Merge staging-next-23.11 into staging-23.11

nixos/modules/services/desktops/flatpak.nix

@@ -35,6 +35,7 @@ in {
     services.dbus.packages = [ pkgs.flatpak ];
 
     systemd.packages = [ pkgs.flatpak ];
+    systemd.tmpfiles.packages = [ pkgs.flatpak ];
 
     environment.profiles = [
       "$HOME/.local/share/flatpak/exports"

nixos/modules/services/misc/ollama.nix

@@ -21,6 +21,8 @@ in
         example = "/home/foo";
         description = ''
           The home directory that the ollama service is started in.
+
+          See also `services.ollama.writablePaths` and `services.ollama.sandbox`.
         '';
       };
       models = lib.mkOption {
@@ -29,6 +31,37 @@ in
         example = "/path/to/ollama/models";
         description = ''
           The directory that the ollama service will read models from and download new models to.
+
+          See also `services.ollama.writablePaths` and `services.ollama.sandbox`
+          if downloading models or other mutation of the filesystem is required.
+        '';
+      };
+      sandbox = lib.mkOption {
+        type = types.bool;
+        default = true;
+        example = false;
+        description = ''
+          Whether to enable systemd's sandboxing capabilities.
+
+          This sets [`DynamicUser`](
+          https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=
+          ), which runs the server as a unique user with read-only access to most of the filesystem.
+
+          See also `services.ollama.writablePaths`.
+        '';
+      };
+      writablePaths = lib.mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        example = [ "/home/foo" "/mnt/foo" ];
+        description = ''
+          Paths that the server should have write access to.
+
+          This sets [`ReadWritePaths`](
+          https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ReadWritePaths=
+          ), which allows specified paths to be written to through the default sandboxing.
+
+          See also `services.ollama.sandbox`.
         '';
       };
       listenAddress = lib.mkOption {
@@ -54,8 +87,8 @@ in
         type = types.attrsOf types.str;
         default = { };
         example = {
-          HOME = "/tmp";
           OLLAMA_LLM_LIBRARY = "cpu";
+          HIP_VISIBLE_DEVICES = "0,1";
         };
         description = ''
           Set arbitrary environment variables for the ollama service.
@@ -80,9 +113,10 @@ in
       };
       serviceConfig = {
         ExecStart = "${lib.getExe ollamaPackage} serve";
-        WorkingDirectory = "%S/ollama";
+        WorkingDirectory = cfg.home;
         StateDirectory = [ "ollama" ];
-        DynamicUser = true;
+        DynamicUser = cfg.sandbox;
+        ReadWritePaths = cfg.writablePaths;
       };
     };
 

nixos/tests/installed-tests/flatpak.nix

@@ -7,6 +7,7 @@ makeInstalledTest {
   testConfig = {
     xdg.portal.enable = true;
     xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+    xdg.portal.config.common.default = "gtk";
     services.flatpak.enable = true;
     environment.systemPackages = with pkgs; [ gnupg ostree python3 ];
     virtualisation.memorySize = 2047;

pkgs/applications/networking/browsers/google-chrome/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, patchelf, makeWrapper
+{ lib, stdenv, patchelf, makeWrapper, fetchurl
 
 # Linked dynamic libraries.
 , glib, fontconfig, freetype, pango, cairo, libX11, libXi, atk, nss, nspr
@@ -28,15 +28,9 @@
 ## Gentoo
 , bzip2, libcap
 
-# Which distribution channel to use.
-, channel ? "stable"
-
 # Necessary for USB audio devices.
 , pulseSupport ? true, libpulseaudio
 
-# Only needed for getting information about upstream binaries
-, chromium
-
 , gsettings-desktop-schemas
 , gnome
 
@@ -52,8 +46,6 @@ let
     withCustomModes = true;
   };
 
-  version = chromium.upstream-info.version;
-
   deps = [
     glib fontconfig freetype pango cairo libX11 libXi atk nss nspr
     libXcursor libXext libXfixes libXrender libXScrnSaver libXcomposite libxcb
@@ -70,18 +62,14 @@ let
     ++ lib.optional libvaSupport libva
     ++ [ gtk3 gtk4 ];
 
