cc-wrapper: fix detection of unsupported linker flags

pkgs/build-support/cc-wrapper/add-hardening.sh

@@ -4,17 +4,11 @@ hardeningCFlags=()
 hardeningLDFlags=()
 hardeningDisable=${hardeningDisable:-""}
 
-if [[ -z "@ld_supports_bindnow@" ]]; then
+hardeningDisable+=" @hardening_unsupported_flags@"
-  hardeningDisable+=" bindnow"
-fi
-
-if [[ -z "@ld_supports_relro@" ]]; then
-  hardeningDisable+=" relro"
-fi
 
 if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
 
-if [[ ! $hardeningDisable == "all" ]]; then
+if [[ ! $hardeningDisable =~ "all" ]]; then
   if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
   for flag in "${hardeningFlags[@]}"
   do

pkgs/build-support/cc-wrapper/default.nix

@@ -237,9 +237,14 @@ stdenv.mkDerivation {
       cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
       rm $out/nix-support/setup-hook.tmp
 
-      # some linkers on some platforms don't support -z
+      # some linkers on some platforms don't support specific -z flags
-      export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]])
+      hardening_unsupported_flags=""
-      export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]])
+      if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ "unknown option" ]]; then
+        hardening_unsupported_flags+=" bindnow"
+      fi
+      if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "unknown option" ]]; then
+        hardening_unsupported_flags+=" relro"
+      fi
 
       substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
       substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh