nixos/security/wrappers: check that sources exist

Add a shell script that checks if the paths of all wrapped programs
actually exist to catch mistakes. This only checks for Nix store paths,
which are always expected to exist at build time.
This commit is contained in:
rnhmjoj 2021-06-10 14:57:52 +02:00
parent 22004f7e8f
commit 7d8b303e3f
No known key found for this signature in database
GPG Key ID: BFBAF4C975F76450

View File

@ -226,7 +226,7 @@ in
]}"
'';
###### setcap activation script
###### wrappers activation script
system.activationScripts.wrappers =
lib.stringAfter [ "specialfs" "users" ]
''
@ -257,5 +257,33 @@ in
ln --symbolic $wrapperDir ${wrapperDir}
fi
'';
###### wrappers consistency checks
system.extraDependencies = lib.singleton (pkgs.runCommandLocal
"ensure-all-wrappers-paths-exist" { }
''
# make sure we produce output
mkdir -p $out
echo -n "Checking that Nix store paths of all wrapped programs exist... "
declare -A wrappers
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v:
"wrappers['${n}']='${v.source}'") wrappers)}
for name in "''${!wrappers[@]}"; do
path="''${wrappers[$name]}"
if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
test -t 1 && echo -ne '\033[1;31m'
echo "FAIL"
echo "The path $path does not exist!"
echo 'Please, check the value of `security.wrappers."'$name'".source`.'
test -t 1 && echo -ne '\033[0m'
exit 1
fi
done
echo "OK"
'');
};
}