mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-25 16:33:15 +00:00
Use general hardening flag toggle lists
The following parameters are now available: * hardeningDisable To disable specific hardening flags * hardeningEnable To enable specific hardening flags Only the cc-wrapper supports this right now, but these may be reused by other wrappers, builders or setup hooks. cc-wrapper supports the following flags: * fortify * stackprotector * pie (disabled by default) * pic * strictoverflow * format * relro * bindnow
This commit is contained in:
parent
a2e449e43e
commit
aff1f4ab94
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ qt4 alsaLib libjack2 ];
|
||||
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation {
|
||||
sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configurePhase = ''
|
||||
cd mp4v2
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = "unset CC";
|
||||
|
||||
|
@ -16,7 +16,7 @@ stdenv.mkDerivation {
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
src = fetchurl {
|
||||
url = mirror://sourceforge/csound/Csound6.04.tar.gz;
|
||||
|
@ -19,7 +19,7 @@ stdenv.mkDerivation {
|
||||
|
||||
patches = [ ./am_path_sdl.patch ./xml.patch ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "A live looping instrument with JACK and MIDI support";
|
||||
|
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
|
||||
cp jack_capture $out/bin/
|
||||
'';
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "A program for recording soundfiles with jack";
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation {
|
||||
sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
|
||||
|
||||
|
@ -21,7 +21,7 @@ stdenv.mkDerivation {
|
||||
|
||||
sourceRoot=".";
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildPhase = "./cc";
|
||||
installPhase = ''
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ ncurses pkgconfig gtk ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configurePhase =
|
||||
'' sed -i Makefile \
|
||||
|
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
|
||||
install -Dv mp3val "$out/bin/mp3val"
|
||||
'';
|
||||
|
||||
hardening_fortify = false;
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
meta = {
|
||||
description = "A tool for validating and repairing MPEG audio streams";
|
||||
|
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = [
|
||||
("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
|
||||
|
@ -13,8 +13,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw";
|
||||
};
|
||||
|
||||
hardening_bindnow = false;
|
||||
hardening_relro = false;
|
||||
hardeningDisable = [ "relro" "bindnow" ];
|
||||
|
||||
makeFlags = [
|
||||
"PREFIX=$(out)"
|
||||
|
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ puredata ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
for file in `grep -r -l g_canvas.h`
|
||||
|
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ puredata ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
for i in ${puredata}/include/pd/*; do
|
||||
|
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ puredata ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
for D in net osc
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ ./fltk-path.patch ];
|
||||
|
||||
|
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
|
||||
buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
|
||||
nativeBuildInputs = [ cmake pkgconfig ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "High quality software synthesizer";
|
||||
|
@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
|
||||
ncurses
|
||||
];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with lib; {
|
||||
description = "File editor/viewer/analyzer for executables";
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ intltool pkgconfig gtk ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = [
|
||||
"--enable-chooser"
|
||||
|
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
|
||||
libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
|
||||
];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ ./install.patch ];
|
||||
|
||||
|
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
prePatch = ''
|
||||
sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl
|
||||
|
@ -15,7 +15,7 @@ stdenv.mkDerivation {
|
||||
|
||||
buildInputs = [pkgconfig gtk libpng];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "A fast image viewer";
|
||||
|
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
patches = [ ./include-unistd.diff ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildPhase = ''
|
||||
mkdir -p "$out/include"
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configurePhase = ''
|
||||
export CPATH="${ilmbase}/include/OpenEXR:$CPATH"
|
||||
|
@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
./autogen.sh
|
||||
|
@ -16,7 +16,7 @@ stdenv.mkDerivation {
|
||||
|
||||
nativeBuildInputs = [ imake makeWrapper ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11";
|
||||
|
||||
|
@ -46,7 +46,7 @@ stdenv.mkDerivation rec {
|
||||
--set INFERNO_ROOT "$out/share/inferno"
|
||||
'';
|
||||
|
||||
hardening_fortify = false;
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
meta = {
|
||||
description = "A compact distributed operating system for building cross-platform distributed systems";
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ pkgconfig gtk poppler ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ (fetchpatch {
|
||||
name = "epdfview-0.1.8-glib2-headers.patch";
|
||||
|
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# Makefiles are patched to fix references to `/usr/X11R6' and to add
