From a58a8909a1a15b50013530ff54e1a66b66daf5d4 Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Wed, 21 Jun 2023 15:41:10 -0400
Subject: checksec: add missing deps, don't clean env

Fix dependencies that are required by checksec. Previously, checksec would sanitiz PATH, removing the PATH set by the wrapper. A patch was added to remove this behavior. Also replacing tools referenced with an absolute path with their store path.

Co-authored-by: Jonathan Cooper
---
 .../0002-don-t-sanatize-the-environment.patch | 25 ++++++++++++++
 pkgs/os-specific/linux/checksec/default.nix | 40 +++++++++++++++++-----
 2 files changed, 57 insertions(+), 8 deletions(-)
 create mode 100644 pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
(limited to 'pkgs/os-specific')

diff --git a/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch b/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
new file mode 100644
index 0000000000000..bd639574f63f3
--- /dev/null
+++ b/pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch
@@ -0,0 +1,25 @@
+From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+Date: Mon, 13 Nov 2023 20:24:54 +0000
+Subject: [PATCH] don't sanatize the environment
+
+---
+ checksec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/checksec b/checksec
+index 4fc3c31..135223a 100755
+--- a/checksec
++++ b/checksec
+@@ -2,9 +2,6 @@
+ # Do not edit this file directly, this file is generated from the files
+ # in the src directory. Any updates to this file will be overwritten when generated
+ 
+-# sanitize the environment before run
+-[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
+-
+ # --- Modified Version ---
+ # Name : checksec.sh
+ # Version : 1.7.0
+-- 
+2.42.0
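Review bot: Deleting the `exec -c "$0" "$@"` re-exec removes the only step that cleared the caller's environment before checksec and the tools it spawns run, so variables such as LD_PRELOAD or LD_LIBRARY_PATH now reach those child processes, and for a tool that inspects binaries on possibly hostile hosts that hardening was worth keeping. The wrapper's actual problem is only that PATH is dropped together with everything else, so the line can be rewritten to keep PATH rather than deleted: `[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_|PATH)=/d')" ]] && exec -c /usr/bin/env PATH="$PATH" "$0" "$@"`. The `/usr/bin/env` reference would then need the same store-path substitution that default.nix already applies to `/bin/sed` and `/usr/bin/id`, and the patch subject's "sanatize" should read "sanitize". The script continues past this hunk; I have not checked whether anything later assumes a cleaned environment.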
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index 1bdd4cf5f6779..74b73e1e933a2 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,14 +1,25 @@
 { lib
 , stdenv
+, fetchpatch
 , fetchFromGitHub
 , makeWrapper
+
+  # dependencies
+, binutils
+, coreutils
+, curl
+, elfutils
 , file
 , findutils
-, binutils-unwrapped
+, gawk
 , glibc
-, coreutils
-, sysctl
+, gnugrep
+, gnused
 , openssl
+, procps
+, sysctl
+, wget
+, which
 }:
 
 stdenv.mkDerivation rec {
@@ -24,6 +35,8 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
+    # Tool would sanitize the environment, removing the PATH set by our wrapper.
+    ./0002-don-t-sanatize-the-environment.patch
   ];
 
   nativeBuildInputs = [
@@ -33,18 +46,29 @@ stdenv.mkDerivation rec {
 
   installPhase = let
     path = lib.makeBinPath [
-      findutils
+      binutils
+      coreutils
+      curl
+      elfutils
       file
-      binutils-unwrapped
-      sysctl
+      findutils
+      gawk
+      gnugrep
+      gnused
       openssl
+      procps
+      sysctl
+      wget
+      which
     ];
   in ''
     mkdir -p $out/bin
     install checksec $out/bin
-    substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
-    substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+    substituteInPlace $out/bin/checksec \
+      --replace "/bin/sed" "${gnused}/bin/sed" \
+      --replace "/usr/bin/id" "${coreutils}/bin/id" \
+      --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
     wrapProgram $out/bin/checksec \
       --prefix PATH : ${path}
   '';
-- cgit 1.4.1
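Review bot: `fetchpatch` is added to the argument set in this hunk, but none of the three hunks in this file uses it; the new 0002 patch is a local file in the patches list, so the input is dead weight. Drop `+, fetchpatch`, or if the intent was to pull the patch from upstream, actually use it. An unused input is harmless at evaluation time, but it makes the dependency surface of a security tool harder to audit.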
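Review bot: The new `--replace "/bin/sed" "${gnused}/bin/sed"` targets the same `/bin/sed` call that patch 0002 deletes, so once that patch is applied the pattern may match nothing and `substituteInPlace --replace` will silently do no work. If no other `/bin/sed` reference remains in the script, drop that line; otherwise, where the nixpkgs version in use offers a failing variant of `--replace`, prefer it so that an upstream path change surfaces at build time rather than as a runtime failure. The same silent no-match risk applies to the `/usr/bin/id` and `/lib/libc.so.6` substitutions on the following lines.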