hardenning: Rejigger ifs and explicit declare and unset -v

2024-11-22 23:13:19 +00:00 · 2018-04-10 15:42:05 -04:00 · 2018-04-10 15:42:05 -04:00 · 4c76d87871
commit 4c76d87871
parent 386e77dae9
2 changed files with 14 additions and 16 deletions
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@ -1,4 +1,4 @@
-hardeningFlags=()
+declare -a hardeningLDFlags=()

 declare -A hardeningEnableMap=()

@ -11,14 +11,14 @@ done

 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
-  unset hardeningEnableMap[$flag]
+  unset -v hardeningEnableMap["$flag"]
 done

 if (( "${NIX_DEBUG:-0}" >= 1 )); then
  # Determine which flags were effectively disabled so we can report below.
-  allHardeningFlags=(pie relro bindnow)
+  declare -a allHardeningFlags=(pie relro bindnow)
  declare -A hardeningDisableMap=()
-  for flag in ${allHardeningFlags[@]}; do
+  for flag in "${allHardeningFlags[@]}"; do
    if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
      hardeningDisableMap[$flag]=1
    fi
@ -27,12 +27,12 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
  printf 'HARDENING: disabled flags:' >&2
  (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
  echo >&2
-fi

-if (( "${#hardeningEnableMap[@]}" )); then
-  if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  if (( "${#hardeningEnableMap[@]}" )); then
    echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
  fi
+fi
+
  for flag in "${!hardeningEnableMap[@]}"; do
      case $flag in
        pie)
@ -55,4 +55,3 @@ if (( "${#hardeningEnableMap[@]}" )); then
          ;;
      esac
  done
-fi
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -1,4 +1,4 @@
-hardeningCFlags=()
+declare -a hardeningCFlags=()

 declare -A hardeningEnableMap=()

@ -11,14 +11,14 @@ done

 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
-  unset hardeningEnableMap[$flag]
+  unset -v hardeningEnableMap["$flag"]
 done

 if (( "${NIX_DEBUG:-0}" >= 1 )); then
  # Determine which flags were effectively disabled so we can report below.
-  allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
+  declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
  declare -A hardeningDisableMap=()
-  for flag in ${allHardeningFlags[@]}; do
+  for flag in "${allHardeningFlags[@]}"; do
    if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
      hardeningDisableMap[$flag]=1
    fi
@ -27,12 +27,12 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
  printf 'HARDENING: disabled flags:' >&2
  (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
  echo >&2
-fi

-if (( "${#hardeningEnableMap[@]}" )); then
-  if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  if (( "${#hardeningEnableMap[@]}" )); then
    echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
  fi
+fi
+
  for flag in "${!hardeningEnableMap[@]}"; do
      case $flag in
        fortify)
@ -69,4 +69,3 @@ if (( "${#hardeningEnableMap[@]}" )); then
          ;;
      esac
  done
-fi