|
||||
# `-lX11' to make sure libX11's store path is in the RPATH.
|
||||
|
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
|
||||
buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
|
||||
libid3tag ncurses libtool ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "GTK+-based audio CD player/ripper";
|
||||
|
@ -31,7 +31,7 @@ in stdenv.mkDerivation rec {
|
||||
openjpeg freetype jbig2dec djvulibre openssl ];
|
||||
NIX_LDFLAGS = "-lX11 -lXext";
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
k2_pa = ./k2pdfopt.patch;
|
||||
tess_pa = ./tesseract.patch;
|
||||
|
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# 'cvs' is only for the autogen
|
||||
buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];
|
||||
|
||||
|
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = ( if stdenv.isDarwin
|
||||
then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]
|
||||
|
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
#
|
||||
# I know this is ugly, but the Makefile does strange things in this package,
|
||||
|
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ pkgconfig qt4 ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configurePhase = ''
|
||||
qmake PREFIX="$out"
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation {
|
||||
|
||||
buildInputs = [tcl tk xlibsWrapper makeWrapper];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c
|
||||
|
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
installFlags = "PREFIX=/ DESTDIR=$(out)";
|
||||
|
||||
|
@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
|
||||
ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
|
||||
'';
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
|
||||
+ optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
|
||||
|
@ -19,7 +19,7 @@ stdenv.mkDerivation {
|
||||
|
||||
dontDisableStatic = true;
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = "--with-ncurses=${ncurses}";
|
||||
|
||||
|
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro";
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [
|
||||
qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz
|
||||
|
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
|
||||
--localstatedir=$out/var --sbindir=$out/bin
|
||||
'';
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "A console-based network monitoring utility (fork of iptraf)";
|
||||
|
@ -18,8 +18,7 @@ stdenv.mkDerivation {
|
||||
ncurses tcl openssl pam kerberos openldap
|
||||
];
|
||||
|
||||
hardening_format = false;
|
||||
hardening_fortify = false;
|
||||
hardeningDisable = [ "format" "fortify" ];
|
||||
|
||||
configureFlags = [
|
||||
"--with-ssl-include-dir=${openssl}/include/openssl"
|
||||
|
@ -18,7 +18,7 @@ stdenv.mkDerivation {
|
||||
ncurses tcl openssl pam kerberos openldap
|
||||
];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = [
|
||||
"--with-ssl-include-dir=${openssl}/include/openssl"
|
||||
|
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
configurePhase = "makeFlags=PREFIX=$out";
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
postInstall = ''
|
||||
sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl
|
||||
|
@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ cmake qt4 libxml2 libxslt ];
|
||||
|
||||
|
@ -5,7 +5,7 @@ stdenv.mkDerivation rec {
|
||||
name = "drgeo-${version}";
|
||||
version = "1.1.0";
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://sourceforge/ofset/${name}.tar.gz";
|
||||
|
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
substituteInPlace Makefile \
|
||||
|
@ -18,7 +18,7 @@ stdenv.mkDerivation {
|
||||
inherit (s) url sha256;
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildPhase = ''
|
||||
find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g"
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation {
|
||||
sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
RM=$(type -tp rm)
|
||||
|
@ -12,7 +12,7 @@ stdenv.mkDerivation {
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ zlib bzip2 ];
|
||||
|
||||
|
@ -5,7 +5,7 @@ stdenv.mkDerivation {
|
||||
version = "4-beta";
|
||||
buildInputs = [unzip gcc48];
|
||||
|
||||
hardening_stackprotector = false;
|
||||
hardeningDisable = [ "stackprotector" ];
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip";
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
nativeBuildInputs = [ intltool pkgconfig ];
|
||||
buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ];
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# Perl is only for the documentation
|
||||
nativeBuildInputs = [ perl ];
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation {
|
||||
|
||||
patches = [ ./getcwd-chroot.patch ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
# Apply the Debian patches.
|
||||
|
@ -21,7 +21,7 @@ stdenv.mkDerivation {
|
||||
sha256 = "1zkbdmh5gvxalr8l1cwnirqq5raijmp2d0s36s6qabrlvqvq2yj7";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [
|
||||
./docbook2texi.patch
|
||||
|
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [qt libXext libX11];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configurePhase = "qmake PREFIX=$out";
|
||||
|
||||
|
@ -11,7 +11,7 @@ in stdenv.mkDerivation rec {
|
||||
sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports
|
||||
# needed to separate run-time and build-time directories
|
||||
|
@ -43,8 +43,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
hardening_bindnow = false;
|
||||
hardening_relro = false;
|
||||
hardeningDisable = [ "bindnow" "relro" ];
|
||||
|
||||
postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub";
|
||||
|
||||
|
@ -17,9 +17,7 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" {
|
||||
# TODO: properly include openssl for secureBoot
|
||||
buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ];
|
||||
|
||||
hardening_stackprotector = false;
|
||||
hardening_pic = false;
|
||||
hardening_fortify = false;
|
||||
hardeningDisable = [ "stackprotector" "pic" "fortify" ];
|
||||
|
||||
unpackPhase = ''
|
||||
for file in \
|
||||
|
@ -146,7 +146,7 @@ stdenv.mkDerivation rec {
|
||||
NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/";
|
||||
NIX_LDFLAGS="-L${libtool}/lib";
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "An open-source IA-32 (x86) PC emulator";
|
||||
|
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ iasl flex bison ];
|
||||
|
||||
hardening_fortify = false;
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
buildPhase = ''
|
||||
export LEX=${flex}/bin/flex
|
||||
|
@ -12,8 +12,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ iasl python ];
|
||||
|
||||
hardening_pic = false;
|
||||
hardening_stackprotector = false;
|
||||
hardeningDisable = [ "pic" "stackprotector" ];
|
||||
|
||||
configurePhase = ''
|
||||
# build SeaBIOS for CSM
|
||||
|
@ -17,7 +17,7 @@ stdenv.mkDerivation {
|
||||
|
||||
KERN_DIR = "${kernel.dev}/lib/modules/*/build";
|
||||
|
||||
hardening_pic = false;
|
||||
hardeningDisable = [ "pic" ];
|
||||
|
||||
buildInputs = [ patchelf cdrkit makeWrapper dbus ];
|
||||
|
||||
|
@ -75,9 +75,7 @@ stdenv.mkDerivation {
|
||||
|
||||
pythonPath = [ pythonPackages.curses ];
|
||||
|
||||
hardening_stackprotector = false;
|
||||
hardening_fortify = false;
|
||||
hardening_pic = false;
|
||||
hardeningDisable = [ "stackprotector" "fortify" "pic" ];
|
||||
|
||||
patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
|
||||
|
||||
|
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ libX11 xproto ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "Stand alone tray";
|
||||
|
41
pkgs/build-support/cc-wrapper/add-hardening
Normal file
41
pkgs/build-support/cc-wrapper/add-hardening
Normal file
@ -0,0 +1,41 @@
|
||||
hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
|
||||
hardeningFlags+=("${hardeningEnable[@]}")
|
||||
hardeningCFlags=()
|
||||
hardeningLDFlags=()
|
||||
|
||||
if [[ ! $hardeningDisable == "all" ]]; then
|
||||
for flag in "${hardeningFlags[@]}"
|
||||
do
|
||||
if [[ ! "$hardeningDisable" =~ "$flag" ]]; then
|
||||
case $flag in
|
||||
fortify)
|
||||
hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
|
||||
;;
|
||||
stackprotector)
|
||||
hardeningCFlags+=('-fstack-protector-strong')
|
||||
;;
|
||||
pie)
|
||||
hardeningCFlags+=('-fPIE' '-pie')
|
||||
;;
|
||||
pic)
|
||||
hardeningCFlags+=('-fPIC')
|
||||
;;
|
||||
strictoverflow)
|
||||
hardeningCFlags+=('-fno-strict-overflow')
|
||||
;;
|
||||
format)
|
||||
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
|
||||
;;
|
||||
relro)
|
||||
hardeningLDFlags+=('-z relro')
|
||||
;;
|
||||
bindnow)
|
||||
hardeningLDFlags+=('-z now')
|
||||
;;
|
||||
*)
|
||||
echo "Hardening flag unknown: $flag"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
done
|
||||
fi
|
@ -56,7 +56,6 @@ if [ "$nonFlagArgs" = 0 ]; then
|
||||
dontLink=1
|
||||
fi
|
||||
|
||||
|
||||
# Optionally filter out paths not refering to the store.
|
||||
params=("$@")
|
||||
if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
|
||||
@ -90,16 +89,17 @@ if [[ "@prog@" = *++ ]]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
# Add the flags for the C compiler proper.
|
||||
extraAfter=($NIX_CFLAGS_COMPILE)
|
||||
extraBefore=()
|
||||
source @out@/nix-support/add-hardening.sh
|
||||
|
||||
# Add the flags for the C compiler proper.
|
||||
extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
|
||||
extraBefore=()
|
||||
|
||||
if [ "$dontLink" != 1 ]; then
|
||||
|
||||
# Add the flags that should only be passed to the compiler when
|
||||
# linking.
|
||||
extraAfter+=($NIX_CFLAGS_LINK)
