stdenv: change hardening flags
* remove relro/bindnow from compile flags as they break clang
* use fstackprotector-strong instead of fstackprotector-all for speed
parent
35f92d9810
commit
57d6a38ed5
|
@ -241,11 +241,9 @@ rec {
|
|||
NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
|
||||
+ stdenv.lib.optionalString (args.hardening_all or true) (
|
||||
stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
|
||||
+ stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
|
||||
+ stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong"
|
||||
+ stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
|
||||
+ stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
|
||||
+ stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
|
||||
+ stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
|
||||
+ stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
|
||||
+ stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
|
||||
);
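Review bot: The `hardening_relro` and `hardening_bindnow` lines are dropped from `NIX_CFLAGS_COMPILE` with no visible replacement on the link side, so within this hunk both options become silent no-ops and built outputs would lose full RELRO and immediate binding, the protections that keep the GOT read-only after startup. If no other part of the commit re-adds them, hand them directly to the linker, where clang never sees them: append `stdenv.lib.optionalString (args.hardening_relro or true) " -z relro"` and `stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now"` to `NIX_LDFLAGS`. The `-pie` in the `hardening_pie` line is likewise a link-time flag and probably triggers the same clang complaint once that option is switched on. The surrounding `rec { … }` set starts and ends outside the hunk, so a relocation elsewhere in the file cannot be ruled out from here.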
|
||||
|
|