cc-wrapper: add fortify flags after invocation args, not before

this splits hardeningCFlags into hardeningCFlagsAfter and hardeningCFlagsBefore (where most flags still remain) to allow us to *append* `-D_FORTIFY_SOURCE=` values to the command-line, forcing our choice of fortify level and avoiding potential redefinition warnings/errors through use of `-U_FORTIFY_SOURCE`
2024-11-22 15:03:28 +00:00 · 2023-07-30 12:25:02 +01:00 · 2023-07-30 12:25:02 +01:00 · 658ab4b45b
commit 658ab4b45b
parent bb1bf988bc
2 changed files with 18 additions and 13 deletions
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -1,4 +1,5 @@
-declare -a hardeningCFlags=()
+declare -a hardeningCFlagsAfter=()
+declare -a hardeningCFlagsBefore=()

 declare -A hardeningEnableMap=()

@ -48,15 +49,19 @@ for flag in "${!hardeningEnableMap[@]}"; do
    fortify | fortify3)
      # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
      # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+      hardeningCFlagsBefore+=('-O2' '-U_FORTIFY_SOURCE')
+      # Unset any _FORTIFY_SOURCE values the command-line may have set before
+      # enforcing our own value, avoiding (potentially fatal) redefinition
+      # warnings
+      hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')
      case $flag in
        fortify)
          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
-          hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+          hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=2')
        ;;
        fortify3)
          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
-          hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+          hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=3')
        ;;
        *)
          # Ignore unsupported.
@ -65,20 +70,20 @@ for flag in "${!hardeningEnableMap[@]}"; do
      ;;
    stackprotector)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
-      hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
+      hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
      ;;
    pie)
      # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-      hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+      hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}")
      if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then
        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-        hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
+        hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}")
      fi
      ;;
    pic)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
-      hardeningCFlags+=('-fPIC')
+      hardeningCFlagsBefore+=('-fPIC')
      ;;
    strictoverflow)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
@ -89,14 +94,14 @@ for flag in "${!hardeningEnableMap[@]}"; do
        #
        # See: https://github.com/llvm/llvm-project/blob/llvmorg-16.0.6/clang/lib/Driver/ToolChains/Clang.cpp#L6315
        #
-        hardeningCFlags+=('-fwrapv')
+        hardeningCFlagsBefore+=('-fwrapv')
      else
-        hardeningCFlags+=('-fno-strict-overflow')
+        hardeningCFlagsBefore+=('-fno-strict-overflow')
      fi
      ;;
    format)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
-      hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+      hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
      ;;
    *)
      # Ignore unsupported. Checked in Nix that at least *some*
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@ -171,8 +171,8 @@ fi
 source @out@/nix-support/add-hardening.sh

 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@)
-extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
+extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
+extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)

 if [ "$dontLink" != 1 ]; then