author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-02-26 18:38:15 +0100 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2016-03-05 18:55:26 +0100 |
commit | aff1f4ab948b921ceaf2b81610f2f82454302b4b (patch) | |
tree | 6e51e90a41409d56cfa084b9ca64921f2611fafc /pkgs/tools | |
parent | a2e449e43e82e258b94c723d92a5e9af641967e7 (diff) |
Use general hardening flag toggle lists
The following parameters are now available:

* hardeningDisable To disable specific hardening flags
* hardeningEnable To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
Diffstat (limited to 'pkgs/tools')
74 files changed, 76 insertions, 80 deletions
diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index b4fc755bd84a9..cef071bb3b61b 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = https://packages.debian.org/source/xbindkeys-config; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 24fec4e33bbdd..e7164bf07b6c3 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index d1f13b77f0c16..41043cda5b65a 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index 20f7038067dbe..da0983fc09709 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./CVE-2014-8139.diff 
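Review bot: The unzip hunk carries `hardeningDisable = [ "format" ];` over with no comment saying why, although this recipe parses untrusted archives and already ships `./CVE-2014-8139.diff`. The `format` flag is the one that turns format-string warnings into build errors, so a package that needs it off usually has at least one printf-style call with a non-literal format string, and it is worth recording which. A line such as `# format: build fails on <file>; see <upstream bug URL>` above the attribute would let a later reviewer re-test and drop the exception. The same applies to the eggdrop, mailutils, openfortivpn, telnet, uwimap and rsyslog hunks, which by their names handle network input. The `stdenv.mkDerivation` bodies extend beyond these hunks.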
diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index 6407fe4f350bb..115fc8e3aff13 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A GTK+ front-end for command line archiving tools"; diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 8be743c8dd0a7..145b81c95bc80 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index f27dd3c5be674..f38b24c0fc077 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 2de5736a4c220..7e7558f69e697 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. 
diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 34bb109a17153..0b10f30497d22 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; - hardening_format = false; + hardeningDisable = [ "format" ]; # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 38e86c8ff1f2e..7db35e2b80e28 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 6ddebe6b99d01..986f940b9069f 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index c53400e6afdda..5a3451810a127 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Samba mounted via FUSE"; 
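Review bot: `hardeningDisable = [ "fortify" ];` in the dvdisaster hunk has no stated reason, and unlike `format` it removes a runtime mitigation (the _FORTIFY_SOURCE checks on libc string and memory calls) from the built binaries rather than a compile-time diagnostic. Unlike the xz hunk, which keeps its `# FIXME needs gcc 4.9 in bootstrap tools` note, nothing here tells a reader when the exception can be lifted; a comment such as `# fortify: <build error or upstream bug>` would. The same gap exists in the udftools, graphviz (2.0, 2.32 and default), qrcode, zbar, dhcpdump, checkinstall and clib hunks. Of these, dhcpdump (built against libpcap) and zbar ("Bar code reader") appear to parse externally supplied data and would be the first to re-check. The derivation bodies continue outside the hunks.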
diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index d3964b1e42751..5613bac9b1a59 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -11,7 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; patches = [ ./gcc5.patch ]; - hardening_fortify = false; + + hardeningDisable = [ "fortify" ]; preConfigure = '' sed -e '1i#include <limits.h>' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index 7e6c99313418a..d6a31bd5c7f7d 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "GNU barcode generator"; diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index c3d9a859f3ff0..cdf38d1218ad4 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index 03326aa4562fe..e7fb3e773c1df 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; 
diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index e08b1309d4147..6f236509a310b 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -14,8 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-pngincludedir=${libpng}/include" diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 7f11f076dcc83..ede6624ac59de 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 9a9621dd784ec..82f958321bdd4 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index e28a2e1648856..392527a21198d 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; # Inspired by linux-install/nifskope.spec.in. installPhase = 
diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index dc145a0d86234..abcbabea596ce 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit - hardening_format = false; + hardeningDisable = [ "format" ]; doCheck = true; diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index f67e7202521b5..496b1d3557296 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib}/lib"; diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index a1aefbff33c67..f2a85c73c2afa 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { inherit (s) rev url sha256; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index c584ed282d6b8..898031cbaf3fc 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index f0e53696fc5c5..b96c469e3468c 100644 --- a/pkgs/tools/graphics/zbar/default.nix 
+++ b/pkgs/tools/graphics/zbar/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-video" ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Bar code reader"; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 6e7c6daca56d6..a06d3d0729a15 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,7 +20,7 @@ let }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index d537c0f506fc0..132707106af0a 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { ddccontrol-db ]; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index 4475010f3b855..7d17dee8b53c2 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [flex]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index f99b83a2a0a5e..80fb3c6a694c2 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure 
diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index d3b62149bdf31..1ba4bceb7876c 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Bitmap Font Editor"; diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index f3c09ef686a92..d56f9b3ce0f0f 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -52,7 +52,7 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; - hardening_all = false; + hardeningDisable = [ "all" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index c0579b9181641..a690ef2084b27 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; prePatch = '' unpackFile $gentooPatches diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 39c1ce9c0c11a..fc8784decc5ff 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,8 +47,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; - hardening_stackprotector = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "pic" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index b73d83201e0ef..7946a3b062fc9 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix 
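Review bot: `hardeningDisable = [ "all" ];` in grub/2.0x.nix switches off every flag, while the sibling recipes in this same commit disable only `stackprotector` (grub/default.nix) or `stackprotector` and `pic` (grub/trusted.nix). `all` is also absent from the commit message's list of flags cc-wrapper supports, so it is worth confirming that the wrapper accepts it and does not silently ignore an unknown name. If only the freestanding boot code breaks, narrowing to `hardeningDisable = [ "stackprotector" "pic" ];` would keep fortify, relro and bindnow for whatever else the package builds; otherwise add a comment stating why the blanket opt-out is required. The `stdenv.mkDerivation` block starts and ends outside the hunk.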
@@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index 0830eb51b3ca7..78f49588e8c3e 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix @@ -19,8 +19,7 @@ stdenv.mkDerivation { preConfigure = "cd src"; # not possible due to assembler code - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; makeFlags = [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here. diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index 097c26071fcfd..62d490ea4f9ef 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,8 +22,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" "pic" ]; buildFlags = "memtest.bin"; diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index a65bd1fe8ec1a..f92069e7b9f50 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ glib gettext readline pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://palcal.sourceforge.net/; diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index 48c47cc3d8db6..8d4f00ee84786 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix 
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index cba343863bef5..4ef050b409e59 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Unix-unix cp over serial line, also includes cu program"; diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index 292023a1b582f..567783f631384 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ unzip libogg libvorbis ]; diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index 3d828a55121e8..debc2c239ad63 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Converter from Microsoft Word formats to human-editable ones"; diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index cef5fee9cf93e..31b6e74917e88 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Patch the destination directory diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 0729f35db59b8..d262f7fc9e0c5 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 915562bd77918..91232b4ffa74c 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -pv $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 6032e53f0baa2..b05f4e8e80eed 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 90bc8b54f28f0..a9f2419b1368e 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 414ff692d10db..13f8cedc673d8 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index 53e17e6cecdc1..140d58e3163ef 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./path-to-cat.patch ./no-gets.patch ]; diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 349dba12538c0..7a1eac59eeae4 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Mini PXE server"; diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 47fa2708821a3..b2242fe545465 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' rm -rf $out/share/doc 
diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 25af3e11cafbf..c1f78c911a1aa 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation { buildInputs = [ openssl ppp autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 7ade847b97beb..6e497a0093e15 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -63,7 +63,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' # Install ssh-copy-id, it's very useful. diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 8b0b3d9a736c8..fc4ca793199d3 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index e59e6d4608038..36c6a2deead07 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A utility for bidirectional data transfer between two independent data channels"; 
diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 3fe6144b72ca3..3a5117653c836 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ncurses]; diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index 22f991d8fe2a3..1c8829a07b273 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -22,7 +22,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Lightweight userspace bandwidth shaper"; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 1c7c946000ebd..e7c7716184808 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index ba9552d4faea3..81d43fa501cf0 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://vde.sourceforge.net/; diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index f1d7985e9a507..c47f1664cd6ec 100644 
--- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation { buildInputs = [gettext]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' makeFlagsArray=(PREFIX=$out) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index d52243dcea5cb..cb365b9b4f767 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index 273d692ebaa60..8efd04690dbe1 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 1a2bc6a310829..506b1d398d54e 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' for a in lcptools utils tb_polgen; do diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 805336cfe44b1..26f088fd54a2c 100644 --- a/pkgs/tools/system/cron/default.nix 
+++ b/pkgs/tools/system/cron/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index 0696af07166ba..0114c1d41ff67 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; preInstall = '' mkdir -p $out/{bin,share/man/man8} diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 1456b6fca7c45..7800bfa08313a 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index ef54bde3db56c..e19dbb028474e 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--sysconfdir=/etc" diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index 956fd590b14c9..fc0889012c2e1 100644 --- a/pkgs/tools/system/which/default.nix +++ b/pkgs/tools/system/which/default.nix 
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index bcbf2b66a860b..4a32e972a5b39 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 98f9c0483c2d0..75922a6c830ca 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Tools to manipulate patch files"; diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index 33f72b029a1ee..ec99e8b4a27af 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; unpackPhase = "tar xf $src"; installTargets = "install install.man"; diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index cffe0b39d2297..c3d226a2acb0e 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix 
@@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 3585c4d04af8b..2cc6739390381 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec { perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ @@ -123,7 +123,7 @@ core-big = stdenv.mkDerivation { inherit (common) src; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 989649c580f2e..bfffbae65b59e 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -15,5 +15,5 @@ stdenv.mkDerivation rec { buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index a16dc169b98e8..81860f22e897f 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw |