Rebase onto e4ad989506ec7d71f7302cc3067abd82730a4beb HEAD rootfs

Signed-off-by: Alyssa Ross <hi@alyssa.is>

1 files changed, 54 insertions, 8 deletions

diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index 1bdd4cf5f67..07574722cd2 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,14 +1,30 @@
 { lib
 , stdenv
+, fetchpatch
 , fetchFromGitHub
 , makeWrapper
+, testers
+, runCommand
+
+  # dependencies
+, binutils
+, coreutils
+, curl
+, elfutils
 , file
 , findutils
-, binutils-unwrapped
+, gawk
 , glibc
-, coreutils
-, sysctl
+, gnugrep
+, gnused
 , openssl
+, procps
+, sysctl
+, wget
+, which
+
+  # tests
+, checksec
 }:
 
 stdenv.mkDerivation rec {
@@ -24,6 +40,13 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
+    # Tool would sanitize the environment, removing the PATH set by our wrapper.
+    ./0002-don-t-sanatize-the-environment.patch
+    # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version.
+    (fetchpatch {
+      url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch";
+      hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE=";
+    })
   ];
 
   nativeBuildInputs = [
@@ -33,22 +56,45 @@ stdenv.mkDerivation rec {
   installPhase =
     let
       path = lib.makeBinPath [
-        findutils
+        binutils
+        coreutils
+        curl
+        elfutils
         file
-        binutils-unwrapped
-        sysctl
+        findutils
+        gawk
+        gnugrep
+        gnused
         openssl
+        procps
+        sysctl
+        wget
+        which
       ];
     in
     ''
       mkdir -p $out/bin
       install checksec $out/bin
-      substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
-      substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+      substituteInPlace $out/bin/checksec \
+        --replace "/bin/sed" "${gnused}/bin/sed" \
+        --replace "/usr/bin/id" "${coreutils}/bin/id" \
+        --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
       wrapProgram $out/bin/checksec \
         --prefix PATH : ${path}
     '';
 
+  passthru.tests = {
+    version = testers.testVersion {
+      package = checksec;
+      version = "v${version}";
+    };
+    debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } ''
+      checksec --debug_report || exit 1
+      echo "OK"
+      touch $out
+    '';
+  };
+
   meta = with lib; {
     description = "Tool for checking security bits on executables";
     homepage = "https://www.trapkit.de/tools/checksec/";