Merge master into staging-next

lib/systems/default.nix

@@ -85,17 +85,18 @@ rec {
         # is why we use the more obscure "bfd" and not "binutils" for this
         # choice.
         else                                     "bfd";
-      extensions = rec {
-        sharedLibrary = assert final.hasSharedLibraries;
-          /**/ if final.isDarwin  then ".dylib"
+      extensions = lib.optionalAttrs final.hasSharedLibraries {
+        sharedLibrary =
+          if      final.isDarwin  then ".dylib"
           else if final.isWindows then ".dll"
           else                         ".so";
+      } // {
         staticLibrary =
           /**/ if final.isWindows then ".lib"
           else                         ".a";
         library =
-          /**/ if final.isStatic then staticLibrary
-          else                        sharedLibrary;
+          /**/ if final.isStatic then final.extensions.staticLibrary
+          else                        final.extensions.sharedLibrary;
         executable =
           /**/ if final.isWindows then ".exe"
           else                         "";

maintainers/maintainer-list.nix

@@ -10839,6 +10839,12 @@
       fingerprint = "FEF0 AE2D 5449 3482 5F06  40AA 186A 1EDA C5C6 3F83";
     }];
   };
+  mig4ng = {
+    email = "mig4ng@gmail.com";
+    github = "mig4ng";
+    githubId = 5817039;
+    name = "Miguel Carneiro";
+  };
   mightyiam = {
     email = "mightyiampresence@gmail.com";
     github = "mightyiam";
@@ -18466,6 +18472,12 @@
     github = "zmitchell";
     githubId = 10246891;
   };
+  znewman01 = {
+    email = "znewman01@gmail.com";
+    github = "znewman01";
+    githubId = 873857;
+    name = "Zack Newman";
+  };
   zoedsoupe = {
     github = "zoedsoupe";
     githubId = 44469426;

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -26,6 +26,8 @@
 
 - [trust-dns](https://trust-dns.org/), a Rust based DNS server built to be safe and secure from the ground up. Available as [services.trust-dns](#opt-services.trust-dns.enable).
 
+- [osquery](https://www.osquery.io/), a SQL powered operating system instrumentation, monitoring, and analytics.
+
 ## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
 
 - The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices.

nixos/lib/make-disk-image.nix

@@ -572,7 +572,7 @@ let format' = format; in let
       ${lib.optionalString installBootLoader ''
         # In this throwaway resource, we only have /dev/vda, but the actual VM may refer to another disk for bootloader, e.g. /dev/vdb
         # Use this option to create a symlink from vda to any arbitrary device you want.
-        ${optionalString (config.boot.loader.grub.device != "/dev/vda") ''
+        ${optionalString (config.boot.loader.grub.enable && config.boot.loader.grub.device != "/dev/vda") ''
             mkdir -p $(dirname ${config.boot.loader.grub.device})
             ln -s /dev/vda ${config.boot.loader.grub.device}
         ''}

nixos/modules/module-list.nix

@@ -764,6 +764,7 @@
   ./services/monitoring/nagios.nix
   ./services/monitoring/netdata.nix
   ./services/monitoring/opentelemetry-collector.nix
+  ./services/monitoring/osquery.nix
   ./services/monitoring/parsedmarc.nix
   ./services/monitoring/prometheus/alertmanager-irc-relay.nix
   ./services/monitoring/prometheus/alertmanager.nix

nixos/modules/rename.nix

@@ -72,7 +72,6 @@ in
     (mkRemovedOptionModule [ "services" "mesos" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "services" "moinmoin" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "services" "mwlib" ] "The corresponding package was removed from nixpkgs.")
-    (mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
     (mkRemovedOptionModule [ "services" "pantheon" "files" ] ''
       This module was removed, please add pkgs.pantheon.elementary-files to environment.systemPackages directly.
     '')

