public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use a hardened stdenv by default

Browse Source
This commit is contained in:
Franz Pletz 2015-12-23 02:59:47 +01:00 committed by Robin Gloster
parent c5f092c6a7
commit 954e9903ad
51 changed files with 131 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkgs/applications/audio/cdparanoia/default.nix
View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80"; sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
}; };
noHardening_format = true;
preConfigure = "unset CC"; preConfigure = "unset CC";
patches = stdenv.lib.optionals stdenv.isDarwin [ patches = stdenv.lib.optionals stdenv.isDarwin [

2
pkgs/applications/audio/mpg321/default.nix
View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"; sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
}; };
noHardening_format = true;
configureFlags = [ configureFlags = [
("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no")) ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
]; ];

2
pkgs/applications/networking/browsers/w3m/default.nix
View File

@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
''; '';
noHardening_format = true;
configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
+ optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";

2
pkgs/applications/version-management/git-and-tools/git/default.nix
View File

@ -21,6 +21,8 @@ stdenv.mkDerivation {
sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs"; sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs";
}; };
noHardening_format = true;
patches = [ patches = [
./docbook2texi.patch ./docbook2texi.patch
./symlinks-in-bin.patch ./symlinks-in-bin.patch

2
pkgs/applications/virtualization/xen/generic.nix
View File

@ -75,6 +75,8 @@ stdenv.mkDerivation {
pythonPath = [ pythonPackages.curses ]; pythonPath = [ pythonPackages.curses ];
noHardening_all = true;
patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
postPatch = '' postPatch = ''

2
pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71"; sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
}; };
noHardening_format = true;
patches = [ ./glib.patch ./cups_1.6.patch ]; patches = [ ./glib.patch ./cups_1.6.patch ];
buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ]; buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ];

2
pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
View File

@ -10,4 +10,6 @@ stdenv.mkDerivation {
buildInputs = [ pkgconfig gtk gettext ]; buildInputs = [ pkgconfig gtk gettext ];
propagatedBuildInputs = [ libxml2 ]; propagatedBuildInputs = [ libxml2 ];
noHardening_format = true;
} }

2
pkgs/development/compilers/dev86/default.nix
View File

@ -8,6 +8,8 @@ stdenv.mkDerivation {
sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
}; };
noHardening_format = true;
makeFlags = "PREFIX=$(out)"; makeFlags = "PREFIX=$(out)";
# Awful hackery to get dev86 to compile with recent gcc/binutils. # Awful hackery to get dev86 to compile with recent gcc/binutils.

2
pkgs/development/compilers/gcc/4.5/default.nix
View File

@ -134,6 +134,8 @@ stdenv.mkDerivation ({
inherit langC langCC langFortran langJava langAda; inherit langC langCC langFortran langJava langAda;
}; };
noHardening_all = true;
patches = patches =
[ ] [ ]
++ optional (cross != null) ../libstdc++-target.patch ++ optional (cross != null) ../libstdc++-target.patch

2
pkgs/development/compilers/gcc/4.9/default.nix
View File

@ -218,6 +218,8 @@ stdenv.mkDerivation ({
inherit patches; inherit patches;
noHardening_format = true;
postPatch = postPatch =
if (stdenv.isGNU if (stdenv.isGNU
|| (libcCross != null # e.g., building `gcc.crossDrv' || (libcCross != null # e.g., building `gcc.crossDrv'

2
pkgs/development/compilers/go/1.4.nix
View File

@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
buildInputs = [ pcre ]; buildInputs = [ pcre ];
propagatedBuildInputs = lib.optional stdenv.isDarwin Security; propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
noHardening_all = true;
# I'm not sure what go wants from its 'src', but the go installation manual # I'm not sure what go wants from its 'src', but the go installation manual
# describes an installation keeping the src. # describes an installation keeping the src.
preUnpack = '' preUnpack = ''

2
pkgs/development/compilers/go/1.5.nix
View File

@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
Security Foundation Security Foundation
]; ];
noHardening_all = true;
# I'm not sure what go wants from its 'src', but the go installation manual # I'm not sure what go wants from its 'src', but the go installation manual
# describes an installation keeping the src. # describes an installation keeping the src.
preUnpack = '' preUnpack = ''

