mkDerivation, cc-wrapper: Check hardening flag validity in Nix

This becomes necessary if more wrappers besides cc-wrapper start supporting hardening flags. Also good to make the warning into an error. Also ensure interface is being used right: Not as a string, not just in bash.
2017-08-28 14:56:08 -04:00 · 2017-08-28 14:56:08 -04:00 · 97a48835b7
parent 822a8d0148
commit 97a48835b7
5 changed files with 19 additions and 4 deletions
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -68,7 +68,8 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
          hardeningLDFlags+=('-z' 'now')
          ;;
        *)
-          echo "Hardening flag unknown: $flag" >&2
+          # Ignore unsupported. Checked in Nix that at least *some*
+          # tool supports each flag.
          ;;
      esac
    fi
--- a/pkgs/os-specific/linux/devmem2/default.nix
+++ b/pkgs/os-specific/linux/devmem2/default.nix
@ -8,8 +8,9 @@ stdenv.mkDerivation rec {
    sha256 = "14f1k7v6i1yaxg4xcaaf5i4aqn0yabba857zjnbg9wiymy82qf7c";
  };

+  hardeningDisable = [ "format" ];  # fix compile error
+
  buildCommand = ''
-    export hardeningDisable=format  # fix compile error
    cc "$src" -o devmem2
    install -D devmem2 "$out/bin/devmem2"
  '';
--- a/pkgs/os-specific/linux/firmware/fwupdate/default.nix
+++ b/pkgs/os-specific/linux/firmware/fwupdate/default.nix
@ -17,7 +17,7 @@ let version = "8"; in
      buildInputs = [ gnu-efi libsmbios popt pkgconfig gettext ];
      propagatedBuildInputs = [ efivar ];
      # TODO: Just apply the disable to the efi subdir
-      hardeningDisable = "all";
+      hardeningDisable = [ "all" ];
      patchPhase = ''
        sed -i 's|/usr/include/smbios_c/token.h|smbios_c/token.h|' \
          linux/libfwup.c
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@ -41,7 +41,20 @@ rec {
    , __propagatedImpureHostDeps ? []
    , sandboxProfile ? ""
    , propagatedSandboxProfile ? ""
+
+    , hardeningEnable ? []
+    , hardeningDisable ? []
    , ... } @ attrs:
+
+    # TODO(@Ericson2314): Make this more modular, and not O(n^2).
+    let allHardeningFlags = [
+      "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
+      "bindnow"
+    ];
+    in assert lib.all
+      (flag: lib.elem flag allHardeningFlags)
+      (hardeningEnable ++ hardeningDisable);
+
    let
      dependencies = map lib.chooseDevOutputs [
        (map (drv: drv.nativeDrv or drv) nativeBuildInputs
--- a/pkgs/tools/networking/envoy/default.nix
+++ b/pkgs/tools/networking/envoy/default.nix
@ -233,7 +233,7 @@ stdenv.mkDerivation rec {

  patches = [ ./nixos.patch ];

-  hardeningDisable = "all";
+  hardeningDisable = [ "all" ];
  dontPatchELF = true;
  dontStrip = true;