diff options
| author | obadz <obadz-git@obadz.com> | 2016-08-22 01:19:35 +0100 |
|---|---|---|
| committer | obadz <obadz-git@obadz.com> | 2016-08-22 01:19:35 +0100 |
| commit | 24a9183f907cec515724484d84b0cf236de2e8d0 (patch) | |
| tree | 67ab37c4de5d8e8f17b78cc8c6680f25edf7d930 /pkgs/servers/http | |
| parent | ba50fd71700bf796ea2339115733ca5a850015ea (diff) | |
| parent | b092538811a2bd4454ed9b056952c0a10f091076 (diff) | |
| download | nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.gz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.bz2 nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.lz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.xz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.zst nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.zip | |
Merge branch 'hardened-stdenv' into staging
Closes #12895 Amazing work by @globin & @fpletz getting hardened compiler flags by enabled default on the whole package set
Diffstat (limited to 'pkgs/servers/http')
| -rw-r--r-- | pkgs/servers/http/nginx/generic.nix | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/pkgs/servers/http/nginx/generic.nix b/pkgs/servers/http/nginx/generic.nix index 6817f18bd1db..b1d70907e28c 100644 --- a/pkgs/servers/http/nginx/generic.nix +++ b/pkgs/servers/http/nginx/generic.nix @@ -49,14 +49,9 @@ stdenv.mkDerivation { NIX_CFLAGS_COMPILE = [ "-I${libxml2.dev}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations"; - preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules) - + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) '' - configureFlagsArray=( - --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2" - --with-ld-opt="-pie -Wl,-z,relro,-z,now" - ) - '' - ; + preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules); + + hardeningEnable = [ "pie" ]; postInstall = '' mv $out/sbin $out/bin |