Merge pull request #28806 from orivej/mkDerivation
mkDerivation: fix hardening flags check
This commit is contained in:
commit
0cdbd2d662
@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
sha256 = "1pv3vs2w4l2wnw5qb0rkbpvjjdd1fwjv87miavqq0r0ynqbfajwx";
sha256 = "1pv3vs2w4l2wnw5qb0rkbpvjjdd1fwjv87miavqq0r0ynqbfajwx";
};
};
hardeningDisable = [ "format" ] ++ lib.optional enableStatic [ "fortify" ];
hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
patches = [ ./busybox-in-store.patch ];
patches = [ ./busybox-in-store.patch ];
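Review bot: The new hardeningDisable line removes the fortify mitigation for static builds without recording why, so a later reader cannot tell whether the exemption is still needed or can be dropped once the underlying issue is gone. A one-line comment above it would do, e.g. `# fortify is disabled for static builds — TODO: record the reason (build failure when linking statically?)`. The enclosing stdenv.mkDerivation rec block starts above the hunk.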
@ -47,15 +47,14 @@ rec {
, ... } @ attrs:
, ... } @ attrs:
# TODO(@Ericson2314): Make this more modular, and not O(n^2).
# TODO(@Ericson2314): Make this more modular, and not O(n^2).
let allHardeningFlags = [
"fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
"bindnow"
];
in assert lib.all
(flag: lib.elem flag allHardeningFlags)
(hardeningEnable ++ hardeningDisable);
let
let
supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);
in if builtins.length erroneousHardeningFlags != 0
then abort ("mkDerivation was called with unsupported hardening flags: " + lib.generators.toPretty {} {
inherit erroneousHardeningFlags hardeningDisable hardeningEnable supportedHardeningFlags;
})
else let
dependencies = map lib.chooseDevOutputs [
dependencies = map lib.chooseDevOutputs [
(map (drv: drv.nativeDrv or drv) nativeBuildInputs
(map (drv: drv.nativeDrv or drv) nativeBuildInputs
++ lib.optional separateDebugInfo ../../build-support/setup-hooks/separate-debug-info.sh
++ lib.optional separateDebugInfo ../../build-support/setup-hooks/separate-debug-info.sh
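Review bot: The special case on the erroneousHardeningFlags line — "all" is stripped from hardeningDisable but left in hardeningEnable — is undocumented, so a reader cannot tell whether rejecting "all" on the enable side while accepting it on the disable side is deliberate. A short comment would settle it: `# "all" is only meaningful in hardeningDisable, so it is dropped before the check; "all" in hardeningEnable is reported as unsupported`. Note also that `abort` cannot be caught by `builtins.tryEval`, unlike `throw`; that is fine for a hard configuration error but worth a word if evaluation-time tooling is expected to recover. As a style point, `builtins.length erroneousHardeningFlags != 0` reads more directly as `erroneousHardeningFlags != []`. The `let` opened at `else let` continues past the hunk, and the function whose parameter list ends at `, ... } @ attrs:` starts above it.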