authorFranz Pletz <fpletz@fnordicwalking.de>2015-12-23 02:59:47 +0100
committerRobin Gloster <mail@glob.in>2016-01-30 16:36:57 +0000
commit954e9903adc837c201a7bd70eede50d874aadbf6 (patch)
tree2e73f91504f4970cb2ae6bdb08115267eb634ced /pkgs/stdenv
parentc5f092c6a7f20ddca7d1b2ddc2cb8eb6b02d2eaf (diff)
Use a hardened stdenv by default
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r--pkgs/stdenv/adapters.nix16
1 files changed, 16 insertions, 0 deletions
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 836dedf1cb189..58e1c157b938e 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -236,6 +236,22 @@ rec {
       });
     };
 
+  useHardenFlags = stdenv: stdenv //
+    { mkDerivation = args: stdenv.mkDerivation (args // {
+        NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
+          + stdenv.lib.optionalString (!(args.noHardening_all or false)) (
+            stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2"
+            + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all"
+            + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie"
+            + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC"
+            + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro"
+            + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now"
+            + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow"
+            + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security"
+          );
+      });
+    };
+
   dropCxx = drv: drv.override {
     stdenv = if pkgs.stdenv.isDarwin
       then pkgs.allStdenvs.stdenvDarwinNaked
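Review bot: The conditions for `-fPIE -pie` and `-z now` are inverted relative to every other flag in the hunk: with the default `noHardening_pie = false` / `noHardening_bindnow = false` they evaluate to false, so PIE and bind-now are never applied unless a package sets an attribute whose name says it disables them, and the trailing `&& true` is a no-op that hides this. If the intent is to make those two opt-in (both are the ones most likely to break builds, and `-pie` clashes with `-shared`), rename the attributes to something like `hardening_pie` / `hardening_bindnow` and drop the `&& true`; if not, change the tests to `!(args.noHardening_pie or false)` and `!(args.noHardening_bindnow or false)` like their neighbours. Either way it deserves a comment, because as written `-z relro` alone yields only partial RELRO and leaves the GOT writable. Separately, `-z relro`, `-z now` and `-pie` are linker options being injected through NIX_CFLAGS_COMPILE; they presumably only reach the linker when linking goes through the compiler driver, so a package that invokes `ld` directly would not get them, and the forced `-O2` overrides whatever optimization level a package sets itself — worth confirming against the cc-wrapper whether NIX_LDFLAGS is the better carrier for the link-time flags.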