author | Alyssa Ross <hi@alyssa.is> | 2023-08-23 10:09:14 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2023-08-26 09:07:03 +0000 |
commit | 63dabcc77ef9a56655e1ca2ab2e25e6163a72c1f (patch) | |
tree | d58934cb48f9c953b19a0d0d5cffc0d0c5561471 /nixpkgs/pkgs/build-support/cc-wrapper | |
parent | c4eef3dacb2a3d359561f30917d9e3cc4e041be9 (diff) | |
parent | 91a22f76cd1716f9d0149e8a5c68424bb691de15 (diff) | |
Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs
Conflicts: nixpkgs/pkgs/build-support/go/module.nix nixpkgs/pkgs/development/python-modules/django-mailman3/default.nix
Diffstat (limited to 'nixpkgs/pkgs/build-support/cc-wrapper')
-rw-r--r-- | nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh | 14 | ||||
-rw-r--r-- | nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh | 7 | ||||
-rw-r--r-- | nixpkgs/pkgs/build-support/cc-wrapper/default.nix | 22 |
3 files changed, 38 insertions, 5 deletions
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
index 07ac6737f39d..7f5cd4cf4af3 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -81,8 +81,18 @@ for flag in "${!hardeningEnableMap[@]}"; do
       hardeningCFlags+=('-fPIC')
       ;;
     strictoverflow)
-      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
-      hardeningCFlags+=('-fno-strict-overflow')
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
+      if (( @isClang@ )); then
+        # In Clang, -fno-strict-overflow only serves to set -fwrapv and is
+        # reported as an unused CLI argument if -fwrapv or -fno-wrapv is set
+        # explicitly, so we side step that by doing the conversion here.
+        #
+        # See: https://github.com/llvm/llvm-project/blob/llvmorg-16.0.6/clang/lib/Driver/ToolChains/Clang.cpp#L6315
+        #
+        hardeningCFlags+=('-fwrapv')
+      else
+        hardeningCFlags+=('-fno-strict-overflow')
+      fi
       ;;
     format)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 5350fc3cc9ae..244a0bb6623b 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -246,10 +246,13 @@ if [[ -e @out@/nix-support/cc-wrapper-hook ]]; then
 fi
 
 if (( "${NIX_CC_USE_RESPONSE_FILE:-@use_response_file_by_default@}" >= 1 )); then
-    exec @prog@ @<(printf "%q\n" \
+    responseFile=$(mktemp --tmpdir cc-params.XXXXXX)
+    trap 'rm -f -- "$responseFile"' EXIT
+    printf "%q\n" \
         ${extraBefore+"${extraBefore[@]}"} \
         ${params+"${params[@]}"} \
-        ${extraAfter+"${extraAfter[@]}"})
+        ${extraAfter+"${extraAfter[@]}"} > "$responseFile"
+    @prog@ "@$responseFile"
 else
     exec @prog@ \
         ${extraBefore+"${extraBefore[@]}"} \
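Review bot: `if (( @isClang@ )); then` only works if the text substituted for isClang is a valid arithmetic expression; with `inherit isClang;` placed in env by this commit's default.nix change, a Nix boolean reaches the script as `1` or (I believe) the empty string, so the gcc case evaluates `(( ))`. Bash appears to accept the empty expression as false, but nothing in the script records that contract, and any change in how isClang is rendered (for example `true`/`false`) would turn into an operand error in every compile. Spelling the expectation out, e.g. `if [[ "@isClang@" == 1 ]]; then` together with `# @isClang@ is substituted from env.isClang: "1" for clang, empty otherwise`, keeps the branch robust and readable. The enclosing `for flag` loop and its `case` start and end outside the hunk.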
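Review bot: `trap 'rm -f -- "$responseFile"' EXIT` installs the EXIT trap unconditionally, which replaces any EXIT trap that was set earlier in the script, for instance by whatever the `if [[ -e @out@/nix-support/cc-wrapper-hook ]]` block above presumably sources; if a hook can legitimately register its own EXIT handler, this branch should chain it or a comment should state that the wrapper owns EXIT from here on. The `exec` is dropped only in this branch while the `else` branch keeps it, so the wrapper now stays alive as the parent of @prog@ solely to run the cleanup; a one-line comment such as `# no exec: the wrapper must outlive @prog@ so the EXIT trap can remove the response file` would explain the asymmetry. If the script is not running under `set -e` (its header is outside the hunk), a failed `mktemp` leaves responseFile empty and @prog@ is invoked with a bare `@` argument, so an explicit `|| exit 1` on the mktemp line would make that failure mode visible. The enclosing if/else continues past the hunk.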
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/default.nix b/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
index 551074e0a211..c7c733a427aa 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
@@ -51,6 +51,8 @@
 # the derivation at which the `-B` and `-L` flags added by `useCcForLibs` will point
 , gccForLibs ? if useCcForLibs then cc else null
+, fortify-headers ? null
+, includeFortifyHeaders ? null
 }:
 
 with lib;
 
@@ -65,6 +67,10 @@ let
   stdenv = stdenvNoCC;
   inherit (stdenv) hostPlatform targetPlatform;
 
+  includeFortifyHeaders' = if includeFortifyHeaders != null
+                           then includeFortifyHeaders
+                           else targetPlatform.libc == "musl";
+
   # Prefix for binaries. Customarily ends with a dash separator.
   #
   # TODO(@Ericson2314) Make unconditional, or optional but always true by
@@ -165,6 +171,8 @@ let
     stdenv.targetPlatform.darwinMinVersionVariable;
 
 in
+assert includeFortifyHeaders' -> fortify-headers != null;
+
 # Ensure bintools matches
 assert libc_bin == bintools.libc_bin;
 assert libc_dev == bintools.libc_dev;
@@ -189,7 +197,7 @@ stdenv.mkDerivation {
   # Binutils, and Apple's "cctools"; "bintools" as an attempt to find an
   # unused middle-ground name that evokes both.
   inherit bintools;
-  inherit cc libc nativeTools nativeLibc nativePrefix isGNU isClang;
+  inherit cc libc libcxx nativeTools nativeLibc nativePrefix isGNU isClang;
 
   emacsBufferSetup = pkgs: ''
     ; We should handle propagation here too
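Review bot: The two new parameters `, fortify-headers ? null` and `, includeFortifyHeaders ? null` are added without the descriptive comment that the neighbouring `gccForLibs` entry carries, so a caller has to read the rest of the file to learn what they mean. A short comment above each would do, for example `# wrapper headers that augment libc (see the libc-cflags block below); required when includeFortifyHeaders is enabled` and `# whether to put fortify-headers on the libc include path; null means auto-detect (true when targetPlatform.libc == "musl")`. The auto-detect rule is the `includeFortifyHeaders'` binding in the second hunk of this file, and the function's argument list begins before the hunk.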
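Review bot: `assert includeFortifyHeaders' -> fortify-headers != null;` fails with Nix's generic assertion message, which tells a user who enabled includeFortifyHeaders on a cc-wrapper without the package nothing about which argument is missing; this also fires on the musl default without the caller having set anything explicitly. Since `with lib;` is already in scope (first hunk), `assert assertMsg (includeFortifyHeaders' -> fortify-headers != null) "cc-wrapper: includeFortifyHeaders requires the fortify-headers argument";` reports the cause directly and costs nothing otherwise.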
@@ -414,6 +422,16 @@ stdenv.mkDerivation {
 
     echo "${libc_lib}" > $out/nix-support/orig-libc
     echo "${libc_dev}" > $out/nix-support/orig-libc-dev
+  ''
+  # fortify-headers is a set of wrapper headers that augment libc
+  # and use #include_next to pass through to libc's true
+  # implementations, so must appear before them in search order.
+  # in theory a correctly placed -idirafter could be used, but in
+  # practice the compiler may have been built with a --with-headers
+  # like option that forces the libc headers before all -idirafter,
+  # hence -isystem here.
+  + optionalString includeFortifyHeaders' ''
+    echo "-isystem ${fortify-headers}/include" >> $out/nix-support/libc-cflags
   '')
 
   ##
@@ -609,6 +627,8 @@ stdenv.mkDerivation {
   env = {
+    inherit isClang;
+
     # for substitution in utils.bash
     expandResponseParams = "${expand-response-params}/bin/expand-response-params";
     shell = getBin shell + shell.shellPath or "";
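Review bot: `inherit isClang;` is added to env without saying which substituted script reads it; the only consumer visible in this commit is `@isClang@` in add-hardening.sh, and the entries right below follow the pattern `# for substitution in utils.bash`. A matching comment, `# for substitution in add-hardening.sh (@isClang@)`, keeps the two files linked for whoever next edits either. Note that a boolean in env is, as far as I know, rendered as `1` or the empty string in the builder environment, so the shell side must tolerate the empty case. The `env` attribute set continues past the hunk.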