author | John Ericson <John.Ericson@Obsidian.Systems> | 2017-08-03 15:34:23 -0400 |
---|---|---|
committer | John Ericson <John.Ericson@Obsidian.Systems> | 2017-08-07 03:05:51 -0400 |
commit | 2493454e13c25ff990d06deb38b1024e4a0a99f8 (patch) | |
tree | eb61a13198aea3837e41cbee38274eea91cd415f /pkgs/build-support | |
parent | a8bd415fa06a100b29297db86aadb6f00da70bbf (diff) | |
cc-wrapper: Use `set -u` throughout
Now is an opportune time to do this, as the infixSalt conversion in `add-flags.sh` ensures that all the relevant `NIX_*` vars will be defined even if empty.
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/cc-wrapper/add-hardening.sh | 40 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/cc-wrapper.sh | 21 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/gnat-wrapper.sh | 17 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh | 7 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/ld-wrapper.sh | 31 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/utils.sh | 2 |
6 files changed, 68 insertions, 50 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index c91ff0a9d0b..aa8eb720486 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh 
@@ -1,67 +1,69 @@ hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) -# Intentionally word-split in case 'hardeningEnable' is defined in Nix. -hardeningFlags+=(${hardeningEnable[@]}) +# Intentionally word-split in case 'hardeningEnable' is defined in +# Nix. Also, our bootstrap tools version of bash is old enough that +# undefined arrays trip `set -u`. +if [[ -v hardeningEnable[@] ]]; then + hardeningFlags+=(${hardeningEnable[@]}) +fi hardeningCFlags=() hardeningLDFlags=() declare -A hardeningDisableMap -# Intentionally word-split in case 'hardeningDisable' is defined in Nix. The -# array expansion also prevents undefined variables from causing trouble with -# `set -u`. -for flag in ${hardeningDisable[@]} @hardening_unsupported_flags@ +# Intentionally word-split in case 'hardeningDisable' is defined in Nix. +for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@ do hardeningDisableMap[$flag]=1 done -if [[ -n "$NIX_DEBUG" ]]; then +if [[ -n "${NIX_DEBUG:-}" ]]; then printf 'HARDENING: disabled flags:' >&2 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2 echo >&2 fi -if [[ -z "${hardeningDisableMap[all]}" ]]; then - if [[ -n "$NIX_DEBUG" ]]; then +if [[ -z "${hardeningDisableMap[all]:-}" ]]; then + if [[ -n "${NIX_DEBUG:-}" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi for flag in "${hardeningFlags[@]}" do - if [[ -z "${hardeningDisableMap[$flag]}" ]]; then + if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then case $flag in fortify) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling fortify >&2; fi hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling stackprotector >&2; fi 
hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4') ;; pie) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi hardeningCFlags+=('-fPIE') if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningLDFlags+=('-pie') fi ;; pic) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling pic >&2; fi hardeningCFlags+=('-fPIC') ;; strictoverflow) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling strictoverflow >&2; fi hardeningCFlags+=('-fno-strict-overflow') ;; format) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling format >&2; fi hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') ;; relro) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling relro >&2; fi hardeningLDFlags+=('-z' 'relro') ;; bindnow) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi + if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling bindnow >&2; fi hardeningLDFlags+=('-z' 'now') ;; *) diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index ef9df4f968d..e5a3a581851 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -1,5 +1,5 @@ #! @shell@ -set -e -o pipefail +set -eu -o pipefail shopt -s nullglob path_backup="$PATH" 
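Review bot: The `IGNORED_KEY` fallback in `for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@` (add-hardening.sh) is undocumented, and it becomes a real key in `hardeningDisableMap`. With `NIX_DEBUG` set, the `HARDENING: disabled flags:` line will therefore list `IGNORED_KEY` whenever `hardeningDisable` is unset or empty, which can mislead someone checking which protections were switched off for a build. The deleted comment explained the `set -u` handling and the new one does not, so I would add `# IGNORED_KEY is a placeholder that matches no hardening flag; it only keeps this expansion non-empty under set -u.` above the loop.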
@@ -11,12 +11,12 @@ if [[ -n "@coreutils_bin@" && -n "@gnugrep_bin@" ]]; then PATH="@coreutils_bin@/bin:@gnugrep_bin@/bin" fi -if [ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]; then - source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" +if [ -z "${NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then + source @out@/nix-support/add-flags.sh fi -if [ -z "$NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET" ]; then - source @out@/nix-support/add-flags.sh +if [ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]; then + source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" fi source @out@/nix-support/utils.sh @@ -36,7 +36,7 @@ declare -i n=0 nParams=${#params[@]} while [ "$n" -lt "$nParams" ]; do p=${params[n]} - p2=${params[n+1]} + p2=${params[n+1]:-} # handle `p` being last one if [ "$p" = -c ]; then dontLink=1 elif [ "$p" = -S ]; then @@ -79,13 +79,13 @@ if [ "$nonFlagArgs" = 0 ]; then fi # Optionally filter out paths not refering to the store. -if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then +if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then rest=() nParams=${#params[@]} declare -i n=0 while [ "$n" -lt "$nParams" ]; do p=${params[n]} - p2=${params[n+1]} + p2=${params[n+1]:-} # handle `p` being last one if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then skip "${p:2}" elif [ "$p" = -L ] && badPath "$p2"; then @@ -162,13 +162,15 @@ if [ "$*" = -v ]; then fi # Optionally print debug info. -if [ -n "$NIX_DEBUG" ]; then +if [ -n "${NIX_DEBUG:-}" ]; then + set +u # Old bash workaround, see ld-wrapper for explanation. echo "extra flags before to @prog@:" >&2 printf " %q\n" "${extraBefore[@]}" >&2 echo "original flags to @prog@:" >&2 printf " %q\n" "${params[@]}" >&2 echo "extra flags after to @prog@:" >&2 printf " %q\n" "${extraAfter[@]}" >&2 + set -u fi if [ -n "$NIX_CC_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then 
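Review bot: The hook test in cc-wrapper.sh still expands `$NIX_CC_WRAPPER_@infixSalt@_START_HOOK` bare, so with `set -u` now enabled it depends on add-flags.sh having defined that variable. When `NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET` is already non-empty, add-flags.sh is not sourced in this process. Whether the hook variables are then guaranteed to be in the environment is not visible in this diff; if they are not, the wrapper stops with an unbound-variable error instead of running the compiler. Writing `if [ -n "${NIX_CC_WRAPPER_@infixSalt@_START_HOOK:-}" ]; then` would match the guarded `FLAGS_SET` test beside it. The same applies to the `_EXEC_HOOK` tests, to `-n "$NIX_STORE"` in the purity checks, and to the corresponding hunks in gnat-wrapper.sh and ld-wrapper.sh.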
@@ -176,4 +178,5 @@ if [ -n "$NIX_CC_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then fi PATH="$path_backup" +set +u # Old bash workaround, see above. exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}" diff --git a/pkgs/build-support/cc-wrapper/gnat-wrapper.sh b/pkgs/build-support/cc-wrapper/gnat-wrapper.sh index 33272ba5345..1a09f484109 100644 --- a/pkgs/build-support/cc-wrapper/gnat-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/gnat-wrapper.sh @@ -1,7 +1,10 @@ #! @shell@ -set -e -o pipefail +set -eu -o pipefail shopt -s nullglob +# N.B. Gnat is not used during bootstrapping, so we don't need to +# worry about the old bash empty array `set -u` workarounds. + path_backup="$PATH" # phase separation makes this look useless @@ -10,12 +13,12 @@ if [ -n "@coreutils_bin@" ]; then PATH="@coreutils_bin@/bin" fi -if [ -n "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" ]; then - source "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" +if [ -z "${NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET:-}" ]; then + source @out@/nix-support/add-flags.sh fi -if [ -z "$NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET" ]; then - source @out@/nix-support/add-flags.sh +if [ -n "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" ]; then + source "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" fi source @out@/nix-support/utils.sh @@ -52,7 +55,7 @@ fi # Optionally filter out paths not refering to the store. params=("$@") -if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then +if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then rest=() for p in "${params[@]}"; do if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then @@ -110,7 +113,7 @@ fi #fi # Optionally print debug info. -if [ -n "$NIX_DEBUG" ]; then +if [ -n "${NIX_DEBUG:-}" ]; then echo "extra flags before to @prog@:" >&2 printf " %q\n" "${extraBefore[@]}" >&2 echo "original flags to @prog@:" >&2 diff --git a/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh b/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh index c8493302852..ee973d3270f 100644 
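Review bot: The new `N.B.` comment in gnat-wrapper.sh (repeated in gnatlink-wrapper.sh) justifies skipping the empty-array workaround by saying gnat is not used during bootstrapping, but the real precondition is the bash version behind `@shell@`. As far as I know, bash releases before 4.4 treat `"${extraBefore[@]}"` on an empty array as unbound under `set -u`. gnatlink-wrapper.sh sets `extraBefore=()` and expands it in the `NIX_DEBUG` block, so that path would abort on such a shell. I would state the assumption directly, e.g. `# N.B. Assumes @shell@ is bash >= 4.4, where expanding an empty array does not trip set -u; gnat is not built with the bootstrap bash.`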
--- a/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh @@ -1,7 +1,10 @@ #! @shell@ -set -e -o pipefail +set -eu -o pipefail shopt -s nullglob +# N.B. Gnat is not used during bootstrapping, so we don't need to +# worry about the old bash empty array `set -u` workarounds. + # Add the flags for the GNAT compiler proper. extraAfter=("--GCC=@out@/bin/gcc") extraBefore=() @@ -21,7 +24,7 @@ extraBefore=() #export NIX_@infixSalt@_LDFLAGS_SET=1 # Optionally print debug info. -if [ -n "$NIX_DEBUG" ]; then +if [ -n "${NIX_DEBUG:-}" ]; then echo "extra flags before to @prog@:" >&2 printf " %q\n" "${extraBefore[@]}" >&2 echo "original flags to @prog@:" >&2 diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh index fa8875e00b6..e47a6bfec86 100644 --- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh @@ -10,12 +10,12 @@ if [ -n "@coreutils_bin@" ]; then PATH="@coreutils_bin@/bin" fi -if [ -n "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" ]; then - source "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" +if [ -z "${NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then + source @out@/nix-support/add-flags.sh fi -if [ -z "$NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET" ]; then - source @out@/nix-support/add-flags.sh +if [ -n "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" ]; then + source "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" fi source @out@/nix-support/utils.sh 
@@ -23,14 +23,14 @@ source @out@/nix-support/utils.sh # Optionally filter out paths not refering to the store. expandResponseParams "$@" -if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" - && ( -z "$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC" || -z "$NIX_@infixSalt@_LDFLAGS_SET" ) ]]; then +if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" + && ( -z "$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC" || -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ) ]]; then rest=() nParams=${#params[@]} declare -i n=0 while [ "$n" -lt "$nParams" ]; do p=${params[n]} - p2=${params[n+1]} + p2=${params[n+1]:-} # handle `p` being last one if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then skip "${p:2}" elif [ "$p" = -L ] && badPath "$p2"; then @@ -59,7 +59,7 @@ source @out@/nix-support/add-hardening.sh extraAfter=("${hardeningLDFlags[@]}") extraBefore=() -if [ -z "$NIX_@infixSalt@_LDFLAGS_SET" ]; then +if [ -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ]; then extraAfter+=($NIX_@infixSalt@_LDFLAGS) extraBefore+=($NIX_@infixSalt@_LDFLAGS_BEFORE) fi @@ -73,7 +73,11 @@ relocatable= # Find all -L... switches for rpath, and relocatable flags for build id. if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ] || [ "$NIX_@infixSalt@_SET_BUILD_ID" = 1 ]; then prev= + # Old bash thinks empty arrays are undefined, ugh, so temporarily disable + # `set -u`. + set +u for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"; do + set -u case "$prev" in -L) libDirs+=("$p") @@ -119,7 +123,7 @@ if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ]; then if [[ "$dir" =~ [/.][/.] ]] && dir2=$(readlink -f "$dir"); then dir="$dir2" fi - if [ "${rpaths[$dir]}" ] || [[ "$dir" != "$NIX_STORE"/* ]]; then + if [ -n "${rpaths[$dir]:-}" ] || [[ "$dir" != "$NIX_STORE"/* ]]; then # If the path is not in the store, don't add it to the rpath. # This typically happens for libraries in /tmp that are later # copied to $out/lib. If not, we're screwed. 
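Review bot: In the ld-wrapper.sh rpath hunk, `set -u` is restored only as the first statement inside the `for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"` body. If all three arrays are empty, the body never runs. The rest of the wrapper then continues with nounset off, until the `NIX_DEBUG` block turns it back on, and only when that variable is set. Adding a plain `set -u` directly after the loop's `done` closes that gap; the `done` lies outside this hunk, so the exact placement needs checking against the full file.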
@@ -127,9 +131,9 @@ if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ]; then fi for path in "$dir"/lib*.so; do file="${path##*/}" - if [ "${libs[$file]}" ]; then + if [ "${libs[$file]:-}" ]; then libs["$file"]= - if [ ! "${rpaths[$dir]}" ]; then + if [ -z "${rpaths[$dir]:-}" ]; then rpaths["$dir"]=1 extraAfter+=(-rpath "$dir") fi @@ -147,13 +151,15 @@ fi # Optionally print debug info. -if [ -n "$NIX_DEBUG" ]; then +if [ -n "${NIX_DEBUG:-}" ]; then + set +u # Old bash workaround, see above. echo "extra flags before to @prog@:" >&2 printf " %q\n" "${extraBefore[@]}" >&2 echo "original flags to @prog@:" >&2 printf " %q\n" "${params[@]}" >&2 echo "extra flags after to @prog@:" >&2 printf " %q\n" "${extraAfter[@]}" >&2 + set -u fi if [ -n "$NIX_LD_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then @@ -161,4 +167,5 @@ if [ -n "$NIX_LD_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then fi PATH="$path_backup" +set +u # Old bash workaround, see above. exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}" diff --git a/pkgs/build-support/cc-wrapper/utils.sh b/pkgs/build-support/cc-wrapper/utils.sh index 267044b2c4f..5a70c2d9ccf 100644 --- a/pkgs/build-support/cc-wrapper/utils.sh +++ b/pkgs/build-support/cc-wrapper/utils.sh @@ -1,5 +1,5 @@ skip () { - if [ -n "$NIX_DEBUG" ]; then + if [ -n "${NIX_DEBUG:-}" ]; then echo "skipping impure path $1" >&2 fi } |