stdenv: change hardening flags

* remove relro/bindnow from compile flags, as passing these linker options at compile time breaks clang
* use -fstack-protector-strong instead of -fstack-protector-all for speed
Robin Gloster 2016-02-22 18:31:04 +00:00
parent 35f92d9810
commit 57d6a38ed5


@ -241,11 +241,9 @@ rec {
NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
+ stdenv.lib.optionalString (args.hardening_all or true) (
stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
+ stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
+ stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong"
+ stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
+ stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
+ stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
+ stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
+ stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
+ stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
);
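Review bot: Dropping the `-Wl,-z,relro` / `-Wl,-z,now` lines silently removes RELRO and BIND_NOW from every derivation built with these defaults, and the `hardening_relro` / `hardening_bindnow` arguments no longer do anything, unless this commit re-adds them somewhere outside this hunk. The flags broke clang only because they are linker options being passed through NIX_CFLAGS_COMPILE (presumably tripping clang's unused-argument warning), so the fix is to move them to the link step rather than delete them; a NIX_LDFLAGS entry keeps the same knobs and defaults. The surrounding `rec { … }` attribute set starts and ends outside this hunk, and whether NIX_LDFLAGS is already set nearby is not visible, so merge with any existing definition rather than adding a second one. If the wrapper here consumes NIX_LDFLAGS as raw ld options (as the rest of stdenv does), the `-Wl,` prefix must be dropped, as below.

```nix
NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "")
  + stdenv.lib.optionalString (args.hardening_all or true) (
      stdenv.lib.optionalString (args.hardening_relro or true) " -z relro"
    + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now"
  );
# … unchanged: NIX_CFLAGS_COMPILE hardening block above …
```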