diff options
309 files changed, 365 insertions, 372 deletions
diff --git a/pkgs/applications/audio/QmidiNet/default.nix b/pkgs/applications/audio/QmidiNet/default.nix index c0879e58aca..42c98cbb110 100644 --- a/pkgs/applications/audio/QmidiNet/default.nix +++ b/pkgs/applications/audio/QmidiNet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ qt4 alsaLib libjack2 ]; diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix index 80e3c5dc40a..a22866dc031 100644 --- a/pkgs/applications/audio/aacgain/default.nix +++ b/pkgs/applications/audio/aacgain/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' cd mp4v2 diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix index 9de3bef62ad..abe679f10bc 100644 --- a/pkgs/applications/audio/cdparanoia/default.nix +++ b/pkgs/applications/audio/cdparanoia/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = "unset CC"; diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix index 1cc0e56fe7e..e1c063d823d 100644 --- a/pkgs/applications/audio/csound/default.nix +++ b/pkgs/applications/audio/csound/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = mirror://sourceforge/csound/Csound6.04.tar.gz; diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix index eae7ce390c0..1611975182b 100644 --- a/pkgs/applications/audio/freewheeling/default.nix +++ b/pkgs/applications/audio/freewheeling/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { patches = [ ./am_path_sdl.patch ./xml.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A live looping instrument with JACK and MIDI support"; diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix index 7a5095f3788..ec7f7a5c32d 100644 --- a/pkgs/applications/audio/jack-capture/default.nix +++ b/pkgs/applications/audio/jack-capture/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { cp jack_capture $out/bin/ ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "A program for recording soundfiles with jack"; diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix index 92e39f7bb11..22ab37dc98a 100644 --- a/pkgs/applications/audio/lingot/default.nix +++ b/pkgs/applications/audio/lingot/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ pkgconfig intltool gtk alsaLib libglade ]; diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix index 67ac74f5f5a..fa4ea6343e9 100644 --- a/pkgs/applications/audio/mi2ly/default.nix +++ b/pkgs/applications/audio/mi2ly/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sourceRoot="."; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = "./cc"; installPhase = '' diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix index f2434619c47..d28cd7c9e06 100644 --- a/pkgs/applications/audio/mp3info/default.nix +++ b/pkgs/applications/audio/mp3info/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses pkgconfig gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' sed -i Makefile \ diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix index abea5521571..7477bea7602 100644 --- a/pkgs/applications/audio/mp3val/default.nix +++ b/pkgs/applications/audio/mp3val/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { install -Dv mp3val "$out/bin/mp3val" ''; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "A tool for validating and repairing MPEG audio streams"; diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix index c5bcd5ab4e4..b68c44278ee 100644 --- a/pkgs/applications/audio/mpg321/default.nix +++ b/pkgs/applications/audio/mpg321/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no")) diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix index b6a98268a9b..b89278a7fd9 100644 --- a/pkgs/applications/audio/musescore/default.nix +++ b/pkgs/applications/audio/musescore/default.nix @@ -13,8 +13,7 @@ stdenv.mkDerivation rec { sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw"; }; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "relro" "bindnow" ]; makeFlags = [ "PREFIX=$(out)" diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix index 460745ddddb..e4ec281cacb 100644 --- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix +++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for file in `grep -r -l g_canvas.h` diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix index 1eb0e1be654..3b836d9eb33 100644 --- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix +++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for i in ${puredata}/include/pd/*; do diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix index 207967a978f..972a162b73f 100644 --- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix +++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for D in net osc diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix index 647ed9036dc..822e0d5548b 100644 --- a/pkgs/applications/audio/rakarrack/default.nix +++ b/pkgs/applications/audio/rakarrack/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./fltk-path.patch ]; diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix index c784b33700e..ece3cbef596 100644 --- a/pkgs/applications/audio/zynaddsubfx/default.nix +++ b/pkgs/applications/audio/zynaddsubfx/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ]; nativeBuildInputs = [ cmake pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "High quality software synthesizer"; diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix index 5ddcf34995f..2817bd168de 100644 --- a/pkgs/applications/editors/ht/default.nix +++ b/pkgs/applications/editors/ht/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { ncurses ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with lib; { description = "File editor/viewer/analyzer for executables"; diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix index f3755db448c..a5b0f2e400a 100644 --- a/pkgs/applications/editors/leafpad/default.nix +++ b/pkgs/applications/editors/leafpad/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ intltool pkgconfig gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--enable-chooser" diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix index 7b8281b4e3c..4866ba92add 100644 --- a/pkgs/applications/graphics/cinepaint/default.nix +++ b/pkgs/applications/graphics/cinepaint/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./install.patch ]; diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix index c33da655222..bd1a8d03ec4 100644 --- a/pkgs/applications/graphics/giv/default.nix +++ b/pkgs/applications/graphics/giv/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix index ff069d0d972..822ef8ad435 100644 --- a/pkgs/applications/graphics/gqview/default.nix +++ b/pkgs/applications/graphics/gqview/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [pkgconfig gtk libpng]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A fast image viewer"; diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix index c3aed10d00c..fa1958059b8 100644 --- a/pkgs/applications/graphics/meshlab/default.nix +++ b/pkgs/applications/graphics/meshlab/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { patches = [ ./include-unistd.diff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = '' mkdir -p "$out/include" diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix index da6521199c5..e6a0453e533 100644 --- a/pkgs/applications/graphics/qtpfsgui/default.nix +++ b/pkgs/applications/graphics/qtpfsgui/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' export CPATH="${ilmbase}/include/OpenEXR:$CPATH" diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix index b3db2fde4cb..375b0999548 100644 --- a/pkgs/applications/graphics/tesseract/default.nix +++ b/pkgs/applications/graphics/tesseract/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool leptonica libpng libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix index 4f8f3ac16f4..6903837e5ad 100644 --- a/pkgs/applications/graphics/xfig/default.nix +++ b/pkgs/applications/graphics/xfig/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ imake makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11"; diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix index 3c970e40b48..b1574ea6963 100644 --- a/pkgs/applications/inferno/default.nix +++ b/pkgs/applications/inferno/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation rec { --set INFERNO_ROOT "$out/share/inferno" ''; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "A compact distributed operating system for building cross-platform distributed systems"; diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix index 7810284973f..782ef4ae366 100644 --- a/pkgs/applications/misc/epdfview/default.nix +++ b/pkgs/applications/misc/epdfview/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig gtk poppler ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ (fetchpatch { name = "epdfview-0.1.8-glib2-headers.patch"; diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix index 7c755a4f3d3..cf7fdafd742 100644 --- a/pkgs/applications/misc/gkrellm/default.nix +++ b/pkgs/applications/misc/gkrellm/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Makefiles are patched to fix references to `/usr/X11R6' and to add # `-lX11' to make sure libX11's store path is in the RPATH. diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix index 86127d56b01..e0ece09db18 100644 --- a/pkgs/applications/misc/grip/default.nix +++ b/pkgs/applications/misc/grip/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia libid3tag ncurses libtool ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "GTK+-based audio CD player/ripper"; diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix index dac597fe67c..7c0d615f366 100644 --- a/pkgs/applications/misc/k2pdfopt/default.nix +++ b/pkgs/applications/misc/k2pdfopt/default.nix @@ -31,7 +31,7 @@ in stdenv.mkDerivation rec { openjpeg freetype jbig2dec djvulibre openssl ]; NIX_LDFLAGS = "-lX11 -lXext"; - hardening_format = false; + hardeningDisable = [ "format" ]; k2_pa = ./k2pdfopt.patch; tess_pa = ./tesseract.patch; diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix index 67f474cefac..5f70d4b5c44 100644 --- a/pkgs/applications/misc/navit/default.nix +++ b/pkgs/applications/misc/navit/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # 'cvs' is only for the autogen buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix index 43da0c92a42..b6d46cf9ed1 100644 --- a/pkgs/applications/misc/posterazor/default.nix +++ b/pkgs/applications/misc/posterazor/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ]; diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix index 6a768d44958..8e781cd1c02 100644 --- a/pkgs/applications/misc/sdcv/default.nix +++ b/pkgs/applications/misc/sdcv/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = ( if stdenv.isDarwin then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ] diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix index d725bba0307..b7b9d36b4cb 100644 --- a/pkgs/applications/misc/tasknc/default.nix +++ b/pkgs/applications/misc/tasknc/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # # I know this is ugly, but the Makefile does strange things in this package, diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix index a62f7cd2aa6..e595d771ec0 100644 --- a/pkgs/applications/misc/vym/default.nix +++ b/pkgs/applications/misc/vym/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig qt4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' qmake PREFIX="$out" diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix index d5edf2a4d58..2f98bc66e9b 100644 --- a/pkgs/applications/misc/wordnet/default.nix +++ b/pkgs/applications/misc/wordnet/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [tcl tk xlibsWrapper makeWrapper]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index 3d40aa1f60c..2415c06dba4 100644 --- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; - hardening_format = false; + hardeningDisable = [ "format" ]; installFlags = "PREFIX=/ DESTDIR=$(out)"; diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index cc3e55f02e9..ae1bf5bffea 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix index 156b138f290..b765c97fb8e 100644 --- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix +++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { dontDisableStatic = true; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-ncurses=${ncurses}"; diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix index 181cd3301e3..12466379bf9 100644 --- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix +++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix index 8084d5133f1..746d79805f5 100644 --- a/pkgs/applications/networking/iptraf-ng/default.nix +++ b/pkgs/applications/networking/iptraf-ng/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { --localstatedir=$out/var --sbindir=$out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A console-based network monitoring utility (fork of iptraf)"; diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix index c77b51d7064..b86de98f950 100644 --- a/pkgs/applications/networking/mailreaders/alpine/default.nix +++ b/pkgs/applications/networking/mailreaders/alpine/default.nix @@ -18,8 +18,7 @@ stdenv.mkDerivation { ncurses tcl openssl pam kerberos openldap ]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix index 1ee42531465..3ff690a244b 100644 --- a/pkgs/applications/networking/mailreaders/realpine/default.nix +++ b/pkgs/applications/networking/mailreaders/realpine/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation { ncurses tcl openssl pam kerberos openldap ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix index 681ace6ab8f..ed64629fe24 100644 --- a/pkgs/applications/networking/remote/ssvnc/default.nix +++ b/pkgs/applications/networking/remote/ssvnc/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { configurePhase = "makeFlags=PREFIX=$out"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix index 152aec27d83..dc00cef8898 100644 --- a/pkgs/applications/science/electronics/caneda/default.nix +++ b/pkgs/applications/science/electronics/caneda/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ cmake qt4 libxml2 libxslt ]; diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix index c5c2cee62e8..22e64ee0566 100644 --- a/pkgs/applications/science/geometry/drgeo/default.nix +++ b/pkgs/applications/science/geometry/drgeo/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { name = "drgeo-${version}"; version = "1.1.0"; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = "mirror://sourceforge/ofset/${name}.tar.gz"; diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix index cb0c308b129..8eedafcd68b 100644 --- a/pkgs/applications/science/logic/ltl2ba/default.nix +++ b/pkgs/applications/science/logic/ltl2ba/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace Makefile \ diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix index b0b001f7b3c..dd383f1fff6 100644 --- a/pkgs/applications/science/logic/otter/default.nix +++ b/pkgs/applications/science/logic/otter/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation { inherit (s) url sha256; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = '' find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g" diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix index f6ec3b840ac..9c09ea3db98 100644 --- a/pkgs/applications/science/logic/prover9/default.nix +++ b/pkgs/applications/science/logic/prover9/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' RM=$(type -tp rm) diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix index f294750928e..7643c912db4 100644 --- a/pkgs/applications/science/math/cbc/default.nix +++ b/pkgs/applications/science/math/cbc/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ zlib bzip2 ]; diff --git a/pkgs/applications/science/math/perseus/default.nix b/pkgs/applications/science/math/perseus/default.nix index d2694392efa..ae63716f106 100644 --- a/pkgs/applications/science/math/perseus/default.nix +++ b/pkgs/applications/science/math/perseus/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation { version = "4-beta"; buildInputs = [unzip gcc48]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; src = fetchurl { url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip"; diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix index 77026eb490a..d27f998b793 100644 --- a/pkgs/applications/science/math/qalculate-gtk/default.nix +++ b/pkgs/applications/science/math/qalculate-gtk/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; nativeBuildInputs = [ intltool pkgconfig ]; buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ]; diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix index af284a2f82e..adf87c4ee5b 100644 --- a/pkgs/applications/science/math/yacas/default.nix +++ b/pkgs/applications/science/math/yacas/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # Perl is only for the documentation nativeBuildInputs = [ perl ]; diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix index 4912ce0b3e6..20d027da1f3 100644 --- a/pkgs/applications/version-management/cvs/default.nix +++ b/pkgs/applications/version-management/cvs/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { patches = [ ./getcwd-chroot.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Apply the Debian patches. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 2799c25527b..4e86e9328c8 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sha256 = "1zkbdmh5gvxalr8l1cwnirqq5raijmp2d0s36s6qabrlvqvq2yj7"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./docbook2texi.patch diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix index 6240baac8f1..6cafe4f9624 100644 --- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix +++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [qt libXext libX11]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = "qmake PREFIX=$out"; diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix index 982dcb1d56b..2f03d582a94 100644 --- a/pkgs/applications/version-management/redmine/default.nix +++ b/pkgs/applications/version-management/redmine/default.nix @@ -11,7 +11,7 @@ in stdenv.mkDerivation rec { sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports # needed to separate run-time and build-time directories diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix index 49e2662adb4..cbaea3eb18b 100644 --- a/pkgs/applications/video/aegisub/default.nix +++ b/pkgs/applications/video/aegisub/default.nix @@ -43,8 +43,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub"; diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix index 513242271a1..fc3c679d414 100644 --- a/pkgs/applications/virtualization/OVMF/default.nix +++ b/pkgs/applications/virtualization/OVMF/default.nix @@ -17,9 +17,7 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" { # TODO: properly include openssl for secureBoot buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ]; - hardening_stackprotector = false; - hardening_pic = false; - hardening_fortify = false; + hardeningDisable = [ "stackprotector" "pic" "fortify" ]; unpackPhase = '' for file in \ diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix index 705691b1682..952ae1f922d 100644 --- a/pkgs/applications/virtualization/bochs/default.nix +++ b/pkgs/applications/virtualization/bochs/default.nix @@ -146,7 +146,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/"; NIX_LDFLAGS="-L${libtool}/lib"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An open-source IA-32 (x86) PC emulator"; diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix index 01832b55292..dc78236677f 100644 --- a/pkgs/applications/virtualization/cbfstool/default.nix +++ b/pkgs/applications/virtualization/cbfstool/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl flex bison ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; buildPhase = '' export LEX=${flex}/bin/flex diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix index a06523973b7..3bc95a1c392 100644 --- a/pkgs/applications/virtualization/seabios/default.nix +++ b/pkgs/applications/virtualization/seabios/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl python ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' # build SeaBIOS for CSM diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix index d579a6445d1..1c85723c395 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { KERN_DIR = "${kernel.dev}/lib/modules/*/build"; - hardening_pic = false; + hardeningDisable = [ "pic" ]; buildInputs = [ patchelf cdrkit makeWrapper dbus ]; diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 0a3bd3898c2..23c4f34a553 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -75,9 +75,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; - hardening_stackprotector = false; - hardening_fortify = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "fortify" "pic" ]; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix index 43d0804222c..3b5af42a8be 100644 --- a/pkgs/applications/window-managers/stalonetray/default.nix +++ b/pkgs/applications/window-managers/stalonetray/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ libX11 xproto ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Stand alone tray"; diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening new file mode 100644 index 00000000000..08fdd52be08 --- /dev/null +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -0,0 +1,41 @@ +hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) +hardeningFlags+=("${hardeningEnable[@]}") +hardeningCFlags=() +hardeningLDFlags=() + +if [[ ! $hardeningDisable == "all" ]]; then + for flag in "${hardeningFlags[@]}" + do + if [[ ! "$hardeningDisable" =~ "$flag" ]]; then + case $flag in + fortify) + hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') + ;; + stackprotector) + hardeningCFlags+=('-fstack-protector-strong') + ;; + pie) + hardeningCFlags+=('-fPIE' '-pie') + ;; + pic) + hardeningCFlags+=('-fPIC') + ;; + strictoverflow) + hardeningCFlags+=('-fno-strict-overflow') + ;; + format) + hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') + ;; + relro) + hardeningLDFlags+=('-z