From 9fe17b2153ed7cc206aaeeb1c1316094b774db4d Mon Sep 17 00:00:00 2001 From: Charles Strahan Date: Mon, 7 Aug 2017 23:20:21 -0400 Subject: [PATCH 01/14] hardening: fix #18995 --- .../bintools-wrapper/add-flags.sh | 1 + .../build-support/cc-wrapper/add-hardening.sh | 37 +++++++++++-------- pkgs/stdenv/generic/make-derivation.nix | 19 ++++++++++ pkgs/stdenv/generic/setup.sh | 3 ++ 4 files changed, 45 insertions(+), 15 deletions(-) diff --git a/pkgs/build-support/bintools-wrapper/add-flags.sh b/pkgs/build-support/bintools-wrapper/add-flags.sh index 7d118d20fc68..ce213897ee3f 100644 --- a/pkgs/build-support/bintools-wrapper/add-flags.sh +++ b/pkgs/build-support/bintools-wrapper/add-flags.sh @@ -5,6 +5,7 @@ var_templates_list=( NIX+LDFLAGS_BEFORE NIX+LDFLAGS_AFTER NIX+LDFLAGS_HARDEN + NIX+HARDENING_ENABLE ) var_templates_bool=( NIX+SET_BUILD_ID diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index a35ff3cb4260..f0da0a855169 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh 
@@ -1,33 +1,41 @@ -hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) -# Intentionally word-split in case 'hardeningEnable' is defined in -# Nix. Also, our bootstrap tools version of bash is old enough that -# undefined arrays trip `set -u`. -if [[ -v hardeningEnable[@] ]]; then - hardeningFlags+=(${hardeningEnable[@]}) -fi +allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow) hardeningCFlags=() declare -A hardeningDisableMap +declare -A hardeningEnableMap -# Intentionally word-split in case 'hardeningDisable' is defined in Nix. -for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@ -do +# Create table of unsupported flags for this toolchain. +for flag in @hardening_unsupported_flags@; do hardeningDisableMap[$flag]=1 done +# Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The +# array expansion also prevents undefined variables from causing trouble with +# `set -u`. +for flag in ${NIX_HARDENING_ENABLE+}; do + if [[ -n "${hardeningDisableMap[$flag]}" ]]; then + hardeningEnableMap[$flag]=1 + fi +done + if (( "${NIX_DEBUG:-0}" >= 1 )); then + # Determine which flags were effectively disabled so we can report below. + for flag in ${allHardeningFlags[@]}; do + if [[ -z "${hardeningEnableMap[$flag]}" ]]; then + hardeningDisableMap[$flag]=1 + fi + done + printf 'HARDENING: disabled flags:' >&2 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2 echo >&2 fi -if [[ -z "${hardeningDisableMap[all]:-}" ]]; then +if (( "${#hardeningEnableMap[@]}" )); then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi - for flag in "${hardeningFlags[@]}" - do - if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then + for flag in "${!hardeningEnableMap[@]}"; do case $flag in fortify) if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi 
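Review bot: The debug line `echo 'HARDENING: Is active (not completely disabled with "all" flag)'` is misleading after this hunk, because "all" is now resolved on the Nix side and the enclosing condition only tests that hardeningEnableMap is non-empty; `echo 'HARDENING: Is active (enable list is non-empty)' >&2` would describe what is actually checked. The new comment above the `for flag in ${NIX_HARDENING_ENABLE+}` loop also calls the expansion an "array expansion", but it is a plain parameter expansion with a default word, so `# The default-value expansion also keeps an unset variable from tripping set -u.` is the accurate wording. The `+` form (which expands to nothing whenever the variable is set) and the inverted `-n` test on hardeningDisableMap are corrected by patches 03 and 04 of this series, so they are not repeated here.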
@@ -62,6 +70,5 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then # tool supports each flag. ;; esac - fi done fi diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix index e8f78d7401f1..569777472460 100644 --- a/pkgs/stdenv/generic/make-derivation.nix +++ b/pkgs/stdenv/generic/make-derivation.nix @@ -115,6 +115,23 @@ rec { ] ]; + defaultHardeningFlags = [ + "fortify" "stackprotector" "pic" "strictoverflow" "format" "relro" "bindnow" + ]; + + hardeningDisable = + let val = attrs.hardeningDisable or [ ]; + in if builtins.isList val then val else [ val ]; + + hardeningEnable = + let val = attrs.hardeningEnable or [ ]; + in if builtins.isList val then val else [ val ]; + + enabledHardeningOptions = + if builtins.elem "all" hardeningDisable + then [] + else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable); + outputs' = outputs ++ (if separateDebugInfo then assert stdenv.hostPlatform.isLinux; [ "debug" ] else []); @@ -179,6 +196,8 @@ rec { ++ optional (elem "host" configurePlatforms) "--host=${stdenv.hostPlatform.config}" ++ optional (elem "target" configurePlatforms) "--target=${stdenv.targetPlatform.config}"; + } // lib.optionalAttrs (hardeningDisable != [] || hardeningEnable != []) { + NIX_HARDENING_ENABLE = enabledHardeningOptions; } // lib.optionalAttrs (stdenv.buildPlatform.isDarwin) { # TODO: remove lib.unique once nix has a list canonicalization primitive __sandboxProfile = diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index d7a4781448ae..62bc2c2af6f4 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -7,6 +7,9 @@ fi : ${outputs:=out} +# If unset, assume the default hardening flags. +: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} +export NIX_HARDENING_ENABLE ###################################################################### # Hook handling. 
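Review bot: The default hardening list `"fortify" "stackprotector" "pic" "strictoverflow" "format" "relro" "bindnow"` is spelled out twice in this commit, once as `defaultHardeningFlags` in make-derivation.nix and once as the `: ${NIX_HARDENING_ENABLE=...}` fallback in setup.sh, and nothing ties the two together; if one is edited without the other, packages that set hardeningEnable or hardeningDisable get a different baseline from packages that do not. Patch 08 of this series derives the Nix list from supportedHardeningFlags but moves the literal string into both wrapper setup-hooks, so the duplication survives the series. At minimum the shell fallback should carry `# Keep in sync with defaultHardeningFlags in pkgs/stdenv/generic/make-derivation.nix.`; better, generate the string from the Nix list so there is a single source of truth.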
From 9783a677f36e9fda024073a3bfb2f09eeb1030d8 Mon Sep 17 00:00:00 2001 From: Charles Strahan Date: Tue, 8 Aug 2017 07:13:21 -0400 Subject: [PATCH 02/14] hardening: use lib.toList --- pkgs/stdenv/generic/make-derivation.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix index 569777472460..be98dee01abc 100644 --- a/pkgs/stdenv/generic/make-derivation.nix +++ b/pkgs/stdenv/generic/make-derivation.nix @@ -119,13 +119,9 @@ rec { "fortify" "stackprotector" "pic" "strictoverflow" "format" "relro" "bindnow" ]; - hardeningDisable = - let val = attrs.hardeningDisable or [ ]; - in if builtins.isList val then val else [ val ]; + hardeningDisable = lib.toList (attrs.hardeningDisable or [ ]); - hardeningEnable = - let val = attrs.hardeningEnable or [ ]; - in if builtins.isList val then val else [ val ]; + hardeningEnable = lib.toList (attrs.hardeningEnable or [ ]); enabledHardeningOptions = if builtins.elem "all" hardeningDisable From 0937df463f4586799d3727b67f8ba714736bef95 Mon Sep 17 00:00:00 2001 From: Charles Strahan Date: Tue, 8 Aug 2017 07:33:40 -0400 Subject: [PATCH 03/14] hardening: fix bug/typo --- pkgs/build-support/cc-wrapper/add-hardening.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index f0da0a855169..fedb5c19021a 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -13,7 +13,7 @@ done # array expansion also prevents undefined variables from causing trouble with # `set -u`. for flag in ${NIX_HARDENING_ENABLE+}; do - if [[ -n "${hardeningDisableMap[$flag]}" ]]; then + if [[ -z "${hardeningDisableMap[$flag]}" ]]; then hardeningEnableMap[$flag]=1 fi done From 9920923cdeed74386182feb84861746847d0114e Mon Sep 17 00:00:00 2001 
From: Charles Strahan Date: Tue, 8 Aug 2017 15:15:44 -0400 Subject: [PATCH 04/14] hardening: fix careless bugs I got a substitution backwards (used '+' instead of '-'). Also, this now works under `set -u` (had to fix a couple unbound variable references). --- pkgs/build-support/cc-wrapper/add-hardening.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index fedb5c19021a..5713d93ed3f3 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -1,8 +1,8 @@ allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow) hardeningCFlags=() -declare -A hardeningDisableMap -declare -A hardeningEnableMap +declare -A hardeningDisableMap=() +declare -A hardeningEnableMap=() # Create table of unsupported flags for this toolchain. for flag in @hardening_unsupported_flags@; do @@ -12,8 +12,8 @@ done # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The # array expansion also prevents undefined variables from causing trouble with # `set -u`. -for flag in ${NIX_HARDENING_ENABLE+}; do - if [[ -z "${hardeningDisableMap[$flag]}" ]]; then +for flag in ${NIX_HARDENING_ENABLE-}; do + if [[ -z "${hardeningDisableMap[$flag]-}" ]]; then hardeningEnableMap[$flag]=1 fi done @@ -21,7 +21,7 @@ done if (( "${NIX_DEBUG:-0}" >= 1 )); then # Determine which flags were effectively disabled so we can report below. for flag in ${allHardeningFlags[@]}; do - if [[ -z "${hardeningEnableMap[$flag]}" ]]; then + if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then hardeningDisableMap[$flag]=1 fi done From cc7ce57f86b0cff87ac74074d45c993cf4ccf6ab Mon Sep 17 00:00:00 2001 
From: Charles Strahan Date: Mon, 5 Mar 2018 21:06:07 -0500 Subject: [PATCH 05/14] hardening: clarify the whitelist logic Per @Ericson2314's suggestion [1], make it more clear that the active hardenings are decided via whitelist; the blacklist is merely for the debug messages. 1: https://github.com/NixOS/nixpkgs/pull/28029/commits/36d5ce41d4538e83199a000e6f849442c1cf959c#r133279731 --- .../build-support/cc-wrapper/add-hardening.sh | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index 5713d93ed3f3..72221eaa28b0 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -1,21 +1,25 @@ allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow) hardeningCFlags=() -declare -A hardeningDisableMap=() declare -A hardeningEnableMap=() -# Create table of unsupported flags for this toolchain. -for flag in @hardening_unsupported_flags@; do - hardeningDisableMap[$flag]=1 -done - # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The # array expansion also prevents undefined variables from causing trouble with # `set -u`. for flag in ${NIX_HARDENING_ENABLE-}; do - if [[ -z "${hardeningDisableMap[$flag]-}" ]]; then - hardeningEnableMap[$flag]=1 + hardeningEnableMap[$flag]=1 +done + +# Remove unsupported flags. +if (( "${NIX_DEBUG:-0}" >= 1 )); then + declare -A hardeningDisableMap=() +fi +for flag in @hardening_unsupported_flags@; do + [[ -n ${hardeningEnableMap[$flag]} ]] || continue + if (( "${NIX_DEBUG:-0}" >= 1 )); then + hardeningDisableMap[$flag]=1 fi + unset hardeningEnableMap[$flag] done if (( "${NIX_DEBUG:-0}" >= 1 )); then From fc46895e86a33232abbcf8dcee9033d5c58d2f2d Mon Sep 17 00:00:00 2001 
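Review bot: `[[ -n ${hardeningEnableMap[$flag]} ]] || continue` reintroduces the unbound-variable problem that patch 04 just fixed: under `set -u`, which the previous commit message says this script runs under, reading an unset key of an associative array aborts the wrapper, so any toolchain whose @hardening_unsupported_flags@ contains a flag absent from NIX_HARDENING_ENABLE fails at this line instead of skipping it. `[[ -n ${hardeningEnableMap[$flag]-} ]] || continue` keeps the default that the earlier commit added. The same line is copied into bintools-wrapper/add-hardening.sh by patch 08; patch 10 later removes the check from both files, but the commits in between would not build with such a toolchain.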
From: Charles Strahan Date: Mon, 5 Mar 2018 21:27:00 -0500 Subject: [PATCH 06/14] hardening: allow user supplied flags to override Put hardening flags before user supplied flags. --- pkgs/build-support/bintools-wrapper/ld-wrapper.sh | 4 ++-- pkgs/build-support/cc-wrapper/cc-wrapper.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/build-support/bintools-wrapper/ld-wrapper.sh b/pkgs/build-support/bintools-wrapper/ld-wrapper.sh index 991ed0fe263c..bbab9a6b71d1 100644 --- a/pkgs/build-support/bintools-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/bintools-wrapper/ld-wrapper.sh @@ -57,8 +57,8 @@ fi source @out@/nix-support/add-hardening.sh -extraAfter=("${hardeningLDFlags[@]}") -extraBefore=() +extraAfter=() +extraBefore=("${hardeningLDFlags[@]}") if [ -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ]; then extraAfter+=($NIX_@infixSalt@_LDFLAGS) diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index c2e6c1406358..d1018193e5ae 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -134,8 +134,8 @@ fi source @out@/nix-support/add-hardening.sh # Add the flags for the C compiler proper. -extraAfter=($NIX_@infixSalt@_CFLAGS_COMPILE "${hardeningCFlags[@]}") -extraBefore=() +extraAfter=($NIX_@infixSalt@_CFLAGS_COMPILE) +extraBefore=("${hardeningCFlags[@]}") if [ "$dontLink" != 1 ]; then From 634c748050391b6f7c908d4716be026f839dceaf Mon Sep 17 00:00:00 2001 From: Charles Strahan Date: Tue, 6 Mar 2018 18:03:13 -0500 Subject: [PATCH 07/14] hardening: initial cross support --- pkgs/build-support/bintools-wrapper/add-flags.sh | 4 ++-- pkgs/build-support/cc-wrapper/add-flags.sh | 5 +++-- pkgs/build-support/cc-wrapper/add-hardening.sh | 2 +- pkgs/build-support/cc-wrapper/cc-wrapper.sh | 3 ++- 4 files changed, 8 insertions(+), 6 deletions(-) 
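Review bot: Moving hardeningCFlags and hardeningLDFlags into extraBefore means any later flag from NIX_CFLAGS_COMPILE, NIX_LDFLAGS or the package's own CFLAGS now silently overrides a hardening flag (a later -fno-stack-protector or -z lazy wins), while the `HARDENING: enabling ...` debug output in add-hardening.sh still reports the flag as enabled. That is presumably the intent of the commit, but it deserves a comment so nobody reads the debug output as the effective state, e.g. `# Hardening flags go first so that package-supplied flags can override them; the HARDENING: debug output does not reflect such overrides.` above the assignment. The same point applies to the ld-wrapper.sh hunk in this commit.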
diff --git a/pkgs/build-support/bintools-wrapper/add-flags.sh b/pkgs/build-support/bintools-wrapper/add-flags.sh index ce213897ee3f..a97809258954 100644 --- a/pkgs/build-support/bintools-wrapper/add-flags.sh +++ b/pkgs/build-support/bintools-wrapper/add-flags.sh @@ -24,10 +24,10 @@ if [ "${NIX_BINTOOLS_WRAPPER_@infixSalt@_TARGET_TARGET:-}" ]; then fi for var in "${var_templates_list[@]}"; do - mangleVarList "$var" "${role_infixes[@]}" + mangleVarList "$var" ${role_infixes[@]+"${role_infixes[@]}"} done for var in "${var_templates_bool[@]}"; do - mangleVarBool "$var" "${role_infixes[@]}" + mangleVarBool "$var" ${role_infixes[@]+"${role_infixes[@]}"} done if [ -e @out@/nix-support/libc-ldflags ]; then diff --git a/pkgs/build-support/cc-wrapper/add-flags.sh b/pkgs/build-support/cc-wrapper/add-flags.sh index d8b42244607a..7dedacf52479 100644 --- a/pkgs/build-support/cc-wrapper/add-flags.sh +++ b/pkgs/build-support/cc-wrapper/add-flags.sh @@ -10,6 +10,7 @@ var_templates_list=( NIX+CXXSTDLIB_COMPILE NIX+CXXSTDLIB_LINK NIX+GNATFLAGS_COMPILE + NIX+HARDENING_ENABLE ) var_templates_bool=( NIX+ENFORCE_NO_NATIVE @@ -31,10 +32,10 @@ fi # We need to mangle names for hygiene, but also take parameters/overrides # from the environment. for var in "${var_templates_list[@]}"; do - mangleVarList "$var" "${role_infixes[@]}" + mangleVarList "$var" ${role_infixes[@]+"${role_infixes[@]}"} done for var in "${var_templates_bool[@]}"; do - mangleVarBool "$var" "${role_infixes[@]}" + mangleVarBool "$var" ${role_infixes[@]+"${role_infixes[@]}"} done # `-B@out@/bin' forces cc to use ld-wrapper.sh when calling ld. diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index 72221eaa28b0..de5eb2506a83 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh 
@@ -6,7 +6,7 @@ declare -A hardeningEnableMap=() # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The # array expansion also prevents undefined variables from causing trouble with # `set -u`. -for flag in ${NIX_HARDENING_ENABLE-}; do +for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do hardeningEnableMap[$flag]=1 done diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index d1018193e5ae..15118d99db72 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -135,7 +135,8 @@ source @out@/nix-support/add-hardening.sh # Add the flags for the C compiler proper. extraAfter=($NIX_@infixSalt@_CFLAGS_COMPILE) -extraBefore=("${hardeningCFlags[@]}") + +extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"}) if [ "$dontLink" != 1 ]; then From 806edaa0a20db3358836d55d203500b87dbe8624 Mon Sep 17 00:00:00 2001 From: Charles Strahan Date: Tue, 6 Mar 2018 19:21:10 -0500 Subject: [PATCH 08/14] hardening: ld wrapper changes, setup-hook, etc --- .../bintools-wrapper/add-hardening.sh | 49 ++++++++++++------- .../bintools-wrapper/ld-wrapper.sh | 2 +- .../bintools-wrapper/setup-hook.sh | 4 ++ .../build-support/cc-wrapper/add-hardening.sh | 4 +- pkgs/build-support/cc-wrapper/cc-wrapper.sh | 1 - pkgs/build-support/cc-wrapper/setup-hook.sh | 4 ++ pkgs/stdenv/generic/make-derivation.nix | 18 ++----- pkgs/stdenv/generic/setup.sh | 4 -- 8 files changed, 46 insertions(+), 40 deletions(-) diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh index 5282d17fce27..0f62aa49542a 100644 --- a/pkgs/build-support/bintools-wrapper/add-hardening.sh +++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh 
@@ -1,33 +1,45 @@ -hardeningFlags=(relro bindnow) -# Intentionally word-split in case 'hardeningEnable' is defined in -# Nix. Also, our bootstrap tools version of bash is old enough that -# undefined arrays trip `set -u`. -if [[ -v hardeningEnable[@] ]]; then - hardeningFlags+=(${hardeningEnable[@]}) +allHardeningFlags=(pie relro bindnow) +hardeningFlags=() + +declare -A hardeningEnableMap=() + +# Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The +# array expansion also prevents undefined variables from causing trouble with +# `set -u`. +for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do + hardeningEnableMap[$flag]=1 +done + +# Remove unsupported flags. +if (( "${NIX_DEBUG:-0}" >= 1 )); then + declare -A hardeningDisableMap=() fi -hardeningLDFlags=() - -declare -A hardeningDisableMap - -# Intentionally word-split in case 'hardeningDisable' is defined in Nix. -for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@ -do - hardeningDisableMap[$flag]=1 +for flag in @hardening_unsupported_flags@; do + [[ -n ${hardeningEnableMap[$flag]} ]] || continue + if (( "${NIX_DEBUG:-0}" >= 1 )); then + hardeningDisableMap[$flag]=1 + fi + unset hardeningEnableMap[$flag] done if (( "${NIX_DEBUG:-0}" >= 1 )); then + # Determine which flags were effectively disabled so we can report below. + for flag in ${allHardeningFlags[@]}; do + if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then + hardeningDisableMap[$flag]=1 + fi + done + printf 'HARDENING: disabled flags:' >&2 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2 echo >&2 fi -if [[ -z "${hardeningDisableMap[all]:-}" ]]; then +if (( "${#hardeningEnableMap[@]}" )); then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi - for flag in "${hardeningFlags[@]}" - do - if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then + for flag in "${!hardeningEnableMap[@]}"; do case $flag in pie) if [[ ! 
("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then @@ -48,6 +60,5 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then # tool supports each flag. ;; esac - fi done fi diff --git a/pkgs/build-support/bintools-wrapper/ld-wrapper.sh b/pkgs/build-support/bintools-wrapper/ld-wrapper.sh index bbab9a6b71d1..672a3dcbe385 100644 --- a/pkgs/build-support/bintools-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/bintools-wrapper/ld-wrapper.sh @@ -58,7 +58,7 @@ fi source @out@/nix-support/add-hardening.sh extraAfter=() -extraBefore=("${hardeningLDFlags[@]}") +extraBefore=(${hardeningLDFlags[@]+"${hardeningLDFlags[@]}"}) if [ -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ]; then extraAfter+=($NIX_@infixSalt@_LDFLAGS) diff --git a/pkgs/build-support/bintools-wrapper/setup-hook.sh b/pkgs/build-support/bintools-wrapper/setup-hook.sh index 48a00b0b9b07..831ee9b03872 100644 --- a/pkgs/build-support/bintools-wrapper/setup-hook.sh +++ b/pkgs/build-support/bintools-wrapper/setup-hook.sh @@ -83,6 +83,10 @@ do fi done +# If unset, assume the default hardening flags. +: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} +export NIX_HARDENING_ENABLE + # No local scope in sourced file unset -v role_pre role_post cmd upper_case set +u diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index de5eb2506a83..0b483c12e841 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -1,4 +1,4 @@ -allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow) +allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) hardeningCFlags=() declare -A hardeningEnableMap=() 
@@ -12,7 +12,7 @@ done # Remove unsupported flags. if (( "${NIX_DEBUG:-0}" >= 1 )); then - declare -A hardeningDisableMap=() + declare -A hardeningDisableMap=() fi for flag in @hardening_unsupported_flags@; do [[ -n ${hardeningEnableMap[$flag]} ]] || continue diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index 15118d99db72..8a3cfb694b4f 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -135,7 +135,6 @@ source @out@/nix-support/add-hardening.sh # Add the flags for the C compiler proper. extraAfter=($NIX_@infixSalt@_CFLAGS_COMPILE) - extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"}) if [ "$dontLink" != 1 ]; then diff --git a/pkgs/build-support/cc-wrapper/setup-hook.sh b/pkgs/build-support/cc-wrapper/setup-hook.sh index 29a7306b9b7e..15b84dca2794 100644 --- a/pkgs/build-support/cc-wrapper/setup-hook.sh +++ b/pkgs/build-support/cc-wrapper/setup-hook.sh @@ -147,6 +147,10 @@ export ${role_pre}CXX=@named_cxx@ export CC${role_post}=@named_cc@ export CXX${role_post}=@named_cxx@ +# If unset, assume the default hardening flags. +: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} +export NIX_HARDENING_ENABLE + # No local scope in sourced file unset -v role_pre role_post set +u diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix index be98dee01abc..6f3896b49066 100644 --- a/pkgs/stdenv/generic/make-derivation.nix +++ b/pkgs/stdenv/generic/make-derivation.nix 
@@ -74,6 +74,11 @@ rec { # TODO(@Ericson2314): Make this more modular, and not O(n^2). let supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ]; + defaultHardeningFlags = lib.remove "pie" supportedHardeningFlags; + enabledHardeningOptions = + if builtins.elem "all" hardeningDisable + then [] + else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable); # hardeningDisable additionally supports "all". erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable); in if builtins.length erroneousHardeningFlags != 0 @@ -115,19 +120,6 @@ rec { ] ]; - defaultHardeningFlags = [ - "fortify" "stackprotector" "pic" "strictoverflow" "format" "relro" "bindnow" - ]; - - hardeningDisable = lib.toList (attrs.hardeningDisable or [ ]); - - hardeningEnable = lib.toList (attrs.hardeningEnable or [ ]); - - enabledHardeningOptions = - if builtins.elem "all" hardeningDisable - then [] - else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable); - outputs' = outputs ++ (if separateDebugInfo then assert stdenv.hostPlatform.isLinux; [ "debug" ] else []); diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index 62bc2c2af6f4..5f3808e95888 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -7,10 +7,6 @@ fi : ${outputs:=out} -# If unset, assume the default hardening flags. -: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} -export NIX_HARDENING_ENABLE - ###################################################################### # Hook handling. From 273ce83f29a24aefd8656dc3c031f56ba543376c Mon Sep 17 00:00:00 2001 
From: Charles Strahan Date: Tue, 10 Apr 2018 13:04:46 -0400 Subject: [PATCH 09/14] hardening: make requested fixes --- pkgs/build-support/cc-wrapper/add-flags.sh | 1 - pkgs/stdenv/generic/setup.sh | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/build-support/cc-wrapper/add-flags.sh b/pkgs/build-support/cc-wrapper/add-flags.sh index 7dedacf52479..3137c7ca23dd 100644 --- a/pkgs/build-support/cc-wrapper/add-flags.sh +++ b/pkgs/build-support/cc-wrapper/add-flags.sh @@ -10,7 +10,6 @@ var_templates_list=( NIX+CXXSTDLIB_COMPILE NIX+CXXSTDLIB_LINK NIX+GNATFLAGS_COMPILE - NIX+HARDENING_ENABLE ) var_templates_bool=( NIX+ENFORCE_NO_NATIVE diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index 5f3808e95888..d7a4781448ae 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -7,6 +7,7 @@ fi : ${outputs:=out} + ###################################################################### # Hook handling. From 386e77dae9f5ba2cead9984ee737a8a6b7069bf5 Mon Sep 17 00:00:00 2001 From: Charles Strahan Date: Tue, 10 Apr 2018 15:27:13 -0400 Subject: [PATCH 10/14] hardening: simplify reporting of disabled flags --- pkgs/build-support/bintools-wrapper/add-hardening.sh | 10 ++-------- pkgs/build-support/cc-wrapper/add-hardening.sh | 10 ++-------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh index 0f62aa49542a..c81c3b2f2105 100644 --- a/pkgs/build-support/bintools-wrapper/add-hardening.sh +++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh @@ -1,4 +1,3 @@ -allHardeningFlags=(pie relro bindnow) hardeningFlags=() declare -A hardeningEnableMap=() 
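Review bot: Dropping `NIX+HARDENING_ENABLE` from cc-wrapper/add-flags.sh's var_templates_list means this file no longer mangles NIX_HARDENING_ENABLE into the salted NIX_@infixSalt@_HARDENING_ENABLE that cc-wrapper/add-hardening.sh has read since patch 07. Unless cc-wrapper's add-flags.sh obtains that template from the bintools-wrapper list (for example by sourcing it), which is outside this hunk, the C compiler side would see an empty enable list and silently apply no hardening at all. Either way, a one-line comment at the removal site saying where the variable is mangled, e.g. `# NIX+HARDENING_ENABLE is mangled by bintools-wrapper/add-flags.sh`, would spare the next reader the same doubt.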
@@ -11,19 +10,14 @@ for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do done # Remove unsupported flags. -if (( "${NIX_DEBUG:-0}" >= 1 )); then - declare -A hardeningDisableMap=() -fi for flag in @hardening_unsupported_flags@; do - [[ -n ${hardeningEnableMap[$flag]} ]] || continue - if (( "${NIX_DEBUG:-0}" >= 1 )); then - hardeningDisableMap[$flag]=1 - fi unset hardeningEnableMap[$flag] done if (( "${NIX_DEBUG:-0}" >= 1 )); then # Determine which flags were effectively disabled so we can report below. + allHardeningFlags=(pie relro bindnow) + declare -A hardeningDisableMap=() for flag in ${allHardeningFlags[@]}; do if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then hardeningDisableMap[$flag]=1 diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index 0b483c12e841..7fdfb615f7fa 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -1,4 +1,3 @@ -allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) hardeningCFlags=() declare -A hardeningEnableMap=() @@ -11,19 +10,14 @@ for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do done # Remove unsupported flags. -if (( "${NIX_DEBUG:-0}" >= 1 )); then - declare -A hardeningDisableMap=() -fi for flag in @hardening_unsupported_flags@; do - [[ -n ${hardeningEnableMap[$flag]} ]] || continue - if (( "${NIX_DEBUG:-0}" >= 1 )); then - hardeningDisableMap[$flag]=1 - fi unset hardeningEnableMap[$flag] done if (( "${NIX_DEBUG:-0}" >= 1 )); then # Determine which flags were effectively disabled so we can report below. + allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) + declare -A hardeningDisableMap=() for flag in ${allHardeningFlags[@]}; do if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then hardeningDisableMap[$flag]=1 From 4c76d8787179ca3be2b117cbed0b94d1b2575b76 Mon Sep 17 00:00:00 2001 
From: John Ericson Date: Tue, 10 Apr 2018 15:42:05 -0400 Subject: [PATCH 11/14] hardenning: Rejigger ifs and explicit declare and unset -v --- .../bintools-wrapper/add-hardening.sh | 15 +++++++-------- pkgs/build-support/cc-wrapper/add-hardening.sh | 15 +++++++-------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh index c81c3b2f2105..19321fcb18b5 100644 --- a/pkgs/build-support/bintools-wrapper/add-hardening.sh +++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh @@ -1,4 +1,4 @@ -hardeningFlags=() +declare -a hardeningLDFlags=() declare -A hardeningEnableMap=() @@ -11,14 +11,14 @@ done # Remove unsupported flags. for flag in @hardening_unsupported_flags@; do - unset hardeningEnableMap[$flag] + unset -v hardeningEnableMap["$flag"] done if (( "${NIX_DEBUG:-0}" >= 1 )); then # Determine which flags were effectively disabled so we can report below. - allHardeningFlags=(pie relro bindnow) + declare -a allHardeningFlags=(pie relro bindnow) declare -A hardeningDisableMap=() - for flag in ${allHardeningFlags[@]}; do + for flag in "${allHardeningFlags[@]}"; do if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then hardeningDisableMap[$flag]=1 fi @@ -27,12 +27,12 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then printf 'HARDENING: disabled flags:' >&2 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2 echo >&2 -fi -if (( "${#hardeningEnableMap[@]}" )); then - if (( "${NIX_DEBUG:-0}" >= 1 )); then + if (( "${#hardeningEnableMap[@]}" )); then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi +fi + for flag in "${!hardeningEnableMap[@]}"; do case $flag in pie) @@ -55,4 +55,3 @@ if (( "${#hardeningEnableMap[@]}" )); then ;; esac done -fi diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index 7fdfb615f7fa..c8c95d2def42 100644 
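Review bot: Moving `for flag in "${!hardeningEnableMap[@]}"; do` out of the `if (( "${#hardeningEnableMap[@]}" ))` guard means the key expansion now runs on an empty associative array whenever every flag is disabled (e.g. hardeningDisable = [ "all" ]); under `set -u` with a pre-4.4 bash, expanding an empty array is reported as an unbound variable, and the comment removed in patch 01 says the bootstrap tools ship a bash old enough to trip on this, so the link could abort in exactly the "nothing enabled" case. If that bash version is still in play, keep a guard around the loop, `if (( "${#hardeningEnableMap[@]}" )); then … fi`, and drop only the debug-message nesting. The cc-wrapper/add-hardening.sh hunk in this commit makes the same change.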
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -1,4 +1,4 @@ -hardeningCFlags=() +declare -a hardeningCFlags=() declare -A hardeningEnableMap=() @@ -11,14 +11,14 @@ done # Remove unsupported flags. for flag in @hardening_unsupported_flags@; do - unset hardeningEnableMap[$flag] + unset -v hardeningEnableMap["$flag"] done if (( "${NIX_DEBUG:-0}" >= 1 )); then # Determine which flags were effectively disabled so we can report below. - allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) + declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) declare -A hardeningDisableMap=() - for flag in ${allHardeningFlags[@]}; do + for flag in "${allHardeningFlags[@]}"; do if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then hardeningDisableMap[$flag]=1 fi @@ -27,12 +27,12 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then printf 'HARDENING: disabled flags:' >&2 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2 echo >&2 -fi -if (( "${#hardeningEnableMap[@]}" )); then - if (( "${NIX_DEBUG:-0}" >= 1 )); then + if (( "${#hardeningEnableMap[@]}" )); then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi +fi + for flag in "${!hardeningEnableMap[@]}"; do case $flag in fortify) @@ -69,4 +69,3 @@ if (( "${#hardeningEnableMap[@]}" )); then ;; esac done -fi From 2364c22ec903b4836e2610b562174c62d1eb35a7 Mon Sep 17 00:00:00 2001 From: John Ericson Date: Tue, 10 Apr 2018 15:57:41 -0400 Subject: [PATCH 12/14] hardening: line order, spacing, and pointless quoting for consistency --- pkgs/build-support/bintools-wrapper/add-hardening.sh | 5 +++-- pkgs/build-support/cc-wrapper/add-hardening.sh | 7 ++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh index 19321fcb18b5..2ed36df3e1d0 100644 
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh +++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh @@ -6,7 +6,7 @@ declare -A hardeningEnableMap=() # array expansion also prevents undefined variables from causing trouble with # `set -u`. for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do - hardeningEnableMap[$flag]=1 + hardeningEnableMap["$flag"]=1 done # Remove unsupported flags. @@ -15,9 +15,10 @@ for flag in @hardening_unsupported_flags@; do done if (( "${NIX_DEBUG:-0}" >= 1 )); then - # Determine which flags were effectively disabled so we can report below. declare -a allHardeningFlags=(pie relro bindnow) declare -A hardeningDisableMap=() + + # Determine which flags were effectively disabled so we can report below. for flag in "${allHardeningFlags[@]}"; do if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then hardeningDisableMap[$flag]=1 diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index c8c95d2def42..6799899ef89b 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -6,7 +6,7 @@ declare -A hardeningEnableMap=() # array expansion also prevents undefined variables from causing trouble with # `set -u`. for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do - hardeningEnableMap[$flag]=1 + hardeningEnableMap["$flag"]=1 done # Remove unsupported flags. @@ -15,12 +15,13 @@ for flag in @hardening_unsupported_flags@; do done if (( "${NIX_DEBUG:-0}" >= 1 )); then - # Determine which flags were effectively disabled so we can report below. declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) declare -A hardeningDisableMap=() + + # Determine which flags were effectively disabled so we can report below. for flag in "${allHardeningFlags[@]}"; do if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then - hardeningDisableMap[$flag]=1 + hardeningDisableMap["$flag"]=1 fi done 
From 21818ae592a10ec5067cdb396e209099cf7eb020 Mon Sep 17 00:00:00 2001
From: John Ericson
Date: Tue, 10 Apr 2018 16:08:53 -0400
Subject: [PATCH 13/14] hardening: Tiny reindent

---
 pkgs/build-support/bintools-wrapper/add-hardening.sh | 4 ++--
 pkgs/build-support/cc-wrapper/add-hardening.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh
index 2ed36df3e1d0..5b3ff9676531 100644
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@@ -34,7 +34,7 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
 fi
 fi
 
- for flag in "${!hardeningEnableMap[@]}"; do
+for flag in "${!hardeningEnableMap[@]}"; do
 case $flag in
 pie)
 if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
@@ -55,4 +55,4 @@ fi
 # tool supports each flag.
 ;;
 esac
- done
+done
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 6799899ef89b..e33399f0b625 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -34,7 +34,7 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
 fi
 fi
 
- for flag in "${!hardeningEnableMap[@]}"; do
+for flag in "${!hardeningEnableMap[@]}"; do
 case $flag in
 fortify)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
@@ -69,4 +69,4 @@ fi
 # tool supports each flag.
 ;;
 esac
- done
+done
From ac4d74b6d9af98a47bafad27c47c52fd1ce1d53f Mon Sep 17 00:00:00 2001
From: John Ericson
Date: Tue, 10 Apr 2018 15:44:55 -0400
Subject: [PATCH 14/14] hardening: Reindent

---
 .../bintools-wrapper/add-hardening.sh | 40 +++++------
 .../build-support/cc-wrapper/add-hardening.sh | 68 +++++++++----------
 2 files changed, 54 insertions(+), 54 deletions(-)
diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh
index 5b3ff9676531..a15be821659f 100644
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@@ -35,24 +35,24 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
 fi
 
 for flag in "${!hardeningEnableMap[@]}"; do
- case $flag in
- pie)
- if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
- hardeningLDFlags+=('-pie')
- fi
- ;;
- relro)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi
- hardeningLDFlags+=('-z' 'relro')
- ;;
- bindnow)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling bindnow >&2; fi
- hardeningLDFlags+=('-z' 'now')
- ;;
- *)
- # Ignore unsupported. Checked in Nix that at least *some*
- # tool supports each flag.
- ;;
- esac
+ case $flag in
+ pie)
+ if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
+ hardeningLDFlags+=('-pie')
+ fi
+ ;;
+ relro)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi
+ hardeningLDFlags+=('-z' 'relro')
+ ;;
+ bindnow)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling bindnow >&2; fi
+ hardeningLDFlags+=('-z' 'now')
+ ;;
+ *)
+ # Ignore unsupported. Checked in Nix that at least *some*
+ # tool supports each flag.
+ ;;
+ esac
 done
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index e33399f0b625..026e48671447 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -35,38 +35,38 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
 fi
 
 for flag in "${!hardeningEnableMap[@]}"; do
- case $flag in
- fortify)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
- hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
- ;;
- stackprotector)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
- hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
- ;;
- pie)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
- hardeningCFlags+=('-fPIE')
- if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
- hardeningCFlags+=('-pie')
- fi
- ;;
- pic)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
- hardeningCFlags+=('-fPIC')
- ;;
- strictoverflow)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
- hardeningCFlags+=('-fno-strict-overflow')
- ;;
- format)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
- hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
- ;;
- *)
- # Ignore unsupported. Checked in Nix that at least *some*
- # tool supports each flag.
- ;;
- esac
+ case $flag in
+ fortify)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+ hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
+ ;;
+ stackprotector)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
+ hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
+ ;;
+ pie)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
+ hardeningCFlags+=('-fPIE')
+ if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
+ hardeningCFlags+=('-pie')
+ fi
+ ;;
+ pic)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
+ hardeningCFlags+=('-fPIC')
+ ;;
+ strictoverflow)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
+ hardeningCFlags+=('-fno-strict-overflow')
+ ;;
+ format)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
+ hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+ ;;
+ *)
+ # Ignore unsupported. Checked in Nix that at least *some*
+ # tool supports each flag.
+ ;;
+ esac
 done