-  suffix = lib.optionalString (channel != "stable") "-${channel}";
-
-  crashpadHandlerBinary = if lib.versionAtLeast version "94"
-    then "chrome_crashpad_handler"
-    else "crashpad_handler";
+in stdenv.mkDerivation (finalAttrs: {
+  pname = "google-chrome";
+  version = "124.0.6367.118";
 
-in stdenv.mkDerivation {
-  inherit version;
-
-  name = "google-chrome${suffix}-${version}";
-
-  src = chromium.chromeSrc;
+  src = fetchurl {
+    url = "https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${finalAttrs.version}-1_amd64.deb";
+    hash = "sha256-H3bv6WiVBl4j38ROZ80+SD9UO9ok+xxcKFxDd9yjWNY=";
+  };
 
   nativeBuildInputs = [ patchelf makeWrapper ];
   buildInputs = [
@@ -103,11 +91,8 @@ in stdenv.mkDerivation {
   installPhase = ''
     runHook preInstall
 
-    case ${channel} in
-      beta) appname=chrome-beta      dist=beta     ;;
-      dev)  appname=chrome-unstable  dist=unstable ;;
-      *)    appname=chrome           dist=stable   ;;
-    esac
+    appname=chrome
+    dist=stable
 
     exe=$out/bin/google-chrome-$dist
 
@@ -149,7 +134,7 @@ in stdenv.mkDerivation {
       --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
       --add-flags ${lib.escapeShellArg commandLineArgs}
 
-    for elf in $out/share/google/$appname/{chrome,chrome-sandbox,${crashpadHandlerBinary}}; do
+    for elf in $out/share/google/$appname/{chrome,chrome-sandbox,chrome_crashpad_handler}; do
       patchelf --set-rpath $rpath $elf
       patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $elf
     done
@@ -162,13 +147,8 @@ in stdenv.mkDerivation {
     homepage = "https://www.google.com/chrome/browser/";
     license = licenses.unfree;
     sourceProvenance = with sourceTypes; [ binaryNativeCode ];
-    maintainers = with maintainers; [ primeos ];
-    # Note from primeos: By updating Chromium I also update Google Chrome and
-    # will try to merge PRs and respond to issues but I'm not actually using
-    # Google Chrome.
+    maintainers = with maintainers; [ jnsgruk ];
     platforms = [ "x86_64-linux" ];
-    mainProgram =
-      if (channel == "dev") then "google-chrome-unstable"
-      else "google-chrome-${channel}";
+    mainProgram = "google-chrome-stable";
   };
-}
+})

pkgs/applications/networking/instant-messengers/discord/default.nix

@@ -2,7 +2,7 @@
 let
   versions =
     if stdenv.isLinux then {
-      stable = "0.0.51";
+      stable = "0.0.52";
       ptb = "0.0.81";
       canary = "0.0.369";
       development = "0.0.17";
@@ -17,7 +17,7 @@ let
     x86_64-linux = {
       stable = fetchurl {
         url = "https://dl.discordapp.net/apps/linux/${version}/discord-${version}.tar.gz";
-        hash = "sha256-w8zLeaqJXdbI67X/UDxSLQxZei5eraa/BkMZa+GDpYk=";
+        hash = "sha256-5cJzedEuxdGizgUenB+DjFf+MwYk8uTH4tjiWzur+q8=";
       };
       ptb = fetchurl {
         url = "https://dl-ptb.discordapp.net/apps/linux/${version}/discord-ptb-${version}.tar.gz";

pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix

@@ -63,14 +63,14 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "telegram-desktop";
-  version = "4.16.8";
+  version = "5.0.0";
 
   src = fetchFromGitHub {
     owner = "telegramdesktop";
     repo = "tdesktop";
     rev = "v${version}";
     fetchSubmodules = true;
-    hash = "sha256-M8wFhuTTEJippgvS93LNRqREV2TGF04ccps5oOmSr+0=";
+    hash = "sha256-BjXz2LwsvmJIaN+FZ4+mLu01jaajPvwf8YPqCjx7Kw4=";
   };
 