nixos/modules/services/monitoring/osquery.nix

@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.osquery;
+  dirname = path: with lib.strings; with lib.lists; concatStringsSep "/"
+    (init (splitString "/" (normalizePath path)));
+
+  # conf is the osquery configuration file used when the --config_plugin=filesystem.
+  # filesystem is the osquery default value for the config_plugin flag.
+  conf = pkgs.writeText "osquery.conf" (builtins.toJSON cfg.settings);
+
+  # flagfile is the file containing osquery command line flags to be
+  # provided to the application using the special --flagfile option.
+  flagfile = pkgs.writeText "osquery.flags"
+    (concatStringsSep "\n"
+      (mapAttrsToList (name: value: "--${name}=${value}")
+        # Use the conf derivation if not otherwise specified.
+        ({ config_path = conf; } // cfg.flags)));
+
+  osqueryi = pkgs.runCommand "osqueryi" { nativeBuildInputs = [ pkgs.makeWrapper ]; } ''
+    mkdir -p $out/bin
+    makeWrapper ${pkgs.osquery}/bin/osqueryi $out/bin/osqueryi \
+      --add-flags "--flagfile ${flagfile}"
+  '';
+in
+{
+  options.services.osquery = {
+    enable = mkEnableOption (mdDoc "osqueryd daemon");
+
+    settings = mkOption {
+      default = { };
+      description = mdDoc ''
+        Configuration to be written to the osqueryd JSON configuration file.
+        To understand the configuration format, refer to https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-components.
+      '';
+      example = {
+        options.utc = false;
+      };
+      type = types.attrs;
+    };
+
+    flags = mkOption {
+      default = { };
+      description = mdDoc ''
+        Attribute set of flag names and values to be written to the osqueryd flagfile.
+        For more information, refer to https://osquery.readthedocs.io/en/stable/installation/cli-flags.
+      '';
+      example = {
+        config_refresh = "10";
+      };
+      type = with types;
+        submodule {
+          freeformType = attrsOf str;
+          options = {
+            database_path = mkOption {
+              default = "/var/lib/osquery/osquery.db";
+              readOnly = true;
+              description = mdDoc "Path used for the database file.";
+              type = path;
+            };
+            logger_path = mkOption {
+              default = "/var/log/osquery";
+              readOnly = true;
+              description = mdDoc "Base directory used for logging.";
+              type = path;
+            };
+            pidfile = mkOption {
+              default = "/run/osquery/osqueryd.pid";
+              readOnly = true;
+              description = mdDoc "Path used for pid file.";
+              type = path;
+            };
+          };
+        };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ osqueryi ];
+    systemd.services.osqueryd = {
+      after = [ "network.target" "syslog.service" ];
+      description = "The osquery daemon";
+      serviceConfig = {
+        ExecStart = "${pkgs.osquery}/bin/osqueryd --flagfile ${flagfile}";
+        PIDFile = cfg.flags.pidfile;
+        LogsDirectory = cfg.flags.logger_path;
+        StateDirectory = dirname cfg.flags.database_path;
+        Restart = "always";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+    systemd.tmpfiles.rules = [
+      "d ${dirname (cfg.flags.pidfile)} 0755 root root -"
+    ];
+  };
+}

nixos/tests/all-tests.nix

@@ -577,6 +577,7 @@ in {
   openvscode-server = handleTest ./openvscode-server.nix {};
   orangefs = handleTest ./orangefs.nix {};
   os-prober = handleTestOn ["x86_64-linux"] ./os-prober.nix {};
+  osquery = handleTestOn ["x86_64-linux"] ./osquery.nix {};
   osrm-backend = handleTest ./osrm-backend.nix {};
   overlayfs = handleTest ./overlayfs.nix {};
   pacemaker = handleTest ./pacemaker.nix {};

nixos/tests/osquery.nix

@@ -0,0 +1,56 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+
+with lib;
+
+let
+  config_refresh = "10";
+  nullvalue = "NULL";
+  utc = false;
+in
+{
+  name = "osquery";
+  meta = with maintainers; {
+    maintainers = [ znewman01 lewo ];
+  };
+
+  nodes.machine = { config, pkgs, ... }: {
+    services.osquery = {
+      enable = true;
+
+      settings.options = { inherit nullvalue utc; };
+      flags = {
+        inherit config_refresh;
+        nullvalue = "IGNORED";
+      };
+    };
+  };
+
+  testScript = { nodes, ... }:
+    let
+      cfg = nodes.machine.services.osquery;
+    in
+    ''
+      machine.start()
+      machine.wait_for_unit("osqueryd.service")
+
+      # Stop the osqueryd service so that we can use osqueryi to check information stored in the database.
+      machine.wait_until_succeeds("systemctl stop osqueryd.service")
+
+      # osqueryd was able to query information about the host.
+      machine.succeed("echo 'SELECT address FROM etc_hosts LIMIT 1;' | osqueryi | tee /dev/console | grep -q '127.0.0.1'")
+
+      # osquery binaries respect configuration from the Nix config option.
+      machine.succeed("echo 'SELECT value FROM osquery_flags WHERE name = \"utc\";' | osqueryi | tee /dev/console | grep -q ${boolToString utc}")
+
+      # osquery binaries respect configuration from the Nix flags option.
+      machine.succeed("echo 'SELECT value FROM osquery_flags WHERE name = \"config_refresh\";' | osqueryi | tee /dev/console | grep -q ${config_refresh}")
+
+      # Demonstrate that osquery binaries prefer configuration plugin options over CLI flags.
+      # https://osquery.readthedocs.io/en/latest/deployment/configuration/#options.
+      machine.succeed("echo 'SELECT value FROM osquery_flags WHERE name = \"nullvalue\";' | osqueryi | tee /dev/console | grep -q ${nullvalue}")
+
+      # Module creates directories for default database_path and pidfile flag values.
+      machine.succeed("test -d $(dirname ${cfg.flags.database_path})")
+      machine.succeed("test -d $(dirname ${cfg.flags.pidfile})")
+    '';
+})

