+4

pkgs/by-name/pd/pdf2odt/package.nix

··· 49 49 imagemagick 50 50 zip 51 51 ]; 52 52 + execer = [ 53 53 + # zip can exec; confirmed 2 invocations in pdf2odt don't 54 54 + "cannot:${zip}/bin/zip" 55 55 + ]; 52 56 }; 53 57 54 58 meta = with lib; {

+10

pkgs/development/libraries/libarchive/default.nix

··· 23 23 , cmake 24 24 , nix 25 25 , samba 26 26 + 27 27 + # for passthru.lore 28 28 + , binlore 26 29 }: 27 30 28 31 assert xarSupport -> libxml2 != null; ··· 125 128 passthru.tests = { 126 129 inherit cmake nix samba; 127 130 }; 131 131 + 132 132 + # bsdtar is detected as "cannot" because its exec is internal to 133 133 + # calls it makes into libarchive itself. If binlore gains support 134 134 + # for detecting another layer down into libraries, this can be cut. 135 135 + passthru.binlore.out = binlore.synthesize finalAttrs.finalPackage '' 136 136 + execer can bin/bsdtar 137 137 + ''; 128 138 })

+12

pkgs/development/libraries/ncurses/default.nix

··· 11 11 , mouseSupport ? false, gpm 12 12 , unicodeSupport ? true 13 13 , testers 14 14 + , binlore 14 15 }: 15 16 16 17 stdenv.mkDerivation (finalAttrs: { ··· 178 179 179 180 preFixup = lib.optionalString (!stdenv.hostPlatform.isCygwin && !enableStatic) '' 180 181 rm "$out"/lib/*.a 182 182 + ''; 183 183 + 184 184 + # I'm not very familiar with ncurses, but it looks like most of the 185 185 + # exec here will run hard-coded executables. There's one that is 186 186 + # dynamic, but it looks like it only comes from executing a terminfo 187 187 + # file, so I think it isn't going to be under user control via CLI? 188 188 + # Happy to have someone help nail this down in either direction! 189 189 + # The "capability" is 'iprog', and I could only find 1 real example: 190 190 + # https://invisible-island.net/ncurses/terminfo.ti.html#tic-linux-s 191 191 + passthru.binlore.out = binlore.synthesize ncurses '' 192 192 + execer cannot bin/{reset,tput,tset} 181 193 ''; 182 194 183 195 meta = with lib; {