   patches = [

pkgs/applications/science/math/R/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, bzip2, gfortran, libX11, libXmu, libXt, libjpeg, libpng
+{ lib, stdenv, fetchurl, fetchpatch, bzip2, gfortran, libX11, libXmu, libXt, libjpeg, libpng
 , libtiff, ncurses, pango, pcre2, perl, readline, tcl, texlive, texliveSmall, tk, xz, zlib
 , less, texinfo, graphviz, icu, pkg-config, bison, imake, which, jdk, blas, lapack
 , curl, Cocoa, Foundation, libobjc, libcxx, tzdata
@@ -37,6 +37,12 @@ stdenv.mkDerivation (finalAttrs: {
 
   patches = [
     ./no-usr-local-search-paths.patch
+    (fetchpatch {
+      # https://hiddenlayer.com/research/r-bitrary-code-execution/
+      name = "CVE-2024-27322.patch";
+      url = "https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7.patch";
+      hash = "sha256-CH2mMmie9E96JeGSC7UGm7/roUNhK5xv6HO53N2ixEI=";
+    })
   ];
 
   # Test of the examples for package 'tcltk' fails in Darwin sandbox. See:

pkgs/applications/virtualization/qemu/default.nix

@@ -111,6 +111,77 @@ stdenv.mkDerivation (finalAttrs: {
   separateDebugInfo = !(stdenv.isAarch64 && stdenv.isLinux);
 
   patches = [
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-1.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/eb546a3f49f45e6870ec91d792cd09f8a662c16e.patch";
+      hash = "sha256-YJCyTH/dtE3j1UnFkXB3COCKLhyeZlnHI+NCYC++urM=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-2.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/1b2a52712b249e14d246cd9c7db126088e6e64db.patch";
+      hash = "sha256-N7rvrYZEAXL/f5LhKrPYhzoV6dLdUMolNMvmJTdkTVk=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-3.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/fbeb0a160cbcc067c0e1f0d380cea4a31de213e3.patch";
+      hash = "sha256-fgB7tS0+303mHPpvNzvZT7xib6yCcVzvnGccFJnCTaY=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-4.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/4f01537ced3e787bd985b8f8de5869b92657160a.patch";
+      hash = "sha256-ssp/MefVQMfHh2q2m/MRzyu57D3q/cCiabOtUT/BQ0k=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-5.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/5d53ff200b5b0e02473b4f38bb6ea74e781115d9.patch";
+      hash = "sha256-UzPONq9AcmdXK+c40eftJA7JRiNiprM4U9Na78fFp+8=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-6.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/15b41461ea7386005194d79d0736f1975c6301d7.patch";
+      hash = "sha256-dXBbWh0ep6+oEXE/i51m6r0iX19qISpmLy2Uw/rtR0I=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-7.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/ab995895adcf30d0be416da281a0bcf3dd3f93a5.patch";
+      hash = "sha256-74xgr+mZ/EPdv/919G/useydya58mHczca8AZkobg5Q=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-8.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/6e7e387b7931d8f6451128ed06f8bca8ffa64fda.patch";
+      hash = "sha256-nj12/4EzZnLfL6NjX2X0dnXa42ESmqVuk8NcU7gZtTQ=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-9.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/1c5005c450928c77056621a561568cdea2ee24db.patch";
+      hash = "sha256-sAaQwv/JY8IWhNQcvFMl0w4c1AqiVGuZJ/a0OLhFx2s=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-10.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/516bdbc2341892fb3b3173ec393c6dfc9515608f.patch";
+      hash = "sha256-VTD8QlqPUs+QZMBU9qisilpClYMvSJY9J0dsUFods5M=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-11.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/4e6240e184cd6303b7275118c7d574c973a3be35.patch";
+      hash = "sha256-NlgzWoWmik4aDGuYiZlvn28HL2ZhBcjv7TgC5Wo+Vrk=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-12.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/9666bd2b7967182d7891e83187f41f0ae3c3cb05.patch";
+      hash = "sha256-w+ZSXkME6wtsYlDE9ELHl6CjvkLjRtTuxqF15u5mQWU=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-13.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/35a67d2aa8caf8eb0bee7d38515924c95417047e.patch";
+      hash = "sha256-3kL8HMjTe3mbvb7K07zJOHbp676oBsynLi24k2N1iBY=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-14.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/1cfe45956e03070f894e91b304e233b4d5b99719.patch";
+      hash = "sha256-jnZ/kvKugCc5EjETuyXQ8v3zlpkay1J9BaopmlRIRgE=";
+    })
+
     ./fix-qemu-ga.patch
 
