Merge pull request #267304 from katexochen/fix/checksec-2

checksec: add missing deps, don't clean env, add tests

authored by

K900 and committed by
GitHub
67f1e620 b9aa1e95

+79 -8
+25
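--- /dev/null
+++ b/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
@@ -0,0 +1,25 @@
+From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+Date: Mon, 13 Nov 2023 20:24:54 +0000
+Subject: [PATCH] don't sanatize the environment
+
+---
+ checksec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/checksec b/checksec
+index 4fc3c31..135223a 100755
+--- a/checksec
++++ b/checksec
+@@ -2,9 +2,6 @@
+ # Do not edit this file directly, this file is generated from the files
+ # in the src directory. Any updates to this file will be overwritten when generated
+ 
+-# sanitize the environment before run
+-[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
+-
+ # --- Modified Version ---
+ # Name : checksec.sh
+ # Version : 1.7.0
+-- 
+2.42.0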
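Review bot: The patch deletes the upstream self-re-exec guard outright, so every variable in the caller's environment now reaches the tools checksec spawns, not just the PATH the wrapper needs; the patch body carries no rationale for that trade-off, and a reader of the patch alone cannot tell it was deliberate. Consider putting the sentence from default.nix ("Tool would sanitize the environment, removing the PATH set by our wrapper") into the patch's commit message, and, as a narrower alternative worth evaluating, keeping the guard but carrying PATH across the re-exec rather than dropping the sanitization entirely. The subject line and the filename both spell "sanatize"; if this is fixed, the reference in default.nix must change with it.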
+54 -8
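--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,14 +1,30 @@
 { lib
 , stdenv
+, fetchpatch
 , fetchFromGitHub
 , makeWrapper
+, testers
+, runCommand
+
+# dependencies
+, binutils
+, coreutils
+, curl
+, elfutils
 , file
 , findutils
-, binutils-unwrapped
+, gawk
 , glibc
-, coreutils
+, gnugrep
+, gnused
+, openssl
+, procps
 , sysctl
-, openssl
+, wget
+, which
+
+# tests
+, checksec
 }:
 
 stdenv.mkDerivation rec {
@@ -24,6 +40,13 @@
 
 patches = [
 ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
+# Tool would sanitize the environment, removing the PATH set by our wrapper.
+./0002-don-t-sanatize-the-environment.patch
+# Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version.
+(fetchpatch {
+url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch";
+hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE=";
+})
 ];
 
 nativeBuildInputs = [
@@ -33,21 +56,44 @@
 installPhase =
 let
 path = lib.makeBinPath [
-findutils
+binutils
+coreutils
+curl
+elfutils
 file
-binutils-unwrapped
-sysctl
+findutils
+gawk
+gnugrep
+gnused
 openssl
+procps
+sysctl
+wget
+which
 ];
 in
 ''
 mkdir -p $out/bin
 install checksec $out/bin
-substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
-substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+substituteInPlace $out/bin/checksec \
+--replace "/bin/sed" "${gnused}/bin/sed" \
+--replace "/usr/bin/id" "${coreutils}/bin/id" \
+--replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
 wrapProgram $out/bin/checksec \
 --prefix PATH : ${path}
 '';
+
+passthru.tests = {
+version = testers.testVersion {
+package = checksec;
+version = "v${version}";
+};
+debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } ''
+checksec --debug_report || exit 1
+echo "OK"
+touch $out
+'';
+};
 
 meta = with lib; {
 description = "Tool for checking security bits on executables";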
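Review bot: The three `substituteInPlace --replace` calls in installPhase succeed silently when a pattern has no match, so a future upstream change that moves `/usr/bin/id` or `/lib/libc.so.6` would leave the hardcoded host path in the wrapped script with no build failure; the `/bin/sed` pattern in particular appears only on the line the 0002 patch deletes, so that substitution may already match nothing. If the stdenv in use provides `--replace-fail`, use it here, otherwise add a `grep -q` check after the substitution so a missed path fails the build. In the debug-report test, `checksec --debug_report || exit 1` is redundant if the builder runs with errexit as stdenv's setup does; `checksec --debug_report` alone gives the same failure.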