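# Packages the checksec script from slimm609/checksec.sh and wraps it so that
# the command-line tools it shells out to are resolved from the Nix store.
{ lib
, stdenv
, fetchpatch
, fetchFromGitHub
, makeWrapper
, testers
, runCommand

# dependencies
, binutils
, coreutils
, curl
, elfutils
, file
, findutils
, gawk
, glibc
, gnugrep
, gnused
, openssl
, procps
, sysctl
, wget
, which

# tests
, checksec
}:

stdenv.mkDerivation rec {
  pname = "checksec";
  version = "2.6.0";

  # `rev` is the upstream tag named after `version`; `hash` pins the fetched
  # content, so a tag that is later re-pointed fails the build instead of
  # silently changing the source.
  src = fetchFromGitHub {
    owner = "slimm609";
    repo = "checksec.sh";
    rev = version;
    hash = "sha256-BWtchWXukIDSLJkFX8M/NZBvfi7vUE2j4yFfS0KEZDo=";
  };

  patches = [
    # Local patch; going by its file name it tries to modprobe the kernel
    # config module before the kernel checks run (patch body not shown here).
    ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
    # Tool would sanitize the environment, removing the PATH set by our wrapper.
    # NOTE(review): with the sanitising step patched out, the caller's
    # environment reaches the script unchanged. Confirm that the patch drops
    # no more of upstream's hardening than the wrapper's PATH requires.
    ./0002-don-t-sanatize-the-environment.patch
    # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version.
    # Fetched by full commit id and pinned by hash, so the applied patch
    # cannot change without the hash check failing.
    (fetchpatch {
      url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch";
      hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE=";
    })
  ];

  nativeBuildInputs = [
    makeWrapper
  ];

  installPhase =
    let
      # bin/ directories of every tool the wrapper puts on PATH.
      path = lib.makeBinPath [
        binutils
        coreutils
        curl
        elfutils
        file
        findutils
        gawk
        gnugrep
        gnused
        openssl
        procps
        sysctl
        wget
        which
      ];
    in
    # runHook keeps preInstall/postInstall usable for anyone overriding this
    # derivation; a custom installPhase does not run them on its own.
    #
    # substituteInPlace points the script's hard-coded absolute paths at the
    # store copies. glibc is used only for the libc.so.6 path and is not added
    # to PATH. NOTE(review): on a version bump, check that these three paths
    # still occur in the script.
    #
    # wrapProgram uses --prefix, so the store tools take precedence over
    # same-named binaries on the caller's PATH. Anything not listed in `path`
    # still resolves through the caller's PATH.
    ''
      runHook preInstall

      mkdir -p $out/bin
      install checksec $out/bin
      substituteInPlace $out/bin/checksec \
        --replace "/bin/sed" "${gnused}/bin/sed" \
        --replace "/usr/bin/id" "${coreutils}/bin/id" \
        --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
      wrapProgram $out/bin/checksec \
        --prefix PATH : ${path}

      runHook postInstall
    '';

  passthru.tests = {
    # The version test compares the program's reported version against
    # "v<version>".
    version = testers.testVersion {
      package = checksec;
      version = "v${version}";
    };
    # Runs the wrapped program end to end and fails the test on a non-zero
    # exit, which is the behaviour the fetched upstream patch corrects.
    debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } ''
      checksec --debug_report || exit 1
      echo "OK"
      touch $out
    '';
  };

  meta = with lib; {
    description = "Tool for checking security bits on executables";
    homepage = "https://www.trapkit.de/tools/checksec/";
    license = licenses.bsd3;
    platforms = platforms.linux;
    maintainers = with maintainers; [ thoughtpolice globin ];
  };
}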