cc-wrapper: Check if ld supports -z, fixes darwin

pkgs/build-support/cc-wrapper/add-hardening

@@ -2,11 +2,16 @@ hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
 hardeningFlags+=("${hardeningEnable[@]}")
 hardeningCFlags=()
 hardeningLDFlags=()
+hardeningDisable=(${hardeningDisable[@]})
+
+if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then
+  hardeningDisable+=(bindnow relro)
+fi
 
 if [[ ! $hardeningDisable == "all" ]]; then
   for flag in "${hardeningFlags[@]}"
   do
-    if [[ ! "$hardeningDisable" =~ "$flag" ]]; then
+    if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then
       case $flag in
         fortify)
           hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')

pkgs/build-support/cc-wrapper/cc-wrapper.sh

@@ -89,6 +89,7 @@ if [[ "@prog@" = *++ ]]; then
     fi
 fi
 
+LD=@ldPath@/ld
 source @out@/nix-support/add-hardening.sh
 
 # Add the flags for the C compiler proper.

pkgs/build-support/cc-wrapper/ld-wrapper.sh

@@ -47,6 +47,7 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
     params=("${rest[@]}")
 fi
 
+LD=@prog@
 source @out@/nix-support/add-hardening.sh
 
 extra=(${hardeningLDFlags[@]})

pkgs/development/libraries/gmp/5.1.x.nix

@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ m4 ];
 
   # FIXME needs gcc 4.9 in bootstrap tools
-  hardeningDisable = [ "stackprotector" ];
+  hardeningDisable = [ "format" "stackprotector" ];
 
   patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null;
 

pkgs/shells/bash/default.nix

@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
     inherit sha256;
   };
 
+  hardeningDisable = [ "format" ];
+
   outputs = [ "out" "doc" ];
 
   NIX_CFLAGS_COMPILE = ''