pkgs/applications/graphics/ImageMagick/default.nix

@@ -47,13 +47,13 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "imagemagick";
-  version = "7.1.1-12";
+  version = "7.1.1-13";
 
   src = fetchFromGitHub {
     owner = "ImageMagick";
     repo = "ImageMagick";
     rev = finalAttrs.version;
-    hash = "sha256-URwSufiTcLGWRFNOJidJyEcIPxWUSdN7yHaCiFh7GEI=";
+    hash = "sha256-HrUka7VLF9YH23TxDQeQpulQf3ssSfYOhi29v2onvCE=";
   };
 
   outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
@@ -124,7 +124,7 @@ stdenv.mkDerivation (finalAttrs: {
   '';
 
   passthru.tests = {
-    version = testers.testVersion { package = imagemagick; };
+    version = testers.testVersion { package = finalAttrs.finalPackage; };
     inherit (python3.pkgs) img2pdf;
     pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
   };

pkgs/applications/networking/cluster/kubevpn/default.nix

@@ -0,0 +1,26 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "kubevpn";
+  version = "1.1.34";
+
+  src = fetchFromGitHub {
+    owner  = "KubeNetworks";
+    repo   = "kubevpn";
+    rev    = "v${version}";
+    sha256 = "sha256-P4lROZ6UxsCtMwGWIDBkXjd8v/wtD7u9LBoUUzP9Tz0=";
+  };
+
+  vendorHash = "sha256-LihRVqVMrN45T9NLOQw/EsrEMTSLYYhWzVm+lYXtFRQ=";
+
+  # TODO investigate why some config tests are failing
+  doCheck = false;
+
+  meta = with lib; {
+    changelog = "https://github.com/KubeNetworks/kubevpn/releases/tag/${src.rev}";
+    description = "Create a VPN and connect to Kubernetes cluster network, access resources, and more";
+    homepage = "https://github.com/KubeNetworks/kubevpn";
+    license = licenses.mit;
+    maintainers = with maintainers; [ mig4ng ];
+  };
+}

pkgs/applications/networking/cluster/nomad/default.nix

@@ -77,9 +77,20 @@ rec {
 
   nomad_1_5 = generic {
     buildGoModule = buildGo120Module;
-    version = "1.5.6";
-    sha256 = "sha256-eFzGaTJ9BcK5F10lkTKB3sNaGZsmZ0BbPZI6kT5ZUpo=";
-    vendorSha256 = "sha256-tOUQr44wUhhCccvj4dCI7fvLMrKaEX7xY7035Q3wU3M=";
+    version = "1.5.7";
+    sha256 = "sha256-IafIC1YVbJFQjC04S2rqjDgB83uSFpMajgsKxfFc/H8=";
+    vendorSha256 = "sha256-y3WiQuoQn6SdwTgtPWuB6EBtsJC+YleQPzownZQNkno=";
+    passthru.tests.nomad = nixosTests.nomad;
+    preCheck = ''
+      export PATH="$PATH:/build/go/bin"
+    '';
+  };
+
+  nomad_1_6 = generic {
+    buildGoModule = buildGo120Module;
+    version = "1.6.0";
+    sha256 = "sha256-979SlqBu2/kUdPB4BplhOcEq0J2sjKmFkEiLOzOAUPM=";
+    vendorSha256 = "sha256-Y3O7ADzZPlLWFbXSYBcI6b5MAhMD0UnkhQxO9VJMpOY=";
     passthru.tests.nomad = nixosTests.nomad;
     preCheck = ''
       export PATH="$PATH:/build/go/bin"

pkgs/applications/radio/cloudlog/default.nix

@@ -8,13 +8,13 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "cloudlog";
-  version = "2.4.3";
+  version = "2.4.5";
 
   src = fetchFromGitHub {
     owner = "magicbug";
     repo = "Cloudlog";
     rev = version;
-    sha256 = "sha256-2L+Yp8yxhmoVh34cW1s5Xy1f0X2xUo3UP32XcAV2LsM=";
+    sha256 = "sha256-L68jk49lGw9LNSqIPlDp2WHoQhn8UBW6VDZwsCtjTQI=";
   };
 
   postPath = ''

pkgs/development/interpreters/elixir/generic-builder.nix

@@ -50,14 +50,14 @@ stdenv.mkDerivation ({
     # to PATH so the scripts can run without problems.
 