+138 -27

pkgs/development/tools/analysis/binlore/default.nix

··· 56 56 # in here, but I'm erring on the side of flexibility 57 57 # since this form will make it easier to pilot other 58 58 # uses of binlore. 59 59 - callback = lore: drv: overrides: '' 59 59 + callback = lore: drv: '' 60 60 if [[ -d "${drv}/bin" ]] || [[ -d "${drv}/lib" ]] || [[ -d "${drv}/libexec" ]]; then 61 61 echo generating binlore for $drv by running: 62 62 echo "${yara}/bin/yara --scan-list --recursive ${lore.rules} <(printf '%s\n' ${drv}/{bin,lib,libexec}) | ${yallback}/bin/yallback ${lore.yallback}" 63 63 else 64 64 echo "failed to generate binlore for $drv (none of ${drv}/{bin,lib,libexec} exist)" 65 65 fi 66 66 - '' + 67 67 - /* 68 68 - Override lore for some packages. Unsure, but for now: 69 69 - 1. start with the ~name (pname-version) 70 70 - 2. remove characters from the end until we find a match 71 71 - in overrides/ 72 72 - 3. execute the override script with the list of expected 73 73 - lore types 74 74 - */ 75 75 - '' 76 76 - i=''${#identifier} 77 77 - filter= 78 78 - while [[ $i > 0 ]] && [[ -z "$filter" ]]; do 79 79 - if [[ -f "${overrides}/''${identifier:0:$i}" ]]; then 80 80 - filter="${overrides}/''${identifier:0:$i}" 81 81 - echo using "${overrides}/''${identifier:0:$i}" to generate overriden binlore for $drv 82 82 - break 83 83 - fi 84 84 - ((i--)) || true # don't break build 85 85 - done # || true # don't break build 66 66 + 86 67 if [[ -d "${drv}/bin" ]] || [[ -d "${drv}/lib" ]] || [[ -d "${drv}/libexec" ]]; then 87 87 - ${yara}/bin/yara --scan-list --recursive ${lore.rules} <(printf '%s\n' ${drv}/{bin,lib,libexec}) | ${yallback}/bin/yallback ${lore.yallback} "$filter" 68 68 + ${yara}/bin/yara --scan-list --recursive ${lore.rules} <(printf '%s\n' ${drv}/{bin,lib,libexec}) | ${yallback}/bin/yallback ${lore.yallback} 88 69 fi 89 70 ''; 90 71 }; 91 91 - overrides = (src + "/overrides"); 92 72 93 73 in rec { 74 74 + /* 75 75 + Output a directory containing lore for multiple drvs. 76 76 + 77 77 + This will `make` lore for drv in drvs and then combine lore 78 78 + of the same type across all packages into a single file. 79 79 + 80 80 + When drvs are also specified in the strip argument, corresponding 81 81 + lore is made relative by stripping the path of each drv from 82 82 + matching entries. (This is mainly useful in a build process that 83 83 + uses a chain of two or more derivations where the output of one 84 84 + is the source for the next. See resholve for an example.) 85 85 + */ 94 86 collect = { lore ? loreDef, drvs, strip ? [ ] }: (runCommand "more-binlore" { } '' 95 87 mkdir $out 96 88 for lorefile in ${toString lore.types}; do 97 89 cat ${lib.concatMapStrings (x: x + "/$lorefile ") (map (make lore) (map lib.getBin (builtins.filter lib.isDerivation drvs)))} > $out/$lorefile 98 98 - substituteInPlace $out/$lorefile ${lib.concatMapStrings (x: "--replace '${x}/' '' ") strip} 90 90 + substituteInPlace $out/$lorefile ${lib.concatMapStrings (x: "--replace-quiet '${x}/' '' ") strip} 99 91 done 100 92 ''); 101 101 - # TODO: echo for debug, can be removed at some point 93 93 + 94 94 + /* 95 95 + Output a directory containing lore for a single drv. 96 96 + 97 97 + This produces lore for the derivation (via lore.callback) and 98 98 + appends any lore that the derivation itself wrote to nix-support 99 99 + or which was overridden in drv.binlore.<outputName> (passthru). 100 100 + 101 101 + > *Note*: Since the passthru is attached to all outputs, binlore 102 102 + > is an attrset namespaced by outputName to support packages with 103 103 + > executables in more than one output. 104 104 + 105 105 + Since the last entry wins, the effective priority is: 106 106 + drv.binlore.<outputName> > $drv/nix-support > lore generated here by callback 107 107 + */ 102 108 make = lore: drv: runCommand "${drv.name}-binlore" { 103 103 - identifier = drv.name; 104 109 drv = drv; 105 110 } ('' 106 111 mkdir $out 107 112 touch $out/{${builtins.concatStringsSep "," lore.types}} 108 113 109 109 - ${lore.callback lore drv overrides} 114 114 + ${lore.callback lore drv} 115 115 + '' + 116 116 + # append lore from package's $out and drv.binlore.${drv.outputName} (last entry wins) 117 117 + '' 118 118 + for lore_type in ${builtins.toString lore.types}; do 119 119 + if [[ -f "${drv}/nix-support/$lore_type" ]]; then 120 120 + cat "${drv}/nix-support/$lore_type" >> "$out/$lore_type" 121 121 + fi 122 122 + '' + lib.optionalString (builtins.hasAttr "binlore" drv && builtins.hasAttr drv.outputName drv.binlore) '' 123 123 + if [[ -f "${drv.binlore."