nixpkgs/nixos/modules/security/wrappers/wrapper.nix

{ stdenv, linuxHeaders, parentWrapperDir, debug ? false }:
# For testing:
# $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { parentWrapperDir = "/run/wrappers"; debug = true; }'
stdenv.mkDerivation {
  name = "security-wrapper";
  buildInputs = [ linuxHeaders ];
  dontUnpack = true;
  hardeningEnable = [ "pie" ];
  CFLAGS = [
    ''-DWRAPPER_DIR="${parentWrapperDir}"''
  ] ++ (if debug then [
    "-Werror" "-Og" "-g"
  ] else [
    "-Wall" "-O2"
  ]);
  dontStrip = debug;
  installPhase = ''
    mkdir -p $out/bin
    $CC $CFLAGS ${./wrapper.c} -o $out/bin/security-wrapper
  '';
}
nixos/wrappers: fix applying capabilities With libcap 2.41 the output of cap_to_text changed, also the original author of code hoped that this would never happen. To counter this now the security-wrapper only relies on the syscall ABI, which is more stable and robust than string parsing. If new breakages occur this will be more obvious because version numbers will be incremented. Furthermore all errors no make execution explicitly fail instead of hiding errors behind debug environment variables and the code style was more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/) 2021-01-14 08:24:27 +01:00			`{ stdenv, linuxHeaders, parentWrapperDir, debug ? false }:`
			`# For testing:`
			`# $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { parentWrapperDir = "/run/wrappers"; debug = true; }'`
			`stdenv.mkDerivation {`
			`name = "security-wrapper";`
			`buildInputs = [ linuxHeaders ];`
			`dontUnpack = true;`
			`hardeningEnable = [ "pie" ];`
			`CFLAGS = [`
Update nixos/modules/security/wrappers/wrapper.nix Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com> 2021-01-14 09:00:34 +00:00			`''-DWRAPPER_DIR="${parentWrapperDir}"''`
nixos/wrappers: fix applying capabilities With libcap 2.41 the output of cap_to_text changed, also the original author of code hoped that this would never happen. To counter this now the security-wrapper only relies on the syscall ABI, which is more stable and robust than string parsing. If new breakages occur this will be more obvious because version numbers will be incremented. Furthermore all errors no make execution explicitly fail instead of hiding errors behind debug environment variables and the code style was more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/) 2021-01-14 08:24:27 +01:00			`] ++ (if debug then [`
			`"-Werror" "-Og" "-g"`
			`] else [`
			`"-Wall" "-O2"`
			`]);`
			`dontStrip = debug;`
			`installPhase = ''`
			`mkdir -p $out/bin`
			`$CC $CFLAGS ${./wrapper.c} -o $out/bin/security-wrapper`
			`'';`
			`}`