Revert "Revert "Merge pull request #28029 from cstrahan/hardening-fix""

This reverts commit 6c064e6b1f34a8416f990db0cc617a7195f71588, reapplying
PR #28029 which was supposed to have gone to staging all along.

1 files changed, 46 insertions, 41 deletions

diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh
index 5282d17fce2..a15be821659 100644
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@@ -1,53 +1,58 @@
-hardeningFlags=(relro bindnow)
-# Intentionally word-split in case 'hardeningEnable' is defined in
-# Nix. Also, our bootstrap tools version of bash is old enough that
-# undefined arrays trip `set -u`.
-if [[ -v hardeningEnable[@] ]]; then
-  hardeningFlags+=(${hardeningEnable[@]})
-fi
-hardeningLDFlags=()
+declare -a hardeningLDFlags=()
+
+declare -A hardeningEnableMap=()
 
-declare -A hardeningDisableMap
+# Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
+# array expansion also prevents undefined variables from causing trouble with
+# `set -u`.
+for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do
+  hardeningEnableMap["$flag"]=1
+done
 
-# Intentionally word-split in case 'hardeningDisable' is defined in Nix.
-for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@
-do
-  hardeningDisableMap[$flag]=1
+# Remove unsupported flags.
+for flag in @hardening_unsupported_flags@; do
+  unset -v hardeningEnableMap["$flag"]
 done
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  declare -a allHardeningFlags=(pie relro bindnow)
+  declare -A hardeningDisableMap=()
+
+  # Determine which flags were effectively disabled so we can report below.
+  for flag in "${allHardeningFlags[@]}"; do
+    if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
+      hardeningDisableMap[$flag]=1
+    fi
+  done
+
   printf 'HARDENING: disabled flags:' >&2
   (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
   echo >&2
-fi
 
-if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
-  if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  if (( "${#hardeningEnableMap[@]}" )); then
     echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
   fi
-  for flag in "${hardeningFlags[@]}"
-  do
-    if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
-      case $flag in
-        pie)
-          if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
-            if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-            hardeningLDFlags+=('-pie')
-          fi
-          ;;
-        relro)
-          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi
-          hardeningLDFlags+=('-z' 'relro')
-          ;;
-        bindnow)
-          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling bindnow >&2; fi
-          hardeningLDFlags+=('-z' 'now')
-          ;;
-        *)
-          # Ignore unsupported. Checked in Nix that at least *some*
-          # tool supports each flag.
-          ;;
-      esac
-    fi
-  done
 fi
+
+for flag in "${!hardeningEnableMap[@]}"; do
+  case $flag in
+    pie)
+      if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
+        hardeningLDFlags+=('-pie')
+      fi
+      ;;
+    relro)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi
+      hardeningLDFlags+=('-z' 'relro')
+      ;;
+    bindnow)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling bindnow >&2; fi
+      hardeningLDFlags+=('-z' 'now')
+      ;;
+    *)
+      # Ignore unsupported. Checked in Nix that at least *some*
+      # tool supports each flag.
+      ;;
+  esac
+done