authorAustin Seipp <aseipp@pobox.com>2014-02-19 05:48:46 -0600
committerAustin Seipp <aseipp@pobox.com>2014-02-20 04:26:17 -0600
commit7411fabd3e19de6820db71dd0dbc1ce2b267bdbd (patch)
treed46135d306ad5e9835f08bbf0c3f564e4e94353e /pkgs/os-specific/linux/checksec
parentc7aedd58050daa7ecab58851af2ee8281ec623e8 (diff)
checksec: version 1.5
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'pkgs/os-specific/linux/checksec')
-rw-r--r--pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch27
-rw-r--r--pkgs/os-specific/linux/checksec/default.nix41
2 files changed, 68 insertions, 0 deletions
diff --git a/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch b/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
new file mode 100644
index 00000000000..2caf52f3c0a
--- /dev/null
+++ b/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
@@ -0,0 +1,27 @@
+From 6503848d9e0eb009e5f462116a963beacb208930 Mon Sep 17 00:00:00 2001
+From: Austin Seipp <aseipp@pobox.com>
+Date: Thu, 20 Feb 2014 00:11:44 -0600
+Subject: [PATCH] attempt to 'modprobe config' before checking kernel
+
+Signed-off-by: Austin Seipp <aseipp@pobox.com>
+---
+ checksec.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/checksec.sh b/checksec.sh
+index dd1f72e..63acc29 100644
+--- a/checksec.sh
++++ b/checksec.sh
+@@ -337,7 +337,8 @@ kernelcheck() {
+   printf "  userspace processes, this option lists the status of kernel configuration\n"
+   printf "  options that harden the kernel itself against attack.\n\n"
+   printf "  Kernel config: "
+- 
++
++  modprobe configs 2> /dev/null
+   if [ -f /proc/config.gz ] ; then
+     kconfig="zcat /proc/config.gz"
+     printf "\033[32m/proc/config.gz\033[m\n\n"
+-- 
+1.8.3.2
+
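Review bot: The Subject line of the embedded patch says 'modprobe config' while the command it inserts runs `modprobe configs`; the subject should name the module actually requested, `Subject: [PATCH] attempt to 'modprobe configs' before checking kernel`. The added call also turns a read-only audit into one that tries to load a kernel module, with any failure discarded by `2> /dev/null`, so a one-line comment above it stating that intent would help, e.g. `# try to expose /proc/config.gz; needs privileges, failure is ignored`. The kernelcheck function this hunk patches starts and ends outside the quoted lines.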
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
new file mode 100644
index 00000000000..5e5ed6da1c9
--- /dev/null
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, fetchurl, file, findutils, elfutils, glibc }:
+
+stdenv.mkDerivation rec {
+  name = "checksec-${version}";
+  version = "1.5";
+  src = fetchurl {
+    url    = "http://www.trapkit.de/tools/checksec.sh";
+    sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p";
+  };
+
+  patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ];
+
+  unpackPhase = ''
+    mkdir ${name}-${version}
+    cp $src ${name}-${version}/checksec.sh
+    cd ${name}-${version}
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp checksec.sh $out/bin/checksec
+    chmod +x $out/bin/checksec
+    substituteInPlace $out/bin/checksec --replace /bin/bash ${stdenv.shell}
+    substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc}/lib/libc.so.6
+    substituteInPlace $out/bin/checksec --replace find ${findutils}/bin/find
+    substituteInPlace $out/bin/checksec --replace "file $" "${file}/bin/file $"
+    substituteInPlace $out/bin/checksec --replace "xargs file" "xargs ${file}/bin/file"
+    substituteInPlace $out/bin/checksec --replace " readelf -" " ${elfutils}/bin/readelf -"
+    substituteInPlace $out/bin/checksec --replace "(readelf -" "(${elfutils}/bin/readelf -"
+    substituteInPlace $out/bin/checksec --replace "command_exists readelf" "command_exists ${elfutils}/bin/readelf"
+  '';
+
+  phases = "unpackPhase patchPhase installPhase";
+
+  meta = {
+    description = "A tool for checking security bits on executables";
+    platforms   = stdenv.lib.platforms.linux;
+    license     = stdenv.lib.licenses.bsd3;
+    maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
+  };
+}
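Review bot: The `--replace find ${findutils}/bin/find` substitution in installPhase matches the bare substring `find` everywhere in the script, not just the command invocations, so any comment, message or identifier containing those letters is rewritten as well; the neighbouring readelf replacements are anchored with surrounding characters and this one should be too, e.g. `substituteInPlace $out/bin/checksec --replace " find " " ${findutils}/bin/find "` (adjust the anchors to however the script actually invokes find, which is not visible here). The same blanket-match concern applies, more mildly, to the `/lib/libc.so.6` replacement. A secondary point: with `name = "checksec-${version}"`, the unpackPhase directory `${name}-${version}` expands to `checksec-1.5-1.5`; `mkdir ${name}` would be enough.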