relro') + ;; + bindnow) + hardeningLDFlags+=('-z now') + ;; + *) + echo "Hardening flag unknown: $flag" + ;; + esac + fi + done +fi diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index 6e12a0d8bc8..a8a08e5e144 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -56,7 +56,6 @@ if [ "$nonFlagArgs" = 0 ]; then dontLink=1 fi - # Optionally filter out paths not refering to the store. params=("$@") if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then @@ -90,16 +89,17 @@ if [[ "@prog@" = *++ ]]; then fi fi +source @out@/nix-support/add-hardening.sh + # Add the flags for the C compiler proper. -extraAfter=($NIX_CFLAGS_COMPILE) +extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]}) extraBefore=() - if [ "$dontLink" != 1 ]; then # Add the flags that should only be passed to the compiler when # linking. - extraAfter+=($NIX_CFLAGS_LINK) + extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]}) # Add the flags that should be passed to the linker (and prevent # `ld-wrapper' from adding NIX_LDFLAGS again). diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 110f5189141..2bf07747337 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -234,6 +234,7 @@ stdenv.mkDerivation { rm $out/nix-support/setup-hook.tmp substituteAll ${./add-flags} $out/nix-support/add-flags.sh + cp -p ${./add-hardening} $out/nix-support/add-hardening.sh cp -p ${./utils.sh} $out/nix-support/utils.sh '' + extraBuildCommands; diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh index 6ef06eb7034..12c0709570b 100644 --- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh @@ -47,8 +47,9 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \ params=("${rest[@]}") fi +source @out@/nix-support/add-hardening.sh -extra=() +extra=(${hardeningLDFlags[@]}) extraBefore=() if [ -z "$NIX_LDFLAGS_SET" ]; then @@ -56,7 +57,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then extraBefore+=($NIX_LDFLAGS_BEFORE) fi -extra+=($NIX_LDFLAGS_AFTER) +extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN) # Add all used dynamic libraries to the rpath. diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix index 9dc8d6f8ef1..7eef5af0adc 100644 --- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./glib.patch ./cups_1.6.patch ]; diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix index d766957f0d7..be288b809d4 100644 --- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix @@ -11,5 +11,5 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix index 6f10f6ea920..5c13260aac9 100644 --- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix +++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation rec { "--enable-gi-system-install=no" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; enableParallelBuilding = true; diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix index c80bd67f404..ed83dd03eca 100644 --- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix +++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix @@ -8,7 +8,7 @@ kde { nativeBuildInputs = [ cmake ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # The patch is not ready for upstream submmission. # I should add an option() instead. diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix index 415c6bc6cfb..44269070609 100644 --- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix +++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}"; diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix index dcb7350fbbb..3fed2289f95 100644 --- a/pkgs/development/compilers/clean/default.nix +++ b/pkgs/development/compilers/clean/default.nix @@ -14,8 +14,7 @@ stdenv.mkDerivation rec { }) else throw "Architecture not supported"; - hardening_format = false; - hardening_pic = false; + hardeningDisable = [ "format" "pic" ]; # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild # and for chroot builds all of the library files will have equal timestamps. This diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index 0ee0a622b1e..900cb92ab80 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix index 2208d844049..1b8b8d862cf 100644 --- a/pkgs/development/compilers/ecl/default.nix +++ b/pkgs/development/compilers/ecl/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation { "--enable-unicode") ; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix index cf4d0e4f02a..da178e80a1a 100644 --- a/pkgs/development/compilers/edk2/default.nix +++ b/pkgs/development/compilers/edk2/default.nix @@ -22,8 +22,7 @@ edk2 = stdenv.mkDerivation { makeFlags = "-C BaseTools"; - hardening_fortify = false; - hardening_format = false; + hardeningDisable = [ "format" "fortify" ]; installPhase = '' mkdir -vp $out diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix index 6114c960ffd..ecd841ca636 100644 --- a/pkgs/development/compilers/gcc/4.3/default.nix +++ b/pkgs/development/compilers/gcc/4.3/default.nix @@ -95,8 +95,7 @@ stdenv.mkDerivation ({ ++ (optionals langVhdl [gnat]) ; - hardening_format = false; - hardening_stackprotector = false; + hardeningDisable = [ "format" "stackprotector" ]; configureFlags = " ${if enableMultilib then "" else "--disable-multilib"} diff --git a/pkgs/development/compilers/gcc/4.4/default.nix b/pkgs/development/compilers/gcc/4.4/default.nix index fe79e9bcd72..7f8b38e1ee6 100644 --- a/pkgs/development/compilers/gcc/4.4/default.nix +++ b/pkgs/development/compilers/gcc/4.4/default.nix @@ -103,7 +103,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./pass-cxxcpp.patch diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 2493593f357..7d84cb24516 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,8 +134,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - hardening_format = false; - hardening_all = name != "gnat"; + hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all"; patches = [ ] diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix index 323fd8b921b..d6307542443 100644 --- a/pkgs/development/compilers/gcc/4.6/default.nix +++ b/pkgs/development/compilers/gcc/4.6/default.nix @@ -189,7 +189,7 @@ stdenv.mkDerivation ({ inherit patches enableMultilib; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index 58074e173ae..649312b1c1b 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -218,7 +218,7 @@ stdenv.mkDerivation ({ inherit patches; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index fe1f4066110..d4c8d018ff2 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -220,9 +220,8 @@ stdenv.mkDerivation ({ inherit patches; - # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; - hardening_format = false; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index 47a272ac534..ca6b6c52d99 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -216,7 +216,7 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; inherit patches; diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index 008f426d74a..e57abec2c1b 100644 --- a/pkgs/development/compilers/gcl/default.nix +++ b/pkgs/development/compilers/gcl/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; meta = { description = "GNU Common Lisp compiler working via GCC"; diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix index 4f95e859292..def807971c0 100644 --- a/pkgs/development/compilers/ghc/6.10.4.nix +++ b/pkgs/development/compilers/ghc/6.10.4.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ghc libedit perl gmp]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-gmp-libraries=${gmp}/lib" diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 0d3a60b9100..f25e6244768 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 9f84768fb93..7f7abd8a6e7 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix index 807d7424920..d3739ddef5c 100644 --- a/pkgs/development/compilers/go/1.6.nix +++ b/pkgs/development/compilers/go/1.6.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix index e57151b077f..4299b50ea6d 100644 --- a/pkgs/development/compilers/mkcl/default.nix +++ b/pkgs/development/compilers/mkcl/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; propagatedBuildInputs = [ gmp ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "GMP_CFLAGS=-I${gmp}/include" diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix index 341b8155c41..69529ab762b 100644 --- a/pkgs/development/compilers/squeak/default.nix +++ b/pkgs/development/compilers/squeak/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Smalltalk programming language and environment"; diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix index 3c257dfc7df..954ef692462 100644 --- a/pkgs/development/compilers/swi-prolog/default.nix +++ b/pkgs/development/compilers/swi-prolog/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-world --enable-gmp --enable-shared"; diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix index 1e63b2d2be0..301915b7a26 100644 --- a/pkgs/development/compilers/teyjus/default.nix +++ b/pkgs/development/compilers/teyjus/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ omake ocaml flex bison ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = "omake all"; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index e948d1833b8..9dbb08737aa 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -41,11 +41,9 @@ self: super: { options_1_2 = dontCheck super.options_1_2; options = dontCheck super.options; statistics = dontCheck super.statistics; - c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: { - hardening_format = false; - }); - epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: { - hardening_format = false; + c2hs = dontCheck super.c2hs; + epanet-haskell = super.epanet-haskell.overrideDerivation (drv: { + hardeningDisable = [ "format" ]; }); # The package doesn't compile with ruby 1.9, which is our default at the moment. @@ -244,9 +242,7 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { - hardening_fortify = false; - }); + glib = addPkgconfigDepend super.glib pkgs.glib; gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix index fa8c8309a7a..42709abc143 100644 --- a/pkgs/development/interpreters/clisp/2.44.1.nix +++ b/pkgs/development/interpreters/clisp/2.44.1.nix @@ -45,7 +45,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-O0"; - hardening_format = false; + hardeningDisable = [ "format" ]; # TODO : make mod-check fails doCheck = false; diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix index e77300c0f84..cf4355a38e1 100644 --- a/pkgs/development/interpreters/erlang/R14.nix +++ b/pkgs/development/interpreters/erlang/R14.nix @@ -22,7 +22,7 @@ stdenv.mkDerivation { configureFlags = "--with-ssl=${openssl}"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = let manpages = fetchurl { diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix index 7a4e5c1a336..dcfdc11c7a9 100644 --- a/pkgs/development/interpreters/lush/default.nix +++ b/pkgs/development/interpreters/lush/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { intltool gettext zlib ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; NIX_LDFLAGS=" -lz "; diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix index 6e416a35150..1e14d386b13 100644 --- a/pkgs/development/interpreters/perl/default.nix +++ b/pkgs/development/interpreters/perl/default.nix @@ -72,7 +72,7 @@ let enableParallelBuilding = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; preConfigure = '' diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index 81071aafe4e..a7482f269db 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ readline ]; diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix index cb60a41a690..c1a4c17707c 100644 --- a/pkgs/development/interpreters/supercollider/default.nix +++ b/pkgs/development/interpreters/supercollider/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { sha256 = "11khrv6jchs0vv0lv43am8lp0x1rr3h6l2xj9dmwrxcpdayfbalr"; }; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # QGtkStyle unavailable patchPhase = '' diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix index be44ef62885..079c0a5cf6f 100644 --- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix index 9ca9db1e451..faf3a0c7325 100644 --- a/pkgs/development/libraries/accelio/default.nix +++ b/pkgs/development/libraries/accelio/default.nix @@ -15,8 +15,7 @@ stdenv.mkDerivation rec { sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7"; }; - hardening_pic = false; - hardening_format = false; + hardeningDisable = [ "format" "pic" ]; patches = [ ./fix-printfs.patch ]; diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix index 50d3eec4f3f..997a8d22305 100644 --- a/pkgs/development/libraries/allegro/default.nix +++ b/pkgs/development/libraries/allegro/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa ]; - hardening_format = false; + hardeningDisable = [ "format" ]; cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ]; diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index 4a64bc260bd..7195110b0bb 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://bs2b.sourceforge.net/"; diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix index 3e5076d2509..da9d1122cc5 100644 --- a/pkgs/development/libraries/cgui/default.nix +++ b/pkgs/development/libraries/cgui/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { sh fix.sh unix ''; - hardening_format = false; + hardeningDisable = [ "format" ]; makeFlags = [ "SYSTEM_DIR=$(out)" ]; diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix index 3dc9587c921..359bde2e058 100644 --- a/pkgs/development/libraries/cloog/0.18.0.nix +++ b/pkgs/development/libraries/cloog/0.18.0.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { description = "Library that generates loops for scanning polyhedra"; diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix index 0b7d96b5cc1..5af34145197 100644 --- a/pkgs/development/libraries/cwiid/default.nix +++ b/pkgs/development/libraries/cwiid/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--without-python"; diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix index 327da38e986..00875d73f41 100644 --- a/pkgs/development/libraries/db/db-4.4.nix +++ b/pkgs/development/libraries/db/db-4.4.nix @@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.4.patch ]; sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9"; branch = "4.4"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix index 6d3b15d256e..84b5ea67420 100644 --- a/pkgs/development/libraries/db/db-4.5.nix +++ b/pkgs/development/libraries/db/db-4.5.nix @@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ]; sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m"; branch = "4.5"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix index 0735099729a..6016d112d51 100644 --- a/pkgs/development/libraries/db/db-4.7.nix +++ b/pkgs/development/libraries/db/db-4.7.nix @@ -4,5 +4,5 @@ import ./generic.nix (args // rec { version = "4.7.25"; sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi"; branch = "4.7"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix index 78c0a15c4e0..40869a865ae 100644 --- a/pkgs/development/libraries/db/db-4.8.nix +++ b/pkgs/development/libraries/db/db-4.8.nix @@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./clang-4.8.patch ]; sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0"; branch = "4.8"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/faac/default.nix b/pkgs/development/libraries/faac/default.nix index 505f0053287..1ab01033f4d 100644 --- a/pkgs/development/libraries/faac/default.nix +++ b/pkgs/development/libraries/faac/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { ++ optional mp4v2Support "--with-mp4v2" ++ optional drmSupport "--enable-drm"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ ] ++ optional mp4v2Support mp4v2; diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix index 78b7e9a63fc..d47a028cbf8 100644 --- a/pkgs/development/libraries/fox/default.nix +++ b/pkgs/development/libraries/fox/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "C++ based class library for building Graphical User Interfaces"; diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix index 007609403e2..ce778e4a347 100644 --- a/pkgs/development/libraries/fox/fox-1.6.nix +++ b/pkgs/development/libraries/fox/fox-1.6.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { branch = "1.6"; diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix index bb4aeaeee27..3ed308a3492 100644 --- a/pkgs/development/libraries/freetds/default.nix +++ b/pkgs/development/libraries/freetds/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ]; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 09828665541..d138015e6bb 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://fribidi.org/; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index a24a8416866..b581bce24b1 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { propagatedBuildInputs = [libjpeg fontconfig]; # urgh - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--without-x"; diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix index 829c395cc7b..8f00bee8911 100644 --- a/pkgs/development/libraries/gdal/default.nix +++ b/pkgs/development/libraries/gdal/default.nix @@ -18,7 +18,7 @@ composableDerivation.composableDerivation {} (fixed: rec { ++ (with pythonPackages; [ python numpy wrapPython ]) ++ (stdenv.lib.optionals netcdfSupport [ netcdf hdf5 curl ]); - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ # This ensures that the python package is installed into gdal's prefix, diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix index 4c6ec24a16c..2640159725a 100644 --- a/pkgs/development/libraries/gdal/gdal-1_11.nix +++ b/pkgs/development/libraries/gdal/gdal-1_11.nix @@ -19,7 +19,7 @@ composableDerivation.composableDerivation {} (fixed: rec { ./python.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults. # Unset CC and CXX as they confuse libtool. diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix index e9c32da2069..e9643da221e 100644 --- a/pkgs/development/libraries/gdome2/default.nix +++ b/pkgs/development/libraries/gdome2/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [pkgconfig glib libxml2 gtkdoc]; propagatedBuildInputs = [glib libxml2]; diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix index e8d43e6652f..754c85ecf03 100644 --- a/pkgs/development/libraries/geoclue/default.nix +++ b/pkgs/development/libraries/geoclue/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [dbus glib dbus_glib]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' sed -e '/-Werror/d' -i configure diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index 9b24ccc79e8..2fcd5dd1a80 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -12,9 +12,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; - # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; - hardening_format = false; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix index 114e0e587b6..59204e7e7e5 100644 --- a/pkgs/development/libraries/giflib/4.1.nix +++ b/pkgs/development/libraries/giflib/4.1.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { branch = "4.1"; diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix index 1cc4ae0201b..fd9d4b7e81a 100644 --- a/pkgs/development/libraries/giflib/libungif.nix +++ b/pkgs/development/libraries/giflib/libungif.nix @@ -7,6 +7,6 @@ stdenv.mkDerivation { md5 = "efdfcf8e32e35740288a8c5625a70ccb"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 7bbf5562f7c..50be7d8a734 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -166,7 +166,7 @@ stdenv.mkDerivation ({ preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.gnu.org/software/libc/; diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 85a49999b48..c2109bd4158 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -22,8 +22,7 @@ in builder = ./builder.sh; - hardening_stackprotector = false; - hardening_fortify = false; + hardeningDisable = [ "stackprotector" "fortify" ]; # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index 0db619b3658..e803c7c56ac 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index 21be466a9b2..e2861a880c8 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pciutils ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; makeFlags = [ "PREFIX=\${out}" diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix index c56c5b3892a..f62d898cff7 100644 --- a/pkgs/development/libraries/isl/0.11.1.nix +++ b/pkgs/development/libraries/isl/0.11.1.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.kotnet.org/~skimo/isl/; diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix index 855b800ba9f..9fcffb1edb2 100644 --- a/pkgs/development/libraries/java/swt/default.nix +++ b/pkgs/development/libraries/java/swt/default.nix @@ -28,7 +28,7 @@ in stdenv.mkDerivation rec { builder = ./builder.sh; - hardening_format = false; + hardeningDisable = [ "format" ]; # Alas, the Eclipse Project apparently doesn't produce source-only # releases of SWT. So we just grab a binary release and extract diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index cb0c8a7f5c1..309f17b8142 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation (rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix index 8edc53cb7ee..0d9d89589ff 100644 --- a/pkgs/development/libraries/libf2c/default.nix +++ b/pkgs/development/libraries/libf2c/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "F2c converts Fortran 77 source code to C"; diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix index 4d9fa09ad75..d30ea6e5324 100644 --- a/pkgs/development/libraries/libgeotiff/default.nix +++ b/pkgs/development/libraries/libgeotiff/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [ libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery"; diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index 682a42e2db9..a8511006d04 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix index cc883ba67b2..95e8dd9af48 100644 --- a/pkgs/development/libraries/libmpc/default.nix +++ b/pkgs/development/libraries/libmpc/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { description = "Library for multiprecision complex arithmetic with exact rounding"; diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix index d3dd293f975..5f249582610 100644 --- a/pkgs/development/libraries/librsync/0.9.nix +++ b/pkgs/development/libraries/librsync/0.9.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared"; diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index a9320f1af7b..50a1f5ac337 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "An abstraction library for audio visualisations"; diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix index 5281ab2c480..ab3c3ed8c5a 100644 --- a/pkgs/development/libraries/mp4v2/default.nix +++ b/pkgs/development/libraries/mp4v2/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { # `faac' expects `mp4.h'. postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://code.google.com/p/mp4v2; diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index 2c643885727..c63dc2c3dee 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ gmp ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; configureFlags = stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix index cd8268faa65..f35d363e575 100644 --- a/pkgs/development/libraries/nvidia-texture-tools/default.nix +++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Fix build due to missing dependnecies. diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix index a1143757c77..86ab85cbb9a 100644 --- a/pkgs/development/libraries/opencascade/6.5.nix +++ b/pkgs/development/libraries/opencascade/6.5.nix @@ -26,7 +26,7 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 + " -DGLX_GLXEXT_LEGACY"; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype}" ]; diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix index bcf1b747180..79c24be7514 100644 --- a/pkgs/development/libraries/opencascade/default.nix +++ b/pkgs/development/libraries/opencascade/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' mv $out/inc $out/include diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 16765083c55..4f0ed3cd0ea 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix @@ -49,8 +49,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; meta = { description = "Open Computer Vision Library with more than 500 algorithms"; diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index d5904e742b6..4259e9d4d69 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix @@ -20,8 +20,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; meta = { description = "Open Computer Vision Library with more than 500 algorithms"; diff --git a/pkgs/development/libraries/pdf2xml/default.nix b/pkgs/development/libraries/pdf2xml/default.nix index b73be062623..2d15e632152 100644 --- a/pkgs/development/libraries/pdf2xml/default.nix +++ b/pkgs/development/libraries/pdf2xml/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { patches = [./pdf2xml.patch]; - hardening_format = false; + hardeningDisable = [ "format" ]; preBuild = '' cp Makefile.linux Makefile diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix index 4b55cffe94f..5c056762a39 100644 --- a/pkgs/development/libraries/portmidi/default.nix +++ b/pkgs/development/libraries/portmidi/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip cmake /*jdk*/ alsaLib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://portmedia.sourceforge.net/portmidi/"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index 22dbef1bac2..ad864410b16 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "libupnp, an open source UPnP development kit for Linux"; diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix index e8a67d3bc42..011e133720f 100644 --- a/pkgs/development/libraries/qhull/default.nix +++ b/pkgs/development/libraries/qhull/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://www.qhull.org/; diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix index 8a11cc7087b..728d220bb42 100644 --- a/pkgs/development/libraries/qt-3/default.nix +++ b/pkgs/development/libraries/qt-3/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ which ]; propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = " -v diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix index de87c6b73c6..499c6f18453 100644 --- a/pkgs/development/libraries/qtscriptgenerator/default.nix +++ b/pkgs/development/libraries/qtscriptgenerator/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation { cp -av plugins/script/* $out/lib/qt4/plugins/script ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "QtScript bindings generator"; diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix index 49d889f8b6a..fe52571e147 100644 --- a/pkgs/development/libraries/smpeg/default.nix +++ b/pkgs/development/libraries/smpeg/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ SDL gtk mesa ]; diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix index d94b4159e93..94489e992a6 100644 --- a/pkgs/development/libraries/speechd/default.nix +++ b/pkgs/development/libraries/speechd/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ dotconf glib pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Common interface to speech synthesis"; diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix index 818029dbb24..ba95da77b72 100644 --- a/pkgs/development/libraries/tidyp/default.nix +++ b/pkgs/development/libraries/tidyp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "A program that can validate your HTML, as well as modify it to be more clean and standard"; diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix index 0d787092a3c..0b5f08bdf9b 100644 --- a/pkgs/development/libraries/xmlrpc-c/default.nix +++ b/pkgs/development/libraries/xmlrpc-c/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { (cd tools/xmlrpc && make && make install) ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "A lightweight RPC library based on XML and HTTP"; diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index 2871985a082..77ab0f8ffa9 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix @@ -30,7 +30,7 @@ stdenv.mkDerivation (rec { ''; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # As zlib takes part in the stdenv building, we don't want references # to the bootstrap-tools libgcc (as uses to happen on arm/mips) diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix index b27a6659004..108f3616e64 100644 --- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix +++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix @@ -26,7 +26,7 @@ stdenv.mkDerivation { buildInputs = [ gmp mpfr libmpc zlib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Make sure we don't strip the libraries in lib/gcc/avr. stripDebugList= [ "bin" "avr/bin" "libexec" ]; diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix index 9665b78d3b2..8265e1dc776 100644 --- a/pkgs/development/pharo/vm/build-vm.nix +++ b/pkgs/development/pharo/vm/build-vm.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { mimeType = "application/x-pharo-image"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # Building preConfigure = '' diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix index 385980b2848..36051cc2e12 100644 --- a/pkgs/development/python-modules/wxPython/generic.nix +++ b/pkgs/development/python-modules/wxPython/generic.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { sourceRoot = "wxPython-src-${version}/wxPython"; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = "mirror://sourceforge/wxpython/wxPython-src-${version}.tar.bz2"; diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix index a4d88f5d2ea..b63bc66fabd 100644 --- a/pkgs/development/tools/analysis/cccc/default.nix +++ b/pkgs/development/tools/analysis/cccc/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./cccc.patch ]; diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix index 8324d899147..d42227198ce 100644 --- a/pkgs/development/tools/analysis/radare/default.nix +++ b/pkgs/development/tools/analysis/radare/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [pkgconfig readline libusb perl] ++ optional useX11 [gtkdialog vte gtk] diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix index 2896f4ff271..0e0e44183f6 100644 --- a/pkgs/development/tools/analysis/valgrind/default.nix +++ b/pkgs/development/tools/analysis/valgrind/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # Perl is needed for `cg_annotate'. # GDB is needed to provide a sane default for `--db-command'. diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix index aa590543e00..240d24961e0 100644 --- a/pkgs/development/tools/boost-build/default.nix +++ b/pkgs/development/tools/boost-build/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' grep -r '/usr/share/boost-build' \ diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 78adfe48751..7ffa6ed867c 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -40,7 +40,7 @@ stdenv.mkDerivation rec { inherit noSysDirs; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; preConfigure = '' # Clear the default library search path. diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix index 464ad791095..d4a2f80599f 100644 --- a/pkgs/development/tools/misc/elfutils/default.nix +++ b/pkgs/development/tools/misc/elfutils/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./glibc-2.21.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # We need bzip2 in NativeInputs because otherwise we can't unpack the src, # as the host-bzip2 will be in the path. diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix index e610858838d..79f7445af47 100644 --- a/pkgs/development/tools/misc/gnum4/default.nix +++ b/pkgs/development/tools/misc/gnum4/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { patches = [ ./s_isdir.patch ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.gnu.org/software/m4/; diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix index 91658a5d4d9..e999aa4eb2c 100644 --- a/pkgs/development/tools/misc/patchelf/default.nix +++ b/pkgs/development/tools/misc/patchelf/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { setupHook = [ ./setup-hook.sh ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://nixos.org/patchelf.html; diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 786998c6af7..cf62d906f3c 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; preInstall = '' installFlags="TEXMF=$out/texmf-dist"; diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix index 192e0585217..da6760897ad 100644 --- a/pkgs/development/tools/omniorb/default.nix +++ b/pkgs/development/tools/omniorb/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ python ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant"; diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index 0062bc36561..97a66490bf9 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = "http://www.gnu.org/software/bison/"; diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix index 82d4748a979..e67b92afa76 100644 --- a/pkgs/games/asc/default.nix +++ b/pkgs/games/asc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-paragui" "--disable-paraguitest" ]; NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix index 6e138511d03..599588e6f0e 100644 --- a/pkgs/games/bsdgames/default.nix +++ b/pkgs/games/bsdgames/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { }) ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' cat > config.params << EOF diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix index 9a4b1d04916..eb20c0b329e 100644 --- a/pkgs/games/crack-attack/default.nix +++ b/pkgs/games/crack-attack/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!"; diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix index 0c3fc7055b7..b6574eaf39e 100644 --- a/pkgs/games/lincity/ng.nix +++ b/pkgs/games/lincity/ng.nix @@ -22,7 +22,7 @@ stdenv.mkDerivation rec { inherit (s) url sha256; }; - hardening_format = false; + hardeningDisable = [ "format" ]; inherit buildInputs; diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix index d374ed85b2d..532c4c635fb 100644 --- a/pkgs/games/liquidwar/default.nix +++ b/pkgs/games/liquidwar/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { libXrender libcaca cunit ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # To avoid problems finding SDL_types.h. configureFlags = [ "CFLAGS=-I${SDL}/include/SDL" ]; diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix index 41780dd64f6..3f1735c31aa 100644 --- a/pkgs/games/pioneers/default.nix +++ b/pkgs/games/pioneers/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk pkgconfig intltool ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://pio.sourceforge.net/; diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix index 94da81533c1..74d9bdcb35d 100644 --- a/pkgs/games/stardust/default.nix +++ b/pkgs/games/stardust/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { installFlags = [ "bindir=\${out}/bin" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; postConfigure = '' substituteInPlace config.h \ diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix index fd320a32180..1b1e877d274 100644 --- a/pkgs/games/torcs/default.nix +++ b/pkgs/games/torcs/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { installTargets = "install datainstall"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Car racing game"; diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix index cace72b5aac..e6e23752953 100644 --- a/pkgs/games/xconq/default.nix +++ b/pkgs/games/xconq/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { "--with-tkconfig=${tk}/lib" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Fix Makefiles diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix index fa4c17649ac..18abf280a81 100644 --- a/pkgs/games/zandronum/default.nix +++ b/pkgs/games/zandronum/default.nix @@ -33,7 +33,7 @@ in stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; installPhase = '' mkdir -p $out/bin diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix index bbaa565e352..d57ef5ae16d 100644 --- a/pkgs/misc/emulators/dosbox/default.nix +++ b/pkgs/misc/emulators/dosbox/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ SDL ]; - hardening_format = false; + hardeningDisable = [ "format" ]; desktopItem = makeDesktopItem { name = "dosbox"; diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix index dc3c1412856..1abf621fe7e 100644 --- a/pkgs/misc/emulators/mupen64plus/default.nix +++ b/pkgs/misc/emulators/mupen64plus/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Some C++ incompatibility fixes diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix index 3ed455bd350..6620018c337 100644 --- a/pkgs/misc/emulators/nestopia/default.nix +++ b/pkgs/misc/emulators/nestopia/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { # nondeterministic failures when creating directories enableParallelBuilding = false; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper libarchive libao unzip xdg_utils gsettings_desktop_schemas ]; diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix index 54620699f2d..9e773b18f7d 100644 --- a/pkgs/misc/emulators/uae/default.nix +++ b/pkgs/misc/emulators/uae/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig gtk alsaLib SDL ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Ultimate/Unix/Unusable Amiga Emulator"; diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix index e1db07bfff2..2873225b26f 100644 --- a/pkgs/misc/mxt-app/default.nix +++ b/pkgs/misc/mxt-app/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec{ buildInputs = [ autoconf automake libtool ]; preConfigure = "./autogen.sh"; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Command line utility for Atmel maXTouch devices"; diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix index 05a5549fae2..65223a32bad 100644 --- a/pkgs/os-specific/linux/acpi-call/default.nix +++ b/pkgs/os-specific/linux/acpi-call/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix index 41c4f48ddb8..aabd36f945f 100644 --- a/pkgs/os-specific/linux/batman-adv/default.nix +++ b/pkgs/os-specific/linux/batman-adv/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preBuild = '' makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix index 2c91bfbd10f..67b843fac4d 100644 --- a/pkgs/os-specific/linux/bbswitch/default.nix +++ b/pkgs/os-specific/linux/bbswitch/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation { sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m"; }) ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix index 78a576234ac..c2e3fa4b9e1 100644 --- a/pkgs/os-specific/linux/blcr/default.nix +++ b/pkgs/os-specific/linux/blcr/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { buildInputs = [ perl makeWrapper ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' configureFlagsArray=( diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index cc3cfe2465d..2785a57ac8a 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -33,7 +33,7 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./busybox-in-store.patch ]; diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix index aacdfc496ee..6567e478636 100644 --- a/pkgs/os-specific/linux/criu/default.nix +++ b/pkgs/os-specific/linux/criu/default.nix @@ -23,7 +23,8 @@ stdenv.mkDerivation rec { configurePhase = "make config PREFIX=$out"; makeFlags = "PREFIX=$(out)"; - hardening_stackprotector = false; + + hardeningDisable = [ "stackprotector" ]; installPhase = '' mkdir -p $out/etc/logrotate.d diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index 09d7651c249..7a2d94100fa 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix @@ -12,7 +12,8 @@ stdenv.mkDerivation { inherit glibc; kernelHeaders = glibc.linuxHeaders; - hardening_stackprotector = false; + + hardeningDisable = [ "stackprotector" ]; patches = [ diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix index 8eba742ebfb..4c2d0c88576 100644 --- a/pkgs/os-specific/linux/disk-indicator/default.nix +++ b/pkgs/os-specific/linux/disk-indicator/default.nix @@ -19,7 +19,8 @@ stdenv.mkDerivation { buildPhase = "make -f makefile"; NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; - hardening_fortify = false; + + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -p "$out/bin" diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix index 48494bd6b18..b25a65b2ab4 100644 --- a/pkgs/os-specific/linux/facetimehd/default.nix +++ b/pkgs/os-specific/linux/facetimehd/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { export INSTALL_MOD_PATH="$out" ''; - hardening_pic = false; + hardeningDisable = [ "pic" ]; makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix index 93c334b9593..e86c751331b 100644 --- a/pkgs/os-specific/linux/gogoclient/default.nix +++ b/pkgs/os-specific/linux/gogoclient/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [openssl]; diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix index a5cd2411819..b9390d1d589 100644 --- a/pkgs/os-specific/linux/ifenslave/default.nix +++ b/pkgs/os-specific/linux/ifenslave/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { cp -a ifenslave $out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Utility for enslaving networking interfaces under a bond"; diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index 7c956e3c244..79094ebb3e3 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { src = sourceAttrs.src; - hardening_pic = false; + hardeningDisable = [ "pic" ]; prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix index be54d7a4e6a..22650747ba2 100644 --- a/pkgs/os-specific/linux/kernel-headers/3.18.nix +++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix @@ -35,7 +35,7 @@ stdenv.mkDerivation { buildInputs = [perl]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; extraIncludeDirs = if cross != null then diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 5a22b5e2432..85a4b98982a 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -225,16 +225,12 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); - hardening_format = false; - hardening_fortify = false; - hardening_stackprotector = false; + hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ]; makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ]; - hardening_pic = false; - karch = stdenv.platform.kernelArch; crossAttrs = let cp = stdenv.cross.platform; in diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index 98593ea85a9..d1a2fabf814 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ zlib ]; diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix index b05b0dc4463..ffa381d0f29 100644 --- a/pkgs/os-specific/linux/klibc/default.nix +++ b/pkgs/os-specific/linux/klibc/default.nix @@ -21,8 +21,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; - hardening_format = false; - hardening_stackprotector = false; + hardeningDisable = [ "format" "stackprotector" ]; makeFlags = commonMakeFlags ++ [ "KLIBCARCH=${stdenv.platform.kernelArch}" diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix index f6a5e30afa0..0bcc6dd5143 100644 --- a/pkgs/os-specific/linux/lttng-modules/default.nix +++ b/pkgs/os-specific/linux/lttng-modules/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix index 8aee4b73fdd..409eb31e14f 100644 --- a/pkgs/os-specific/linux/multipath-tools/default.nix +++ b/pkgs/os-specific/linux/multipath-tools/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = '' sed -i -re ' diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix index e95cd4e133c..35781dc7f95 100644 --- a/pkgs/os-specific/linux/netatop/default.nix +++ b/pkgs/os-specific/linux/netatop/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation { buildInputs = [ zlib ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' patchShebangs mkversion diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix index 959de19ead2..7310e7e36ad 100644 --- a/pkgs/os-specific/linux/numad/default.nix +++ b/pkgs/os-specific/linux/numad/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./numad-linker-flags.patch diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix index 50aa77104c2..7ef98eb2353 100644 --- a/pkgs/os-specific/linux/paxctl/default.nix +++ b/pkgs/os-specific/linux/paxctl/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; setupHook = ./setup-hook.sh; diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix index 56ff6c473b4..56c12e9a4f0 100644 --- a/pkgs/os-specific/linux/phc-intel/default.nix +++ b/pkgs/os-specific/linux/phc-intel/default.nix @@ -21,7 +21,7 @@ in stdenv.mkDerivation rec { buildInputs = [ which ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; makeFlags = with kernel; [ "DESTDIR=$(out)" diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index 5a03df98346..102b935be29 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix index 6e8d9d3cf7a..5f539b9a97e 100644 --- a/pkgs/os-specific/linux/setools/default.nix +++ b/pkgs/os-specific/linux/setools/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { "--with-tcl=${tcl}/lib" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; NIX_CFLAGS_COMPILE = "-fstack-protector-all"; NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib"; diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix index 67e2f16848b..3fbfa4fdc53 100644 --- a/pkgs/os-specific/linux/spl/default.nix +++ b/pkgs/os-specific/linux/spl/default.nix @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix index 00f9a66f0cd..358f7d38efa 100644 --- a/pkgs/os-specific/linux/sysdig/default.nix +++ b/pkgs/os-specific/linux/sysdig/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; cmakeFlags = [ "-DUSE_BUNDLED_DEPS=OFF" diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix index 3ace0f5c5ed..a68ab9c478c 100644 --- a/pkgs/os-specific/linux/syslinux/default.nix +++ b/pkgs/os-specific/linux/syslinux/default.nix @@ -16,8 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...' - hardening_stackprotector = false; - hardening_pic = false; + hardeningDisable = [ "pic" "stackprotector" ]; preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd) diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix index 116a0344450..dceb777ad72 100644 --- a/pkgs/os-specific/linux/tp_smapi/default.nix +++ b/pkgs/os-specific/linux/tp_smapi/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}" diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix index 8b44f3388d3..376a407d993 100644 --- a/pkgs/os-specific/linux/v4l2loopback/default.nix +++ b/pkgs/os-specific/linux/v4l2loopback/default.nix @@ -9,8 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568"; }; - hardening_pic = false; - hardening_format = false; + hardeningDisable = [ "format" "pic" ]; preBuild = '' substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install" diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix index 17255aa1283..073a6ded998 100644 --- a/pkgs/os-specific/linux/v86d/default.nix +++ b/pkgs/os-specific/linux/v86d/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-klibc" "--with-x86emu" ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source" diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix index 96f353a64da..8b712553be9 100644 --- a/pkgs/os-specific/linux/xf86-video-nested/default.nix +++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { pkgconfig renderproto utilmacros xorgserver ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; CFLAGS = "-I${pixman}/include/pixman-1"; diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 0a61bdcea85..c49f393dd16 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation rec { # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work NIX_CFLAGS_LINK = "-lgcc_s"; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs" diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix index f5693e45168..ef4621fb9a6 100644 --- a/pkgs/servers/beanstalkd/default.nix +++ b/pkgs/servers/beanstalkd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { homepage = http://kr.github.io/beanstalkd/; diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index e557a2a0061..414582b69ef 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix @@ -65,7 +65,7 @@ stdenv.mkDerivation rec { sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # configurePhase = '' # sed -i 's@cp /usr/share/automake-.*@@' autogen.sh diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix index 99b6ce2a832..ac5e0b7c1b1 100644 --- a/pkgs/servers/gpm/default.nix +++ b/pkgs/servers/gpm/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; buildInputs = [ ncurses ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index 3dbb34f9b02..aaa858e302c 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix @@ -55,7 +55,7 @@ stdenv.mkDerivation rec { preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A reverse proxy and lightweight webserver"; diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix index d0e238786e2..dc3fef6125c 100644 --- a/pkgs/servers/icecast/default.nix +++ b/pkgs/servers/icecast/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "Server software for streaming multimedia"; diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix index d42f69d078b..d00bcb7ef1a 100644 --- a/pkgs/servers/irc/charybdis/default.nix +++ b/pkgs/servers/irc/charybdis/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { "--with-program-prefix=charybdis-" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ bison flex openssl ]; diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix index 3a0f2e0954d..9d208e8af4d 100644 --- a/pkgs/servers/mail/postfix/3.0.nix +++ b/pkgs/servers/mail/postfix/3.0.nix @@ -41,7 +41,7 @@ in stdenv.mkDerivation rec { ./relative-symlinks.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' sed -e '/^PATH=/d' -i postfix-install diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 42355b46021..886412b24cd 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -14,8 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [db openssl cyrus_sasl bison perl]; - hardening_format = false; - hardening_pie = true; + hardeningDisable = [ "format" ]; + hardeningEnable = [ "pie" ]; patches = [ ./postfix-2.2.9-db.patch diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix index cac568f8fc9..5e4edd0b032 100644 --- a/pkgs/servers/memcached/default.nix +++ b/pkgs/servers/memcached/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cyrus_sasl libevent]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { description = "A distributed memory object caching system"; diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix index 141e8e0929d..913b312a54a 100644 --- a/pkgs/servers/nosql/mongodb/default.nix +++ b/pkgs/servers/nosql/mongodb/default.nix @@ -80,7 +80,7 @@ in stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "a scalable, high-performance, open source NoSQL database"; diff --git a/pkgs/servers/nosql/riak/1.3.1.nix b/pkgs/servers/nosql/riak/1.3.1.nix index ffa2056d5a9..565ed226ab4 100644 --- a/pkgs/servers/nosql/riak/1.3.1.nix +++ b/pkgs/servers/nosql/riak/1.3.1.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { patches = [ ./riak-1.3.1.patch ./riak-admin-1.3.1.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; postUnpack = '' mkdir -p $sourceRoot/deps/eleveldb/c_src/leveldb diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix index 05cf4270f9f..b66e99f0afb 100644 --- a/pkgs/servers/nosql/riak/2.1.1.nix +++ b/pkgs/servers/nosql/riak/2.1.1.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { src = srcs.riak; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = '' sed -i deps/node_package/priv/base/env.sh \ diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index 1ff9b79e383..aab4ee9059f 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation { buildInputs = [ autoconf automake flex yacc ncurses perl which ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix index cb77ebd9c89..e4e1d393a52 100644 --- a/pkgs/servers/sip/freeswitch/default.nix +++ b/pkgs/servers/sip/freeswitch/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch"; diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix index ba6a076f1f0..0d685a3f4d3 100644 --- a/pkgs/shells/dash/default.nix +++ b/pkgs/shells/dash/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://gondor.apana.org.au/~herbert/dash/; diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 4f092ee1d97..836dedf1cb1 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix @@ -236,26 +236,6 @@ rec { }); }; - useHardenFlags = stdenv: stdenv // - { mkDerivation = args: stdenv.mkDerivation (args // { - NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") - + stdenv.lib.optionalString (args.hardening_all or true) ( - stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2" - + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong" - + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie" - + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC" - + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow" - + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security" - ); - NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") - + stdenv.lib.optionalString (args.hardening_all or true) ( - stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" - + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now" - ); - - }); - }; - dropCxx = drv: drv.override { stdenv = if pkgs.stdenv.isDarwin then pkgs.allStdenvs.stdenvDarwinNaked diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index b4fc755bd84..cef071bb3b6 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = https://packages.debian.org/source/xbindkeys-config; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 24fec4e33bb..e7164bf07b6 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index d1f13b77f0c..41043cda5b6 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index 20f7038067d..da0983fc097 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./CVE-2014-8139.diff diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index 6407fe4f350..115fc8e3aff 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A GTK+ front-end for command line archiving tools"; diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 8be743c8dd0..145b81c95bc 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index f27dd3c5be6..f38b24c0fc0 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 2de5736a4c2..7e7558f69e6 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 34bb109a171..0b10f30497d 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; - hardening_format = false; + hardeningDisable = [ "format" ]; # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 