pyrox.dev
treewide: Use `(( "${NIX_DEBUG:-0}" >= 1) ))` consistently
+11
-11
pkgs/build-support/cc-wrapper/add-hardening.sh
+11
-11
pkgs/build-support/cc-wrapper/add-hardening.sh
···
16
hardeningDisableMap[$flag]=1
17
done
18
19
-
if [[ -n "${NIX_DEBUG:-}" ]]; then
20
printf 'HARDENING: disabled flags:' >&2
21
(( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
22
echo >&2
23
fi
24
25
if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
26
-
if [[ -n "${NIX_DEBUG:-}" ]]; then
27
echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
28
fi
29
for flag in "${hardeningFlags[@]}"
···
31
if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
32
case $flag in
33
fortify)
34
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling fortify >&2; fi
35
hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
36
;;
37
stackprotector)
38
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling stackprotector >&2; fi
39
hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
40
;;
41
pie)
42
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
43
hardeningCFlags+=('-fPIE')
44
if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
45
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
46
hardeningCFlags+=('-pie')
47
hardeningLDFlags+=('-pie')
48
fi
49
;;
50
pic)
51
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling pic >&2; fi
52
hardeningCFlags+=('-fPIC')
53
;;
54
strictoverflow)
55
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
56
hardeningCFlags+=('-fno-strict-overflow')
57
;;
58
format)
59
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling format >&2; fi
60
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
61
;;
62
relro)
63
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling relro >&2; fi
64
hardeningLDFlags+=('-z' 'relro')
65
;;
66
bindnow)
67
-
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling bindnow >&2; fi
68
hardeningLDFlags+=('-z' 'now')
69
;;
70
*)
···
16
hardeningDisableMap[$flag]=1
17
done
18
19
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then
20
printf 'HARDENING: disabled flags:' >&2
21
(( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
22
echo >&2
23
fi
24
25
if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
26
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then
27
echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
28
fi
29
for flag in "${hardeningFlags[@]}"
···
31
if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
32
case $flag in
33
fortify)
34
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
35
hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
36
;;
37
stackprotector)
38
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
39
hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
40
;;
41
pie)
42
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
43
hardeningCFlags+=('-fPIE')
44
if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
45
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
46
hardeningCFlags+=('-pie')
47
hardeningLDFlags+=('-pie')
48
fi
49
;;
50
pic)
51
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
52
hardeningCFlags+=('-fPIC')
53
;;
54
strictoverflow)
55
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
56
hardeningCFlags+=('-fno-strict-overflow')
57
;;
58
format)
59
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
60
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
61
;;
62
relro)
63
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi
64
hardeningLDFlags+=('-z' 'relro')
65
;;
66
bindnow)
67
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling bindnow >&2; fi
68
hardeningLDFlags+=('-z' 'now')
69
;;
70
*)
+1
-1
pkgs/build-support/cc-wrapper/cc-wrapper.sh
+1
-1
pkgs/build-support/cc-wrapper/cc-wrapper.sh
+1
-1
pkgs/build-support/cc-wrapper/gnat-wrapper.sh
+1
-1
pkgs/build-support/cc-wrapper/gnat-wrapper.sh
+1
-1
pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh
+1
-1
pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh
+1
-1
pkgs/build-support/cc-wrapper/ld-wrapper.sh
+1
-1
pkgs/build-support/cc-wrapper/ld-wrapper.sh
+1
-1
pkgs/build-support/cc-wrapper/utils.sh
+1
-1
pkgs/build-support/cc-wrapper/utils.sh
+3
-3
pkgs/stdenv/generic/setup.sh
+3
-3
pkgs/stdenv/generic/setup.sh
···
269
addToSearchPath PATH "$i/bin"
270
done
271
272
-
if [ "${NIX_DEBUG:-}" = 1 ]; then
273
echo "initial path: $PATH"
274
fi
275
···
429
430
431
PATH="${_PATH-}${_PATH:+${PATH:+:}}$PATH"
432
-
if [ "${NIX_DEBUG:-}" = 1 ]; then
433
echo "final path: $PATH"
434
fi
435
···
539
local -a args=()
540
541
for varName in $(awk 'BEGIN { for (v in ENVIRON) if (v ~ /^[a-z][a-zA-Z0-9_]*$/) print v }'); do
542
-
if [ "${NIX_DEBUG:-}" = "1" ]; then
543
printf "@%s@ -> %q\n" "${varName}" "${!varName}"
544
fi
545
args+=("--subst-var" "$varName")
···
269
addToSearchPath PATH "$i/bin"
270
done
271
272
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then
273
echo "initial path: $PATH"
274
fi
275
···
429
430
431
PATH="${_PATH-}${_PATH:+${PATH:+:}}$PATH"
432
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then
433
echo "final path: $PATH"
434
fi
435
···
539
local -a args=()
540
541
for varName in $(awk 'BEGIN { for (v in ENVIRON) if (v ~ /^[a-z][a-zA-Z0-9_]*$/) print v }'); do
542
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then
543
printf "@%s@ -> %q\n" "${varName}" "${!varName}"
544
fi
545
args+=("--subst-var" "$varName")