cc-wrapper: Use set -u
throughout
Now is an opportune time to do this, as the infixSalt conversion in `add-flags.sh` ensures that all the relevant `NIX_*` vars will be defined even if empty.
This commit is contained in:
parent
a8bd415fa0
commit
2493454e13
@ -1,67 +1,69 @@
|
|||
hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
|
||||
# Intentionally word-split in case 'hardeningEnable' is defined in Nix.
|
||||
hardeningFlags+=(${hardeningEnable[@]})
|
||||
# Intentionally word-split in case 'hardeningEnable' is defined in
|
||||
# Nix. Also, our bootstrap tools version of bash is old enough that
|
||||
# undefined arrays trip `set -u`.
|
||||
if [[ -v hardeningEnable[@] ]]; then
|
||||
hardeningFlags+=(${hardeningEnable[@]})
|
||||
fi
|
||||
hardeningCFlags=()
|
||||
hardeningLDFlags=()
|
||||
|
||||
declare -A hardeningDisableMap
|
||||
|
||||
# Intentionally word-split in case 'hardeningDisable' is defined in Nix. The
|
||||
# array expansion also prevents undefined variables from causing trouble with
|
||||
# `set -u`.
|
||||
for flag in ${hardeningDisable[@]} @hardening_unsupported_flags@
|
||||
# Intentionally word-split in case 'hardeningDisable' is defined in Nix.
|
||||
for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@
|
||||
do
|
||||
hardeningDisableMap[$flag]=1
|
||||
done
|
||||
|
||||
if [[ -n "$NIX_DEBUG" ]]; then
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then
|
||||
printf 'HARDENING: disabled flags:' >&2
|
||||
(( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
|
||||
echo >&2
|
||||
fi
|
||||
|
||||
if [[ -z "${hardeningDisableMap[all]}" ]]; then
|
||||
if [[ -n "$NIX_DEBUG" ]]; then
|
||||
if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then
|
||||
echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
|
||||
fi
|
||||
for flag in "${hardeningFlags[@]}"
|
||||
do
|
||||
if [[ -z "${hardeningDisableMap[$flag]}" ]]; then
|
||||
if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
|
||||
case $flag in
|
||||
fortify)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling fortify >&2; fi
|
||||
hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
|
||||
;;
|
||||
stackprotector)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling stackprotector >&2; fi
|
||||
hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
|
||||
;;
|
||||
pie)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
|
||||
hardeningCFlags+=('-fPIE')
|
||||
if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
|
||||
hardeningLDFlags+=('-pie')
|
||||
fi
|
||||
;;
|
||||
pic)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling pic >&2; fi
|
||||
hardeningCFlags+=('-fPIC')
|
||||
;;
|
||||
strictoverflow)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
|
||||
hardeningCFlags+=('-fno-strict-overflow')
|
||||
;;
|
||||
format)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling format >&2; fi
|
||||
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
|
||||
;;
|
||||
relro)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling relro >&2; fi
|
||||
hardeningLDFlags+=('-z' 'relro')
|
||||
;;
|
||||
bindnow)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi
|
||||
if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling bindnow >&2; fi
|
||||
hardeningLDFlags+=('-z' 'now')
|
||||
;;
|
||||
*)
|
||||
|
|
|
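Review bot: The `IGNORED_KEY` fallback in `for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@` becomes a real key of `hardeningDisableMap`, so whenever `hardeningDisable` is unset or empty the debug output a few lines down reads `HARDENING: disabled flags: IGNORED_KEY` and the `${#hardeningDisableMap[@]}` count is off by one. The `[[ -v hardeningEnable[@] ]]` guard introduced just above for the other array avoids a sentinel entirely; the same shape works here, `if [[ -v hardeningDisable[@] ]]; then for flag in ${hardeningDisable[@]}; do hardeningDisableMap[$flag]=1; done; fi`, with `@hardening_unsupported_flags@` looped separately. Note that `[[ -v name[@] ]]` is only accepted from bash 4.3 on, so whether it works on the bootstrap bash the new comment refers to is worth confirming; if it does not, the `${hardeningDisable[@]+${hardeningDisable[@]}}` form is the portable way to expand a possibly-undefined array under `set -u`.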
@ -1,5 +1,5 @@
|
|||
#! @shell@
|
||||
set -e -o pipefail
|
||||
set -eu -o pipefail
|
||||
shopt -s nullglob
|
||||
|
||||
path_backup="$PATH"
|
||||
|
@ -11,12 +11,12 @@ if [[ -n "@coreutils_bin@" && -n "@gnugrep_bin@" ]]; then
|
|||
PATH="@coreutils_bin@/bin:@gnugrep_bin@/bin"
|
||||
fi
|
||||
|
||||
if [ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]; then
|
||||
source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK"
|
||||
if [ -z "${NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then
|
||||
source @out@/nix-support/add-flags.sh
|
||||
fi
|
||||
|
||||
if [ -z "$NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET" ]; then
|
||||
source @out@/nix-support/add-flags.sh
|
||||
if [ -n "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK" ]; then
|
||||
source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK"
|
||||
fi
|
||||
|
||||
source @out@/nix-support/utils.sh
|
||||
|
@ -36,7 +36,7 @@ declare -i n=0
|
|||
nParams=${#params[@]}
|
||||
while [ "$n" -lt "$nParams" ]; do
|
||||
p=${params[n]}
|
||||
p2=${params[n+1]}
|
||||
p2=${params[n+1]:-} # handle `p` being last one
|
||||
if [ "$p" = -c ]; then
|
||||
dontLink=1
|
||||
elif [ "$p" = -S ]; then
|
||||
|
@ -79,13 +79,13 @@ if [ "$nonFlagArgs" = 0 ]; then
|
|||
fi
|
||||
|
||||
# Optionally filter out paths not refering to the store.
|
||||
if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then
|
||||
if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then
|
||||
rest=()
|
||||
nParams=${#params[@]}
|
||||
declare -i n=0
|
||||
while [ "$n" -lt "$nParams" ]; do
|
||||
p=${params[n]}
|
||||
p2=${params[n+1]}
|
||||
p2=${params[n+1]:-} # handle `p` being last one
|
||||
if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
|
||||
skip "${p:2}"
|
||||
elif [ "$p" = -L ] && badPath "$p2"; then
|
||||
|
@ -162,13 +162,15 @@ if [ "$*" = -v ]; then
|
|||
fi
|
||||
|
||||
# Optionally print debug info.
|
||||
if [ -n "$NIX_DEBUG" ]; then
|
||||
if [ -n "${NIX_DEBUG:-}" ]; then
|
||||
set +u # Old bash workaround, see ld-wrapper for explanation.
|
||||
echo "extra flags before to @prog@:" >&2
|
||||
printf " %q\n" "${extraBefore[@]}" >&2
|
||||
echo "original flags to @prog@:" >&2
|
||||
printf " %q\n" "${params[@]}" >&2
|
||||
echo "extra flags after to @prog@:" >&2
|
||||
printf " %q\n" "${extraAfter[@]}" >&2
|
||||
set -u
|
||||
fi
|
||||
|
||||
if [ -n "$NIX_CC_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
|
||||
|
@ -176,4 +178,5 @@ if [ -n "$NIX_CC_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
|
|||
fi
|
||||
|
||||
PATH="$path_backup"
|
||||
set +u # Old bash workaround, see above.
|
||||
exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"
|
||||
|
|
|
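Review bot: Moving `source "$NIX_CC_WRAPPER_@infixSalt@_START_HOOK"` below `source @out@/nix-support/add-flags.sh` (second hunk) changes when the hook runs, not only whether the variable is defined: a start hook that previously exported `NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET` to suppress add-flags.sh, or set variables add-flags.sh reads, now runs too late to have that effect. If the goal is just to survive `set -u` before add-flags.sh has defined the variable, the original order can be kept with `if [ -n "${NIX_CC_WRAPPER_@infixSalt@_START_HOOK:-}" ]; then`. The same reorder appears in the gnat-wrapper and ld-wrapper sections below; whichever way it is resolved, the new hook ordering should be stated in the commit message, since hooks are an interface other derivations rely on.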
@ -1,7 +1,10 @@
|
|||
#! @shell@
|
||||
set -e -o pipefail
|
||||
set -eu -o pipefail
|
||||
shopt -s nullglob
|
||||
|
||||
# N.B. Gnat is not used during bootstrapping, so we don't need to
|
||||
# worry about the old bash empty array `set -u` workarounds.
|
||||
|
||||
path_backup="$PATH"
|
||||
|
||||
# phase separation makes this look useless
|
||||
|
@ -10,12 +13,12 @@ if [ -n "@coreutils_bin@" ]; then
|
|||
PATH="@coreutils_bin@/bin"
|
||||
fi
|
||||
|
||||
if [ -n "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" ]; then
|
||||
source "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK"
|
||||
if [ -z "${NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET:-}" ]; then
|
||||
source @out@/nix-support/add-flags.sh
|
||||
fi
|
||||
|
||||
if [ -z "$NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET" ]; then
|
||||
source @out@/nix-support/add-flags.sh
|
||||
if [ -n "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK" ]; then
|
||||
source "$NIX_@infixSalt@_GNAT_WRAPPER_START_HOOK"
|
||||
fi
|
||||
|
||||
source @out@/nix-support/utils.sh
|
||||
|
@ -52,7 +55,7 @@ fi
|
|||
|
||||
# Optionally filter out paths not refering to the store.
|
||||
params=("$@")
|
||||
if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then
|
||||
if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then
|
||||
rest=()
|
||||
for p in "${params[@]}"; do
|
||||
if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
|
||||
|
@ -110,7 +113,7 @@ fi
|
|||
#fi
|
||||
|
||||
# Optionally print debug info.
|
||||
if [ -n "$NIX_DEBUG" ]; then
|
||||
if [ -n "${NIX_DEBUG:-}" ]; then
|
||||
echo "extra flags before to @prog@:" >&2
|
||||
printf " %q\n" "${extraBefore[@]}" >&2
|
||||
echo "original flags to @prog@:" >&2
|
||||
|
|
|
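Review bot: In `if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then` (third hunk) only the first operand got a default, so with `set -eu` the behaviour of the purity filter when `NIX_STORE` is missing now depends on how it is missing: unset aborts the wrapper with an unbound-variable error, while set-but-empty still silently skips the filter as before. `[[ … && … ]]` short-circuits, so this is only reached when purity enforcement is requested, but it is an accidental mix of fail-closed and fail-open. If the filter must not be skipped, `: "${NIX_STORE:?NIX_STORE must be set when NIX_ENFORCE_PURITY=1}"` before the test makes both cases fail closed; if skipping was intended, `-n "${NIX_STORE:-}"` restores the old semantics. The same line occurs in the cc-wrapper and ld-wrapper sections, and whether add-flags.sh defines `NIX_STORE` is not visible here.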
@ -1,7 +1,10 @@
|
|||
#! @shell@
|
||||
set -e -o pipefail
|
||||
set -eu -o pipefail
|
||||
shopt -s nullglob
|
||||
|
||||
# N.B. Gnat is not used during bootstrapping, so we don't need to
|
||||
# worry about the old bash empty array `set -u` workarounds.
|
||||
|
||||
# Add the flags for the GNAT compiler proper.
|
||||
extraAfter=("--GCC=@out@/bin/gcc")
|
||||
extraBefore=()
|
||||
|
@ -21,7 +24,7 @@ extraBefore=()
|
|||
#export NIX_@infixSalt@_LDFLAGS_SET=1
|
||||
|
||||
# Optionally print debug info.
|
||||
if [ -n "$NIX_DEBUG" ]; then
|
||||
if [ -n "${NIX_DEBUG:-}" ]; then
|
||||
echo "extra flags before to @prog@:" >&2
|
||||
printf " %q\n" "${extraBefore[@]}" >&2
|
||||
echo "original flags to @prog@:" >&2
|
||||
|
|
|
@ -10,12 +10,12 @@ if [ -n "@coreutils_bin@" ]; then
|
|||
PATH="@coreutils_bin@/bin"
|
||||
fi
|
||||
|
||||
if [ -n "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" ]; then
|
||||
source "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK"
|
||||
if [ -z "${NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then
|
||||
source @out@/nix-support/add-flags.sh
|
||||
fi
|
||||
|
||||
if [ -z "$NIX_CC_WRAPPER_@infixSalt@_FLAGS_SET" ]; then
|
||||
source @out@/nix-support/add-flags.sh
|
||||
if [ -n "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK" ]; then
|
||||
source "$NIX_LD_WRAPPER_@infixSalt@_START_HOOK"
|
||||
fi
|
||||
|
||||
source @out@/nix-support/utils.sh
|
||||
|
@ -23,14 +23,14 @@ source @out@/nix-support/utils.sh
|
|||
|
||||
# Optionally filter out paths not refering to the store.
|
||||
expandResponseParams "$@"
|
||||
if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE"
|
||||
&& ( -z "$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC" || -z "$NIX_@infixSalt@_LDFLAGS_SET" ) ]]; then
|
||||
if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE"
|
||||
&& ( -z "$NIX_@infixSalt@_IGNORE_LD_THROUGH_GCC" || -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ) ]]; then
|
||||
rest=()
|
||||
nParams=${#params[@]}
|
||||
declare -i n=0
|
||||
while [ "$n" -lt "$nParams" ]; do
|
||||
p=${params[n]}
|
||||
p2=${params[n+1]}
|
||||
p2=${params[n+1]:-} # handle `p` being last one
|
||||
if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
|
||||
skip "${p:2}"
|
||||
elif [ "$p" = -L ] && badPath "$p2"; then
|
||||
|
@ -59,7 +59,7 @@ source @out@/nix-support/add-hardening.sh
|
|||
extraAfter=("${hardeningLDFlags[@]}")
|
||||
extraBefore=()
|
||||
|
||||
if [ -z "$NIX_@infixSalt@_LDFLAGS_SET" ]; then
|
||||
if [ -z "${NIX_@infixSalt@_LDFLAGS_SET:-}" ]; then
|
||||
extraAfter+=($NIX_@infixSalt@_LDFLAGS)
|
||||
extraBefore+=($NIX_@infixSalt@_LDFLAGS_BEFORE)
|
||||
fi
|
||||
|
@ -73,7 +73,11 @@ relocatable=
|
|||
# Find all -L... switches for rpath, and relocatable flags for build id.
|
||||
if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ] || [ "$NIX_@infixSalt@_SET_BUILD_ID" = 1 ]; then
|
||||
prev=
|
||||
# Old bash thinks empty arrays are undefined, ugh, so temporarily disable
|
||||
# `set -u`.
|
||||
set +u
|
||||
for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"; do
|
||||
set -u
|
||||
case "$prev" in
|
||||
-L)
|
||||
libDirs+=("$p")
|
||||
|
@ -119,7 +123,7 @@ if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ]; then
|
|||
if [[ "$dir" =~ [/.][/.] ]] && dir2=$(readlink -f "$dir"); then
|
||||
dir="$dir2"
|
||||
fi
|
||||
if [ "${rpaths[$dir]}" ] || [[ "$dir" != "$NIX_STORE"/* ]]; then
|
||||
if [ -n "${rpaths[$dir]:-}" ] || [[ "$dir" != "$NIX_STORE"/* ]]; then
|
||||
# If the path is not in the store, don't add it to the rpath.
|
||||
# This typically happens for libraries in /tmp that are later
|
||||
# copied to $out/lib. If not, we're screwed.
|
||||
|
@ -127,9 +131,9 @@ if [ "$NIX_@infixSalt@_DONT_SET_RPATH" != 1 ]; then
|
|||
fi
|
||||
for path in "$dir"/lib*.so; do
|
||||
file="${path##*/}"
|
||||
if [ "${libs[$file]}" ]; then
|
||||
if [ "${libs[$file]:-}" ]; then
|
||||
libs["$file"]=
|
||||
if [ ! "${rpaths[$dir]}" ]; then
|
||||
if [ -z "${rpaths[$dir]:-}" ]; then
|
||||
rpaths["$dir"]=1
|
||||
extraAfter+=(-rpath "$dir")
|
||||
fi
|
||||
|
@ -147,13 +151,15 @@ fi
|
|||
|
||||
|
||||
# Optionally print debug info.
|
||||
if [ -n "$NIX_DEBUG" ]; then
|
||||
if [ -n "${NIX_DEBUG:-}" ]; then
|
||||
set +u # Old bash workaround, see above.
|
||||
echo "extra flags before to @prog@:" >&2
|
||||
printf " %q\n" "${extraBefore[@]}" >&2
|
||||
echo "original flags to @prog@:" >&2
|
||||
printf " %q\n" "${params[@]}" >&2
|
||||
echo "extra flags after to @prog@:" >&2
|
||||
printf " %q\n" "${extraAfter[@]}" >&2
|
||||
set -u
|
||||
fi
|
||||
|
||||
if [ -n "$NIX_LD_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
|
||||
|
@ -161,4 +167,5 @@ if [ -n "$NIX_LD_WRAPPER_@infixSalt@_EXEC_HOOK" ]; then
|
|||
fi
|
||||
|
||||
PATH="$path_backup"
|
||||
set +u # Old bash workaround, see above.
|
||||
exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"
|
||||
|
|
|
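Review bot: The `set +u` placed before `for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"; do` (fourth hunk) is only undone by the `set -u` inside the loop body, so when all three arrays are empty the body never runs and the remainder of the script — the rpath and build-id handling and the exec hook — continues with `-u` off, quietly losing the protection this commit adds; the loop's `done` is outside the hunk. Since `set +u` is needed only for the expansion in the loop header, `set -u` belongs immediately after `done`, which restores it on every path and avoids re-running it per iteration. The debug block later in this section does this correctly, with `set -u` after the last printf.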
@ -1,5 +1,5 @@
|
|||
skip () {
|
||||
if [ -n "$NIX_DEBUG" ]; then
|
||||
if [ -n "${NIX_DEBUG:-}" ]; then
|
||||
echo "skipping impure path $1" >&2
|
||||
fi
|
||||
}
|
||||
|
|