From 57d6a38ed513e80fbd4135b7c2d3a9326a2649fc Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Mon, 22 Feb 2016 18:31:04 +0000
Subject: [PATCH] stdenv: change hardening flags
* remove relro/bindnow from compile flags as they break clang
* use fstackprotector-strong instead of fstackprotector-all for speed
---
 pkgs/stdenv/adapters.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 5a5550ebb04..4f092ee1d97 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -241,11 +241,9 @@ rec {
 NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
 + stdenv.lib.optionalString (args.hardening_all or true) (
 stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
- + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
+ + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong"
 + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
 + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
- + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
- + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
 + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
 + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
 );
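Review bot: Removing `" -Wl,-z,relro"` and `" -Wl,-z,now"` from `NIX_CFLAGS_COMPILE` leaves `hardening_relro` and `hardening_bindnow` with no visible effect, and the diffstat (1 insertion, 3 deletions) shows nothing re-adding them at link time, so packages built through this adapter may lose full RELRO and keep a writable GOT unless the toolchain defaults already supply it. These are linker options, so they would be better moved than dropped, for example `NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") + stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now";`, which should also sidestep the clang problem because the options never reach a compile-only invocation. If the removal is meant to stay, a comment such as `# hardening_relro / hardening_bindnow are currently ignored (linker flags broke clang at compile time)` would stop callers from assuming the two arguments still apply. The attribute set holding this expression starts and ends outside the hunk, so another consumer of those arguments cannot be ruled out from here.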