hardenning: Rejigger ifs and explicit declare and unset -v

2018-04-10 15:42:05 -04:00 · 2018-04-10 15:42:05 -04:00 · 4c76d87871
commit 4c76d87871
parent 386e77dae9
2 changed files with 14 additions and 16 deletions
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@ -1,4 +1,4 @@
-hardeningFlags=()
+declare -a hardeningLDFlags=()
 declare -A hardeningEnableMap=()
@ -11,14 +11,14 @@ done
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
-  unset hardeningEnableMap[$flag]
+  unset -v hardeningEnableMap["$flag"]
 done
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
  # Determine which flags were effectively disabled so we can report below.
-  allHardeningFlags=(pie relro bindnow)
+  declare -a allHardeningFlags=(pie relro bindnow)
  declare -A hardeningDisableMap=()
-  for flag in ${allHardeningFlags[@]}; do
+  for flag in "${allHardeningFlags[@]}"; do
    if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
      hardeningDisableMap[$flag]=1
    fi
@ -27,12 +27,12 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
  printf 'HARDENING: disabled flags:' >&2
  (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
  echo >&2
 fi
  if (( "${#hardeningEnableMap[@]}" )); then
  if (( "${NIX_DEBUG:-0}" >= 1 )); then
    echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
  fi
 fi
  for flag in "${!hardeningEnableMap[@]}"; do
      case $flag in
        pie)
@ -55,4 +55,3 @@ if (( "${#hardeningEnableMap[@]}" )); then
          ;;
      esac
  done
 fi
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -1,4 +1,4 @@
-hardeningCFlags=()
+declare -a hardeningCFlags=()
 declare -A hardeningEnableMap=()
@ -11,14 +11,14 @@ done
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
-  unset hardeningEnableMap[$flag]
+  unset -v hardeningEnableMap["$flag"]
 done
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
  # Determine which flags were effectively disabled so we can report below.
-  allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
+  declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
  declare -A hardeningDisableMap=()
-  for flag in ${allHardeningFlags[@]}; do
+  for flag in "${allHardeningFlags[@]}"; do
    if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
      hardeningDisableMap[$flag]=1
    fi
@ -27,12 +27,12 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
  printf 'HARDENING: disabled flags:' >&2
  (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
  echo >&2
 fi
  if (( "${#hardeningEnableMap[@]}" )); then
  if (( "${NIX_DEBUG:-0}" >= 1 )); then
    echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
  fi
 fi
  for flag in "${!hardeningEnableMap[@]}"; do
      case $flag in
        fortify)
@ -69,4 +69,3 @@ if (( "${#hardeningEnableMap[@]}" )); then
          ;;
      esac
  done
 fi