cc-wrapper: Use `set -u` throughout

Now is an opportune time to do this, as the infixSalt conversion in
`add-flags.sh` ensures that all the relevant `NIX_*` vars will be
defined even if empty.

+68 -50
+21 -19
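--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,67 +1,69 @@
 hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
-# Intentionally word-split in case 'hardeningEnable' is defined in Nix.
-hardeningFlags+=(${hardeningEnable[@]})
+# Intentionally word-split in case 'hardeningEnable' is defined in
+# Nix. Also, our bootstrap tools version of bash is old enough that
+# undefined arrays trip `set -u`.
+if [[ -v hardeningEnable[@] ]]; then
+hardeningFlags+=(${hardeningEnable[@]})
+fi
 hardeningCFlags=()
 hardeningLDFlags=()
 
 declare -A hardeningDisableMap
 
-# Intentionally word-split in case 'hardeningDisable' is defined in Nix. The
-# array expansion also prevents undefined variables from causing trouble with
-# `set -u`.
-for flag in ${hardeningDisable[@]} @hardening_unsupported_flags@
+# Intentionally word-split in case 'hardeningDisable' is defined in Nix.
+for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@
 do
 hardeningDisableMap[$flag]=1
 done
 
-if [[ -n "$NIX_DEBUG" ]]; then
+if [[ -n "${NIX_DEBUG:-}" ]]; then
 printf 'HARDENING: disabled flags:' >&2
 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
 echo >&2
 fi
 
-if [[ -z "${hardeningDisableMap[all]}" ]]; then
-if [[ -n "$NIX_DEBUG" ]]; then
+if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
+if [[ -n "${NIX_DEBUG:-}" ]]; then
 echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
 fi
 for flag in "${hardeningFlags[@]}"
 do
-if [[ -z "${hardeningDisableMap[$flag]}" ]]; then
+if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
 case $flag in
 fortify)
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling fortify >&2; fi
 hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
 ;;
 stackprotector)
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling stackprotector >&2; fi
 hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
 ;;
 pie)
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
 hardeningCFlags+=('-fPIE')
 if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
 hardeningLDFlags+=('-pie')
 fi
 ;;
 pic)
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling pic >&2; fi
 hardeningCFlags+=('-fPIC')
 ;;
 strictoverflow)
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
 hardeningCFlags+=('-fno-strict-overflow')
 ;;
 format)
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling format >&2; fi
 hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
 ;;
 relro)
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling relro >&2; fi
 hardeningLDFlags+=('-z' 'relro')
 ;;
 bindnow)
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi
+if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling bindnow >&2; fi
 hardeningLDFlags+=('-z' 'now')
 ;;
 *)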
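Review bot: The `IGNORED_KEY` default in `for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@` is stored in `hardeningDisableMap` whenever `hardeningDisable` is unset or empty, so the `NIX_DEBUG` listing of disabled flags then reports a flag nobody disabled. None of the case arms shown matches that name, so flag selection looks unaffected, but that listing is what someone auditing which mitigations a build received will read. An empty default, `for flag in ${hardeningDisable[@]:-} @hardening_unsupported_flags@`, word-splits to nothing and should satisfy `set -u` equally; if the sentinel is needed for a reason not visible here, a comment saying why would help. Separately, `[[ -v hardeningEnable[@] ]]` relies on `-v` accepting an array subscript, which older bash releases may not support; worth confirming against the bootstrap bash the comment mentions.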
+12 -9
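--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -1,5 +1,5 @@
 #! @shell@
-set -e -o pipefail
+set -eu -o pipefail
 shopt -s nullglob
 
 path_backup="$PATH"
@@ -11,12 +11,12 @@
 PATH="@coreutils_bin@/bin:@gnugrep_bin@/bin"
 fi
 
-if [ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]; then
-source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK"
+if [ -z "${NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then
+source @out@/nix-support/add-flags.sh
 fi
 
-if [ -z "$NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET" ]; then
-source @out@/nix-support/add-flags.sh
+if [ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]; then
+source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK"
 fi
 
 source @out@/nix-support/utils.sh
@@ -36,7 +36,7 @@
 nParams=${#params[@]}
 while [ "$n" -lt "$nParams" ]; do
 p=${params[n]}
-p2=${params[n+1]}
+p2=${params[n+1]:-} # handle `p` being last one
 if [ "$p" = -c ]; then
 dontLink=1
 elif [ "$p" = -S ]; then
@@ -79,13 +79,13 @@
 fi
 
 # Optionally filter out paths not refering to the store.
-if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then
+if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then
 rest=()
 nParams=${#params[@]}
 declare -i n=0
 while [ "$n" -lt "$nParams" ]; do
 p=${params[n]}
-p2=${params[n+1]}
+p2=${params[n+1]:-} # handle `p` being last one
 if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
 skip "${p:2}"
 elif [ "$p" = -L ] && badPath "$p2"; then
@@ -162,13 +162,15 @@
 fi
 
 # Optionally print debug info.
-if [ -n "$NIX_DEBUG" ]; then
+if [ -n "${NIX_DEBUG:-}" ]; then
+set +u # Old bash workaround, see ld-wrapper for explanation.
 echo "extra flags before to @prog@:" >&2
 printf " %q\n" "${extraBefore[@]}" >&2
 echo "original flags to @prog@:" >&2
 printf " %q\n" "${params[@]}" >&2
 echo "extra flags after to @prog@:" >&2
 printf " %q\n" "${extraAfter[@]}" >&2
+set -u
 fi
 
 if [ -n "$NIX_CC_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
@@ -176,4 +178,5 @@
 fi
 
 PATH="$path_backup"
+set +u # Old bash workaround, see above.
 exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"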
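Review bot: `"$NIX_CC_WRAPPER_@infixSalt@_START_HOOK"`, `"$NIX_CC_WRAPPER_@infixSalt@_EXEC_HOOK"` and `-n "$NIX_STORE"` are still bare expansions while line 2 now enables `set -u`, so if any of them is unset the wrapper aborts before it reaches the compiler. The commit message relies on `add-flags.sh` defining the relevant `NIX_*` variables, and the reorder does source it first, but that file is not part of this diff and is skipped when `..._FLAGS_SET` is already non-empty, so coverage of the hook variables cannot be confirmed from here. Either guard them like the others, e.g. `if [ -n "${NIX_CC_WRAPPER_@infixSalt@_START_HOOK:-}" ]; then`, or add a comment naming where they are guaranteed to be defined. The same applies to the hook tests in gnat-wrapper.sh and ld-wrapper.sh and to `$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC` in ld-wrapper.sh.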
+10 -7
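--- a/pkgs/build-support/cc-wrapper/gnat-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/gnat-wrapper.sh
@@ -1,6 +1,9 @@
 #! @shell@
-set -e -o pipefail
+set -eu -o pipefail
 shopt -s nullglob
+
+# N.B. Gnat is not used during bootstrapping, so we don't need to
+# worry about the old bash empty array `set -u` workarounds.
 
 path_backup="$PATH"
 
@@ -8,16 +11,16 @@
 # shellcheck disable=SC2157
 if [ -n "@coreutils_bin@" ]; then
 PATH="@coreutils_bin@/bin"
+fi
+
+if [ -z "${NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET:-}" ]; then
+source @out@/nix-support/add-flags.sh
 fi
 
 if [ -n "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" ]; then
 source "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK"
 fi
 
-if [ -z "$NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET" ]; then
-source @out@/nix-support/add-flags.sh
-fi
-
 source @out@/nix-support/utils.sh
 
 
@@ -52,7 +55,7 @@
 
 # Optionally filter out paths not refering to the store.
 params=("$@")
-if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then
+if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then
 rest=()
 for p in "${params[@]}"; do
 if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
@@ -110,7 +113,7 @@
 #fi
 
 # Optionally print debug info.
-if [ -n "$NIX_DEBUG" ]; then
+if [ -n "${NIX_DEBUG:-}" ]; then
 echo "extra flags before to @prog@:" >&2
 printf " %q\n" "${extraBefore[@]}" >&2
 echo "original flags to @prog@:" >&2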
+19 -12
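--- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@@ -10,12 +10,12 @@
 PATH="@coreutils_bin@/bin"
 fi
 
-if [ -n "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" ]; then
-source "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK"
+if [ -z "${NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then
+source @out@/nix-support/add-flags.sh
 fi
 
-if [ -z "$NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET" ]; then
-source @out@/nix-support/add-flags.sh
+if [ -n "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" ]; then
+source "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK"
 fi
 
 source @out@/nix-support/utils.sh
@@ -23,14 +23,14 @@
 
 # Optionally filter out paths not refering to the store.
 expandResponseParams "$@"
-if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE"
-&& ( -z "$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC" || -z "$NIX_@infixSalt@_LDFLAGS_SET" ) ]]; then
+if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE"
+&& ( -z "$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC" || -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ) ]]; then
 rest=()
 nParams=${#params[@]}
 declare -i n=0
 while [ "$n" -lt "$nParams" ]; do
 p=${params[n]}
-p2=${params[n+1]}
+p2=${params[n+1]:-} # handle `p` being last one
 if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
 skip "${p:2}"
 elif [ "$p" = -L ] && badPath "$p2"; then
@@ -59,7 +59,7 @@
 extraAfter=("${hardeningLDFlags[@]}")
 extraBefore=()
 
-if [ -z "$NIX_@infixSalt@_LDFLAGS_SET" ]; then
+if [ -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ]; then
 extraAfter+=($NIX_@infixSalt@_LDFLAGS)
 extraBefore+=($NIX_@infixSalt@_LDFLAGS_BEFORE)
 fi
@@ -73,7 +73,11 @@
 # Find all -L... switches for rpath, and relocatable flags for build id.
 if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ] || [ "$NIX_@infixSalt@_SET_BUILD_ID" = 1 ]; then
 prev=
+# Old bash thinks empty arrays are undefined, ugh, so temporarily disable
+# `set -u`.
+set +u
 for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"; do
+set -u
 case "$prev" in
 -L)
 libDirs+=("$p")
@@ -119,7 +123,7 @@
 if [[ "$dir" =~ [/.][/.] ]] && dir2=$(readlink -f "$dir"); then
 dir="$dir2"
 fi
-if [ "${rpaths[$dir]}" ] || [[ "$dir" != "$NIX_STORE"/* ]]; then
+if [ -n "${rpaths[$dir]:-}" ] || [[ "$dir" != "$NIX_STORE"/* ]]; then
 # If the path is not in the store, don't add it to the rpath.
 # This typically happens for libraries in /tmp that are later
 # copied to $out/lib. If not, we're screwed.
@@ -127,9 +131,9 @@
 fi
 for path in "$dir"/lib*.so; do
 file="${path##*/}"
-if [ "${libs[$file]}" ]; then
+if [ "${libs[$file]:-}" ]; then
 libs["$file"]=
-if [ ! "${rpaths[$dir]}" ]; then
+if [ -z "${rpaths[$dir]:-}" ]; then
 rpaths["$dir"]=1
 extraAfter+=(-rpath "$dir")
 fi
@@ -147,13 +151,15 @@
 
 
 # Optionally print debug info.
-if [ -n "$NIX_DEBUG" ]; then
+if [ -n "${NIX_DEBUG:-}" ]; then
+set +u # Old bash workaround, see above.
 echo "extra flags before to @prog@:" >&2
 printf " %q\n" "${extraBefore[@]}" >&2
 echo "original flags to @prog@:" >&2
 printf " %q\n" "${params[@]}" >&2
 echo "extra flags after to @prog@:" >&2
 printf " %q\n" "${extraAfter[@]}" >&2
+set -u
 fi
 
 if [ -n "$NIX_LD_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
@@ -161,4 +167,5 @@
 fi
 
 PATH="$path_backup"
+set +u # Old bash workaround, see above.
 exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"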
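Review bot: `set -u` is restored only inside the loop body at new lines 78–80 (`set +u`, then `for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"; do`, then `set -u`), so when all three arrays are empty the body never runs and nounset stays off for the rest of the script. That is the very case the workaround targets, since the comment says old bash treats empty arrays as undefined. A second `set -u` directly after the loop's `done` would close the gap. The `done` and the rest of the loop body lie outside this hunk, so the exact spot cannot be quoted from here.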
+1 -1
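--- a/pkgs/build-support/cc-wrapper/utils.sh
+++ b/pkgs/build-support/cc-wrapper/utils.sh
@@ -1,5 +1,5 @@
 skip () {
-if [ -n "$NIX_DEBUG" ]; then
+if [ -n "${NIX_DEBUG:-}" ]; then
 echo "skipping impure path $1" >&2
 fi
 }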