diff options
309 files changed, 365 insertions, 372 deletions
diff --git a/pkgs/applications/audio/QmidiNet/default.nix b/pkgs/applications/audio/QmidiNet/default.nix index c0879e58aca6d..42c98cbb11015 100644 --- a/pkgs/applications/audio/QmidiNet/default.nix +++ b/pkgs/applications/audio/QmidiNet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ qt4 alsaLib libjack2 ]; diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix index 80e3c5dc40a7a..a22866dc031ab 100644 --- a/pkgs/applications/audio/aacgain/default.nix +++ b/pkgs/applications/audio/aacgain/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' cd mp4v2 diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix index 9de3bef62ad3f..abe679f10bc5d 100644 --- a/pkgs/applications/audio/cdparanoia/default.nix +++ b/pkgs/applications/audio/cdparanoia/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = "unset CC"; diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix index 1cc0e56fe7e6b..e1c063d823d6e 100644 --- a/pkgs/applications/audio/csound/default.nix +++ b/pkgs/applications/audio/csound/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = mirror://sourceforge/csound/Csound6.04.tar.gz; diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix index eae7ce390c01d..1611975182bcf 100644 --- a/pkgs/applications/audio/freewheeling/default.nix +++ b/pkgs/applications/audio/freewheeling/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { patches = [ ./am_path_sdl.patch ./xml.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A live looping instrument with JACK and MIDI support"; diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix index 7a5095f37887a..ec7f7a5c32dbc 100644 --- a/pkgs/applications/audio/jack-capture/default.nix +++ b/pkgs/applications/audio/jack-capture/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { cp jack_capture $out/bin/ ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "A program for recording soundfiles with jack"; diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix index 92e39f7bb114f..22ab37dc98af2 100644 --- a/pkgs/applications/audio/lingot/default.nix +++ b/pkgs/applications/audio/lingot/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ pkgconfig intltool gtk alsaLib libglade ]; diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix index 67ac74f5f5a21..fa4ea6343e915 100644 --- a/pkgs/applications/audio/mi2ly/default.nix +++ b/pkgs/applications/audio/mi2ly/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sourceRoot="."; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = "./cc"; installPhase = '' diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix index f2434619c4757..d28cd7c9e06d1 100644 --- a/pkgs/applications/audio/mp3info/default.nix +++ b/pkgs/applications/audio/mp3info/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses pkgconfig gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' sed -i Makefile \ diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix index abea552157154..7477bea7602c4 100644 --- a/pkgs/applications/audio/mp3val/default.nix +++ b/pkgs/applications/audio/mp3val/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { install -Dv mp3val "$out/bin/mp3val" ''; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "A tool for validating and repairing MPEG audio streams"; diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix index c5bcd5ab4e41e..b68c44278ee1e 100644 --- a/pkgs/applications/audio/mpg321/default.nix +++ b/pkgs/applications/audio/mpg321/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no")) diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix index b6a98268a9bce..b89278a7fd9ab 100644 --- a/pkgs/applications/audio/musescore/default.nix +++ b/pkgs/applications/audio/musescore/default.nix @@ -13,8 +13,7 @@ stdenv.mkDerivation rec { sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw"; }; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "relro" "bindnow" ]; makeFlags = [ "PREFIX=$(out)" diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix index 460745ddddb85..e4ec281cacb85 100644 --- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix +++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for file in `grep -r -l g_canvas.h` diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix index 1eb0e1be65477..3b836d9eb3304 100644 --- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix +++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for i in ${puredata}/include/pd/*; do diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix index 207967a978f5f..972a162b73f44 100644 --- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix +++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for D in net osc diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix index 647ed9036dc24..822e0d5548ba0 100644 --- a/pkgs/applications/audio/rakarrack/default.nix +++ b/pkgs/applications/audio/rakarrack/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./fltk-path.patch ]; diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix index c784b33700e71..ece3cbef59604 100644 --- a/pkgs/applications/audio/zynaddsubfx/default.nix +++ b/pkgs/applications/audio/zynaddsubfx/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ]; nativeBuildInputs = [ cmake pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "High quality software synthesizer"; diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix index 5ddcf34995f7e..2817bd168dee7 100644 --- a/pkgs/applications/editors/ht/default.nix +++ b/pkgs/applications/editors/ht/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { ncurses ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with lib; { description = "File editor/viewer/analyzer for executables"; diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix index f3755db448cd3..a5b0f2e400a42 100644 --- a/pkgs/applications/editors/leafpad/default.nix +++ b/pkgs/applications/editors/leafpad/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ intltool pkgconfig gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--enable-chooser" diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix index 7b8281b4e3c61..4866ba92addd4 100644 --- a/pkgs/applications/graphics/cinepaint/default.nix +++ b/pkgs/applications/graphics/cinepaint/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./install.patch ]; diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix index c33da65522207..bd1a8d03ec491 100644 --- a/pkgs/applications/graphics/giv/default.nix +++ b/pkgs/applications/graphics/giv/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix index ff069d0d97277..822ef8ad4353b 100644 --- a/pkgs/applications/graphics/gqview/default.nix +++ b/pkgs/applications/graphics/gqview/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [pkgconfig gtk libpng]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A fast image viewer"; diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix index c3aed10d00ca0..fa1958059b80e 100644 --- a/pkgs/applications/graphics/meshlab/default.nix +++ b/pkgs/applications/graphics/meshlab/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { patches = [ ./include-unistd.diff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = '' mkdir -p "$out/include" diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix index da6521199c5a1..e6a0453e533a0 100644 --- a/pkgs/applications/graphics/qtpfsgui/default.nix +++ b/pkgs/applications/graphics/qtpfsgui/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' export CPATH="${ilmbase}/include/OpenEXR:$CPATH" diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix index b3db2fde4cb27..375b09995488f 100644 --- a/pkgs/applications/graphics/tesseract/default.nix +++ b/pkgs/applications/graphics/tesseract/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool leptonica libpng libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix index 4f8f3ac16f4b0..6903837e5ad57 100644 --- a/pkgs/applications/graphics/xfig/default.nix +++ b/pkgs/applications/graphics/xfig/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ imake makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11"; diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix index 3c970e40b4822..b1574ea6963b2 100644 --- a/pkgs/applications/inferno/default.nix +++ b/pkgs/applications/inferno/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation rec { --set INFERNO_ROOT "$out/share/inferno" ''; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "A compact distributed operating system for building cross-platform distributed systems"; diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix index 7810284973f3c..782ef4ae36609 100644 --- a/pkgs/applications/misc/epdfview/default.nix +++ b/pkgs/applications/misc/epdfview/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig gtk poppler ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ (fetchpatch { name = "epdfview-0.1.8-glib2-headers.patch"; diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix index 7c755a4f3d3ef..cf7fdafd74298 100644 --- a/pkgs/applications/misc/gkrellm/default.nix +++ b/pkgs/applications/misc/gkrellm/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Makefiles are patched to fix references to `/usr/X11R6' and to add # `-lX11' to make sure libX11's store path is in the RPATH. diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix index 86127d56b01cf..e0ece09db1802 100644 --- a/pkgs/applications/misc/grip/default.nix +++ b/pkgs/applications/misc/grip/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia libid3tag ncurses libtool ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "GTK+-based audio CD player/ripper"; diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix index dac597fe67cdd..7c0d615f36633 100644 --- a/pkgs/applications/misc/k2pdfopt/default.nix +++ b/pkgs/applications/misc/k2pdfopt/default.nix @@ -31,7 +31,7 @@ in stdenv.mkDerivation rec { openjpeg freetype jbig2dec djvulibre openssl ]; NIX_LDFLAGS = "-lX11 -lXext"; - hardening_format = false; + hardeningDisable = [ "format" ]; k2_pa = ./k2pdfopt.patch; tess_pa = ./tesseract.patch; diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix index 67f474cefac8c..5f70d4b5c4491 100644 --- a/pkgs/applications/misc/navit/default.nix +++ b/pkgs/applications/misc/navit/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # 'cvs' is only for the autogen buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix index 43da0c92a42f3..b6d46cf9ed13f 100644 --- a/pkgs/applications/misc/posterazor/default.nix +++ b/pkgs/applications/misc/posterazor/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ]; diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix index 6a768d449582a..8e781cd1c0265 100644 --- a/pkgs/applications/misc/sdcv/default.nix +++ b/pkgs/applications/misc/sdcv/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = ( if stdenv.isDarwin then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ] diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix index d725bba030793..b7b9d36b4cb88 100644 --- a/pkgs/applications/misc/tasknc/default.nix +++ b/pkgs/applications/misc/tasknc/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # # I know this is ugly, but the Makefile does strange things in this package, diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix index a62f7cd2aa662..e595d771ec0cc 100644 --- a/pkgs/applications/misc/vym/default.nix +++ b/pkgs/applications/misc/vym/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig qt4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' qmake PREFIX="$out" diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix index d5edf2a4d584d..2f98bc66e9b34 100644 --- a/pkgs/applications/misc/wordnet/default.nix +++ b/pkgs/applications/misc/wordnet/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [tcl tk xlibsWrapper makeWrapper]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index 3d40aa1f60cc2..2415c06dba42a 100644 --- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; - hardening_format = false; + hardeningDisable = [ "format" ]; installFlags = "PREFIX=/ DESTDIR=$(out)"; diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index cc3e55f02e91c..ae1bf5bffea9e 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix index 156b138f290fc..b765c97fb8e7c 100644 --- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix +++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { dontDisableStatic = true; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-ncurses=${ncurses}"; diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix index 181cd3301e389..12466379bf940 100644 --- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix +++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix index 8084d5133f16a..746d79805f5c6 100644 --- a/pkgs/applications/networking/iptraf-ng/default.nix +++ b/pkgs/applications/networking/iptraf-ng/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { --localstatedir=$out/var --sbindir=$out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A console-based network monitoring utility (fork of iptraf)"; diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix index c77b51d70648c..b86de98f950de 100644 --- a/pkgs/applications/networking/mailreaders/alpine/default.nix +++ b/pkgs/applications/networking/mailreaders/alpine/default.nix @@ -18,8 +18,7 @@ stdenv.mkDerivation { ncurses tcl openssl pam kerberos openldap ]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix index 1ee4253146501..3ff690a244bc9 100644 --- a/pkgs/applications/networking/mailreaders/realpine/default.nix +++ b/pkgs/applications/networking/mailreaders/realpine/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation { ncurses tcl openssl pam kerberos openldap ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix index 681ace6ab8fc7..ed64629fe244d 100644 --- a/pkgs/applications/networking/remote/ssvnc/default.nix +++ b/pkgs/applications/networking/remote/ssvnc/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { configurePhase = "makeFlags=PREFIX=$out"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix index 152aec27d8334..dc00cef889824 100644 --- a/pkgs/applications/science/electronics/caneda/default.nix +++ b/pkgs/applications/science/electronics/caneda/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ cmake qt4 libxml2 libxslt ]; diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix index c5c2cee62e81e..22e64ee0566b1 100644 --- a/pkgs/applications/science/geometry/drgeo/default.nix +++ b/pkgs/applications/science/geometry/drgeo/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { name = "drgeo-${version}"; version = "1.1.0"; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = "mirror://sourceforge/ofset/${name}.tar.gz"; diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix index cb0c308b12918..8eedafcd68bbe 100644 --- a/pkgs/applications/science/logic/ltl2ba/default.nix +++ b/pkgs/applications/science/logic/ltl2ba/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace Makefile \ diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix index b0b001f7b3c40..dd383f1fff649 100644 --- a/pkgs/applications/science/logic/otter/default.nix +++ b/pkgs/applications/science/logic/otter/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation { inherit (s) url sha256; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = '' find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g" diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix index f6ec3b840ac59..9c09ea3db980b 100644 --- a/pkgs/applications/science/logic/prover9/default.nix +++ b/pkgs/applications/science/logic/prover9/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' RM=$(type -tp rm) diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix index f294750928edf..7643c912db4b9 100644 --- a/pkgs/applications/science/math/cbc/default.nix +++ b/pkgs/applications/science/math/cbc/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ zlib bzip2 ]; diff --git a/pkgs/applications/science/math/perseus/default.nix b/pkgs/applications/science/math/perseus/default.nix index d2694392efaeb..ae63716f106d7 100644 --- a/pkgs/applications/science/math/perseus/default.nix +++ b/pkgs/applications/science/math/perseus/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation { version = "4-beta"; buildInputs = [unzip gcc48]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; src = fetchurl { url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip"; diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix index 77026eb490a15..d27f998b79322 100644 --- a/pkgs/applications/science/math/qalculate-gtk/default.nix +++ b/pkgs/applications/science/math/qalculate-gtk/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; nativeBuildInputs = [ intltool pkgconfig ]; buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ]; diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix index af284a2f82e0d..adf87c4ee5ba2 100644 --- a/pkgs/applications/science/math/yacas/default.nix +++ b/pkgs/applications/science/math/yacas/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # Perl is only for the documentation nativeBuildInputs = [ perl ]; diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix index 4912ce0b3e68d..20d027da1f3c9 100644 --- a/pkgs/applications/version-management/cvs/default.nix +++ b/pkgs/applications/version-management/cvs/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { patches = [ ./getcwd-chroot.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Apply the Debian patches. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 2799c25527bb1..4e86e9328c8ab 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sha256 = "1zkbdmh5gvxalr8l1cwnirqq5raijmp2d0s36s6qabrlvqvq2yj7"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./docbook2texi.patch diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix index 6240baac8f19a..6cafe4f962416 100644 --- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix +++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [qt libXext libX11]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = "qmake PREFIX=$out"; diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix index 982dcb1d56bfa..2f03d582a94cf 100644 --- a/pkgs/applications/version-management/redmine/default.nix +++ b/pkgs/applications/version-management/redmine/default.nix @@ -11,7 +11,7 @@ in stdenv.mkDerivation rec { sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports # needed to separate run-time and build-time directories diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix index 49e2662adb41d..cbaea3eb18b2c 100644 --- a/pkgs/applications/video/aegisub/default.nix +++ b/pkgs/applications/video/aegisub/default.nix @@ -43,8 +43,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub"; diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix index 513242271a186..fc3c679d414d5 100644 --- a/pkgs/applications/virtualization/OVMF/default.nix +++ b/pkgs/applications/virtualization/OVMF/default.nix @@ -17,9 +17,7 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" { # TODO: properly include openssl for secureBoot buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ]; - hardening_stackprotector = false; - hardening_pic = false; - hardening_fortify = false; + hardeningDisable = [ "stackprotector" "pic" "fortify" ]; unpackPhase = '' for file in \ diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix index 705691b168261..952ae1f922d29 100644 --- a/pkgs/applications/virtualization/bochs/default.nix +++ b/pkgs/applications/virtualization/bochs/default.nix @@ -146,7 +146,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/"; NIX_LDFLAGS="-L${libtool}/lib"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An open-source IA-32 (x86) PC emulator"; diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix index 01832b5529251..dc78236677fc9 100644 --- a/pkgs/applications/virtualization/cbfstool/default.nix +++ b/pkgs/applications/virtualization/cbfstool/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl flex bison ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; buildPhase = '' export LEX=${flex}/bin/flex diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix index a06523973b72b..3bc95a1c392f7 100644 --- a/pkgs/applications/virtualization/seabios/default.nix +++ b/pkgs/applications/virtualization/seabios/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl python ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' # build SeaBIOS for CSM diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix index d579a6445d12c..1c85723c39581 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { KERN_DIR = "${kernel.dev}/lib/modules/*/build"; - hardening_pic = false; + hardeningDisable = [ "pic" ]; buildInputs = [ patchelf cdrkit makeWrapper dbus ]; diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 0a3bd3898c2c5..23c4f34a55349 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -75,9 +75,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; - hardening_stackprotector = false; - hardening_fortify = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "fortify" "pic" ]; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix index 43d0804222c73..3b5af42a8be26 100644 --- a/pkgs/applications/window-managers/stalonetray/default.nix +++ b/pkgs/applications/window-managers/stalonetray/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ libX11 xproto ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Stand alone tray"; diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening new file mode 100644 index 0000000000000..08fdd52be08a8 --- /dev/null +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -0,0 +1,41 @@ +hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) +hardeningFlags+=("${hardeningEnable[@]}") +hardeningCFlags=() +hardeningLDFlags=() + +if [[ ! $hardeningDisable == "all" ]]; then + for flag in "${hardeningFlags[@]}" + do + if [[ ! "$hardeningDisable" =~ "$flag" ]]; then + case $flag in + fortify) + hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') + ;; + stackprotector) + hardeningCFlags+=('-fstack-protector-strong') + ;; + pie) + hardeningCFlags+=('-fPIE' '-pie') + ;; + pic) + hardeningCFlags+=('-fPIC') + ;; + strictoverflow) + hardeningCFlags+=('-fno-strict-overflow') + ;; + format) + hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') + ;; + relro) + hardeningLDFlags+=('-z