Use general hardening flag toggle lists

The following parameters are now available: * hardeningDisable To disable specific hardening flags * hardeningEnable To enable specific hardening flags Only the cc-wrapper supports this right now, but these may be reused by other wrappers, builders or setup hooks. cc-wrapper supports the following flags: * fortify * stackprotector * pie (disabled by default) * pic * strictoverflow * format * relro * bindnow
2024-11-25 16:33:15 +00:00 · 2016-02-26 18:38:15 +01:00 · 2016-02-26 18:38:15 +01:00 · aff1f4ab94
commit aff1f4ab94
parent a2e449e43e
309 changed files with 366 additions and 373 deletions
--- a/pkgs/applications/audio/QmidiNet/default.nix
+++ b/pkgs/applications/audio/QmidiNet/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildInputs = [ qt4 alsaLib libjack2 ];
--- a/pkgs/applications/audio/aacgain/default.nix
+++ b/pkgs/applications/audio/aacgain/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation {
    sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configurePhase = ''
    cd mp4v2
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  preConfigure = "unset CC";
--- a/pkgs/applications/audio/csound/default.nix
+++ b/pkgs/applications/audio/csound/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation {
  enableParallelBuilding = true;
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  src = fetchurl {
    url = mirror://sourceforge/csound/Csound6.04.tar.gz;
--- a/pkgs/applications/audio/freewheeling/default.nix
+++ b/pkgs/applications/audio/freewheeling/default.nix
@ -19,7 +19,7 @@ stdenv.mkDerivation {
  patches = [ ./am_path_sdl.patch ./xml.patch ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = {
    description = "A live looping instrument with JACK and MIDI support";
--- a/pkgs/applications/audio/jack-capture/default.nix
+++ b/pkgs/applications/audio/jack-capture/default.nix
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
    cp jack_capture $out/bin/
  '';
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = with stdenv.lib; {
    description = "A program for recording soundfiles with jack";
--- a/pkgs/applications/audio/lingot/default.nix
+++ b/pkgs/applications/audio/lingot/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation {
    sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
--- a/pkgs/applications/audio/mi2ly/default.nix
+++ b/pkgs/applications/audio/mi2ly/default.nix
@ -21,7 +21,7 @@ stdenv.mkDerivation {
  sourceRoot=".";
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildPhase = "./cc";
  installPhase = ''
--- a/pkgs/applications/audio/mp3info/default.nix
+++ b/pkgs/applications/audio/mp3info/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ ncurses pkgconfig gtk ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configurePhase =
    '' sed -i Makefile \
--- a/pkgs/applications/audio/mp3val/default.nix
+++ b/pkgs/applications/audio/mp3val/default.nix
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
    install -Dv mp3val "$out/bin/mp3val"
  '';
-  hardening_fortify = false;
+  hardeningDisable = [ "fortify" ];
  meta = {
    description = "A tool for validating and repairing MPEG audio streams";
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configureFlags = [
    ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
--- a/pkgs/applications/audio/musescore/default.nix
+++ b/pkgs/applications/audio/musescore/default.nix
@ -13,8 +13,7 @@ stdenv.mkDerivation rec {
    sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw";
  };
-  hardening_bindnow = false;
+  hardeningDisable = [ "relro" "bindnow" ];
  hardening_relro = false;
  makeFlags = [
    "PREFIX=$(out)"
--- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix
+++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ puredata ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patchPhase = ''
    for file in `grep -r -l g_canvas.h`
--- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix
+++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ puredata ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patchPhase = ''
    for i in ${puredata}/include/pd/*; do
--- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
+++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ puredata ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patchPhase = ''
    for D in net osc
--- a/pkgs/applications/audio/rakarrack/default.nix
+++ b/pkgs/applications/audio/rakarrack/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation  rec {
    sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patches = [ ./fltk-path.patch ];
--- a/pkgs/applications/audio/zynaddsubfx/default.nix
+++ b/pkgs/applications/audio/zynaddsubfx/default.nix
@ -14,7 +14,7 @@ stdenv.mkDerivation  rec {
  buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
  nativeBuildInputs = [ cmake pkgconfig ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = with stdenv.lib; {
    description = "High quality software synthesizer";
--- a/pkgs/applications/editors/ht/default.nix
+++ b/pkgs/applications/editors/ht/default.nix
@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
    ncurses
  ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = with lib; {
    description = "File editor/viewer/analyzer for executables";
--- a/pkgs/applications/editors/leafpad/default.nix
+++ b/pkgs/applications/editors/leafpad/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ intltool pkgconfig gtk ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configureFlags = [
    "--enable-chooser"
--- a/pkgs/applications/graphics/cinepaint/default.nix
+++ b/pkgs/applications/graphics/cinepaint/default.nix
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
    libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
  ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patches = [ ./install.patch ];
--- a/pkgs/applications/graphics/giv/default.nix
+++ b/pkgs/applications/graphics/giv/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  prePatch = ''
    sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl
--- a/pkgs/applications/graphics/gqview/default.nix
+++ b/pkgs/applications/graphics/gqview/default.nix
@ -15,7 +15,7 @@ stdenv.mkDerivation {
  buildInputs = [pkgconfig gtk libpng];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = {
    description = "A fast image viewer";
--- a/pkgs/applications/graphics/meshlab/default.nix
+++ b/pkgs/applications/graphics/meshlab/default.nix
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
  patches = [ ./include-unistd.diff ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildPhase = ''
    mkdir -p "$out/include"
--- a/pkgs/applications/graphics/qtpfsgui/default.nix
+++ b/pkgs/applications/graphics/qtpfsgui/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configurePhase = ''
    export CPATH="${ilmbase}/include/OpenEXR:$CPATH"
--- a/pkgs/applications/graphics/tesseract/default.nix
+++ b/pkgs/applications/graphics/tesseract/default.nix
@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  preConfigure = ''
      ./autogen.sh
--- a/pkgs/applications/graphics/xfig/default.nix
+++ b/pkgs/applications/graphics/xfig/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation {
  nativeBuildInputs = [ imake makeWrapper ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11";
--- a/pkgs/applications/inferno/default.nix
+++ b/pkgs/applications/inferno/default.nix
@ -46,7 +46,7 @@ stdenv.mkDerivation rec {
      --set INFERNO_ROOT "$out/share/inferno"
  '';
-  hardening_fortify = false;
+  hardeningDisable = [ "fortify" ];
  meta = {
    description = "A compact distributed operating system for building cross-platform distributed systems";
--- a/pkgs/applications/misc/epdfview/default.nix
+++ b/pkgs/applications/misc/epdfview/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ pkgconfig gtk poppler ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patches = [ (fetchpatch {
                name = "epdfview-0.1.8-glib2-headers.patch";
--- a/pkgs/applications/misc/gkrellm/default.nix
+++ b/pkgs/applications/misc/gkrellm/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
  buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  # Makefiles are patched to fix references to `/usr/X11R6' and to add