     # QEMU upstream does not demand compatibility to pre-10.13, so 9p-darwin

pkgs/development/libraries/flatpak/default.nix

@@ -54,14 +54,14 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "flatpak";
-  version = "1.14.4";
+  version = "1.14.6";
 
   # TODO: split out lib once we figure out what to do with triggerdir
   outputs = [ "out" "dev" "man" "doc" "devdoc" "installedTests" ];
 
   src = fetchurl {
     url = "https://github.com/flatpak/flatpak/releases/download/${finalAttrs.version}/flatpak-${finalAttrs.version}.tar.xz";
-    sha256 = "sha256-ijTb0LZ8Q051mLmOxpCVPQRvDbJuSArq+0bXKuxxZ5k="; # Taken from https://github.com/flatpak/flatpak/releases/
+    sha256 = "sha256-U482ssb4xw7v0S0TrVsa2DCCAQaovTqfa45NnegeSUY="; # Taken from https://github.com/flatpak/flatpak/releases/
   };
 
   patches = [

pkgs/development/libraries/flatpak/fix-test-paths.patch

@@ -63,7 +63,7 @@ index afa11a6b..5b12055f 100755
  flatpak build-finish ${DIR} >&2
  mkdir -p repos
 diff --git a/tests/make-test-runtime.sh b/tests/make-test-runtime.sh
-index 4ba950df..fd50fab3 100755
+index 6345ff58..fd50fab3 100755
 --- a/tests/make-test-runtime.sh
 +++ b/tests/make-test-runtime.sh
 @@ -28,9 +28,10 @@ EOF
@@ -78,7 +78,7 @@ index 4ba950df..fd50fab3 100755
  mkdir -p ${DIR}/usr/bin
  mkdir -p ${DIR}/usr/lib
  ln -s ../lib ${DIR}/usr/lib64
-@@ -40,40 +41,17 @@ if test -f /sbin/ldconfig.real; then
+@@ -40,46 +41,17 @@ if test -f /sbin/ldconfig.real; then
  else
      cp "$(type -P ldconfig)" "${DIR}/usr/bin"
  fi
@@ -89,6 +89,12 @@ index 4ba950df..fd50fab3 100755
 -    local f=$1
 -    shift
 -
+-    # Check if the program is installed
+-    if ! command -v "${f}" &> /dev/null; then
+-        echo "${f} not found"
+-        exit 1
+-    fi
+-
 -    if grep -qFe "${f}" $BINS; then
 -        # Already handled
 -        return 0
@@ -129,7 +135,7 @@ index 4ba950df..fd50fab3 100755
  done
  ln -s bash ${DIR}/usr/bin/sh
 
-@@ -84,11 +62,13 @@ echo "Hello world, from a runtime$EXTRA"
+@@ -90,11 +62,13 @@ echo "Hello world, from a runtime$EXTRA"
  EOF
  chmod a+x ${DIR}/usr/bin/runtime_hello.sh
 

pkgs/development/libraries/flatpak/unset-env-vars.patch

@@ -1,11 +1,11 @@
 diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 8fa8c0e0..e1cdeba0 100644
+index 6f54a9d0..102d9b90 100644
 --- a/common/flatpak-run.c
 +++ b/common/flatpak-run.c
-@@ -1900,6 +1900,7 @@ static const ExportData default_exports[] = {
-   {"XKB_CONFIG_ROOT", NULL},
-   {"GIO_EXTRA_MODULES", NULL},
+@@ -1902,6 +1902,7 @@ static const ExportData default_exports[] = {
    {"GDK_BACKEND", NULL},
+   {"VK_DRIVER_FILES", NULL},
+   {"VK_ICD_FILENAMES", NULL},
 +  {"GDK_PIXBUF_MODULE_FILE", NULL},
  };