nomicon/pkgs/applications/virtualization/qemu/default.nix

{ stdenv, fetchurl, fetchpatch, python2, zlib, pkgconfig, glib
, ncurses, perl, pixman, vde2, alsaLib, texinfo, flex
, bison, lzo, snappy, libaio, gnutls, nettle, curl
, makeWrapper
, attr, libcap, libcap_ng
, CoreServices, Cocoa, rez, setfile
, numaSupport ? stdenv.isLinux, numactl
, seccompSupport ? stdenv.isLinux, libseccomp
, pulseSupport ? !stdenv.isDarwin, libpulseaudio
, sdlSupport ? !stdenv.isDarwin, SDL
, vncSupport ? true, libjpeg, libpng
, spiceSupport ? !stdenv.isDarwin, spice, spice_protocol, usbredir
, x86Only ? false
, nixosTestRunner ? false
}:

with stdenv.lib;
let
  version = "2.8.0";
  audio = optionalString (hasSuffix "linux" stdenv.system) "alsa,"
    + optionalString pulseSupport "pa,"
    + optionalString sdlSupport "sdl,";
in

stdenv.mkDerivation rec {
  name = "qemu-"
    + stdenv.lib.optionalString x86Only "x86-only-"
    + stdenv.lib.optionalString nixosTestRunner "for-vm-tests-"
    + version;

  src = fetchurl {
    url = "http://wiki.qemu.org/download/qemu-${version}.tar.bz2";
    sha256 = "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs";
  };

  buildInputs =
    [ python2 zlib pkgconfig glib ncurses perl pixman
      vde2 texinfo flex bison makeWrapper lzo snappy
      gnutls nettle curl
    ]
    ++ optionals stdenv.isDarwin [ CoreServices Cocoa rez setfile ]
    ++ optionals seccompSupport [ libseccomp ]
    ++ optionals numaSupport [ numactl ]
    ++ optionals pulseSupport [ libpulseaudio ]
    ++ optionals sdlSupport [ SDL ]
    ++ optionals vncSupport [ libjpeg libpng ]
    ++ optionals spiceSupport [ spice_protocol spice usbredir ]
    ++ optionals stdenv.isLinux [ alsaLib libaio libcap_ng libcap attr ];

  enableParallelBuilding = true;

  patches = [
    ./no-etc-install.patch

    (fetchurl {
      name = "CVE-2017-2615.patch";
      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64";
      sha256 = "0miph2x4d474issa44hmc542zxmkc7lsr4ncb7pwarq6j7v52l8h";
    })

    (fetchurl {
      name = "CVE-2017-5667.patch";
      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=42922105beb14c2fc58185ea022b9f72fb5465e9";
      sha256 = "049vq70is3fj9bf4ysfj3s44iz93qhyqn6xijck32w1x6yyzqyx4";
     })

    (fetchurl {
      name = "CVE-2017-5898.patch";
      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a";
      sha256 = "1y2j0qw04s8fl0cs8i619y08kj75lxn3c0y19g710fzpk3rq8dvn";
     })

    (fetchurl {
      name = "CVE-2017-5931.patch";
      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=a08aaff811fb194950f79711d2afe5a892ae03a4";
      sha256 = "0hlih9jhbb1mb174hvxs7pf7lgcs7s9g705ri9rliw7wrhqdpja5";
     })

    (fetchurl {
      name = "CVE-2017-5973.patch";
      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=f89b60f6e5fee3923bedf80e82b4e5efc1bb156b";
      sha256 = "06niyighjxb4p5z2as3mqfmrwrzn4sq47j7raipbq9gnda7x9sw6";
     })

  ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;

  hardeningDisable = [ "stackprotector" ];

  configureFlags =
    [ "--smbd=smbd" # use `smbd' from $PATH
      "--audio-drv-list=${audio}"
      "--sysconfdir=/etc"
      "--localstatedir=/var"
    ]
    ++ optional numaSupport "--enable-numa"
    ++ optional seccompSupport "--enable-seccomp"
    ++ optional spiceSupport "--enable-spice"
    ++ optional x86Only "--target-list=i386-softmmu,x86_64-softmmu"
    ++ optional stdenv.isDarwin "--enable-cocoa"
    ++ optional stdenv.isLinux "--enable-linux-aio";

  postFixup =
    ''
      for exe in $out/bin/qemu-system-* ; do
        paxmark m $exe
      done
    '';

  postInstall =
    ''
      # Add a ‘qemu-kvm’ wrapper for compatibility/convenience.
      p="$out/bin/qemu-system-${if stdenv.system == "x86_64-linux" then "x86_64" else "i386"}"
      if [ -e "$p" ]; then
        makeWrapper "$p" $out/bin/qemu-kvm --add-flags "\$([ -e /dev/kvm ] && echo -enable-kvm)"
      fi
    '';

