
nixos/lock-kernel-modules: use udevadm settle #138001

Merged
merged 1 commit into NixOS:master from rnhmjoj:lock-kernel-udev
Sep 15, 2021

Conversation

rnhmjoj
Copy link
Contributor

@rnhmjoj rnhmjoj commented Sep 15, 2021

Motivation for this change

Fix for #73095

Instead of relying on systemd-udev-settle, which is deprecated,
directly call udevadm settle to wait for hardware to settle.

Things done

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Sep 15, 2021
@rnhmjoj
Copy link
Contributor Author

rnhmjoj commented Sep 15, 2021

@GrahamcOfBorg test hardened

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Sep 15, 2021
Instead of relying on systemd-udev-settle, which is deprecated,
directly call `udevadm settle` to wait for hardware to settle.
@rnhmjoj rnhmjoj merged commit 0d1656e into NixOS:master Sep 15, 2021
@peterhoeg
Copy link
Member

Only seeing this after it was merged - I definitely think we should add a few lines of documentation next to the udevadm settle call to explain why we are doing this.

@Izorkin
Copy link
Contributor

Izorkin commented Sep 18, 2021

WARNING: This update breaks the IPv4 protocol when using hardening mode on Linux kernels 5.13 and above.

Temporary fix:

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index a4a2e8b1ff8..b0626bc890d 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -38,6 +38,11 @@ with lib;
   security.apparmor.enable = mkDefault true;
   security.apparmor.killUnconfinedConfinables = mkDefault true;

+  boot.kernelModules = [
+    # In kernel version 5.13 and higher, the af_packet module is trying to loading after modules are locked.
+    "af_packet"
+  ];
+
   boot.kernelParams = [
     # Slab/slub sanity checks, redzoning, and poisoning
     "slub_debug=FZP"
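Review bot: the comment above the added `"af_packet"` entry has a grammar slip ("is trying to loading") and leaves out the two things a reader of hardened.nix needs: the symptom this thread reports (IPv4 networking breaks because the module is only loaded after lock-kernel-modules has already disabled module loading on 5.13+), and that preloading it is a workaround for the service ordering rather than a fix. Suggest something like: `# On Linux 5.13+ af_packet is loaded only after module loading has been locked, which breaks IPv4; preload it until the lock-kernel-modules ordering is fixed.` so the entry can be dropped once the ordering is repaired.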

@Izorkin
Copy link
Contributor

Izorkin commented Sep 18, 2021

cc @joachifm @peterhoeg @rnhmjoj

@rnhmjoj
Copy link
Contributor Author

rnhmjoj commented Sep 18, 2021

I must have messed up the ordering: I tried to combine the dependencies of systemd-udev-settle with this service, but it obviously didn't work right. I'll open a PR to revert this.
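The failure mode in this thread is module loading being locked while a module the system still needs (af_packet) is absent. The script below is an added example, not the nixpkgs lock-kernel-modules script: it waits with `udevadm settle` as the PR does, then refuses to lock if any required module is missing from /proc/modules. The required-module list is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not nixpkgs code): lock module loading only once every
# module we still depend on is present.

LOCK_SYSCTL=/proc/sys/kernel/modules_disabled

# Print the names from $1 (space-separated required modules) that do not
# appear in $2 (text in /proc/modules format, one module per line, name first).
missing_modules() {
    required=$1
    # first field of each /proc/modules line is the module name
    loaded=" $(printf '%s\n' "$2" | cut -d' ' -f1 | tr '\n' ' ') "
    missing=""
    for m in $required; do
        case "$loaded" in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Wait for udev to finish processing pending events (what the PR calls
# directly instead of depending on systemd-udev-settle.service), then lock
# module loading.  Returns 1 without locking if a required module is missing,
# so networking is not silently broken by a too-early lock.
lock_modules_when_ready() {
    required=$1   # assumed list, e.g. "af_packet"
    udevadm settle
    missing=$(missing_modules "$required" "$(cat /proc/modules)")
    if [ -n "$missing" ]; then
        echo "not locking module loading; still missing: $missing" >&2
        return 1
    fi
    echo 1 > "$LOCK_SYSCTL"
}
```

Run `lock_modules_when_ready "af_packet"` as root in place of a bare write to modules_disabled; a non-zero exit means the lock was skipped and the missing modules were named on stderr.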

@rnhmjoj rnhmjoj deleted the lock-kernel-udev branch July 10, 2023 14:00