     for f in $out/bin/*; do
-     b=$(basename $f)
+      b=$(basename $f)
       if [ "$b" = mix ]; then continue; fi
       wrapProgram $f \
         --prefix PATH ":" "${lib.makeBinPath [ erlang coreutils curl bash ]}"
     done
 
     substituteInPlace $out/bin/mix \
-          --replace "/usr/bin/env elixir" "${coreutils}/bin/env elixir"
+      --replace "/usr/bin/env elixir" "${coreutils}/bin/env $out/bin/elixir"
   '';
 
   pos = builtins.unsafeGetAttrPos "sha256" args;

pkgs/development/node-packages/node-packages.json

@@ -123,6 +123,7 @@
 , "diagnostic-languageserver"
 , "diff2html-cli"
 , "dockerfile-language-server-nodejs"
+, "dotenv-cli"
 , "dotenv-vault"
 , "elasticdump"
 , "@electron-forge/cli"

pkgs/development/ocaml-modules/iri/default.nix

@@ -4,15 +4,16 @@
 
 buildDunePackage rec {
   pname = "iri";
-  version = "0.6.0";
-  duneVersion = "3";
+  version = "0.7.0";
+
+  minimalOCamlVersion = "4.12";
 
   src = fetchFromGitLab {
     domain = "framagit.org";
     owner = "zoggy";
     repo = "ocaml-iri";
     rev = version;
-    sha256 = "sha256:0zk8nnwcyljkc1a556byncv6cn1vqhk4267z1lm15flh1k7chyax";
+    hash = "sha256-Mkg7kIIVpKbeWUras1RqtJsRx2Q3dBnm4QqSMJFweF8=";
   };
 
   propagatedBuildInputs = [ sedlex uunf uutf ];

pkgs/development/web/minify/default.nix

@@ -1,24 +1,51 @@
-{ buildGoModule, fetchFromGitHub, lib }:
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, installShellFiles
+, nix-update-script
+, testers
+, minify
+}:
 
 buildGoModule rec {
   pname = "minify";
-  version = "2.11.1";
+  version = "2.12.7";
 
   src = fetchFromGitHub {
     owner = "tdewolff";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-qna2u+Y4eRGLNvRKDbL/VQud1pn8b1wWzbKQM1p0Yws=";
+    hash = "sha256-V3lFM58ciU9RrIp5s+ZMaCUAfRJxbTuQxusXhLCiGmI=";
   };
 
-  vendorSha256 = "sha256-stj3fOaPM70kF6vTX/DEs4qFq/O0Vq0TFw0J/3L5NmA=";
+  patches = [ ./update-go-version-mod.patch ];
+
+  vendorHash = "sha256-v3ZPaeE1YW9BRXHxGsmN8tHv3ApOY+NivfePctOmYlM=";
+
+  nativeBuildInputs = [ installShellFiles ];
 
   ldflags = [ "-s" "-w" "-X main.Version=${version}" ];
 
+  subPackages = [ "cmd/minify" ];
+
+  passthru = {
+    updateScript = nix-update-script { };
+    tests.version = testers.testVersion {
+      inherit version;
+      package = minify;
+      command = "minify --version";
+    };
+  };
+
+  postInstall = ''
+    installShellCompletion --cmd minify --bash cmd/minify/bash_completion
+  '';
+
   meta = with lib; {
-    description = "Minifiers for web formats";
-    license = licenses.mit;
+    description = "Go minifiers for web formats";
     homepage = "https://go.tacodewolff.nl/minify";
     downloadPage = "https://github.com/tdewolff/minify";
+    changelog = "https://github.com/tdewolff/minify/releases/tag/v${version}";
+    license = licenses.mit;
   };
 }

pkgs/development/web/minify/update-go-version-mod.patch

@@ -0,0 +1,12 @@
+diff --git a/go.mod b/go.mod
+index cebe363..f9ae9c8 100644
+--- a/go.mod
++++ b/go.mod
+@@ -1,6 +1,6 @@
+ module github.com/tdewolff/minify/v2
+ 
+-go 1.13
++go 1.18
+ 
+ require (
+ 	github.com/cheekybits/is v0.0.0-20150225183255-68e9c0620927 // indirect

pkgs/tools/security/rbw/default.nix

@@ -5,7 +5,7 @@
 , openssl
 , pkg-config
 , installShellFiles
-, Security
+, darwin
 
