nixpkgs mirror (for testing) github.com/NixOS/nixpkgs
# BusyBox package expression: fetches a hash-pinned upstream tarball, applies
# one local patch plus back-ported CVE fixes, generates .config from the
# Kconfig defaults and the overrides below, and installs a udhcpc dispatcher
# script taken from Debian's packaging.
{
  stdenv,
  lib,
  buildPackages,
  fetchurl,
  fetchpatch,
  fetchFromGitLab,
  # Link statically; defaults to what the host platform requests.
  enableStatic ? stdenv.hostPlatform.isStatic,
  # true -> configuration starts from `make allnoconfig` instead of `make defconfig`.
  enableMinimal ? false,
  # false -> CONFIG_INSTALL_APPLET_DONT y and CONFIG_INSTALL_APPLET_SYMLINKS n.
  enableAppletSymlinks ? true,
  # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
  # nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
  useMusl ? stdenv.hostPlatform.libc == "musl",
  musl,
  # Extra "CONFIG_NAME value" lines. They are spliced into an unquoted shell
  # here-document in configurePhase, where the shell still performs parameter
  # and command substitution, so this argument is trusted build-time input.
  extraConfig ? "",
}:

# Implication: a musl host platform requires useMusl = true; useMusl may still
# be forced on for a non-musl stdenv (see postConfigure).
assert stdenv.hostPlatform.libc == "musl" -> useMusl;

let
  # Shell function spliced into configurePhase. It reads "NAME VALUE" lines on
  # stdin, skips every line whose first field does not start with CONFIG_,
  # deletes any existing "NAME=" or "NAME " line from .config and appends
  # "NAME=VALUE".
  #  - Only the first two space-separated fields are used, so a value that
  #    contains a space is truncated at that space.
  #  - `cut -d \  -f N` uses a backslash-escaped space as the delimiter; the
  #    second space separates it from -f, so that whitespace must be preserved.
  #  - NOTE(review): only the CONFIG_ prefix of $NAME is checked, $NAME is
  #    placed unquoted into the sed address, and `read` runs without -r. The
  #    input is the here-document and extraConfig, both packager-supplied, so
  #    this is a robustness concern rather than an untrusted-input one; confirm
  #    that no caller forwards external data into extraConfig.
  configParser = ''
    function parseconfig {
        while read LINE; do
            NAME=`echo "$LINE" | cut -d \  -f 1`
            OPTION=`echo "$LINE" | cut -d \  -f 2`

            if ! [[ "$NAME" =~ ^CONFIG_ ]]; then continue; fi

            echo "parseconfig: removing $NAME"
            sed -i /$NAME'\(=\| \)'/d .config

            echo "parseconfig: setting $NAME=$OPTION"
            echo "$NAME=$OPTION" >> .config
        done
    }
  '';

  # With musl, the utmp and wtmp features are switched off
  # (presumably because musl does not implement that API; confirm).
  libcConfig = lib.optionalString useMusl ''
    CONFIG_FEATURE_UTMP n
    CONFIG_FEATURE_WTMP n
  '';

  # The debian version lags behind the upstream version and also contains
  # a debian-specific suffix. We only fetch the debian repository to get the
  # default.script
  #
  # rev names a tag ("1%" is presumably the tag encoding of the Debian epoch
  # "1:"); the sha256 pins the fetched tree, so a tag that is moved later makes
  # the fetch fail instead of silently changing the installed script.
  debianVersion = "1.30.1-6";
  debianSource = fetchFromGitLab {
    domain = "salsa.debian.org";
    owner = "installer-team";
    repo = "busybox";
    rev = "debian/1%${debianVersion}";
    sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
  };
  debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
  # "$out" is left for the build shell to expand; it is not a Nix interpolation.
  outDispatchPath = "$out/default.script";
in

stdenv.mkDerivation rec {
  pname = "busybox";
  version = "1.36.1";

  # Note to whoever is updating busybox: please verify that:
  # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
  # still builds after the update.
  #
  # The SRI hash below is the only integrity check visible in this file; no
  # signature is verified here. When bumping the version, take the new hash
  # from a source you trust rather than from whatever the first download
  # happened to return.
  src = fetchurl {
    url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2";
    sha256 = "sha256-uMwkyVdNgJ5yecO+NJeVxdXOtv3xnKcJ+AzeUOR94xQ=";
  };

