cc-wrapper, clang: use new mechanism to selectively unsupport zerocallusedregs

this allows a compiler derivation to provide a
hardeningUnsupportedFlagsByTargetPlatform passthru attr
that will be called with the targetPlatform to determine
the unsupported hardening flags for that platform.

we can do this because even though a clang compiler is
multi-target by nature, cc-wrapper effectively fixes the
target platform at wrapping time. otherwise we'd have to
sniff the intended target at runtime, which wouldn't
be fun at all.

the advantage of using a new attribute instead of
allowing hardeningUnsupportedFlags to optionally be a
function is that hardeningUnsupportedFlags retains its
simple overriding pattern for simple cases (i.e.
  `(prev.hardeningUnsupportedFlags or []) ++ [ "foo" ]`
) which will continue to work as long as the bottom-most
function of hardeningUnsupportedFlagsByTargetPlatform
falls back to hardeningUnsupportedFlags.
Robert Scott 2023-12-17 14:04:44 +00:00
parent e79c133858
commit 506ec38e7f
5 changed files with 26 additions and 13 deletions


@ -223,6 +223,15 @@ let
defaultHardeningFlags = bintools.defaultHardeningFlags or [];
# if cc.hardeningUnsupportedFlagsByTargetPlatform exists, this is
# called with the targetPlatform as an argument and
# cc.hardeningUnsupportedFlags is completely ignored - the function
# is responsible for including the constant hardeningUnsupportedFlags
# list however it sees fit.
ccHardeningUnsupportedFlags = if cc ? hardeningUnsupportedFlagsByTargetPlatform
then cc.hardeningUnsupportedFlagsByTargetPlatform targetPlatform
else (cc.hardeningUnsupportedFlags or []);
darwinPlatformForCC = optionalString stdenv.targetPlatform.isDarwin (
if (targetPlatform.darwinPlatform == "macos" && isGNU) then "macosx"
else targetPlatform.darwinPlatform
@ -584,7 +593,7 @@ stdenv.mkDerivation {
## Hardening support
##
+ ''
export hardening_unsupported_flags="${builtins.concatStringsSep " " (cc.hardeningUnsupportedFlags or [])}"
export hardening_unsupported_flags="${builtins.concatStringsSep " " ccHardeningUnsupportedFlags}"
''
# Machine flags. These are necessary to support
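Review bot: The comment above `ccHardeningUnsupportedFlags` states the contract but nothing enforces it: once a compiler defines `hardeningUnsupportedFlagsByTargetPlatform`, whatever is set on `cc.hardeningUnsupportedFlags` is ignored unless that function chooses to include it, so an override that only touches the constant list can silently stop having any effect. The result is exported as `hardening_unsupported_flags`, which presumably decides which hardening flags the wrapper drops, so I would extend the comment with the return type and the consequence, e.g. `# must return a list of hardening flag names; every name returned is treated as unsupported for this target, so an over-broad result turns that hardening off for everything built with this wrapper`. Both the `let` block and the `mkDerivation` call continue outside the hunks shown.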


@ -7,7 +7,7 @@
}:
let
self = stdenv.mkDerivation (rec {
self = stdenv.mkDerivation (finalAttrs: rec {
pname = "clang";
inherit version;
@ -99,9 +99,10 @@ let
isClang = true;
hardeningUnsupportedFlags = [
"fortify3"
# supported on x86_64/aarch64 only
"zerocallusedregs"
];
hardeningUnsupportedFlagsByTargetPlatform = targetPlatform:
lib.optional (!(targetPlatform.isx86_64 || targetPlatform.isAarch64)) "zerocallusedregs"
++ (finalAttrs.passthru.hardeningUnsupportedFlags or []);
};
meta = llvm_meta // {
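Review bot: The new `hardeningUnsupportedFlagsByTargetPlatform` loses the explanatory comment that used to sit next to `"zerocallusedregs"`, so the reason for the architecture test is no longer recorded where the decision is made. I would put `# zerocallusedregs is only supported on x86_64/aarch64 targets` above the function, plus a line saying that the `finalAttrs.passthru.hardeningUnsupportedFlags` fallback is what keeps plain list overrides working. The same lines are repeated verbatim in the three clang sections that follow, so this applies there as well, and a shared helper would stop the four predicates from drifting apart. Whether each of those clang versions accepts the flag on both architectures is not visible on this page and is worth confirming per version, because a wrong answer either breaks builds or leaves the mitigation off for that target. The enclosing attribute set starts and ends outside the hunk.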


@ -7,7 +7,7 @@
}:
let
self = stdenv.mkDerivation (rec {
self = stdenv.mkDerivation (finalAttrs: rec {
pname = "clang";
inherit version;
@ -93,9 +93,10 @@ let
isClang = true;
hardeningUnsupportedFlags = [
"fortify3"
# supported on x86_64/aarch64 only
"zerocallusedregs"
];
hardeningUnsupportedFlagsByTargetPlatform = targetPlatform:
lib.optional (!(targetPlatform.isx86_64 || targetPlatform.isAarch64)) "zerocallusedregs"
++ (finalAttrs.passthru.hardeningUnsupportedFlags or []);
};
meta = llvm_meta // {


@ -7,7 +7,7 @@
}:
let
self = stdenv.mkDerivation (rec {
self = stdenv.mkDerivation (finalAttrs: rec {
pname = "clang";
inherit version;
@ -97,9 +97,10 @@ let
isClang = true;
hardeningUnsupportedFlags = [
"fortify3"
# supported on x86_64/aarch64 only
"zerocallusedregs"
];
hardeningUnsupportedFlagsByTargetPlatform = targetPlatform:
lib.optional (!(targetPlatform.isx86_64 || targetPlatform.isAarch64)) "zerocallusedregs"
++ (finalAttrs.passthru.hardeningUnsupportedFlags or []);
};
meta = llvm_meta // {


@ -7,7 +7,7 @@
}:
let
self = stdenv.mkDerivation (rec {
self = stdenv.mkDerivation (finalAttrs: rec {
pname = "clang";
inherit version;
@ -97,9 +97,10 @@ let
isClang = true;
hardeningUnsupportedFlags = [
"fortify3"
# supported on x86_64/aarch64 only
"zerocallusedregs"
];
hardeningUnsupportedFlagsByTargetPlatform = targetPlatform:
lib.optional (!(targetPlatform.isx86_64 || targetPlatform.isAarch64)) "zerocallusedregs"
++ (finalAttrs.passthru.hardeningUnsupportedFlags or []);
};
meta = llvm_meta // {