   # rbw-fzf
 , withFzf ? false
@@ -24,20 +24,23 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "rbw";
-  version = "1.7.1";
+  version = "1.8.1";
 
   src = fetchzip {
     url = "https://git.tozt.net/rbw/snapshot/rbw-${version}.tar.gz";
-    sha256 = "sha256-xE3T3iVXFaaTF90ehQiG6+dLXcsqrHeprSMUnlSsxkE=";
+    sha256 = "sha256-cRfCsuhVlTRSgndf4rZrfLG/+NgI4VshVwbQydJt2cE=";
   };
 
-  cargoHash = "sha256-eaG56FGz4smlqDPi/CJ0KB7NMEgp684X19PVWxGQutw=";
+  cargoHash = "sha256-CFhBSRqWAJJJkeMNnLwp6/pLhIZHFvdlPn7pjfJFBWw=";
 
   nativeBuildInputs = [
     installShellFiles
   ] ++ lib.optionals stdenv.isLinux [ pkg-config ];
 
-  buildInputs = lib.optionals stdenv.isDarwin [ Security ];
+  buildInputs = lib.optionals stdenv.isDarwin [
+    darwin.apple_sdk.frameworks.Security
+    darwin.apple_sdk.frameworks.AppKit
+  ];
 
   preConfigure = lib.optionalString stdenv.isLinux ''
     export OPENSSL_INCLUDE_DIR="${openssl.dev}/include"

pkgs/tools/system/osquery/Remove-circular-definition-of-AUDIT_FILTER_EXCLUDE.patch

@@ -0,0 +1,25 @@
+From: Jack Baldry <jack.baldry@grafana.com>
+Date: Tue, 15 Nov 2022 15:40:31 -0400
+Subject: [PATCH] Remove circular definition of AUDIT_FILTER_EXCLUDE
+
+https://github.com/osquery/osquery/issues/6551
+
+Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
+---
+ libraries/cmake/source/libaudit/src/lib/libaudit.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/libraries/cmake/source/libaudit/src/lib/libaudit.h b/libraries/cmake/source/libaudit/src/libaudit.h
+--- a/libraries/cmake/source/libaudit/src/lib/libaudit.h
++++ b/libraries/cmake/source/libaudit/src/lib/libaudit.h
+@@ -260,7 +260,6 @@ extern "C" {
+ #define AUDIT_KEY_SEPARATOR 0x01
+ 
+ /* These are used in filter control */
+-#define AUDIT_FILTER_EXCLUDE	AUDIT_FILTER_TYPE
+ #define AUDIT_FILTER_MASK	0x07	/* Mask to get actual filter */
+ #define AUDIT_FILTER_UNSET	0x80	/* This value means filter is unset */
+ 
+-- 
+2.38.1
+

pkgs/tools/system/osquery/Remove-git-reset.patch

@@ -0,0 +1,37 @@
+From: Jack Baldry <jack.baldry@grafana.com>
+Date: Tue, 15 Nov 2022 13:48:07 -0400
+Subject: [PATCH] Remove git reset
+
+This is not required for nixpkgs builds because we are not working in
+the source repository and therefore do not need to be careful about
+updating submodule content.
+
+Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
+---
+ libraries/cmake/source/modules/utils.cmake | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/libraries/cmake/source/modules/utils.cmake b/libraries/cmake/source/modules/utils.cmake
+--- a/libraries/cmake/source/modules/utils.cmake
++++ b/libraries/cmake/source/modules/utils.cmake
+@@ -102,17 +102,6 @@ function(patchSubmoduleSourceCode library_name patches_dir source_dir apply_to_d
+     file(COPY "${source_dir}" DESTINATION "${parent_dir}")
+   endif()
+ 
+-  # We need to restore the source code to its original state, pre patch
+-  execute_process(
+-    COMMAND "${GIT_EXECUTABLE}" reset --hard HEAD
+-    RESULT_VARIABLE process_exit_code
+-    WORKING_DIRECTORY "${source_dir}"
+-  )
+-
+-  if(NOT ${process_exit_code} EQUAL 0)
+-    message(FATAL_ERROR "Failed to git reset the following submodule: \"${source_dir}\"")
+-  endif()
+-
+   set(patchSubmoduleSourceCode_Patched TRUE PARENT_SCOPE)
+ endfunction()
+ 
+-- 
+2.38.1
+