${drv.outputName}"}/$lore_type" ]]; then 124 124 + cat "${drv.binlore."${drv.outputName}"}/$lore_type" >> "$out/$lore_type" 125 125 + fi 126 126 + '' + '' 127 127 + done 110 128 111 129 echo binlore for $drv written to $out 112 130 ''); 131 131 + 132 132 + /* 133 133 + Utility function for creating override lore for drv. 134 134 + 135 135 + We normally attach this lore to `drv.passthru.binlore.<outputName>`. 136 136 + 137 137 + > *Notes*: 138 138 + > - Since the passthru is attached to all outputs, binlore is an 139 139 + > attrset namespaced by outputName to support packages with 140 140 + > executables in more than one output. You'll generally just use 141 141 + > `out` or `bin`. 142 142 + > - We can reconsider the passthru attr name if someone adds 143 143 + > a new lore provider. We settled on `.binlore` for now to make it 144 144 + > easier for people to figure out what this is for. 145 145 + 146 146 + The lore argument should be a Shell script (string) that generates 147 147 + the necessary lore. You can use arbitrary Shell, but this function 148 148 + includes a shell DSL you can use to declare/generate lore in most 149 149 + cases. It has the following functions: 150 150 + 151 151 + - `execer <verdict> [<path>...]` 152 152 + - `wrapper <wrapper_path> <original_path>` 153 153 + 154 154 + Writing every override explicitly in a Nix list would be tedious 155 155 + for large packages, but this small shell DSL enables us to express 156 156 + many overrides efficiently via pathname expansion/globbing. 157 157 + 158 158 + Here's a very general example of both functions: 159 159 + 160 160 + passthru.binlore.out = binlore.synthesize finalAttrs.finalPackage '' 161 161 + execer can bin/hello bin/{a,b,c} 162 162 + wrapper bin/hello bin/.hello-wrapped 163 163 + ''; 164 164 + 165 165 + And here's a specific example of how pathname expansion enables us 166 166 + to express lore for the single-binary variant of coreutils while 167 167 + being both explicit and (somewhat) efficient: 168 168 + 169 169 + passthru = {} // optionalAttrs (singleBinary != false) { 170 170 + binlore.out = binlore.synthesize coreutils '' 171 171 + execer can bin/{chroot,env,install,nice,nohup,runcon,sort,split,stdbuf,timeout} 172 172 + execer cannot bin/{[,b2sum,base32,base64,basename,basenc,cat,chcon,chgrp,chmod,chown,cksum,comm,cp,csplit,cut,date,dd,df,dir,dircolors,dirname,du,echo,expand,expr,factor,false,fmt,fold,groups,head,hostid,id,join,kill,link,ln,logname,ls,md5sum,mkdir,mkfifo,mknod,mktemp,mv,nl,nproc,numfmt,od,paste,pathchk,pinky,pr,printenv,printf,ptx,pwd,readlink,realpath,rm,rmdir,seq,sha1sum,sha224sum,sha256sum,sha384sum,sha512sum,shred,shuf,sleep,stat,stty,sum,sync,tac,tail,tee,test,touch,tr,true,truncate,tsort,tty,uname,unexpand,uniq,unlink,uptime,users,vdir,wc,who,whoami,yes} 173 173 + ''; 174 174 + }; 175 175 + 176 176 + Caution: Be thoughtful about using a bare wildcard (*) glob here. 177 177 + We should generally override lore only when a human understands if 178 178 + the executable will exec arbitrary user-passed executables. A bare 179 179 + glob can match new executables added in future package versions 180 180 + before anyone can audit them. 181 181 + */ 182 182 + synthesize = drv: loreSynthesizingScript: runCommand "${drv.name}-lore-override" { 183 183 + drv = drv; 184 184 + } ('' 185 185 + execer(){ 186 186 + local verdict="$1" 187 187 + 188 188 + shift 189 189 + 190 190 + for path in "$@"; do 191 191 + if [[ -f "$PWD/$path" ]]; then 192 192 + echo "$verdict:$PWD/$path" 193 193 + else 194 194 + echo "error: Tried to synthesize execer lore for missing file: $PWD/$path" >&2 195 195 + exit 2 196 196 + fi 197 197 + done 198 198 + } >> $out/execers 199 199 + 200 200 + wrapper(){ 201 201 + local wrapper="$1" 202 202 + local original="$2" 203 203 + 204 204 + if [[ ! -f "$wrapper" ]]; then 205 205 + echo "error: Tried to synthesize wrapper lore for missing wrapper: $PWD/$wrapper" >&2 206 206 + exit 2 207 207 + fi 208 208 + 209 209 + if [[ ! -f "$original" ]]; then 210 210 + echo "error: Tried to synthesize wrapper lore for missing original: $PWD/$original" >&2 211 211 + exit 2 212 212 + fi 213 213 + 214 214 + echo "$PWD/$wrapper:$PWD/$original" 215 215 + 216 216 + } >> $out/wrappers 217 217 + 218 218 + mkdir $out 219 219 + 220 220 + # lore override commands are relative to the drv root 221 221 + cd $drv 222 222 + 223 223 + '' + loreSynthesizingScript); 113 224 }

