hardening: debug with NIX_DEBUG

1 files changed, 9 insertions, 0 deletions

diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening
index ab8ce610e27a..abfd49766db2 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening
+++ b/pkgs/build-support/cc-wrapper/add-hardening
@@ -14,30 +14,39 @@ if [[ ! $hardeningDisable == "all" ]]; then
     if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then
       case $flag in
         fortify)
+          if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling fortify; fi
           hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
           ;;
         stackprotector)
+          if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling stackprotector; fi
           hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4')
           ;;
         pie)
+          if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling CFlags -fPIE; fi
           hardeningCFlags+=('-fPIE')
           if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+            if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling LDFlags -pie; fi
             hardeningLDFlags+=('-pie')
           fi
           ;;
         pic)
+          if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling pic; fi
           hardeningCFlags+=('-fPIC')
           ;;
         strictoverflow)
+          if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling strictoverflow; fi
           hardeningCFlags+=('-fno-strict-overflow')
           ;;
         format)
+          if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling format; fi
           hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
           ;;
         relro)
+          if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling relro; fi
           hardeningLDFlags+=('-z relro')
           ;;
         bindnow)
+          if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling bindnow; fi
           hardeningLDFlags+=('-z now')
           ;;
         *)