relro') + ;; + bindnow) + hardeningLDFlags+=('-z now') + ;; + *) + echo "Hardening flag unknown: $flag" + ;; + esac + fi + done +fi diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index 6e12a0d8bc8fa..a8a08e5e14435 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -56,7 +56,6 @@ if [ "$nonFlagArgs" = 0 ]; then dontLink=1 fi - # Optionally filter out paths not refering to the store. params=("$@") if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then @@ -90,16 +89,17 @@ if [[ "@prog@" = *++ ]]; then fi fi +source @out@/nix-support/add-hardening.sh + # Add the flags for the C compiler proper. -extraAfter=($NIX_CFLAGS_COMPILE) +extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]}) extraBefore=() - if [ "$dontLink" != 1 ]; then # Add the flags that should only be passed to the compiler when # linking. - extraAfter+=($NIX_CFLAGS_LINK) + extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]}) # Add the flags that should be passed to the linker (and prevent # `ld-wrapper' from adding NIX_LDFLAGS again). diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 110f51891417f..2bf07747337f6 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -234,6 +234,7 @@ stdenv.mkDerivation { rm $out/nix-support/setup-hook.tmp substituteAll ${./add-flags} $out/nix-support/add-flags.sh + cp -p ${./add-hardening} $out/nix-support/add-hardening.sh cp -p ${./utils.sh} $out/nix-support/utils.sh '' + extraBuildCommands; diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh index 6ef06eb703483..12c0709570b0c 100644 --- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh @@ -47,8 +47,9 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \ params=("${rest[@]}") fi +source @out@/nix-support/add-hardening.sh -extra=() +extra=(${hardeningLDFlags[@]}) extraBefore=() if [ -z "$NIX_LDFLAGS_SET" ]; then @@ -56,7 +57,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then extraBefore+=($NIX_LDFLAGS_BEFORE) fi -extra+=($NIX_LDFLAGS_AFTER) +extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN) # Add all used dynamic libraries to the rpath. diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix index 9dc8d6f8ef1b5..7eef5af0adcb9 100644 --- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./glib.patch ./cups_1.6.patch ]; diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix index d766957f0d795..be288b809d43a 100644 --- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix @@ -11,5 +11,5 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix index 6f10f6ea9203e..5c13260aac9e2 100644 --- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix +++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation rec { "--enable-gi-system-install=no" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; enableParallelBuilding = true; diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix index c80bd67f404f6..ed83dd03eca1c 100644 --- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix +++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix @@ -8,7 +8,7 @@ kde { nativeBuildInputs = [ cmake ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # The patch is not ready for upstream submmission. # I should add an option() instead. diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix index 415c6bc6cfb7e..4426907060949 100644 --- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix +++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}"; diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix index dcb7350fbbb2c..3fed2289f9549 100644 --- a/pkgs/development/compilers/clean/default.nix +++ b/pkgs/development/compilers/clean/default.nix @@ -14,8 +14,7 @@ stdenv.mkDerivation rec { }) else throw "Architecture not supported"; - hardening_format = false; - hardening_pic = false; + hardeningDisable = [ "format" "pic" ]; # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild # and for chroot builds all of the library files will have equal timestamps. This diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index 0ee0a622b1e64..900cb92ab8075 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix index 2208d8440497f..1b8b8d862cf34 100644 --- a/pkgs/development/compilers/ecl/default.nix +++ b/pkgs/development/compilers/ecl/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation { "--enable-unicode") ; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix index cf4d0e4f02aad..da178e80a1a49 100644 --- a/pkgs/development/compilers/edk2/default.nix +++ b/pkgs/development/compilers/edk2/default.nix @@ -22,8 +22,7 @@ edk2 = stdenv.mkDerivation { makeFlags = "-C BaseTools"; - hardening_fortify = false; - hardening_format = false; + hardeningDisable = [ "format" "fortify" ]; installPhase = '' mkdir -vp $out diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix index 6114c960ffdd7..ecd841ca6369d 100644 --- a/pkgs/development/compilers/gcc/4.3/default.nix +++ b/pkgs/development/compilers/gcc/4.3/default.nix @@ -95,8 +95,7 @@ stdenv.mkDerivation ({ ++ (optionals langVhdl [gnat]) ; - hardening_format = false; - hardening_stackprotector = false; + hardeningDisable = [ "format" "stackprotector" ]; configureFlags = " ${if enableMultilib then "" else "--disable-multilib"} diff --git a/pkgs/development/compilers/gcc/4.4/default.nix b/pkgs/development/compilers/gcc/4.4/default.nix index fe79e9bcd72bc..7f8b38e1ee681 100644 --- a/pkgs/development/compilers/gcc/4.4/default.nix +++ b/pkgs/development/compilers/gcc/4.4/default.nix @@ -103,7 +103,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./pass-cxxcpp.patch diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 2493593f35758..7d84cb2451641 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,8 +134,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - hardening_format = false; - hardening_all = name != "gnat"; + hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all"; patches = [ ] diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix index 323fd8b921b3a..d630754244380 100644 --- a/pkgs/development/compilers/gcc/4.6/default.nix +++ b/pkgs/development/compilers/gcc/4.6/default.nix @@ -189,7 +189,7 @@ stdenv.mkDerivation ({ inherit patches enableMultilib; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index 58074e173aed1..649312b1c1b1f 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -218,7 +218,7 @@ stdenv.mkDerivation ({ inherit patches; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index fe1f4066110ef..d4c8d018ff2b4 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -220,9 +220,8 @@ stdenv.mkDerivation ({ inherit patches; - # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; - hardening_format = false; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index 47a272ac534e3..ca6b6c52d99ea 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -216,7 +216,7 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; inherit patches; diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index 008f426d74a1a..e57abec2c1ba8 100644 --- a/pkgs/development/compilers/gcl/default.nix +++ b/pkgs/development/compilers/gcl/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; meta = { description = "GNU Common Lisp compiler working via GCC"; diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix index 4f95e859292a8..def807971c017 100644 --- a/pkgs/development/compilers/ghc/6.10.4.nix +++ b/pkgs/development/compilers/ghc/6.10.4.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ghc libedit perl gmp]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-gmp-libraries=${gmp}/lib" diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 0d3a60b9100ea..f25e6244768e3 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 9f84768fb931a..7f7abd8a6e755 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix index 807d7424920d3..d3739ddef5c26 100644 --- a/pkgs/development/compilers/go/1.6.nix +++ b/pkgs/development/compilers/go/1.6.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix index e57151b077faa..4299b50ea6da7 100644 --- a/pkgs/development/compilers/mkcl/default.nix +++ b/pkgs/development/compilers/mkcl/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; propagatedBuildInputs = [ gmp ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "GMP_CFLAGS=-I${gmp}/include" diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix index 341b8155c4174..69529ab762b0a 100644 --- a/pkgs/development/compilers/squeak/default.nix +++ b/pkgs/development/compilers/squeak/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Smalltalk programming language and environment"; diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix index 3c257dfc7df6f..954ef69246235 100644 --- a/pkgs/development/compilers/swi-prolog/default.nix +++ b/pkgs/development/compilers/swi-prolog/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-world --enable-gmp --enable-shared"; diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix index 1e63b2d2be0be..301915b7a26b7 100644 --- a/pkgs/development/compilers/teyjus/default.nix +++ b/pkgs/development/compilers/teyjus/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ omake ocaml flex bison ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = "omake all"; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index e948d1833b833..9dbb08737aa51 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -41,11 +41,9 @@ self: super: { options_1_2 = dontCheck super.options_1_2; options = dontCheck super.options; statistics = dontCheck super.statistics; - c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: { - hardening_format = false; - }); - epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: { - hardening_format = false; + c2hs = dontCheck super.c2hs; + epanet-haskell = super.epanet-haskell.overrideDerivation (drv: { + hardeningDisable = [ "format" ]; }); # The package doesn't compile with ruby 1.9, which is our default at the moment. @@ -244,9 +242,7 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { - hardening_fortify = false; - }); + glib = addPkgconfigDepend super.glib pkgs.glib; gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix index fa8c8309a7a6d..42709abc14326 100644 --- a/pkgs/development/interpreters/clisp/2.44.1.nix +++ b/pkgs/development/interpreters/clisp/2.44.1.nix @@ -45,7 +45,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-O0"; - hardening_format = false; + hardeningDisable = [ "format" ]; # TODO : make mod-check fails doCheck = false; diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix index e77300c0f84dd..cf4355a38e16f 100644 --- a/pkgs/development/interpreters/erlang/R14.nix +++ b/pkgs/development/interpreters/erlang/R14.nix @@ -22,7 +22,7 @@ stdenv.mkDerivation { configureFlags = "--with-ssl=${openssl}"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = let manpages = fetchurl { diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix index 7a4e5c1a336db..dcfdc11c7a9e8 100644 --- a/pkgs/development/interpreters/lush/default.nix +++ b/pkgs/development/interpreters/lush/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { