author | Robert Scott <code@humanleg.org.uk> | 2023-04-05 15:08:10 +0100 |
committer | Robert Scott <code@humanleg.org.uk> | 2023-06-25 11:50:46 +0100 |
commit | db3e94c3b2046108932442d0b9c77711d4588574 (patch) | |
tree | f921ca6338e1a62f02b39376d17d1b15a616b420 /pkgs/stdenv | |
parent | da7359f8c71a23afa66b4cc2a0972c0c9730e420 (diff) |
hardening flags: enable fortify3 by default
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r-- | pkgs/stdenv/generic/make-derivation.nix | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 232ba2f8a8ac7..2ae603049d415 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -195,16 +195,13 @@ let
   # Musl-based platforms will keep "pie", other platforms will not.
   # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
   # in the nixpkgs manual to inform users about the defaults.
-  defaultHardeningFlags = let
-    # not ready for this by default
-    supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
-  in if stdenv.hostPlatform.isMusl &&
+  defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
     # Except when:
     # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
     # - static armv7l, where compilation fails.
     !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
-    then supportedHardeningFlags'
-    else lib.remove "pie" supportedHardeningFlags';
+    then supportedHardeningFlags
+    else lib.remove "pie" supportedHardeningFlags;
   enabledHardeningOptions = if builtins.elem "all" hardeningDisable' then [] |