mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00

Switching to individually generated derivations

Parnell Springmeyer 2017-01-30 12:26:56 -06:00
parent 264db4e309
commit d8ecd5eb0d
No known key found for this signature in database
GPG key ID: DCCF89258EAD874A


@ -8,21 +8,24 @@ let
(n: v: (if v ? "program" then v else v // {program=n;})) (n: v: (if v ? "program" then v else v // {program=n;}))
wrappers); wrappers);
mkWrapper = { program, source ? null, ...}: '' mkWrapper = { program, source ? null, ...}:
parentWrapperDir=$(dirname ${wrapperDir}) let buildWrapper = ''
gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ parentWrapperDir=$(dirname ${wrapperDir})
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include -Wformat -Wformat-security -Werror=format-security \
''; -fstack-protector-strong --param ssp-buffer-size=4 \
-D_FORTIFY_SOURCE=2 -fPIC \
wrappedPrograms = pkgs.stdenv.mkDerivation { -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
name = "permissions-wrapper"; -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
unpackPhase = "true"; '';
installPhase = '' in pkgs.stdenv.mkDerivation {
mkdir -p $out/bin name = "${program}-wrapper";
${lib.concatMapStrings mkWrapper programs} unpackPhase = "true";
''; installPhase = ''
}; mkdir -p $out/bin
${buildWrapper}
'';
};
###### Activation script for the setcap wrappers ###### Activation script for the setcap wrappers
mkSetcapProgram = mkSetcapProgram =
@ -32,10 +35,11 @@ let
, owner ? "nobody" , owner ? "nobody"
, group ? "nogroup" , group ? "nogroup"
, ... , ...
}: }:
assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"); assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
'' let wrapperDrv = mkWrapper { inherit program source; };
cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program} in ''
cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
# Prevent races # Prevent races
chmod 0000 $wrapperDir/${program} chmod 0000 $wrapperDir/${program}
@ -60,8 +64,10 @@ let
, setgid ? false , setgid ? false
, permissions ? "u+rx,g+x,o+x" , permissions ? "u+rx,g+x,o+x"
, ... , ...
}: '' }:
cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program} let wrapperDrv = mkWrapper { inherit program source; };
in ''
cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
# Prevent races # Prevent races
chmod 0000 $wrapperDir/${program} chmod 0000 $wrapperDir/${program}
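Review bot: In the first hunk's `gcc` invocation, `-fPIC` on its own does not link `${program}.wrapper` as a position-independent executable, so the main image of a binary that later receives setuid bits or capabilities would still load at a fixed address. Since this command both compiles and links, the hardening line could read `-D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now \`, which also makes the GOT read-only after startup. The stdenv compiler wrapper may already inject some of these flags, so it is worth confirming on a built wrapper with a tool such as `readelf -h -d` rather than assuming either way. A short comment above the flag block saying why the wrapper is hardened explicitly would help the next reader; the rest of the `let` body lies outside the visible hunks.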