jolheiser/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Switching to individually generated derivations

Browse Source
This commit is contained in:
Parnell Springmeyer 2017-01-30 12:26:56 -06:00
parent 264db4e309
commit d8ecd5eb0d
No known key found for this signature in database
GPG Key ID: DCCF89258EAD874A
1 changed files with 26 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
nixos/modules/security/wrappers/default.nix
View File

@ -8,21 +8,24 @@ let
(n: v: (if v ? "program" then v else v // {program=n;}))
wrappers);
mkWrapper = { program, source ? null, ...}: ''
parentWrapperDir=$(dirname ${wrapperDir})
gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
'';
wrappedPrograms = pkgs.stdenv.mkDerivation {
name = "permissions-wrapper";
unpackPhase = "true";
installPhase = ''
mkdir -p $out/bin
${lib.concatMapStrings mkWrapper programs}
'';
};
mkWrapper = { program, source ? null, ...}:
let buildWrapper = ''
parentWrapperDir=$(dirname ${wrapperDir})
gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
-Wformat -Wformat-security -Werror=format-security \
-fstack-protector-strong --param ssp-buffer-size=4 \
-D_FORTIFY_SOURCE=2 -fPIC \
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
'';
in pkgs.stdenv.mkDerivation {
name = "${program}-wrapper";
unpackPhase = "true";
installPhase = ''
mkdir -p $out/bin
${buildWrapper}
'';
};
###### Activation script for the setcap wrappers
mkSetcapProgram =
@ -32,10 +35,11 @@ let
, owner ? "nobody"
, group ? "nogroup"
, ...
}:
}:
assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
''
cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}
let wrapperDrv = mkWrapper { inherit program source; };
in ''
cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
# Prevent races
chmod 0000 $wrapperDir/${program}
@ -60,8 +64,10 @@ let
, setgid ? false
, permissions ? "u+rx,g+x,o+x"
, ...
}: ''
cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}
}:
let wrapperDrv = mkWrapper { inherit program source; };
in ''
cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
# Prevent races
chmod 0000 $wrapperDir/${program}