cc-wrapper: add trivialautovarinit hardening flag support

this equates to -ftrivial-auto-var-init=pattern

clang has removed support for -ftrivial-auto-var-init=zero and
is unlikely to re-add it, so use -ftrivial-auto-var-init=pattern
on both compilers, if only to make behaviour more consistent
between the two.

add to pkgsExtraHardening's defaultHardeningFlags.

+12 -4
+2
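--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -310,6 +310,8 @@
 
 - A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.
 
+- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
+
 - New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
   The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.
 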
+5 -1
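--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -32,7 +32,7 @@
 fi
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format trivialautovarinit zerocallusedregs)
   declare -A hardeningDisableMap=()
 
   # Determine which flags were effectively disabled so we can report below.
@@ -105,6 +105,10 @@
       else
         hardeningCFlagsBefore+=('-fno-strict-overflow')
       fi
+      ;;
+    trivialautovarinit)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling trivialautovarinit >&2; fi
+      hardeningCFlagsBefore+=('-ftrivial-auto-var-init=pattern')
       ;;
     format)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi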
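Review bot: The new `trivialautovarinit)` arm passes `-ftrivial-auto-var-init=pattern` unconditionally, yet only the GCC side of this commit gains an unsupported-flag gate (`!atLeast12` in pkgs/development/compilers/gcc/default.nix); nothing here gates the flag for clang, so any clang package set older than the release that introduced the option would fail with an unknown-argument error unless its `hardeningUnsupportedFlags` is updated too — worth confirming which clang versions are still built. A one-line comment above the new `hardeningCFlagsBefore+=` would also stop the next reader from assuming zero-initialisation: `# =pattern, not =zero: locals are filled with a fixed byte pattern, so an uninitialised read is more likely to crash than to silently read 0`. If the stdenv manual's per-flag hardening list is still maintained, it should gain a `trivialautovarinit` entry next to `zerocallusedregs`, since the release note alone does not say what the flag costs or protects against. The `case` statement this arm belongs to starts and ends outside the hunk.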
+1 -1
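--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@@ -408,7 +408,7 @@
   isGNU = true;
   hardeningUnsupportedFlags = lib.optional is48 "stackprotector"
     ++ lib.optional (!atLeast11) "zerocallusedregs"
-    ++ lib.optional (!atLeast12) "fortify3"
+    ++ lib.optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]
     ++ lib.optionals (langFortran) [ "fortify" "format" ];
 };
 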
+1
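--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -249,6 +249,7 @@
     "relro"
     "stackprotector"
     "strictoverflow"
+    "trivialautovarinit"
     "zerocallusedregs"
   ];
   defaultHardeningFlags =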
+1 -1
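--- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
@@ -15,5 +15,5 @@
   langC = true;
   langCC = true;
   isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)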
+1 -1
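--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@@ -15,5 +15,5 @@
   langC = true;
   langCC = true;
   isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)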
+1
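--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@@ -284,6 +284,7 @@
     stdenv = super'.withDefaultHardeningFlags (
       super'.stdenv.cc.defaultHardeningFlags ++ [
         "zerocallusedregs"
+        "trivialautovarinit"
       ]
     ) super'.stdenv;
   })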