From b8b4f9ce4b44e22308d6bac476c78a5639863610 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 9 Mar 2004 17:08:41 +0000 Subject: [PATCH] * Reject inputs outside of the store in ld if NIX_ENFORCE_PURITY is set. * Various bug fixes. svn path=/nixpkgs/trunk/; revision=824 --- pkgs/build-support/gcc-wrapper/builder.sh | 55 +++++++++++++------ pkgs/build-support/gcc-wrapper/default.nix | 9 +-- pkgs/build-support/gcc-wrapper/gcc-wrapper.sh | 6 +- pkgs/build-support/gcc-wrapper/ld-wrapper.sh | 35 +++++++++++- pkgs/build-support/gcc-wrapper/setup-hook.sh | 16 +++++- 5 files changed, 91 insertions(+), 30 deletions(-) diff --git a/pkgs/build-support/gcc-wrapper/builder.sh b/pkgs/build-support/gcc-wrapper/builder.sh index 92d187ab84d0..e704c8b67942 100755 --- a/pkgs/build-support/gcc-wrapper/builder.sh +++ b/pkgs/build-support/gcc-wrapper/builder.sh @@ -2,15 +2,32 @@ . $stdenv/setup -if test -z "$isNative"; then - cflagsCompile="-B$out/bin -B$glibc/lib -isystem $glibc/include" - ldflags="-L$glibc/lib -L$gcc/lib " \ - "-dynamic-linker $glibc/lib/ld-linux.so.2" \ - "-rpath $glibc/lib -rpath $gcc/lib" -else - cflagsCompile="-B$out/bin" + +# Force gcc to use ld-wrapper.sh when calling ld. +cflagsCompile="-B$out/bin" + +if test -n "$glibc"; then + # The "-B$glibc/lib" flag is a quick hack to force gcc to link + # against the crt1.o from our own glibc, rather than the one in + # /usr/lib. The real solution is of course to prevent those paths + # from being used by gcc in the first place. + cflagsCompile="$cflagsCompile -B$glibc/lib -isystem $glibc/include" + ldflags="$ldflags -L$glibc/lib -rpath $glibc/lib -dynamic-linker $glibc/lib/ld-linux.so.2" fi +if test -n "$gcc"; then + ldflags="$ldflags -L$gcc/lib -rpath $gcc/lib" +fi + +if test -n "$isNative"; then + gccPath="$nativePrefix/bin" + ldPath="$nativePrefix/bin" +else + gccPath="$gcc/bin" + ldPath="$binutils/bin" +fi + + mkdir $out mkdir $out/bin 
@@ -25,39 +42,43 @@ mkGccWrapper () { fi sed \ - -e "s^@cflagsCompile@^$cflagsCompile^g" \ - -e "s^@cflagsLink@^$cflagsLink^g" \ - -e "s^@ldflags@^$ldflags^g" \ -e "s^@gcc@^$src^g" \ + -e "s^@out@^$out^g" \ < $gccWrapper > $dst chmod +x $dst - } -mkGccWrapper $out/bin/gcc $gcc/bin/gcc +mkGccWrapper $out/bin/gcc $gccPath/gcc ln -s gcc $out/bin/cc -mkGccWrapper $out/bin/g++ $gcc/bin/g++ +mkGccWrapper $out/bin/g++ $gccPath/g++ ln -s g++ $out/bin/c++ -mkGccWrapper $out/bin/g77 $gcc/bin/g77 +mkGccWrapper $out/bin/g77 $gccPath/g77 ln -s g77 $out/bin/f77 sed \ -e "s^@ldflags@^$ldflags^g" \ - -e "s^@ld@^$gcc/bin/ld^g" \ + -e "s^@ld@^$ldPath/ld^g" \ < $ldWrapper > $out/bin/ld chmod +x $out/bin/ld mkdir $out/nix-support -test -z "$isNative" && echo $gcc > $out/nix-support/orig-gcc -test -z "$isNative" && echo $glibc > $out/nix-support/orig-glibc +test -z "$gcc" && echo $gcc > $out/nix-support/orig-gcc +test -n "$glibc" && echo $glibc > $out/nix-support/orig-glibc + +cat > $out/nix-support/add-flags < $out/nix-support/setup-hook diff --git a/pkgs/build-support/gcc-wrapper/default.nix b/pkgs/build-support/gcc-wrapper/default.nix index 11282e131dac..631212a9f227 100644 --- a/pkgs/build-support/gcc-wrapper/default.nix +++ b/pkgs/build-support/gcc-wrapper/default.nix @@ -5,9 +5,10 @@ # derivation provides a wrapper that sets up the right environment # variables so that the compiler and the linker just "work". -{name, stdenv, isNative, gcc ? null, glibc ? null, binutils ? null}: +{ name, stdenv, isNative, nativePrefix ? "" +, gcc ? null, glibc ? null, binutils ? null}: -assert isNative -> gcc != ""; +assert isNative -> nativePrefix != ""; assert !isNative -> gcc != null && glibc != null && binutils != null; derivation { 
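Review bot: The guard on the orig-gcc line is inverted: `test -z "$gcc" && echo $gcc > $out/nix-support/orig-gcc` writes the file only when `$gcc` is empty, so the real compiler path is never recorded, while the glibc line next to it uses `-n`. It should read `test -n "$gcc" && echo "$gcc" > "$out/nix-support/orig-gcc"`. Separately, the `sed` calls splice `$ldflags` and `$ldPath` unescaped into a `^`-delimited expression, which is only safe while those values contain no `^`, `&` or backslash. A one-line comment stating that assumption would help.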
@@ -16,8 +17,8 @@ derivation { setupHook = ./setup-hook.sh; gccWrapper = ./gcc-wrapper.sh; ldWrapper = ./ld-wrapper.sh; - inherit name stdenv isNative gcc glibc binutils; - enforcePurity = if isNative then false else gcc.noSysDirs; + inherit name stdenv isNative nativePrefix gcc glibc binutils; + enforcePurity = if isNative then false else gcc.enforcePurity; langC = if isNative then true else gcc.langC; langCC = if isNative then true else gcc.langCC; langF77 = if isNative then false else gcc.langF77; diff --git a/pkgs/build-support/gcc-wrapper/gcc-wrapper.sh b/pkgs/build-support/gcc-wrapper/gcc-wrapper.sh index 6cb3493f6bfc..7bc01eb035be 100644 --- a/pkgs/build-support/gcc-wrapper/gcc-wrapper.sh +++ b/pkgs/build-support/gcc-wrapper/gcc-wrapper.sh @@ -5,16 +5,14 @@ if test -n "$NIX_GCC_WRAPPER_START_HOOK"; then fi if test -z "$NIX_GLIBC_FLAGS_SET"; then - NIX_CFLAGS_COMPILE="@cflagsCompile@ $NIX_CFLAGS_COMPILE" - NIX_CFLAGS_LINK="@cflagsLink@ $NIX_CFLAGS_LINK" - NIX_LDFLAGS="@ldflags@ $NIX_LDFLAGS" + . @out@/nix-support/add-flags fi # Figure out if linker flags should be passed. GCC prints annoying # warnings when they are not needed. dontLink=0 -if test "$*" = "-v"; then +if test "$*" = "-v" -o -z "$*"; then dontLink=1 else for i in "$@"; do diff --git a/pkgs/build-support/gcc-wrapper/ld-wrapper.sh b/pkgs/build-support/gcc-wrapper/ld-wrapper.sh index 2201bbe19d23..c94f24833c70 100644 --- a/pkgs/build-support/gcc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/gcc-wrapper/ld-wrapper.sh 
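Review bot: The new condition `test "$*" = "-v" -o -z "$*"` in gcc-wrapper.sh relies on the `-o` operator of `test`, which POSIX marks obsolescent and which can misparse when the expanded argument string itself looks like an operator such as `!` or `(`. Two separate tests avoid this: `if test "$*" = "-v" || test -z "$*"; then`. The same applies to the `-a` conditions added to ld-wrapper.sh in this commit. The wrapper now sources `@out@/nix-support/add-flags` as shell code on every invocation, so a comment above that line saying the file is expected to be generated by builder.sh would document the trust assumption. The if/else that sets `dontLink` continues past the end of the hunk.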
@@ -4,6 +4,37 @@ if test -n "$NIX_LD_WRAPPER_START_HOOK"; then . "$NIX_LD_WRAPPER_START_HOOK" fi +# Optionally filter out paths not refering to the store. +skip () { + if test "$NIX_DEBUG" = "1"; then + echo "skipping impure path $1" >&2 + fi +} + +params=("$@") +if test "$NIX_ENFORCE_PURITY" = "1" -a -n "$NIX_STORE"; then + rest=() + n=0 + while test $n -lt ${#params[*]}; do + p=${params[n]} + p2=${params[$((n+1))]} + if test "${p:0:3}" = "-L/" -a "${p:2:${#NIX_STORE}}" != "$NIX_STORE"; then + skip $p + elif test "$p" = "-L" -a "${p2:0:${#NIX_STORE}}" != "$NIX_STORE"; then + n=$((n + 1)); skip $p2 + elif test "${p:0:1}" = "/" -a "${p:0:${#NIX_STORE}}" != "$NIX_STORE"; then + # We cannot skip this; barf. + echo "impure path \`$p' used in link" + exit 1 + else + rest=("${rest[@]}" "$p") + fi + n=$((n + 1)) + done + params=("${rest[@]}") +fi + + extra=() if test -z "$NIX_LDFLAGS_SET"; then @@ -12,7 +43,7 @@ fi if test "$NIX_DEBUG" = "1"; then echo "original flags to @ld@:" >&2 - for i in "$@"; do + for i in "${params[@]}"; do echo " $i" >&2 done echo "extra flags to @ld@:" >&2 @@ -25,4 +56,4 @@ if test -n "$NIX_LD_WRAPPER_EXEC_HOOK"; then . "$NIX_LD_WRAPPER_EXEC_HOOK" fi -exec @ld@ "$@" ${extra[@]} +exec @ld@ "${params[@]}" ${extra[@]} diff --git a/pkgs/build-support/gcc-wrapper/setup-hook.sh b/pkgs/build-support/gcc-wrapper/setup-hook.sh index cc20c5f94829..4385ab0602ba 100644 --- a/pkgs/build-support/gcc-wrapper/setup-hook.sh +++ b/pkgs/build-support/gcc-wrapper/setup-hook.sh @@ -11,8 +11,18 @@ addCVars () { envHooks=(${envHooks[@]} addCVars) export NIX_IS_NATIVE=@isNative@ -if test -z "$NIX_IS_NATIVE"; then - PATH=$PATH:@gcc@/bin:@glibc@/bin +export NIX_ENFORCE_PURITY=@enforcePurity@ + +# Note: these come *after* $out in the PATH (see setup.sh). + +if test -n "@gcc@"; then + PATH=$PATH:@gcc@/bin fi -export NIX_ENFORCE_PURITY=@enforcePurity@ +if test -n "@binutils@"; then + PATH=$PATH:@binutils@/bin +fi + +if test -n "@glibc@"; then + PATH=$PATH:@glibc@/bin +fi
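Review bot: The store check in the new ld-wrapper.sh filter loop is a raw string-prefix comparison, `"${p:0:${#NIX_STORE}}" != "$NIX_STORE"`, so it accepts as pure a sibling directory whose name merely begins with the store path, and also a path that starts in the store and leaves it again through `..` components. Comparing with the separator included closes the first gap, e.g. `store="$NIX_STORE/"` and then `"${p:0:${#store}}" != "$store"` (offset 2 for the `-L/` form); the second needs an explicit rejection of `/../` in the argument. The filter is also skipped entirely when `NIX_STORE` is empty, so enforcement fails open; if that is intended, a comment should say so. The `impure path` message goes to stdout while `skip` writes to stderr; adding `>&2` would keep diagnostics out of captured linker output.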
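Review bot: The three `test -n "@gcc@"`-style guards in setup-hook.sh work only if builder.sh replaces every placeholder, including the new `@binutils@`. The sed call that generates setup-hook is not visible on this page, so this should be confirmed. An unreplaced placeholder is a non-empty string, so the guard would pass and append a relative entry such as `@binutils@/bin` to PATH. A short comment above the guards, for example `# @gcc@, @binutils@ and @glibc@ are substituted by builder.sh; empty means native`, would make the contract explicit.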