Commit a58a8909 authored by Paul Meyer's avatar Paul Meyer

checksec: add missing deps, don't clean env



Fix dependencies that are required by checksec.
Previously, checksec would sanitize PATH, removing the PATH set by
the wrapper. A patch was added to remove this behavior.
Also replacing tools referenced with an absolute path with their
store path.

Co-authored-by: default avatarJonathan Cooper <jonathan@cooper.cafe>
parent 9cec5c80
+25 −0
From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Mon, 13 Nov 2023 20:24:54 +0000
Subject: [PATCH] don't sanatize the environment

---
 checksec | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/checksec b/checksec
index 4fc3c31..135223a 100755
--- a/checksec
+++ b/checksec
@@ -2,9 +2,6 @@
 # Do not edit this file directly, this file is generated from the files
 # in the src directory. Any updates to this file will be overwritten when generated

-# sanitize the environment before run
-[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
-
 # --- Modified Version ---
 # Name    : checksec.sh
 # Version : 1.7.0
--
2.42.0
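Review bot: The patch message has no body between the Subject line and `---`, so nothing in the patch itself records why upstream's `exec -c "$0" "$@"` re-exec is dropped or that the script then runs with the caller's full environment. I would add a short body saying that the re-exec cleared the PATH injected by the Nix wrapper, that the removal is packaging-specific, and that environment hygiene is now the wrapper's job. The Subject also spells it "sanatize", which carries over into the file name `0002-don-t-sanatize-the-environment.patch`; `sanitize` would make the patch easier to find by search.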
+32 −8
{ lib
, stdenv
, fetchpatch
, fetchFromGitHub
, makeWrapper

  # dependencies
, binutils
, coreutils
, curl
, elfutils
, file
, findutils
, binutils-unwrapped
, gawk
, glibc
, coreutils
, sysctl
, gnugrep
, gnused
, openssl
, procps
, sysctl
, wget
, which
}:

stdenv.mkDerivation rec {
@@ -24,6 +35,8 @@ stdenv.mkDerivation rec {

  patches = [
    ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
    # Tool would sanitize the environment, removing the PATH set by our wrapper.
    ./0002-don-t-sanatize-the-environment.patch
  ];

  nativeBuildInputs = [
@@ -33,18 +46,29 @@ stdenv.mkDerivation rec {
  installPhase =
    let
      path = lib.makeBinPath [
        findutils
        binutils
        coreutils
        curl
        elfutils
        file
        binutils-unwrapped
        sysctl
        findutils
        gawk
        gnugrep
        gnused
        openssl
        procps
        sysctl
        wget
        which
      ];
    in
    ''
      mkdir -p $out/bin
      install checksec $out/bin
      substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
      substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
      substituteInPlace $out/bin/checksec \
        --replace "/bin/sed" "${gnused}/bin/sed" \
        --replace "/usr/bin/id" "${coreutils}/bin/id" \
        --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
      wrapProgram $out/bin/checksec \
        --prefix PATH : ${path}
    '';
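Review bot: With the upstream environment reset patched out, the unchanged `wrapProgram $out/bin/checksec --prefix PATH : ${path}` at the end of installPhase is the only environment control left, and `--prefix` keeps the caller's PATH as a fallback behind the store paths. Any tool checksec calls that is missing from the `path` list is therefore resolved from whatever the invoking user has on PATH, which matters if the script is run with elevated privileges. If the list is meant to be complete, `--set PATH ${path}` would limit lookup to the pinned store paths; otherwise the comment above `./0002-don-t-sanatize-the-environment.patch` could state that the rest of the environment is inherited on purpose. The 0001 patch name suggests a `modprobe` call (inferred from the name only, and kmod is not in the list), which would be one such fallback lookup and is worth checking before switching to `--set`.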