authorRobin Gloster <mail@glob.in>2016-02-22 18:31:04 +0000
committerRobin Gloster <mail@glob.in>2016-02-22 18:31:04 +0000
commit57d6a38ed513e80fbd4135b7c2d3a9326a2649fc (patch)
tree632ccf609e266d2fe1cca21824db4f401c7e7387 /pkgs/stdenv
parent35f92d9810f334cd16e4cb5f2a5f968a4a7c2093 (diff)
stdenv: change hardening flags
 * remove relro/bindnow from compile flags as they break clang
 * use fstackprotector-strong instead of fstackprotector-all for speed
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r--pkgs/stdenv/adapters.nix4
1 files changed, 1 insertions, 3 deletions
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 5a5550ebb0497..4f092ee1d97cc 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -241,11 +241,9 @@ rec {
         NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
           + stdenv.lib.optionalString (args.hardening_all or true) (
             stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
-            + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
+            + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong"
             + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
             + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
-            + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
-            + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
             + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
             + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
           );
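Review bot: Dropping `-Wl,-z,relro` and `-Wl,-z,now` from NIX_CFLAGS_COMPILE leaves `hardening_relro` and `hardening_bindnow` with no visible effect in this hunk, so unless they are applied elsewhere, builds lose read-only relocations and immediate binding, and the GOT stays writable at run time. Both are link-time options, so they fit better in the linker flags, still under the `hardening_all` guard, e.g. `NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") + stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now";`. The enclosing attribute set starts and ends outside the hunk, so it is worth confirming whether such a definition already exists. On the stack-protector line, a comment such as `# -strong skips functions without arrays or address-taken locals; needs GCC >= 4.9` would record the coverage trade-off against `-all` and the compiler requirement.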