author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-02-26 18:38:15 +0100 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2016-03-05 18:55:26 +0100 |
commit | aff1f4ab948b921ceaf2b81610f2f82454302b4b (patch) | |
tree | 6e51e90a41409d56cfa084b9ca64921f2611fafc /pkgs/tools | |
parent | a2e449e43e82e258b94c723d92a5e9af641967e7 (diff) | |
Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
Diffstat (limited to 'pkgs/tools')
74 files changed, 76 insertions, 80 deletions
diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index b4fc755bd84a..cef071bb3b61 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = https://packages.debian.org/source/xbindkeys-config; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 24fec4e33bbd..e7164bf07b6c 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index d1f13b77f0c1..41043cda5b65 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index 20f7038067db..da0983fc0970 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./CVE-2014-8139.diff 
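Review bot: `hardeningDisable = [ "format" ];` in xbindkeys-config/default.nix has no comment saying why the flag is off, and the same bare line recurs in most other hunks of this commit, including packages that parse untrusted input (unzip, mailutils, openfortivpn, uwimap, telnet, rsyslog). Assuming `format` is the flag that promotes format-security warnings to errors, each opt-out marks source that failed that check, i.e. a possible non-literal format string that should be patched rather than left unflagged. I would add a one-line comment above each, e.g. `# FIXME: fails -Werror=format-security; fix the printf-style call sites and drop this`, so the opt-outs can be audited and removed later. The surrounding mkDerivation body starts and ends outside the hunk.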
diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index 6407fe4f350b..115fc8e3aff1 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A GTK+ front-end for command line archiving tools"; diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 8be743c8dd0a..145b81c95bc8 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index f27dd3c5be67..f38b24c0fc07 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 2de5736a4c22..7e7558f69e69 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. 
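Review bot: The refind hunk turns off `stackprotector` with no comment, while the ipxe hunk in this same commit documents the equivalent opt-out with `# not possible due to assembler code`. The same undocumented pattern appears in grub/default.nix, grub/trusted.nix, gummiboot, memtest86+ and tboot. If the reason is that these build freestanding boot code with no libc to supply the stack-check symbols (inferred, not visible here), say so: `# boot code is built freestanding; no __stack_chk_fail available`. Without that, a reader cannot tell a necessary exception from a leftover workaround. The mkDerivation body continues outside the hunk.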
diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 34bb109a1715..0b10f30497d2 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; - hardening_format = false; + hardeningDisable = [ "format" ]; # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 38e86c8ff1f2..7db35e2b80e2 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 6ddebe6b99d0..986f940b9069 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index c53400e6afdd..5a3451810a12 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Samba mounted via FUSE"; 
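Review bot: In dvdisaster/default.nix, `hardeningDisable = [ "fortify" ];` removes what is, as far as I know, a runtime mitigation (`_FORTIFY_SOURCE`) rather than a compile-time diagnostic, and nothing records why. The same applies to the fortify opt-outs in udftools, graphviz (2.0.nix, 2.32.nix, default.nix), qrcode, zbar, dhcpdump, checkinstall and clib; several of these parse files or packets that originate outside the machine. Please add the reason above each line, e.g. `# FIXME: <build or runtime failure seen with fortify> (placeholder)`, and where the failure is only a build error, consider whether a source patch would let fortify stay on. The derivation body starts and ends outside the hunk.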
diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index d3964b1e4275..5613bac9b1a5 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -11,7 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; patches = [ ./gcc5.patch ]; - hardening_fortify = false; + + hardeningDisable = [ "fortify" ]; preConfigure = '' sed -e '1i#include <limits.h>' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index 7e6c99313418..d6a31bd5c7f7 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "GNU barcode generator"; diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index c3d9a859f3ff..cdf38d1218ad 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index 03326aa4562f..e7fb3e773c1d 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; 
diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index e08b1309d414..6f236509a310 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -14,8 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-pngincludedir=${libpng}/include" diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 7f11f076dcc8..ede6624ac59d 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 9a9621dd784e..82f958321bdd 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index e28a2e164885..392527a21198 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; # Inspired by linux-install/nifskope.spec.in. installPhase = 
diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index dc145a0d8623..abcbabea596c 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit - hardening_format = false; + hardeningDisable = [ "format" ]; doCheck = true; diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index f67e7202521b..496b1d355729 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib}/lib"; diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index a1aefbff33c6..f2a85c73c2af 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { inherit (s) rev url sha256; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index c584ed282d6b..898031cbaf3f 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index f0e53696fc5c..b96c469e3468 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix 
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-video" ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Bar code reader"; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 6e7c6daca56d..a06d3d0729a1 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,7 +20,7 @@ let }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index d537c0f506fc..132707106af0 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { ddccontrol-db ]; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index 4475010f3b85..7d17dee8b53c 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [flex]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index f99b83a2a0a5..80fb3c6a694c 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure 
diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index d3b62149bdf3..1ba4bceb7876 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Bitmap Font Editor"; diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index f3c09ef686a9..d56f9b3ce0f0 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -52,7 +52,7 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; - hardening_all = false; + hardeningDisable = [ "all" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index c0579b918164..a690ef2084b2 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; prePatch = '' unpackFile $gentooPatches diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 39c1ce9c0c11..fc8784decc5f 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,8 +47,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; - hardening_stackprotector = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "pic" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index b73d83201e0e..7946a3b062fc 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix 
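Review bot: `hardeningDisable = [ "all" ];` in grub/2.0x.nix uses a value that is not among the flags the commit message lists for cc-wrapper (fortify, stackprotector, pie, pic, strictoverflow, format, relro, bindnow). The wrapper change is outside this diffstat, so please confirm that `all` is handled as a wildcard there; if it were treated as an unknown flag name, the old `hardening_all = false` behaviour would be lost without any error in this file. Either way, a comment should name the flags grub cannot build with, e.g. `# grub builds its own boot images; hardening flags break them (confirm which)`, because a blanket opt-out presumably also covers the utilities that run on the installed system. The mkDerivation body continues outside the hunk.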
@@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index 0830eb51b3ca..78f49588e8c3 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix @@ -19,8 +19,7 @@ stdenv.mkDerivation { preConfigure = "cd src"; # not possible due to assembler code - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; makeFlags = [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here. diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index 097c26071fcf..62d490ea4f9e 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,8 +22,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" "pic" ]; buildFlags = "memtest.bin"; diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index a65bd1fe8ec1..f92069e7b9f5 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ glib gettext readline pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://palcal.sourceforge.net/; diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index 48c47cc3d8db..8d4f00ee8478 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix 
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index cba343863bef..4ef050b409e5 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Unix-unix cp over serial line, also includes cu program"; diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index 292023a1b582..567783f63138 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ unzip libogg libvorbis ]; diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index 3d828a55121e..debc2c239ad6 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Converter from Microsoft Word formats to human-editable ones"; diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index cef5fee9cf93..31b6e74917e8 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Patch the destination directory diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 0729f35db59b..d262f7fc9e0c 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 915562bd7791..91232b4ffa74 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -pv $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 6032e53f0baa..b05f4e8e80ee 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 90bc8b54f28f..a9f2419b1368 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix 
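Review bot: `hardeningEnable = [ "pie" ];` in chrony/default.nix is the only thing keeping this daemon position-independent, since the commit message states `pie` is disabled by default, yet the line has no comment and nothing checks the result. The same goes for the opt-ins in dnsmasq, ntp, openssh, radvd, socat and cron. I would add `# network-facing: build as PIE so ASLR also covers the main executable` above the line, so the opt-in is not dropped in a later cleanup. Checking the installed binary's ELF type in an install check would catch a silently ignored flag, which matters because the message says only cc-wrapper honours these lists. The derivation body continues outside the hunk.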
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 414ff692d10d..13f8cedc673d 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index 53e17e6cecdc..140d58e3163e 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./path-to-cat.patch ./no-gets.patch ]; diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 349dba12538c..7a1eac59eeae 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Mini PXE server"; diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 47fa2708821a..b2242fe54546 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' rm -rf $out/share/doc 
diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 25af3e11cafb..c1f78c911a1a 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation { buildInputs = [ openssl ppp autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 7ade847b97be..6e497a0093e1 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -63,7 +63,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' # Install ssh-copy-id, it's very useful. diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 8b0b3d9a736c..fc4ca793199d 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index e59e6d460803..36c6a2deead0 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A utility for bidirectional data transfer between two independent data channels"; 
diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 3fe6144b72ca..3a5117653c83 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ncurses]; diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index 22f991d8fe2a..1c8829a07b27 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -22,7 +22,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Lightweight userspace bandwidth shaper"; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 1c7c946000eb..e7c771618480 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index ba9552d4faea..81d43fa501cf 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://vde.sourceforge.net/; diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index f1d7985e9a50..c47f1664cd6e 100644 
--- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation { buildInputs = [gettext]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' makeFlagsArray=(PREFIX=$out) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index d52243dcea5c..cb365b9b4f76 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index 273d692ebaa6..8efd04690dbe 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 1a2bc6a31082..506b1d398d54 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' for a in lcptools utils tb_polgen; do diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 805336cfe44b..26f088fd54a2 100644 --- a/pkgs/tools/system/cron/default.nix 
+++ b/pkgs/tools/system/cron/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index 0696af07166b..0114c1d41ff6 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; preInstall = '' mkdir -p $out/{bin,share/man/man8} diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 1456b6fca7c4..7800bfa08313 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index ef54bde3db56..e19dbb028474 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--sysconfdir=/etc" diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index 956fd590b14c..fc0889012c2e 100644 --- a/pkgs/tools/system/which/default.nix +++ b/pkgs/tools/system/which/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; 
diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index bcbf2b66a860..4a32e972a5b3 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 98f9c0483c2d..75922a6c830c 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Tools to manipulate patch files"; diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index 33f72b029a1e..ec99e8b4a27a 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; unpackPhase = "tar xf $src"; installTargets = "install install.man"; diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index cffe0b39d229..c3d226a2acb0 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' 
diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 3585c4d04af8..2cc673939038 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec { perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ @@ -123,7 +123,7 @@ core-big = stdenv.mkDerivation { inherit (common) src; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 989649c580f2..bfffbae65b59 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -15,5 +15,5 @@ stdenv.mkDerivation rec { buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index a16dc169b98e..81860f22e897 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw |