diff --git a/pkgs/applications/networking/ids/suricata/bpf_stubs_workaround.patch b/pkgs/applications/networking/ids/suricata/bpf_stubs_workaround.patch new file mode 100644 index 00000000000..d4e8c95fea2 --- /dev/null +++ b/pkgs/applications/networking/ids/suricata/bpf_stubs_workaround.patch @@ -0,0 +1,19 @@ +*** suricata-5.0.0/ebpf/Makefile.in 2019-10-16 22:39:13.174649416 +0200 +--- suricata-5.0.0/ebpf/Makefile.in.fixed 2019-10-16 22:38:41.822201802 +0200 +*************** +*** 527,533 **** + @BUILD_EBPF_TRUE@$(BPF_TARGETS): %.bpf: %.c + # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm) + @BUILD_EBPF_TRUE@ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \ +! @BUILD_EBPF_TRUE@ -I/usr/include/$(build_cpu)-$(build_os)/ \ + @BUILD_EBPF_TRUE@ -D__KERNEL__ -D__ASM_SYSREG_H \ + @BUILD_EBPF_TRUE@ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll} + # From LLVM-IR to BPF-bytecode in ELF-obj file +--- 527,533 ---- + @BUILD_EBPF_TRUE@$(BPF_TARGETS): %.bpf: %.c + # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm) + @BUILD_EBPF_TRUE@ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \ +! @BUILD_EBPF_TRUE@ -idirafter ../bpf_stubs_workaround \ + @BUILD_EBPF_TRUE@ -D__KERNEL__ -D__ASM_SYSREG_H \ + @BUILD_EBPF_TRUE@ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll} + # From LLVM-IR to BPF-bytecode in ELF-obj file diff --git a/pkgs/applications/networking/ids/suricata/default.nix b/pkgs/applications/networking/ids/suricata/default.nix index 62f755c4d7c..7f2a9d71fe5 100644 --- a/pkgs/applications/networking/ids/suricata/default.nix +++ b/pkgs/applications/networking/ids/suricata/default.nix @@ -1,14 +1,18 @@ { stdenv , lib , fetchurl +, clang +, llvm , pkgconfig , makeWrapper , file -, geoip , hyperscan , jansson +, libbpf , libcap_ng +, libelf , libevent +, libmaxminddb , libnet , libnetfilter_log , libnetfilter_queue @@ -30,24 +34,30 @@ in stdenv.mkDerivation rec { pname = "suricata"; - version = "4.1.5"; + version = "5.0.0"; src = fetchurl { url = "https://www.openinfosecfoundation.org/download/${pname}-${version}.tar.gz"; - sha256 = "0jy738rs3ds1gbn8hv26ck23z9k6pjrjxdpavkyn7znpbi9zdrff"; + sha256 = "0qwav4qpvx3i5khkyvdvx42n8b9mza8c4cpxvrf7m4lnf51cqgba"; }; nativeBuildInputs = [ + clang + llvm makeWrapper pkgconfig - ]; + ] + ++ lib.optionals rustSupport [ rustc cargo ] + ; buildInputs = [ - geoip jansson + libbpf libcap_ng + libelf libevent libmagic + libmaxminddb libnet libnetfilter_log libnetfilter_queue @@ -62,17 +72,29 @@ stdenv.mkDerivation rec { python zlib ] - ++ lib.optional hyperscanSupport [ hyperscan ] - ++ lib.optional redisSupport [ redis hiredis ] - ++ lib.optional rustSupport [ rustc cargo ] + ++ lib.optional hyperscanSupport hyperscan + ++ lib.optionals redisSupport [ redis hiredis ] ; enableParallelBuilding = true; + patches = lib.optional stdenv.is64bit ./bpf_stubs_workaround.patch; + + postPatch = '' + substituteInPlace ./configure \ + --replace "/usr/bin/file" "${file}/bin/file" + substituteInPlace ./libhtp/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + + mkdir -p bpf_stubs_workaround/gnu + touch bpf_stubs_workaround/gnu/stubs-32.h + ''; + configureFlags = [ "--disable-gccmarch-native" - "--enable-afl" "--enable-af-packet" + "--enable-ebpf" + "--enable-ebpf-build" "--enable-gccprotect" "--enable-geoip" "--enable-luajit" @@ -97,6 +119,13 @@ stdenv.mkDerivation rec { "--enable-rust-experimental" ]; + postConfigure = '' + # Avoid unintended clousure growth. + sed -i 's|/nix/store/\(.\{8\}\)[^-]*-|/nix/store/\1...-|g' ./src/build-info.h + ''; + + hardeningDisable = [ "stackprotector" ]; + installFlags = [ "e_localstatedir=\${TMPDIR}" "e_logdir=\${TMPDIR}" @@ -115,6 +144,8 @@ stdenv.mkDerivation rec { postInstall = '' wrapProgram "$out/bin/suricatasc" \ --prefix PYTHONPATH : $PYTHONPATH:$(toPythonPath "$out") + substituteInPlace "$out/etc/suricata/suricata.yaml" \ + --replace "/etc/suricata" "$out/etc/suricata" ''; meta = with stdenv.lib; { diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index db96c53dac1..bb4abbfc270 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6252,7 +6252,9 @@ in sshguard = callPackage ../tools/security/sshguard {}; - suricata = callPackage ../applications/networking/ids/suricata { }; + suricata = callPackage ../applications/networking/ids/suricata { + python = python3; + }; softhsm = callPackage ../tools/security/softhsm { inherit (darwin) libobjc;