Merge pull request #267304 from katexochen/fix/checksec-2

checksec: add missing deps, don't clean env, add tests

2 files changed, 79 insertions, 8 deletions

diff --git a/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch b/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
new file mode 100644
index 00000000000..bd639574f63
--- /dev/null
+++ b/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
@@ -0,0 +1,25 @@
+From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+Date: Mon, 13 Nov 2023 20:24:54 +0000
+Subject: [PATCH] don't sanatize the environment
+
+---
+ checksec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/checksec b/checksec
+index 4fc3c31..135223a 100755
+--- a/checksec
++++ b/checksec
+@@ -2,9 +2,6 @@
+ # Do not edit this file directly, this file is generated from the files
+ # in the src directory. Any updates to this file will be overwritten when generated
+
+-# sanitize the environment before run
+-[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
+-
+ # --- Modified Version ---
+ # Name    : checksec.sh
+ # Version : 1.7.0
+--
+2.42.0
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index 1bdd4cf5f67..07574722cd2 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,14 +1,30 @@
 { lib
 , stdenv
+, fetchpatch
 , fetchFromGitHub
 , makeWrapper
+, testers
+, runCommand
+
+  # dependencies
+, binutils
+, coreutils
+, curl
+, elfutils
 , file
 , findutils
-, binutils-unwrapped
+, gawk
 , glibc
-, coreutils
-, sysctl
+, gnugrep
+, gnused
 , openssl
+, procps
+, sysctl
+, wget
+, which
+
+  # tests
+, checksec
 }:
 
 stdenv.mkDerivation rec {
@@ -24,6 +40,13 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
+    # Tool would sanitize the environment, removing the PATH set by our wrapper.
+    ./0002-don-t-sanatize-the-environment.patch
+    # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version.
+    (fetchpatch {
+      url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch";
+      hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE=";
+    })
   ];
 
   nativeBuildInputs = [
@@ -33,22 +56,45 @@ stdenv.mkDerivation rec {
   installPhase =
     let
       path = lib.makeBinPath [
-        findutils
+        binutils
+        coreutils
+        curl
+        elfutils
         file
-        binutils-unwrapped
-        sysctl
+        findutils
+        gawk
+        gnugrep
+        gnused
         openssl
+        procps
+        sysctl
+        wget
+        which
       ];
     in
     ''
       mkdir -p $out/bin
       install checksec $out/bin
-      substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
-      substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+      substituteInPlace $out/bin/checksec \
+        --replace "/bin/sed" "${gnused}/bin/sed" \
+        --replace "/usr/bin/id" "${coreutils}/bin/id" \
+        --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
       wrapProgram $out/bin/checksec \
         --prefix PATH : ${path}
     '';
 
+  passthru.tests = {
+    version = testers.testVersion {
+      package = checksec;
+      version = "v${version}";
+    };
+    debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } ''
+      checksec --debug_report || exit 1
+      echo "OK"
+      touch $out
+    '';
+  };
+
   meta = with lib; {
     description = "Tool for checking security bits on executables";
     homepage = "https://www.trapkit.de/tools/checksec/";