6
pkgs/development/haskell-modules/configuration-common.nix
View File

@ -44,7 +44,11 @@ self: super: {
options_1_2 = dontCheck super.options_1_2; options_1_2 = dontCheck super.options_1_2;
options = dontCheck super.options; options = dontCheck super.options;
statistics = dontCheck super.statistics; statistics = dontCheck super.statistics;
c2hs = if pkgs.stdenv.isDarwin then dontCheck super.c2hs else super.c2hs; c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: {
noHardening_format = true;
doCheck = false;
});
in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_;
# The package doesn't compile with ruby 1.9, which is our default at the moment. # The package doesn't compile with ruby 1.9, which is our default at the moment.
hruby = super.hruby.override { ruby = pkgs.ruby_2_1; }; hruby = super.hruby.override { ruby = pkgs.ruby_2_1; };

2
pkgs/development/libraries/CoinMP/default.nix
View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6";
}; };
noHardening_format = true;
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = https://projects.coin-or.org/CoinMP/; homepage = https://projects.coin-or.org/CoinMP/;
description = "COIN-OR lightweight API for COIN-OR libraries CLP, CBC, and CGL"; description = "COIN-OR lightweight API for COIN-OR libraries CLP, CBC, and CGL";

2
pkgs/development/libraries/audio/libbs2b/default.nix
View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
buildInputs = [ pkgconfig libsndfile ]; buildInputs = [ pkgconfig libsndfile ];
noHardening_format = true;
meta = { meta = {
homepage = "http://bs2b.sourceforge.net/"; homepage = "http://bs2b.sourceforge.net/";
description = "Bauer stereophonic-to-binaural DSP library"; description = "Bauer stereophonic-to-binaural DSP library";

2
pkgs/development/libraries/fribidi/default.nix
View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b";
}; };
noHardening_format = true;
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = http://fribidi.org/; homepage = http://fribidi.org/;
description = "GNU implementation of the Unicode Bidirectional Algorithm (bidi)"; description = "GNU implementation of the Unicode Bidirectional Algorithm (bidi)";

2
pkgs/development/libraries/gd/default.nix
View File

@ -12,6 +12,8 @@ stdenv.mkDerivation {
propagatedBuildInputs = [libjpeg fontconfig]; # urgh propagatedBuildInputs = [libjpeg fontconfig]; # urgh
noHardening_format = true;
configureFlags = "--without-x"; configureFlags = "--without-x";
meta = { meta = {

2
pkgs/development/libraries/gettext/default.nix
View File

@ -10,6 +10,8 @@ stdenv.mkDerivation (rec {
outputs = [ "out" "doc" ]; outputs = [ "out" "doc" ];
noHardening_format = true;
LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else "";
configureFlags = [ "--disable-csharp" "--with-xz" ] configureFlags = [ "--disable-csharp" "--with-xz" ]

2
pkgs/development/libraries/giflib/libungif.nix
View File

@ -6,5 +6,7 @@ stdenv.mkDerivation {
url = mirror://sourceforge/giflib/libungif-4.1.4.tar.gz; url = mirror://sourceforge/giflib/libungif-4.1.4.tar.gz;
md5 = "efdfcf8e32e35740288a8c5625a70ccb"; md5 = "efdfcf8e32e35740288a8c5625a70ccb";
}; };
noHardening_format = true;
} }

4
pkgs/development/libraries/glibc/common.nix
View File

@ -213,6 +213,10 @@ stdenv.mkDerivation ({
preBuild = "unset NIX_DONT_SET_RPATH"; preBuild = "unset NIX_DONT_SET_RPATH";
} }
// stdenv.lib.optionalAttrs (name == "glibc-locales") {
noHardening_stackprotector = true;
}
// stdenv.lib.optionalAttrs (hurdHeaders != null) { // stdenv.lib.optionalAttrs (hurdHeaders != null) {
# Work around the fact that the configure snippet that looks for # Work around the fact that the configure snippet that looks for
# <hurd/version.h> does not honor `--with-headers=$sysheaders' and that # <hurd/version.h> does not honor `--with-headers=$sysheaders' and that

