cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

Merge pull request #177336 from ncfavier/wrappers-source-check

Browse source 
nixos/security/wrappers: use an assertion for the existence check
This commit is contained in:
Michele Guerini Rocco 2022-06-12 18:07:40 +02:00 committed by GitHub
commit 2b6c834377
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
nixos/modules/security/wrappers/default.nix
View file

@ -202,15 +202,21 @@ in
###### implementation ###### implementation
config = { config = {
assertions = lib.mapAttrsToList assertions = lib.concatLists (lib.mapAttrsToList
(name: opts: (name: opts: [
{ assertion = opts.setuid || opts.setgid -> opts.capabilities == ""; { assertion = opts.setuid || opts.setgid -> opts.capabilities == "";
message = '' message = ''
The security.wrappers.${name} wrapper is not valid: The security.wrappers.${name} wrapper is not valid:
setuid/setgid and capabilities are mutually exclusive. setuid/setgid and capabilities are mutually exclusive.
''; '';
} }
) wrappers; { assertion = lib.pathHasContext (toString opts.source) -> lib.pathExists opts.source;
message = ''
The security.wrappers.${name} wrapper is not valid:
the source store path '${opts.source}' does not exist.
'';
}
]) wrappers);
security.wrappers = security.wrappers =
let let
@ -273,33 +279,5 @@ in
ln --symbolic "$wrapperDir" "${wrapperDir}" ln --symbolic "$wrapperDir" "${wrapperDir}"
fi fi
''; '';
###### wrappers consistency checks
system.extraDependencies = lib.singleton (pkgs.runCommandLocal
"ensure-all-wrappers-paths-exist" { }
''
# make sure we produce output
mkdir -p $out
echo -n "Checking that Nix store paths of all wrapped programs exist... "
declare -A wrappers
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v:
"wrappers['${n}']='${v.source}'") wrappers)}
for name in "''${!wrappers[@]}"; do
path="''${wrappers[$name]}"
if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
test -t 1 && echo -ne '\033[1;31m'
echo "FAIL"
echo "The path $path does not exist!"
echo 'Please, check the value of `security.wrappers."'$name'".source`.'
test -t 1 && echo -ne '\033[0m'
exit 1
fi
done
echo "OK"
'');
}; };
} }