cc-wrapper: ensure NIX_HARDENING_ENABLE fortify3 implies fortify too

even if fortify3 is in hardening_unsupported_flags
Robert Scott 2023-09-03 21:32:36 +01:00
parent f0cf83a1a7
commit 4c6fd59fcd


@ -10,6 +10,13 @@ for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do
hardeningEnableMap["$flag"]=1 hardeningEnableMap["$flag"]=1
done done
# fortify3 implies fortify enablement - make explicit before
# we filter unsupported flags because unsupporting fortify3
# doesn't mean we should unsupport fortify too
if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
hardeningEnableMap["fortify"]=1
fi
# Remove unsupported flags. # Remove unsupported flags.
for flag in @hardening_unsupported_flags@; do for flag in @hardening_unsupported_flags@; do
unset -v "hardeningEnableMap[$flag]" unset -v "hardeningEnableMap[$flag]"
@ -19,7 +26,7 @@ for flag in @hardening_unsupported_flags@; do
fi fi
done done
# make fortify and fortify3 mutually exclusive # now make fortify and fortify3 mutually exclusive
if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
unset -v "hardeningEnableMap['fortify']" unset -v "hardeningEnableMap['fortify']"
fi fi
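Review bot: The two fortify blocks now only work because of where they sit around the unsupported-flags loop, and only the first comment says so. The new `if [[ -n "${hardeningEnableMap[fortify3]-}" ]]` block before the loop sets `fortify`, and the identical test after the loop unsets it again. Moving or merging them would bring back the case this commit fixes, where a toolchain that lists fortify3 as unsupported ends up with no fortify level at all. I would spell out the outcome in the second comment, for example `# fortify3 survived filtering: drop fortify so only one level is applied; otherwise fortify stays on as the fallback`. The fallback is also silent in the lines shown, so a build that asked for fortify3 gets no hint that it received the weaker level; if the script has a debug-output path elsewhere, a message there would help anyone auditing the effective hardening flags.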