author | rnhmjoj <rnhmjoj@inventati.org> | 2021-06-10 14:57:52 +0200 |
committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 10:38:04 +0200 |
commit | 7d8b303e3fd76ccf58cfe26348e889def3663546 (patch) | |
tree | 669f4193ac15ab6cee82dc9e577b449eabeb02a3 /nixos/modules/security/wrappers | |
parent | 22004f7e8febc6ae6553c44ecd8bf9da9ddc5260 (diff) | |
nixos/security/wrappers: check that sources exist
Add a shell script that checks whether the paths of all wrapped programs actually exist, to catch mistakes. This only checks Nix store paths, which are always expected to exist at build time.
Diffstat (limited to 'nixos/modules/security/wrappers')
-rw-r--r-- | nixos/modules/security/wrappers/default.nix | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 8b1f5da2ba2..2ce26854be4 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -226,7 +226,7 @@ in
 ]}"
 '';
- ###### setcap activation script
+ ###### wrappers activation script
 system.activationScripts.wrappers =
 lib.stringAfter [ "specialfs" "users" ]
 ''
@@ -257,5 +257,33 @@ in
 ln --symbolic $wrapperDir ${wrapperDir}
 fi
 '';
+
+ ###### wrappers consistency checks
+ system.extraDependencies = lib.singleton (pkgs.runCommandLocal
+ "ensure-all-wrappers-paths-exist" { }
+ ''
+ # make sure we produce output
+ mkdir -p $out
+
+ echo -n "Checking that Nix store paths of all wrapped programs exist... "
+
+ declare -A wrappers
+ ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v:
+ "wrappers['${n}']='${v.source}'") wrappers)}
+
+ for name in "''${!wrappers[@]}"; do
+ path="''${wrappers[$name]}" if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
+ test -t 1 && echo -ne '\033[1;31m'
+ echo "FAIL"
+ echo "The path $path does not exist!"
+ echo 'Please, check the value of `security.wrappers."'$name'".source`.'
+ test -t 1 && echo -ne '\033[0m'
+ exit 1
+ fi
+ done
+
+ echo "OK"
+ '');
 };
 } |
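Review bot: The store-path test in the second hunk, `[[ "$path" =~ /nix/store ]]`, is an unanchored regex, so it also fires on any path that merely contains that substring and then demands that such a path exist at build time; a prefix test, `[[ "$path" == /nix/store/* ]]`, matches what the commit message describes. Separately, `"wrappers['${n}']='${v.source}'"` splices the wrapper name and its source into bash single quotes without escaping, so a value containing `'` breaks the generated script instead of failing the check cleanly; wrapping both interpolations in `lib.escapeShellArg` keeps the assignment well-formed for any value. The `$name` in the final `echo` is likewise unquoted, which is harmless for ordinary attribute names but worth quoting for consistency with the rest of the loop.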