NixOS · groxxda · Oct 11, 2016 · Oct 11, 2016 · Oct 13, 2016 · Oct 11, 2016
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -117,7 +117,6 @@ if [[ "$isCpp" = 1 ]]; then
 fi
 
 LD=@ldPath@/ld
-source @out@/nix-support/add-hardening.sh
 
 # Add the flags for the C compiler proper.
 extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})

diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
@@ -260,7 +260,6 @@ stdenv.mkDerivation {
       fi
 
       substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
-      substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
       cp -p ${./utils.sh} $out/nix-support/utils.sh
     ''
     + extraBuildCommands;

diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@@ -48,7 +48,6 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
 fi
 
 LD=@prog@
-source @out@/nix-support/add-hardening.sh
 
 extra=(${hardeningLDFlags[@]})
 extraBefore=()

diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix
@@ -220,8 +220,7 @@ stdenv.mkDerivation ({
     inherit sha256;
   };
 
-  # FIXME stackprotector needs gcc 4.9 in bootstrap tools
-  hardeningDisable = [ "stackprotector" "format" ];
+  hardeningDisable = [ "format" ];
 
   inherit patches;
 
@@ -508,8 +507,10 @@ stdenv.mkDerivation ({
       ]
     else null;
 
-  passthru =
-    { inherit langC langCC langObjC langObjCpp langAda langFortran langVhdl langGo version; isGNU = true; };
+  passthru = {
+    inherit langC langCC langObjC langObjCpp langAda langFortran langVhdl langGo version; isGNU = true;
+    hardeningSupported = [ "fortify" "stackprotector" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+  };
 
   inherit enableParallelBuilding enableMultilib;
 

diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
@@ -506,8 +506,10 @@ stdenv.mkDerivation ({
       ]
     else null;
 
-  passthru =
-    { inherit langC langCC langObjC langObjCpp langAda langFortran langVhdl langGo version; isGNU = true; };
+  passthru = {
+    inherit langC langCC langObjC langObjCpp langAda langFortran langVhdl langGo version; isGNU = true;
+    hardeningSupported = [ "fortify" "stackprotector" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+  };
 
   inherit enableParallelBuilding enableMultilib;
 

diff --git a/pkgs/development/libraries/isl/0.14.1.nix b/pkgs/development/libraries/isl/0.14.1.nix
@@ -12,9 +12,6 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  # FIXME needs gcc 4.9 in bootstrap tools
-  hardeningDisable = [ "stackprotector" ];
-
   meta = {
     homepage = http://www.kotnet.org/~skimo/isl/;
     license = stdenv.lib.licenses.lgpl21;

diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
@@ -114,6 +114,8 @@ let
     , __propagatedImpureHostDeps ? []
     , sandboxProfile ? ""
     , propagatedSandboxProfile ? ""
+    , hardeningEnable ? [ "all" ]
+    , hardeningDisable ? [ ]
     , ... } @ attrs:
     let
       pos' =
@@ -185,6 +187,7 @@ let
         (removeAttrs attrs
           ["meta" "passthru" "crossAttrs" "pos"
            "__impureHostDeps" "__propagatedImpureHostDeps"
+           "hardeningEnable" "hardeningDisable"
            "sandboxProfile" "propagatedSandboxProfile"])
         // (let
           computedSandboxProfile =
@@ -203,6 +206,11 @@ let
           system = result.system;
           userHook = config.stdenv.userHook or null;
           __ignoreNulls = true;
+          inherit (import ./hardening.nix {
+            inherit lib;
+            inherit hardeningEnable hardeningDisable;
+            hardeningSupported = result.cc.cc.hardeningSupported or [];
+          }) hardeningCFlags hardeningLDFlags;
 
           # Inputs built by the cross compiler.
           buildInputs = if crossConfig != null then buildInputs' else [];

diff --git a/pkgs/stdenv/generic/hardening.nix b/pkgs/stdenv/generic/hardening.nix
@@ -0,0 +1,52 @@
+{ lib
+# toolchain supported flags
+, hardeningSupported
+# package level flags
+, hardeningEnable, hardeningDisable
+}:
+let
+inherit (builtins) filter map elem;
+inherit (lib) getAttr concatMap flip attrNames;
+
+# mapping from nixpkgs hardening flags to their compiler / linker meanings
+hardeningFlagMap = {
+  bindnow = {
+    LD = [ "-z" "now" ];
+  };
+  format = {
+    C = [ "-Wformat" "-Wformat-security" "-Werror=format-security" ];
+  };
+  fortify = {
+    C = [ "-O2" "-D_FORTIFY_SOURCE=2" ];
+  };
+  pie = {
+    C = [ "-fPIE" ];
+    LD = [ "-pie" ];
+  };
+  pic = {
+    C = [ "-fPIC" ];
+  };
+  relro = {
+    LD = [ "-z" "relro" ];
+  };
+  stackprotector = {
+    C = [ "-fstack-protector-strong" "--param ssp-buffer-size=4" ];
+  };
+  strictoverflow = {
+    C = [ "-fno-strict-overflow" ];
+  };
+};
+
+enabledFlags =
+  if elem "all" hardeningDisable then []
+  else filter (x: ! elem x hardeningDisable) (
+    if elem "all" hardeningEnable then hardeningSupported
+    else filter (flip elem hardeningSupported) hardeningEnable
+  );
+
+enabledFlagsMap = map (flip getAttr hardeningFlagMap) enabledFlags;
+
+in {
+  hardeningCFlags = concatMap (x: x.C or []) enabledFlagsMap;
+  hardeningLDFlags = concatMap (x: x.LD or []) enabledFlagsMap;
+}