# Linker flags that the hardening logic below decides to add; the enclosing
# wrapper is expected to hand these to the linker.
declare -a hardeningLDFlags=()

# Set of requested hardening flags, keyed by flag name (the value is always 1).
declare -A hardeningEnableMap=()

# The list is deliberately left unquoted: 'NIX_HARDENING_ENABLE_<suffixSalt>'
# holds a whitespace-separated list when it is set from Nix, and the `-`
# default expansion keeps `set -u` from tripping when it is unset.
for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do
  hardeningEnableMap["$flag"]=1
done

# Flags this toolchain cannot honour are dropped again. The list between the
# `@` markers is filled in when the wrapper is built, so a flag removed here
# never reaches the linker even if it was requested.
for flag in @hardening_unsupported_flags@; do
  unset -v "hardeningEnableMap[$flag]"
done
16
if (( "${NIX_DEBUG:-0}" >= 1 )); then
  # Every flag the case statement further down knows how to apply.
  declare -a allHardeningFlags=(pie relro bindnow)
  declare -A hardeningDisableMap=()

  # A known flag that is absent from the enable map counts as disabled. The
  # map is only collected for the report; nothing else in this file reads it.
  for flag in "${allHardeningFlags[@]}"; do
    if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
      hardeningDisableMap[$flag]=1
    fi
  done

  # Diagnostics go to stderr; %q keeps the report unambiguous for odd names.
  printf 'HARDENING: disabled flags:' >&2
  if (( "${#hardeningDisableMap[@]}" )); then
    printf ' %q' "${!hardeningDisableMap[@]}" >&2
  fi
  echo >&2

  if (( "${#hardeningEnableMap[@]}" )); then
    echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2
  fi
fi
36
for flag in "${!hardeningEnableMap[@]}"; do
  case $flag in
    pie)
      # `params` is the wrapper's argument array and is set outside this file.
      # Every pattern below has its flag text quoted, so these are plain
      # substring matches on whitespace-delimited tokens (the original used
      # `=~` with a quoted, i.e. literal, right-hand side). Note that
      # ` -static ` therefore does not match `-static-pie`, so -pie is still
      # added for a static-pie link — presumably intended; confirm.
      # Shared objects, static links and relocatable/incremental links (-r,
      # -Ur, -i) never get -pie.
      if [[ " ${params[*]} " != *" -shared "* && \
            " ${params[*]} " != *" -static "* && \
            " ${params[*]} " != *" -r "* && \
            " ${params[*]} " != *" -Ur "* && \
            " ${params[*]} " != *" -i "* ]]; then
        if (( "${NIX_DEBUG:-0}" >= 1 )); then
          printf 'HARDENING: enabling LDFlags -pie\n' >&2
        fi
        hardeningLDFlags+=('-pie')
      fi
      ;;
    relro)
      # `-z relro`: relocation sections become read-only after startup.
      if (( "${NIX_DEBUG:-0}" >= 1 )); then
        printf 'HARDENING: enabling relro\n' >&2
      fi
      hardeningLDFlags+=('-z' 'relro')
      ;;
    bindnow)
      # `-z now`: resolve all symbols at load time; together with relro this
      # gives "full RELRO".
      if (( "${NIX_DEBUG:-0}" >= 1 )); then
        printf 'HARDENING: enabling bindnow\n' >&2
      fi
      hardeningLDFlags+=('-z' 'now')
      ;;
    *)
      # Anything else is skipped here without a message: Nix checks that at
      # least one tool honours each requested flag, and this wrapper only
      # handles the linker-side ones listed above.
      ;;
  esac
done