author | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-30 12:26:56 -0600 |
committer | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-30 12:26:56 -0600 |
commit | d8ecd5eb0d30c3dc302e336755a4a1d6d0cb1ba4 (patch) | |
tree | d2e7805aa5bdff96bf1f89849515904a1b892ae4 /nixos/modules/security/wrappers | |
parent | 264db4e30936cbb4dd9f88123aafb42a5259e74f (diff) | |
Switching to individually generated derivations
Diffstat (limited to 'nixos/modules/security/wrappers')
-rw-r--r-- | nixos/modules/security/wrappers/default.nix | 46 |
1 files changed, 26 insertions, 20 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 71799175011c..757765ed08c4 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -8,21 +8,24 @@ let
 (n: v: (if v ? "program" then v else v // {program=n;})) wrappers);
- mkWrapper = { program, source ? null, ...}: ''
- parentWrapperDir=$(dirname ${wrapperDir})
- gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
- -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
- -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
- '';
-
- wrappedPrograms = pkgs.stdenv.mkDerivation {
- name = "permissions-wrapper";
- unpackPhase = "true";
- installPhase = ''
- mkdir -p $out/bin
- ${lib.concatMapStrings mkWrapper programs}
- '';
- };
+ mkWrapper = { program, source ? null, ...}:
+ let buildWrapper = ''
+ parentWrapperDir=$(dirname ${wrapperDir})
+ gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
+ -Wformat -Wformat-security -Werror=format-security \
+ -fstack-protector-strong --param ssp-buffer-size=4 \
+ -D_FORTIFY_SOURCE=2 -fPIC \
+ -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
+ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
+ '';
+ in pkgs.stdenv.mkDerivation {
+ name = "${program}-wrapper";
+ unpackPhase = "true";
+ installPhase = ''
+ mkdir -p $out/bin
+ ${buildWrapper}
+ '';
+ };
 ###### Activation script for the setcap wrappers
 mkSetcapProgram =
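Review bot: The hardening flags added to the gcc line in mkWrapper protect the stack and libc calls but do not make the wrapper a position-independent executable: `-fPIC` only affects code generation, and without `-fPIE -pie` at link time the main image of this privileged setuid/setcap binary is loaded at a fixed address, so ASLR does not cover it. Consider replacing the `-D_FORTIFY_SOURCE=2 -fPIC \` line with `-D_FORTIFY_SOURCE=2 -fPIE -pie \` and adding `-Wl,-z,relro -Wl,-z,now \` so the GOT is read-only once loaded. The stdenv cc wrapper of this nixpkgs revision may already inject some of these flags by default — I cannot confirm from the hunk — in which case the explicit ones are redundant but harmless, and a comment such as `# hardening spelled out explicitly: this binary runs setuid / with file capabilities` would record why they are repeated here. Separately, the new mkWrapper keeps `source ? null` while interpolating `${source}` into the gcc line, so a caller that omits source fails at evaluation with an opaque coercion error rather than a clear message. The enclosing `let` binding list starts before this hunk.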
@@ -32,10 +35,11 @@ let
 , owner ? "nobody"
 , group ? "nogroup"
 , ...
- }:
+ }:
 assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
- ''
- cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}
+ let wrapperDrv = mkWrapper { inherit program source; };
+ in ''
+ cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
 # Prevent races
 chmod 0000 $wrapperDir/${program}
@@ -60,8 +64,10 @@ let
 , setgid ? false
 , permissions ? "u+rx,g+x,o+x"
 , ...
- }: ''
- cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}
+ }:
+ let wrapperDrv = mkWrapper { inherit program source; };
+ in ''
+ cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
 # Prevent races
 chmod 0000 $wrapperDir/${program} |
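Review bot: Both hunks here (mkSetcapProgram at @@ -32 and the setuid/setgid generator at @@ -60, whose name is not visible in the hunk header) introduce the identical prelude `let wrapperDrv = mkWrapper { inherit program source; }; in ''`; factoring it once, e.g. a binding like `wrapperFor = args: mkWrapper { inherit (args) program source; };` used by both, would keep the two activation-script generators from drifting apart as more flags are added to mkWrapper. `inherit program source` passes whatever `source` the caller bound, and if that is null the `${source}` interpolation inside mkWrapper fails at evaluation rather than here, so a short comment such as `# source must be a store path; mkWrapper cannot build without it` at the call site would make the requirement explicit. The argument sets of both functions begin before their hunks, so whether `source` is declared with a default there is not visible.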