Use general hardening flag toggle lists

The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow

1 files changed, 4 insertions, 4 deletions

diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 6e12a0d8bc8f..a8a08e5e1443 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -56,7 +56,6 @@ if [ "$nonFlagArgs" = 0 ]; then
     dontLink=1
 fi
 
-
 # Optionally filter out paths not refering to the store.
 params=("$@")
 if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
@@ -90,16 +89,17 @@ if [[ "@prog@" = *++ ]]; then
     fi
 fi
 
+source @out@/nix-support/add-hardening.sh
+
 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE)
+extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
 extraBefore=()
 
-
 if [ "$dontLink" != 1 ]; then
 
     # Add the flags that should only be passed to the compiler when
     # linking.
-    extraAfter+=($NIX_CFLAGS_LINK)
+    extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
 
     # Add the flags that should be passed to the linker (and prevent
     # `ld-wrapper' from adding NIX_LDFLAGS again).