intltool gettext zlib ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; NIX_LDFLAGS=" -lz "; diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix index 6e416a3515067..1e14d386b1387 100644 --- a/pkgs/development/interpreters/perl/default.nix +++ b/pkgs/development/interpreters/perl/default.nix @@ -72,7 +72,7 @@ let enableParallelBuilding = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; preConfigure = '' diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index 81071aafe4eef..a7482f269dbf9 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ readline ]; diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix index cb60a41a6903d..c1a4c17707c8e 100644 --- a/pkgs/development/interpreters/supercollider/default.nix +++ b/pkgs/development/interpreters/supercollider/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { sha256 = "11khrv6jchs0vv0lv43am8lp0x1rr3h6l2xj9dmwrxcpdayfbalr"; }; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # QGtkStyle unavailable patchPhase = '' diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix index be44ef628853c..079c0a5cf6f7c 100644 --- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix index 9ca9db1e45116..faf3a0c73255d 100644 --- a/pkgs/development/libraries/accelio/default.nix +++ b/pkgs/development/libraries/accelio/default.nix @@ -15,8 +15,7 @@ stdenv.mkDerivation rec { sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7"; }; - hardening_pic = false; - hardening_format = false; + hardeningDisable = [ "format" "pic" ]; patches = [ ./fix-printfs.patch ]; diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix index 50d3eec4f3f7e..997a8d223054e 100644 --- a/pkgs/development/libraries/allegro/default.nix +++ b/pkgs/development/libraries/allegro/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa ]; - hardening_format = false; + hardeningDisable = [ "format" ]; cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ]; diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index 4a64bc260bd8e..7195110b0bb9a 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://bs2b.sourceforge.net/"; diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix index 3e5076d2509d9..da9d1122cc54a 100644 --- a/pkgs/development/libraries/cgui/default.nix +++ b/pkgs/development/libraries/cgui/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { sh fix.sh unix ''; - hardening_format = false; + hardeningDisable = [ "format" ]; makeFlags = [ "SYSTEM_DIR=$(out)" ]; diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix index 3dc9587c9215c..359bde2e0582a 100644 --- a/pkgs/development/libraries/cloog/0.18.0.nix +++ b/pkgs/development/libraries/cloog/0.18.0.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { description = "Library that generates loops for scanning polyhedra"; diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix index 0b7d96b5cc187..5af34145197e9 100644 --- a/pkgs/development/libraries/cwiid/default.nix +++ b/pkgs/development/libraries/cwiid/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--without-python"; diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix index 327da38e986a1..00875d73f4189 100644 --- a/pkgs/development/libraries/db/db-4.4.nix +++ b/pkgs/development/libraries/db/db-4.4.nix @@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.4.patch ]; sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9"; branch = "4.4"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix index 6d3b15d256e6c..84b5ea67420ad 100644 --- a/pkgs/development/libraries/db/db-4.5.nix +++ b/pkgs/development/libraries/db/db-4.5.nix @@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ]; sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m"; branch = "4.5"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix index 0735099729a67..6016d112d5171 100644 --- a/pkgs/development/libraries/db/db-4.7.nix +++ b/pkgs/development/libraries/db/db-4.7.nix @@ -4,5 +4,5 @@ import ./generic.nix (args // rec { version = "4.7.25"; sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi"; branch = "4.7"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix index 78c0a15c4e0b7..40869a865ae5f 100644 --- a/pkgs/development/libraries/db/db-4.8.nix +++ b/pkgs/development/libraries/db/db-4.8.nix @@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./clang-4.8.patch ]; sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0"; branch = "4.8"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/faac/default.nix b/pkgs/development/libraries/faac/default.nix index 505f005328751..1ab01033f4df0 100644 --- a/pkgs/development/libraries/faac/default.nix +++ b/pkgs/development/libraries/faac/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { ++ optional mp4v2Support "--with-mp4v2" ++ optional drmSupport "--enable-drm"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ ] ++ optional mp4v2Support mp4v2; diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix index 78b7e9a63fc0f..d47a028cbf865 100644 --- a/pkgs/development/libraries/fox/default.nix +++ b/pkgs/development/libraries/fox/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "C++ based class library for building Graphical User Interfaces"; diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix index 007609403e2e2..ce778e4a3473f 100644 --- a/pkgs/development/libraries/fox/fox-1.6.nix +++ b/pkgs/development/libraries/fox/fox-1.6.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { branch = "1.6"; diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix index bb4aeaeee27f2..3ed308a349208 100644 --- a/pkgs/development/libraries/freetds/default.nix +++ b/pkgs/development/libraries/freetds/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ]; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 09828665541bf..d138015e6bb86 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://fribidi.org/; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index a24a841686688..b581bce24b190 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { propagatedBuildInputs = [libjpeg fontconfig]; # urgh - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--without-x"; diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix index 829c395cc7be7..8f00bee8911a4 100644 --- a/pkgs/development/libraries/gdal/default.nix +++ b/pkgs/development/libraries/gdal/default.nix @@ -18,7 +18,7 @@ composableDerivation.composableDerivation {} (fixed: rec { ++ (with pythonPackages; [ python numpy wrapPython ]) ++ (stdenv.lib.optionals netcdfSupport [ netcdf hdf5 curl ]); - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ # This ensures that the python package is installed into gdal's prefix, diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix index 4c6ec24a16c61..2640159725a71 100644 --- a/pkgs/development/libraries/gdal/gdal-1_11.nix +++ b/pkgs/development/libraries/gdal/gdal-1_11.nix @@ -19,7 +19,7 @@ composableDerivation.composableDerivation {} (fixed: rec { ./python.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults. # Unset CC and CXX as they confuse libtool. diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix index e9c32da206920..e9643da221ef4 100644 --- a/pkgs/development/libraries/gdome2/default.nix +++ b/pkgs/development/libraries/gdome2/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [pkgconfig glib libxml2 gtkdoc]; propagatedBuildInputs = [glib libxml2]; diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix index e8d43e6652f19..754c85ecf030a 100644 --- a/pkgs/development/libraries/geoclue/default.nix +++ b/pkgs/development/libraries/geoclue/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [dbus glib dbus_glib]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' sed -e '/-Werror/d' -i configure diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index 9b24ccc79e82b..2fcd5dd1a80b6 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -12,9 +12,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; - # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; - hardening_format = false; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix index 114e0e587b669..59204e7e7e5aa 100644 --- a/pkgs/development/libraries/giflib/4.1.nix +++ b/pkgs/development/libraries/giflib/4.1.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { branch = "4.1"; diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix index 1cc4ae0201b91..fd9d4b7e81a9b 100644 --- a/pkgs/development/libraries/giflib/libungif.nix +++ b/pkgs/development/libraries/giflib/libungif.nix @@ -7,6 +7,6 @@ stdenv.mkDerivation { md5 = "efdfcf8e32e35740288a8c5625a70ccb"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 7bbf5562f7c2c..50be7d8a73466 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -166,7 +166,7 @@ stdenv.mkDerivation ({ preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.gnu.org/software/libc/; diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 85a49999b484d..c2109bd4158df 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -22,8 +22,7 @@ in builder = ./builder.sh; - hardening_stackprotector = false; - hardening_fortify = false; + hardeningDisable = [ "stackprotector" "fortify" ]; # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index 0db619b365863..e803c7c56ac28 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index 21be466a9b2dc..e2861a880c877 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pciutils ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; makeFlags = [ "PREFIX=\${out}" diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix index c56c5b3892af7..f62d898cff742 100644 --- a/pkgs/development/libraries/isl/0.11.1.nix +++ b/pkgs/development/libraries/isl/0.11.1.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.kotnet.org/~skimo/isl/; diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix index 855b800ba9f38..9fcffb1edb23e 100644 --- a/pkgs/development/libraries/java/swt/default.nix +++ b/pkgs/development/libraries/java/swt/default.nix @@ -28,7 +28,7 @@ in stdenv.mkDerivation rec { builder = ./builder.sh; - hardening_format = false; + hardeningDisable = [ "format" ]; # Alas, the Eclipse Project apparently doesn't produce source-only # releases of SWT. So we just grab a binary release and extract diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index cb0c8a7f5c174..309f17b814297 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation (rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix index 8edc53cb7eec3..0d9d89589ffb3 100644 --- a/pkgs/development/libraries/libf2c/default.nix +++ b/pkgs/development/libraries/libf2c/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "F2c converts Fortran 77 source code to C"; diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix index 4d9fa09ad7524..d30ea6e5324b3 100644 --- a/pkgs/development/libraries/libgeotiff/default.nix +++ b/pkgs/development/libraries/libgeotiff/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [ libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery"; diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index 682a42e2db9da..a8511006d0417 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix index cc883ba67b29d..95e8dd9af48fa 100644 --- a/pkgs/development/libraries/libmpc/default.nix +++ b/pkgs/development/libraries/libmpc/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { description = "Library for multiprecision complex arithmetic with exact rounding"; diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix index d3dd293f975b8..5f249582610fb 100644 --- a/pkgs/development/libraries/librsync/0.9.nix +++ b/pkgs/development/libraries/librsync/0.9.