Merge pull request #246244 from risicle/ris-fortify-flags-after

cc-wrapper: add fortify flags after invocation args, not before

authored by

Robert Scott and committed by
GitHub
83f8ea1f a42bbe34

+18 -13
+16 -11
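--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,4 +1,5 @@
-declare -a hardeningCFlags=()
+declare -a hardeningCFlagsAfter=()
+declare -a hardeningCFlagsBefore=()
 
 declare -A hardeningEnableMap=()
 
@@ -48,15 +49,19 @@
 fortify | fortify3)
 # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
 # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+hardeningCFlagsBefore+=('-O2' '-U_FORTIFY_SOURCE')
+# Unset any _FORTIFY_SOURCE values the command-line may have set before
+# enforcing our own value, avoiding (potentially fatal) redefinition
+# warnings
+hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')
 case $flag in
 fortify)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
-hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=2')
 ;;
 fortify3)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
-hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=3')
 ;;
 *)
 # Ignore unsupported.
@@ -65,20 +70,20 @@
 ;;
 stackprotector)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
-hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
+hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
 ;;
 pie)
 # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}")
 if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
+hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}")
 fi
 ;;
 pic)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
-hardeningCFlags+=('-fPIC')
+hardeningCFlagsBefore+=('-fPIC')
 ;;
 strictoverflow)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
@@ -89,14 +94,14 @@
 #
 # See: https://github.com/llvm/llvm-project/blob/llvmorg-16.0.6/clang/lib/Driver/ToolChains/Clang.cpp#L6315
 #
-hardeningCFlags+=('-fwrapv')
+hardeningCFlagsBefore+=('-fwrapv')
 else
-hardeningCFlags+=('-fno-strict-overflow')
+hardeningCFlagsBefore+=('-fno-strict-overflow')
 fi
 ;;
 format)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
-hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
 ;;
 *)
 # Ignore unsupported. Checked in Nix that at least *some*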
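Review bot: The new `hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')` / `-D_FORTIFY_SOURCE=2` lines (new 56, 60, 64) silently override a package's own `-D_FORTIFY_SOURCE=0`, while `-O2` stays in the "before" set where a later `-O0` from the invocation still wins; a build that passed `-O0 -D_FORTIFY_SOURCE=0` therefore now ends up with fortify forced on and no optimisation, which libcs typically report with a `#warning` ("requires compiling with optimization") that is fatal under `-Werror`. The added comment only mentions redefinition warnings, so the opt-out path should be named there, e.g. `# Packages can no longer opt out via -D_FORTIFY_SOURCE=0 on the command line; disable the "fortify" hardening flag instead (see hardeningEnableMap).` The enclosing `case` over hardening flags begins and ends outside these hunks, so I cannot see whether a debug message is printed for the enforced override.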
+2 -2
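--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -171,8 +171,8 @@
 source @out@/nix-support/add-hardening.sh
 
 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@)
-extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
+extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
+extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
 
 if [ "$dontLink" != 1 ]; then
 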
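Review bot: The enforcement this commit aims for stops short of the environment: on the new `extraAfter=` line the hardening flags are expanded before `$NIX_CFLAGS_COMPILE_@suffixSalt@`, so a `-U_FORTIFY_SOURCE` or `-D_FORTIFY_SOURCE=0` supplied through that variable still lands last on the compiler command line and wins, which is the same precedence problem the commit removes for invocation args. If that is deliberate (the env var as the escape hatch), a comment should say so, e.g. `# hardening "after" flags precede NIX_CFLAGS_COMPILE so the environment can still override them`; if not, swap the order to `extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@ ${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"})`. The unquoted `$NIX_CFLAGS_COMPILE_@suffixSalt@` depends on word-splitting, which is pre-existing and presumably intentional here. The surrounding wrapper logic continues outside the hunk in both directions.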