pkgs/by-name/ch/checksec/package.nix

   1 { lib
   2 , stdenv
   3 , fetchpatch
   4 , fetchFromGitHub
   5 , makeWrapper
   6 , testers
   7 , runCommand
   8
   9   # dependencies
  10 , binutils
  11 , coreutils
  12 , curl
  13 , elfutils
  14 , file
  15 , findutils
  16 , gawk
  17 , glibc
  18 , gnugrep
  19 , gnused
  20 , openssl
  21 , procps
  22 , sysctl
  23 , wget
  24 , which
  25
  26   # tests
  27 , checksec
  28 }:
  29
  30 stdenv.mkDerivation rec {
  31   pname = "checksec";
  32   version = "2.6.0";
  33
  34   src = fetchFromGitHub {
  35     owner = "slimm609";
  36     repo = "checksec.sh";
  37     rev = version;
  38     hash = "sha256-BWtchWXukIDSLJkFX8M/NZBvfi7vUE2j4yFfS0KEZDo=";
  39   };
  40
  41   patches = [
  42     ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
  43     # Tool would sanitize the environment, removing the PATH set by our wrapper.
  44     ./0002-don-t-sanatize-the-environment.patch
  45     # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version.
  46     (fetchpatch {
  47       url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch";
  48       hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE=";
  49     })
  50   ];
  51
  52   nativeBuildInputs = [
  53     makeWrapper
  54   ];
  55
  56   installPhase =
  57     let
  58       path = lib.makeBinPath [
  59         binutils
  60         coreutils
  61         curl
  62         elfutils
  63         file
  64         findutils
  65         gawk
  66         gnugrep
  67         gnused
  68         openssl
  69         procps
  70         sysctl
  71         wget
  72         which
  73       ];
  74     in
  75     ''
  76       mkdir -p $out/bin
  77       install checksec $out/bin
  78       substituteInPlace $out/bin/checksec \
  79         --replace "/bin/sed" "${gnused}/bin/sed" \
  80         --replace "/usr/bin/id" "${coreutils}/bin/id" \
  81         --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6"
  82       wrapProgram $out/bin/checksec \
  83         --prefix PATH : ${path}
  84     '';
  85
  86   passthru.tests = {
  87     version = testers.testVersion {
  88       package = checksec;
  89       version = "v${version}";
  90     };
  91     debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } ''
  92       checksec --debug_report || exit 1
  93       echo "OK"
  94       touch $out
  95     '';
  96   };
  97
  98   meta = with lib; {
  99     description = "Tool for checking security bits on executables";
 100     mainProgram = "checksec";
 101     homepage = "https://www.trapkit.de/tools/checksec/";
 102     license = licenses.bsd3;
 103     platforms = platforms.linux;
 104     maintainers = with maintainers; [ thoughtpolice globin ];
 105   };
 106 }