From 7d8b303e3fd76ccf58cfe26348e889def3663546 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Thu, 10 Jun 2021 14:57:52 +0200
Subject: [PATCH] nixos/security/wrappers: check that sources exist

Add a shell script that checks if the paths of all wrapped programs actually exist to catch mistakes. This only checks for Nix store paths, which are always expected to exist at build time.
---
 nixos/modules/security/wrappers/default.nix | 30 ++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 8b1f5da2ba2..2ce26854be4 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -226,7 +226,7 @@ in
         ]}"
       '';
 
-    ###### setcap activation script
+    ###### wrappers activation script
     system.activationScripts.wrappers =
       lib.stringAfter [ "specialfs" "users" ]
         ''
@@ -257,5 +257,33 @@ in
           ln --symbolic $wrapperDir ${wrapperDir}
         fi
       '';
+
+    ###### wrappers consistency checks
+    system.extraDependencies = lib.singleton (pkgs.runCommandLocal
+      "ensure-all-wrappers-paths-exist" { }
+      ''
+        # make sure we produce output
+        mkdir -p $out
+
+        echo -n "Checking that Nix store paths of all wrapped programs exist... "
+
+        declare -A wrappers
+        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v:
+          "wrappers['${n}']='${v.source}'") wrappers)}
+
+        for name in "''${!wrappers[@]}"; do
+          path="''${wrappers[$name]}"
+          if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
+            test -t 1 && echo -ne '\033[1;31m'
+            echo "FAIL"
+            echo "The path $path does not exist!"
+            echo 'Please, check the value of `security.wrappers."'$name'".source`.'
+            test -t 1 && echo -ne '\033[0m'
+            exit 1
+          fi
+        done
+
+        echo "OK"
+      '');
   };
 }
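Review bot: The generated line `"wrappers['${n}']='${v.source}'"` in the second hunk splices the wrapper name and its source into bash single quotes without escaping, so a name or source string containing a single quote breaks the quoting and the generated script fails or runs with a different assignment than intended; since both values are configuration-controlled this is a robustness rather than an attack concern, but `"wrappers[${lib.escapeShellArg n}]=${lib.escapeShellArg v.source}"` makes the check correct for any value. The regex test `[[ "$path" =~ /nix/store ]]` hard-codes the store prefix and matches it anywhere in the string, not just at the start; `builtins.storeDir` is the value the rest of NixOS uses for this, and anchoring with `^` would avoid classifying a non-store path that merely contains the substring. The `test -t 1 && echo -ne '\033[...]'` lines can never fire inside a Nix build, whose stdout is not a terminal, so they are dead code that could be dropped along with a comment on the `runCommandLocal` call noting that the check runs in the build sandbox and therefore only sees the store paths referenced by the script text. The enclosing `config` attribute set that both hunks sit in starts outside the hunk.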