2
pkgs/development/libraries/glibc/default.nix
View File

@ -25,6 +25,8 @@ in
builder = ./builder.sh; builder = ./builder.sh;
noHardening_all = true;
# When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
# any program we run, because the gcc will have been placed at a new # any program we run, because the gcc will have been placed at a new
# store path than that determined when built (as a source for the # store path than that determined when built (as a source for the

2
pkgs/development/libraries/gnu-efi/default.nix
View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65"; sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65";
}; };
noHardening_all = true;
buildInputs = [ pciutils ]; buildInputs = [ pciutils ];
makeFlags = [ makeFlags = [

2
pkgs/development/libraries/libgphoto2/default.nix
View File

@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
# These are mentioned in the Requires line of libgphoto's pkg-config file. # These are mentioned in the Requires line of libgphoto's pkg-config file.
propagatedBuildInputs = [ libexif ]; propagatedBuildInputs = [ libexif ];
noHardening_format = true;
meta = { meta = {
homepage = http://www.gphoto.org/proj/libgphoto2/; homepage = http://www.gphoto.org/proj/libgphoto2/;
description = "A library for accessing digital cameras"; description = "A library for accessing digital cameras";

2
pkgs/development/libraries/libvisual/default.nix
View File

@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
buildInputs = [ pkgconfig glib ]; buildInputs = [ pkgconfig glib ];
noHardening_format = true;
meta = { meta = {
description = "An abstraction library for audio visualisations"; description = "An abstraction library for audio visualisations";
homepage = "http://sourceforge.net/projects/libvisual/"; homepage = "http://sourceforge.net/projects/libvisual/";

2
pkgs/development/libraries/pupnp/default.nix
View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k";
}; };
noHardening_all = true;
meta = { meta = {
description = "libupnp, an open source UPnP development kit for Linux"; description = "libupnp, an open source UPnP development kit for Linux";

2
pkgs/development/libraries/speechd/default.nix
View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
buildInputs = [ dotconf glib pkgconfig ]; buildInputs = [ dotconf glib pkgconfig ];
noHardening_format = true;
meta = { meta = {
description = "Common interface to speech synthesis"; description = "Common interface to speech synthesis";

2
pkgs/development/tools/misc/elfutils/default.nix
View File

@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
patches = [ ./glibc-2.21.patch ]; patches = [ ./glibc-2.21.patch ];
noHardening_format = true;
# We need bzip2 in NativeInputs because otherwise we can't unpack the src, # We need bzip2 in NativeInputs because otherwise we can't unpack the src,
# as the host-bzip2 will be in the path. # as the host-bzip2 will be in the path.
nativeBuildInputs = [ m4 bison flex gettext bzip2 ]; nativeBuildInputs = [ m4 bison flex gettext bzip2 ];

2
pkgs/os-specific/linux/acpi-call/default.nix
View File

@ -9,6 +9,8 @@ stdenv.mkDerivation {
sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
}; };
noHardening_pic = true;
preBuild = '' preBuild = ''
sed -e 's/break/true/' -i examples/turn_off_gpu.sh sed -e 's/break/true/' -i examples/turn_off_gpu.sh
sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh

2
pkgs/os-specific/linux/busybox/default.nix
View File

@ -33,6 +33,8 @@ stdenv.mkDerivation rec {
sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
}; };
noHardening_format = true;
patches = [ ./busybox-in-store.patch ]; patches = [ ./busybox-in-store.patch ];
configurePhase = '' configurePhase = ''

2
pkgs/os-specific/linux/gogoclient/default.nix
View File

@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
makeFlags = ["target=linux"]; makeFlags = ["target=linux"];
installFlags = ["installdir=$(out)"]; installFlags = ["installdir=$(out)"];
noHardening_format = true;
buildInputs = [openssl]; buildInputs = [openssl];
preFixup = '' preFixup = ''

2
pkgs/os-specific/linux/jool/default.nix
View File

@ -9,6 +9,8 @@ stdenv.mkDerivation {
src = sourceAttrs.src; src = sourceAttrs.src;
noHardening_pic = true;
prePatch = '' prePatch = ''
sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
''; '';

6
pkgs/os-specific/linux/kernel/manual-config.nix
View File

@ -224,10 +224,16 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null)
(ubootChooser stdenv.platform.uboot); (ubootChooser stdenv.platform.uboot);
noHardening_format = true;
noHardening_fortify = true;
noHardening_stackprotector = true;
makeFlags = commonMakeFlags ++ [ makeFlags = commonMakeFlags ++ [
"ARCH=${stdenv.platform.kernelArch}" "ARCH=${stdenv.platform.kernelArch}"
]; ];
noHardening_pic = true;
karch = stdenv.platform.kernelArch; karch = stdenv.platform.kernelArch;
crossAttrs = let cp = stdenv.cross.platform; in crossAttrs = let cp = stdenv.cross.platform; in

2
pkgs/os-specific/linux/kexectools/default.nix
View File

@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di"; sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
}; };
noHardening_format = true;
buildInputs = [ zlib ]; buildInputs = [ zlib ];
meta = with stdenv.lib; { meta = with stdenv.lib; {

2
pkgs/os-specific/linux/numad/default.nix
View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
}; };
noHardening_format = true;
patches = [ patches = [
./numad-linker-flags.patch ./numad-linker-flags.patch
]; ];

2
pkgs/servers/gpm/default.nix
View File

@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ];
buildInputs = [ ncurses ]; buildInputs = [ ncurses ];
noHardening_format = true;
preConfigure = '' preConfigure = ''
./autogen.sh ./autogen.sh
''; '';

2
pkgs/shells/dash/default.nix
View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6"; sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
}; };
noHardening_format = true;
meta = { meta = {
homepage = http://gondor.apana.org.au/~herbert/dash/; homepage = http://gondor.apana.org.au/~herbert/dash/;
description = "A POSIX-compliant implementation of /bin/sh that aims to be as small as possible"; description = "A POSIX-compliant implementation of /bin/sh that aims to be as small as possible";

16
pkgs/stdenv/adapters.nix
View File

@ -236,6 +236,22 @@ rec {
}); });
}; };
useHardenFlags = stdenv: stdenv //
{ mkDerivation = args: stdenv.mkDerivation (args // {
NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
+ stdenv.lib.optionalString (!(args.noHardening_all or false)) (
stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2"
+ stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all"
+ stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie"
+ stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC"
+ stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro"
+ stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now"
+ stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow"
+ stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security"
);
});
};
dropCxx = drv: drv.override { dropCxx = drv: drv.override {
stdenv = if pkgs.stdenv.isDarwin stdenv = if pkgs.stdenv.isDarwin
then pkgs.allStdenvs.stdenvDarwinNaked then pkgs.allStdenvs.stdenvDarwinNaked

2
pkgs/tools/admin/tightvnc/default.nix
View File

@ -13,6 +13,8 @@ stdenv.mkDerivation {
inherit xauth fontDirectories perl; inherit xauth fontDirectories perl;
gcc = stdenv.cc.cc; gcc = stdenv.cc.cc;
noHardening_format = true;
buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw
libXpm libXp xauth openssh ]; libXpm libXp xauth openssh ];

2
pkgs/tools/archivers/sharutils/default.nix
View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g";
}; };
noHardening_format = true;
preConfigure = '' preConfigure = ''
# Fix for building on Glibc 2.16. Won't be needed once the # Fix for building on Glibc 2.16. Won't be needed once the
# gnulib in sharutils is updated. # gnulib in sharutils is updated.

2
pkgs/tools/archivers/unzip/default.nix
View File

@ -9,6 +9,8 @@ stdenv.mkDerivation {
sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
}; };
noHardening_format = true;
patches = [ patches = [
./CVE-2014-8139.diff ./CVE-2014-8139.diff
./CVE-2014-8140.diff ./CVE-2014-8140.diff

2
pkgs/tools/archivers/zip/default.nix
View File

@ -13,6 +13,8 @@ stdenv.mkDerivation {
sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h";
}; };
noHardening_format = true;
makefile = "unix/Makefile"; makefile = "unix/Makefile";
buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic";
installFlags = "prefix=$(out) INSTALL=cp"; installFlags = "prefix=$(out) INSTALL=cp";

