Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/checksec')
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch | 27 | ||||
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/checksec/default.nix | 43 |
2 files changed, 70 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch b/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
new file mode 100644
index 000000000000..2caf52f3c0a3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
@@ -0,0 +1,27 @@
+From 6503848d9e0eb009e5f462116a963beacb208930 Mon Sep 17 00:00:00 2001
+From: Austin Seipp <aseipp@pobox.com>
+Date: Thu, 20 Feb 2014 00:11:44 -0600
+Subject: [PATCH] attempt to 'modprobe config' before checking kernel
+
+Signed-off-by: Austin Seipp <aseipp@pobox.com>
+---
+ checksec.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/checksec.sh b/checksec.sh
+index dd1f72e..63acc29 100644
+--- a/checksec.sh
++++ b/checksec.sh
+@@ -337,7 +337,8 @@ kernelcheck() {
+ printf " userspace processes, this option lists the status of kernel configuration\n"
+ printf " options that harden the kernel itself against attack.\n\n"
+ printf " Kernel config: "
+-
++
++ modprobe configs 2> /dev/null
+ if [ -f /proc/config.gz ] ; then
+ kconfig="zcat /proc/config.gz"
+ printf "\033[32m/proc/config.gz\033[m\n\n"
+--
+1.8.3.2
+
diff --git a/nixpkgs/pkgs/os-specific/linux/checksec/default.nix b/nixpkgs/pkgs/os-specific/linux/checksec/default.nix
new file mode 100644
index 000000000000..6c927ae93afb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/checksec/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, fetchurl, file, findutils, binutils-unwrapped, glibc, coreutils, sysctl }:
+
+stdenv.mkDerivation rec {
+ name = "checksec-${version}";
+ version = "1.5";
+
+ src = fetchurl {
+ url = "https://www.trapkit.de/tools/checksec.sh";
+ sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p";
+ };
+
+ patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ];
+
+ unpackPhase = ''
+ mkdir ${name}
+ cp $src ${name}/checksec.sh
+ cd ${name}
+ '';
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp checksec.sh $out/bin/checksec
+ chmod +x $out/bin/checksec
+ substituteInPlace $out/bin/checksec --replace /bin/bash ${stdenv.shell}
+ substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
+ substituteInPlace $out/bin/checksec --replace find ${findutils}/bin/find
+ substituteInPlace $out/bin/checksec --replace "file $" "${file}/bin/file $"
+ substituteInPlace $out/bin/checksec --replace "xargs file" "xargs ${file}/bin/file"
+ substituteInPlace $out/bin/checksec --replace " readelf -" " ${binutils-unwrapped}/bin/readelf -"
+ substituteInPlace $out/bin/checksec --replace "(readelf -" "(${binutils-unwrapped}/bin/readelf -"
+ substituteInPlace $out/bin/checksec --replace "command_exists readelf" "command_exists ${binutils-unwrapped}/bin/readelf"
+ substituteInPlace $out/bin/checksec --replace "/sbin/sysctl -" "${sysctl}/bin/sysctl -"
+ substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+ '';
+
+ meta = {
+ description = "A tool for checking security bits on executables";
+ homepage = "http://www.trapkit.de/tools/checksec.html";
+ license = stdenv.lib.licenses.bsd3;
+ platforms = stdenv.lib.platforms.linux;
+ maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
+ };
+} |
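Review bot: The installPhase pins `find`, `file`, `readelf`, `sysctl` and `id` to store paths, but the `modprobe configs` call added by the bundled patch, and the `zcat` visible in that patch's context, are still resolved through PATH at run time. The kernel check is plausibly the mode run with elevated privileges, and in that case whichever `modprobe` comes first in the caller's PATH is what executes. I would add `kmod` and `gzip` to the argument set and rewrite both, e.g. `substituteInPlace $out/bin/checksec --replace "modprobe configs" "${kmod}/bin/modprobe configs"` and `--replace "zcat /proc" "${gzip}/bin/zcat /proc"`. Separately, `--replace find ${findutils}/bin/find` matches every occurrence of the substring `find`, including inside other words or messages; a pattern with surrounding context, as the `" readelf -"` rules already use, would be safer.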