+9

pkgs/os-specific/linux/nixos-rebuild/default.nix

··· 10 10 , lib 11 11 , nixosTests 12 12 , installShellFiles 13 13 + , binlore 14 14 + , nixos-rebuild 13 15 }: 14 16 let 15 17 fallback = import ./../../../../nixos/modules/installer/tools/nix-fallback-paths.nix; ··· 48 50 specialisations = nixosTests.nixos-rebuild-specialisations; 49 51 target-host = nixosTests.nixos-rebuild-target-host; 50 52 }; 53 53 + 54 54 + # nixos-rebuild can’t execute its arguments 55 55 + # (but it can run ssh with the with the options stored in $NIX_SSHOPTS, 56 56 + # and ssh can execute its arguments...) 57 57 + passthru.binlore.out = binlore.synthesize nixos-rebuild '' 58 58 + execer cannot bin/nixos-rebuild 59 59 + ''; 51 60 52 61 meta = { 53 62 description = "Rebuild your NixOS configuration and switch to it, on local hosts and remote";

+9

pkgs/os-specific/linux/procps-ng/default.nix

··· 15 15 # exception is ‘watch’ which is portable enough to run on pretty much 16 16 # any UNIX-compatible system. 17 17 , watchOnly ? !(stdenv.isLinux || stdenv.isCygwin) 18 18 + 19 19 + , binlore 20 20 + , procps 18 21 }: 19 22 20 23 stdenv.mkDerivation rec { ··· 59 62 installPhase = lib.optionalString watchOnly '' 60 63 install -m 0755 -D watch $out/bin/watch 61 64 install -m 0644 -D watch.1 $out/share/man/man1/watch.1 65 65 + ''; 66 66 + 67 67 + # no obvious exec in documented arguments; haven't trawled source 68 68 + # to figure out what exec binlore hits on 69 69 + passthru.binlore.out = binlore.synthesize procps '' 70 70 + execer cannot bin/{ps,top,free} 62 71 ''; 63 72 64 73 meta = with lib; {