pkgs/tools/system/osquery/Remove-system-controls-table.patch

@@ -0,0 +1,157 @@
+From: Jack Baldry <jack.baldry@grafana.com>
+Date: Wed, 16 Nov 2022 22:00:06 -0400
+Subject: [PATCH] Remove system controls table
+
+Relies on <sys/sysctl.h> which is not present in glibc since 2.32.
+
+Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
+---
+ osquery/tables/system/CMakeLists.txt         |  4 --
+ specs/CMakeLists.txt                         |  1 -
+ specs/posix/system_controls.table            | 21 -------
+ tests/integration/tables/system_controls.cpp | 61 --------------------
+ 4 files changed, 87 deletions(-)
+ delete mode 100644 specs/posix/system_controls.table
+ delete mode 100644 tests/integration/tables/system_controls.cpp
+
+diff --git a/osquery/tables/system/CMakeLists.txt b/osquery/tables/system/CMakeLists.txt
+--- a/osquery/tables/system/CMakeLists.txt
++++ b/osquery/tables/system/CMakeLists.txt
+@@ -43,7 +43,6 @@ function(generateOsqueryTablesSystemSystemtable)
+       posix/smbios_utils.cpp
+       posix/sudoers.cpp
+       posix/suid_bin.cpp
+-      posix/system_controls.cpp
+       posix/ulimit_info.cpp
+     )
+   endif()
+@@ -82,7 +81,6 @@ function(generateOsqueryTablesSystemSystemtable)
+       linux/shared_memory.cpp
+       linux/smbios_tables.cpp
+       linux/startup_items.cpp
+-      linux/sysctl_utils.cpp
+       linux/system_info.cpp
+       linux/usb_devices.cpp
+       linux/user_groups.cpp
+@@ -156,7 +154,6 @@ function(generateOsqueryTablesSystemSystemtable)
+       darwin/smbios_tables.cpp
+       darwin/smc_keys.cpp
+       darwin/startup_items.cpp
+-      darwin/sysctl_utils.cpp
+       darwin/system_extensions.mm
+       darwin/system_info.cpp
+       darwin/time_machine.cpp
+@@ -326,7 +323,6 @@ function(generateOsqueryTablesSystemSystemtable)
+       posix/shell_history.h
+       posix/ssh_keys.h
+       posix/sudoers.h
+-      posix/sysctl_utils.h
+       posix/last.h
+       posix/openssl_utils.h
+       posix/authorized_keys.h
+diff --git a/specs/CMakeLists.txt b/specs/CMakeLists.txt
+--- a/specs/CMakeLists.txt
++++ b/specs/CMakeLists.txt
+@@ -246,7 +246,6 @@ function(generateNativeTables)
+     "posix/socket_events.table:linux,macos"
+     "posix/sudoers.table:linux,macos,freebsd"
+     "posix/suid_bin.table:linux,macos,freebsd"
+-    "posix/system_controls.table:linux,macos,freebsd"
+     "posix/ulimit_info.table:linux,macos,freebsd"
+     "posix/usb_devices.table:linux,macos"
+     "posix/user_events.table:linux,macos,freebsd"
+diff --git a/specs/posix/system_controls.table b/specs/posix/system_controls.table
+deleted file mode 100644
+--- a/specs/posix/system_controls.table
++++ /dev/null
+@@ -1,21 +0,0 @@
+-table_name("system_controls")
+-description("sysctl names, values, and settings information.")
+-schema([
+-    Column("name", TEXT, "Full sysctl MIB name", index=True),
+-    Column("oid", TEXT, "Control MIB", additional=True),
+-    Column("subsystem", TEXT, "Subsystem ID, control type", additional=True),
+-    Column("current_value", TEXT, "Value of setting"),
+-    Column("config_value", TEXT, "The MIB value set in /etc/sysctl.conf"),
+-    Column("type", TEXT, "Data type"),
+-])
+-extended_schema(DARWIN, [
+-    Column("field_name", TEXT, "Specific attribute of opaque type"),
+-])
+-
+-implementation("system_controls@genSystemControls")
+-fuzz_paths([
+-    "/run/sysctl.d/",
+-    "/usr/lib/sysctl.d/",
+-    "/lib/sysctl.d/",
+-    "/sys"
+-])
+diff --git a/tests/integration/tables/system_controls.cpp b/tests/integration/tables/system_controls.cpp
+deleted file mode 100644
+--- a/tests/integration/tables/system_controls.cpp
++++ /dev/null
+@@ -1,61 +0,0 @@
+-/**
+- * Copyright (c) 2014-present, The osquery authors
+- *
+- * This source code is licensed as defined by the LICENSE file found in the
+- * root directory of this source tree.
+- *
+- * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
+- */
+-
+-// Sanity check integration test for system_controls
+-// Spec file: specs/posix/system_controls.table
+-
+-#include <osquery/tests/integration/tables/helper.h>
+-
+-namespace osquery {
+-namespace table_tests {
+-namespace {
+-
+-class SystemControlsTest : public testing::Test {
+- protected:
+-  void SetUp() override {
+-    setUpEnvironment();
+-  }
+-};
+-
+-TEST_F(SystemControlsTest, test_sanity) {
+-  auto const rows = execute_query("select * from system_controls");
+-  auto const row_map = ValidationMap{
+-      {"name", NonEmptyString},
+-      {"oid", NormalType},
+-      {"subsystem",
+-       SpecificValuesCheck{"",
+-                           "abi",
+-                           "debug",
+-                           "dev",
+-                           "fs",
+-                           "fscache",
+-                           "hw",
+-                           "kern",
+-                           "kernel",
+-                           "machdep",
+-                           "net",
+-                           "sunrpc",
+-                           "user",
+-                           "vfs",
+-                           "vm"}},
+-      {"current_value", NormalType},
+-      {"config_value", NormalType},
+-      {"type",
+-       SpecificValuesCheck{
+-           "", "node", "int", "string", "quad", "opaque", "struct"}},
+-#ifdef __APPLE__
+-      {"field_name", NormalType},
+-#endif
+-  };
+-  validate_rows(rows, row_map);
+-}
+-
+-} // namespace
+-} // namespace table_tests
+-} // namespace osquery
+-- 
+2.38.1
+

