diff options
author | John Ericson <John.Ericson@Obsidian.Systems> | 2017-08-28 14:56:08 -0400 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2017-08-30 17:53:42 +0200 |
commit | 97a48835b7d7124b3c218a6be7ca4536ac0360a8 (patch) | |
tree | 4d9236d77b20167286a74c0860df371f75085853 /pkgs/stdenv | |
parent | 822a8d01481e4cb2bab7e82a01637eceddaba5a2 (diff) |
mkDerivation, cc-wrapper: Check hardening flag validity in Nix
This becomes necessary if more wrappers besides cc-wrapper start supporting hardening flags. Also good to make the warning into an error. Also ensure interface is being used right: Not as a string, not just in bash.
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r-- | pkgs/stdenv/generic/make-derivation.nix | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix index 2fbaa76c6a432..b9d8b2d31175c 100644 --- a/pkgs/stdenv/generic/make-derivation.nix +++ b/pkgs/stdenv/generic/make-derivation.nix @@ -41,7 +41,20 @@ rec { , __propagatedImpureHostDeps ? [] , sandboxProfile ? "" , propagatedSandboxProfile ? "" + + , hardeningEnable ? [] + , hardeningDisable ? [] , ... } @ attrs: + + # TODO(@Ericson2314): Make this more modular, and not O(n^2). + let allHardeningFlags = [ + "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" + "bindnow" + ]; + in assert lib.all + (flag: lib.elem flag allHardeningFlags) + (hardeningEnable ++ hardeningDisable); + let dependencies = map lib.chooseDevOutputs [ (map (drv: drv.nativeDrv or drv) nativeBuildInputs |