Diffstat (limited to 'pkgs/build-support/bintools-wrapper')
-rw-r--r--pkgs/build-support/bintools-wrapper/add-flags.sh16
-rw-r--r--pkgs/build-support/bintools-wrapper/add-hardening.sh87
-rw-r--r--pkgs/build-support/bintools-wrapper/default.nix14
-rw-r--r--pkgs/build-support/bintools-wrapper/ld-wrapper.sh6
-rw-r--r--pkgs/build-support/bintools-wrapper/setup-hook.sh44
5 files changed, 76 insertions, 91 deletions
diff --git a/pkgs/build-support/bintools-wrapper/add-flags.sh b/pkgs/build-support/bintools-wrapper/add-flags.sh
index 7d118d20fc68..e5c0556556c7 100644
--- a/pkgs/build-support/bintools-wrapper/add-flags.sh
+++ b/pkgs/build-support/bintools-wrapper/add-flags.sh
@@ -5,28 +5,20 @@ var_templates_list=(
     NIX+LDFLAGS_BEFORE
     NIX+LDFLAGS_AFTER
     NIX+LDFLAGS_HARDEN
+    NIX+HARDENING_ENABLE
 )
 var_templates_bool=(
     NIX+SET_BUILD_ID
     NIX+DONT_SET_RPATH
 )
 
-declare -a role_infixes=()
-if [ "${NIX_BINTOOLS_WRAPPER_@infixSalt@_TARGET_BUILD:-}" ]; then
-    role_infixes+=(_BUILD_)
-fi
-if [ "${NIX_BINTOOLS_WRAPPER_@infixSalt@_TARGET_HOST:-}" ]; then
-    role_infixes+=(_)
-fi
-if [ "${NIX_BINTOOLS_WRAPPER_@infixSalt@_TARGET_TARGET:-}" ]; then
-    role_infixes+=(_TARGET_)
-fi
+accumulateRoles
 
 for var in "${var_templates_list[@]}"; do
-    mangleVarList "$var" "${role_infixes[@]}"
+    mangleVarList "$var" ${role_infixes[@]+"${role_infixes[@]}"}
 done
 for var in "${var_templates_bool[@]}"; do
-    mangleVarBool "$var" "${role_infixes[@]}"
+    mangleVarBool "$var" ${role_infixes[@]+"${role_infixes[@]}"}
 done
 
 if [ -e @out@/nix-support/libc-ldflags ]; then
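Review bot: The expansion `${role_infixes[@]+"${role_infixes[@]}"}` on the `mangleVarList` and `mangleVarBool` calls is not self-explanatory and carries no comment. Something like `# Expands to nothing when role_infixes is empty, instead of tripping set -u on older bash.` above the first loop would record why the plain quoted form was dropped. `accumulateRoles` is not defined in this file, so add-flags.sh now only works when sourced after whatever provides it (presumably the utils file that ld-wrapper.sh sources first); a one-line comment naming that dependency would help. The `if` on the last line of the hunk continues outside it.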
diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh
index 5282d17fce27..b7180870860a 100644
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@@ -1,53 +1,58 @@
-hardeningFlags=(relro bindnow)
-# Intentionally word-split in case 'hardeningEnable' is defined in
-# Nix. Also, our bootstrap tools version of bash is old enough that
-# undefined arrays trip `set -u`.
-if [[ -v hardeningEnable[@] ]]; then
-  hardeningFlags+=(${hardeningEnable[@]})
-fi
-hardeningLDFlags=()
+declare -a hardeningLDFlags=()
+
+declare -A hardeningEnableMap=()
 
-declare -A hardeningDisableMap
+# Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
+# array expansion also prevents undefined variables from causing trouble with
+# `set -u`.
+for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do
+  hardeningEnableMap["$flag"]=1
+done
 
-# Intentionally word-split in case 'hardeningDisable' is defined in Nix.
-for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@
-do
-  hardeningDisableMap[$flag]=1
+# Remove unsupported flags.
+for flag in @hardening_unsupported_flags@; do
+  unset -v "hardeningEnableMap[$flag]"
 done
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  declare -a allHardeningFlags=(pie relro bindnow)
+  declare -A hardeningDisableMap=()
+
+  # Determine which flags were effectively disabled so we can report below.
+  for flag in "${allHardeningFlags[@]}"; do
+    if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
+      hardeningDisableMap[$flag]=1
+    fi
+  done
+
   printf 'HARDENING: disabled flags:' >&2
   (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
   echo >&2
-fi
 
-if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
-  if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  if (( "${#hardeningEnableMap[@]}" )); then
     echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
   fi
-  for flag in "${hardeningFlags[@]}"
-  do
-    if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
-      case $flag in
-        pie)
-          if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
-            if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-            hardeningLDFlags+=('-pie')
-          fi
-          ;;
-        relro)
-          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi
-          hardeningLDFlags+=('-z' 'relro')
-          ;;
-        bindnow)
-          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling bindnow >&2; fi
-          hardeningLDFlags+=('-z' 'now')
-          ;;
-        *)
-          # Ignore unsupported. Checked in Nix that at least *some*
-          # tool supports each flag.
-          ;;
-      esac
-    fi
-  done
 fi
+
+for flag in "${!hardeningEnableMap[@]}"; do
+  case $flag in
+    pie)
+      if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
+        hardeningLDFlags+=('-pie')
+      fi
+      ;;
+    relro)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi
+      hardeningLDFlags+=('-z' 'relro')
+      ;;
+    bindnow)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling bindnow >&2; fi
+      hardeningLDFlags+=('-z' 'now')
+      ;;
+    *)
+      # Ignore unsupported. Checked in Nix that at least *some*
+      # tool supports each flag.
+      ;;
+  esac
+done
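Review bot: The loop `for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}` treats an unset or empty variable as "enable nothing", so the `relro` and `bindnow` defaults that the removed `hardeningFlags=(relro bindnow)` supplied inside the wrapper now depend entirely on the caller's environment. If the wrapper can run where the setup hook has not populated that variable, the link would presumably proceed without `-z relro -z now` and print nothing unless `NIX_DEBUG` is set. Consider a one-line warning on stderr when `hardeningEnableMap` ends up empty, or a comment stating that empty means deliberately disabled. The comment above the loop calls this an "array expansion", but it is a scalar `${var-}` expansion, and being unquoted it undergoes pathname expansion as well as word splitting. The debug message `Is active (not completely disabled with "all" flag)` still refers to an `all` flag that this script no longer checks.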
diff --git a/pkgs/build-support/bintools-wrapper/default.nix b/pkgs/build-support/bintools-wrapper/default.nix
index 47301bbdde69..2739537c25dc 100644
--- a/pkgs/build-support/bintools-wrapper/default.nix
+++ b/pkgs/build-support/bintools-wrapper/default.nix
@@ -74,7 +74,7 @@ in
 
 stdenv.mkDerivation {
   name = targetPrefix
-    + (if name != "" then name else "${bintoolsName}-wrapper")
+    + (if name != "" then name else stdenv.lib.removePrefix targetPrefix "${bintoolsName}-wrapper")
     + (stdenv.lib.optionalString (bintools != null && bintoolsVersion != "") "-${bintoolsVersion}");
 
   preferLocalBuild = true;
@@ -188,9 +188,15 @@ stdenv.mkDerivation {
       else throw "unknown emulation for platform: " + targetPlatform.config;
     in targetPlatform.platform.bfdEmulation or (fmt + sep + arch);
 
+  strictDeps = true;
   depsTargetTargetPropagated = extraPackages;
 
-  setupHook = ./setup-hook.sh;
+  wrapperName = "BINTOOLS_WRAPPER";
+
+  setupHooks = [
+    ../setup-hooks/role.bash
+    ./setup-hook.sh
+  ];
 
   postFixup =
     ''
@@ -289,7 +295,7 @@ stdenv.mkDerivation {
       set +u
       substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
       substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
-      substituteAll ${../cc-wrapper/utils.sh} $out/nix-support/utils.sh
+      substituteAll ${../wrapper-common/utils.bash} $out/nix-support/utils.bash
 
       ##
       ## Extra custom steps
@@ -300,7 +306,7 @@ stdenv.mkDerivation {
 
   inherit dynamicLinker expand-response-params;
 
-  # for substitution in utils.sh
+  # for substitution in utils.bash
   expandResponseParams = "${expand-response-params}/bin/expand-response-params";
 
   meta =
diff --git a/pkgs/build-support/bintools-wrapper/ld-wrapper.sh b/pkgs/build-support/bintools-wrapper/ld-wrapper.sh
index 991ed0fe263c..ed2f00a8974e 100644
--- a/pkgs/build-support/bintools-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/bintools-wrapper/ld-wrapper.sh
@@ -14,7 +14,7 @@ if [ -n "@coreutils_bin@" ]; then
     PATH="@coreutils_bin@/bin"
 fi
 
-source @out@/nix-support/utils.sh
+source @out@/nix-support/utils.bash
 
 if [ -z "${NIX_BINTOOLS_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then
     source @out@/nix-support/add-flags.sh
@@ -57,8 +57,8 @@ fi
 
 source @out@/nix-support/add-hardening.sh
 
-extraAfter=("${hardeningLDFlags[@]}")
-extraBefore=()
+extraAfter=()
+extraBefore=(${hardeningLDFlags[@]+"${hardeningLDFlags[@]}"})
 
 if [ -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ]; then
     extraAfter+=($NIX_@infixSalt@_LDFLAGS)
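Review bot: Moving the hardening flags from `extraAfter` to `extraBefore` changes which side wins a conflict, and the hunk does not say so. With GNU ld the last of `-z now`/`-z lazy` (or `-z relro`/`-z norelro`) on the command line generally takes effect, so flags placed before the caller's arguments can be overridden by them. If that is the intent, a comment such as `# Hardening flags go first so explicit linker arguments can override them.` would make it reviewable; if not, the flags belong in `extraAfter`. The `if` that begins on the last line of the hunk continues outside it.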
diff --git a/pkgs/build-support/bintools-wrapper/setup-hook.sh b/pkgs/build-support/bintools-wrapper/setup-hook.sh
index 48a00b0b9b07..34e853226501 100644
--- a/pkgs/build-support/bintools-wrapper/setup-hook.sh
+++ b/pkgs/build-support/bintools-wrapper/setup-hook.sh
@@ -8,47 +8,25 @@ set -u
 # native compile.
 #
 # TODO(@Ericson2314): No native exception
-[[ -z ${crossConfig-} ]] || (( "$hostOffset" < 0 )) || return 0
+[[ -z ${strictDeps-} ]] || (( "$hostOffset" < 0 )) || return 0
 
 bintoolsWrapper_addLDVars () {
-    case $depHostOffset in
-        -1) local role='BUILD_' ;;
-        0)  local role='' ;;
-        1)  local role='TARGET_' ;;
-        *)  echo "bintools-wrapper: Error: Cannot be used with $depHostOffset-offset deps" >2;
-            return 1 ;;
-    esac
+    # See ../setup-hooks/role.bash
+    local role_post role_pre
+    getTargetRoleEnvHook
 
     if [[ -d "$1/lib64" && ! -L "$1/lib64" ]]; then
-        export NIX_${role}LDFLAGS+=" -L$1/lib64"
+        export NIX_${role_pre}LDFLAGS+=" -L$1/lib64"
     fi
 
     if [[ -d "$1/lib" ]]; then
-        export NIX_${role}LDFLAGS+=" -L$1/lib"
+        export NIX_${role_pre}LDFLAGS+=" -L$1/lib"
     fi
 }
 
-case $targetOffset in
-    -1)
-        export NIX_BINTOOLS_WRAPPER_@infixSalt@_TARGET_BUILD=1
-        role_pre='BUILD_'
-        role_post='_FOR_BUILD'
-        ;;
-    0)
-        export NIX_BINTOOLS_WRAPPER_@infixSalt@_TARGET_HOST=1
-        role_pre=''
-        role_post=''
-        ;;
-    1)
-        export NIX_BINTOOLS_WRAPPER_@infixSalt@_TARGET_TARGET=1
-        role_pre='TARGET_'
-        role_post='_FOR_TARGET'
-        ;;
-    *)
-        echo "cc-wrapper: used as improper sort of dependency" >2;
-        return 1
-        ;;
-esac
+# See ../setup-hooks/role.bash
+getTargetRole
+getTargetRoleWrapper
 
 addEnvHooks "$targetOffset" bintoolsWrapper_addLDVars
 
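Review bot: `getTargetRoleEnvHook` inside `bintoolsWrapper_addLDVars`, and `getTargetRole` / `getTargetRoleWrapper` at file level, are called without checking their status, whereas the removed `case` blocks returned 1 on an unexpected offset. Those helpers live in ../setup-hooks/role.bash, outside this diff, so whether they abort on their own is not visible here. If they only return non-zero, `role_pre` would stay unset and `NIX_${role_pre}LDFLAGS` could silently become the unprefixed `NIX_LDFLAGS` when the hook runs after the file's closing `set +u`. Writing `getTargetRoleEnvHook || return` and `getTargetRole || return` would keep the earlier fail-closed behaviour.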
@@ -83,6 +61,10 @@ do
     fi
 done
 
+# If unset, assume the default hardening flags.
+: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"}
+export NIX_HARDENING_ENABLE
+
 # No local scope in sourced file
 unset -v role_pre role_post cmd upper_case
 set +u
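Review bot: The default assignment `: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"}` is unquoted, so the expanded list is word-split and glob-expanded as arguments to `:` (ShellCheck SC2223). Quoting the whole expansion avoids that: `: "${NIX_HARDENING_ENABLE=fortify stackprotector pic strictoverflow format relro bindnow}"`. Because `=` rather than `:=` is used, a variable that is set but empty keeps its empty value, which add-hardening.sh reads as no hardening at all. A comment like `# Only an unset variable gets the defaults; an empty value is respected and disables all hardening.` would make that explicit.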