From a6ddcd45da2105b1b8b43f92756cbd07db973699 Mon Sep 17 00:00:00 2001
From: Robin Gloster <mail@glob.in>
Date: Wed, 24 Jul 2019 21:26:13 +0200
Subject: checksec: 1.5 -> 2.0.1

---
 ...to-modprobe-config-before-checking-kernel.patch | 23 +++++-----
 pkgs/os-specific/linux/checksec/default.nix        | 50 ++++++++++------------
 2 files changed, 35 insertions(+), 38 deletions(-)

(limited to 'pkgs/os-specific/linux/checksec')

diff --git a/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch b/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
index 2caf52f3c0a3..9beeab0f9543 100644
--- a/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
+++ b/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
@@ -8,20 +8,21 @@ Signed-off-by: Austin Seipp <aseipp@pobox.com>
  checksec.sh | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
-diff --git a/checksec.sh b/checksec.sh
+diff --git a/checksec b/checksec
 index dd1f72e..63acc29 100644
---- a/checksec.sh
-+++ b/checksec.sh
-@@ -337,7 +337,8 @@ kernelcheck() {
-   printf "  userspace processes, this option lists the status of kernel configuration\n"
-   printf "  options that harden the kernel itself against attack.\n\n"
-   printf "  Kernel config: "
-- 
+--- a/checksec
++++ b/checksec
+@@ -676,7 +676,8 @@ kernelcheck() {
+   echo_message "  userspace processes, this option lists the status of kernel configuration\n" '' '' ''
+   echo_message "  options that harden the kernel itself against attack.\n\n" '' '' ''
+   echo_message "  Kernel config:\n" '' '' '{ "kernel": '
+-
 +
 +  modprobe configs 2> /dev/null
-   if [ -f /proc/config.gz ] ; then
-     kconfig="zcat /proc/config.gz"
-     printf "\033[32m/proc/config.gz\033[m\n\n"
+   if [[ ! "${1}" == "" ]] ; then
+     kconfig="cat ${1}"
+     echo_message "  Warning: The config ${1} on disk may not represent running kernel config!\n\n" "${1}" "<kernel config=\"${1}\"" "{ \"KernelConfig\":\"${1}\","
+     # update the architecture based on the config rather than the system
 -- 
 1.8.3.2
 
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index 6c927ae93afb..dc704dc167e0 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,43 +1,39 @@
-{ stdenv, fetchurl, file, findutils, binutils-unwrapped, glibc, coreutils, sysctl }:
+{ stdenv, fetchFromGitHub, makeWrapper, file, findutils
+, binutils-unwrapped, glibc, coreutils, sysctl, openssl
+}:
 
 stdenv.mkDerivation rec {
-  name = "checksec-${version}";
-  version = "1.5";
+  pname = "checksec";
+  version = "2.0.1";
 
-  src = fetchurl {
-    url    = "https://www.trapkit.de/tools/checksec.sh";
-    sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p";
+  src = fetchFromGitHub {
+    owner = "slimm609";
+    repo = "checksec.sh";
+    rev = version;
+    sha256 = "04lzwm24d576h425rgvgjj2wim29i3961jrj35r43wrswmrsc3r2";
   };
 
   patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ];
+  nativeBuildInputs = [ makeWrapper ];
 
-  unpackPhase = ''
-    mkdir ${name}
-    cp $src ${name}/checksec.sh
-    cd ${name}
-  '';
-
-  installPhase = ''
+  installPhase = let
+    path = stdenv.lib.makeBinPath [
+      findutils file binutils-unwrapped sysctl openssl
+    ];
+  in ''
     mkdir -p $out/bin
-    cp checksec.sh $out/bin/checksec
-    chmod +x $out/bin/checksec
-    substituteInPlace $out/bin/checksec --replace /bin/bash ${stdenv.shell}
+    install checksec $out/bin
     substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
-    substituteInPlace $out/bin/checksec --replace find ${findutils}/bin/find
-    substituteInPlace $out/bin/checksec --replace "file $" "${file}/bin/file $"
-    substituteInPlace $out/bin/checksec --replace "xargs file" "xargs ${file}/bin/file"
-    substituteInPlace $out/bin/checksec --replace " readelf -" " ${binutils-unwrapped}/bin/readelf -"
-    substituteInPlace $out/bin/checksec --replace "(readelf -" "(${binutils-unwrapped}/bin/readelf -"
-    substituteInPlace $out/bin/checksec --replace "command_exists readelf" "command_exists ${binutils-unwrapped}/bin/readelf"
-    substituteInPlace $out/bin/checksec --replace "/sbin/sysctl -" "${sysctl}/bin/sysctl -"
     substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+    wrapProgram $out/bin/checksec \
+      --prefix PATH : ${path}
   '';
 
-  meta = {
+  meta = with stdenv.lib; {
     description = "A tool for checking security bits on executables";
     homepage    = "http://www.trapkit.de/tools/checksec.html";
-    license     = stdenv.lib.licenses.bsd3;
-    platforms   = stdenv.lib.platforms.linux;
-    maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
+    license     = licenses.bsd3;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice globin ];
   };
 }
-- 
cgit 1.4.1