checksec: 2.6.0 -> 3.0.2

authored by Siddhartha Sahu and committed by Weijia Wang 4739a32e 5e4c9c51

+15 -124
-24
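--- a/pkgs/by-name/ch/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
+++ b/pkgs/by-name/ch/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
@@ -1,24 +0,0 @@
-From 5cfb08effd21d9278e3eb8901c85112a331c3181 Mon Sep 17 00:00:00 2001
-From: Austin Seipp <aseipp@pobox.com>
-Date: Tue, 26 Oct 2021 09:23:07 +0000
-Subject: [PATCH] attempt to 'modprobe config' before checking kernel
-
----
-checksec | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/checksec b/checksec
-index 5536250..895073b 100755
---- a/checksec
-+++ b/checksec
-@@ -1059,6 +1059,7 @@ kernelcheck() {
-echo_message " options that harden the kernel itself against attack.\n\n" '' '' ''
-echo_message " Kernel config:\n" '' '' '{ "kernel": '
-
-+ modprobe configs 2> /dev/null
-if [[ ! "${1}" == "" ]]; then
-kconfig="cat ${1}"
-echo_message " Warning: The config ${1} on disk may not represent running kernel config!\n\n" "${1}" "<kernel config=\"${1}\"" "{ \"KernelConfig\":\"${1}\""
---
-2.33.0
-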
-25
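--- a/pkgs/by-name/ch/checksec/0002-don-t-sanatize-the-environment.patch
+++ b/pkgs/by-name/ch/checksec/0002-don-t-sanatize-the-environment.patch
@@ -1,25 +0,0 @@
-From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001
-From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
-Date: Mon, 13 Nov 2023 20:24:54 +0000
-Subject: [PATCH] don't sanatize the environment
-
----
-checksec | 3 ---
-1 file changed, 3 deletions(-)
-
-diff --git a/checksec b/checksec
-index 4fc3c31..135223a 100755
---- a/checksec
-+++ b/checksec
-@@ -2,9 +2,6 @@
-# Do not edit this file directly, this file is generated from the files
-# in the src directory. Any updates to this file will be overwritten when generated
-
--# sanitize the environment before run
--[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
--
-# --- Modified Version ---
-# Name : checksec.sh
-# Version : 1.7.0
---
-2.42.0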
+15 -75
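--- a/pkgs/by-name/ch/checksec/package.nix
+++ b/pkgs/by-name/ch/checksec/package.nix
@@ -1,110 +1,50 @@
 {
 lib,
-stdenv,
-fetchpatch,
 fetchFromGitHub,
-makeWrapper,
-testers,
-runCommand,
 
-# dependencies
-binutils,
-coreutils,
-curl,
-elfutils,
-file,
-findutils,
-gawk,
-glibc,
-gnugrep,
-gnused,
-openssl,
-procps,
-sysctl,
-wget,
-which,
+buildGoModule,
 
 # tests
+testers,
 checksec,
 }:
 
-stdenv.mkDerivation rec {
+buildGoModule rec {
 pname = "checksec";
-version = "2.6.0";
+version = "3.0.2";
 
 src = fetchFromGitHub {
 owner = "slimm609";
-repo = "checksec.sh";
-rev = version;
-hash = "sha256-BWtchWXukIDSLJkFX8M/NZBvfi7vUE2j4yFfS0KEZDo=";
+repo = "checksec";
+tag = version;
+hash = "sha256-ZpDowTmnK23+ZocOY1pJMgMSn7FiQQGvMg/gSbiL1nw=";
 };
 
-patches = [
-./0001-attempt-to-modprobe-config-before-checking-kernel.patch
-# Tool would sanitize the environment, removing the PATH set by our wrapper.
-./0002-don-t-sanatize-the-environment.patch
-# Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version.
-(fetchpatch {
-url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch";
-hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE=";
-})
-];
+vendorHash = "sha256-7poHsEsRATljkqtfGxzqUbqhwSjVmiao2KoMVQ8LkD4=";
 
-nativeBuildInputs = [
-makeWrapper
+ldflags = [
+"-s"
+"-w"
+"-X main.version=${version}"
 ];
 
-installPhase =
-let
-path = lib.makeBinPath [
-binutils
-coreutils
-curl
-elfutils
-file
-findutils
-gawk
-gnugrep
-gnused
-openssl
-procps
-sysctl
-wget
-which
-];
-in
-''
-mkdir -p $out/bin
-install checksec $out/bin
-substituteInPlace $out/bin/checksec \
---replace "/bin/sed" "${gnused}/bin/sed" \
---replace "/usr/bin/id" "${coreutils}/bin/id" \
---replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
-wrapProgram $out/bin/checksec \
---prefix PATH : ${path}
-'';
-
 passthru.tests = {
 version = testers.testVersion {
 package = checksec;
-version = "v${version}";
+inherit version;
 };
-debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } ''
-checksec --debug_report || exit 1
-echo "OK"
-touch $out
-'';
 };
 
 meta = with lib; {
 description = "Tool for checking security bits on executables";
 mainProgram = "checksec";
-homepage = "https://www.trapkit.de/tools/checksec/";
+homepage = "https://slimm609.github.io/checksec/";
 license = licenses.bsd3;
 platforms = platforms.linux;
 maintainers = with maintainers; [
 thoughtpolice
 globin
+sdht0
 ];
 };
 }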
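Review bot: The only check left in `passthru.tests` is `testers.testVersion`, and the string it looks for is the one injected by `"-X main.version=${version}"`, so it proves that the binary starts and that the link-time variable exists, but nothing about the hardening checks themselves. The removed `debug-report` test was the one functional check and nothing replaces it. For a tool whose output is used to judge binary hardening, I would re-add `runCommand` to the arguments and add a small test that runs `checksec` against a known ELF from the store and greps the report for an expected field. The wrapper that put binutils, procps, sysctl and the other tools on `PATH` is also gone; if the Go rewrite still shells out to any of them (not visible in this diff), that would only surface at runtime, so it is worth confirming and saying so in the commit message.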