diff options
Diffstat (limited to 'pkgs/os-specific/linux/busybox')
4 files changed, 25 insertions, 185 deletions
diff --git a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch b/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch deleted file mode 100644 index 029333b57e4..00000000000 --- a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch +++ /dev/null @@ -1,71 +0,0 @@ -From c29b637b55c93214993f40b1a223233d40b8a7d6 Mon Sep 17 00:00:00 2001 -From: Maximilian Bosch <maximilian@mbosch.me> -Date: Wed, 19 Feb 2020 22:32:28 +0100 -Subject: [PATCH] Fix build with glibc 2.31 - -This is derived from the corresponding upstream patch[1], however this -one doesn't apply cleanly on busybox-1.31.1, so I rebased the patch -locally and added it directly to nixpkgs. - -[1] https://git.busybox.net/busybox/patch/?id=d3539be8f27b8cbfdfee460fe08299158f08bcd9 ---- - coreutils/date.c | 2 +- - libbb/missing_syscalls.c | 8 -------- - util-linux/rdate.c | 8 ++++++-- - 3 files changed, 7 insertions(+), 11 deletions(-) - -diff --git a/coreutils/date.c b/coreutils/date.c -index 3414d38..931b7f9 100644 ---- a/coreutils/date.c -+++ b/coreutils/date.c -@@ -303,7 +303,7 @@ int date_main(int argc UNUSED_PARAM, char **argv) - ts.tv_sec = validate_tm_time(date_str, &tm_time); - - /* if setting time, set it */ -- if ((opt & OPT_SET) && stime(&ts.tv_sec) < 0) { -+ if ((opt & OPT_SET) && clock_settime(CLOCK_REALTIME, &ts) < 0) { - bb_perror_msg("can't set date"); - } - } -diff --git a/libbb/missing_syscalls.c b/libbb/missing_syscalls.c -index 87cf59b..dc40d91 100644 ---- a/libbb/missing_syscalls.c -+++ b/libbb/missing_syscalls.c -@@ -15,14 +15,6 @@ pid_t getsid(pid_t pid) - return syscall(__NR_getsid, pid); - } - --int stime(const time_t *t) --{ -- struct timeval tv; -- tv.tv_sec = *t; -- tv.tv_usec = 0; -- return settimeofday(&tv, NULL); --} -- - int sethostname(const char *name, size_t len) - { - return syscall(__NR_sethostname, name, len); -diff --git a/util-linux/rdate.c b/util-linux/rdate.c -index 70f829e..878375d 100644 ---- a/util-linux/rdate.c -+++ b/util-linux/rdate.c -@@ -95,9 +95,13 @@ int rdate_main(int argc UNUSED_PARAM, char **argv) - if (!(flags & 2)) { /* no -p (-s may be present) */ - if (time(NULL) == remote_time) - bb_error_msg("current time matches remote time"); -- else -- if (stime(&remote_time) < 0) -+ else { -+ struct timespec ts; -+ ts.tv_sec = remote_time; -+ ts.tv_nsec = 0; -+ if (clock_settime(CLOCK_REALTIME, &ts) < 0) - bb_perror_msg_and_die("can't set time of day"); -+ } - } - - if (flags != 1) /* not lone -s */ --- -2.25.0 - diff --git a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch b/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch deleted file mode 100644 index d11cd670d5e..00000000000 --- a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001 -From: Dimitri John Ledkov <xnox@ubuntu.com> -Date: Tue, 19 May 2020 18:20:39 +0100 -Subject: [PATCH] wget: implement TLS verification with - ENABLE_FEATURE_WGET_OPENSSL - -When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS -verification by default. And only ignore verification errors, if ---no-check-certificate was passed. - -Also note, that previously OPENSSL implementation did not implement -TLS verification, nor printed any warning messages that verification -was not performed. - -Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533 - -CVE-2018-1000500 - -Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> -Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> ---- - networking/wget.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - -diff --git a/networking/wget.c b/networking/wget.c -index f2fc9e215..6a8c08324 100644 ---- a/networking/wget.c -+++ b/networking/wget.c -@@ -91,6 +91,9 @@ - //config: patches, but do want to waste bandwidth expaining how wrong - //config: it is, you will be ignored. - //config: -+//config: FEATURE_WGET_OPENSSL does implement TLS verification -+//config: using the certificates available to OpenSSL. -+//config: - //config:config FEATURE_WGET_OPENSSL - //config: bool "Try to connect to HTTPS using openssl" - //config: default y -@@ -115,6 +118,9 @@ - //config: If openssl can't be executed, internal TLS code will be used - //config: (if you enabled it); if openssl can be executed but fails later, - //config: wget can't detect this, and download will fail. -+//config: -+//config: By default TLS verification is performed, unless -+//config: --no-check-certificate option is passed. - - //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) - -@@ -124,8 +130,11 @@ - //usage: IF_FEATURE_WGET_LONG_OPTIONS( - //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n" - //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n" -+//usage: IF_FEATURE_WGET_OPENSSL( -+//usage: " [--no-check-certificate]\n" -+//usage: ) - /* Since we ignore these opts, we don't show them in --help */ --/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */ -+/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */ - /* //usage: " [-nv] [-nc] [-nH] [-np]" */ - //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." - //usage: ) -@@ -137,7 +146,9 @@ - //usage: "Retrieve files via HTTP or FTP\n" - //usage: IF_FEATURE_WGET_LONG_OPTIONS( - //usage: "\n --spider Only check URL existence: $? is 0 if exists" --///////: "\n --no-check-certificate Don't validate the server's certificate" -+//usage: IF_FEATURE_WGET_OPENSSL( -+//usage: "\n --no-check-certificate Don't validate the server's certificate" -+//usage: ) - //usage: ) - //usage: "\n -c Continue retrieval of aborted transfer" - //usage: "\n -q Quiet" -@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) - pid = xvfork(); - if (pid == 0) { - /* Child */ -- char *argv[8]; -+ char *argv[9]; - - close(sp[0]); - xmove_fd(sp[1], 0); -@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) - argv[5] = (char*)"-servername"; - argv[6] = (char*)servername; - } -+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { -+ argv[7] = (char*)"-verify_return_error"; -+ } - - BB_EXECVP(argv[0], argv); - xmove_fd(3, 2); --- -2.28.0 - diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index 728d2d49118..4949cd7c14a 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -1,5 +1,5 @@ -{ stdenv, lib, buildPackages, fetchurl, fetchzip -, enableStatic ? false +{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab +, enableStatic ? stdenv.hostPlatform.isStatic , enableMinimal ? false # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping: # nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist @@ -32,27 +32,31 @@ let CONFIG_FEATURE_WTMP n ''; - debianName = "busybox_1.30.1-5"; - debianTarball = fetchzip { - url = "http://deb.debian.org/debian/pool/main/b/busybox/${debianName}.debian.tar.xz"; - sha256 = "03m4rvs2pd0hj0mdkdm3r4m1gh0bgwr0cvnqds297xnkfi5s01nx"; + # The debian version lags behind the upstream version and also contains + # a debian-specific suffix. We only fetch the debian repository to get the + # default.script + debianVersion = "1.30.1-6"; + debianSource = fetchFromGitLab { + domain = "salsa.debian.org"; + owner = "installer-team"; + repo = "busybox"; + rev = "debian/1%${debianVersion}"; + sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8="; }; - debianDispatcherScript = "${debianTarball}/tree/udhcpc/etc/udhcpc/default.script"; + debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script"; outDispatchPath = "$out/default.script"; in stdenv.mkDerivation rec { - # TODO: When bumping this version, please validate whether the wget patch is present upstream - # and remove the patch if it is. The patch should be present upstream for all versions 1.32.0+. - # See NixOs/nixpkgs#94722 for context. - name = "busybox-1.31.1"; + pname = "busybox"; + version = "1.33.1"; # Note to whoever is updating busybox: please verify that: # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test # still builds after the update. src = fetchurl { - url = "https://busybox.net/downloads/${name}.tar.bz2"; - sha256 = "1659aabzp8w4hayr4z8kcpbk2z1q2wqhw7i1yb0l72b45ykl1yfh"; + url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2"; + sha256 = "0a0dcvsh7nxnhxc5y73fky0z30i9p7r30qfidm2akn0n5fywdkhj"; }; hardeningDisable = [ "format" "pie" ] @@ -60,9 +64,7 @@ stdenv.mkDerivation rec { patches = [ ./busybox-in-store.patch - ./0001-Fix-build-with-glibc-2.31.patch - ./0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch - ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch; + ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch; postPatch = "patchShebangs ."; @@ -116,9 +118,11 @@ stdenv.mkDerivation rec { logger() { '$out'/bin/logger "$@"; }\ ' ${debianDispatcherScript} > ${outDispatchPath} chmod 555 ${outDispatchPath} - PATH=$out/bin patchShebangs ${outDispatchPath} + HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath} ''; + strictDeps = true; + depsBuildBuild = [ buildPackages.stdenv.cc ]; buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ stdenv.cc.libc stdenv.cc.libc.static ]; @@ -127,10 +131,10 @@ stdenv.mkDerivation rec { doCheck = false; # tries to access the net - meta = with stdenv.lib; { + meta = with lib; { description = "Tiny versions of common UNIX utilities in a single small executable"; homepage = "https://busybox.net/"; - license = licenses.gpl2; + license = licenses.gpl2Only; maintainers = with maintainers; [ TethysSvensson ]; platforms = platforms.linux; priority = 10; diff --git a/pkgs/os-specific/linux/busybox/sandbox-shell.nix b/pkgs/os-specific/linux/busybox/sandbox-shell.nix index 036ea0a0f48..fa70e5f91d8 100644 --- a/pkgs/os-specific/linux/busybox/sandbox-shell.nix +++ b/pkgs/os-specific/linux/busybox/sandbox-shell.nix @@ -1,4 +1,4 @@ -{ busybox, stdenv}: +{ busybox}: # Minimal shell for use as basic /bin/sh in sandbox builds busybox.override { @@ -8,6 +8,7 @@ busybox.override { CONFIG_FEATURE_FANCY_ECHO y CONFIG_FEATURE_SH_MATH y CONFIG_FEATURE_SH_MATH_64 y + CONFIG_FEATURE_TEST_64 y CONFIG_ASH y CONFIG_ASH_OPTIMIZE_FOR_SIZE y |