so $lib/lib
'';
# We turn off format and fortify because of these errors (fortify implies -O2, which breaks the jitter entropy code):
# fs/xfs/xfs_log_recover.c:2575:3: error: format not a string literal and no format arguments [-Werror=format-security]
# crypto/jitterentropy.c:54:3: error: #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
hardeningDisable = [ "format" "fortify" ];
makeFlags = [
"-C tools/lkl"
"CC=${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc"
"HOSTCC=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc"
"CROSS_COMPILE=${stdenv.cc.targetPrefix}"
];
enableParallelBuilding = true;
meta = with lib; {
description = "The Linux kernel as a library";
longDescription = ''
LKL (Linux Kernel Library) aims to allow reusing the Linux kernel code as
extensively as possible with minimal effort and reduced maintenance
overhead
'';
homepage = "https://github.com/lkl/linux/";
platforms = platforms.linux; # Darwin probably works too but I haven't tested it
license = licenses.gpl2;
maintainers = with maintainers; [ copumpkin ];
};
}