lol

cc-wrapper: add support for fortify3 flag

+24 -3
+24 -3
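--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -12,7 +12,16 @@
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
 unset -v "hardeningEnableMap[$flag]"
+# fortify being unsupported implies fortify3 is unsupported
+if [[ "$flag" = 'fortify' ]] ; then
+unset -v "hardeningEnableMap['fortify3']"
+fi
 done
+
+# make fortify and fortify3 mutually exclusive
+if [[ -z "${hardeningEnableMap[fortify3]-}" ]]; then
+unset -v "hardeningEnableMap['fortify']"
+fi
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
 declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
@@ -36,11 +45,23 @@
 
 for flag in "${!hardeningEnableMap[@]}"; do
 case $flag in
-fortify)
-if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+fortify | fortify3)
 # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
 # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE' '-D_FORTIFY_SOURCE=2')
+hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+case $flag in
+fortify)
+if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+;;
+fortify3)
+if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
+hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+;;
+*)
+# Ignore unsupported.
+;;
+esac
 ;;
 stackprotector)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi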
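Review bot: The mutual-exclusion test added after the unsupported-flags loop looks inverted: `[[ -z "${hardeningEnableMap[fortify3]-}" ]]` is true when fortify3 is absent, so `fortify` is unset for every build that has not opted into fortify3 and the `fortify)` arm that adds `-D_FORTIFY_SOURCE=2` is never reached. When both flags are present, neither is removed, so both `-D_FORTIFY_SOURCE=2` and `-D_FORTIFY_SOURCE=3` are appended in whatever order the map iterates. How the map is populated is outside the hunk, but assuming enabled flags carry a non-empty value, the condition should read `if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then` so that fortify is dropped only when fortify3 supersedes it. Separately, the unchanged `allHardeningFlags` list in the NIX_DEBUG block does not name fortify3, so the debug listing presumably will not report its state; the rest of that block lies outside the hunk.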