diff options
Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/checksec/default.nix')
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/checksec/default.nix | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/checksec/default.nix b/nixpkgs/pkgs/os-specific/linux/checksec/default.nix new file mode 100644 index 000000000000..07574722cd20 --- /dev/null +++ b/nixpkgs/pkgs/os-specific/linux/checksec/default.nix @@ -0,0 +1,105 @@ +{ lib +, stdenv +, fetchpatch +, fetchFromGitHub +, makeWrapper +, testers +, runCommand + + # dependencies +, binutils +, coreutils +, curl +, elfutils +, file +, findutils +, gawk +, glibc +, gnugrep +, gnused +, openssl +, procps +, sysctl +, wget +, which + + # tests +, checksec +}: + +stdenv.mkDerivation rec { + pname = "checksec"; + version = "2.6.0"; + + src = fetchFromGitHub { + owner = "slimm609"; + repo = "checksec.sh"; + rev = version; + hash = "sha256-BWtchWXukIDSLJkFX8M/NZBvfi7vUE2j4yFfS0KEZDo="; + }; + + patches = [ + ./0001-attempt-to-modprobe-config-before-checking-kernel.patch + # Tool would sanitize the environment, removing the PATH set by our wrapper. + ./0002-don-t-sanatize-the-environment.patch + # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version. + (fetchpatch { + url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch"; + hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE="; + }) + ]; + + nativeBuildInputs = [ + makeWrapper + ]; + + installPhase = + let + path = lib.makeBinPath [ + binutils + coreutils + curl + elfutils + file + findutils + gawk + gnugrep + gnused + openssl + procps + sysctl + wget + which + ]; + in + '' + mkdir -p $out/bin + install checksec $out/bin + substituteInPlace $out/bin/checksec \ + --replace "/bin/sed" "${gnused}/bin/sed" \ + --replace "/usr/bin/id" "${coreutils}/bin/id" \ + --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6" + wrapProgram $out/bin/checksec \ + --prefix PATH : ${path} + ''; + + passthru.tests = { + version = testers.testVersion { + package = checksec; + version = "v${version}"; + }; + debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } '' + checksec --debug_report || exit 1 + echo "OK" + touch $out + ''; + }; + + meta = with lib; { + description = "Tool for checking security bits on executables"; + homepage = "https://www.trapkit.de/tools/checksec/"; + license = licenses.bsd3; + platforms = platforms.linux; + maintainers = with maintainers; [ thoughtpolice globin ]; + }; +} |