+23 -1

pkgs/tools/misc/coreutils/default.nix

··· 7 7 , perl 8 8 , texinfo 9 9 , xz 10 10 + , binlore 11 11 + , coreutils 10 12 , gmpSupport ? true, gmp 11 13 , aclSupport ? stdenv.isLinux, acl 12 14 , attrSupport ? stdenv.isLinux, attr ··· 27 29 assert selinuxSupport -> libselinux != null && libsepol != null; 28 30 29 31 let 30 30 - inherit (lib) concatStringsSep isString optional optionals optionalString; 32 32 + inherit (lib) concatStringsSep isString optional optionalAttrs optionals optionalString; 31 33 isCross = (stdenv.hostPlatform != stdenv.buildPlatform); 32 34 in 33 35 stdenv.mkDerivation rec { ··· 180 182 + optionalString minimal '' 181 183 rm -r "$out/share" 182 184 ''; 185 185 + 186 186 + passthru = {} // optionalAttrs (singleBinary != false) { 187 187 + # everything in the single binary gets the same verdict, so we 188 188 + # override _that case_ with verdicts from separate binaries. 189 189 + # 190 190 + # binlore only spots exec in runcon on some platforms (i.e., not 191 191 + # darwin; see comment on inverse case below) 192 192 + binlore.out = binlore.synthesize coreutils '' 193 193 + execer can bin/{chroot,env,install,nice,nohup,runcon,sort,split,stdbuf,timeout} 194 194 + execer cannot bin/{[,b2sum,base32,base64,basename,basenc,cat,chcon,chgrp,chmod,chown,cksum,comm,cp,csplit,cut,date,dd,df,dir,dircolors,dirname,du,echo,expand,expr,factor,false,fmt,fold,groups,head,hostid,id,join,kill,link,ln,logname,ls,md5sum,mkdir,mkfifo,mknod,mktemp,mv,nl,nproc,numfmt,od,paste,pathchk,pinky,pr,printenv,printf,ptx,pwd,readlink,realpath,rm,rmdir,seq,sha1sum,sha224sum,sha256sum,sha384sum,sha512sum,shred,shuf,sleep,stat,stty,sum,sync,tac,tail,tee,test,touch,tr,true,truncate,tsort,tty,uname,unexpand,uniq,unlink,uptime,users,vdir,wc,who,whoami,yes} 195 195 + ''; 196 196 + } // optionalAttrs (singleBinary == false) { 197 197 + # binlore only spots exec in runcon on some platforms (i.e., not 198 198 + # darwin; I have a note that the behavior may need selinux?). 199 199 + # hard-set it so people working on macOS don't miss cases of 200 200 + # runcon until ofBorg fails. 201 201 + binlore.out = binlore.synthesize coreutils '' 202 202 + execer can bin/runcon 203 203 + ''; 204 204 + }; 183 205 184 206 meta = with lib; { 185 207 homepage = "https://www.gnu.org/software/coreutils/";

+5 -1

pkgs/tools/misc/linuxquota/default.nix

··· 1 1 - { lib, stdenv, fetchurl, e2fsprogs, openldap, pkg-config }: 1 1 + { lib, stdenv, fetchurl, e2fsprogs, openldap, pkg-config, binlore, linuxquota }: 2 2 3 3 stdenv.mkDerivation rec { 4 4 version = "4.09"; ··· 13 13 14 14 nativeBuildInputs = [ pkg-config ]; 15 15 buildInputs = [ e2fsprogs openldap ]; 16 16 + 17 17 + passthru.binlore.out = binlore.synthesize linuxquota '' 18 18 + execer cannot bin/quota 19 19 + ''; 16 20 17 21 meta = with lib; { 18 22 description = "Tools to manage kernel-level quotas in Linux";

+7

pkgs/tools/nix/nixos-install-tools/default.nix

··· 8 8 nixos-install-tools, 9 9 runCommand, 10 10 nixosTests, 11 11 + binlore, 11 12 }: 12 13 let 13 14 inherit (nixos {}) config; ··· 62 63 touch $out 63 64 ''; 64 65 }; 66 66 + 67 67 + # no documented flags show signs of exec; skim of source suggests 68 68 + # it's just --help execing man 69 69 + passthru.binlore.out = binlore.synthesize nixos-install-tools '' 70 70 + execer cannot bin/nixos-generate-config 71 71 + ''; 65 72 }).overrideAttrs { 66 73 inherit version; 67 74 pname = "nixos-install-tools";

+9 -1

pkgs/tools/text/esh/default.nix

··· 1 1 - { lib, stdenv, fetchFromGitHub, asciidoctor, gawk, gnused, runtimeShell }: 1 1 + { lib, stdenv, fetchFromGitHub, asciidoctor, gawk, gnused, runtimeShell, binlore, esh }: 2 2 3 3 stdenv.mkDerivation rec { 4 4 pname = "esh"; ··· 29 29 30 30 doCheck = true; 31 31 checkTarget = "test"; 32 32 + 33 33 + # working around a bug in file. Was fixed in 34 34 + # file 5.41-5.43 but regressed in 5.44+ 35 35 + # see https://bugs.astron.com/view.php?id=276 36 36 + # "can" verdict because of `-s SHELL` arg 37 37 + passthru.binlore.out = binlore.synthesize esh '' 38 38 + execer can bin/esh 39 39 + ''; 32 40 33 41 meta = with lib; { 34 42 description = "Simple templating engine based on shell";

