nixpkgs-suyu/pkgs/build-support/cc-wrapper/cc-wrapper.sh
obadz 24a9183f90 Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set
2016-08-22 01:19:35 +01:00

177 lines
4.8 KiB
Bash

#! @shell@ -e
path_backup="$PATH"
if [ -n "@coreutils_bin@" ]; then
PATH="@coreutils_bin@/bin:@gnugrep_bin@/bin"
fi
if [ -n "$NIX_CC_WRAPPER_START_HOOK" ]; then
source "$NIX_CC_WRAPPER_START_HOOK"
fi
if [ -z "$NIX_CC_WRAPPER_FLAGS_SET" ]; then
source @out@/nix-support/add-flags.sh
fi
source @out@/nix-support/utils.sh
# Parse command line options and set several variables.
# For instance, figure out if linker flags should be passed.
# GCC prints annoying warnings when they are not needed.
dontLink=0
getVersion=0
nonFlagArgs=0
[[ "@prog@" = *++ ]] && isCpp=1 || isCpp=0
cppInclude=1
params=("$@")
n=0
while [ $n -lt ${#params[*]} ]; do
p=${params[n]}
p2=${params[$((n+1))]}
if [ "$p" = -c ]; then
dontLink=1
elif [ "$p" = -S ]; then
dontLink=1
elif [ "$p" = -E ]; then
dontLink=1
elif [ "$p" = -E ]; then
dontLink=1
elif [ "$p" = -M ]; then
dontLink=1
elif [ "$p" = -MM ]; then
dontLink=1
elif [[ "$p" = -x && "$p2" = *-header ]]; then
dontLink=1
elif [[ "$p" = -x && "$p2" = c++* && "$isCpp" = 0 ]]; then
isCpp=1
elif [ "$p" = -nostdlib ]; then
isCpp=-1
elif [ "$p" = -nostdinc ]; then
cppInclude=0
elif [ "$p" = -nostdinc++ ]; then
cppInclude=0
elif [ "${p:0:1}" != - ]; then
nonFlagArgs=1
elif [ "$p" = -m32 ]; then
if [ -e @out@/nix-support/dynamic-linker-m32 ]; then
NIX_LDFLAGS="$NIX_LDFLAGS -dynamic-linker $(cat @out@/nix-support/dynamic-linker-m32)"
fi
fi
n=$((n + 1))
done
# If we pass a flag like -Wl, then gcc will call the linker unless it
# can figure out that it has to do something else (e.g., because of a
# "-c" flag). So if no non-flag arguments are given, don't pass any
# linker flags. This catches cases like "gcc" (should just print
# "gcc: no input files") and "gcc -v" (should print the version).
if [ "$nonFlagArgs" = 0 ]; then
dontLink=1
fi
# Optionally filter out paths not refering to the store.
if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
rest=()
n=0
while [ $n -lt ${#params[*]} ]; do
p=${params[n]}
p2=${params[$((n+1))]}
if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
skip $p
elif [ "$p" = -L ] && badPath "$p2"; then
n=$((n + 1)); skip $p2
elif [ "${p:0:3}" = -I/ ] && badPath "${p:2}"; then
skip $p
elif [ "$p" = -I ] && badPath "$p2"; then
n=$((n + 1)); skip $p2
elif [ "$p" = -isystem ] && badPath "$p2"; then
n=$((n + 1)); skip $p2
else
rest+=("$p")
fi
n=$((n + 1))
done
params=("${rest[@]}")
fi
# Clear march/mtune=native -- they bring impurity.
if [ "$NIX_ENFORCE_NO_NATIVE" = 1 ]; then
rest=()
for i in "${params[@]}"; do
if [[ "$i" = -m*=native ]]; then
skip $i
else
rest+=("$i")
fi
done
params=("${rest[@]}")
fi
if [[ "$isCpp" = 1 ]]; then
if [[ "$cppInclude" = 1 ]]; then
NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE ${NIX_CXXSTDLIB_COMPILE-@default_cxx_stdlib_compile@}"
fi
NIX_CFLAGS_LINK="$NIX_CFLAGS_LINK $NIX_CXXSTDLIB_LINK"
fi
LD=@ldPath@/ld
source @out@/nix-support/add-hardening.sh
# Add the flags for the C compiler proper.
extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
extraBefore=()
if [ "$dontLink" != 1 ]; then
# Add the flags that should only be passed to the compiler when
# linking.
extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
# Add the flags that should be passed to the linker (and prevent
# `ld-wrapper' from adding NIX_LDFLAGS again).
for i in $NIX_LDFLAGS_BEFORE; do
extraBefore=(${extraBefore[@]} "-Wl,$i")
done
for i in $NIX_LDFLAGS; do
if [ "${i:0:3}" = -L/ ]; then
extraAfter+=("$i")
else
extraAfter+=("-Wl,$i")
fi
done
export NIX_LDFLAGS_SET=1
fi
# As a very special hack, if the arguments are just `-v', then don't
# add anything. This is to prevent `gcc -v' (which normally prints
# out the version number and returns exit code 0) from printing out
# `No input files specified' and returning exit code 1.
if [ "$*" = -v ]; then
extraAfter=()
extraBefore=()
fi
# Optionally print debug info.
if [ -n "$NIX_DEBUG" ]; then
echo "original flags to @prog@:" >&2
for i in "${params[@]}"; do
echo " $i" >&2
done
echo "extraBefore flags to @prog@:" >&2
for i in ${extraBefore[@]}; do
echo " $i" >&2
done
echo "extraAfter flags to @prog@:" >&2
for i in ${extraAfter[@]}; do
echo " $i" >&2
done
fi
if [ -n "$NIX_CC_WRAPPER_EXEC_HOOK" ]; then
source "$NIX_CC_WRAPPER_EXEC_HOOK"
fi
PATH="$path_backup"
exec @prog@ ${extraBefore[@]} "${params[@]}" "${extraAfter[@]}"