Trim C wrapper to work on Darwin

2025-03-31 04:04:45 +00:00 · 2024-02-26 21:20:32 -08:00 · 2024-02-26 21:20:32 -08:00 · 69006ab74c
commit 69006ab74c
parent 30780a056e
3 changed files with 29 additions and 30 deletions
--- a/modules/security/wrappers/default.nix
+++ b/modules/security/wrappers/default.nix
@ -72,14 +72,14 @@ let
    # They're taken from pkgs.glibc so that we don't have to keep as close
    # an eye on glibc changes. Not every relevant variable is in this header,
    # so we maintain a slightly stricter list in wrapper.c itself as well.
-    unsecvars = lib.overrideDerivation (pkgs.srcOnly pkgs.glibc)
-      ({ name, ... }: {
-        name = "${name}-unsecvars";
-        installPhase = ''
-          mkdir $out
-          cp sysdeps/generic/unsecvars.h $out
-        '';
-      });
+    # unsecvars = lib.overrideDerivation (pkgs.srcOnly pkgs.glibc)
+    #   ({ name, ... }: {
+    #     name = "${name}-unsecvars";
+    #     installPhase = ''
+    #       mkdir $out
+    #       cp sysdeps/generic/unsecvars.h $out
+    #     '';
+    #   });
  };

  mkWrapper =
--- a/modules/security/wrappers/wrapper.c
+++ b/modules/security/wrappers/wrapper.c
@ -3,21 +3,21 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
-#include <stdnoreturn.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/xattr.h>
-#include <fcntl.h>
-#include <dirent.h>
-#include <errno.h>
-#include <sys/prctl.h>
-#include <limits.h>
-#include <stdint.h>
-#include <syscall.h>
-#include <byteswap.h>
+// #include <stdnoreturn.h>
+// #include <sys/types.h>
+// #include <sys/stat.h>
+// #include <sys/xattr.h>
+// #include <fcntl.h>
+// #include <dirent.h>
+// #include <errno.h>
+// #include <sys/prctl.h>
+// #include <limits.h>
+// #include <stdint.h>
+// #include <syscall.h>
+// #include <byteswap.h>

 // imported from glibc
-#include "unsecvars.h"
+// #include "unsecvars.h"

 #ifndef SOURCE_PROG
 #error SOURCE_PROG should be defined via preprocessor commandline
@ -86,12 +86,12 @@ int main(int argc, char **argv) {
    //
    // If we don't explicitly unset them, it's quite easy to just set LD_PRELOAD,
    // have it passed through to the wrapped program, and gain privileges.
-    for (char *unsec = UNSECURE_ENVVARS_TUNABLES UNSECURE_ENVVARS; *unsec; unsec = strchr(unsec, 0) + 1) {
-        if (debug) {
-            fprintf(stderr, "unsetting %s\n", unsec);
-        }
-        unsetenv(unsec);
-    }
+    // for (char *unsec = UNSECURE_ENVVARS_TUNABLES UNSECURE_ENVVARS; *unsec; unsec = strchr(unsec, 0) + 1) {
+    //     if (debug) {
+    //         fprintf(stderr, "unsetting %s\n", unsec);
+    //     }
+    //     unsetenv(unsec);
+    // }

    execve(SOURCE_PROG, argv, environ);
    
--- a/modules/security/wrappers/wrapper.nix
+++ b/modules/security/wrappers/wrapper.nix
@ -1,9 +1,8 @@
-{ stdenv, unsecvars, linuxHeaders, sourceProg, debug ? false }:
+{ stdenv, sourceProg, debug ? false }:
 # For testing:
 # $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { sourceProg = "${pkgs.hello}/bin/hello"; debug = true; }'
 stdenv.mkDerivation {
  name = "security-wrapper-${baseNameOf sourceProg}";
-  buildInputs = [ linuxHeaders ];
  dontUnpack = true;
  CFLAGS = [
    ''-DSOURCE_PROG="${sourceProg}"''
@ -15,6 +14,6 @@ stdenv.mkDerivation {
  dontStrip = debug;
  installPhase = ''
    mkdir -p $out/bin
-    $CC $CFLAGS ${./wrapper.c} -I${unsecvars} -o $out/bin/security-wrapper
+    $CC $CFLAGS ${./wrapper.c} -o $out/bin/security-wrapper
  '';
 }