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared"; diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index a9320f1af7b02..50a1f5ac33776 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "An abstraction library for audio visualisations"; diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix index 5281ab2c480bc..ab3c3ed8c5a7b 100644 --- a/pkgs/development/libraries/mp4v2/default.nix +++ b/pkgs/development/libraries/mp4v2/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { # `faac' expects `mp4.h'. postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://code.google.com/p/mp4v2; diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index 2c64388572724..c63dc2c3dee9b 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ gmp ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; configureFlags = stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix index cd8268faa658d..f35d363e57557 100644 --- a/pkgs/development/libraries/nvidia-texture-tools/default.nix +++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Fix build due to missing dependnecies. diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix index a1143757c77e2..86ab85cbb9ae4 100644 --- a/pkgs/development/libraries/opencascade/6.5.nix +++ b/pkgs/development/libraries/opencascade/6.5.nix @@ -26,7 +26,7 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 + " -DGLX_GLXEXT_LEGACY"; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype}" ]; diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix index bcf1b747180ef..79c24be75146b 100644 --- a/pkgs/development/libraries/opencascade/default.nix +++ b/pkgs/development/libraries/opencascade/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' mv $out/inc $out/include diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 16765083c55ca..4f0ed3cd0ea96 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix @@ -49,8 +49,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; meta = { description = "Open Computer Vision Library with more than 500 algorithms"; diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index d5904e742b636..4259e9d4d69fc 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix @@ -20,8 +20,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; meta = { description = "Open Computer Vision Library with more than 500 algorithms"; diff --git a/pkgs/development/libraries/pdf2xml/default.nix b/pkgs/development/libraries/pdf2xml/default.nix index b73be06262302..2d15e632152c7 100644 --- a/pkgs/development/libraries/pdf2xml/default.nix +++ b/pkgs/development/libraries/pdf2xml/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { patches = [./pdf2xml.patch]; - hardening_format = false; + hardeningDisable = [ "format" ]; preBuild = '' cp Makefile.linux Makefile diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix index 4b55cffe94ff4..5c056762a39b4 100644 --- a/pkgs/development/libraries/portmidi/default.nix +++ b/pkgs/development/libraries/portmidi/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip cmake /*jdk*/ alsaLib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://portmedia.sourceforge.net/portmidi/"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index 22dbef1bac2d3..ad864410b16be 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "libupnp, an open source UPnP development kit for Linux"; diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix index e8a67d3bc42af..011e133720fb3 100644 --- a/pkgs/development/libraries/qhull/default.nix +++ b/pkgs/development/libraries/qhull/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://www.qhull.org/; diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix index 8a11cc7087bb9..728d220bb42f9 100644 --- a/pkgs/development/libraries/qt-3/default.nix +++ b/pkgs/development/libraries/qt-3/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ which ]; propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = " -v diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix index de87c6b73c6fd..499c6f18453ac 100644 --- a/pkgs/development/libraries/qtscriptgenerator/default.nix +++ b/pkgs/development/libraries/qtscriptgenerator/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation { cp -av plugins/script/* $out/lib/qt4/plugins/script ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "QtScript bindings generator"; diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix index 49d889f8b6ac1..fe52571e1478c 100644 --- a/pkgs/development/libraries/smpeg/default.nix +++ b/pkgs/development/libraries/smpeg/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ SDL gtk mesa ]; diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix index d94b4159e93ee..94489e992a6f6 100644 --- a/pkgs/development/libraries/speechd/default.nix +++ b/pkgs/development/libraries/speechd/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ dotconf glib pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Common interface to speech synthesis"; diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix index 818029dbb2480..ba95da77b72ce 100644 --- a/pkgs/development/libraries/tidyp/default.nix +++ b/pkgs/development/libraries/tidyp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "A program that can validate your HTML, as well as modify it to be more clean and standard"; diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix index 0d787092a3cde..0b5f08bdf9b34 100644 --- a/pkgs/development/libraries/xmlrpc-c/default.nix +++ b/pkgs/development/libraries/xmlrpc-c/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { (cd tools/xmlrpc && make && make install) ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "A lightweight RPC library based on XML and HTTP"; diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index 2871985a08269..77ab0f8ffa9ca 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix @@ -30,7 +30,7 @@ stdenv.mkDerivation (rec { ''; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # As zlib takes part in the stdenv building, we don't want references # to the bootstrap-tools libgcc (as uses to happen on arm/mips) diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix index b27a6659004d4..108f3616e64e7 100644 --- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix +++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix @@ -26,7 +26,7 @@ stdenv.mkDerivation { buildInputs = [ gmp mpfr libmpc zlib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Make sure we don't strip the libraries in lib/gcc/avr. stripDebugList= [ "bin" "avr/bin" "libexec" ]; diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix index 9665b78d3b274..8265e1dc776ff 100644 --- a/pkgs/development/pharo/vm/build-vm.nix +++ b/pkgs/development/pharo/vm/build-vm.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { mimeType = "application/x-pharo-image"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # Building preConfigure = '' diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix index 385980b284844..36051cc2e12e7 100644 --- a/pkgs/development/python-modules/wxPython/generic.nix +++ b/pkgs/development/python-modules/wxPython/generic.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { sourceRoot = "wxPython-src-${version}/wxPython"; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = "mirror://sourceforge/wxpython/wxPython-src-${version}.tar.bz2"; diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix index a4d88f5d2ea48..b63bc66fabd25 100644 --- a/pkgs/development/tools/analysis/cccc/default.nix +++ b/pkgs/development/tools/analysis/cccc/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./cccc.patch ]; diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix index 8324d8991478a..d42227198ce3d 100644 --- a/pkgs/development/tools/analysis/radare/default.nix +++ b/pkgs/development/tools/analysis/radare/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [pkgconfig readline libusb perl] ++ optional useX11 [gtkdialog vte gtk] diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix index 2896f4ff27161..0e0e44183f6bd 100644 --- a/pkgs/development/tools/analysis/valgrind/default.nix +++ b/pkgs/development/tools/analysis/valgrind/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # Perl is needed for `cg_annotate'. # GDB is needed to provide a sane default for `--db-command'. diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix index aa590543e00e5..240d24961e001 100644 --- a/pkgs/development/tools/boost-build/default.nix +++ b/pkgs/development/tools/boost-build/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' grep -r '/usr/share/boost-build' \ diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 78adfe4875170..7ffa6ed867cc8 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -40,7 +40,7 @@ stdenv.mkDerivation rec { inherit noSysDirs; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; preConfigure = '' # Clear the default library search path. diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix index 464ad79109524..d4a2f80599f78 100644 --- a/pkgs/development/tools/misc/elfutils/default.nix +++ b/pkgs/development/tools/misc/elfutils/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./glibc-2.21.