···
(n: v: (if v ? "program" then v else v // {program=n;}))
11
-
mkWrapper = { program, source ? null, ...}: ''
12
-
parentWrapperDir=$(dirname ${wrapperDir})
13
-
gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
14
-
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
15
-
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
18
-
wrappedPrograms = pkgs.stdenv.mkDerivation {
19
-
name = "permissions-wrapper";
20
-
unpackPhase = "true";
23
-
${lib.concatMapStrings mkWrapper programs}
11
+
mkWrapper = { program, source ? null, ...}:
12
+
let buildWrapper = ''
13
+
parentWrapperDir=$(dirname ${wrapperDir})
14
+
gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
15
+
-Wformat -Wformat-security -Werror=format-security \
16
+
-fstack-protector-strong --param ssp-buffer-size=4 \
17
+
-D_FORTIFY_SOURCE=2 -fPIC \
18
+
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
19
+
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
21
+
in pkgs.stdenv.mkDerivation {
22
+
name = "${program}-wrapper";
23
+
unpackPhase = "true";
###### Activation script for the setcap wrappers
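Review bot: The new hardening line `-D_FORTIFY_SOURCE=2 -fPIC \` compiles the wrapper as position-independent code but nothing in the gcc call links it as a PIE, so the resulting setcap binary keeps a fixed load address and gains no ASLR from that flag; the executable spelling is `-fPIE -pie`. Since this wrapper is the privilege boundary, full RELRO is cheap to add on the same line, e.g. `-D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now \`. Depending on the nixpkgs revision, the stdenv cc wrapper may already inject some of these hardening flags, in which case the explicit ones are harmless duplicates, but a one-line comment above the gcc call saying the list is deliberate would stop it being pruned later. mkWrapper's body continues outside the hunk (the `in pkgs.stdenv.mkDerivation` attribute set is cut at `unpackPhase`).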
···
assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
38
-
cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}
40
+
let wrapperDrv = mkWrapper { inherit program source; };
42
+
cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
chmod 0000 $wrapperDir/${program}
···
, permissions ? "u+rx,g+x,o+x"
64
-
cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}
68
+
let wrapperDrv = mkWrapper { inherit program source; };
70
+
cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
chmod 0000 $wrapperDir/${program}