-rw-r--r-- | pkgs/os-specific/linux/busybox/default.nix | 2 | ||||
-rw-r--r-- | pkgs/stdenv/generic/make-derivation.nix | 15 |
2 files changed, 8 insertions, 9 deletions
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index ee897fc37813..6c9c43e4e5a9 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
 sha256 = "1pv3vs2w4l2wnw5qb0rkbpvjjdd1fwjv87miavqq0r0ynqbfajwx";
 };
- hardeningDisable = [ "format" ] ++ lib.optional enableStatic [ "fortify" ];
+ hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
 patches = [ ./busybox-in-store.patch ];
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index b9d8b2d31175..c2f4f1c7b281 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -47,15 +47,14 @@ rec {
 , ... } @ attrs:
 # TODO(@Ericson2314): Make this more modular, and not O(n^2).
- let allHardeningFlags = [
- "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
- "bindnow"
- ];
- in assert lib.all
- (flag: lib.elem flag allHardeningFlags)
- (hardeningEnable ++ hardeningDisable);
-
 let
+ supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+ erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);
+ in if builtins.length erroneousHardeningFlags != 0
+ then abort ("mkDerivation was called with unsupported hardening flags: " + lib.generators.toPretty {} {
+ inherit erroneousHardeningFlags hardeningDisable hardeningEnable supportedHardeningFlags;
+ })
+ else let
 dependencies = map lib.chooseDevOutputs [
 (map (drv: drv.nativeDrv or drv) nativeBuildInputs
 ++ lib.optional separateDebugInfo ../../build-support/setup-hooks/separate-debug-info.sh
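Review bot: The single-element form `lib.optional enableStatic "fortify"` expresses the new `hardeningDisable` line with one level less nesting than `lib.optionals enableStatic [ "fortify" ]` and matches the bare-string style of `[ "format" ]` next to it; both evaluate to the same flat list, so this is a style preference only. Either form is what the flag validation in make-derivation.nix expects, since that check compares each element against a list of strings and a nested list element would be reported as unsupported. The enclosing `stdenv.mkDerivation rec { ... }` attribute set begins and ends outside this hunk.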
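Review bot: `abort` on the `then abort (...)` line is not catchable, so evaluation that could previously recover from the failed `assert` with `builtins.tryEval` (package listings and evaluation checks that skip broken derivations) now terminates outright; `throw` reports the same message while keeping the error catchable: `then throw ("mkDerivation was called with unsupported hardening flags: " + lib.generators.toPretty {} {`. `lib.remove "all" hardeningDisable` tolerates `"all"` on the disable side only, so an `"all"` entry in `hardeningEnable` is reported as unsupported; if that asymmetry is intended, a one-line comment above `erroneousHardeningFlags` such as `# "all" is only meaningful in hardeningDisable` would spare the next reader a lookup. The `mkDerivation` argument function that contains this code begins before the hunk and its `let` body continues after it.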