author | Robin Gloster <mail@glob.in> | 2016-01-23 21:19:59 +0000 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2016-01-30 16:36:57 +0000 |
commit | f6d3b7a2ae01ccd9934a6437915acd3eade2a184 (patch) | |
tree | f15dfb4b4378ceed1b0225290b2562fccdea719b | |
parent | 954e9903adc837c201a7bd70eede50d874aadbf6 (diff) | |
switch hardening flags
51 files changed, 68 insertions, 63 deletions
diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix
index c19b261016d..9de3bef62ad 100644
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   preConfigure = "unset CC";
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index e833784ee76..c5bcd5ab4e4 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   configureFlags = [
     ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix
index d849b10daee..cc3e55f02e9 100644
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
     ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
   '';
 
-  noHardening_format = true;
+  hardening_format = false;
 
   configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
     + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index a5df0dbe08e..08905ea4881 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
     sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [
     ./docbook2texi.patch
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix
index c742ffb5002..ce6753ed165 100644
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@@ -75,7 +75,7 @@ stdenv.mkDerivation {
   pythonPath = [ pythonPackages.curses ];
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index ec7b9ff8a8b..9dc8d6f8ef1 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [ ./glib.patch ./cups_1.6.patch ];
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
index 5044dbabd2f..d766957f0d7 100644
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
@@ -11,5 +11,5 @@ stdenv.mkDerivation {
   buildInputs = [ pkgconfig gtk gettext ];
   propagatedBuildInputs = [ libxml2 ];
 
-  noHardening_format = true;
+  hardening_format = false;
 }
diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix
index b8083c9ed6b..0ee0a622b1e 100644
--- a/pkgs/development/compilers/dev86/default.nix
+++ b/pkgs/development/compilers/dev86/default.nix
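Review bot: `#hardening_all = false;` in the xen hunk comments the opt-out out instead of setting it, so a package that was built with every hardening flag disabled is now built with all of them enabled, and nothing in the hunk says whether that is a deliberate experiment. The same commented-out line appears for gcc 4.5, go 1.4 and go 1.5, pupnp, graphviz and gummiboot, and gnu-efi simply drops the attribute, while grub keeps an explicit `hardening_all = false;` — the inconsistency suggests these were toggled for testing rather than reviewed one by one. For the freestanding targets (gnu-efi, gummiboot) in particular, `-fstack-protector-all` and `_FORTIFY_SOURCE` presumably need runtime support the EFI environment does not provide, so those two are the ones most likely to fail; confirm against a build. If the intent is to keep the opt-out handy, a one-line comment in place of the bare commented attribute would make that clear, e.g. `# hardening_all = false;  # previously fully unhardened; re-enable the opt-out if the build or runtime breaks`.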
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   makeFlags = "PREFIX=$(out)";
diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix
index 4f1b017302a..8c4afb31c50 100644
--- a/pkgs/development/compilers/gcc/4.5/default.nix
+++ b/pkgs/development/compilers/gcc/4.5/default.nix
@@ -134,7 +134,7 @@ stdenv.mkDerivation ({
     inherit langC langCC langFortran langJava langAda;
   };
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   patches = [ ]
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index c7d63099be1..1d97a66008c 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -218,7 +218,7 @@ stdenv.mkDerivation ({
   inherit patches;
 
-  noHardening_format = true;
+  hardening_format = false;
 
   postPatch = if (stdenv.isGNU
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix
index fdfc9d45646..0d2d2ae2857 100644
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ pcre ];
   propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix
index 26ffabced6a..750aec567a8 100644
--- a/pkgs/development/compilers/go/1.5.nix
+++ b/pkgs/development/compilers/go/1.5.nix
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
     Security Foundation
   ];
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 1982ca21802..25f2f1b6440 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -45,7 +45,7 @@ self: super: {
   options = dontCheck super.options;
   statistics = dontCheck super.statistics;
   c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: {
-    noHardening_format = true;
+    hardening_format = false;
     doCheck = false;
   });
   in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_;
diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix
index bdd380fd4b8..be44ef62885 100644
--- a/pkgs/development/libraries/CoinMP/default.nix
+++ b/pkgs/development/libraries/CoinMP/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = with stdenv.lib; {
     homepage = https://projects.coin-or.org/CoinMP/;
diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix
index e9a13b6ff87..4a64bc260bd 100644
--- a/pkgs/development/libraries/audio/libbs2b/default.nix
+++ b/pkgs/development/libraries/audio/libbs2b/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ pkgconfig libsndfile ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     homepage = "http://bs2b.sourceforge.net/";
diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix
index 5d0e451c54c..09828665541 100644
--- a/pkgs/development/libraries/fribidi/default.nix
+++ b/pkgs/development/libraries/fribidi/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = with stdenv.lib; {
     homepage = http://fribidi.org/;
diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix
index 5ca1de273b4..a24a8416866 100644
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
   propagatedBuildInputs = [libjpeg fontconfig]; # urgh
 
-  noHardening_format = true;
+  hardening_format = false;
 
   configureFlags = "--without-x";
diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix
index cbdb448723a..566263c15ed 100644
--- a/pkgs/development/libraries/gettext/default.nix
+++ b/pkgs/development/libraries/gettext/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation (rec {
   outputs = [ "out" "doc" ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else "";
diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix
index 45384b825c1..1cc4ae0201b 100644
--- a/pkgs/development/libraries/giflib/libungif.nix
+++ b/pkgs/development/libraries/giflib/libungif.nix
@@ -7,6 +7,6 @@ stdenv.mkDerivation {
     md5 = "efdfcf8e32e35740288a8c5625a70ccb";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 }
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 6e9aa497f77..2c13ac59146 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -214,7 +214,7 @@ stdenv.mkDerivation ({
 }
 
 // stdenv.lib.optionalAttrs (name == "glibc-locales") {
-  noHardening_stackprotector = true;
+  hardening_stackprotector = false;
 }
 
 // stdenv.lib.optionalAttrs (hurdHeaders != null) {
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix
index a2ecedbe7e9..f9096084bd2 100644
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@@ -25,7 +25,8 @@ in
   builder = ./builder.sh;
 
-  noHardening_all = true;
+  hardening_stackprotector = false;
+  hardening_fortify = false;
 
   # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
   # any program we run, because the gcc will have been placed at a new
diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix
index e6209ad93f6..e674aae2b58 100644
--- a/pkgs/development/libraries/gnu-efi/default.nix
+++ b/pkgs/development/libraries/gnu-efi/default.nix
@@ -9,8 +9,6 @@ stdenv.mkDerivation rec {
     sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65";
   };
 
-  noHardening_all = true;
-
   buildInputs = [ pciutils ];
 
   makeFlags = [
diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix
index 048902f4fc4..88bce7f8661 100644
--- a/pkgs/development/libraries/libelf/default.nix
+++ b/pkgs/development/libraries/libelf/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation (rec {
   };
 
   doCheck = true;
-
+
   # For cross-compiling, native glibc is needed for the "gencat" program.
   crossAttrs = {
     nativeBuildInputs = [ glibc ];
diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix
index 3df793df73f..682a42e2db9 100644
--- a/pkgs/development/libraries/libgphoto2/default.nix
+++ b/pkgs/development/libraries/libgphoto2/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
   # These are mentioned in the Requires line of libgphoto's pkg-config file.
   propagatedBuildInputs = [ libexif ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     homepage = http://www.gphoto.org/proj/libgphoto2/;
diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix
index a2c9c52937e..a9320f1af7b 100644
--- a/pkgs/development/libraries/libvisual/default.nix
+++ b/pkgs/development/libraries/libvisual/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ pkgconfig glib ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     description = "An abstraction library for audio visualisations";
diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix
index 267b434da52..430a09aeede 100644
--- a/pkgs/development/libraries/pupnp/default.nix
+++ b/pkgs/development/libraries/pupnp/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k";
   };
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   meta = {
     description = "libupnp, an open source UPnP development kit for Linux";
diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix
index cbd731aef68..d94b4159e93 100644
--- a/pkgs/development/libraries/speechd/default.nix
+++ b/pkgs/development/libraries/speechd/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ dotconf glib pkgconfig ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     description = "Common interface to speech synthesis";
diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix
index a412d7e537c..464ad791095 100644
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   patches = [ ./glibc-2.21.patch ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   # We need bzip2 in NativeInputs because otherwise we can't unpack the src,
   # as the host-bzip2 will be in the path.
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 1187bf10d14..05a5549fae2 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
     sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
   };
 
-  noHardening_pic = true;
+  hardening_pic = false;
 
   preBuild = ''
     sed -e 's/break/true/' -i examples/turn_off_gpu.sh
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 86551f4eecb..cc3cfe2465d 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
     sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [ ./busybox-in-store.patch ];
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index 38762a5f1fe..93c334b9593 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
   makeFlags = ["target=linux"];
   installFlags = ["installdir=$(out)"];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   buildInputs = [openssl];
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index f5e76c0df50..7c956e3c244 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
   src = sourceAttrs.src;
 
-  noHardening_pic = true;
+  hardening_pic = false;
 
   prePatch = ''
     sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 8c537d67551..ccbd29d3d1f 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -224,15 +224,15 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
   nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot);
 
-  noHardening_format = true;
-  noHardening_fortify = true;
-  noHardening_stackprotector = true;
+  hardening_format = false;
+  hardening_fortify = false;
+  hardening_stackprotector = false;
 
   makeFlags = commonMakeFlags ++ [
     "ARCH=${stdenv.platform.kernelArch}"
   ];
 
-  noHardening_pic = true;
+  hardening_pic = false;
 
   karch = stdenv.platform.kernelArch;
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 5255b331bb1..98593ea85a9 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
     sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   buildInputs = [ zlib ];
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index fa7e5110de9..959de19ead2 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [
     ./numad-linker-flags.patch
diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix
index c496ff3fdbb..99b6ce2a832 100644
--- a/pkgs/servers/gpm/default.nix
+++ b/pkgs/servers/gpm/default.nix
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ];
   buildInputs = [ ncurses ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   preConfigure = ''
     ./autogen.sh
diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix
index ab49613a39c..ba6a076f1f0 100644
--- a/pkgs/shells/dash/default.nix
+++ b/pkgs/shells/dash/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     homepage = http://gondor.apana.org.au/~herbert/dash/;
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 58e1c157b93..5a5550ebb04 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -239,16 +239,22 @@ rec {
   useHardenFlags = stdenv: stdenv // {
     mkDerivation = args: stdenv.mkDerivation (args // {
       NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
-        + stdenv.lib.optionalString (!(args.noHardening_all or false)) (
-          stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2"
-          + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all"
-          + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie"
-          + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC"
-          + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro"
-          + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now"
-          + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow"
-          + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security"
+        + stdenv.lib.optionalString (args.hardening_all or true) (
+          stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
+          + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
+          + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
+          + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
+          + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
+          + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
+          + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
+          + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
         );
+      NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "")
+        + stdenv.lib.optionalString (args.hardening_all or true) (
+          stdenv.lib.optionalString (args.hardening_relro or true) " -z relro"
+          + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now"
+        );
+
     });
   };
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 1e562ee3ecf..24fec4e33bb 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
   inherit xauth fontDirectories perl;
   gcc = stdenv.cc.cc;
 
-  noHardening_format = true;
+  hardening_format = false;
 
   buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ];
diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix
index 5d60c449173..d1f13b77f0c 100644
--- a/pkgs/tools/archivers/sharutils/default.nix
+++ b/pkgs/tools/archivers/sharutils/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   preConfigure = ''
     # Fix for building on Glibc 2.16. Won't be needed once the
diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix
index dcc51320bbd..20f7038067d 100644
--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
     sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [
     ./CVE-2014-8139.diff
diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix
index f9349937b8f..8be743c8dd0 100644
--- a/pkgs/tools/archivers/zip/default.nix
+++ b/pkgs/tools/archivers/zip/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
     sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   makefile = "unix/Makefile";
   buildFlags = if stdenv.isCygwin then "cygwin" else "generic";
diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix
index 5fcccbee02c..34bb109a171 100644
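Review bot: The relro and bind-now options are now emitted twice: as `-Wl,-z,relro`/`-Wl,-z,now` inside NIX_CFLAGS_COMPILE and again as `-z relro`/`-z now` in the new NIX_LDFLAGS block, so every link receives both copies and every compile-only invocation is handed linker options it cannot use. Since the NIX_LDFLAGS block is the right home for them, the two `-Wl,` lines in the CFLAGS block should go, leaving relro/bindnow controlled only by `hardening_relro`/`hardening_bindnow` in NIX_LDFLAGS. Separately, `args.hardening_bindnow or true` turns bind-now from opt-in (the old `(… or false) && true` form) into a default, while `hardening_pie` stays opt-in; that is a wider change than the rename the title suggests and presumably affects anything relying on lazy symbol resolution (plugins loaded via dlopen), so a short comment such as `# bindnow is on by default since <this change>; set hardening_bindnow = false for packages that need lazy binding` would help the next reader. The kernel section on L19 only disables format/fortify/stackprotector/pic, so with this default it now also gets `-z now` on its links; worth confirming that is harmless there.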
--- a/pkgs/tools/cd-dvd/cdrkit/default.nix
+++ b/pkgs/tools/cd-dvd/cdrkit/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
   buildInputs = [cmake libcap zlib bzip2];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244
   patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ];
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix
index 090af09fca0..bb0d54a7ec2 100644
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
     sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1";
   };
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   patches = [
     ./0001-vimdot-lookup-vim-in-PATH.patch
diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix
index bcbbe71b897..c584ed282d6 100644
--- a/pkgs/tools/graphics/transfig/default.nix
+++ b/pkgs/tools/graphics/transfig/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   buildInputs = [zlib libjpeg libpng imake];
   inherit libpng;
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch];
diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix
index 4efa9461232..f99b83a2a0a 100644
--- a/pkgs/tools/misc/expect/default.nix
+++ b/pkgs/tools/misc/expect/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ tcl ];
   nativeBuildInputs = [ makeWrapper ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   patchPhase = ''
     sed -i "s,/bin/stty,$(type -p stty),g" configure
diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix
index abe690ca0e4..f3c09ef686a 100644
--- a/pkgs/tools/misc/grub/2.0x.nix
+++ b/pkgs/tools/misc/grub/2.0x.nix
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec {
     ++ optional doCheck qemu
     ++ optional zfsSupport zfs;
 
-  noHardening_all = true;
+  hardening_all = false;
 
   preConfigure = ''
     for i in "tests/util/"*.in
diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix
index e831bbdab6f..d25b4f65ad7 100644
--- a/pkgs/tools/misc/gummiboot/default.nix
+++ b/pkgs/tools/misc/gummiboot/default.nix
@@ -5,7 +5,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ gnu-efi pkgconfig libxslt utillinux ];
 
-  noHardening_all = true;
+  #hardening_all = false;
 
   # Sigh, gummiboot should be able to find this in buildInputs
   configureFlags = [
diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix
index 6d9fe64f169..414ff692d10 100644
--- a/pkgs/tools/networking/iperf/2.nix
+++ b/pkgs/tools/networking/iperf/2.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
   };
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = with stdenv.lib; {
     homepage = "http://sourceforge.net/projects/iperf/";
diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix
index 4aecc41aa3d..ba9552d4fae 100644
--- a/pkgs/tools/networking/vde2/default.nix
+++ b/pkgs/tools/networking/vde2/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ openssl libpcap python ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   meta = {
     homepage = http://vde.sourceforge.net/;
diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
index 37c19319ef7..4a788cfa8fe 100644
--- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix
+++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
@@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec {
     perl
   ];
 
-  noHardening_format = true;
+  hardening_format = false;
 
   preConfigure = ''
     rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ |