diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 60e62ffad608..b98833b3513b 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -4,17 +4,11 @@ hardeningCFlags=()
 hardeningLDFlags=()
 hardeningDisable=${hardeningDisable:-""}
-if [[ -z "@ld_supports_bindnow@" ]]; then
- hardeningDisable+=" bindnow"
-fi
-
-if [[ -z "@ld_supports_relro@" ]]; then
- hardeningDisable+=" relro"
-fi
+hardeningDisable+=" @hardening_unsupported_flags@"
 if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
-if [[ ! $hardeningDisable == "all" ]]; then
+if [[ ! $hardeningDisable =~ "all" ]]; then
 if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
 for flag in "${hardeningFlags[@]}"
 do
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 08ca8195b68b..8a746ea016ef 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
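Review bot: In add-hardening.sh the new test `[[ ! $hardeningDisable =~ "all" ]]` quotes the right-hand side, so bash compares it as a literal substring: any token in `hardeningDisable` that merely contains `all` turns off every hardening flag, not only the standalone `all` keyword. As far as the hunk shows, nothing is printed in that case unless `NIX_DEBUG` is set, so a build could lose relro, bindnow and the other flags without notice. A whole-word match still copes with the value now being space-padded while staying strict: `if [[ ! " $hardeningDisable " == *" all "* ]]; then`. The `if` body and the `for` loop continue outside the hunk.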
@@ -237,9 +237,14 @@ stdenv.mkDerivation {
 cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
 rm $out/nix-support/setup-hook.tmp
- # some linkers on some platforms don't support -z
- export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]])
- export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]])
+ # some linkers on some platforms don't support specific -z flags
+ hardening_unsupported_flags=""
+ if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ "unknown option" ]]; then
+ hardening_unsupported_flags+=" bindnow"
+ fi
+ if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "unknown option" ]]; then
+ hardening_unsupported_flags+=" relro"
+ fi
 substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
 substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
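Review bot: Both probes in default.nix now match only the literal text `unknown option`; the removed pattern also meant to cover `unrecognized option`, and because the right-hand side of `=~` is quoted it is compared as a plain string rather than a regex. A linker that reports an unsupported `-z` flag with the other wording would get nothing added to `hardening_unsupported_flags`, and presumably the wrapper would then still pass `-z relro` / `-z now` to it. If both spellings are intended, keep the regex in a variable and leave it unquoted: `unsupported_re='un(known|recognized) option'` and `if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ $unsupported_re ]]; then`, with the same change for the `relro` probe. The enclosing build script starts and ends outside the hunk.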