mkDerivation, cc-wrapper: Check hardening flag validity in Nix
This becomes necessary if more wrappers besides cc-wrapper start supporting hardening flags. Also good to make the warning into an error. Also ensure interface is being used right: Not as a string, not just in bash.
This commit is contained in:
parent
822a8d0148
commit
97a48835b7
5 changed files with 19 additions and 4 deletions
@ -68,7 +68,8 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
|
|||
hardeningLDFlags+=('-z' 'now')
|
||||
;;
|
||||
*)
|
||||
echo "Hardening flag unknown: $flag" >&2
|
||||
# Ignore unsupported. Checked in Nix that at least *some*
|
||||
# tool supports each flag.
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
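Review bot: Removing the `echo` from the `*)` branch means a hardening flag this wrapper does not implement is dropped without any trace at build time, so a derivation can end up with less hardening than it asked for and nothing in the log shows it. The new comment says the Nix side only guarantees that *some* tool supports each flag, so this wrapper may still legitimately receive flags it does not know, and a typo in a flag name that happens to be valid for another wrapper would also land here silently. Keeping a diagnostic behind the wrapper's existing debug switch costs nothing, e.g. `if (( "${NIX_DEBUG:-0}" >= 1 )); then echo "Hardening flag not supported by cc-wrapper, ignoring: $flag" >&2; fi`. The enclosing `case` statement begins above this hunk.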
|
|
|
@ -8,8 +8,9 @@ stdenv.mkDerivation rec {
|
|||
sha256 = "14f1k7v6i1yaxg4xcaaf5i4aqn0yabba857zjnbg9wiymy82qf7c";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ]; # fix compile error
|
||||
|
||||
buildCommand = ''
|
||||
export hardeningDisable=format # fix compile error
|
||||
cc "$src" -o devmem2
|
||||
install -D devmem2 "$out/bin/devmem2"
|
||||
'';
|
||||
|
|
|
@ -17,7 +17,7 @@ let version = "8"; in
|
|||
buildInputs = [ gnu-efi libsmbios popt pkgconfig gettext ];
|
||||
propagatedBuildInputs = [ efivar ];
|
||||
# TODO: Just apply the disable to the efi subdir
|
||||
hardeningDisable = "all";
|
||||
hardeningDisable = [ "all" ];
|
||||
patchPhase = ''
|
||||
sed -i 's|/usr/include/smbios_c/token.h|smbios_c/token.h|' \
|
||||
linux/libfwup.c
|
||||
|
|
|
@ -41,7 +41,20 @@ rec {
|
|||
, __propagatedImpureHostDeps ? []
|
||||
, sandboxProfile ? ""
|
||||
, propagatedSandboxProfile ? ""
|
||||
|
||||
, hardeningEnable ? []
|
||||
, hardeningDisable ? []
|
||||
, ... } @ attrs:
|
||||
|
||||
# TODO(@Ericson2314): Make this more modular, and not O(n^2).
|
||||
let allHardeningFlags = [
|
||||
"fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
|
||||
"bindnow"
|
||||
];
|
||||
in assert lib.all
|
||||
(flag: lib.elem flag allHardeningFlags)
|
||||
(hardeningEnable ++ hardeningDisable);
|
||||
|
||||
let
|
||||
dependencies = map lib.chooseDevOutputs [
|
||||
(map (drv: drv.nativeDrv or drv) nativeBuildInputs
|
||||
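Review bot: `allHardeningFlags` does not contain `"all"`, yet two other hunks in this same commit set `hardeningDisable = [ "all" ]` (the `-17,7 +17,7` and `-233,7 +233,7` sections), so the new `assert` would reject exactly those derivations; the wrapper script shown in the first hunk handles `hardeningDisableMap[all]` itself, so `"all"` should be accepted on the disable side before the membership check. A bare `assert` also fails with a generic assertion error that does not say which flag was rejected, so a misspelled flag costs the maintainer a search through the attribute set; filtering out the offending flags and naming them in a `throw` makes the error actionable. The `mkDerivation` function this sits in starts and ends outside the hunk.
```nix
# TODO(@Ericson2314): Make this more modular, and not O(n^2).
let allHardeningFlags = [
      "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
      "bindnow"
    ];
    # "all" is only meaningful for disabling; the wrapper script expands it.
    unknownFlags = lib.filter (flag: !(lib.elem flag allHardeningFlags))
      (hardeningEnable ++ lib.remove "all" hardeningDisable);
in assert unknownFlags == []
   || throw "mkDerivation: unknown hardening flags: ${toString unknownFlags}";
# … unchanged: let dependencies = … …
```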
|
|
|
@ -233,7 +233,7 @@ stdenv.mkDerivation rec {
|
|||
|
||||
patches = [ ./nixos.patch ];
|
||||
|
||||
hardeningDisable = "all";
|
||||
hardeningDisable = [ "all" ];
|
||||
dontPatchELF = true;
|
||||
dontStrip = true;
|
||||
|
||||
|
|