Merge pull request #204836 from Izorkin/add-shadow-tcb

2022-12-24 01:06:04 +01:00 · 2022-12-24 01:06:04 +01:00 · ca4153f6e3
commit ca4153f6e3
parent e95d1a063e 05046655d8
2 changed files with 69 additions and 34 deletions
--- a/pkgs/os-specific/linux/shadow/default.nix
+++ b/pkgs/os-specific/linux/shadow/default.nix
@ -1,13 +1,16 @@
-{ lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt
-, libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison, runtimeShell
-, libxcrypt, pam ? null, glibcCross ? null
+{ lib, stdenv, fetchFromGitHub
+, runtimeShell, nixosTests, fetchpatch
+, autoreconfHook, bison, flex
+, docbook_xml_dtd_45, docbook_xsl
+, itstool , libxml2, libxslt
+, libxcrypt
+, glibcCross ? null
+, pam ? null
+, withTcb ? stdenv.isLinux, tcb
 }:
-
 let
-
  glibc =
-    if stdenv.hostPlatform != stdenv.buildPlatform
-    then glibcCross
+    if stdenv.hostPlatform != stdenv.buildPlatform then glibcCross
    else assert stdenv.hostPlatform.libc == "glibc"; stdenv.cc.libc;

 in
@ -23,17 +26,26 @@ stdenv.mkDerivation rec {
    sha256 = "sha256-L54DhdBYthfB9436t/XWXiqKhW7rfd0GLS7pYGB32rA=";
  };

+  outputs = [ "out" "su" "dev" "man" ];
+
+  RUNTIME_SHELL = runtimeShell;
+
+  nativeBuildInputs = [
+    autoreconfHook bison flex
+    docbook_xml_dtd_45 docbook_xsl
+    itstool libxml2 libxslt
+  ];
+
  buildInputs = [ libxcrypt ]
-    ++ lib.optional (pam != null && stdenv.isLinux) pam;
-  nativeBuildInputs = [autoreconfHook libxslt libxml2
-    docbook_xml_dtd_45 docbook_xsl flex bison itstool
-    ];
+    ++ lib.optional (pam != null && stdenv.isLinux) pam
+    ++ lib.optional withTcb tcb;

  patches = [
    ./keep-path.patch
    # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
    ./respect-xml-catalog-files-var.patch
    ./runtime-shell.patch
+    ./fix-install-with-tcb.patch
    # Fix HAVE_SHADOWGRP configure check
    (fetchpatch {
      url = "https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef.patch";
@ -41,16 +53,10 @@ stdenv.mkDerivation rec {
    })
  ];

-  RUNTIME_SHELL = runtimeShell;
-
  # The nix daemon often forbids even creating set[ug]id files.
-  postPatch =
-    ''sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am
-    '';
-
-  outputs = [ "out" "su" "dev" "man" ];
-
-  enableParallelBuilding = true;
+  postPatch = ''
+    sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am
+  '';

  # Assume System V `setpgrp (void)', which is the default on GNU variants
  # (`AC_FUNC_SETPGRP' is not cross-compilation capable.)
@ -64,23 +70,24 @@ stdenv.mkDerivation rec {
    "--with-group-name-max-length=32"
    "--with-bcrypt"
    "--with-yescrypt"
-  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd";
+  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd"
+    ++ lib.optional withTcb "--with-tcb";

-  preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc")
-    ''
-      substituteInPlace lib/nscd.c --replace /usr/sbin/nscd ${glibc.bin}/bin/nscd
-    '';
+  preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc") ''
+    substituteInPlace lib/nscd.c --replace /usr/sbin/nscd ${glibc.bin}/bin/nscd
+  '';

-  postInstall =
-    ''
-      # Don't install ‘groups’, since coreutils already provides it.
-      rm $out/bin/groups
-      rm $man/share/man/man1/groups.*
+  postInstall = ''
+    # Don't install ‘groups’, since coreutils already provides it.
+    rm $out/bin/groups
+    rm $man/share/man/man1/groups.*

-      # Move the su binary into the su package
-      mkdir -p $su/bin
-      mv $out/bin/su $su/bin
-    '';
+    # Move the su binary into the su package
+    mkdir -p $su/bin
+    mv $out/bin/su $su/bin
+  '';
+
+  enableParallelBuilding = true;

  disallowedReferences = lib.optional (stdenv.buildPlatform != stdenv.hostPlatform) stdenv.shellPackage;

--- a/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch
+++ b/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch
@ -0,0 +1,28 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a1a2e4e..fa17f9d 100644
+--- a/src/Makefile.am
+++ b/src/Makefile.am
+@@ -74,10 +74,6 @@ suidubins += newgidmap newuidmap
+ endif
+ endif
+ 
+-if WITH_TCB
+-shadowsgidubins = passwd
+-endif
+-
+ LDADD          = $(INTLLIBS) \
+ 		 $(top_builddir)/libmisc/libmisc.la \
+ 		 $(top_builddir)/lib/libshadow.la \
+@@ -146,12 +142,6 @@ install-am: all-am
+ 	set -e; for i in $(suidusbins); do \
+ 		chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
+ 	done
+-if WITH_TCB
+-	set -e; for i in $(shadowsgidubins); do \
+-		chown root:shadow $(DESTDIR)$(ubindir)/$$i; \
+-		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
+-	done
+-endif
+ if ENABLE_SUBIDS
+ if FCAPS
+ 	setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap