Use general hardening flag toggle lists

The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
This commit is contained in:
Franz Pletz 2016-02-26 18:38:15 +01:00
parent a2e449e43e
commit aff1f4ab94
309 changed files with 366 additions and 373 deletions


@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
};
hardening_format = false;
hardeningDisable = [ "format" ];
buildInputs = [ qt4 alsaLib libjack2 ];


@ -10,7 +10,7 @@ stdenv.mkDerivation {
sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
};
hardening_format = false;
hardeningDisable = [ "format" ];
configurePhase = ''
cd mp4v2


@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
};
hardening_format = false;
hardeningDisable = [ "format" ];
preConfigure = "unset CC";


@ -16,7 +16,7 @@ stdenv.mkDerivation {
enableParallelBuilding = true;
hardening_format = false;
hardeningDisable = [ "format" ];
src = fetchurl {
url = mirror://sourceforge/csound/Csound6.04.tar.gz;


@ -19,7 +19,7 @@ stdenv.mkDerivation {
patches = [ ./am_path_sdl.patch ./xml.patch ];
hardening_format = false;
hardeningDisable = [ "format" ];
meta = {
description = "A live looping instrument with JACK and MIDI support";


@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
cp jack_capture $out/bin/
'';
hardening_format = false;
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "A program for recording soundfiles with jack";


@ -8,7 +8,7 @@ stdenv.mkDerivation {
sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
};
hardening_format = false;
hardeningDisable = [ "format" ];
buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];


@ -21,7 +21,7 @@ stdenv.mkDerivation {
sourceRoot=".";
hardening_format = false;
hardeningDisable = [ "format" ];
buildPhase = "./cc";
installPhase = ''


@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
buildInputs = [ ncurses pkgconfig gtk ];
hardening_format = false;
hardeningDisable = [ "format" ];
configurePhase =
'' sed -i Makefile \


@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
install -Dv mp3val "$out/bin/mp3val"
'';
hardening_fortify = false;
hardeningDisable = [ "fortify" ];
meta = {
description = "A tool for validating and repairing MPEG audio streams";


@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
};
hardening_format = false;
hardeningDisable = [ "format" ];
configureFlags = [
("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))


@ -13,8 +13,7 @@ stdenv.mkDerivation rec {
sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw";
};
hardening_bindnow = false;
hardening_relro = false;
hardeningDisable = [ "relro" "bindnow" ];
makeFlags = [
"PREFIX=$(out)"


@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
buildInputs = [ puredata ];
hardening_format = false;
hardeningDisable = [ "format" ];
patchPhase = ''
for file in `grep -r -l g_canvas.h`


@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
buildInputs = [ puredata ];
hardening_format = false;
hardeningDisable = [ "format" ];
patchPhase = ''
for i in ${puredata}/include/pd/*; do


@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
buildInputs = [ puredata ];
hardening_format = false;
hardeningDisable = [ "format" ];
patchPhase = ''
for D in net osc


@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
};
hardening_format = false;
hardeningDisable = [ "format" ];
patches = [ ./fltk-path.patch ];


@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
nativeBuildInputs = [ cmake pkgconfig ];
hardening_format = false;
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "High quality software synthesizer";


@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
ncurses
];
hardening_format = false;
hardeningDisable = [ "format" ];
meta = with lib; {
description = "File editor/viewer/analyzer for executables";


@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
buildInputs = [ intltool pkgconfig gtk ];
hardening_format = false;
hardeningDisable = [ "format" ];
configureFlags = [
"--enable-chooser"


@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
];
hardening_format = false;
hardeningDisable = [ "format" ];
patches = [ ./install.patch ];


@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly";
};
hardening_format = false;
hardeningDisable = [ "format" ];
prePatch = ''
sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl


@ -15,7 +15,7 @@ stdenv.mkDerivation {
buildInputs = [pkgconfig gtk libpng];
hardening_format = false;
hardeningDisable = [ "format" ];
meta = {
description = "A fast image viewer";


@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
patches = [ ./include-unistd.diff ];
hardening_format = false;
hardeningDisable = [ "format" ];
buildPhase = ''
mkdir -p "$out/include"


@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
hardening_format = false;
hardeningDisable = [ "format" ];
configurePhase = ''
export CPATH="${ilmbase}/include/OpenEXR:$CPATH"


@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
hardening_format = false;
hardeningDisable = [ "format" ];
preConfigure = ''
./autogen.sh


@ -16,7 +16,7 @@ stdenv.mkDerivation {
nativeBuildInputs = [ imake makeWrapper ];
hardening_format = false;
hardeningDisable = [ "format" ];
NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11";


@ -46,7 +46,7 @@ stdenv.mkDerivation rec {
--set INFERNO_ROOT "$out/share/inferno"
'';
hardening_fortify = false;
hardeningDisable = [ "fortify" ];
meta = {
description = "A compact distributed operating system for building cross-platform distributed systems";


@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
buildInputs = [ pkgconfig gtk poppler ];
hardening_format = false;
hardeningDisable = [ "format" ];
patches = [ (fetchpatch {
name = "epdfview-0.1.8-glib2-headers.patch";


@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE];
hardening_format = false;
hardeningDisable = [ "format" ];
# Makefiles are patched to fix references to `/usr/X11R6' and to add
# `-lX11' to make sure libX11's store path is in the RPATH.


@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
libid3tag ncurses libtool ];
hardening_format = false;
hardeningDisable = [ "format" ];
meta = {
description = "GTK+-based audio CD player/ripper";


@ -31,7 +31,7 @@ in stdenv.mkDerivation rec {
openjpeg freetype jbig2dec djvulibre openssl ];
NIX_LDFLAGS = "-lX11 -lXext";
hardening_format = false;
hardeningDisable = [ "format" ];
k2_pa = ./k2pdfopt.patch;
tess_pa = ./tesseract.patch;


@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
};
hardening_format = false;
hardeningDisable = [ "format" ];
# 'cvs' is only for the autogen
buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa


@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
};
hardening_format = false;
hardeningDisable = [ "format" ];
buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];


@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
};
hardening_format = false;
hardeningDisable = [ "format" ];
patches = ( if stdenv.isDarwin
then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]


@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
};
hardening_format = false;
hardeningDisable = [ "format" ];
#
# I know this is ugly, but the Makefile does strange things in this package,


@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
buildInputs = [ pkgconfig qt4 ];
hardening_format = false;
hardeningDisable = [ "format" ];
configurePhase = ''
qmake PREFIX="$out"


@ -10,7 +10,7 @@ stdenv.mkDerivation {
buildInputs = [tcl tk xlibsWrapper makeWrapper];
hardening_format = false;
hardeningDisable = [ "format" ];
patchPhase = ''
sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c


@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
hardening_format = false;
hardeningDisable = [ "format" ];
installFlags = "PREFIX=/ DESTDIR=$(out)";


@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
'';
hardening_format = false;
hardeningDisable = [ "format" ];
configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
+ optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";


@ -19,7 +19,7 @@ stdenv.mkDerivation {
dontDisableStatic = true;
hardening_format = false;
hardeningDisable = [ "format" ];
configureFlags = "--with-ncurses=${ncurses}";


@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro";
hardening_format = false;
hardeningDisable = [ "format" ];
buildInputs = [
qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz


@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
--localstatedir=$out/var --sbindir=$out/bin
'';
hardening_format = false;
hardeningDisable = [ "format" ];
meta = {
description = "A console-based network monitoring utility (fork of iptraf)";


@ -18,8 +18,7 @@ stdenv.mkDerivation {
ncurses tcl openssl pam kerberos openldap
];
hardening_format = false;
hardening_fortify = false;
hardeningDisable = [ "format" "fortify" ];
configureFlags = [
"--with-ssl-include-dir=${openssl}/include/openssl"


@ -18,7 +18,7 @@ stdenv.mkDerivation {
ncurses tcl openssl pam kerberos openldap
];
hardening_format = false;
hardeningDisable = [ "format" ];
configureFlags = [
"--with-ssl-include-dir=${openssl}/include/openssl"


@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
configurePhase = "makeFlags=PREFIX=$out";
hardening_format = false;
hardeningDisable = [ "format" ];
postInstall = ''
sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl


@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8";
};
hardening_format = false;
hardeningDisable = [ "format" ];
buildInputs = [ cmake qt4 libxml2 libxslt ];


@ -5,7 +5,7 @@ stdenv.mkDerivation rec {
name = "drgeo-${version}";
version = "1.1.0";
hardening_format = false;
hardeningDisable = [ "format" ];
src = fetchurl {
url = "mirror://sourceforge/ofset/${name}.tar.gz";


@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6";
};
hardening_format = false;
hardeningDisable = [ "format" ];
preConfigure = ''
substituteInPlace Makefile \


@ -18,7 +18,7 @@ stdenv.mkDerivation {
inherit (s) url sha256;
};
hardening_format = false;
hardeningDisable = [ "format" ];
buildPhase = ''
find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g"


@ -8,7 +8,7 @@ stdenv.mkDerivation {
sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
};
hardening_format = false;
hardeningDisable = [ "format" ];
patchPhase = ''
RM=$(type -tp rm)


@ -12,7 +12,7 @@ stdenv.mkDerivation {
enableParallelBuilding = true;
hardening_format = false;
hardeningDisable = [ "format" ];
buildInputs = [ zlib bzip2 ];


@ -5,7 +5,7 @@ stdenv.mkDerivation {
version = "4-beta";
buildInputs = [unzip gcc48];
hardening_stackprotector = false;
hardeningDisable = [ "stackprotector" ];
src = fetchurl {
url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip";


@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4";
};
hardening_format = false;
hardeningDisable = [ "format" ];
nativeBuildInputs = [ intltool pkgconfig ];
buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ];


@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78";
};
hardening_format = false;
hardeningDisable = [ "format" ];
# Perl is only for the documentation
nativeBuildInputs = [ perl ];


@ -10,7 +10,7 @@ stdenv.mkDerivation {
patches = [ ./getcwd-chroot.patch ];
hardening_format = false;
hardeningDisable = [ "format" ];
preConfigure = ''
# Apply the Debian patches.


@ -21,7 +21,7 @@ stdenv.mkDerivation {
sha256 = "1zkbdmh5gvxalr8l1cwnirqq5raijmp2d0s36s6qabrlvqvq2yj7";
};
hardening_format = false;
hardeningDisable = [ "format" ];
patches = [
./docbook2texi.patch


@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
buildInputs = [qt libXext libX11];
hardening_format = false;
hardeningDisable = [ "format" ];
configurePhase = "qmake PREFIX=$out";


@ -11,7 +11,7 @@ in stdenv.mkDerivation rec {
sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0";
};
hardening_format = false;
hardeningDisable = [ "format" ];
# taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports
# needed to separate run-time and build-time directories


@ -43,8 +43,7 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
hardening_bindnow = false;
hardening_relro = false;
hardeningDisable = [ "bindnow" "relro" ];
postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub";


@ -17,9 +17,7 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" {
# TODO: properly include openssl for secureBoot
buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ];
hardening_stackprotector = false;
hardening_pic = false;
hardening_fortify = false;
hardeningDisable = [ "stackprotector" "pic" "fortify" ];
unpackPhase = ''
for file in \


@ -146,7 +146,7 @@ stdenv.mkDerivation rec {
NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/";
NIX_LDFLAGS="-L${libtool}/lib";
hardening_format = false;
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "An open-source IA-32 (x86) PC emulator";


@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
buildInputs = [ iasl flex bison ];
hardening_fortify = false;
hardeningDisable = [ "fortify" ];
buildPhase = ''
export LEX=${flex}/bin/flex


@ -12,8 +12,7 @@ stdenv.mkDerivation rec {
buildInputs = [ iasl python ];
hardening_pic = false;
hardening_stackprotector = false;
hardeningDisable = [ "pic" "stackprotector" ];
configurePhase = ''
# build SeaBIOS for CSM


@ -17,7 +17,7 @@ stdenv.mkDerivation {
KERN_DIR = "${kernel.dev}/lib/modules/*/build";
hardening_pic = false;
hardeningDisable = [ "pic" ];
buildInputs = [ patchelf cdrkit makeWrapper dbus ];


@ -75,9 +75,7 @@ stdenv.mkDerivation {
pythonPath = [ pythonPackages.curses ];
hardening_stackprotector = false;
hardening_fortify = false;
hardening_pic = false;
hardeningDisable = [ "stackprotector" "fortify" "pic" ];
patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;


@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
buildInputs = [ libX11 xproto ];
hardening_format = false;
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "Stand alone tray";


@ -0,0 +1,41 @@
hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
hardeningFlags+=("${hardeningEnable[@]}")
hardeningCFlags=()
hardeningLDFlags=()
if [[ ! $hardeningDisable == "all" ]]; then
for flag in "${hardeningFlags[@]}"
do
if [[ ! "$hardeningDisable" =~ "$flag" ]]; then
case $flag in
fortify)
hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
;;
stackprotector)
hardeningCFlags+=('-fstack-protector-strong')
;;
pie)
hardeningCFlags+=('-fPIE' '-pie')
;;
pic)
hardeningCFlags+=('-fPIC')
;;
strictoverflow)
hardeningCFlags+=('-fno-strict-overflow')
;;
format)
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
;;
relro)
hardeningLDFlags+=('-z relro')
;;
bindnow)
hardeningLDFlags+=('-z now')
;;
*)
echo "Hardening flag unknown: $flag"
;;
esac
fi
done
fi
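Review bot: The `all` switch on `if [[ ! $hardeningDisable == "all" ]]; then` only fires when the list is exactly `all`, so a combined list like the gcc hunk's `hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all";` arrives as `format all` and leaves every flag except `format` enabled. The per-flag check on the next line is a quoted-pattern substring match, which is fine for the current names but will misfire as soon as one flag name is contained in another or in a `hardeningEnable` entry. Both become exact word matches with `if [[ " $hardeningDisable " != *" all "* ]]; then` and `if [[ " $hardeningDisable " != *" $flag "* ]]; then`. Separately, `hardeningDisable` is read as a scalar string while `hardeningEnable` is expanded as an array on the second line; if both are exported the same way from the derivation attributes, a multi-entry `hardeningEnable` would arrive as one element and fall through to the unknown-flag branch, which is worth confirming.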


@ -56,7 +56,6 @@ if [ "$nonFlagArgs" = 0 ]; then
dontLink=1
fi
# Optionally filter out paths not refering to the store.
params=("$@")
if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
@ -90,16 +89,17 @@ if [[ "@prog@" = *++ ]]; then
fi
fi
# Add the flags for the C compiler proper.
extraAfter=($NIX_CFLAGS_COMPILE)
extraBefore=()
source @out@/nix-support/add-hardening.sh
# Add the flags for the C compiler proper.
extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
extraBefore=()
if [ "$dontLink" != 1 ]; then
# Add the flags that should only be passed to the compiler when
# linking.
extraAfter+=($NIX_CFLAGS_LINK)
extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
# Add the flags that should be passed to the linker (and prevent
# `ld-wrapper' from adding NIX_LDFLAGS again).
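Review bot: In `extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})` the hardening flags follow the package's own `NIX_CFLAGS_COMPILE`, so the `-O2` that `fortify` contributes wins over a package-level `-O0` (a later hunk in this commit sets `NIX_CFLAGS_COMPILE="-O0"` while disabling only `format`). If package flags are meant to take precedence, `extraAfter=(${hardeningCFlags[@]} $NIX_CFLAGS_COMPILE)` gives them the last word; otherwise a comment on this line stating that hardening flags deliberately override package flags would keep the next reader from "fixing" it. The link line `extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})` and the ld-wrapper hunk's `extra=(${hardeningLDFlags[@]})` add the same linker flags, so when gcc drives the link they presumably reach `ld` twice; harmless for `-z relro`/`-z now` but worth deduplicating. Note also that these unquoted expansions rely on word splitting to turn the single array element `'-z relro'` into two arguments. The enclosing `if [ "$dontLink" != 1 ]` block continues outside the hunk.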


@ -234,6 +234,7 @@ stdenv.mkDerivation {
rm $out/nix-support/setup-hook.tmp
substituteAll ${./add-flags} $out/nix-support/add-flags.sh
cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
cp -p ${./utils.sh} $out/nix-support/utils.sh
''
+ extraBuildCommands;


@ -47,8 +47,9 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
params=("${rest[@]}")
fi
source @out@/nix-support/add-hardening.sh
extra=()
extra=(${hardeningLDFlags[@]})
extraBefore=()
if [ -z "$NIX_LDFLAGS_SET" ]; then
@ -56,7 +57,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then
extraBefore+=($NIX_LDFLAGS_BEFORE)
fi
extra+=($NIX_LDFLAGS_AFTER)
extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
# Add all used dynamic libraries to the rpath.
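Review bot: `extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)` appends a variable that nothing in this commit sets, so it is either a leftover from an earlier design or an undocumented contract. If it is dead, drop it; if some builder is expected to export it, a comment on that line naming the producer would make the contract visible. The surrounding wrapper script continues outside both hunks.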


@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
};
hardening_format = false;
hardeningDisable = [ "format" ];
patches = [ ./glib.patch ./cups_1.6.patch ];


@ -11,5 +11,5 @@ stdenv.mkDerivation {
buildInputs = [ pkgconfig gtk gettext ];
propagatedBuildInputs = [ libxml2 ];
hardening_format = false;
hardeningDisable = [ "format" ];
}


@ -17,7 +17,7 @@ in stdenv.mkDerivation rec {
"--enable-gi-system-install=no"
];
hardening_format = false;
hardeningDisable = [ "format" ];
enableParallelBuilding = true;


@ -8,7 +8,7 @@ kde {
nativeBuildInputs = [ cmake ];
hardening_all = false;
hardeningDisable = [ "all" ];
# The patch is not ready for upstream submmission.
# I should add an option() instead.


@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ];
hardening_format = false;
hardeningDisable = [ "format" ];
meta = {
homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}";


@ -14,8 +14,7 @@ stdenv.mkDerivation rec {
})
else throw "Architecture not supported";
hardening_format = false;
hardening_pic = false;
hardeningDisable = [ "format" "pic" ];
# clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild
# and for chroot builds all of the library files will have equal timestamps. This


@ -8,7 +8,7 @@ stdenv.mkDerivation {
sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
};
hardening_format = false;
hardeningDisable = [ "format" ];
makeFlags = "PREFIX=$(out)";


@ -38,7 +38,7 @@ stdenv.mkDerivation {
"--enable-unicode")
;
hardening_format = false;
hardeningDisable = [ "format" ];
postInstall = ''
sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config


@ -22,8 +22,7 @@ edk2 = stdenv.mkDerivation {
makeFlags = "-C BaseTools";
hardening_fortify = false;
hardening_format = false;
hardeningDisable = [ "format" "fortify" ];
installPhase = ''
mkdir -vp $out


@ -95,8 +95,7 @@ stdenv.mkDerivation ({
++ (optionals langVhdl [gnat])
;
hardening_format = false;
hardening_stackprotector = false;
hardeningDisable = [ "format" "stackprotector" ];
configureFlags = "
${if enableMultilib then "" else "--disable-multilib"}


@ -103,7 +103,7 @@ stdenv.mkDerivation ({
inherit langC langCC langFortran langJava langAda;
};
hardening_format = false;
hardeningDisable = [ "format" ];
patches =
[ ./pass-cxxcpp.patch


@ -134,8 +134,7 @@ stdenv.mkDerivation ({
inherit langC langCC langFortran langJava langAda;
};
hardening_format = false;
hardening_all = name != "gnat";
hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all";
patches =
[ ]


@ -189,7 +189,7 @@ stdenv.mkDerivation ({
inherit patches enableMultilib;
hardening_format = false;
hardeningDisable = [ "format" ];
postPatch =
if (stdenv.isGNU


@ -218,7 +218,7 @@ stdenv.mkDerivation ({
inherit patches;
hardening_format = false;
hardeningDisable = [ "format" ];
postPatch =
if (stdenv.isGNU


@ -220,9 +220,8 @@ stdenv.mkDerivation ({
inherit patches;
# FIXME needs gcc 4.9 in bootstrap tools
hardening_stackprotector = false;
hardening_format = false;
# FIXME stackprotector needs gcc 4.9 in bootstrap tools
hardeningDisable = [ "format" "stackprotector" ];
postPatch =
if (stdenv.isGNU


@ -216,7 +216,7 @@ stdenv.mkDerivation ({
sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq";
};
hardening_format = false;
hardeningDisable = [ "format" ];
inherit patches;


@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
"--enable-ansi"
];
hardening_pic = false;
hardeningDisable = [ "pic" ];
meta = {
description = "GNU Common Lisp compiler working via GCC";


@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
buildInputs = [ghc libedit perl gmp];
hardening_format = false;
hardeningDisable = [ "format" ];
configureFlags = [
"--with-gmp-libraries=${gmp}/lib"


@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
buildInputs = [ pcre ];
propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
hardening_all = false;
hardeningDisable = [ "all" ];
# I'm not sure what go wants from its 'src', but the go installation manual
# describes an installation keeping the src.


@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
Security Foundation
];
hardening_all = false;
hardeningDisable = [ "all" ];
# I'm not sure what go wants from its 'src', but the go installation manual
# describes an installation keeping the src.


@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
Security Foundation
];
hardening_all = false;
hardeningDisable = [ "all" ];
# I'm not sure what go wants from its 'src', but the go installation manual
# describes an installation keeping the src.


@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
buildInputs = [ makeWrapper ];
propagatedBuildInputs = [ gmp ];
hardening_format = false;
hardeningDisable = [ "format" ];
configureFlags = [
"GMP_CFLAGS=-I${gmp}/include"


@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
hardening_format = false;
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "Smalltalk programming language and environment";


@ -17,7 +17,7 @@ stdenv.mkDerivation {
buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama
libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ];
hardening_format = false;
hardeningDisable = [ "format" ];
configureFlags = "--with-world --enable-gmp --enable-shared";


@ -12,7 +12,7 @@ stdenv.mkDerivation {
buildInputs = [ omake ocaml flex bison ];
hardening_format = false;
hardeningDisable = [ "format" ];
buildPhase = "omake all";


@ -41,11 +41,9 @@ self: super: {
options_1_2 = dontCheck super.options_1_2;
options = dontCheck super.options;
statistics = dontCheck super.statistics;
c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: {
hardening_format = false;
});
epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: {
hardening_format = false;
c2hs = dontCheck super.c2hs;
epanet-haskell = super.epanet-haskell.overrideDerivation (drv: {
hardeningDisable = [ "format" ];
});
# The package doesn't compile with ruby 1.9, which is our default at the moment.
@ -244,9 +242,7 @@ self: super: {
gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib;
gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib;
gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib;
glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: {
hardening_fortify = false;
});
glib = addPkgconfigDepend super.glib pkgs.glib;
gtk3 = super.gtk3.override { inherit (pkgs) gtk3; };
gtk = addPkgconfigDepend super.gtk pkgs.gtk;
gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; };
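Review bot: The `glib` line `glib = addPkgconfigDepend super.glib pkgs.glib;` drops the previous `hardening_fortify = false` without a `hardeningDisable` replacement, and `c2hs = dontCheck super.c2hs;` likewise loses its format override while `epanet-haskell` in the same hunk keeps `[ "format" ]`; every other hunk in this commit is a one-to-one rename, so this is either an intentional re-enable of those checks or an oversight. If the packages now build with fortify and format hardening, a one-line comment saying so would stop a later reviewer from restoring the override; if not, `glib = (addPkgconfigDepend super.glib pkgs.glib).overrideDerivation (drv: { hardeningDisable = [ "fortify" ]; });` keeps the old behaviour in the same form the `epanet-haskell` line uses.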


@ -45,7 +45,7 @@ stdenv.mkDerivation rec {
NIX_CFLAGS_COMPILE="-O0";
hardening_format = false;
hardeningDisable = [ "format" ];
# TODO : make mod-check fails
doCheck = false;


@ -22,7 +22,7 @@ stdenv.mkDerivation {
configureFlags = "--with-ssl=${openssl}";
hardening_format = false;
hardeningDisable = [ "format" ];
postInstall = let
manpages = fetchurl {


@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
intltool gettext zlib
];
hardening_pic = false;
hardeningDisable = [ "pic" ];
NIX_LDFLAGS=" -lz ";


@ -72,7 +72,7 @@ let
enableParallelBuilding = true;
# FIXME needs gcc 4.9 in bootstrap tools
hardening_stackprotector = false;
hardeningDisable = [ "stackprotector" ];
preConfigure =
''
