cc-wrapper: Use set -u throughout

Now is an opportune time to do this, as the infixSalt conversion in
`add-flags.sh` ensures that all the relevant `NIX_*` vars will be
defined even if empty.
John Ericson 2017-08-03 15:34:23 -04:00
parent a8bd415fa0
commit 2493454e13
6 changed files with 68 additions and 50 deletions


@ -1,67 +1,69 @@
hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
# Intentionally word-split in case 'hardeningEnable' is defined in Nix.
hardeningFlags+=(${hardeningEnable[@]})
# Intentionally word-split in case 'hardeningEnable' is defined in
# Nix. Also, our bootstrap tools version of bash is old enough that
# undefined arrays trip `set -u`.
if [[ -v hardeningEnable[@] ]]; then
hardeningFlags+=(${hardeningEnable[@]})
fi
hardeningCFlags=()
hardeningLDFlags=()
declare -A hardeningDisableMap
# Intentionally word-split in case 'hardeningDisable' is defined in Nix. The
# array expansion also prevents undefined variables from causing trouble with
# `set -u`.
for flag in ${hardeningDisable[@]} @hardening_unsupported_flags@
# Intentionally word-split in case 'hardeningDisable' is defined in Nix.
for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@
do
hardeningDisableMap[$flag]=1
done
if [[ -n "$NIX_DEBUG" ]]; then
if [[ -n "${NIX_DEBUG:-}" ]]; then
printf 'HARDENING: disabled flags:' >&2
(( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
echo >&2
fi
if [[ -z "${hardeningDisableMap[all]}" ]]; then
if [[ -n "$NIX_DEBUG" ]]; then
if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
if [[ -n "${NIX_DEBUG:-}" ]]; then
echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
fi
for flag in "${hardeningFlags[@]}"
do
if [[ -z "${hardeningDisableMap[$flag]}" ]]; then
if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
case $flag in
fortify)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling fortify >&2; fi
hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
;;
stackprotector)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling stackprotector >&2; fi
hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
;;
pie)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
hardeningCFlags+=('-fPIE')
if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
hardeningLDFlags+=('-pie')
fi
;;
pic)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling pic >&2; fi
hardeningCFlags+=('-fPIC')
;;
strictoverflow)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
hardeningCFlags+=('-fno-strict-overflow')
;;
format)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling format >&2; fi
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
;;
relro)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling relro >&2; fi
hardeningLDFlags+=('-z' 'relro')
;;
bindnow)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling bindnow >&2; fi
hardeningLDFlags+=('-z' 'now')
;;
*)


@ -1,5 +1,5 @@
#! @shell@
set -e -o pipefail
set -eu -o pipefail
shopt -s nullglob
path_backup="$PATH"
@ -11,12 +11,12 @@ if [[ -n "@coreutils_bin@" && -n "@gnugrep_bin@" ]]; then
PATH="@coreutils_bin@/bin:@gnugrep_bin@/bin"
fi
if [ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]; then
source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK"
if [ -z "${NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then
source @out@/nix-support/add-flags.sh
fi
if [ -z "$NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET" ]; then
source @out@/nix-support/add-flags.sh
if [ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]; then
source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK"
fi
source @out@/nix-support/utils.sh
@ -36,7 +36,7 @@ declare -i n=0
nParams=${#params[@]}
while [ "$n" -lt "$nParams" ]; do
p=${params[n]}
p2=${params[n+1]}
p2=${params[n+1]:-} # handle `p` being last one
if [ "$p" = -c ]; then
dontLink=1
elif [ "$p" = -S ]; then
@ -79,13 +79,13 @@ if [ "$nonFlagArgs" = 0 ]; then
fi
# Optionally filter out paths not refering to the store.
if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then
if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then
rest=()
nParams=${#params[@]}
declare -i n=0
while [ "$n" -lt "$nParams" ]; do
p=${params[n]}
p2=${params[n+1]}
p2=${params[n+1]:-} # handle `p` being last one
if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
skip "${p:2}"
elif [ "$p" = -L ] && badPath "$p2"; then
@ -162,13 +162,15 @@ if [ "$*" = -v ]; then
fi
# Optionally print debug info.
if [ -n "$NIX_DEBUG" ]; then
if [ -n "${NIX_DEBUG:-}" ]; then
set +u # Old bash workaround, see ld-wrapper for explanation.
echo "extra flags before to @prog@:" >&2
printf " %q\n" "${extraBefore[@]}" >&2
echo "original flags to @prog@:" >&2
printf " %q\n" "${params[@]}" >&2
echo "extra flags after to @prog@:" >&2
printf " %q\n" "${extraAfter[@]}" >&2
set -u
fi
if [ -n "$NIX_CC_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
@ -176,4 +178,5 @@ if [ -n "$NIX_CC_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
fi
PATH="$path_backup"
set +u # Old bash workaround, see above.
exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"
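Review bot: `-n "$NIX_STORE"` in the purity check (`@ -79,13 +79,13 @@`) is left bare while `NIX_ENFORCE_PURITY` on the same line gets `:-`, and unlike the `NIX_*@infixSalt@*` variables it is not covered by the add-flags.sh guarantee the commit message relies on, so with `set -u` an unset `NIX_STORE` now aborts the wrapper instead of skipping the filter. If that is deliberate it is the safer failure mode (an empty environment cannot silently disable the store-path filter), but it deserves a comment so nobody later "fixes" it to `${NIX_STORE:-}`, e.g. `# NIX_STORE intentionally unguarded: under set -u an unset store aborts rather than silently skipping the purity filter.`; the same line appears in gnat-wrapper and ld-wrapper. Separately, `[ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]` in the second hunk (and the unchanged `_EXEC_HOOK` test before the last hunk) still reads the hook variable bare although the `_FLAGS_SET` test above it got `:-`; when `_FLAGS_SET` is already set on entry add-flags.sh is not sourced in this invocation, so this relies on the earlier sourcing having exported the hook variable, which the hunk does not show. Guarding it the same way, `if [ -n "${NIX_CC_WRAPPER_@infixSalt@_START_HOOK:-}" ]; then`, keeps the two tests consistent; gnat-wrapper and ld-wrapper carry the same pair.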


@ -1,7 +1,10 @@
#! @shell@
set -e -o pipefail
set -eu -o pipefail
shopt -s nullglob
# N.B. Gnat is not used during bootstrapping, so we don't need to
# worry about the old bash empty array `set -u` workarounds.
path_backup="$PATH"
# phase separation makes this look useless
@ -10,12 +13,12 @@ if [ -n "@coreutils_bin@" ]; then
PATH="@coreutils_bin@/bin"
fi
if [ -n "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" ]; then
source "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK"
if [ -z "${NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET:-}" ]; then
source @out@/nix-support/add-flags.sh
fi
if [ -z "$NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET" ]; then
source @out@/nix-support/add-flags.sh
if [ -n "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" ]; then
source "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK"
fi
source @out@/nix-support/utils.sh
@ -52,7 +55,7 @@ fi
# Optionally filter out paths not refering to the store.
params=("$@")
if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then
if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then
rest=()
for p in "${params[@]}"; do
if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
@ -110,7 +113,7 @@ fi
#fi
# Optionally print debug info.
if [ -n "$NIX_DEBUG" ]; then
if [ -n "${NIX_DEBUG:-}" ]; then
echo "extra flags before to @prog@:" >&2
printf " %q\n" "${extraBefore[@]}" >&2
echo "original flags to @prog@:" >&2


@ -1,7 +1,10 @@
#! @shell@
set -e -o pipefail
set -eu -o pipefail
shopt -s nullglob
# N.B. Gnat is not used during bootstrapping, so we don't need to
# worry about the old bash empty array `set -u` workarounds.
# Add the flags for the GNAT compiler proper.
extraAfter=("--GCC=@out@/bin/gcc")
extraBefore=()
@ -21,7 +24,7 @@ extraBefore=()
#export NIX_@infixSalt@_LDFLAGS_SET=1
# Optionally print debug info.
if [ -n "$NIX_DEBUG" ]; then
if [ -n "${NIX_DEBUG:-}" ]; then
echo "extra flags before to @prog@:" >&2
printf " %q\n" "${extraBefore[@]}" >&2
echo "original flags to @prog@:" >&2


@ -10,12 +10,12 @@ if [ -n "@coreutils_bin@" ]; then
PATH="@coreutils_bin@/bin"
fi
if [ -n "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" ]; then
source "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK"
if [ -z "${NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then
source @out@/nix-support/add-flags.sh
fi
if [ -z "$NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET" ]; then
source @out@/nix-support/add-flags.sh
if [ -n "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" ]; then
source "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK"
fi
source @out@/nix-support/utils.sh
@ -23,14 +23,14 @@ source @out@/nix-support/utils.sh
# Optionally filter out paths not refering to the store.
expandResponseParams "$@"
if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE"
&& ( -z "$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC" || -z "$NIX_@infixSalt@_LDFLAGS_SET" ) ]]; then
if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE"
&& ( -z "$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC" || -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ) ]]; then
rest=()
nParams=${#params[@]}
declare -i n=0
while [ "$n" -lt "$nParams" ]; do
p=${params[n]}
p2=${params[n+1]}
p2=${params[n+1]:-} # handle `p` being last one
if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
skip "${p:2}"
elif [ "$p" = -L ] && badPath "$p2"; then
@ -59,7 +59,7 @@ source @out@/nix-support/add-hardening.sh
extraAfter=("${hardeningLDFlags[@]}")
extraBefore=()
if [ -z "$NIX_@infixSalt@_LDFLAGS_SET" ]; then
if [ -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ]; then
extraAfter+=($NIX_@infixSalt@_LDFLAGS)
extraBefore+=($NIX_@infixSalt@_LDFLAGS_BEFORE)
fi
@ -73,7 +73,11 @@ relocatable=
# Find all -L... switches for rpath, and relocatable flags for build id.
if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ] || [ "$NIX_@infixSalt@_SET_BUILD_ID" = 1 ]; then
prev=
# Old bash thinks empty arrays are undefined, ugh, so temporarily disable
# `set -u`.
set +u
for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"; do
set -u
case "$prev" in
-L)
libDirs+=("$p")
@ -119,7 +123,7 @@ if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ]; then
if [[ "$dir" =~ [/.][/.] ]] && dir2=$(readlink -f "$dir"); then
dir="$dir2"
fi
if [ "${rpaths[$dir]}" ] || [[ "$dir" != "$NIX_STORE"/* ]]; then
if [ -n "${rpaths[$dir]:-}" ] || [[ "$dir" != "$NIX_STORE"/* ]]; then
# If the path is not in the store, don't add it to the rpath.
# This typically happens for libraries in /tmp that are later
# copied to $out/lib. If not, we're screwed.
@ -127,9 +131,9 @@ if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ]; then
fi
for path in "$dir"/lib*.so; do
file="${path##*/}"
if [ "${libs[$file]}" ]; then
if [ "${libs[$file]:-}" ]; then
libs["$file"]=
if [ ! "${rpaths[$dir]}" ]; then
if [ -z "${rpaths[$dir]:-}" ]; then
rpaths["$dir"]=1
extraAfter+=(-rpath "$dir")
fi
@ -147,13 +151,15 @@ fi
# Optionally print debug info.
if [ -n "$NIX_DEBUG" ]; then
if [ -n "${NIX_DEBUG:-}" ]; then
set +u # Old bash workaround, see above.
echo "extra flags before to @prog@:" >&2
printf " %q\n" "${extraBefore[@]}" >&2
echo "original flags to @prog@:" >&2
printf " %q\n" "${params[@]}" >&2
echo "extra flags after to @prog@:" >&2
printf " %q\n" "${extraAfter[@]}" >&2
set -u
fi
if [ -n "$NIX_LD_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
@ -161,4 +167,5 @@ if [ -n "$NIX_LD_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
fi
PATH="$path_backup"
set +u # Old bash workaround, see above.
exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"
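Review bot: In the rpath hunk (`@ -73,7 +73,11 @@`) the re-enabling `set -u` sits inside the loop body, so it only executes if the loop iterates at least once; when `extraBefore`, `params` and `extraAfter` are all empty — the very case the workaround exists for — the remainder of the script runs with `-u` off. The loop's `done` is outside the hunk, so the re-arm cannot simply be moved below it; the usual old-bash-safe idiom avoids toggling the option altogether: `for p in ${extraBefore[@]+"${extraBefore[@]}"} ${params[@]+"${params[@]}"} ${extraAfter[@]+"${extraAfter[@]}"}; do`, which expands to nothing for an unset or empty array and to the quoted elements otherwise, and could likewise replace the `set +u`/`set -u` pairs around the debug printf blocks here and in cc-wrapper. A smaller style point in the `.so` scanning hunk: `[ "${libs[$file]:-}" ]` uses a bare-string test while the neighbouring lines use `-n`/`-z`; `if [ -n "${libs[$file]:-}" ]; then` reads consistently.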


@ -1,5 +1,5 @@
skip () {
if [ -n "$NIX_DEBUG" ]; then
if [ -n "${NIX_DEBUG:-}" ]; then
echo "skipping impure path $1" >&2
fi
}