about summary refs log tree commit diff
path: root/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
diff options
context:
space:
mode:
Diffstat (limited to 'nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh')
-rw-r--r--nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh7
1 files changed, 4 insertions, 3 deletions
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
index 8e2fe6c407ea..e5d296f6c9c5 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -45,11 +45,12 @@ for flag in "${!hardeningEnableMap[@]}"; do
       hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
       ;;
     pie)
+      # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-      hardeningCFlags+=('-fPIE')
-      if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+      hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+      if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then
         if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-        hardeningCFlags+=('-pie')
+        hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
       fi
       ;;
     pic)
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-18 06:29:46 +0000