path: root/pkgs/build-support/cc-wrapper/add-hardening.sh
authorJohn Ericson <Ericson2314@yahoo.com>2017-08-04 14:19:56 -0400
committerGitHub <noreply@github.com>2017-08-04 14:19:56 -0400
commitfdd07f62e8eb4e80b47172707ee7c8a0d7dbf428 (patch)
tree5ecfdc5fac8ea65946b386152c802ffc01db6d7f /pkgs/build-support/cc-wrapper/add-hardening.sh
parentdd61dbf50d890f348ad501efd66b819207c3935a (diff)
parent6463fd3d7e9b0131ba22603a764b4b35ab215e66 (diff)
Merge pull request #27879 from obsidiansystems/cc-wrapper-shellcheck
cc-wrapper: Pass shellcheck and other cleanups
Diffstat (limited to 'pkgs/build-support/cc-wrapper/add-hardening.sh')
-rw-r--r--pkgs/build-support/cc-wrapper/add-hardening.sh30
1 files changed, 22 insertions, 8 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index b98833b3513..c91ff0a9d0b 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,18 +1,32 @@
 hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
-hardeningFlags+=("${hardeningEnable[@]}")
+# Intentionally word-split in case 'hardeningEnable' is defined in Nix.
+hardeningFlags+=(${hardeningEnable[@]})
 hardeningCFlags=()
 hardeningLDFlags=()
-hardeningDisable=${hardeningDisable:-""}
 
-hardeningDisable+=" @hardening_unsupported_flags@"
+declare -A hardeningDisableMap
 
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
+# Intentionally word-split in case 'hardeningDisable' is defined in Nix. The
+# array expansion also prevents undefined variables from causing trouble with
+# `set -u`.
+for flag in ${hardeningDisable[@]} @hardening_unsupported_flags@
+do
+  hardeningDisableMap[$flag]=1
+done
 
-if [[ ! $hardeningDisable =~ "all" ]]; then
-  if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
+if [[ -n "$NIX_DEBUG" ]]; then
+  printf 'HARDENING: disabled flags:' >&2
+  (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
+  echo >&2
+fi
+
+if [[ -z "${hardeningDisableMap[all]}" ]]; then
+  if [[ -n "$NIX_DEBUG" ]]; then
+    echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
+  fi
   for flag in "${hardeningFlags[@]}"
   do
-    if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then
+    if [[ -z "${hardeningDisableMap[$flag]}" ]]; then
       case $flag in
         fortify)
           if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
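Review bot: The lookups `${hardeningDisableMap[all]}` and `${hardeningDisableMap[$flag]}` in the two `-z` tests abort with "unbound variable" whenever the key is absent and `set -u` is active, which the comment above the `for` loop suggests is the case for this script; an absent key is the normal hardening-enabled path, so every build would fail instead of getting hardening. Give both tests a default expansion: `if [[ -z "${hardeningDisableMap[all]:-}" ]]; then` and `if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then`. The same applies to the `[[ -n "$NIX_DEBUG" ]]` checks unless the caller is known to always export NIX_DEBUG. The comment's claim that expanding `${hardeningDisable[@]}` is safe under `set -u` only holds for bash 4.4 and later, which is worth stating in the comment. The `if [[ -z "${hardeningDisableMap[all]}" ]]` block and its inner `for` loop continue past the end of this hunk.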
@@ -20,7 +34,7 @@ if [[ ! $hardeningDisable =~ "all" ]]; then
           ;;
         stackprotector)
           if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
-          hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4')
+          hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
           ;;
         pie)
           if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
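Review bot: The `--param ssp-buffer-size=4` now passed as a separate argument alongside `-fstack-protector-strong` looks redundant: that parameter sets the minimum array size for the plain `-fstack-protector` heuristic, whereas `-strong` instruments every function with a local array regardless of size, so it likely has no effect here — confirm against the compiler versions the wrapper targets. If it is kept deliberately, document that on the line: `# ssp-buffer-size only tunes plain -fstack-protector; likely a no-op with -strong, kept for compilers that honor it`. The `case` statement and its enclosing loop both start and end outside this hunk.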