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # We need bzip2 in NativeInputs because otherwise we can't unpack the src, # as the host-bzip2 will be in the path. diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix index e610858838de8..79f7445af4786 100644 --- a/pkgs/development/tools/misc/gnum4/default.nix +++ b/pkgs/development/tools/misc/gnum4/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { patches = [ ./s_isdir.patch ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.gnu.org/software/m4/; diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix index 91658a5d4d9be..e999aa4eb2c66 100644 --- a/pkgs/development/tools/misc/patchelf/default.nix +++ b/pkgs/development/tools/misc/patchelf/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { setupHook = [ ./setup-hook.sh ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://nixos.org/patchelf.html; diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 786998c6af766..cf62d906f3c77 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; preInstall = '' installFlags="TEXMF=$out/texmf-dist"; diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix index 192e058521795..da6760897ad74 100644 --- a/pkgs/development/tools/omniorb/default.nix +++ b/pkgs/development/tools/omniorb/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ python ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant"; diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index 0062bc36561b3..97a66490bf98a 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = "http://www.gnu.org/software/bison/"; diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix index 82d4748a97968..e67b92afa768c 100644 --- a/pkgs/games/asc/default.nix +++ b/pkgs/games/asc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-paragui" "--disable-paraguitest" ]; NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix index 6e138511d03dc..599588e6f0ee8 100644 --- a/pkgs/games/bsdgames/default.nix +++ b/pkgs/games/bsdgames/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { }) ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' cat > config.params << EOF diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix index 9a4b1d0491637..eb20c0b329e80 100644 --- a/pkgs/games/crack-attack/default.nix +++ b/pkgs/games/crack-attack/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!"; diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix index 0c3fc7055b7c5..b6574eaf39e33 100644 --- a/pkgs/games/lincity/ng.nix +++ b/pkgs/games/lincity/ng.nix @@ -22,7 +22,7 @@ stdenv.mkDerivation rec { inherit (s) url sha256; }; - hardening_format = false; + hardeningDisable = [ "format" ]; inherit buildInputs; diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix index d374ed85b2dbb..532c4c635fb05 100644 --- a/pkgs/games/liquidwar/default.nix +++ b/pkgs/games/liquidwar/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { libXrender libcaca cunit ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # To avoid problems finding SDL_types.h. configureFlags = [ "CFLAGS=-I${SDL}/include/SDL" ]; diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix index 41780dd64f6d5..3f1735c31aa16 100644 --- a/pkgs/games/pioneers/default.nix +++ b/pkgs/games/pioneers/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk pkgconfig intltool ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://pio.sourceforge.net/; diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix index 94da81533c13d..74d9bdcb35dca 100644 --- a/pkgs/games/stardust/default.nix +++ b/pkgs/games/stardust/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { installFlags = [ "bindir=\${out}/bin" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; postConfigure = '' substituteInPlace config.h \ diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix index fd320a32180ed..1b1e877d274d9 100644 --- a/pkgs/games/torcs/default.nix +++ b/pkgs/games/torcs/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { installTargets = "install datainstall"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Car racing game"; diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix index cace72b5aacf1..e6e237529531d 100644 --- a/pkgs/games/xconq/default.nix +++ b/pkgs/games/xconq/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { "--with-tkconfig=${tk}/lib" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Fix Makefiles diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix index fa4c17649ac2e..18abf280a81e8 100644 --- a/pkgs/games/zandronum/default.nix +++ b/pkgs/games/zandronum/default.nix @@ -33,7 +33,7 @@ in stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; installPhase = '' mkdir -p $out/bin diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix index bbaa565e352e1..d57ef5ae16da6 100644 --- a/pkgs/misc/emulators/dosbox/default.nix +++ b/pkgs/misc/emulators/dosbox/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ SDL ]; - hardening_format = false; + hardeningDisable = [ "format" ]; desktopItem = makeDesktopItem { name = "dosbox"; diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix index dc3c141285667..1abf621fe7e06 100644 --- a/pkgs/misc/emulators/mupen64plus/default.nix +++ b/pkgs/misc/emulators/mupen64plus/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Some C++ incompatibility fixes diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix index 3ed455bd350fb..6620018c33767 100644 --- a/pkgs/misc/emulators/nestopia/default.nix +++ b/pkgs/misc/emulators/nestopia/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { # nondeterministic failures when creating directories enableParallelBuilding = false; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper libarchive libao unzip xdg_utils gsettings_desktop_schemas ]; diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix index 54620699f2d89..9e773b18f7dbf 100644 --- a/pkgs/misc/emulators/uae/default.nix +++ b/pkgs/misc/emulators/uae/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig gtk alsaLib SDL ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Ultimate/Unix/Unusable Amiga Emulator"; diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix index e1db07bfff2b4..2873225b26f13 100644 --- a/pkgs/misc/mxt-app/default.nix +++ b/pkgs/misc/mxt-app/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec{ buildInputs = [ autoconf automake libtool ]; preConfigure = "./autogen.sh"; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Command line utility for Atmel maXTouch devices"; diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix index 05a5549fae280..65223a32bad67 100644 --- a/pkgs/os-specific/linux/acpi-call/default.nix +++ b/pkgs/os-specific/linux/acpi-call/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix index 41c4f48ddb82b..aabd36f945f56 100644 --- a/pkgs/os-specific/linux/batman-adv/default.nix +++ b/pkgs/os-specific/linux/batman-adv/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preBuild = '' makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix index 2c91bfbd10fb7..67b843fac4dcb 100644 --- a/pkgs/os-specific/linux/bbswitch/default.nix +++ b/pkgs/os-specific/linux/bbswitch/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation { sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m"; }) ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix index 78a576234acad..c2e3fa4b9e1f5 100644 --- a/pkgs/os-specific/linux/blcr/default.nix +++ b/pkgs/os-specific/linux/blcr/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { buildInputs = [ perl makeWrapper ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' configureFlagsArray=( diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index cc3cfe2465d57..2785a57ac8a7a 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -33,7 +33,7 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./busybox-in-store.patch ]; diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix index aacdfc496ee88..6567e47863669 100644 --- a/pkgs/os-specific/linux/criu/default.nix +++ b/pkgs/os-specific/linux/criu/default.nix @@ -23,7 +23,8 @@ stdenv.mkDerivation rec { configurePhase = "make config PREFIX=$out"; makeFlags = "PREFIX=$(out)"; - hardening_stackprotector = false; + + hardeningDisable = [ "stackprotector" ]; installPhase = '' mkdir -p $out/etc/logrotate.d diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index 09d7651c249d7..7a2d94100fa5f 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix @@ -12,7 +12,8 @@ stdenv.mkDerivation { inherit glibc; kernelHeaders = glibc.linuxHeaders; - hardening_stackprotector = false; + + hardeningDisable = [ "stackprotector" ]; patches = [ diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix index 8eba742ebfb86..4c2d0c8857685 100644 --- a/pkgs/os-specific/linux/disk-indicator/default.nix +++ b/pkgs/os-specific/linux/disk-indicator/default.nix @@ -19,7 +19,8 @@ stdenv.mkDerivation { buildPhase = "make -f makefile"; NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; - hardening_fortify = false; + + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -p "$out/bin" diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix index 48494bd6b1870..b25a65b2ab47e 100644 --- a/pkgs/os-specific/linux/facetimehd/default.nix +++ b/pkgs/os-specific/linux/facetimehd/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { export INSTALL_MOD_PATH="$out" ''; - hardening_pic = false; + hardeningDisable = [ "pic" ]; makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix index 93c334b959377..e86c751331b2a 100644 --- a/pkgs/os-specific/linux/gogoclient/default.nix +++ b/pkgs/os-specific/linux/gogoclient/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [openssl]; diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix index a5cd241181918..b9390d1d58934 100644 --- a/pkgs/os-specific/linux/ifenslave/default.nix +++ b/pkgs/os-specific/linux/ifenslave/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { cp -a ifenslave $out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Utility for enslaving networking interfaces under a bond"; diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index 7c956e3c24422..79094ebb3e380 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { src = sourceAttrs.src; - hardening_pic = false; + hardeningDisable = [ "pic" ]; prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix index be54d7a4e6a7e..22650747ba210 100644 --- a/pkgs/os-specific/linux/kernel-headers/3.18.nix +++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix @@ -35,7 +35,7 @@ stdenv.mkDerivation { buildInputs = [perl]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; extraIncludeDirs = if cross != null then diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 5a22b5e2432df..85a4b98982a4b 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -225,16 +225,12 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); - hardening_format = false; - hardening_fortify = false; - hardening_stackprotector = false; + hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ]; makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ]; - hardening_pic = false; - karch = stdenv.platform.kernelArch; crossAttrs = let cp = stdenv.cross.platform; in diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index 98593ea85a9cb..d1a2fabf8140a 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ zlib ]; diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix index b05b0dc44637e..ffa381d0f2971 100644 --- a/pkgs/os-specific/linux/klibc/default.nix +++ b/pkgs/os-specific/linux/klibc/default.nix @@ -21,8 +21,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; - hardening_format = false; - hardening_stackprotector = false; + hardeningDisable = [ "format" "stackprotector" ]; makeFlags = commonMakeFlags ++ [ "KLIBCARCH=${stdenv.platform.kernelArch}" diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix index f6a5e30afa081..0bcc6dd5143cd 100644 --- a/pkgs/os-specific/linux/lttng-modules/default.nix +++ b/pkgs/os-specific/linux/lttng-modules/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix index 8aee4b73fdde3..409eb31e14f70 100644 --- a/pkgs/os-specific/linux/multipath-tools/default.nix +++ b/pkgs/os-specific/linux/multipath-tools/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = '' sed -i -re ' diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix index e95cd4e133cfa..35781dc7f95c3 100644 --- a/pkgs/os-specific/linux/netatop/default.nix +++ b/pkgs/os-specific/linux/netatop/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation { buildInputs = [ zlib ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' patchShebangs mkversion diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix index 959de19ead261..7310e7e36add9 100644 --- a/pkgs/os-specific/linux/numad/default.nix +++ b/pkgs/os-specific/linux/numad/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./numad-linker-flags.patch diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix index 50aa77104c283..7ef98eb235368 100644 --- a/pkgs/os-specific/linux/paxctl/default.nix +++ b/pkgs/os-specific/linux/paxctl/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; setupHook = ./setup-hook.sh; diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix index 56ff6c473b40b..56c12e9a4f0a2 100644 --- a/pkgs/os-specific/linux/phc-intel/default.nix +++ b/pkgs/os-specific/linux/phc-intel/default.nix @@ -21,7 +21,7 @@ in stdenv.mkDerivation rec { buildInputs = [ which ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; makeFlags = with kernel; [ "DESTDIR=$(out)" diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index 5a03df9834607..102b935be296a 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix index 6e8d9d3cf7a6f..5f539b9a97e54 100644 --- a/pkgs/os-specific/linux/setools/default.nix +++ b/pkgs/os-specific/linux/setools/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { "--with-tcl=${tcl}/lib" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; NIX_CFLAGS_COMPILE = "-fstack-protector-all"; NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib"; diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix index 67e2f16848bd6..3fbfa4fdc531b 100644 --- a/pkgs/os-specific/linux/spl/default.nix +++ b/pkgs/os-specific/linux/spl/default.nix @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix index 00f9a66f0cd43..358f7d38efa4b 100644 --- a/pkgs/os-specific/linux/sysdig/default.nix +++ b/pkgs/os-specific/linux/sysdig/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; cmakeFlags = [ "-DUSE_BUNDLED_DEPS=OFF" diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix index 3ace0f5c5edc1..a68ab9c478ca8 100644 --- a/pkgs/os-specific/linux/syslinux/default.nix +++ b/pkgs/os-specific/linux/syslinux/default.nix @@ -16,8 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...' - hardening_stackprotector = false; - hardening_pic = false; + hardeningDisable = [ "pic" "stackprotector" ]; preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd) diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix index 116a03444507b..dceb777ad7203 100644 --- a/pkgs/os-specific/linux/tp_smapi/default.nix +++ b/pkgs/os-specific/linux/tp_smapi/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666"; }; - hardening_pic = false; + hardeningDisable = [ "pic" ]; makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}" diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix index 8b44f3388d3f1..376a407d99330 100644 --- a/pkgs/os-specific/linux/v4l2loopback/default.nix +++ b/pkgs/os-specific/linux/v4l2loopback/default.nix @@ -9,8 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568"; }; - hardening_pic = false; - hardening_format = false; + hardeningDisable = [ "format" "pic" ]; preBuild = '' substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install" diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix index 17255aa128314..073a6ded998b3 100644 --- a/pkgs/os-specific/linux/v86d/default.nix +++ b/pkgs/os-specific/linux/v86d/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-klibc" "--with-x86emu" ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source" diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix index 96f353a64da20..8b712553be9e9 100644 --- a/pkgs/os-specific/linux/xf86-video-nested/default.nix +++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { pkgconfig renderproto utilmacros xorgserver ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; CFLAGS = "-I${pixman}/include/pixman-1"; diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 0a61bdcea8500..c49f393dd1655 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation rec { # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work NIX_CFLAGS_LINK = "-lgcc_s"; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs" diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix index f5693e451684a..ef4621fb9a654 100644 --- a/pkgs/servers/beanstalkd/default.nix +++ b/pkgs/servers/beanstalkd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { homepage = http://kr.github.io/beanstalkd/; diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index e557a2a0061c5..414582b69ef53 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix @@ -65,7 +65,7 @@ stdenv.mkDerivation rec { sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # configurePhase = '' # sed -i 's@cp /usr/share/automake-.*@@' autogen.sh diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix index 99b6ce2a832db..ac5e0b7c1b1ce 100644 --- a/pkgs/servers/gpm/default.nix +++ b/pkgs/servers/gpm/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; buildInputs = [ ncurses ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index 3dbb34f9b0215..aaa858e302c94 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix @@ -55,7 +55,7 @@ stdenv.mkDerivation rec { preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A reverse proxy and lightweight webserver"; diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix index d0e238786e285..dc3fef6125ccc 100644 --- a/pkgs/servers/icecast/default.nix +++ b/pkgs/servers/icecast/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "Server software for streaming multimedia"; diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix index d42f69d078bc9..d00bcb7ef1a27 100644 --- a/pkgs/servers/irc/charybdis/default.nix +++ b/pkgs/servers/irc/charybdis/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { "--with-program-prefix=charybdis-" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ bison flex openssl ]; diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix index 3a0f2e0954da5..9d208e8af4d52 100644 --- a/pkgs/servers/mail/postfix/3.0.nix +++ b/pkgs/servers/mail/postfix/3.0.nix @@ -41,7 +41,7 @@ in stdenv.mkDerivation rec { ./relative-symlinks.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' sed -e '/^PATH=/d' -i postfix-install diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 42355b46021d3..886412b24cd9c 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -14,8 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [db openssl cyrus_sasl bison perl]; - hardening_format = false; - hardening_pie = true; + hardeningDisable = [ "format" ]; + hardeningEnable = [ "pie" ]; patches = [ ./postfix-2.2.9-db.patch diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix index cac568f8fc908..5e4edd0b03227 100644 --- a/pkgs/servers/memcached/default.nix +++ b/pkgs/servers/memcached/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cyrus_sasl libevent]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { description = "A distributed memory object caching system"; diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix index 141e8e0929d17..913b312a54a32 100644 --- a/pkgs/servers/nosql/mongodb/default.nix +++ b/pkgs/servers/nosql/mongodb/default.nix @@ -80,7 +80,7 @@ in stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "a scalable, high-performance, open source NoSQL database"; diff --git a/pkgs/servers/nosql/riak/1.3.1.nix b/pkgs/servers/nosql/riak/1.3.1.nix index ffa2056d5a9cd..565ed226ab4f8 100644 --- a/pkgs/servers/nosql/riak/1.3.1.nix +++ b/pkgs/servers/nosql/riak/1.3.1.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { patches = [ ./riak-1.3.1.patch ./riak-admin-1.3.1.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; postUnpack = '' mkdir -p $sourceRoot/deps/eleveldb/c_src/leveldb diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix index 05cf4270f9f80..b66e99f0afbe9 100644 --- a/pkgs/servers/nosql/riak/2.1.1.nix +++ b/pkgs/servers/nosql/riak/2.1.1.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { src = srcs.riak; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = '' sed -i deps/node_package/priv/base/env.sh \ diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index 1ff9b79e38351..aab4ee9059f9a 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation { buildInputs = [ autoconf automake flex yacc ncurses perl which ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix index cb77ebd9c8950..e4e1d393a52a7 100644 --- a/pkgs/servers/sip/freeswitch/default.nix +++ b/pkgs/servers/sip/freeswitch/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch"; diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix index ba6a076f1f0ea..0d685a3f4d32d 100644 --- a/pkgs/shells/dash/default.nix +++ b/pkgs/shells/dash/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://gondor.apana.org.au/~herbert/dash/; diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 4f092ee1d97cc..836dedf1cb189 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix @@ -236,26 +236,6 @@ rec { }); }; - useHardenFlags = stdenv: stdenv // - { mkDerivation = args: stdenv.mkDerivation (args // { - NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") - + stdenv.lib.optionalString (args.hardening_all or true) ( - stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2" - + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong" - + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie" - + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC" - + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow" - + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security" - ); - NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") - + stdenv.lib.optionalString (args.hardening_all or true) ( - stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" - + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now" - ); - - }); - }; - dropCxx = drv: drv.override { stdenv = if pkgs.stdenv.isDarwin then pkgs.allStdenvs.stdenvDarwinNaked diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index b4fc755bd84a9..cef071bb3b61b 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = https://packages.debian.org/source/xbindkeys-config; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 24fec4e33bbdd..e7164bf07b6c3 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index d1f13b77f0c16..41043cda5b65a 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index 20f7038067dbe..da0983fc09709 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./CVE-2014-8139.diff diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index 6407fe4f350bb..115fc8e3aff13 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A GTK+ front-end for command line archiving tools"; diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 8be743c8dd0a7..145b81c95bc80 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index f27dd3c5be674..f38b24c0fc077 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 2de5736a4c220..7e7558f69e697 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 34bb109a17153..0b10f30497d22 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; - hardening_format = false; + hardeningDisable = [ "format" ]; # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 38e86c8ff1f2e..7db35e2b80e28 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 