  meta = with stdenv.lib; {
    homepage = http://www.qemu.org/;
    description = "A generic and open source machine emulator and virtualizer";
    license = licenses.gpl2Plus;
    maintainers = with maintainers; [ viric eelco ];
    platforms = platforms.linux ++ platforms.darwin;
  };
}
qemu: use python2 8 years ago			`{ stdenv, fetchurl, fetchpatch, python2, zlib, pkgconfig, glib`
qemu: 2.7 -> 2.8, drop 2.7 7 years ago			`, ncurses, perl, pixman, vde2, alsaLib, texinfo, flex`
qemu: add curl to buildInputs Enables support for accessing files over HTTP: qemu-system-x86_64 -drive media=cdrom,file=http://host/path.iso,readonly Increases the closures size from 445 to 447 MiB. 8 years ago			`, bison, lzo, snappy, libaio, gnutls, nettle, curl`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`, makeWrapper`
qemu: compile with cocoa for darwin support This uses the --enable-cocoa flag in qemu to build in Darwin. 8 years ago			`, attr, libcap, libcap_ng`
			`, CoreServices, Cocoa, rez, setfile`
			`, numaSupport ? stdenv.isLinux, numactl`
			`, seccompSupport ? stdenv.isLinux, libseccomp`
			`, pulseSupport ? !stdenv.isDarwin, libpulseaudio`
			`, sdlSupport ? !stdenv.isDarwin, SDL`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`, vncSupport ? true, libjpeg, libpng`
qemu: compile with cocoa for darwin support This uses the --enable-cocoa flag in qemu to build in Darwin. 8 years ago			`, spiceSupport ? !stdenv.isDarwin, spice, spice_protocol, usbredir`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`, x86Only ? false`
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 8 years ago			`, nixosTestRunner ? false`
qemu: Merge stuff from qemu-kvm 11 years ago			`}:`
qemu-1.3.1 Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need. 12 years ago
qemu: 2.0.0 -> 2.2.0 Additionally, add support for more external features as well as more sound system types. 10 years ago			`with stdenv.lib;`
			`let`
qemu: 2.7 -> 2.8, drop 2.7 7 years ago			`version = "2.8.0";`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`audio = optionalString (hasSuffix "linux" stdenv.system) "alsa,"`
			`+ optionalString pulseSupport "pa,"`
			`+ optionalString sdlSupport "sdl,";`
qemu: 2.0.0 -> 2.2.0 Additionally, add support for more external features as well as more sound system types. 10 years ago			`in`
qemu-kvm: Disambiguate 11 years ago
qemu-1.3.1 Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need. 12 years ago			`stdenv.mkDerivation rec {`
qemu: 2.7 -> 2.8, drop 2.7 7 years ago			`name = "qemu-"`
qemu-kvm: Mark the version for tests (cherry picked from commit d58a4ec1ba77e390c53c09ba6198b78f8568d495) 8 years ago			`+ stdenv.lib.optionalString x86Only "x86-only-"`
			`+ stdenv.lib.optionalString nixosTestRunner "for-vm-tests-"`
			`+ version;`
qemu-1.3.1 Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need. 12 years ago
			`src = fetchurl {`
qemu: qemu-2.4.0-x86-only -> qemu-x86-only-2.4.0 9 years ago			`url = "http://wiki.qemu.org/download/qemu-${version}.tar.bz2";`
qemu: 2.7 -> 2.8, drop 2.7 7 years ago			`sha256 = "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs";`
qemu-1.3.1 Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need. 12 years ago			`};`

Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`buildInputs =`
qemu: use python2 8 years ago			`[ python2 zlib pkgconfig glib ncurses perl pixman`
qemu: 2.7 -> 2.8, drop 2.7 7 years ago			`vde2 texinfo flex bison makeWrapper lzo snappy`
qemu: add curl to buildInputs Enables support for accessing files over HTTP: qemu-system-x86_64 -drive media=cdrom,file=http://host/path.iso,readonly Increases the closures size from 445 to 447 MiB. 8 years ago			`gnutls nettle curl`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`]`
qemu: compile with cocoa for darwin support This uses the --enable-cocoa flag in qemu to build in Darwin. 8 years ago			`++ optionals stdenv.isDarwin [ CoreServices Cocoa rez setfile ]`
			`++ optionals seccompSupport [ libseccomp ]`
			`++ optionals numaSupport [ numactl ]`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`++ optionals pulseSupport [ libpulseaudio ]`
			`++ optionals sdlSupport [ SDL ]`
			`++ optionals vncSupport [ libjpeg libpng ]`
			`++ optionals spiceSupport [ spice_protocol spice usbredir ]`
qemu: compile with cocoa for darwin support This uses the --enable-cocoa flag in qemu to build in Darwin. 8 years ago			`++ optionals stdenv.isLinux [ alsaLib libaio libcap_ng libcap attr ];`
qemu-1.3.1 Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need. 12 years ago
			`enableParallelBuilding = true;`

qemu: patch security issues in 9pfs CVE-2016-7116, others have no ID assigned, yet. Fixes from 2.7 tree. 8 years ago			`patches = [`
			`./no-etc-install.patch`
qemu: apply patches for multiple CVEs Fixes: * CVE-2017-2615 * CVE-2017-5667 * CVE-2017-5898 * CVE-2017-5931 * CVE-2017-5973 We are vulnerable to even more CVEs but those are either not severe like memory leaks in obscure situations or upstream hasn't acknowledged the patch yet. cc #23072 7 years ago
			`(fetchurl {`
			`name = "CVE-2017-2615.patch";`
			`url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64";`
			`sha256 = "0miph2x4d474issa44hmc542zxmkc7lsr4ncb7pwarq6j7v52l8h";`
			`})`

			`(fetchurl {`
			`name = "CVE-2017-5667.patch";`
			`url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=42922105beb14c2fc58185ea022b9f72fb5465e9";`
			`sha256 = "049vq70is3fj9bf4ysfj3s44iz93qhyqn6xijck32w1x6yyzqyx4";`
			`})`

			`(fetchurl {`
			`name = "CVE-2017-5898.patch";`
			`url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a";`
			`sha256 = "1y2j0qw04s8fl0cs8i619y08kj75lxn3c0y19g710fzpk3rq8dvn";`
			`})`

			`(fetchurl {`
			`name = "CVE-2017-5931.patch";`
			`url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=a08aaff811fb194950f79711d2afe5a892ae03a4";`
			`sha256 = "0hlih9jhbb1mb174hvxs7pf7lgcs7s9g705ri9rliw7wrhqdpja5";`
			`})`

			`(fetchurl {`
			`name = "CVE-2017-5973.patch";`
			`url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=f89b60f6e5fee3923bedf80e82b4e5efc1bb156b";`
			`sha256 = "06niyighjxb4p5z2as3mqfmrwrzn4sq47j7raipbq9gnda7x9sw6";`
			`})`

nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 8 years ago			`] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;`
qemu: apply patches for multiple CVEs Fixes: * CVE-2017-2615 * CVE-2017-5667 * CVE-2017-5898 * CVE-2017-5931 * CVE-2017-5973 We are vulnerable to even more CVEs but those are either not severe like memory leaks in obscure situations or upstream hasn't acknowledged the patch yet. cc #23072 7 years ago
qemu: 2.6.1 -> 2.7.0 8 years ago			`hardeningDisable = [ "stackprotector" ];`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago
			`configureFlags =`
qemu: compile with cocoa for darwin support This uses the --enable-cocoa flag in qemu to build in Darwin. 8 years ago			[ "--smbd=smbd" # use `smbd' from $PATH
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`"--audio-drv-list=${audio}"`
			`"--sysconfdir=/etc"`
			`"--localstatedir=/var"`
			`]`
qemu: compile with cocoa for darwin support This uses the --enable-cocoa flag in qemu to build in Darwin. 8 years ago			`++ optional numaSupport "--enable-numa"`
			`++ optional seccompSupport "--enable-seccomp"`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`++ optional spiceSupport "--enable-spice"`
			`++ optional x86Only "--target-list=i386-softmmu,x86_64-softmmu"`
qemu: compile with cocoa for darwin support This uses the --enable-cocoa flag in qemu to build in Darwin. 8 years ago			`++ optional stdenv.isDarwin "--enable-cocoa"`
			`++ optional stdenv.isLinux "--enable-linux-aio";`
Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago
qemu: apply PaX markings 8 years ago			`postFixup =`
			`''`
			`for exe in $out/bin/qemu-system-* ; do`
			`paxmark m $exe`
			`done`
			`'';`

Revert "qemu: 2.2.2 -> 2.3.0" This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee. 9 years ago			`postInstall =`
			`''`
			`# Add a ‘qemu-kvm’ wrapper for compatibility/convenience.`
			`p="$out/bin/qemu-system-${if stdenv.system == "x86_64-linux" then "x86_64" else "i386"}"`
			`if [ -e "$p" ]; then`
			`makeWrapper "$p" $out/bin/qemu-kvm --add-flags "\$([ -e /dev/kvm ] && echo -enable-kvm)"`
			`fi`
			`'';`
qemu-kvm: Remove But install a qemu-kvm wrapper in qemu. 11 years ago
qemu: Update 1.5.2 -> 1.7.0 10 years ago			`meta = with stdenv.lib; {`
qemu: Update to 1.5.1 11 years ago			`homepage = http://www.qemu.org/;`
			`description = "A generic and open source machine emulator and virtualizer";`
qemu: Update 1.5.2 -> 1.7.0 10 years ago			`license = licenses.gpl2Plus;`
Unmaintain a bunch of packages 9 years ago			`maintainers = with maintainers; [ viric eelco ];`
qemu: compile with cocoa for darwin support This uses the --enable-cocoa flag in qemu to build in Darwin. 8 years ago			`platforms = platforms.linux ++ platforms.darwin;`
qemu-1.3.1 Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need. 12 years ago			`};`
			`}`