public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

stdenv: change hardening flags

Browse Source 
* remove relro/bindnow from compile flags as they break clang
 * use fstackprotector-strong instead of fstackprotector-all for speed
This commit is contained in:
Robin Gloster 2016-02-22 18:31:04 +00:00
parent 35f92d9810
commit 57d6a38ed5
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkgs/stdenv/adapters.nix
View File

@ -241,11 +241,9 @@ rec {
NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
+ stdenv.lib.optionalString (args.hardening_all or true) ( + stdenv.lib.optionalString (args.hardening_all or true) (
stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2" stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
+ stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all" + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong"
+ stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie" + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
+ stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC" + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
+ stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
+ stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
+ stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow" + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
+ stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security" + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
); );