6ddebe6b99d01..986f940b9069f 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index c53400e6afdda..5a3451810a127 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Samba mounted via FUSE"; diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index d3964b1e42751..5613bac9b1a59 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -11,7 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; patches = [ ./gcc5.patch ]; - hardening_fortify = false; + + hardeningDisable = [ "fortify" ]; preConfigure = '' sed -e '1i#include <limits.h>' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index 7e6c99313418a..d6a31bd5c7f7d 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "GNU barcode generator"; diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index c3d9a859f3ff0..cdf38d1218ad4 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index 03326aa4562fe..e7fb3e773c1df 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index e08b1309d4147..6f236509a310b 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -14,8 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-pngincludedir=${libpng}/include" diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 7f11f076dcc83..ede6624ac59de 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 9a9621dd784ec..82f958321bdd4 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index e28a2e1648856..392527a21198d 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; # Inspired by linux-install/nifskope.spec.in. installPhase = diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index dc145a0d86234..abcbabea596ce 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit - hardening_format = false; + hardeningDisable = [ "format" ]; doCheck = true; diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index f67e7202521b5..496b1d3557296 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib}/lib"; diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index a1aefbff33c67..f2a85c73c2afa 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { inherit (s) rev url sha256; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index c584ed282d6b8..898031cbaf3fc 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index f0e53696fc5c5..b96c469e3468c 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-video" ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Bar code reader"; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 6e7c6daca56d6..a06d3d0729a15 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,7 +20,7 @@ let }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index d537c0f506fc0..132707106af0a 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { ddccontrol-db ]; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index 4475010f3b855..7d17dee8b53c2 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [flex]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index f99b83a2a0a5e..80fb3c6a694c2 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index d3b62149bdf31..1ba4bceb7876c 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Bitmap Font Editor"; diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index f3c09ef686a92..d56f9b3ce0f0f 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -52,7 +52,7 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; - hardening_all = false; + hardeningDisable = [ "all" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index c0579b9181641..a690ef2084b27 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; prePatch = '' unpackFile $gentooPatches diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 39c1ce9c0c11a..fc8784decc5ff 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,8 +47,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; - hardening_stackprotector = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "pic" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index b73d83201e0ef..7946a3b062fc9 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index 0830eb51b3ca7..78f49588e8c3e 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix @@ -19,8 +19,7 @@ stdenv.mkDerivation { preConfigure = "cd src"; # not possible due to assembler code - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; makeFlags = [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here. diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index 097c26071fcfd..62d490ea4f9ef 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,8 +22,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" "pic" ]; buildFlags = "memtest.bin"; diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index a65bd1fe8ec1a..f92069e7b9f50 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ glib gettext readline pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://palcal.sourceforge.net/; diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index 48c47cc3d8db6..8d4f00ee84786 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index cba343863bef5..4ef050b409e59 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Unix-unix cp over serial line, also includes cu program"; diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index 292023a1b582f..567783f631384 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ unzip libogg libvorbis ]; diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index 3d828a55121e8..debc2c239ad63 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Converter from Microsoft Word formats to human-editable ones"; diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index cef5fee9cf93e..31b6e74917e88 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Patch the destination directory diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 0729f35db59b8..d262f7fc9e0c5 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 915562bd77918..91232b4ffa74c 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -pv $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 6032e53f0baa2..b05f4e8e80eed 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 90bc8b54f28f0..a9f2419b1368e 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 414ff692d10db..13f8cedc673d8 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index 53e17e6cecdc1..140d58e3163ef 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./path-to-cat.patch ./no-gets.patch ]; diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 349dba12538c0..7a1eac59eeae4 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Mini PXE server"; diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 47fa2708821a3..b2242fe545465 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' rm -rf $out/share/doc diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 25af3e11cafbf..c1f78c911a1aa 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation { buildInputs = [ openssl ppp autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 7ade847b97beb..6e497a0093e15 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -63,7 +63,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' # Install ssh-copy-id, it's very useful. diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 8b0b3d9a736c8..fc4ca793199d3 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index e59e6d4608038..36c6a2deead07 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A utility for bidirectional data transfer between two independent data channels"; diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 3fe6144b72ca3..3a5117653c836 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ncurses]; diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index 22f991d8fe2a3..1c8829a07b273 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -22,7 +22,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Lightweight userspace bandwidth shaper"; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 1c7c946000ebd..e7c7716184808 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index ba9552d4faea3..81d43fa501cf0 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://vde.sourceforge.net/; diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index f1d7985e9a507..c47f1664cd6ec 100644 --- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation { buildInputs = [gettext]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' makeFlagsArray=(PREFIX=$out) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index d52243dcea5cb..cb365b9b4f767 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index 273d692ebaa60..8efd04690dbe1 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 1a2bc6a310829..506b1d398d54e 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' for a in lcptools utils tb_polgen; do diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 805336cfe44b1..26f088fd54a2c 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index 0696af07166ba..0114c1d41ff67 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; preInstall = '' mkdir -p $out/{bin,share/man/man8} diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 1456b6fca7c45..7800bfa08313a 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index ef54bde3db56c..e19dbb028474e 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--sysconfdir=/etc" diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index 956fd590b14c9..fc0889012c2e1 100644 --- a/pkgs/tools/system/which/default.nix +++ b/pkgs/tools/system/which/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index bcbf2b66a860b..4a32e972a5b39 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 98f9c0483c2d0..75922a6c830ca 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Tools to manipulate patch files"; diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index 33f72b029a1ee..ec99e8b4a27af 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; unpackPhase = "tar xf $src"; installTargets = "install install.man"; diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index cffe0b39d2297..c3d226a2acb0e 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 3585c4d04af8b..2cc6739390381 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec { perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ @@ -123,7 +123,7 @@ core-big = stdenv.mkDerivation { inherit (common) src; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 989649c580f2e..bfffbae65b59e 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -15,5 +15,5 @@ stdenv.mkDerivation rec { buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index a16dc169b98e8..81860f22e897f 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9a10236a4190d..63a8e1485d13f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -214,12 +214,12 @@ let allPackages = args: import ./all-packages.nix ({ inherit config system; } // args); }; - defaultStdenv = stdenvAdapters.useHardenFlags (allStdenvs.stdenv // { inherit platform; }); + defaultStdenv = allStdenvs.stdenv // { inherit platform; }; stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal); stdenv = - if bootStdenv != null then ((import ../stdenv/adapters.nix pkgs_).useHardenFlags bootStdenv // {inherit platform;}) else + if bootStdenv != null then (bootStdenv // {inherit platform;}) else if crossSystem != null then stdenvCross else |