Diffstat (limited to 'pkgs')
-rw-r--r-- | pkgs/build-support/cc-wrapper/add-hardening | 7 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/cc-wrapper.sh | 1 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/ld-wrapper.sh | 1 | ||||
-rw-r--r-- | pkgs/development/libraries/gmp/5.1.x.nix | 2 | ||||
-rw-r--r-- | pkgs/shells/bash/default.nix | 2 |
5 files changed, 11 insertions, 2 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 966d68e1948..ab8ce610e27 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -2,11 +2,16 @@ hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) hardeningFlags+=("${hardeningEnable[@]}") hardeningCFlags=() hardeningLDFlags=() +hardeningDisable=(${hardeningDisable[@]}) + +if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then + hardeningDisable+=(bindnow relro) +fi if [[ ! $hardeningDisable == "all" ]]; then for flag in "${hardeningFlags[@]}" do - if [[ ! "$hardeningDisable" =~ "$flag" ]]; then + if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then case $flag in fortify) hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index a8a08e5e144..e07eb8b41dc 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -89,6 +89,7 @@ if [[ "@prog@" = *++ ]]; then fi fi +LD=@ldPath@/ld source @out@/nix-support/add-hardening.sh # Add the flags for the C compiler proper. diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh index 12c0709570b..09e87975437 100644 --- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh @@ -47,6 +47,7 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \ params=("${rest[@]}") fi +LD=@prog@ source @out@/nix-support/add-hardening.sh extra=(${hardeningLDFlags[@]}) diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index e803c7c56ac..5f20d66768e 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix 
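Review bot: The new probe in add-hardening drops `bindnow` and `relro` silently whenever the output of `$LD -z` contains "unknown option", so a build can lose RELRO and immediate binding with no trace in its log, while a linker that words the error differently is not detected at all. I would report the downgrade on stderr, for example `echo "add-hardening: $LD does not accept -z, dropping bindnow relro" >&2` (behind `NIX_DEBUG` if that is how these wrappers gate diagnostics and unconditional output would disturb configure checks). `$LD` is also expanded unquoted inside the command substitution; `"$LD" -z` is safer. Separately, the rewritten test `[[ ! "${hardeningDisable[@]}" =~ "$flag" ]]` is a substring match against the space-joined array, so any entry that merely contains a flag name turns that hardening off; an exact comparison such as `[[ " ${hardeningDisable[*]} " != *" $flag "* ]]` avoids that. The `for` loop and `case` statement continue outside the hunk.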
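Review bot: `LD=@ldPath@/ld` in cc-wrapper.sh assigns the generic name `LD` in the wrapper's own shell, and if the calling build has already exported `LD`, the assignment changes the value that the wrapped compiler and its children inherit. A wrapper-private name would avoid the clash, e.g. `hardeningLD=@ldPath@/ld` here with `"$hardeningLD" -z` in add-hardening; the same applies to `LD=@prog@` in the ld-wrapper.sh hunk. The substituted path is written unquoted, which is only safe while it contains no whitespace.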
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "stackprotector" ]; + hardeningDisable = [ "format" "stackprotector" ]; patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; diff --git a/pkgs/shells/bash/default.nix b/pkgs/shells/bash/default.nix index 60504ecaa9b..c9eee56b905 100644 --- a/pkgs/shells/bash/default.nix +++ b/pkgs/shells/bash/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { inherit sha256; }; + hardeningDisable = [ "format" ]; + outputs = [ "out" "doc" ]; NIX_CFLAGS_COMPILE = '' |
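Review bot: The `"format"` entry added to gmp's `hardeningDisable` has no stated reason; the FIXME above it ("needs gcc 4.9 in bootstrap tools") presumably describes `stackprotector`, so a reader cannot tell whether the format hardening is off because of a real build failure or a bootstrap limitation. The same is true of `hardeningDisable = [ "format" ];` in the bash hunk. I would add a comment at each site naming the failure that prompted the opt-out and the condition for removing it, e.g. `# format hardening breaks the build: <error seen>; re-enable once fixed`. Without that record these opt-outs tend to outlive their cause, and both packages keep building without the `format` hardening.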