author | Alyssa Ross <hi@alyssa.is> | 2023-09-01 11:51:02 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-09-01 11:51:02 +0000 |
commit | aa4353b499e6950b7333578f936455a628145c31 (patch) | |
tree | c6332cedece2327a18d08794755b3fc0f9f1905b /nixpkgs/pkgs/build-support/cc-wrapper | |
parent | ac456d475f4e50818499b804359355c0f3b4bbf7 (diff) | |
parent | 52185f4d76c18d8348f963795dfed1de018e8dfe (diff) | |
Merge https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/pkgs/build-support/cc-wrapper')
-rw-r--r-- | nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh | 27 | ||||
-rw-r--r-- | nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh | 4 | ||||
-rw-r--r-- | nixpkgs/pkgs/build-support/cc-wrapper/default.nix | 2 |
3 files changed, 19 insertions, 14 deletions
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
index 7f5cd4cf4af3..8d02b4e5124d 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,4 +1,5 @@
-declare -a hardeningCFlags=()
+declare -a hardeningCFlagsAfter=()
+declare -a hardeningCFlagsBefore=()
 declare -A hardeningEnableMap=()
@@ -48,15 +49,19 @@ for flag in "${!hardeningEnableMap[@]}"; do
 fortify | fortify3)
 # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
 # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
- hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+ hardeningCFlagsBefore+=('-O2' '-U_FORTIFY_SOURCE')
+ # Unset any _FORTIFY_SOURCE values the command-line may have set before
+ # enforcing our own value, avoiding (potentially fatal) redefinition
+ # warnings
+ hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')
 case $flag in
 fortify)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
- hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+ hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=2')
 ;;
 fortify3)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
- hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+ hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=3')
 ;;
 *)
 # Ignore unsupported.
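Review bot: In the fortify branch the `-U_FORTIFY_SOURCE` kept in `hardeningCFlagsBefore` (next to `-O2`) now appears to be superseded by the one added to `hardeningCFlagsAfter`, yet the old comment above it ("Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly set -D_FORTIFY_SOURCE=0") still explains only the Before placement; either drop the Before `-U_FORTIFY_SOURCE` or say why both are needed. The new comment should also record the policy change it implies: because the define is now appended after the command line, a build system passing `-U_FORTIFY_SOURCE` or `-D_FORTIFY_SOURCE=0` no longer opts out, and the only supported opt-out is the `fortify` hardening flag itself. Something like `# Command-line -D/-U_FORTIFY_SOURCE are overridden on purpose; opt out via the 'fortify' hardening flag instead.` would make that explicit. Note that `-O2` stays in the Before list, so a command-line `-O0` still wins while the fortify define does not — presumably intended, but worth stating next to it since fortify depends on optimisation.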
@@ -65,20 +70,20 @@ for flag in "${!hardeningEnableMap[@]}"; do
 ;;
 stackprotector)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
- hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
+ hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
 ;;
 pie)
 # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
- hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+ hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}")
 if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
- hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
+ hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}")
 fi
 ;;
 pic)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
- hardeningCFlags+=('-fPIC')
+ hardeningCFlagsBefore+=('-fPIC')
 ;;
 strictoverflow)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
@@ -89,14 +94,14 @@ for flag in "${!hardeningEnableMap[@]}"; do
 #
 # See: https://github.com/llvm/llvm-project/blob/llvmorg-16.0.6/clang/lib/Driver/ToolChains/Clang.cpp#L6315
 #
- hardeningCFlags+=('-fwrapv')
+ hardeningCFlagsBefore+=('-fwrapv')
 else
- hardeningCFlags+=('-fno-strict-overflow')
+ hardeningCFlagsBefore+=('-fno-strict-overflow')
 fi
 ;;
 format)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
- hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+ hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
 ;;
 *)
 # Ignore unsupported. Checked in Nix that at least *some*
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 244a0bb6623b..9dcd29c64431 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -171,8 +171,8 @@ fi
 source @out@/nix-support/add-hardening.sh
 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@)
-extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
+extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
+extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
 if [ "$dontLink" != 1 ]; then
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/default.nix b/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
index c7c733a427aa..f52ac48a1a87 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
@@ -69,7 +69,7 @@ let
 includeFortifyHeaders' = if includeFortifyHeaders != null
 then includeFortifyHeaders
- else targetPlatform.libc == "musl";
+ else (targetPlatform.libc == "musl" && isGNU);
 # Prefix for binaries. Customarily ends with a dash separator.
 # |
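Review bot: The new `extraAfter` line places `hardeningCFlagsAfter` ahead of `$NIX_CFLAGS_COMPILE_@suffixSalt@`, so a `-D_FORTIFY_SOURCE=0` or `-U_FORTIFY_SOURCE` arriving through NIX_CFLAGS_COMPILE (e.g. set by a hook in the build environment) still overrides the enforced fortify value, whereas the same flag on the compiler command line no longer does; this asymmetry is not documented anywhere in the hunk. If NIX_CFLAGS_COMPILE is meant to remain an escape hatch, say so in the comment above the assignment; if it is not, the hardening array should be appended after the environment flags instead. Suggested comment: `# "After" hardening flags follow the command line (which cannot override them) but precede NIX_CFLAGS_COMPILE (which still can).` The `extraBefore` line keeps the previous precedence and needs no change.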
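Review bot: The added `&& isGNU` narrows the default for `includeFortifyHeaders'` to GCC-on-musl without recording why non-GNU compilers are excluded; add a comment above the binding, e.g. `# Bundled fortify headers default on only for GCC targeting musl (<reason or tracking issue here>)`. The hardening consequence deserves a sentence as well: on musl with a non-GNU compiler the `-D_FORTIFY_SOURCE=2` that add-hardening.sh still emits will, if musl itself provides no fortify implementation (which is what this option exists to supply), be a silent no-op unless `includeFortifyHeaders = true` is set explicitly, so the loss of hardening on that combination should be visible to readers. `isGNU` is presumably the wrapper's existing compiler-family flag; the `let` it is bound in lies outside the hunk.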