Simplifying the wrapper program derivation

7 years ago · f8b8c353ff
parent fb6d13c01a
commit f8b8c353ff
1 changed files with 5 additions and 7 deletions
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@ -9,17 +9,15 @@ let
      wrappers);

  securityWrapper = pkgs.stdenv.mkDerivation {
-    name         = "security-wrapper";
-    unpackPhase  = "true";
+    name            = "security-wrapper";
+    phases          = [ "installPhase" "fixupPhase" ];
+    buildInputs     = [ pkgs.libcap pkgs.libcap_ng pkgs.linuxHeaders ];
+    hardeningEnable = [ "pie" ];
    installPhase = ''
      mkdir -p $out/bin
      parentWrapperDir=$(dirname ${wrapperDir})
      gcc -Wall -O2 -DWRAPPER_DIR=\"$parentWrapperDir\" \
-          -Wformat -Wformat-security -Werror=format-security \
-          -fstack-protector-strong --param ssp-buffer-size=4 \
-          -D_FORTIFY_SOURCE=2 -fPIC \
-          -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
-          -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
+          -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper
    '';
  };