author | Robert Scott <code@humanleg.org.uk> | 2023-02-16 21:19:30 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-16 21:19:30 +0000 |
commit | 0eedcfc3f4570ae3df43116d5d1e3f586fc36f7d (patch) | |
tree | 07ff452e2aa56b17ce1c3d971c2e0dee4c374d03 /pkgs/build-support/cc-wrapper | |
parent | 8997f4a4db9b9e9dc68a5fdb0ae9d23cfd0d85b1 (diff) | |
parent | 4e49c5d2e3550e072a34aa2c761cb7beb82e1309 (diff) |
Merge pull request #212498 from risicle/ris-fortify3
hardening flags: add `FORTIFY_SOURCE=3` support
Diffstat (limited to 'pkgs/build-support/cc-wrapper')
-rw-r--r-- | pkgs/build-support/cc-wrapper/add-hardening.sh | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index b23fda1fed756..3a7513a9f0137 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -12,8 +12,17 @@ done
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
 unset -v "hardeningEnableMap[$flag]"
+ # fortify being unsupported implies fortify3 is unsupported
+ if [[ "$flag" = 'fortify' ]] ; then
+ unset -v "hardeningEnableMap['fortify3']"
+ fi
 done
 
+# make fortify and fortify3 mutually exclusive
+if [[ -z "${hardeningEnableMap[fortify3]-}" ]]; then
+ unset -v "hardeningEnableMap['fortify']"
+fi
+
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
 declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
 declare -A hardeningDisableMap=()
@@ -36,11 +45,23 @@ fi
 for flag in "${!hardeningEnableMap[@]}"; do
 case $flag in
- fortify)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+ fortify | fortify3)
 # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
 # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
- hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE' '-D_FORTIFY_SOURCE=2')
+ hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+ case $flag in
+ fortify)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+ hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+ ;;
+ fortify3)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
+ hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+ ;;
+ *)
+ # Ignore unsupported.
+ ;;
+ esac
 ;;
 stackprotector)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi |
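Review bot: The mutual-exclusion test added after `done` in the first hunk is inverted: `[[ -z "${hardeningEnableMap[fortify3]-}" ]]` is true exactly when `fortify3` is absent from the enable map, so `fortify` is unset whenever `fortify3` was not requested, which is the opposite of what the comment above it states. Assuming map entries carry a non-empty value when set (the population loop is outside this hunk, but the `-z` test itself presumes that), a build that asks only for plain `fortify` ends up with neither flag and silently loses `-D_FORTIFY_SOURCE=2` from `hardeningCFlags`, a hardening regression with no diagnostic unless `NIX_DEBUG` is raised. The condition should read `if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then`, and I would make the intent explicit in the comment: `# make fortify and fortify3 mutually exclusive; when both are requested, fortify3 takes precedence`. A quick check with `NIX_DEBUG=1` and the default enable set should print `HARDENING: enabling fortify` once this is fixed, and nothing for fortify with the code as merged.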