  # Disables the nixpkgs hardening flags "format" (format-string warnings as
  # errors) and "pie" (position-independent executable) for every build, and
  # "fortify" (_FORTIFY_SOURCE) for static builds.
  # NOTE(review): the file gives no reason for any of the three. They are
  # exploit mitigations, so re-check on each version bump whether they still
  # have to be off.
  hardeningDisable = [
    "format"
    "pie"
  ]
  ++ lib.optionals enableStatic [ "fortify" ];

  # Security back-ports on top of the release tarball. Every remote patch is
  # pinned by hash, so a change on the hosting side fails the build instead of
  # altering what gets applied. The fetchurl entries are hashed exactly as
  # downloaded; the fetchpatch entries are normalised before hashing.
  # When bumping `version`, drop a patch only after confirming the fix is part
  # of the new release, and read the patch content whenever a hash changes.
  patches = [
    ./busybox-in-store.patch
    # CVE-2022-28391 is fixed by two Alpine patches (0001 libbb sockaddr2str,
    # 0002 nslookup). Both entries carry the same `name`; only the URL and the
    # hash tell them apart. Both URLs are pinned to one aports commit id.
    (fetchurl {
      name = "CVE-2022-28391.patch";
      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
      sha256 = "sha256-yviw1GV+t9tbHbY7YNxEqPi7xEreiXVqbeRyf8c6Awo=";
    })
    (fetchurl {
      name = "CVE-2022-28391.patch";
      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
      sha256 = "sha256-vl1wPbsHtXY9naajjnTicQ7Uj3N+EQ8pRNnrdsiow+w=";
    })
    # Taken from the upstream busybox git repository by commit id.
    (fetchpatch {
      name = "CVE-2022-48174.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15216
      url = "https://git.busybox.net/busybox/patch/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209";
      hash = "sha256-mpDEwYncpU6X6tmtj9xM2KCrB/v2ys5bYxmPPrhm6es=";
    })
    # Fetched from a bug-tracker attachment rather than a commit; the hash is
    # what ties this entry to a specific patch text.
    (fetchpatch {
      name = "CVE-2023-42366.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15874
      # This patch is also used by Alpine, see https://git.alpinelinux.org/aports/tree/main/busybox/0037-awk.c-fix-CVE-2023-42366-bug-15874.patch
      url = "https://bugs.busybox.net/attachment.cgi?id=9697";
      hash = "sha256-2eYfLZLjStea9apKXogff6sCAdG9yHx0ZsgUBaGfQIA=";
    })
    # Taken from Ubuntu's packaging, pinned to a commit id.
    (fetchpatch {
      name = "CVE-2023-42363.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15865
      url = "https://git.launchpad.net/ubuntu/+source/busybox/plain/debian/patches/CVE-2023-42363.patch?id=c9d8a323b337d58e302717d41796aa0242963d5a";
      hash = "sha256-1W9Q8+yFkYQKzNTrvndie8QuaEbyAFL1ZASG2fPF+Z4=";
    })
    # One Alpine patch covering two CVEs, pinned to an aports commit id.
    (fetchpatch {
      name = "CVE-2023-42364_CVE-2023-42365.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15871 https://bugs.busybox.net/show_bug.cgi?id=15868
      url = "https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2023-42364-CVE-2023-42365.patch?id=8a4bf5971168bf48201c05afda7bee0fbb188e13";
      hash = "sha256-nQPgT9eA1asCo38Z9X7LR9My0+Vz5YBPba3ARV3fWcc=";
    })
  ]
  # Applied only when cross-compiling (host platform differs from build platform).
  ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;

  separateDebugInfo = true;

  postPatch = "patchShebangs .";

  # Custom configure step:
  #  1. KCONFIG_NOTIMESTAMP=1, then `make allnoconfig` (enableMinimal) or
  #     `make defconfig` to create the baseline .config.
  #  2. The here-document is piped through parseconfig (defined above), which
  #     rewrites one CONFIG_* entry per line; later lines win, so extraConfig
  #     overrides the fixed entries before it, and CONFIG_CROSS_COMPILER_PREFIX
  #     and libcConfig override extraConfig.
  #  3. `make oldconfig` reconciles the edited file.
  # The here-document delimiter is unquoted: the shell expands "$out" for
  # CONFIG_PREFIX and the udhcpc script path, and expands anything in
  # extraConfig in the same way.
  # Only postConfigure is run explicitly at the end; no preConfigure hook is
  # invoked by this phase.
  configurePhase = ''
    export KCONFIG_NOTIMESTAMP=1
    make ${if enableMinimal then "allnoconfig" else "defconfig"}

