Merge pull request #267304 from katexochen/fix/checksec-2

checksec: add missing deps, don't clean env, add tests

authored by

K900 and committed by
GitHub
67f1e620 b9aa1e95

+79 -8
+25
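--- /dev/null
+++ b/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
@@ -0,0 +1,25 @@
+From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+Date: Mon, 13 Nov 2023 20:24:54 +0000
+Subject: [PATCH] don't sanatize the environment
+
+---
+ checksec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/checksec b/checksec
+index 4fc3c31..135223a 100755
+--- a/checksec
++++ b/checksec
+@@ -2,9 +2,6 @@
+ # Do not edit this file directly, this file is generated from the files
+ # in the src directory. Any updates to this file will be overwritten when generated
+ 
+-# sanitize the environment before run
+-[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
+-
+ # --- Modified Version ---
+ # Name    : checksec.sh
+ # Version : 1.7.0
+-- 
+2.42.0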
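Review bot: The patch's commit message has a Subject line but no body, so it does not record what the deleted re-exec protected against or why dropping it is acceptable; that rationale currently lives only in the default.nix comment, which someone rebasing this patch onto a new upstream release will not see. After this hunk the script runs with the caller's complete environment (locale and loader variables included, presumably) instead of re-executing with a cleaned one, and that is the trade-off worth stating. I'd add a body line such as `The self re-exec with exec -c also dropped PATH, which defeated the Nix wrapper that supplies the tool's dependencies; the script now keeps the caller's environment unchanged.` The Subject misspells "sanitize", but the patch filename carries the same spelling, so correcting one without the other would only add confusion.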
+54 -8
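--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,14 +1,30 @@
 { lib
 , stdenv
+, fetchpatch
 , fetchFromGitHub
 , makeWrapper
+, testers
+, runCommand
+
+# dependencies
+, binutils
+, coreutils
+, curl
+, elfutils
 , file
 , findutils
-, binutils-unwrapped
+, gawk
 , glibc
-, coreutils
+, gnugrep
+, gnused
+, openssl
+, procps
 , sysctl
-, openssl
+, wget
+, which
+
+# tests
+, checksec
 }:
 
 stdenv.mkDerivation rec {
@@ -24,6 +40,13 @@
 
   patches = [
     ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
+    # Tool would sanitize the environment, removing the PATH set by our wrapper.
+    ./0002-don-t-sanatize-the-environment.patch
+    # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version.
+    (fetchpatch {
+      url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch";
+      hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE=";
+    })
   ];
 
   nativeBuildInputs = [
@@ -33,21 +56,44 @@
   installPhase =
     let
       path = lib.makeBinPath [
-        findutils
+        binutils
+        coreutils
+        curl
+        elfutils
         file
-        binutils-unwrapped
-        sysctl
+        findutils
+        gawk
+        gnugrep
+        gnused
         openssl
+        procps
+        sysctl
+        wget
+        which
       ];
     in
     ''
       mkdir -p $out/bin
       install checksec $out/bin
-      substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
-      substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+      substituteInPlace $out/bin/checksec \
+        --replace "/bin/sed" "${gnused}/bin/sed" \
+        --replace "/usr/bin/id" "${coreutils}/bin/id" \
+        --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
       wrapProgram $out/bin/checksec \
         --prefix PATH : ${path}
     '';
+
+  passthru.tests = {
+    version = testers.testVersion {
+      package = checksec;
+      version = "v${version}";
+    };
+    debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } ''
+      checksec --debug_report || exit 1
+      echo "OK"
+      touch $out
+    '';
+  };
 
   meta = with lib; {
     description = "Tool for checking security bits on executables";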
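Review bot: The three `--replace` arguments on new lines 78–81 are silent when a pattern is absent, so a path the script stops using goes unnoticed; in particular `/bin/sed` appears, as far as this PR shows, only in the line that the 0002 patch deletes from the same script, which would make that substitution a no-op already. If the substituteInPlace in this nixpkgs revision accepts `--replace-fail`, switching these three to it turns a stale pattern into a build failure; otherwise a `grep` for the old absolute paths after the substitutions serves the same purpose. Separately, in the debug-report test `checksec --debug_report || exit 1` the `|| exit 1` is redundant because the stdenv builder already runs the command under errexit, so `checksec --debug_report` alone reads cleaner. The version test's `"v${version}"` only matches while upstream keeps printing a v-prefixed version string, so a one-line comment saying why the prefix is there would help the next updater.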