Diffstat (limited to 'nixpkgs/pkgs/build-support/cc-wrapper')
-rw-r--r--nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh27
-rw-r--r--nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh4
-rw-r--r--nixpkgs/pkgs/build-support/cc-wrapper/default.nix2
3 files changed, 19 insertions, 14 deletions
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
index 7f5cd4cf4af3..8d02b4e5124d 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,4 +1,5 @@
-declare -a hardeningCFlags=()
+declare -a hardeningCFlagsAfter=()
+declare -a hardeningCFlagsBefore=()
 
 declare -A hardeningEnableMap=()
 
@@ -48,15 +49,19 @@ for flag in "${!hardeningEnableMap[@]}"; do
     fortify | fortify3)
       # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
       # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+      hardeningCFlagsBefore+=('-O2' '-U_FORTIFY_SOURCE')
+      # Unset any _FORTIFY_SOURCE values the command-line may have set before
+      # enforcing our own value, avoiding (potentially fatal) redefinition
+      # warnings
+      hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')
       case $flag in
         fortify)
           if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
-          hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+          hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=2')
         ;;
         fortify3)
           if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
-          hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+          hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=3')
         ;;
         *)
           # Ignore unsupported.
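Review bot: The new comment above `hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')` describes the redefinition-warning motive but not the security-relevant consequence of moving the `-D_FORTIFY_SOURCE=N` define into the "after" array: assuming `extraAfter` is appended after the caller's own flags (as its name and the cc-wrapper.sh hunk suggest), an explicit `-D_FORTIFY_SOURCE=0` or `-U_FORTIFY_SOURCE` on the command line no longer disables fortification, which is a behaviour change callers relying on that should be told about. I would replace the three comment lines with `# Unset any _FORTIFY_SOURCE value the caller's flags may have set, then enforce` / `# our own; this avoids (potentially fatal) redefinition warnings and means an` / `# explicit -D_FORTIFY_SOURCE=0 from the caller no longer wins (use hardeningDisable).` The `-U_FORTIFY_SOURCE` kept in `hardeningCFlagsBefore` still serves the older comment's case (a toolchain-predefined value clashing with a caller's own `-D`), so it is not redundant, but the two comments now read as if they cover the same thing. The enclosing `for flag` loop and `case` start before and continue past this hunk.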
@@ -65,20 +70,20 @@ for flag in "${!hardeningEnableMap[@]}"; do
       ;;
     stackprotector)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
-      hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
+      hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
       ;;
     pie)
       # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-      hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+      hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}")
       if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then
         if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-        hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
+        hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}")
       fi
       ;;
     pic)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
-      hardeningCFlags+=('-fPIC')
+      hardeningCFlagsBefore+=('-fPIC')
       ;;
     strictoverflow)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
@@ -89,14 +94,14 @@ for flag in "${!hardeningEnableMap[@]}"; do
         #
         # See: https://github.com/llvm/llvm-project/blob/llvmorg-16.0.6/clang/lib/Driver/ToolChains/Clang.cpp#L6315
         #
-        hardeningCFlags+=('-fwrapv')
+        hardeningCFlagsBefore+=('-fwrapv')
       else
-        hardeningCFlags+=('-fno-strict-overflow')
+        hardeningCFlagsBefore+=('-fno-strict-overflow')
       fi
       ;;
     format)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
-      hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+      hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
       ;;
     *)
       # Ignore unsupported. Checked in Nix that at least *some*
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 244a0bb6623b..9dcd29c64431 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -171,8 +171,8 @@ fi
 source @out@/nix-support/add-hardening.sh
 
 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@)
-extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
+extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
+extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
 
 if [ "$dontLink" != 1 ]; then
 
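Review bot: In the new `extraAfter=(...)` line the hardening "after" flags are placed before `$NIX_CFLAGS_COMPILE_@suffixSalt@`, so a `-D_FORTIFY_SOURCE=0` or `-U_FORTIFY_SOURCE` arriving via that environment variable still overrides the enforced `-D_FORTIFY_SOURCE=N`, whereas the same flag on the command line presumably no longer does; the enforcement is therefore asymmetric and `extraBefore` puts its hardening flags at the outermost (earliest) position while `extraAfter` does not put its at the outermost (latest) one. If the intent is that hardening wins over every input, the order should be `extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@ ${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"})`; if `NIX_CFLAGS_COMPILE` is meant to remain an escape hatch, a one-line comment saying so would prevent the next reader from "fixing" it. Where `extraBefore`/`extraAfter` are actually spliced around the caller's params is outside this hunk, so I am inferring the ordering from the array names.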
diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/default.nix b/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
index c7c733a427aa..f52ac48a1a87 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/default.nix
@@ -69,7 +69,7 @@ let
 
   includeFortifyHeaders' = if includeFortifyHeaders != null
     then includeFortifyHeaders
-    else targetPlatform.libc == "musl";
+    else (targetPlatform.libc == "musl" && isGNU);
 
   # Prefix for binaries. Customarily ends with a dash separator.
   #
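Review bot: The new default `(targetPlatform.libc == "musl" && isGNU)` silently stops shipping fortify headers for musl targets built with a non-GNU compiler, and nothing in the hunk records why the GCC restriction is needed, so the next person touching this will not know whether clang/musl was excluded because the headers do not work there or because it was never tested. A short comment above the binding would settle it, e.g. `# Fortify headers are only wired in for GCC on musl; other compilers get none` / `# unless includeFortifyHeaders is set explicitly (reason: TODO describe).` with the placeholder replaced by the actual motivation. Note that with this change a musl/clang toolchain can still have the `fortify` hardening flag enabled (the add-hardening.sh side is compiler-agnostic) while lacking the headers that make it effective; whether that combination is safe or should also be gated is worth stating. The `let` block this binding belongs to starts before and continues past the hunk.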