diff options
author | Alyssa Ross <hi@alyssa.is> | 2023-11-21 16:12:21 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-11-21 16:12:48 +0100 |
commit | 048a4cd441a59cbf89defb18bb45c9f0b4429b35 (patch) | |
tree | f8f5850ff05521ab82d65745894714a8796cbfb6 /pkgs/os-specific/linux/checksec/default.nix | |
parent | 030c5028b07afcedce7c5956015c629486cc79d9 (diff) | |
parent | 4c2d05dd6435d449a3651a6dd314d9411b5f8146 (diff) | |
download | nixpkgs-rootfs.tar nixpkgs-rootfs.tar.gz nixpkgs-rootfs.tar.bz2 nixpkgs-rootfs.tar.lz nixpkgs-rootfs.tar.xz nixpkgs-rootfs.tar.zst nixpkgs-rootfs.zip |
Signed-off-by: Alyssa Ross <hi@alyssa.is>
Diffstat (limited to 'pkgs/os-specific/linux/checksec/default.nix')
-rw-r--r-- | pkgs/os-specific/linux/checksec/default.nix | 62 |
1 files changed, 54 insertions, 8 deletions
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix index 1bdd4cf5f67..07574722cd2 100644 --- a/pkgs/os-specific/linux/checksec/default.nix +++ b/pkgs/os-specific/linux/checksec/default.nix @@ -1,14 +1,30 @@ { lib , stdenv +, fetchpatch , fetchFromGitHub , makeWrapper +, testers +, runCommand + + # dependencies +, binutils +, coreutils +, curl +, elfutils , file , findutils -, binutils-unwrapped +, gawk , glibc -, coreutils -, sysctl +, gnugrep +, gnused , openssl +, procps +, sysctl +, wget +, which + + # tests +, checksec }: stdenv.mkDerivation rec { @@ -24,6 +40,13 @@ stdenv.mkDerivation rec { patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch + # Tool would sanitize the environment, removing the PATH set by our wrapper. + ./0002-don-t-sanatize-the-environment.patch + # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version. + (fetchpatch { + url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch"; + hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE="; + }) ]; nativeBuildInputs = [ @@ -33,22 +56,45 @@ stdenv.mkDerivation rec { installPhase = let path = lib.makeBinPath [ - findutils + binutils + coreutils + curl + elfutils file - binutils-unwrapped - sysctl + findutils + gawk + gnugrep + gnused openssl + procps + sysctl + wget + which ]; in '' mkdir -p $out/bin install checksec $out/bin - substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6 - substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -" + substituteInPlace $out/bin/checksec \ + --replace "/bin/sed" "${gnused}/bin/sed" \ + --replace "/usr/bin/id" "${coreutils}/bin/id" \ + --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6" wrapProgram $out/bin/checksec \ --prefix PATH : ${path} ''; + passthru.tests = { + version = testers.testVersion { + package = checksec; + version = "v${version}"; + }; + debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } '' + checksec --debug_report || exit 1 + echo "OK" + touch $out + ''; + }; + meta = with lib; { description = "Tool for checking security bits on executables"; homepage = "https://www.trapkit.de/tools/checksec/"; |