author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-03-05 18:55:30 +0100 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2016-03-05 18:55:30 +0100 |
commit | cb3d27df93d54dd913aa3348c996f4ed372d1c20 (patch) | |
tree | 602c0f0c643f88699117f5191b2c9a805d77a65b /pkgs/servers/http | |
parent | aff1f4ab948b921ceaf2b81610f2f82454302b4b (diff) | |
parent | 4e8853ca8d46988d283bc06a4c7cd6cf68a25576 (diff) | |
Merge remote-tracking branch 'origin/master' into hardened-stdenv
Diffstat (limited to 'pkgs/servers/http')
-rw-r--r-- | pkgs/servers/http/nginx/default.nix | 10 | ||||
-rw-r--r-- | pkgs/servers/http/nginx/unstable.nix | 10 |
2 files changed, 18 insertions, 2 deletions
diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix
index aaa858e302c9..1aaa24127023 100644
--- a/pkgs/servers/http/nginx/default.nix
+++ b/pkgs/servers/http/nginx/default.nix
@@ -1,6 +1,7 @@
 { stdenv, fetchurl, fetchFromGitHub, openssl, zlib, pcre, libxml2, libxslt, expat
 , gd, geoip
 , modules ? []
+, hardening ? true
 }:
 
 with stdenv.lib;
@@ -53,7 +54,14 @@ stdenv.mkDerivation rec {
   NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ]
     ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized";
 
-  preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
+  preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
+    + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) ''
+      configureFlagsArray=(
+        --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
+        --with-ld-opt="-pie -Wl,-z,relro,-z,now"
+      )
+    ''
+  ;
 
   hardeningEnable = [ "pie" ];
 
diff --git a/pkgs/servers/http/nginx/unstable.nix b/pkgs/servers/http/nginx/unstable.nix
index 5840dee0ba53..e85fb96d2edb 100644
--- a/pkgs/servers/http/nginx/unstable.nix
+++ b/pkgs/servers/http/nginx/unstable.nix
@@ -2,6 +2,7 @@
 , gd, geoip
 , withStream ? false
 , modules ? []
+, hardening ? true
 }:
 
 with stdenv.lib;
@@ -51,7 +52,14 @@ stdenv.mkDerivation rec {
   NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ]
     ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations";
 
-  preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
+  preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
+    + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) ''
+      configureFlagsArray=(
+        --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
+        --with-ld-opt="-pie -Wl,-z,relro,-z,now"
+      )
+    ''
+  ;
 
   postInstall = ''
     mv $out/sbin $out/bin
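Review bot: The added `configureFlagsArray=(` in the new preConfigure of default.nix assigns the bash array rather than appending to it, so any `configureFlagsArray` entries a module's own preConfigure (concatenated immediately before this block) may have set are silently discarded; `configureFlagsArray+=(` preserves them. The flags are also only injected when `stdenv.cc.cc.isGNU or false` holds, so with the default `hardening = true` a clang-based stdenv builds nginx without stack protector, FORTIFY, RELRO or PIE and nothing reports it; a comment such as `# hardening flags are GCC-only; other compilers get none of them` above the `optionalString` would make that visible to the next reader. Within `--with-cc-opt`, `--param ssp-buffer-size=4` has no effect next to `-fstack-protector-all`, which instruments every function regardless of buffer size, and the `-fPIE`/`-pie` pair presumably duplicates the `hardeningEnable = [ "pie" ]` on the following context line once the hardened stdenv supplies PIE itself. The same three points apply to the identical hunk in unstable.nix.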