{
stdenv,
lib,
pkgs,
buildPackages,
fetchurl,
fetchpatch,
fetchFromGitLab,
enableStatic ? stdenv.hostPlatform.isStatic,
enableMinimal ? false,
enableAppletSymlinks ? true,
# Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
# nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
useMusl ? stdenv.hostPlatform.libc == "musl",
musl,
extraConfig ? "",
}:
assert stdenv.hostPlatform.libc == "musl" -> useMusl;
let
configParser = ''
function parseconfig {
while read LINE; do
NAME=`echo "$LINE" | cut -d \ -f 1`
OPTION=`echo "$LINE" | cut -d \ -f 2`
if ! [[ "$NAME" =~ ^CONFIG_ ]]; then continue; fi
echo "parseconfig: removing $NAME"
sed -i /$NAME'\(=\| \)'/d .config
echo "parseconfig: setting $NAME=$OPTION"
echo "$NAME=$OPTION" >> .config
done
}
'';
libcConfig = lib.optionalString useMusl ''
CONFIG_FEATURE_UTMP n
CONFIG_FEATURE_WTMP n
'';
# The debian version lags behind the upstream version and also contains
# a debian-specific suffix. We only fetch the debian repository to get the
# default.script
debianVersion = "1.30.1-6";
debianSource = fetchFromGitLab {
domain = "salsa.debian.org";
owner = "installer-team";
repo = "busybox";
rev = "debian/1%${debianVersion}";
sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
};
debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
outDispatchPath = "$out/default.script";
in
stdenv.mkDerivation rec {
pname = "busybox";
version = pkgs.busybox.version;
# Note to whoever is updating busybox: please verify that:
# nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
# still builds after the update.
src = pkgs.busybox.src;
hardeningDisable = [
"format"
"pie"
] ++ lib.optionals enableStatic [ "fortify" ];
patches = [
(fetchurl {
name = "CVE-2022-28391.patch";
url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
sha256 = "sha256-yviw1GV+t9tbHbY7YNxEqPi7xEreiXVqbeRyf8c6Awo=";
})
(fetchurl {
name = "CVE-2022-28391.patch";
url = "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
sha256 = "sha256-vl1wPbsHtXY9naajjnTicQ7Uj3N+EQ8pRNnrdsiow+w=";
})
(fetchpatch {
name = "CVE-2022-48174.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15216
url = "https://git.busybox.net/busybox/patch/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209";
hash = "sha256-mpDEwYncpU6X6tmtj9xM2KCrB/v2ys5bYxmPPrhm6es=";
})
(fetchpatch {
name = "CVE-2023-42366.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15874
# This patch is also used by Alpine, see https://git.alpinelinux.org/aports/tree/main/busybox/0037-awk.c-fix-CVE-2023-42366-bug-15874.patch
url = "https://bugs.busybox.net/attachment.cgi?id=9697";
hash = "sha256-2eYfLZLjStea9apKXogff6sCAdG9yHx0ZsgUBaGfQIA=";
})
(fetchpatch {
name = "CVE-2023-42363.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15865
url = "https://git.launchpad.net/ubuntu/+source/busybox/plain/debian/patches/CVE-2023-42363.patch?id=c9d8a323b337d58e302717d41796aa0242963d5a";
hash = "sha256-1W9Q8+yFkYQKzNTrvndie8QuaEbyAFL1ZASG2fPF+Z4=";
})
(fetchpatch {
name = "CVE-2023-42364_CVE-2023-42365.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15871 https://bugs.busybox.net/show_bug.cgi?id=15868
url = "https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2023-42364-CVE-2023-42365.patch?id=8a4bf5971168bf48201c05afda7bee0fbb188e13";
hash = "sha256-nQPgT9eA1asCo38Z9X7LR9My0+Vz5YBPba3ARV3fWcc=";
})
] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
separateDebugInfo = true;
# postPatch = "patchShebangs .";
configurePhase = ''
export KCONFIG_NOTIMESTAMP=1
make ${if enableMinimal then "allnoconfig" else "defconfig"}
${configParser}
cat << EOF | parseconfig
CONFIG_PREFIX "$out"
CONFIG_INSTALL_NO_USR y
CONFIG_LFS y
# More features for modprobe.
${lib.optionalString (!enableMinimal) ''
CONFIG_FEATURE_MODPROBE_BLACKLIST y
CONFIG_FEATURE_MODUTILS_ALIAS y
CONFIG_FEATURE_MODUTILS_SYMBOLS y
CONFIG_MODPROBE_SMALL n
''}
${lib.optionalString enableStatic ''
CONFIG_STATIC y
''}
${lib.optionalString (!enableAppletSymlinks) ''
CONFIG_INSTALL_APPLET_DONT y
CONFIG_INSTALL_APPLET_SYMLINKS n
''}
# Use the external mount.cifs program.
CONFIG_FEATURE_MOUNT_CIFS n
CONFIG_FEATURE_MOUNT_HELPERS y
# BB_SHADOW
FEATURE_SHADOWPASSWDS y
CONFIG_USE_BB_PWD_GRP y
CONFIG_USE_BB_SHADOW y
CONFIG_USE_BB_CRYPT y
USE_BB_CRYPT_SHA y
CONFIG_FEATURE_DEFAULT_PASSWD_ALGO "sha512"
# Set paths for console fonts.
CONFIG_DEFAULT_SETFONT_DIR "/etc/kbd"
# Bump from 4KB, much faster I/O
CONFIG_FEATURE_COPYBUF_KB 64
# Doesn't build with current kernel headers.
# https://bugs.busybox.net/show_bug.cgi?id=15934
CONFIG_TC n
# Set the path for the udhcpc script
CONFIG_UDHCPC_DEFAULT_SCRIPT "/usr/share/busybox/"
${extraConfig}
CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}"
${libcConfig}
EOF
make oldconfig
runHook postConfigure
'';
postConfigure = lib.optionalString (useMusl && stdenv.hostPlatform.libc != "musl") ''
makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib")
'';
makeFlags = [ "SKIP_STRIP=y" ];
strictDeps = true;
depsBuildBuild = [ buildPackages.stdenv.cc ];
buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [
stdenv.cc.libc
stdenv.cc.libc.static
];
enableParallelBuilding = true;
doCheck = false; # tries to access the net
passthru.shellPath = "/bin/ash";
meta = with lib; {
description = "Tiny versions of common UNIX utilities in a single small executable";
homepage = "https://busybox.net/";
license = licenses.gpl2Only;
maintainers = with maintainers; [
TethysSvensson
qyliss
];
platforms = platforms.linux;
priority = 15; # below systemd (halt, init, poweroff, reboot) and coreutils
};
}