|
||||
extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
|
||||
|
||||
# Add the flags that should be passed to the linker (and prevent
|
||||
# `ld-wrapper' from adding NIX_LDFLAGS again).
|
||||
|
@ -234,6 +234,7 @@ stdenv.mkDerivation {
|
||||
rm $out/nix-support/setup-hook.tmp
|
||||
|
||||
substituteAll ${./add-flags} $out/nix-support/add-flags.sh
|
||||
cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
|
||||
cp -p ${./utils.sh} $out/nix-support/utils.sh
|
||||
''
|
||||
+ extraBuildCommands;
|
||||
|
@ -47,8 +47,9 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
|
||||
params=("${rest[@]}")
|
||||
fi
|
||||
|
||||
source @out@/nix-support/add-hardening.sh
|
||||
|
||||
extra=()
|
||||
extra=(${hardeningLDFlags[@]})
|
||||
extraBefore=()
|
||||
|
||||
if [ -z "$NIX_LDFLAGS_SET" ]; then
|
||||
@ -56,7 +57,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then
|
||||
extraBefore+=($NIX_LDFLAGS_BEFORE)
|
||||
fi
|
||||
|
||||
extra+=($NIX_LDFLAGS_AFTER)
|
||||
extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
|
||||
|
||||
|
||||
# Add all used dynamic libraries to the rpath.
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ ./glib.patch ./cups_1.6.patch ];
|
||||
|
||||
|
@ -11,5 +11,5 @@ stdenv.mkDerivation {
|
||||
buildInputs = [ pkgconfig gtk gettext ];
|
||||
propagatedBuildInputs = [ libxml2 ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
}
|
||||
|
@ -17,7 +17,7 @@ in stdenv.mkDerivation rec {
|
||||
"--enable-gi-system-install=no"
|
||||
];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
|
@ -8,7 +8,7 @@ kde {
|
||||
|
||||
nativeBuildInputs = [ cmake ];
|
||||
|
||||
hardening_all = false;
|
||||
hardeningDisable = [ "all" ];
|
||||
|
||||
# The patch is not ready for upstream submmission.
|
||||
# I should add an option() instead.
|
||||
|
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}";
|
||||
|
@ -14,8 +14,7 @@ stdenv.mkDerivation rec {
|
||||
})
|
||||
else throw "Architecture not supported";
|
||||
|
||||
hardening_format = false;
|
||||
hardening_pic = false;
|
||||
hardeningDisable = [ "format" "pic" ];
|
||||
|
||||
# clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild
|
||||
# and for chroot builds all of the library files will have equal timestamps. This
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation {
|
||||
sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
makeFlags = "PREFIX=$(out)";
|
||||
|
||||
|
@ -38,7 +38,7 @@ stdenv.mkDerivation {
|
||||
"--enable-unicode")
|
||||
;
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
postInstall = ''
|
||||
sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config
|
||||
|
@ -22,8 +22,7 @@ edk2 = stdenv.mkDerivation {
|
||||
|
||||
makeFlags = "-C BaseTools";
|
||||
|
||||
hardening_fortify = false;
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" "fortify" ];
|
||||
|
||||
installPhase = ''
|
||||
mkdir -vp $out
|
||||
|
@ -95,8 +95,7 @@ stdenv.mkDerivation ({
|
||||
++ (optionals langVhdl [gnat])
|
||||
;
|
||||
|
||||
hardening_format = false;
|
||||
hardening_stackprotector = false;
|
||||
hardeningDisable = [ "format" "stackprotector" ];
|
||||
|
||||
configureFlags = "
|
||||
${if enableMultilib then "" else "--disable-multilib"}
|
||||
|
@ -103,7 +103,7 @@ stdenv.mkDerivation ({
|
||||
inherit langC langCC langFortran langJava langAda;
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches =
|
||||
[ ./pass-cxxcpp.patch
|
||||
|
@ -134,8 +134,7 @@ stdenv.mkDerivation ({
|
||||
inherit langC langCC langFortran langJava langAda;
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardening_all = name != "gnat";
|
||||
hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all";
|
||||
|
||||
patches =
|
||||
[ ]
|
||||
|
@ -189,7 +189,7 @@ stdenv.mkDerivation ({
|
||||
|
||||
inherit patches enableMultilib;
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
postPatch =
|
||||
if (stdenv.isGNU
|
||||
|
@ -218,7 +218,7 @@ stdenv.mkDerivation ({
|
||||
|
||||
inherit patches;
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
postPatch =
|
||||
if (stdenv.isGNU
|
||||
|
@ -220,9 +220,8 @@ stdenv.mkDerivation ({
|
||||
|
||||
inherit patches;
|
||||
|
||||
# FIXME needs gcc 4.9 in bootstrap tools
|
||||
hardening_stackprotector = false;
|
||||
hardening_format = false;
|
||||
# FIXME stackprotector needs gcc 4.9 in bootstrap tools
|
||||
hardeningDisable = [ "format" "stackprotector" ];
|
||||
|
||||
postPatch =
|
||||
if (stdenv.isGNU
|
||||
|
@ -216,7 +216,7 @@ stdenv.mkDerivation ({
|
||||
sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq";
|
||||
};
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
inherit patches;
|
||||
|
||||
|
@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
|
||||
"--enable-ansi"
|
||||
];
|
||||
|
||||
hardening_pic = false;
|
||||
hardeningDisable = [ "pic" ];
|
||||
|
||||
meta = {
|
||||
description = "GNU Common Lisp compiler working via GCC";
|
||||
|
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ghc libedit perl gmp];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = [
|
||||
"--with-gmp-libraries=${gmp}/lib"
|
||||
|
@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
|
||||
buildInputs = [ pcre ];
|
||||
propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
|
||||
|
||||
hardening_all = false;
|
||||
hardeningDisable = [ "all" ];
