author | Charles Strahan <charles@cstrahan.com> | 2018-03-06 19:21:10 -0500 |
---|---|---|
committer | Charles Strahan <charles@cstrahan.com> | 2018-03-06 19:21:10 -0500 |
commit | 806edaa0a20db3358836d55d203500b87dbe8624 (patch) | |
tree | 2b1ad60c859a4dc9af4e3c7bf711e59fbcba7849 /pkgs/build-support | |
parent | 634c748050391b6f7c908d4716be026f839dceaf (diff) | |
hardening: ld wrapper changes, setup-hook, etc
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/bintools-wrapper/add-hardening.sh | 47 | ||||
-rw-r--r-- | pkgs/build-support/bintools-wrapper/ld-wrapper.sh | 2 | ||||
-rw-r--r-- | pkgs/build-support/bintools-wrapper/setup-hook.sh | 4 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/add-hardening.sh | 4 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/cc-wrapper.sh | 1 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/setup-hook.sh | 4 |
6 files changed, 40 insertions, 22 deletions
diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh
index 5282d17fce27..0f62aa49542a 100644
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@@ -1,33 +1,45 @@ -hardeningFlags=(relro bindnow) -# Intentionally word-split in case 'hardeningEnable' is defined in -# Nix. Also, our bootstrap tools version of bash is old enough that -# undefined arrays trip `set -u`. -if [[ -v hardeningEnable[@] ]]; then - hardeningFlags+=(${hardeningEnable[@]}) -fi -hardeningLDFlags=() +allHardeningFlags=(pie relro bindnow) +hardeningFlags=() -declare -A hardeningDisableMap +declare -A hardeningEnableMap=() -# Intentionally word-split in case 'hardeningDisable' is defined in Nix. -for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@ -do - hardeningDisableMap[$flag]=1 +# Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The +# array expansion also prevents undefined variables from causing trouble with +# `set -u`. +for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do + hardeningEnableMap[$flag]=1 done +# Remove unsupported flags. if (( "${NIX_DEBUG:-0}" >= 1 )); then + declare -A hardeningDisableMap=() +fi +for flag in @hardening_unsupported_flags@; do + [[ -n ${hardeningEnableMap[$flag]} ]] || continue + if (( "${NIX_DEBUG:-0}" >= 1 )); then + hardeningDisableMap[$flag]=1 + fi + unset hardeningEnableMap[$flag] +done + +if (( "${NIX_DEBUG:-0}" >= 1 )); then + # Determine which flags were effectively disabled so we can report below. + for flag in ${allHardeningFlags[@]}; do + if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then + hardeningDisableMap[$flag]=1 + fi + done + printf 'HARDENING: disabled flags:' >&2 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2 echo >&2 fi -if [[ -z "${hardeningDisableMap[all]:-}" ]]; then +if (( "${#hardeningEnableMap[@]}" )); then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi - for flag in "${hardeningFlags[@]}" - do - if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then + for flag in "${!hardeningEnableMap[@]}"; do case $flag in pie) if [[ ! 
("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
@@ -48,6 +60,5 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then # tool supports each flag. ;; esac - fi done fi
diff --git a/pkgs/build-support/bintools-wrapper/ld-wrapper.sh b/pkgs/build-support/bintools-wrapper/ld-wrapper.sh
index bbab9a6b71d1..672a3dcbe385 100644
--- a/pkgs/build-support/bintools-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/bintools-wrapper/ld-wrapper.sh
@@ -58,7 +58,7 @@ fi source @out@/nix-support/add-hardening.sh extraAfter=() -extraBefore=("${hardeningLDFlags[@]}") +extraBefore=(${hardeningLDFlags[@]+"${hardeningLDFlags[@]}"}) if [ -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ]; then extraAfter+=($NIX_@infixSalt@_LDFLAGS)
diff --git a/pkgs/build-support/bintools-wrapper/setup-hook.sh b/pkgs/build-support/bintools-wrapper/setup-hook.sh
index 48a00b0b9b07..831ee9b03872 100644
--- a/pkgs/build-support/bintools-wrapper/setup-hook.sh
+++ b/pkgs/build-support/bintools-wrapper/setup-hook.sh
@@ -83,6 +83,10 @@ do fi done +# If unset, assume the default hardening flags. +: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} +export NIX_HARDENING_ENABLE + # No local scope in sourced file unset -v role_pre role_post cmd upper_case set +u
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index de5eb2506a83..0b483c12e841 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,4 +1,4 @@ -allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow) +allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) hardeningCFlags=() declare -A hardeningEnableMap=()
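Review bot: The new loop over `@hardening_unsupported_flags@` tests `[[ -n ${hardeningEnableMap[$flag]} ]] || continue` without the `-` default that the NIX_DEBUG block a few lines later uses (`"${hardeningEnableMap[$flag]-}"`); if the wrapper runs under `set -u` (the `set -u` line is outside this diff, though the `set +u` in the setup-hook hunk suggests it), bash treats an unset associative-array element as an unbound variable, so an unsupported flag that was not requested would abort the wrapper rather than be skipped. Suggest `[[ -n "${hardeningEnableMap[$flag]-}" ]] || continue`; the identical line appears as context in the cc-wrapper/add-hardening.sh hunk below and needs the same change. The retained debug message `'HARDENING: Is active (not completely disabled with "all" flag)'` no longer matches its guard, which is now `(( "${#hardeningEnableMap[@]}" ))` and never consults an `all` key, so `'HARDENING: Is active (at least one flag enabled)'` would be accurate. `unset hardeningEnableMap[$flag]` is also subject to pathname expansion; `unset -v "hardeningEnableMap[$flag]"` is the safe spelling. The enclosing `if`/`for` continues past the end of this hunk.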
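Review bot: The setup hook exports the default as `NIX_HARDENING_ENABLE`, but the new add-hardening.sh in this same commit reads `${NIX_@infixSalt@_HARDENING_ENABLE-}`; unless something outside this diff copies the unsalted name to the salted one, the default list is never seen by the wrapper and every flag would be reported by NIX_DEBUG as disabled. The `=` expansion (as opposed to `:=`) honours an explicitly empty `NIX_HARDENING_ENABLE=`, which disables all hardening, and the comment should make that behaviour explicit: `# If unset, assume the default hardening flags; an empty value disables them all.` The same four lines are added to cc-wrapper/setup-hook.sh, and both copies must stay in sync with each other and with `allHardeningFlags` in the two add-hardening.sh files (`pie` is intentionally not in the default), which is worth a comment at both sites. The expansion should also be quoted, `: "${NIX_HARDENING_ENABLE=...}"`, so ShellCheck stays clean.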
@@ -12,7 +12,7 @@ done # Remove unsupported flags. if (( "${NIX_DEBUG:-0}" >= 1 )); then - declare -A hardeningDisableMap=() + declare -A hardeningDisableMap=() fi for flag in @hardening_unsupported_flags@; do [[ -n ${hardeningEnableMap[$flag]} ]] || continue
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 15118d99db72..8a3cfb694b4f 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -135,7 +135,6 @@ source @out@/nix-support/add-hardening.sh # Add the flags for the C compiler proper. extraAfter=($NIX_@infixSalt@_CFLAGS_COMPILE) - extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"}) if [ "$dontLink" != 1 ]; then
diff --git a/pkgs/build-support/cc-wrapper/setup-hook.sh b/pkgs/build-support/cc-wrapper/setup-hook.sh
index 29a7306b9b7e..15b84dca2794 100644
--- a/pkgs/build-support/cc-wrapper/setup-hook.sh
+++ b/pkgs/build-support/cc-wrapper/setup-hook.sh
@@ -147,6 +147,10 @@ export ${role_pre}CXX=@named_cxx@ export CC${role_post}=@named_cc@ export CXX${role_post}=@named_cxx@ +# If unset, assume the default hardening flags. +: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} +export NIX_HARDENING_ENABLE + # No local scope in sourced file unset -v role_pre role_post set +u |