2018-04-11 19:00:13 +01:00
|
|
|
declare -a hardeningCFlags=()
|
|
|
|
|
|
|
|
declare -A hardeningEnableMap=()
|
2016-03-07 20:39:26 +00:00
|
|
|
|
2018-04-11 19:00:13 +01:00
|
|
|
# Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
|
|
|
|
# array expansion also prevents undefined variables from causing trouble with
|
|
|
|
# `set -u`.
|
2020-04-28 05:08:48 +01:00
|
|
|
for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do
|
2018-04-11 19:00:13 +01:00
|
|
|
hardeningEnableMap["$flag"]=1
|
|
|
|
done
|
2016-02-26 17:38:15 +00:00
|
|
|
|
2018-04-11 19:00:13 +01:00
|
|
|
# Remove unsupported flags.
|
|
|
|
for flag in @hardening_unsupported_flags@; do
|
2018-04-14 15:16:34 +01:00
|
|
|
unset -v "hardeningEnableMap[$flag]"
|
2017-08-02 17:48:51 +01:00
|
|
|
done
|
2016-03-11 13:02:07 +00:00
|
|
|
|
2017-09-20 00:10:49 +01:00
|
|
|
if (( "${NIX_DEBUG:-0}" >= 1 )); then
|
2018-04-11 19:00:13 +01:00
|
|
|
declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
|
|
|
|
declare -A hardeningDisableMap=()
|
|
|
|
|
|
|
|
# Determine which flags were effectively disabled so we can report below.
|
|
|
|
for flag in "${allHardeningFlags[@]}"; do
|
|
|
|
if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
|
|
|
|
hardeningDisableMap["$flag"]=1
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
2017-08-02 17:48:51 +01:00
|
|
|
printf 'HARDENING: disabled flags:' >&2
|
|
|
|
(( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
|
|
|
|
echo >&2
|
|
|
|
|
2018-04-11 19:00:13 +01:00
|
|
|
if (( "${#hardeningEnableMap[@]}" )); then
|
2017-08-02 17:48:51 +01:00
|
|
|
echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
|
|
|
|
fi
|
2016-02-26 17:38:15 +00:00
|
|
|
fi
|
2018-04-11 19:00:13 +01:00
|
|
|
|
|
|
|
for flag in "${!hardeningEnableMap[@]}"; do
|
|
|
|
case $flag in
|
|
|
|
fortify)
|
|
|
|
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
|
2022-10-01 08:27:38 +01:00
|
|
|
# Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
|
|
|
|
# set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
|
|
|
|
hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE' '-D_FORTIFY_SOURCE=2')
|
2018-04-11 19:00:13 +01:00
|
|
|
;;
|
|
|
|
stackprotector)
|
|
|
|
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
|
|
|
|
hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
|
|
|
|
;;
|
|
|
|
pie)
|
2021-08-24 08:21:04 +01:00
|
|
|
# NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
|
2018-04-11 19:00:13 +01:00
|
|
|
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
|
2021-08-24 08:21:04 +01:00
|
|
|
hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
|
2021-09-21 01:24:04 +01:00
|
|
|
if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then
|
2018-04-11 19:00:13 +01:00
|
|
|
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
|
2021-08-24 08:21:04 +01:00
|
|
|
hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
|
2018-04-11 19:00:13 +01:00
|
|
|
fi
|
|
|
|
;;
|
|
|
|
pic)
|
|
|
|
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
|
|
|
|
hardeningCFlags+=('-fPIC')
|
|
|
|
;;
|
|
|
|
strictoverflow)
|
|
|
|
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
|
|
|
|
hardeningCFlags+=('-fno-strict-overflow')
|
|
|
|
;;
|
|
|
|
format)
|
|
|
|
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
|
|
|
|
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
# Ignore unsupported. Checked in Nix that at least *some*
|
|
|
|
# tool supports each flag.
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
done
|