author | Charles Strahan <charles@cstrahan.com> | 2018-03-05 21:06:07 -0500 |
---|---|---|
committer | Charles Strahan <charles@cstrahan.com> | 2018-03-06 00:30:09 -0500 |
commit | cc7ce57f86b0cff87ac74074d45c993cf4ccf6ab (patch) | |
tree | b0fe2a928bcfc28f5faf10cdc54e76e05d00f8b6 /pkgs | |
parent | 9920923cdeed74386182feb84861746847d0114e (diff) | |
hardening: clarify the whitelist logic
Per @Ericson2314's suggestion [1], make it clearer that the active hardenings are decided via whitelist; the blacklist is merely for the debug messages. 1: https://github.com/NixOS/nixpkgs/pull/28029/commits/36d5ce41d4538e83199a000e6f849442c1cf959c#r133279731
Diffstat (limited to 'pkgs')
-rw-r--r-- | pkgs/build-support/cc-wrapper/add-hardening.sh | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 5713d93ed3f3..72221eaa28b0 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,21 +1,25 @@
 allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow)
 hardeningCFlags=()
-declare -A hardeningDisableMap=()
 declare -A hardeningEnableMap=()
-# Create table of unsupported flags for this toolchain.
-for flag in @hardening_unsupported_flags@; do
- hardeningDisableMap[$flag]=1
-done
- 
 # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
 # array expansion also prevents undefined variables from causing trouble with
 # `set -u`.
 for flag in ${NIX_HARDENING_ENABLE-}; do
- if [[ -z "${hardeningDisableMap[$flag]-}" ]]; then
- hardeningEnableMap[$flag]=1
+ hardeningEnableMap[$flag]=1
+done
+ 
+# Remove unsupported flags.
+if (( "${NIX_DEBUG:-0}" >= 1 )); then
+ declare -A hardeningDisableMap=()
+fi
+for flag in @hardening_unsupported_flags@; do
+ [[ -n ${hardeningEnableMap[$flag]} ]] || continue
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then
+ hardeningDisableMap[$flag]=1
 fi
+ unset hardeningEnableMap[$flag]
 done
 if (( "${NIX_DEBUG:-0}" >= 1 )); then |
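Review bot: The new guard `[[ -n ${hardeningEnableMap[$flag]} ]] || continue` in the unsupported-flags loop reads an associative-array element that is unset for every flag not named in NIX_HARDENING_ENABLE, and under `set -u` bash reports an unset array element as an unbound variable instead of yielding an empty string; the comment retained a few lines above says this script has to cope with `set -u`, and the removed `"${hardeningDisableMap[$flag]-}"` lookup carried a `-` default for exactly that reason. Whether the wrapper actually runs with `set -u` is not visible in this hunk, but the file's own comment makes the safe spelling the right one: `[[ -n "${hardeningEnableMap[$flag]-}" ]] || continue`. The following `unset hardeningEnableMap[$flag]` is an unquoted bracket expression and therefore subject to pathname expansion, so its result depends on the working directory and the shell's glob options; `unset "hardeningEnableMap[$flag]"` removes that dependence. The `if (( "${NIX_DEBUG:-0}" >= 1 ))` block on the hunk's last line continues outside the hunk.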