+33 -2

pkgs/top-level/unixtools.nix

··· 1 1 - { pkgs, buildEnv, runCommand, lib, stdenv, freebsd }: 1 1 + { pkgs, buildEnv, runCommand, lib, stdenv, freebsd, binlore }: 2 2 3 3 # These are some unix tools that are commonly included in the /usr/bin 4 4 # and /usr/sbin directory under more normal distributions. Along with ··· 30 30 priority = 10; 31 31 platforms = platforms.${stdenv.hostPlatform.parsed.kernel.name} or platforms.all; 32 32 }; 33 33 - passthru = { inherit provider; }; 33 33 + passthru = { inherit provider; } // lib.optionalAttrs (builtins.hasAttr "binlore" providers) { 34 34 + binlore.out = (binlore.synthesize (getBin bins.${cmd}) providers.binlore); 35 35 + }; 34 36 preferLocalBuild = true; 35 37 } '' 36 38 if ! [ -x ${bin} ]; then ··· 76 78 linux = if stdenv.hostPlatform.libc == "glibc" then pkgs.stdenv.cc.libc 77 79 else pkgs.netbsd.getconf; 78 80 darwin = pkgs.darwin.system_cmds; 81 81 + # I don't see any obvious arg exec in the doc/manpage 82 82 + binlore = '' 83 83 + execer cannot bin/getconf 84 84 + ''; 79 85 }; 80 86 getent = { 81 87 linux = if stdenv.hostPlatform.libc == "glibc" then pkgs.stdenv.cc.libc.getent ··· 118 124 linux = pkgs.glibc; 119 125 darwin = pkgs.darwin.adv_cmds; 120 126 freebsd = pkgs.freebsd.locale; 127 127 + # technically just targeting glibc version 128 128 + # no obvious exec in manpage 129 129 + binlore = '' 130 130 + execer cannot bin/locale 131 131 + ''; 121 132 }; 122 133 logger = { 123 134 linux = pkgs.util-linux; ··· 130 141 linux = pkgs.util-linux; 131 142 darwin = pkgs.darwin.diskdev_cmds; 132 143 freebsd = freebsd.mount; 144 144 + # technically just targeting the darwin version; binlore already 145 145 + # ids the util-linux copy as 'cannot' 146 146 + # no obvious exec in manpage args; I think binlore flags 'can' 147 147 + # on the code to run `mount_<filesystem>` variants 148 148 + binlore = '' 149 149 + execer cannot bin/mount 150 150 + ''; 133 151 }; 134 152 netstat = { 135 153 linux = pkgs.nettools; ··· 145 163 linux = pkgs.procps; 146 164 darwin = pkgs.darwin.ps; 147 165 freebsd = pkgs.freebsd.bin; 166 166 + # technically just targeting procps ps (which ids as can) 167 167 + # but I don't see obvious exec in args; have yet to look 168 168 + # for underlying cause in source 169 169 + binlore = '' 170 170 + execer cannot bin/ps 171 171 + ''; 148 172 }; 149 173 quota = { 150 174 linux = pkgs.linuxquota; ··· 168 192 linux = pkgs.procps; 169 193 darwin = pkgs.darwin.top; 170 194 freebsd = pkgs.freebsd.top; 195 195 + # technically just targeting procps top; haven't needed this in 196 196 + # any scripts so far, but overriding it for consistency with ps 197 197 + # override above and in procps. (procps also overrides 'free', 198 198 + # but it isn't included here.) 199 199 + binlore = '' 200 200 + execer cannot bin/top 201 201 + ''; 171 202 }; 172 203 umount = { 173 204 linux = pkgs.util-linux;