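# Builds the OpenSnitch eBPF object files against one specific kernel.
#
# The sources come from the `opensnitch` package (its `ebpf_prog` subdirectory)
# and are compiled with the kernel tree and headers taken from `kernel.dev`.
# The result is a set of `opensnitch*.o` files under $out/etc/opensnitchd,
# installed with mode 0644 and stripped of debug sections.
{
  lib,
  kernel,
  stdenv,
  clang-tools,
  llvmPackages,
  elfutils,
  flex,
  bison,
  bc,
  opensnitch,
}:

stdenv.mkDerivation rec {
  pname = "opensnitch_ebpf";
  # The objects are tied to the kernel they were built against, so the version
  # records both the OpenSnitch release and the kernel release.
  version = "${opensnitch.version}-${kernel.version}";

  # Reuse the exact source of the opensnitch package so both are built from
  # the same tree.
  inherit (opensnitch) src;

  sourceRoot = "${src.name}/ebpf_prog";

  nativeBuildInputs = with llvmPackages; [
    bc
    bison
    clang
    clang-tools
    elfutils
    flex
    libllvm
  ];

  # We set -fno-stack-protector here to work around a clang regression.
  # This is fine - bpf programs do not use stack protectors
  # https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=opensnitch-ebpf-module&id=984b952a784eb701f691dd9f2d45dfeb8d15053b
  # The flag is set on this derivation only, so it applies to the objects
  # compiled here and to nothing else.
  env.NIX_CFLAGS_COMPILE = "-fno-stack-protector";

  # Kernel source and build trees of the selected kernel, exported to the build.
  env.KERNEL_DIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/source";
  env.KERNEL_HEADERS = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";

  # NOTE(review): nothing in this file consumes `extraConfig`; on a plain
  # stdenv.mkDerivation it is presumably only passed through to the builder's
  # environment. If CONFIG_UPROBE_EVENTS is a hard requirement on the target
  # kernel, confirm where that requirement is actually enforced.
  extraConfig = ''
    CONFIG_UPROBE_EVENTS=y
  '';

  # Install every built object as a plain data file (0644, not executable).
  installPhase = ''
    runHook preInstall

    for file in opensnitch*.o; do
      install -Dm644 "$file" "$out/etc/opensnitchd/$file"
    done

    runHook postInstall
  '';

  # Expansions are quoted so that each path reaches llvm-strip as one argument.
  postFixup = ''
    # reduces closure size significantly (fixes https://github.com/NixOS/nixpkgs/issues/391351)
    for file in "$out"/etc/opensnitchd/*.o; do
      llvm-strip --strip-debug "$file"
    done
  '';

  # Attributes are spelled out through `lib.` instead of `with lib;` so that
  # every name's origin is visible.
  meta = {
    description = "eBPF process monitor module for OpenSnitch";
    homepage = "https://github.com/evilsocket/opensnitch";
    license = lib.licenses.gpl3Only;
    maintainers = [ lib.maintainers.onny ];
    platforms = lib.platforms.linux;
  };
}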