authorRobin Gloster <mail@glob.in>2016-01-23 21:19:59 +0000
committerRobin Gloster <mail@glob.in>2016-01-30 16:36:57 +0000
commitf6d3b7a2ae01ccd9934a6437915acd3eade2a184 (patch)
treef15dfb4b4378ceed1b0225290b2562fccdea719b
parent954e9903adc837c201a7bd70eede50d874aadbf6 (diff)
switch hardening flags
-rw-r--r--pkgs/applications/audio/cdparanoia/default.nix2
-rw-r--r--pkgs/applications/audio/mpg321/default.nix2
-rw-r--r--pkgs/applications/networking/browsers/w3m/default.nix2
-rw-r--r--pkgs/applications/version-management/git-and-tools/git/default.nix2
-rw-r--r--pkgs/applications/virtualization/xen/generic.nix2
-rw-r--r--pkgs/desktops/gnome-2/platform/libgnomecups/default.nix2
-rw-r--r--pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix2
-rw-r--r--pkgs/development/compilers/dev86/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.5/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.9/default.nix2
-rw-r--r--pkgs/development/compilers/go/1.4.nix2
-rw-r--r--pkgs/development/compilers/go/1.5.nix2
-rw-r--r--pkgs/development/haskell-modules/configuration-common.nix2
-rw-r--r--pkgs/development/libraries/CoinMP/default.nix2
-rw-r--r--pkgs/development/libraries/audio/libbs2b/default.nix2
-rw-r--r--pkgs/development/libraries/fribidi/default.nix2
-rw-r--r--pkgs/development/libraries/gd/default.nix2
-rw-r--r--pkgs/development/libraries/gettext/default.nix2
-rw-r--r--pkgs/development/libraries/giflib/libungif.nix2
-rw-r--r--pkgs/development/libraries/glibc/common.nix2
-rw-r--r--pkgs/development/libraries/glibc/default.nix3
-rw-r--r--pkgs/development/libraries/gnu-efi/default.nix2
-rw-r--r--pkgs/development/libraries/libelf/default.nix2
-rw-r--r--pkgs/development/libraries/libgphoto2/default.nix2
-rw-r--r--pkgs/development/libraries/libvisual/default.nix2
-rw-r--r--pkgs/development/libraries/pupnp/default.nix2
-rw-r--r--pkgs/development/libraries/speechd/default.nix2
-rw-r--r--pkgs/development/tools/misc/elfutils/default.nix2
-rw-r--r--pkgs/os-specific/linux/acpi-call/default.nix2
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix2
-rw-r--r--pkgs/os-specific/linux/gogoclient/default.nix2
-rw-r--r--pkgs/os-specific/linux/jool/default.nix2
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix8
-rw-r--r--pkgs/os-specific/linux/kexectools/default.nix2
-rw-r--r--pkgs/os-specific/linux/numad/default.nix2
-rw-r--r--pkgs/servers/gpm/default.nix2
-rw-r--r--pkgs/shells/dash/default.nix2
-rw-r--r--pkgs/stdenv/adapters.nix24
-rw-r--r--pkgs/tools/admin/tightvnc/default.nix2
-rw-r--r--pkgs/tools/archivers/sharutils/default.nix2
-rw-r--r--pkgs/tools/archivers/unzip/default.nix2
-rw-r--r--pkgs/tools/archivers/zip/default.nix2
-rw-r--r--pkgs/tools/cd-dvd/cdrkit/default.nix2
-rw-r--r--pkgs/tools/graphics/graphviz/default.nix2
-rw-r--r--pkgs/tools/graphics/transfig/default.nix2
-rw-r--r--pkgs/tools/misc/expect/default.nix2
-rw-r--r--pkgs/tools/misc/grub/2.0x.nix2
-rw-r--r--pkgs/tools/misc/gummiboot/default.nix2
-rw-r--r--pkgs/tools/networking/iperf/2.nix2
-rw-r--r--pkgs/tools/networking/vde2/default.nix2
-rw-r--r--pkgs/tools/typesetting/tex/texlive-new/bin.nix2
51 files changed, 68 insertions, 63 deletions
diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix
index c19b261016d..9de3bef62ad 100644
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   preConfigure = "unset CC";
 
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index e833784ee76..c5bcd5ab4e4 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   configureFlags = [
     ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix
index d849b10daee..cc3e55f02e9 100644
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
     ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
   '';
 
-  noHardening_format = true;
+  hardening_format = false;
 
   configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
     + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index a5df0dbe08e..08905ea4881 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
     sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [
     ./docbook2texi.patch
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix
index c742ffb5002..ce6753ed165 100644
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@@ -75,7 +75,7 @@ stdenv.mkDerivation {
 
   pythonPath = [ pythonPackages.curses ];
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
 
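Review bot: The replacement line `#hardening_all = false;` is commented out, so this derivation no longer opts out of anything and is built with every default hardening flag, yet nothing on the line says whether that is intended. The same commented-out form appears in the gcc/4.5, go/1.4, go/1.5, pupnp, graphviz and gummiboot hunks, and the gnu-efi hunk drops its opt-out outright, while grub/2.0x.nix keeps a live `hardening_all = false;`. If the aim is to find out which individual flags each package really needs disabled, I would record that next to the line, e.g. `# TODO: hardening_all = false was dropped; disable only the specific hardening_* flags that break this build`, or delete the line so a later reader does not mistake it for an active setting.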
diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index ec7b9ff8a8b..9dc8d6f8ef1 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [ ./glib.patch ./cups_1.6.patch ];
 
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
index 5044dbabd2f..d766957f0d7 100644
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
@@ -11,5 +11,5 @@ stdenv.mkDerivation {
   buildInputs = [ pkgconfig gtk gettext ];
   propagatedBuildInputs = [ libxml2 ];
 
-  noHardening_format = true;
+  hardening_format = false;
 }
diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix
index b8083c9ed6b..0ee0a622b1e 100644
--- a/pkgs/development/compilers/dev86/default.nix
+++ b/pkgs/development/compilers/dev86/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   makeFlags = "PREFIX=$(out)";
 
diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix
index 4f1b017302a..8c4afb31c50 100644
--- a/pkgs/development/compilers/gcc/4.5/default.nix
+++ b/pkgs/development/compilers/gcc/4.5/default.nix
@@ -134,7 +134,7 @@ stdenv.mkDerivation ({
     inherit langC langCC langFortran langJava langAda;
   };
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   patches =
     [ ]
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index c7d63099be1..1d97a66008c 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -218,7 +218,7 @@ stdenv.mkDerivation ({
 
   inherit patches;
 
-  noHardening_format = true;
+  hardening_format = false;
 
   postPatch =
     if (stdenv.isGNU
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix
index fdfc9d45646..0d2d2ae2857 100644
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ pcre ];
   propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix
index 26ffabced6a..750aec567a8 100644
--- a/pkgs/development/compilers/go/1.5.nix
+++ b/pkgs/development/compilers/go/1.5.nix
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
     Security Foundation
   ];
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 1982ca21802..25f2f1b6440 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -45,7 +45,7 @@ self: super: {
   options = dontCheck super.options;
   statistics = dontCheck super.statistics;
   c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: {
-        noHardening_format = true;
+        hardening_format = false;
         doCheck = false;
       });
     in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_;
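Review bot: `hardening_format = false;` is set through `overrideDerivation`, which changes the attributes handed to `derivation` after `mkDerivation` has already run, whereas the adapter in pkgs/stdenv/adapters.nix in this same commit reads `args.hardening_format` inside its `mkDerivation` wrapper to build `NIX_CFLAGS_COMPILE`. Unless a builder script also reads the variable from the environment, the opt-out here looks like it has no effect on the compiler flags, and that was presumably already true of the old `noHardening_format`. It is worth checking whether c2hs still needs the exemption and, if so, passing it at a point where the adapter can see it. The enclosing attribute set starts and ends outside the hunk.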
diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix
index bdd380fd4b8..be44ef62885 100644
--- a/pkgs/development/libraries/CoinMP/default.nix
+++ b/pkgs/development/libraries/CoinMP/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = with stdenv.lib; {
     homepage = https://projects.coin-or.org/CoinMP/;
diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix
index e9a13b6ff87..4a64bc260bd 100644
--- a/pkgs/development/libraries/audio/libbs2b/default.nix
+++ b/pkgs/development/libraries/audio/libbs2b/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libsndfile ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     homepage = "http://bs2b.sourceforge.net/";
diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix
index 5d0e451c54c..09828665541 100644
--- a/pkgs/development/libraries/fribidi/default.nix
+++ b/pkgs/development/libraries/fribidi/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = with stdenv.lib; {
     homepage = http://fribidi.org/;
diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix
index 5ca1de273b4..a24a8416866 100644
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
 
   propagatedBuildInputs = [libjpeg fontconfig]; # urgh
 
-  noHardening_format = true;
+  hardening_format = false;
 
   configureFlags = "--without-x";
 
diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix
index cbdb448723a..566263c15ed 100644
--- a/pkgs/development/libraries/gettext/default.nix
+++ b/pkgs/development/libraries/gettext/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation (rec {
 
   outputs = [ "out" "doc" ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else "";
 
diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix
index 45384b825c1..1cc4ae0201b 100644
--- a/pkgs/development/libraries/giflib/libungif.nix
+++ b/pkgs/development/libraries/giflib/libungif.nix
@@ -7,6 +7,6 @@ stdenv.mkDerivation {
     md5 = "efdfcf8e32e35740288a8c5625a70ccb";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 }
 
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 6e9aa497f77..2c13ac59146 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -214,7 +214,7 @@ stdenv.mkDerivation ({
 }
 
 // stdenv.lib.optionalAttrs (name == "glibc-locales") {
-  noHardening_stackprotector = true;
+  hardening_stackprotector = false;
 }
 
 // stdenv.lib.optionalAttrs (hurdHeaders != null) {
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix
index a2ecedbe7e9..f9096084bd2 100644
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@@ -25,7 +25,8 @@ in
 
     builder = ./builder.sh;
 
-    noHardening_all = true;
+    hardening_stackprotector = false;
+    hardening_fortify = false;
 
     # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
     # any program we run, because the gcc will have been placed at a new
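Review bot: The two opt-outs that remain, `hardening_stackprotector = false;` and `hardening_fortify = false;`, carry no explanation, and narrowing the old `noHardening_all` to them means glibc is now compiled with the format, PIC, strict-overflow, relro and bindnow defaults from the adapter. A one-line comment above them would help, for example `# glibc provides the stack-protector and fortify runtime itself and cannot be compiled with them`; I am inferring that reason, so please confirm it before committing the wording. Whether glibc builds cleanly with `-Werror=format-security` is not visible from this hunk. The derivation body continues outside the hunk.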
diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix
index e6209ad93f6..e674aae2b58 100644
--- a/pkgs/development/libraries/gnu-efi/default.nix
+++ b/pkgs/development/libraries/gnu-efi/default.nix
@@ -9,8 +9,6 @@ stdenv.mkDerivation rec {
     sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65";
   };
 
-  noHardening_all = true;
-
   buildInputs = [ pciutils ];
 
   makeFlags = [
diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix
index 048902f4fc4..88bce7f8661 100644
--- a/pkgs/development/libraries/libelf/default.nix
+++ b/pkgs/development/libraries/libelf/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation (rec {
   };
 
   doCheck = true;
-  
+
   # For cross-compiling, native glibc is needed for the "gencat" program.
   crossAttrs = {
     nativeBuildInputs = [ glibc ];
diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix
index 3df793df73f..682a42e2db9 100644
--- a/pkgs/development/libraries/libgphoto2/default.nix
+++ b/pkgs/development/libraries/libgphoto2/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
   # These are mentioned in the Requires line of libgphoto's pkg-config file.
   propagatedBuildInputs = [ libexif ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     homepage = http://www.gphoto.org/proj/libgphoto2/;
diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix
index a2c9c52937e..a9320f1af7b 100644
--- a/pkgs/development/libraries/libvisual/default.nix
+++ b/pkgs/development/libraries/libvisual/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig glib ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     description = "An abstraction library for audio visualisations";
diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix
index 267b434da52..430a09aeede 100644
--- a/pkgs/development/libraries/pupnp/default.nix
+++ b/pkgs/development/libraries/pupnp/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k";
   };
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   meta = {
     description = "libupnp, an open source UPnP development kit for Linux";
diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix
index cbd731aef68..d94b4159e93 100644
--- a/pkgs/development/libraries/speechd/default.nix
+++ b/pkgs/development/libraries/speechd/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ dotconf glib pkgconfig ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     description = "Common interface to speech synthesis";
diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix
index a412d7e537c..464ad791095 100644
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 
   patches = [ ./glibc-2.21.patch ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   # We need bzip2 in NativeInputs because otherwise we can't unpack the src,
   # as the host-bzip2 will be in the path.
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 1187bf10d14..05a5549fae2 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
     sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
   };
 
-  noHardening_pic = true;
+  hardening_pic = false;
 
   preBuild = ''
     sed -e 's/break/true/' -i examples/turn_off_gpu.sh
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 86551f4eecb..cc3cfe2465d 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
     sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [ ./busybox-in-store.patch ];
 
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index 38762a5f1fe..93c334b9593 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
   makeFlags = ["target=linux"];
   installFlags = ["installdir=$(out)"];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   buildInputs = [openssl];
 
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index f5e76c0df50..7c956e3c244 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
 
   src = sourceAttrs.src;
 
-  noHardening_pic = true;
+  hardening_pic = false;
 
   prePatch = ''
     sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 8c537d67551..ccbd29d3d1f 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -224,15 +224,15 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
   nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null)
     (ubootChooser stdenv.platform.uboot);
 
-  noHardening_format = true;
-  noHardening_fortify = true;
-  noHardening_stackprotector = true;
+  hardening_format = false;
+  hardening_fortify = false;
+  hardening_stackprotector = false;
 
   makeFlags = commonMakeFlags ++ [
     "ARCH=${stdenv.platform.kernelArch}"
   ];
 
-  noHardening_pic = true;
+  hardening_pic = false;
 
   karch = stdenv.platform.kernelArch;
 
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 5255b331bb1..98593ea85a9 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
     sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   buildInputs = [ zlib ];
 
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index fa7e5110de9..959de19ead2 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [
     ./numad-linker-flags.patch
diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix
index c496ff3fdbb..99b6ce2a832 100644
--- a/pkgs/servers/gpm/default.nix
+++ b/pkgs/servers/gpm/default.nix
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ];
   buildInputs = [ ncurses ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   preConfigure = ''
     ./autogen.sh
diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix
index ab49613a39c..ba6a076f1f0 100644
--- a/pkgs/shells/dash/default.nix
+++ b/pkgs/shells/dash/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     homepage = http://gondor.apana.org.au/~herbert/dash/;
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 58e1c157b93..5a5550ebb04 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -239,16 +239,22 @@ rec {
   useHardenFlags = stdenv: stdenv //
     { mkDerivation = args: stdenv.mkDerivation (args // {
         NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
-          + stdenv.lib.optionalString (!(args.noHardening_all or false)) (
-            stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2"
-            + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all"
-            + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie"
-            + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC"
-            + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro"
-            + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now"
-            + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow"
-            + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security"
+          + stdenv.lib.optionalString (args.hardening_all or true) (
+            stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
+            + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
+            + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
+            + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
+            + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
+            + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
+            + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
+            + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
           );
+        NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "")
+          + stdenv.lib.optionalString (args.hardening_all or true) (
+              stdenv.lib.optionalString (args.hardening_relro or true) " -z relro"
+            + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now"
+          );
+
       });
     };
 
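Review bot: Relro and bindnow are now emitted twice, as `-Wl,-z,relro` / `-Wl,-z,now` in `NIX_CFLAGS_COMPILE` and again as `-z relro` / `-z now` in the new `NIX_LDFLAGS`; assuming the ld wrapper applies `NIX_LDFLAGS` to compiler-driven links as well, the two `-Wl,` lines can be dropped so the linker options live in one place. The hunk also does more than rename: `hardening_bindnow or true` turns `-z now` on by default, where the old `(args.noHardening_bindnow or false) && true` emitted it only when the attribute was set, while `hardening_pie or false` stays opt-in. Packages that switch off only individual flags therefore pick up bindnow, so a comment above `useHardenFlags` such as `# all hardening_* flags default to true except hardening_pie; hardening_all = false disables every flag` would make the defaults explicit. The enclosing `rec { ... }` set continues outside the hunk.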
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 1e562ee3ecf..24fec4e33bb 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
   inherit xauth fontDirectories perl;
   gcc = stdenv.cc.cc;
 
-  noHardening_format = true;
+  hardening_format = false;
 
   buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw
                   libXpm libXp xauth openssh ];
diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix
index 5d60c449173..d1f13b77f0c 100644
--- a/pkgs/tools/archivers/sharutils/default.nix
+++ b/pkgs/tools/archivers/sharutils/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   preConfigure = ''
      # Fix for building on Glibc 2.16.  Won't be needed once the
diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix
index dcc51320bbd..20f7038067d 100644
--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
     sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [
     ./CVE-2014-8139.diff
diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix
index f9349937b8f..8be743c8dd0 100644
--- a/pkgs/tools/archivers/zip/default.nix
+++ b/pkgs/tools/archivers/zip/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
     sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   makefile = "unix/Makefile";
   buildFlags = if stdenv.isCygwin then "cygwin" else "generic";
diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix
index 5fcccbee02c..34bb109a171 100644
--- a/pkgs/tools/cd-dvd/cdrkit/default.nix
+++ b/pkgs/tools/cd-dvd/cdrkit/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [cmake libcap zlib bzip2];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244
   patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ];
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix
index 090af09fca0..bb0d54a7ec2 100644
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
     sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1";
   };
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   patches =
     [ ./0001-vimdot-lookup-vim-in-PATH.patch
diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix
index bcbbe71b897..c584ed282d6 100644
--- a/pkgs/tools/graphics/transfig/default.nix
+++ b/pkgs/tools/graphics/transfig/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   buildInputs = [zlib libjpeg libpng imake];
   inherit libpng;
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch];
 
diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix
index 4efa9461232..f99b83a2a0a 100644
--- a/pkgs/tools/misc/expect/default.nix
+++ b/pkgs/tools/misc/expect/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ tcl ];
   nativeBuildInputs = [ makeWrapper ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patchPhase = ''
     sed -i "s,/bin/stty,$(type -p stty),g" configure
diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix
index abe690ca0e4..f3c09ef686a 100644
--- a/pkgs/tools/misc/grub/2.0x.nix
+++ b/pkgs/tools/misc/grub/2.0x.nix
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec {
     ++ optional doCheck qemu
     ++ optional zfsSupport zfs;
 
-  noHardening_all = true;
+  hardening_all = false;
 
   preConfigure =
     '' for i in "tests/util/"*.in
diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix
index e831bbdab6f..d25b4f65ad7 100644
--- a/pkgs/tools/misc/gummiboot/default.nix
+++ b/pkgs/tools/misc/gummiboot/default.nix
@@ -5,7 +5,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ gnu-efi pkgconfig libxslt utillinux ];
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   # Sigh, gummiboot should be able to find this in buildInputs
   configureFlags = [
diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix
index 6d9fe64f169..414ff692d10 100644
--- a/pkgs/tools/networking/iperf/2.nix
+++ b/pkgs/tools/networking/iperf/2.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = with stdenv.lib; {
     homepage = "http://sourceforge.net/projects/iperf/"; 
diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix
index 4aecc41aa3d..ba9552d4fae 100644
--- a/pkgs/tools/networking/vde2/default.nix
+++ b/pkgs/tools/networking/vde2/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ openssl libpcap python ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     homepage = http://vde.sourceforge.net/;
diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
index 37c19319ef7..4a788cfa8fe 100644
--- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix
+++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
@@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec {
     perl
   ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   preConfigure = ''
     rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \