From cc73dc83b36b76baab8bf2282c2e0fcc1ebbbd5a Mon Sep 17 00:00:00 2001 From: Mario Rodas Date: Sun, 12 Jun 2022 15:38:05 -0500 Subject: [PATCH] Revert "nixos/security/wrappers: use an assertion for the existence check" --- nixos/modules/security/wrappers/default.nix | 40 ++++++++++++++++----- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index ec4fe33b8f1d..169ef7442626 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -202,21 +202,15 @@ in ###### implementation config = { - assertions = lib.concatLists (lib.mapAttrsToList - (name: opts: [ + assertions = lib.mapAttrsToList + (name: opts: { assertion = opts.setuid || opts.setgid -> opts.capabilities == ""; message = '' The security.wrappers.${name} wrapper is not valid: setuid/setgid and capabilities are mutually exclusive. ''; } - { assertion = lib.pathHasContext (toString opts.source) -> lib.pathExists opts.source; - message = '' - The security.wrappers.${name} wrapper is not valid: - the source store path '${opts.source}' does not exist. - ''; - } - ]) wrappers); + ) wrappers; security.wrappers = let @@ -279,5 +273,33 @@ in ln --symbolic "$wrapperDir" "${wrapperDir}" fi ''; + + ###### wrappers consistency checks + system.extraDependencies = lib.singleton (pkgs.runCommandLocal + "ensure-all-wrappers-paths-exist" { } + '' + # make sure we produce output + mkdir -p $out + + echo -n "Checking that Nix store paths of all wrapped programs exist... " + + declare -A wrappers + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: + "wrappers['${n}']='${v.source}'") wrappers)} + + for name in "''${!wrappers[@]}"; do + path="''${wrappers[$name]}" + if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then + test -t 1 && echo -ne '\033[1;31m' + echo "FAIL" + echo "The path $path does not exist!" + echo 'Please, check the value of `security.wrappers."'$name'".source`.' + test -t 1 && echo -ne '\033[0m' + exit 1 + fi + done + + echo "OK" + ''); }; }