  # `-lX11' to make sure libX11's store path is in the RPATH.
--- a/pkgs/applications/misc/grip/default.nix
+++ b/pkgs/applications/misc/grip/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
    libid3tag ncurses libtool ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = {
    description = "GTK+-based audio CD player/ripper";
--- a/pkgs/applications/misc/k2pdfopt/default.nix
+++ b/pkgs/applications/misc/k2pdfopt/default.nix
@ -31,7 +31,7 @@ in stdenv.mkDerivation rec {
                    openjpeg freetype jbig2dec djvulibre openssl ];
  NIX_LDFLAGS = "-lX11 -lXext";
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  k2_pa = ./k2pdfopt.patch;
  tess_pa = ./tesseract.patch;
--- a/pkgs/applications/misc/navit/default.nix
+++ b/pkgs/applications/misc/navit/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  # 'cvs' is only for the autogen
  buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa
--- a/pkgs/applications/misc/posterazor/default.nix
+++ b/pkgs/applications/misc/posterazor/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];
--- a/pkgs/applications/misc/sdcv/default.nix
+++ b/pkgs/applications/misc/sdcv/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
    sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patches = ( if stdenv.isDarwin
              then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]
--- a/pkgs/applications/misc/tasknc/default.nix
+++ b/pkgs/applications/misc/tasknc/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  #
  # I know this is ugly, but the Makefile does strange things in this package,
--- a/pkgs/applications/misc/vym/default.nix
+++ b/pkgs/applications/misc/vym/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ pkgconfig qt4 ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configurePhase = ''
    qmake PREFIX="$out"
--- a/pkgs/applications/misc/wordnet/default.nix
+++ b/pkgs/applications/misc/wordnet/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation {
  buildInputs = [tcl tk xlibsWrapper makeWrapper];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patchPhase = ''
    sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c
--- a/pkgs/applications/networking/browsers/vimprobable2/default.nix
+++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  installFlags = "PREFIX=/ DESTDIR=$(out)";
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
    ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
  '';
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
    + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
--- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix
+++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix
@ -19,7 +19,7 @@ stdenv.mkDerivation {
  dontDisableStatic = true;
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configureFlags = "--with-ncurses=${ncurses}";
--- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix
+++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
  configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro";
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildInputs = [
    qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz
--- a/pkgs/applications/networking/iptraf-ng/default.nix
+++ b/pkgs/applications/networking/iptraf-ng/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
                --localstatedir=$out/var --sbindir=$out/bin
  '';
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = {
    description = "A console-based network monitoring utility (fork of iptraf)";
--- a/pkgs/applications/networking/mailreaders/alpine/default.nix
+++ b/pkgs/applications/networking/mailreaders/alpine/default.nix
@ -18,8 +18,7 @@ stdenv.mkDerivation {
    ncurses tcl openssl pam kerberos openldap
  ];
-  hardening_format = false;
+  hardeningDisable = [ "format" "fortify" ];
  hardening_fortify = false;
  configureFlags = [
    "--with-ssl-include-dir=${openssl}/include/openssl"
--- a/pkgs/applications/networking/mailreaders/realpine/default.nix
+++ b/pkgs/applications/networking/mailreaders/realpine/default.nix
@ -18,7 +18,7 @@ stdenv.mkDerivation {
    ncurses tcl openssl pam kerberos openldap
  ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configureFlags = [
    "--with-ssl-include-dir=${openssl}/include/openssl"
--- a/pkgs/applications/networking/remote/ssvnc/default.nix
+++ b/pkgs/applications/networking/remote/ssvnc/default.nix
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
  configurePhase = "makeFlags=PREFIX=$out";
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  postInstall = ''
    sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl
--- a/pkgs/applications/science/electronics/caneda/default.nix
+++ b/pkgs/applications/science/electronics/caneda/default.nix
@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
    sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildInputs = [ cmake qt4 libxml2 libxslt ];
--- a/pkgs/applications/science/geometry/drgeo/default.nix
+++ b/pkgs/applications/science/geometry/drgeo/default.nix
@ -5,7 +5,7 @@ stdenv.mkDerivation rec {
  name = "drgeo-${version}";
  version = "1.1.0";
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  src = fetchurl {
    url = "mirror://sourceforge/ofset/${name}.tar.gz";
--- a/pkgs/applications/science/logic/ltl2ba/default.nix
+++ b/pkgs/applications/science/logic/ltl2ba/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  preConfigure = ''
    substituteInPlace Makefile \
--- a/pkgs/applications/science/logic/otter/default.nix
+++ b/pkgs/applications/science/logic/otter/default.nix
@ -18,7 +18,7 @@ stdenv.mkDerivation {
    inherit (s) url sha256;
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildPhase = ''
    find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g"
--- a/pkgs/applications/science/logic/prover9/default.nix
+++ b/pkgs/applications/science/logic/prover9/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation {
    sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patchPhase = ''
    RM=$(type -tp rm)
--- a/pkgs/applications/science/math/cbc/default.nix
+++ b/pkgs/applications/science/math/cbc/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation {
  enableParallelBuilding = true;
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildInputs = [ zlib bzip2 ];
--- a/pkgs/applications/science/math/perseus/default.nix
+++ b/pkgs/applications/science/math/perseus/default.nix
@ -5,7 +5,7 @@ stdenv.mkDerivation {
  version = "4-beta";
  buildInputs = [unzip gcc48];
-  hardening_stackprotector = false;
+  hardeningDisable = [ "stackprotector" ];
  src = fetchurl {
    url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip";
--- a/pkgs/applications/science/math/qalculate-gtk/default.nix
+++ b/pkgs/applications/science/math/qalculate-gtk/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  nativeBuildInputs = [ intltool pkgconfig ];
  buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ];
--- a/pkgs/applications/science/math/yacas/default.nix
+++ b/pkgs/applications/science/math/yacas/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  # Perl is only for the documentation
  nativeBuildInputs = [ perl ];
--- a/pkgs/applications/version-management/cvs/default.nix
+++ b/pkgs/applications/version-management/cvs/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation {
  patches = [ ./getcwd-chroot.patch ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  preConfigure = ''
    # Apply the Debian patches.
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@ -21,7 +21,7 @@ stdenv.mkDerivation {
    sha256 = "1zkbdmh5gvxalr8l1cwnirqq5raijmp2d0s36s6qabrlvqvq2yj7";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patches = [
    ./docbook2texi.patch
--- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
  buildInputs = [qt libXext libX11];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configurePhase = "qmake PREFIX=$out";
--- a/pkgs/applications/version-management/redmine/default.nix
+++ b/pkgs/applications/version-management/redmine/default.nix
@ -11,7 +11,7 @@ in stdenv.mkDerivation rec {
    sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports
  # needed to separate run-time and build-time directories
--- a/pkgs/applications/video/aegisub/default.nix
+++ b/pkgs/applications/video/aegisub/default.nix
@ -43,8 +43,7 @@ stdenv.mkDerivation rec {
  enableParallelBuilding = true;
-  hardening_bindnow = false;
+  hardeningDisable = [ "bindnow" "relro" ];
  hardening_relro = false;
  postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub";
--- a/pkgs/applications/virtualization/OVMF/default.nix
+++ b/pkgs/applications/virtualization/OVMF/default.nix
@ -17,9 +17,7 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" {
  # TODO: properly include openssl for secureBoot
  buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ];
-  hardening_stackprotector = false;
+  hardeningDisable = [ "stackprotector" "pic" "fortify" ];
  hardening_pic = false;
  hardening_fortify = false;
  unpackPhase = ''
    for file in \
--- a/pkgs/applications/virtualization/bochs/default.nix
+++ b/pkgs/applications/virtualization/bochs/default.nix
@ -146,7 +146,7 @@ stdenv.mkDerivation rec {
  NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/";
  NIX_LDFLAGS="-L${libtool}/lib";
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = with stdenv.lib; {
    description = "An open-source IA-32 (x86) PC emulator";
--- a/pkgs/applications/virtualization/cbfstool/default.nix
+++ b/pkgs/applications/virtualization/cbfstool/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ iasl flex bison ];
-  hardening_fortify = false;
+  hardeningDisable = [ "fortify" ];
  buildPhase = ''
    export LEX=${flex}/bin/flex
--- a/pkgs/applications/virtualization/seabios/default.nix
+++ b/pkgs/applications/virtualization/seabios/default.nix
@ -12,8 +12,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ iasl python ];
-  hardening_pic = false;
+  hardeningDisable = [ "pic" "stackprotector" ];
  hardening_stackprotector = false;
  configurePhase = ''
    # build SeaBIOS for CSM
--- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
+++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
@ -17,7 +17,7 @@ stdenv.mkDerivation {
  KERN_DIR = "${kernel.dev}/lib/modules/*/build";
-  hardening_pic = false;
+  hardeningDisable = [ "pic" ];
  buildInputs = [ patchelf cdrkit makeWrapper dbus ];
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@ -75,9 +75,7 @@ stdenv.mkDerivation {
  pythonPath = [ pythonPackages.curses ];
-  hardening_stackprotector = false;
+  hardeningDisable = [ "stackprotector" "fortify" "pic" ];
  hardening_fortify = false;
  hardening_pic = false;
  patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
--- a/pkgs/applications/window-managers/stalonetray/default.nix
+++ b/pkgs/applications/window-managers/stalonetray/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ libX11 xproto ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = with stdenv.lib; {
    description = "Stand alone tray";
--- a/pkgs/build-support/cc-wrapper/add-hardening
+++ b/pkgs/build-support/cc-wrapper/add-hardening
@ -0,0 +1,41 @@
 hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
 hardeningFlags+=("${hardeningEnable[@]}")
 hardeningCFlags=()
 hardeningLDFlags=()
 if [[ ! $hardeningDisable == "all" ]]; then
  for flag in "${hardeningFlags[@]}"
  do
    if [[ ! "$hardeningDisable" =~ "$flag" ]]; then
      case $flag in
        fortify)
          hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
          ;;
        stackprotector)
          hardeningCFlags+=('-fstack-protector-strong')
          ;;
        pie)
          hardeningCFlags+=('-fPIE' '-pie')
          ;;
        pic)
          hardeningCFlags+=('-fPIC')
          ;;
        strictoverflow)
          hardeningCFlags+=('-fno-strict-overflow')
          ;;
        format)
          hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
          ;;
        relro)
          hardeningLDFlags+=('-z relro')
          ;;
        bindnow)
          hardeningLDFlags+=('-z now')
          ;;
        *)
          echo "Hardening flag unknown: $flag"
          ;;
      esac
    fi
  done
 fi
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@ -56,7 +56,6 @@ if [ "$nonFlagArgs" = 0 ]; then
    dontLink=1
 fi
 # Optionally filter out paths not refering to the store.
 params=("$@")
 if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
@ -90,16 +89,17 @@ if [[ "@prog@" = *++ ]]; then
    fi
 fi
-# Add the flags for the C compiler proper.
+source @out@/nix-support/add-hardening.sh
 extraAfter=($NIX_CFLAGS_COMPILE)
 extraBefore=()
 # Add the flags for the C compiler proper.
 extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
 extraBefore=()
 if [ "$dontLink" != 1 ]; then
    # Add the flags that should only be passed to the compiler when
    # linking.
-    extraAfter+=($NIX_CFLAGS_LINK)
+    extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
    # Add the flags that should be passed to the linker (and prevent
    # `ld-wrapper' from adding NIX_LDFLAGS again).
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@ -234,6 +234,7 @@ stdenv.mkDerivation {
      rm $out/nix-support/setup-hook.tmp
      substituteAll ${./add-flags} $out/nix-support/add-flags.sh
      cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
      cp -p ${./utils.sh} $out/nix-support/utils.sh
    ''
    + extraBuildCommands;
--- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@ -47,8 +47,9 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
    params=("${rest[@]}")
 fi
 source @out@/nix-support/add-hardening.sh
-extra=()
+extra=(${hardeningLDFlags[@]})
 extraBefore=()
 if [ -z "$NIX_LDFLAGS_SET" ]; then
@ -56,7 +57,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then
    extraBefore+=($NIX_LDFLAGS_BEFORE)
 fi
-extra+=($NIX_LDFLAGS_AFTER)
+extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
 # Add all used dynamic libraries to the rpath.
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patches = [ ./glib.patch ./cups_1.6.patch ];
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
@ -11,5 +11,5 @@ stdenv.mkDerivation {
  buildInputs = [ pkgconfig gtk gettext ];
  propagatedBuildInputs = [ libxml2 ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 }
--- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix
+++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix
@ -17,7 +17,7 @@ in stdenv.mkDerivation rec {
    "--enable-gi-system-install=no"
  ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  enableParallelBuilding = true;
--- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
+++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
@ -8,7 +8,7 @@ kde {
  nativeBuildInputs = [ cmake ];
-  hardening_all = false;
+  hardeningDisable = [ "all" ];
  # The patch is not ready for upstream submmission.
  # I should add an option() instead.
--- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
+++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = {
    homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}";
--- a/pkgs/development/compilers/clean/default.nix
+++ b/pkgs/development/compilers/clean/default.nix
@ -14,8 +14,7 @@ stdenv.mkDerivation rec {
    })
    else throw "Architecture not supported";
-  hardening_format = false;
+  hardeningDisable = [ "format" "pic" ];
  hardening_pic = false;
  # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild
  # and for chroot builds all of the library files will have equal timestamps.  This
--- a/pkgs/development/compilers/dev86/default.nix
+++ b/pkgs/development/compilers/dev86/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation {
    sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  makeFlags = "PREFIX=$(out)";
--- a/pkgs/development/compilers/ecl/default.nix
+++ b/pkgs/development/compilers/ecl/default.nix
@ -38,7 +38,7 @@ stdenv.mkDerivation {
      "--enable-unicode")
    ;
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  postInstall = ''
    sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config
--- a/pkgs/development/compilers/edk2/default.nix
+++ b/pkgs/development/compilers/edk2/default.nix
@ -22,8 +22,7 @@ edk2 = stdenv.mkDerivation {
  makeFlags = "-C BaseTools";
-  hardening_fortify = false;
+  hardeningDisable = [ "format" "fortify" ];
  hardening_format = false;
  installPhase = ''
    mkdir -vp $out
--- a/pkgs/development/compilers/gcc/4.3/default.nix
+++ b/pkgs/development/compilers/gcc/4.3/default.nix
@ -95,8 +95,7 @@ stdenv.mkDerivation ({
    ++ (optionals langVhdl [gnat])
    ;
-  hardening_format = false;
+  hardeningDisable = [ "format" "stackprotector" ];
  hardening_stackprotector = false;
  configureFlags = "
    ${if enableMultilib then "" else "--disable-multilib"}
--- a/pkgs/development/compilers/gcc/4.4/default.nix
+++ b/pkgs/development/compilers/gcc/4.4/default.nix
@ -103,7 +103,7 @@ stdenv.mkDerivation ({
    inherit langC langCC langFortran langJava langAda;
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  patches =
    [ ./pass-cxxcpp.patch
--- a/pkgs/development/compilers/gcc/4.5/default.nix
+++ b/pkgs/development/compilers/gcc/4.5/default.nix
@ -134,8 +134,7 @@ stdenv.mkDerivation ({
    inherit langC langCC langFortran langJava langAda;
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all";
  hardening_all = name != "gnat";
  patches =
    [ ]
--- a/pkgs/development/compilers/gcc/4.6/default.nix
+++ b/pkgs/development/compilers/gcc/4.6/default.nix
@ -189,7 +189,7 @@ stdenv.mkDerivation ({
  inherit patches enableMultilib;
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  postPatch =
    if (stdenv.isGNU
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@ -218,7 +218,7 @@ stdenv.mkDerivation ({
  inherit patches;
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  postPatch =
    if (stdenv.isGNU
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@ -220,9 +220,8 @@ stdenv.mkDerivation ({
  inherit patches;
-  # FIXME needs gcc 4.9 in bootstrap tools
+  # FIXME stackprotector needs gcc 4.9 in bootstrap tools
-  hardening_stackprotector = false;
+  hardeningDisable = [ "format" "stackprotector" ];
  hardening_format = false;
  postPatch =
    if (stdenv.isGNU
--- a/pkgs/development/compilers/gcc/5/default.nix
+++ b/pkgs/development/compilers/gcc/5/default.nix
@ -216,7 +216,7 @@ stdenv.mkDerivation ({
    sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq";
  };
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  inherit patches;
--- a/pkgs/development/compilers/gcl/default.nix
+++ b/pkgs/development/compilers/gcl/default.nix
@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
    "--enable-ansi"
  ];
-  hardening_pic = false;
+  hardeningDisable = [ "pic" ];
  meta = {
    description = "GNU Common Lisp compiler working via GCC";
--- a/pkgs/development/compilers/ghc/6.10.4.nix
+++ b/pkgs/development/compilers/ghc/6.10.4.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ghc libedit perl gmp];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configureFlags = [
    "--with-gmp-libraries=${gmp}/lib"
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ pcre ];
  propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
-  hardening_all = false;
+  hardeningDisable = [ "all" ];