|
||||
|
||||
# I'm not sure what go wants from its 'src', but the go installation manual
|
||||
# describes an installation keeping the src.
|
||||
|
@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
|
||||
Security Foundation
|
||||
];
|
||||
|
||||
hardening_all = false;
|
||||
hardeningDisable = [ "all" ];
|
||||
|
||||
# I'm not sure what go wants from its 'src', but the go installation manual
|
||||
# describes an installation keeping the src.
|
||||
|
@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
|
||||
Security Foundation
|
||||
];
|
||||
|
||||
hardening_all = false;
|
||||
hardeningDisable = [ "all" ];
|
||||
|
||||
# I'm not sure what go wants from its 'src', but the go installation manual
|
||||
# describes an installation keeping the src.
|
||||
|
@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
|
||||
buildInputs = [ makeWrapper ];
|
||||
propagatedBuildInputs = [ gmp ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = [
|
||||
"GMP_CFLAGS=-I${gmp}/include"
|
||||
|
@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "Smalltalk programming language and environment";
|
||||
|
@ -17,7 +17,7 @@ stdenv.mkDerivation {
|
||||
buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama
|
||||
libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = "--with-world --enable-gmp --enable-shared";
|
||||
|
||||
|
@ -12,7 +12,7 @@ stdenv.mkDerivation {
|
||||
|
||||
buildInputs = [ omake ocaml flex bison ];
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildPhase = "omake all";
|
||||
|
||||
|
@ -41,11 +41,9 @@ self: super: {
|
||||
options_1_2 = dontCheck super.options_1_2;
|
||||
options = dontCheck super.options;
|
||||
statistics = dontCheck super.statistics;
|
||||
c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: {
|
||||
hardening_format = false;
|
||||
});
|
||||
epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: {
|
||||
hardening_format = false;
|
||||
c2hs = dontCheck super.c2hs;
|
||||
epanet-haskell = super.epanet-haskell.overrideDerivation (drv: {
|
||||
hardeningDisable = [ "format" ];
|
||||
});
|
||||
|
||||
# The package doesn't compile with ruby 1.9, which is our default at the moment.
|
||||
@ -244,9 +242,7 @@ self: super: {
|
||||
gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib;
|
||||
gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib;
|
||||
gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib;
|
||||
glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: {
|
||||
hardening_fortify = false;
|
||||
});
|
||||
glib = addPkgconfigDepend super.glib pkgs.glib;
|
||||
gtk3 = super.gtk3.override { inherit (pkgs) gtk3; };
|
||||
gtk = addPkgconfigDepend super.gtk pkgs.gtk;
|
||||
gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; };
|
||||
|
@ -45,7 +45,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
NIX_CFLAGS_COMPILE="-O0";
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# TODO : make mod-check fails
|
||||
doCheck = false;
|
||||
|
@ -22,7 +22,7 @@ stdenv.mkDerivation {
|
||||
|
||||
configureFlags = "--with-ssl=${openssl}";
|
||||
|
||||
hardening_format = false;
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
postInstall = let
|
||||
manpages = fetchurl {
|
||||
|
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
|
||||
intltool gettext zlib
|
||||
];
|
||||
|
||||
hardening_pic = false;
|
||||
hardeningDisable = [ "pic" ];
|
||||
|
||||
NIX_LDFLAGS=" -lz ";
|
||||
|
||||
|
@ -72,7 +72,7 @@ let
|
||||
enableParallelBuilding = true;
|
||||
|
||||
# FIXME needs gcc 4.9 in bootstrap tools
|
||||
hardening_stackprotector = false;
|
||||
hardeningDisable = [ "stackprotector" ];
|
||||
|
||||
preConfigure =
|
||||
''
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user