authorCharles Strahan <charles@cstrahan.com>2018-03-05 21:06:07 -0500
committerCharles Strahan <charles@cstrahan.com>2018-03-06 00:30:09 -0500
commitcc7ce57f86b0cff87ac74074d45c993cf4ccf6ab (patch)
treeb0fe2a928bcfc28f5faf10cdc54e76e05d00f8b6 /pkgs
parent9920923cdeed74386182feb84861746847d0114e (diff)
hardening: clarify the whitelist logic
Per @Ericson2314's suggestion [1], make it more clear that the active
hardenings are decided via whitelist; the blacklist is merely for the
debug messages.

1: https://github.com/NixOS/nixpkgs/pull/28029/commits/36d5ce41d4538e83199a000e6f849442c1cf959c#r133279731
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/build-support/cc-wrapper/add-hardening.sh20
1 files changed, 12 insertions, 8 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 5713d93ed3f3..72221eaa28b0 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,21 +1,25 @@
 allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow)
 hardeningCFlags=()
 
-declare -A hardeningDisableMap=()
 declare -A hardeningEnableMap=()
 
-# Create table of unsupported flags for this toolchain.
-for flag in @hardening_unsupported_flags@; do
-  hardeningDisableMap[$flag]=1
-done
-
 # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
 # array expansion also prevents undefined variables from causing trouble with
 # `set -u`.
 for flag in ${NIX_HARDENING_ENABLE-}; do
-  if [[ -z "${hardeningDisableMap[$flag]-}" ]]; then
-    hardeningEnableMap[$flag]=1
+  hardeningEnableMap[$flag]=1
+done
+
+# Remove unsupported flags.
+if (( "${NIX_DEBUG:-0}" >= 1 )); then
+    declare -A hardeningDisableMap=()
+fi
+for flag in @hardening_unsupported_flags@; do
+  [[ -n ${hardeningEnableMap[$flag]} ]] || continue
+  if (( "${NIX_DEBUG:-0}" >= 1 )); then
+    hardeningDisableMap[$flag]=1
   fi
+  unset hardeningEnableMap[$flag]
 done
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
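Review bot: The new whitelist test `[[ -n ${hardeningEnableMap[$flag]} ]] || continue` drops the `-` default that the removed line kept (`${hardeningDisableMap[$flag]-}`), so for any unsupported flag that was not enabled the lookup is of an unset array element; if the wrapper runs with `set -u`, as the comment above the first loop anticipates, that aborts the script instead of skipping the flag. Restoring the file's own convention, `[[ -n "${hardeningEnableMap[$flag]-}" ]] || continue`, keeps the check safe under `-u`. The `unset hardeningEnableMap[$flag]` on the line below has an unquoted subscript, which the shell first treats as a glob and could match a stray file name in the working directory; `unset "hardeningEnableMap[$flag]"` avoids that. The `declare -A hardeningDisableMap=()` inside the NIX_DEBUG guard is indented four spaces where the rest of the hunk uses two. The trailing `if (( "${NIX_DEBUG:-0}" >= 1 )); then` opens a block whose body continues outside the hunk.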