  # I'm not sure what go wants from its 'src', but the go installation manual
  # describes an installation keeping the src.
--- a/pkgs/development/compilers/go/1.5.nix
+++ b/pkgs/development/compilers/go/1.5.nix
@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
    Security Foundation
  ];
-  hardening_all = false;
+  hardeningDisable = [ "all" ];
  # I'm not sure what go wants from its 'src', but the go installation manual
  # describes an installation keeping the src.
--- a/pkgs/development/compilers/go/1.6.nix
+++ b/pkgs/development/compilers/go/1.6.nix
@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
    Security Foundation
  ];
-  hardening_all = false;
+  hardeningDisable = [ "all" ];
  # I'm not sure what go wants from its 'src', but the go installation manual
  # describes an installation keeping the src.
--- a/pkgs/development/compilers/mkcl/default.nix
+++ b/pkgs/development/compilers/mkcl/default.nix
@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ makeWrapper ];
  propagatedBuildInputs = [ gmp ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configureFlags = [
    "GMP_CFLAGS=-I${gmp}/include"
--- a/pkgs/development/compilers/squeak/default.nix
+++ b/pkgs/development/compilers/squeak/default.nix
@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
  enableParallelBuilding = true;
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  meta = with stdenv.lib; {
    description = "Smalltalk programming language and environment";
--- a/pkgs/development/compilers/swi-prolog/default.nix
+++ b/pkgs/development/compilers/swi-prolog/default.nix
@ -17,7 +17,7 @@ stdenv.mkDerivation {
  buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama
    libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  configureFlags = "--with-world --enable-gmp --enable-shared";
--- a/pkgs/development/compilers/teyjus/default.nix
+++ b/pkgs/development/compilers/teyjus/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation {
  buildInputs = [ omake ocaml flex bison ];
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  buildPhase = "omake all";
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@ -41,11 +41,9 @@ self: super: {
  options_1_2 = dontCheck super.options_1_2;
  options = dontCheck super.options;
  statistics = dontCheck super.statistics;
-  c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: {
+  c2hs = dontCheck super.c2hs;
-    hardening_format = false;
+  epanet-haskell = super.epanet-haskell.overrideDerivation (drv: {
-  });
+    hardeningDisable = [ "format" ];
  epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: {
    hardening_format = false;
  });
  # The package doesn't compile with ruby 1.9, which is our default at the moment.
@ -244,9 +242,7 @@ self: super: {
  gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib;
  gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib;
  gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib;
-  glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: {
+  glib = addPkgconfigDepend super.glib pkgs.glib;
     hardening_fortify = false;
  });
  gtk3 = super.gtk3.override { inherit (pkgs) gtk3; };
  gtk = addPkgconfigDepend super.gtk pkgs.gtk;
  gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; };
--- a/pkgs/development/interpreters/clisp/2.44.1.nix
+++ b/pkgs/development/interpreters/clisp/2.44.1.nix
@ -45,7 +45,7 @@ stdenv.mkDerivation rec {
  NIX_CFLAGS_COMPILE="-O0";
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  # TODO : make mod-check fails
  doCheck = false;
--- a/pkgs/development/interpreters/erlang/R14.nix
+++ b/pkgs/development/interpreters/erlang/R14.nix
@ -22,7 +22,7 @@ stdenv.mkDerivation {
  configureFlags = "--with-ssl=${openssl}";
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
  postInstall = let
    manpages = fetchurl {
--- a/pkgs/development/interpreters/lush/default.nix
+++ b/pkgs/development/interpreters/lush/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
    intltool gettext zlib
  ];
-  hardening_pic = false;
+  hardeningDisable = [ "pic" ];
  NIX_LDFLAGS=" -lz ";
--- a/pkgs/development/interpreters/perl/default.nix
+++ b/pkgs/development/interpreters/perl/default.nix
@ -72,7 +72,7 @@ let
    enableParallelBuilding = true;
    # FIXME needs gcc 4.9 in bootstrap tools
-    hardening_stackprotector = false;
+    hardeningDisable = [ "stackprotector" ];
    preConfigure =
      ''
--- a/Show More
+++ b/Show More