From 96063873e2fd24dd4dbe44f85d079026ef62b6ef Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Sun, 5 Apr 2015 21:13:26 +0200
Subject: checksec: use binutils instead of elfutils readelf which makes most of checks should come from binutils package instead of elfutils E.g. the PIE check from checksec, different readelf gives different result: (elfutils) $ /nix/store/rgrji20513g19ci0sa6jydm86gpf4j42-elfutils-0.158/bin/readelf -d /nix/store/q1sbn93v4k3166s091s9biygv9srv8qa-nginx-1.6.2/bin/nginx 2>/dev/null |grep -q '(DEBUG)' ; echo $? 1 (binutils) $ /nix/store/b8qhjrwf8sf9ggkjxqqav7f1m6w83bh0-binutils-2.23.1/bin/readelf -d /nix/store/q1sbn93v4k3166s091s9biygv9srv8qa-nginx-1.6.2/bin/nginx 2>/dev/null | grep -q '(DEBUG)' ; echo $? 0
---
 pkgs/os-specific/linux/checksec/default.nix | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'pkgs/os-specific/linux/checksec')
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index 4701d774dfdc..b423dc3a0862 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, file, findutils, elfutils, glibc }:
+{ stdenv, fetchurl, file, findutils, binutils, glibc, procps, coreutils }:
 stdenv.mkDerivation rec {
 name = "checksec-${version}";
@@ -25,9 +25,11 @@ stdenv.mkDerivation rec {
 substituteInPlace $out/bin/checksec --replace find ${findutils}/bin/find
 substituteInPlace $out/bin/checksec --replace "file $" "${file}/bin/file $"
 substituteInPlace $out/bin/checksec --replace "xargs file" "xargs ${file}/bin/file"
- substituteInPlace $out/bin/checksec --replace " readelf -" " ${elfutils}/bin/readelf -"
- substituteInPlace $out/bin/checksec --replace "(readelf -" "(${elfutils}/bin/readelf -"
- substituteInPlace $out/bin/checksec --replace "command_exists readelf" "command_exists ${elfutils}/bin/readelf"
+ substituteInPlace $out/bin/checksec --replace " readelf -" " ${binutils}/bin/readelf -"
+ substituteInPlace $out/bin/checksec --replace "(readelf -" "(${binutils}/bin/readelf -"
+ substituteInPlace $out/bin/checksec --replace "command_exists readelf" "command_exists ${binutils}/bin/readelf"
+ substituteInPlace $out/bin/checksec --replace "/sbin/sysctl -" "${procps}/sbin/sysctl -"
+ substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
 '';
 phases = "unpackPhase patchPhase installPhase";
--
cgit 1.4.1
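Review bot: Each `substituteInPlace --replace` in this hunk rewrites only the call sites that match its literal pattern, so a `readelf` invocation that upstream writes any other way (directly after a pipe or a tab, for instance) would stay unpinned and resolve through PATH, where an elfutils build could again give the wrong PIE verdict shown in the commit message. Because checksec's output is read as a hardening verdict, I would fail the build when a bare call survives, e.g. `if grep -qE '(^|[^/])readelf -' $out/bin/checksec; then echo "unpinned readelf in checksec" >&2; exit 1; fi` after the last substitution (the pattern may need tuning if the script mentions readelf in comments). The two new targets are not verified at build time either; `test -x ${procps}/sbin/sysctl` and `test -x ${coreutils}/bin/id` would catch a wrong store path before it shows up as a failed kernel or privilege check at runtime. The installPhase string starts above this hunk, so I cannot see whether a check of this kind already exists.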