Merge pull request #246244 from risicle/ris-fortify-flags-after

cc-wrapper: add fortify flags after invocation args, not before

authored by

Robert Scott and committed by
GitHub
83f8ea1f a42bbe34

+18 -13
+16 -11
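--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,4 +1,5 @@
-declare -a hardeningCFlags=()
+declare -a hardeningCFlagsAfter=()
+declare -a hardeningCFlagsBefore=()
 
 declare -A hardeningEnableMap=()
 
@@ -48,15 +49,19 @@
 fortify | fortify3)
 # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
 # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+hardeningCFlagsBefore+=('-O2' '-U_FORTIFY_SOURCE')
+# Unset any _FORTIFY_SOURCE values the command-line may have set before
+# enforcing our own value, avoiding (potentially fatal) redefinition
+# warnings
+hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')
 case $flag in
 fortify)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
-hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=2')
 ;;
 fortify3)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
-hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=3')
 ;;
 *)
 # Ignore unsupported.
@@ -65,20 +70,20 @@
 ;;
 stackprotector)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
-hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
+hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
 ;;
 pie)
 # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}")
 if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
+hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}")
 fi
 ;;
 pic)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
-hardeningCFlags+=('-fPIC')
+hardeningCFlagsBefore+=('-fPIC')
 ;;
 strictoverflow)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
@@ -89,14 +94,14 @@
 #
 # See: https://github.com/llvm/llvm-project/blob/llvmorg-16.0.6/clang/lib/Driver/ToolChains/Clang.cpp#L6315
 #
-hardeningCFlags+=('-fwrapv')
+hardeningCFlagsBefore+=('-fwrapv')
 else
-hardeningCFlags+=('-fno-strict-overflow')
+hardeningCFlagsBefore+=('-fno-strict-overflow')
 fi
 ;;
 format)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
-hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
 ;;
 *)
 # Ignore unsupported. Checked in Nix that at least *some*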
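Review bot: The new comment above `hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')` explains the redefinition-warning motivation but not the precedence change it introduces: if `hardeningCFlagsAfter` is appended after the invocation's own arguments as its name suggests, a package that passes `-D_FORTIFY_SOURCE=0` or `-U_FORTIFY_SOURCE` on its own command line to opt out per file is now silently overridden, where previously the package's flag came last and won. That is a reasonable hardening default, but it should be stated so that maintainers debugging a fortify-related build failure know the command-line flag is no longer an escape hatch; I would extend the comment with `# NB: because these come after the invocation's args, a package-supplied -D_FORTIFY_SOURCE=<n> no longer wins; opt out through the hardening disable mechanism (hardeningEnableMap), not a command-line -D`. It is also worth a note that the `-U_FORTIFY_SOURCE` kept in `hardeningCFlagsBefore` now only serves the toolchain-injected `-D_FORTIFY_SOURCE=0` case described in the existing comment, since the trailing `-U` covers everything else. The `case "$flag"` dispatch these arms belong to starts and ends outside the hunk.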
+2 -2
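--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -171,8 +171,8 @@
 source @out@/nix-support/add-hardening.sh
 
 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@)
-extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
+extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
+extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
 
 if [ "$dontLink" != 1 ]; then
 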
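Review bot: In the new `extraAfter=` line the hardening flags are placed before `$NIX_CFLAGS_COMPILE_@suffixSalt@`, so a `-D_FORTIFY_SOURCE=0` or `-U_FORTIFY_SOURCE` arriving through that environment variable still lands last on the compiler command line and overrides the level add-hardening.sh claims to enforce, while the same flag passed directly by the build no longer does. If the environment variable is meant to remain the escape hatch that asymmetry should be recorded next to the assignment, e.g. `# hardening "after" flags still yield to NIX_CFLAGS_COMPILE, which stays the last word`; if it is not, the two parts should be swapped: `extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@ ${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"})`. The unquoted `$NIX_CFLAGS_COMPILE_@suffixSalt@` relies on word splitting, as the old line did, so that part is unchanged behaviour. The `if [ "$dontLink" != 1 ]` block that follows continues outside the hunk.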