2
pkgs/tools/cd-dvd/cdrkit/default.nix
View File

@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
buildInputs = [cmake libcap zlib bzip2]; buildInputs = [cmake libcap zlib bzip2];
noHardening_format = true;
# efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244
patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ];

2
pkgs/tools/graphics/graphviz/default.nix
View File

@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1";
}; };
noHardening_all = true;
patches = patches =
[ ./0001-vimdot-lookup-vim-in-PATH.patch [ ./0001-vimdot-lookup-vim-in-PATH.patch

2
pkgs/tools/graphics/transfig/default.nix
View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
buildInputs = [zlib libjpeg libpng imake]; buildInputs = [zlib libjpeg libpng imake];
inherit libpng; inherit libpng;
noHardening_format = true;
patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch];
prefixPatch1 = prefixPatch1 =

2
pkgs/tools/misc/expect/default.nix
View File

@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
buildInputs = [ tcl ]; buildInputs = [ tcl ];
nativeBuildInputs = [ makeWrapper ]; nativeBuildInputs = [ makeWrapper ];
noHardening_format = true;
patchPhase = '' patchPhase = ''
sed -i "s,/bin/stty,$(type -p stty),g" configure sed -i "s,/bin/stty,$(type -p stty),g" configure
''; '';

2
pkgs/tools/misc/grub/2.0x.nix
View File

@ -52,6 +52,8 @@ stdenv.mkDerivation rec {
++ optional doCheck qemu ++ optional doCheck qemu
++ optional zfsSupport zfs; ++ optional zfsSupport zfs;
noHardening_all = true;
preConfigure = preConfigure =
'' for i in "tests/util/"*.in '' for i in "tests/util/"*.in
do do

2
pkgs/tools/misc/gummiboot/default.nix
View File

@ -5,6 +5,8 @@ stdenv.mkDerivation rec {
buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; buildInputs = [ gnu-efi pkgconfig libxslt utillinux ];
noHardening_all = true;
# Sigh, gummiboot should be able to find this in buildInputs # Sigh, gummiboot should be able to find this in buildInputs
configureFlags = [ configureFlags = [
"--with-efi-includedir=${gnu-efi}/include" "--with-efi-includedir=${gnu-efi}/include"

2
pkgs/tools/networking/iperf/2.nix
View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
}; };
noHardening_format = true;
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = "http://sourceforge.net/projects/iperf/"; homepage = "http://sourceforge.net/projects/iperf/";
description = "Tool to measure IP bandwidth using UDP or TCP"; description = "Tool to measure IP bandwidth using UDP or TCP";

2
pkgs/tools/networking/vde2/default.nix
View File

@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
buildInputs = [ openssl libpcap python ]; buildInputs = [ openssl libpcap python ];
noHardening_format = true;
meta = { meta = {
homepage = http://vde.sourceforge.net/; homepage = http://vde.sourceforge.net/;
description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network"; description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network";

2
pkgs/tools/typesetting/tex/texlive-new/bin.nix
View File

@ -64,6 +64,8 @@ core = stdenv.mkDerivation rec {
perl perl
]; ];
noHardening_format = true;
preConfigure = '' preConfigure = ''
rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \
libs/{mpfr,pixman,poppler,potrace,xpdf,zlib,zziplib} libs/{mpfr,pixman,poppler,potrace,xpdf,zlib,zziplib}

4
pkgs/top-level/all-packages.nix
View File

@ -214,12 +214,12 @@ let
allPackages = args: import ./all-packages.nix ({ inherit config system; } // args); allPackages = args: import ./all-packages.nix ({ inherit config system; } // args);
}; };
defaultStdenv = allStdenvs.stdenv // { inherit platform; }; defaultStdenv = stdenvAdapters.useHardenFlags (allStdenvs.stdenv // { inherit platform; });
stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal); stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal);
stdenv = stdenv =
if bootStdenv != null then (bootStdenv // {inherit platform;}) else if bootStdenv != null then (stdenvAdapters.useHardenFlags bootStdenv // {inherit platform;}) else
if crossSystem != null then if crossSystem != null then
stdenvCross stdenvCross
else else