author | K900 <me@0upti.me> | 2023-11-18 15:14:00 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-18 15:14:00 +0300 |
commit | 67f1e6206a040386a88dd3dc41dc4024926fee41 (patch) | |
tree | 78d989576acc3cd3fec9a6fbe32fb0998e904572 | |
parent | b9aa1e958b732626062f78fd0a0dd60ae42d84a6 (diff) | |
parent | a503c9757cf9e8f66aa0a29bbeeab59c6bce7836 (diff) | |
Merge pull request #267304 from katexochen/fix/checksec-2
checksec: add missing deps, don't clean env, add tests
-rw-r--r-- | pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch | 25 | ||||
-rw-r--r-- | pkgs/os-specific/linux/checksec/default.nix | 62 |
2 files changed, 79 insertions, 8 deletions
diff --git a/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch b/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
new file mode 100644
index 00000000000..bd639574f63
--- /dev/null
+++ b/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
@@ -0,0 +1,25 @@
+From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+Date: Mon, 13 Nov 2023 20:24:54 +0000
+Subject: [PATCH] don't sanatize the environment
+
+---
+ checksec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/checksec b/checksec
+index 4fc3c31..135223a 100755
+--- a/checksec
++++ b/checksec
+@@ -2,9 +2,6 @@
+ # Do not edit this file directly, this file is generated from the files
+ # in the src directory. Any updates to this file will be overwritten when generated
+
+-# sanitize the environment before run
+-[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
+-
+ # --- Modified Version ---
+ # Name : checksec.sh
+ # Version : 1.7.0
+--
+2.42.0
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index 1bdd4cf5f67..07574722cd2 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,14 +1,30 @@
 { lib
 , stdenv
+, fetchpatch
 , fetchFromGitHub
 , makeWrapper
+, testers
+, runCommand
+
+  # dependencies
+, binutils
+, coreutils
+, curl
+, elfutils
 , file
 , findutils
-, binutils-unwrapped
+, gawk
 , glibc
-, coreutils
-, sysctl
+, gnugrep
+, gnused
 , openssl
+, procps
+, sysctl
+, wget
+, which
+
+  # tests
+, checksec
 }:
 
 stdenv.mkDerivation rec {
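Review bot: Deleting the re-exec on the removed `[[ "$(env | /bin/sed ...)" ]] && exec -c "$0" "$@"` line means checksec, and every tool it shells out to via the wrapper's PATH, now runs with the caller's complete environment rather than a cleaned one; upstream's guard stripped everything except PWD, SHLVL and _, which also covered loader and locale variables that can change how the invoked binaries behave. If PATH is the only variable the wrapper needs to survive, a narrower patch worth testing keeps the re-exec and carries PATH across it, e.g. `[[ "$(env | /bin/sed -r -e '/^(PATH|PWD|SHLVL|_)=/d')" ]] && exec -c env PATH="$PATH" "$0" "$@"`, where PATH must also join the exclusion list or the guard would re-exec forever. Whichever route is kept, the reason for dropping the sanitizer should be stated in the patch body itself rather than only in the comment in default.nix, since the .patch file is what a future upgrader will re-apply. The Subject line and filename also misspell "sanitize"; the filename is referenced from default.nix, so correcting it touches both places.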
@@ -24,6 +40,13 @@ stdenv.mkDerivation rec { patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch + # Tool would sanitize the environment, removing the PATH set by our wrapper. + ./0002-don-t-sanatize-the-environment.patch + # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version. + (fetchpatch { + url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch"; + hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE="; + }) ]; nativeBuildInputs = [ @@ -33,22 +56,45 @@ stdenv.mkDerivation rec { installPhase = let path = lib.makeBinPath [ - findutils + binutils + coreutils + curl + elfutils file - binutils-unwrapped - sysctl + findutils + gawk + gnugrep + gnused openssl + procps + sysctl + wget + which ]; in '' mkdir -p $out/bin install checksec $out/bin - substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6 - substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -" + substituteInPlace $out/bin/checksec \ + --replace "/bin/sed" "${gnused}/bin/sed" \ + --replace "/usr/bin/id" "${coreutils}/bin/id" \ + --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6" wrapProgram $out/bin/checksec \ --prefix PATH : ${path} ''; + passthru.tests = { + version = testers.testVersion { + package = checksec; + version = "v${version}"; + }; + debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } '' + checksec --debug_report || exit 1 + echo "OK" + touch $out + ''; + }; + meta = with lib; { description = "Tool for checking security bits on executables"; homepage = "https://www.trapkit.de/tools/checksec/"; |
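Review bot: In the new `passthru.tests.debug-report`, `checksec` is executed during the build, so it belongs in `nativeBuildInputs = [ checksec ];` rather than `buildInputs`; with `buildInputs` it happens to land on PATH for native builds but not when cross-compiling. The added `--replace "/bin/sed"` substitution also deserves a second look: the only `/bin/sed` reference visible on this page is the sanitizer line that patch 0002 deletes, and `substituteInPlace --replace` does not fail when its pattern is absent, so if no other occurrence exists this line is a silent no-op (if this nixpkgs already provides `--replace-fail`, using it here and on the `/usr/bin/id` and `/lib/libc.so.6` lines would turn a vanished pattern into a build error instead of a lingering host path). The `|| exit 1` after `checksec --debug_report` is harmless but redundant if, as I believe, the runCommand builder runs with `set -e`. The `meta` block continues past the end of the hunk.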