Merge pull request #253194 from risicle/ris-nix-hardening-enable-fortify3-imply-fortify

cc-wrapper: ensure `NIX_HARDENING_ENABLE` `fortify3` implies `fortify` too
author: Robert Scott <code@humanleg.org.uk> 2023-10-23 19:23:02 +0100
committer: GitHub <noreply@github.com> 2023-10-23 19:23:02 +0100
commit: 25920d8de2f828907aa4059e9330a1edfecceeb8 (patch)
tree: 109e9b6ec637a5d7efba0e045a94bf351f044a66 /pkgs/build-support/cc-wrapper
parent: 2c2c0379b759c234413de63478847266cdc8ed93 (diff)
parent: 4c6fd59fcd6a3c5235ed4f946313329cefbed818 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 8d02b4e5124d8..8cd63e4609518 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -10,6 +10,13 @@ for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do
   hardeningEnableMap["$flag"]=1
 done
 
+# fortify3 implies fortify enablement - make explicit before
+# we filter unsupported flags because unsupporting fortify3
+# doesn't mean we should unsupport fortify too
+if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
+  hardeningEnableMap["fortify"]=1
+fi
+
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
   unset -v "hardeningEnableMap[$flag]"
@@ -19,7 +26,7 @@ for flag in @hardening_unsupported_flags@; do
   fi
 done
 
-# make fortify and fortify3 mutually exclusive
+# now make fortify and fortify3 mutually exclusive
 if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
   unset -v "hardeningEnableMap['fortify']"
 fi
author	Robert Scott <code@humanleg.org.uk>	2023-10-23 19:23:02 +0100
committer	GitHub <noreply@github.com>	2023-10-23 19:23:02 +0100
commit	25920d8de2f828907aa4059e9330a1edfecceeb8 (patch)
tree	109e9b6ec637a5d7efba0e045a94bf351f044a66 /pkgs/build-support/cc-wrapper
parent	2c2c0379b759c234413de63478847266cdc8ed93 (diff)
parent	4c6fd59fcd6a3c5235ed4f946313329cefbed818 (diff)