    ${configParser}

    cat << EOF | parseconfig

    CONFIG_PREFIX "$out"
    CONFIG_INSTALL_NO_USR y

    CONFIG_LFS y

    # More features for modprobe.
    ${lib.optionalString (!enableMinimal) ''
      CONFIG_FEATURE_MODPROBE_BLACKLIST y
      CONFIG_FEATURE_MODUTILS_ALIAS y
      CONFIG_FEATURE_MODUTILS_SYMBOLS y
      CONFIG_MODPROBE_SMALL n
    ''}

    ${lib.optionalString enableStatic ''
      CONFIG_STATIC y
    ''}

    ${lib.optionalString (!enableAppletSymlinks) ''
      CONFIG_INSTALL_APPLET_DONT y
      CONFIG_INSTALL_APPLET_SYMLINKS n
    ''}

    # Use the external mount.cifs program.
    CONFIG_FEATURE_MOUNT_CIFS n
    CONFIG_FEATURE_MOUNT_HELPERS y

    # Set paths for console fonts.
    CONFIG_DEFAULT_SETFONT_DIR "/etc/kbd"

    # Bump from 4KB, much faster I/O
    CONFIG_FEATURE_COPYBUF_KB 64

    # Doesn't build with current kernel headers.
    # https://bugs.busybox.net/show_bug.cgi?id=15934
    CONFIG_TC n

    # Set the path for the udhcpc script
    CONFIG_UDHCPC_DEFAULT_SCRIPT "${outDispatchPath}"

    ${extraConfig}
    CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}"
    ${libcConfig}
    EOF

    make oldconfig

    runHook postConfigure
  '';

  # Only when musl is forced on a non-musl stdenv: override CC so the compiler
  # takes headers, start files and libraries from the musl package.
  postConfigure = lib.optionalString (useMusl && stdenv.hostPlatform.libc != "musl") ''
    makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib")
  '';

  # Passes SKIP_STRIP=y to make (presumably so busybox's own build does not
  # strip the binary and separateDebugInfo can split the symbols; confirm).
  makeFlags = [ "SKIP_STRIP=y" ];

  # Installs Debian's udhcpc default.script as $out/default.script. The sed
  # program appends two shell functions after line 1 so that `busybox` and
  # `logger` inside the script resolve to this package's binaries by absolute
  # store path instead of through PATH. The result is made read/execute-only
  # (555) and its shebang is rewritten against $out/bin.
  postInstall = ''
    sed -e '
    1 a busybox() { '$out'/bin/busybox "$@"; }\
    logger() { '$out'/bin/logger "$@"; }\
    ' ${debianDispatcherScript} > ${outDispatchPath}
    chmod 555 ${outDispatchPath}
    HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath}
  '';

  strictDeps = true;

  # A build-platform C compiler is made available in addition to the one
  # targeting the host platform.
  depsBuildBuild = [ buildPackages.stdenv.cc ];

  # Static build against a non-musl libc that ships a separate `static`
  # output: add the libc and its static archives as inputs.
  buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [
    stdenv.cc.libc
    stdenv.cc.libc.static
  ];

  enableParallelBuilding = true;

  # The test suite is never run in this build, so it gives no regression signal
  # for the back-ported CVE patches above.
  doCheck = false; # tries to access the net

  # Path of the shell inside the package output.
  passthru.shellPath = "/bin/ash";

  meta = with lib; {
    description = "Tiny versions of common UNIX utilities in a single small executable";
    homepage = "https://busybox.net/";
    license = licenses.gpl2Only;
    mainProgram = "busybox";
    maintainers = with maintainers; [
      TethysSvensson
      qyliss
    ];
    platforms = platforms.linux;
    priority = 15; # below systemd (halt, init, poweroff, reboot) and coreutils
  };
}