author | Robin Gloster <mail@glob.in> | 2016-02-22 18:31:04 +0000 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2016-02-22 18:31:04 +0000 |
commit | 57d6a38ed513e80fbd4135b7c2d3a9326a2649fc (patch) | |
tree | 632ccf609e266d2fe1cca21824db4f401c7e7387 /pkgs/stdenv | |
parent | 35f92d9810f334cd16e4cb5f2a5f968a4a7c2093 (diff) |
stdenv: change hardening flags
* remove relro/bindnow from compile flags as they break clang
* use fstackprotector-strong instead of fstackprotector-all for speed
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r-- | pkgs/stdenv/adapters.nix | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 5a5550ebb0497..4f092ee1d97cc 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -241,11 +241,9 @@ rec {
 NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
 + stdenv.lib.optionalString (args.hardening_all or true) (
 stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
- + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
+ + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong"
 + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
 + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
- + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
- + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
 + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
 + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
 );
|
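Review bot: Dropping the `-Wl,-z,relro` and `-Wl,-z,now` lines from `NIX_CFLAGS_COMPILE` leaves `hardening_relro` and `hardening_bindnow` with no visible effect. Nothing in this hunk moves the two options to the link step, so binaries built through this adapter would lose full RELRO, and the GOT would stay writable after startup. If no other part of the file already sets them, they belong in the linker flags, for example `NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") + stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now";`. The switch to `-fstack-protector-strong` also deserves a comment on that line saying that only functions with arrays, address-taken locals or `alloca` get a canary, and that older compilers do not accept the flag. The enclosing attribute set starts and ends outside the hunk, so an existing `NIX_LDFLAGS` definition cannot be ruled out from here.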