diff options
| author | John Ericson <John.Ericson@Obsidian.Systems> | 2017-08-03 15:34:23 -0400 |
|---|---|---|
| committer | John Ericson <John.Ericson@Obsidian.Systems> | 2017-08-07 03:05:51 -0400 |
| commit | 2493454e13c25ff990d06deb38b1024e4a0a99f8 (patch) | |
| tree | eb61a13198aea3837e41cbee38274eea91cd415f /pkgs/build-support/cc-wrapper/add-hardening.sh | |
| parent | a8bd415fa06a100b29297db86aadb6f00da70bbf (diff) | |
| download | nixlib-2493454e13c25ff990d06deb38b1024e4a0a99f8.tar nixlib-2493454e13c25ff990d06deb38b1024e4a0a99f8.tar.gz nixlib-2493454e13c25ff990d06deb38b1024e4a0a99f8.tar.bz2 nixlib-2493454e13c25ff990d06deb38b1024e4a0a99f8.tar.lz nixlib-2493454e13c25ff990d06deb38b1024e4a0a99f8.tar.xz nixlib-2493454e13c25ff990d06deb38b1024e4a0a99f8.tar.zst nixlib-2493454e13c25ff990d06deb38b1024e4a0a99f8.zip | |
cc-wrapper: Use `set -u` throughout
Now is an opportune time to do this, as the infixSalt conversion in `add-flags.sh` ensures that all the relevant `NIX_*` vars will be defined even if empty.
Diffstat (limited to 'pkgs/build-support/cc-wrapper/add-hardening.sh')
| -rw-r--r-- | pkgs/build-support/cc-wrapper/add-hardening.sh | 40 |
1 files changed, 21 insertions, 19 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index c91ff0a9d0bd..aa8eb720486c 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -1,67 +1,69 @@ hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) -# Intentionally word-split in case 'hardeningEnable' is defined in Nix. -hardeningFlags+=(${hardeningEnable[@]}) +# Intentionally word-split in case 'hardeningEnable' is defined in +# Nix. Also, our bootstrap tools version of bash is old enough that +# undefined arrays trip `set -u`. +if [[ -v hardeningEnable[@] ]]; then + hardeningFlags+=(${hardeningEnable[@]}) +fi hardeningCFlags=() hardeningLDFlags=() declare -A hardeningDisableMap -# Intentionally word-split in case 'hardeningDisable' is defined in Nix. The -# array expansion also prevents undefined variables from causing trouble with -# `set -u`. -for flag in ${hardeningDisable[@]} @hardening_unsupported_flags@ +# Intentionally word-split in case 'hardeningDisable' is defined in Nix. +for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@ do hardeningDisableMap[$flag]=1 done -if [[ -n "$NIX_DEBUG" ]]; then +if [[ -n "${NIX_DEBUG:-}" ]]; then printf 'HARDENING: disabled flags:' >&2 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2 echo >&2 fi -if [[ -z "${hardeningDisableMap[all]}" ]]; then - if [[ -n "$NIX_DEBUG" ]]; then +if [[ -z "${hardeningDisableMap[all]:-}" ]]; then + if [[ -n "${NIX_DEBUG:-}" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi for flag in "${hardeningFlags[@]}" do - if [[ -z "${hardeningDisableMap[$flag]}" ]]; then + if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then case $flag in fortify) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling fortify >&2; fi hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling stackprotector >&2; fi hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4') ;; pie) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi hardeningCFlags+=('-fPIE') if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningLDFlags+=('-pie') fi ;; pic) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling pic >&2; fi hardeningCFlags+=('-fPIC') ;; strictoverflow) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling strictoverflow >&2; fi hardeningCFlags+=('-fno-strict-overflow') ;; format) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling format >&2; fi hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') ;; relro) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling relro >&2; fi hardeningLDFlags+=('-z' 'relro') ;; bindnow) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling bindnow >&2; fi hardeningLDFlags+=('-z' 'now') ;; *) |