cc-wrapper: check ld hardening capabilities in stdenv

2 files changed, 11 insertions, 3 deletions

diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index be15bc692a20..60e62ffad608 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -4,8 +4,12 @@ hardeningCFlags=()
 hardeningLDFlags=()
 hardeningDisable=${hardeningDisable:-""}
 
-if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then
-  hardeningDisable+=" bindnow relro"
+if [[ -z "@ld_supports_bindnow@" ]]; then
+  hardeningDisable+=" bindnow"
+fi
+
+if [[ -z "@ld_supports_relro@" ]]; then
+  hardeningDisable+=" relro"
 fi
 
 if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 10bd5f77f72d..08ca8195b68b 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -237,8 +237,12 @@ stdenv.mkDerivation {
       cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
       rm $out/nix-support/setup-hook.tmp
 
+      # some linkers on some platforms don't support -z
+      export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]])
+      export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]])
+
       substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
-      cp -p ${./add-hardening.sh} $out/nix-support/add-hardening.sh
+      substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
       cp -p ${./utils.sh} $out/nix-support/utils.sh
     ''
     + extraBuildCommands;