38e86c8ff1f..7db35e2b80e 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 6ddebe6b99d..986f940b906 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index c53400e6afd..5a3451810a1 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Samba mounted via FUSE"; diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index d3964b1e427..5613bac9b1a 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -11,7 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; patches = [ ./gcc5.patch ]; - hardening_fortify = false; + + hardeningDisable = [ "fortify" ]; preConfigure = '' sed -e '1i#include <limits.h>' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index 7e6c9931341..d6a31bd5c7f 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "GNU barcode generator"; diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index c3d9a859f3f..cdf38d1218a 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index 03326aa4562..e7fb3e773c1 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index e08b1309d41..6f236509a31 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -14,8 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-pngincludedir=${libpng}/include" diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 7f11f076dcc..ede6624ac59 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 9a9621dd784..82f958321bd 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index e28a2e16488..392527a2119 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; # Inspired by linux-install/nifskope.spec.in. installPhase = diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index dc145a0d862..abcbabea596 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit - hardening_format = false; + hardeningDisable = [ "format" ]; doCheck = true; diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index f67e7202521..496b1d35572 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib}/lib"; diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index a1aefbff33c..f2a85c73c2a 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { inherit (s) rev url sha256; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index c584ed282d6..898031cbaf3 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index f0e53696fc5..b96c469e346 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-video" ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Bar code reader"; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 6e7c6daca56..a06d3d0729a 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,7 +20,7 @@ let }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index d537c0f506f..132707106af 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { ddccontrol-db ]; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index 4475010f3b8..7d17dee8b53 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [flex]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index f99b83a2a0a..80fb3c6a694 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index d3b62149bdf..1ba4bceb787 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Bitmap Font Editor"; diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index f3c09ef686a..d56f9b3ce0f 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -52,7 +52,7 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; - hardening_all = false; + hardeningDisable = [ "all" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index c0579b91816..a690ef2084b 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; prePatch = '' unpackFile $gentooPatches diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 39c1ce9c0c1..fc8784decc5 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,8 +47,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; - hardening_stackprotector = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "pic" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index b73d83201e0..7946a3b062f 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index 0830eb51b3c..78f49588e8c 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix @@ -19,8 +19,7 @@ stdenv.mkDerivation { preConfigure = "cd src"; # not possible due to assembler code - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; makeFlags = [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here. diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index 097c26071fc..62d490ea4f9 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,8 +22,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" "pic" ]; buildFlags = "memtest.bin"; diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index a65bd1fe8ec..f92069e7b9f 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ glib gettext readline pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://palcal.sourceforge.net/; diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index 48c47cc3d8d..8d4f00ee847 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index cba343863be..4ef050b409e 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Unix-unix cp over serial line, also includes cu program"; diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index 292023a1b58..567783f6313 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ unzip libogg libvorbis ]; diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index 3d828a55121..debc2c239ad 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Converter from Microsoft Word formats to human-editable ones"; diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index cef5fee9cf9..31b6e74917e 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Patch the destination directory diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 0729f35db59..d262f7fc9e0 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 915562bd779..91232b4ffa7 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -pv $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 6032e53f0ba..b05f4e8e80e 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 90bc8b54f28..a9f2419b136 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 414ff692d10..13f8cedc673 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index 53e17e6cecd..140d58e3163 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./path-to-cat.patch ./no-gets.patch ]; diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 349dba12538..7a1eac59eea 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Mini PXE server"; diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 47fa2708821..b2242fe5454 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' rm -rf $out/share/doc diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 25af3e11caf..c1f78c911a1 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation { buildInputs = [ openssl ppp autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 7ade847b97b..6e497a0093e 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -63,7 +63,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' # Install ssh-copy-id, it's very useful. diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 8b0b3d9a736..fc4ca793199 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index e59e6d46080..36c6a2deead 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A utility for bidirectional data transfer between two independent data channels"; diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 3fe6144b72c..3a5117653c8 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ncurses]; diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index 22f991d8fe2..1c8829a07b2 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -22,7 +22,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Lightweight userspace bandwidth shaper"; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 1c7c946000e..e7c77161848 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index ba9552d4fae..81d43fa501c 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://vde.sourceforge.net/; diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index f1d7985e9a5..c47f1664cd6 100644 --- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation { buildInputs = [gettext]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' makeFlagsArray=(PREFIX=$out) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index d52243dcea5..cb365b9b4f7 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index 273d692ebaa..8efd04690db 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 1a2bc6a3108..506b1d398d5 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' for a in lcptools utils tb_polgen; do diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 805336cfe44..26f088fd54a 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index 0696af07166..0114c1d41ff 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; preInstall = '' mkdir -p $out/{bin,share/man/man8} diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 1456b6fca7c..7800bfa0831 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index ef54bde3db5..e19dbb02847 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--sysconfdir=/etc" diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index 956fd590b14..fc0889012c2 100644 --- a/pkgs/tools/system/which/default.nix +++ b/pkgs/tools/system/which/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index bcbf2b66a86..4a32e972a5b 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 98f9c0483c2..75922a6c830 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Tools to manipulate patch files"; diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index 33f72b029a1..ec99e8b4a27 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; unpackPhase = "tar xf $src"; installTargets = "install install.man"; diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index cffe0b39d22..c3d226a2acb 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 3585c4d04af..2cc67393903 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec { perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ @@ -123,7 +123,7 @@ core-big = stdenv.mkDerivation { inherit (common) src; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 989649c580f..bfffbae65b5 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -15,5 +15,5 @@ stdenv.mkDerivation rec { buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index a16dc169b98..81860f22e89 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9a10236a419..63a8e1485d1 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -214,12 +214,12 @@ let allPackages = args: import ./all-packages.nix ({ inherit config system; } // args); }; - defaultStdenv = stdenvAdapters.useHardenFlags (allStdenvs.stdenv // { inherit platform; }); + defaultStdenv = allStdenvs.stdenv // { inherit platform; }; stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal); stdenv = - if bootStdenv != null then ((import ../stdenv/adapters.nix pkgs_).useHardenFlags bootStdenv // {inherit platform;}) else + if bootStdenv != null then (bootStdenv // {inherit platform;}) else if crossSystem != null then stdenvCross else |