pkgs/tools/system/osquery/Use-locale.h-instead-of-removed-xlocale.h-header.patch

@@ -0,0 +1,29 @@
+From: Jack Baldry <jack.baldry@grafana.com>
+Date: Tue, 15 Nov 2022 14:34:33 -0400
+Subject: [PATCH] Use locale.h instead of removed xlocale.h header
+
+https://sourceware.org/glibc/wiki/Release/2.26#Removal_of_.27xlocale.h.27
+
+Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
+---
+ libraries/cmake/source/augeas/gnulib/generated/linux/x86_64/lib/locale.h  | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/cmake/source/augeas/gnulib/generated/linux/x86_64/lib/locale.h b/libraries/cmake/source/augeas/gnulib/generated/linux/x86_64/lib/locale.h
+--- a/libraries/cmake/source/augeas/gnulib/generated/linux/x86_64/lib/locale.h
++++ b/libraries/cmake/source/augeas/gnulib/generated/linux/x86_64/lib/locale.h
+@@ -48,9 +48,9 @@
+ /* NetBSD 5.0 mis-defines NULL.  */
+ #include <stddef.h>
+ 
+-/* Mac OS X 10.5 defines the locale_t type in <xlocale.h>.  */
++/* Mac OS X 10.5 defines the locale_t type in <locale.h>.  */
+ #if 1
+-# include <xlocale.h>
++# include <locale.h>
+ #endif
+ 
+ /* The definitions of _GL_FUNCDECL_RPL etc. are copied here.  */
+-- 
+2.38.1
+

