authorCharles Strahan <charles@cstrahan.com>2017-08-07 23:20:21 -0400
committerCharles Strahan <charles@cstrahan.com>2018-03-06 00:30:00 -0500
commit9fe17b2153ed7cc206aaeeb1c1316094b774db4d (patch)
tree8006434401bd33f8472a22483f9f88a31709f4dd /pkgs/build-support/cc-wrapper
parentcc4677c36ee8d880e881459ad114fd2224b3ac1c (diff)
hardening: fix #18995
Diffstat (limited to 'pkgs/build-support/cc-wrapper')
-rw-r--r--pkgs/build-support/cc-wrapper/add-hardening.sh37
1 files changed, 22 insertions, 15 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index a35ff3cb4260..f0da0a855169 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,33 +1,41 @@
-hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
-# Intentionally word-split in case 'hardeningEnable' is defined in
-# Nix. Also, our bootstrap tools version of bash is old enough that
-# undefined arrays trip `set -u`.
-if [[ -v hardeningEnable[@] ]]; then
-  hardeningFlags+=(${hardeningEnable[@]})
-fi
+allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow)
 hardeningCFlags=()
 
 declare -A hardeningDisableMap
+declare -A hardeningEnableMap
 
-# Intentionally word-split in case 'hardeningDisable' is defined in Nix.
-for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@
-do
+# Create table of unsupported flags for this toolchain.
+for flag in @hardening_unsupported_flags@; do
   hardeningDisableMap[$flag]=1
 done
 
+# Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
+# array expansion also prevents undefined variables from causing trouble with
+# `set -u`.
+for flag in ${NIX_HARDENING_ENABLE+}; do
+  if [[ -n "${hardeningDisableMap[$flag]}" ]]; then
+    hardeningEnableMap[$flag]=1
+  fi
+done
+
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  # Determine which flags were effectively disabled so we can report below.
+  for flag in ${allHardeningFlags[@]}; do
+    if [[ -z "${hardeningEnableMap[$flag]}" ]]; then
+      hardeningDisableMap[$flag]=1
+    fi
+  done
+
   printf 'HARDENING: disabled flags:' >&2
   (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
   echo >&2
 fi
 
-if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
+if (( "${#hardeningEnableMap[@]}" )); then
   if (( "${NIX_DEBUG:-0}" >= 1 )); then
     echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
   fi
-  for flag in "${hardeningFlags[@]}"
-  do
-    if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
+  for flag in "${!hardeningEnableMap[@]}"; do
       case $flag in
         fortify)
           if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
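Review bot: The new enable loop never iterates, because `${NIX_HARDENING_ENABLE+}` is the `${var+word}` form with an empty word and expands to nothing whether or not the variable is set; `hardeningEnableMap` therefore stays empty, the `if (( "${#hardeningEnableMap[@]}" ))` branch is skipped, and builds through this wrapper silently lose fortify, stackprotector, pie, relro and bindnow. The test inside that loop is also inverted and drops the `:-` default the removed code used, so once the loop does run it would enable exactly the unsupported flags and trip `set -u` on any flag absent from `hardeningDisableMap`. Change the two lines to `for flag in ${NIX_HARDENING_ENABLE-}; do` and `if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then`, and give the debug-only lookup the same default, `if [[ -z "${hardeningEnableMap[$flag]:-}" ]]; then`. With `NIX_DEBUG=1` the committed code lists every flag under "disabled flags", which is the observable symptom of the regression. The `if` block opened by the enable-map check continues past the end of this hunk.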
@@ -62,6 +70,5 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
           # tool supports each flag.
           ;;
       esac
-    fi
   done
 fi