pkgs/tools/system/osquery/default.nix

@@ -0,0 +1,85 @@
+{ lib
+, cmake
+, fetchFromGitHub
+, git
+, llvmPackages
+, nixosTests
+, overrideCC
+, perl
+, python3
+, stdenv
+, openssl_1_1
+}:
+
+let
+  buildStdenv = overrideCC stdenv llvmPackages.clangUseLLVM;
+in
+buildStdenv.mkDerivation rec {
+  pname = "osquery";
+  version = "5.5.1";
+
+  src = fetchFromGitHub {
+    owner = "osquery";
+    repo = "osquery";
+    rev = version;
+    fetchSubmodules = true;
+    sha256 = "sha256-Q6PQVnBjAjAlR725fyny+RhQFUNwxWGjLDuS5p9JKlU=";
+  };
+
+  patches = [
+    ./Remove-git-reset.patch
+    ./Use-locale.h-instead-of-removed-xlocale.h-header.patch
+    ./Remove-circular-definition-of-AUDIT_FILTER_EXCLUDE.patch
+    # For current state of compilation against glibc in the clangWithLLVM toolchain, refer to the upstream issue in https://github.com/osquery/osquery/issues/7823.
+    ./Remove-system-controls-table.patch
+  ];
+
+
+  buildInputs = [
+    llvmPackages.libunwind
+  ];
+  nativeBuildInputs = [
+    cmake
+    git
+    perl
+    python3
+  ];
+
+  postPatch = ''
+    substituteInPlace cmake/install_directives.cmake --replace "/control" "control"
+    # This is required to build libarchive with our glibc version
+    # which provides the ARC4RANDOM_BUF function
+    substituteInPlace libraries/cmake/source/libarchive/CMakeLists.txt --replace "  target_compile_definitions(thirdparty_libarchive PRIVATE" "  target_compile_definitions(thirdparty_libarchive PRIVATE HAVE_ARC4RANDOM_BUF"
+    # We need to override this hash because we use our own openssl 1.1 version
+    substituteInPlace libraries/cmake/formula/openssl/CMakeLists.txt --replace "d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca" "e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6"
+    cat libraries/cmake/formula/openssl/CMakeLists.txt
+  '';
+
+  # For explanation of these deletions, refer to the ./Use-locale.h-instead-of-removed-xlocale.h-header.patch file.
+  preConfigure = ''
+    find libraries/cmake/source -name 'config.h' -exec sed -i '/#define HAVE_XLOCALE_H 1/d' {} \;
+  '';
+
+  cmakeFlags = [
+    "-DOSQUERY_VERSION=${version}"
+    "-DOSQUERY_OPENSSL_ARCHIVE_PATH=${openssl_1_1.src}"
+  ];
+
+  postFixup = ''
+    patchelf --set-rpath "${llvmPackages.libunwind}/lib:$(patchelf --print-rpath $out/bin/osqueryd)" "$out/bin/osqueryd"
+  '';
+
+  passthru.tests.osquery = nixosTests.osquery;
+
+  meta = with lib; {
+    description = "SQL powered operating system instrumentation, monitoring, and analytics.";
+    longDescription = ''
+      The system controls table is not included as it does not presently compile with glibc >= 2.32.
+      For more information, refer to https://github.com/osquery/osquery/issues/7823
+    '';
+    homepage = "https://osquery.io";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ znewman01 lewo ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -1789,6 +1789,8 @@ with pkgs;
 
   openbugs = pkgsi686Linux.callPackage ../applications/science/machine-learning/openbugs { };
 
+  osquery = callPackage ../tools/system/osquery { };
+
   paperview = callPackage ../tools/X11/paperview { };
 
   pferd = callPackage ../tools/misc/pferd { };
@@ -10786,6 +10788,7 @@ with pkgs;
     nomad_1_3
     nomad_1_4
     nomad_1_5
+    nomad_1_6
     ;
 
   nomad-autoscaler = callPackage ../applications/networking/cluster/nomad-autoscaler { };
@@ -11947,9 +11950,7 @@ with pkgs;
 
   revolt-desktop = callPackage ../applications/networking/instant-messengers/revolt-desktop { };
 
-  rbw = callPackage ../tools/security/rbw {
-    inherit (darwin.apple_sdk.frameworks) Security;
-  };
+  rbw = callPackage ../tools/security/rbw { };
 
   remarshal = with python3Packages; toPythonApplication remarshal;
 
@@ -15843,9 +15844,10 @@ with pkgs;
   gcc-arm-embedded-12 = callPackage ../development/compilers/gcc-arm-embedded/12 { };
   gcc-arm-embedded = gcc-arm-embedded-12;
 
-  # Has to match the default gcc so that there are no linking errors when
-  # using C/C++ libraries in D packages
-  gdc = wrapCC (gcc.cc.override {
+  # It would be better to match the default gcc so that there are no linking errors
+  # when using C/C++ libraries in D packages, but right now versions >= 12 are broken.
+  gdc = gdc11;
+  gdc11 = wrapCC (gcc11.cc.override {
     name = "gdc";
     langCC = false;
     langC = false;
@@ -32707,6 +32709,8 @@ with pkgs;
 
   kubelogin-oidc = callPackage ../applications/networking/cluster/kubelogin-oidc { };
 
+  kubevpn = callPackage ../applications/networking/cluster/kubevpn { };
+
   k8sgpt = callPackage ../applications/networking/cluster/k8sgpt { };
 
   k9s = callPackage ../applications/networking/cluster/k9s { };