authorJohn Ericson <John.Ericson@Obsidian.Systems>2018-05-14 23:33:03 -0400
committerJohn Ericson <John.Ericson@Obsidian.Systems>2018-05-14 23:33:03 -0400
commit5e17335bd7ff853379122e08dadfaa2fc1c020b7 (patch)
tree911e75d700bebef1aa60fedcaa6a29b5032d6428 /pkgs/build-support/cc-wrapper
parent330ca731e88ec015181c43d92ae8f7c77cf0226a (diff)
parent0fc21a364bfd6b2dea9010fdf21415ff3de1805a (diff)
Merge remote-tracking branch 'upstream/staging' into strictDeps
Diffstat (limited to 'pkgs/build-support/cc-wrapper')
-rw-r--r--pkgs/build-support/cc-wrapper/add-flags.sh22
-rw-r--r--pkgs/build-support/cc-wrapper/add-hardening.sh115
-rw-r--r--pkgs/build-support/cc-wrapper/cc-wrapper.sh6
-rw-r--r--pkgs/build-support/cc-wrapper/default.nix63
-rw-r--r--pkgs/build-support/cc-wrapper/gnat-wrapper.sh122
-rw-r--r--pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh40
-rw-r--r--pkgs/build-support/cc-wrapper/setup-hook.sh53
-rw-r--r--pkgs/build-support/cc-wrapper/utils.sh76
8 files changed, 99 insertions, 398 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-flags.sh b/pkgs/build-support/cc-wrapper/add-flags.sh
index d8b42244607..9762894607a 100644
--- a/pkgs/build-support/cc-wrapper/add-flags.sh
+++ b/pkgs/build-support/cc-wrapper/add-flags.sh
@@ -9,32 +9,20 @@ var_templates_list=(
NIX+CFLAGS_LINK
NIX+CXXSTDLIB_COMPILE
NIX+CXXSTDLIB_LINK
- NIX+GNATFLAGS_COMPILE
)
var_templates_bool=(
NIX+ENFORCE_NO_NATIVE
)
-# Accumulate infixes for taking in the right input parameters. See setup-hook
-# for details.
-declare -a role_infixes=()
-if [ "${NIX_CC_WRAPPER_@infixSalt@_TARGET_BUILD:-}" ]; then
- role_infixes+=(_BUILD_)
-fi
-if [ "${NIX_CC_WRAPPER_@infixSalt@_TARGET_HOST:-}" ]; then
- role_infixes+=(_)
-fi
-if [ "${NIX_CC_WRAPPER_@infixSalt@_TARGET_TARGET:-}" ]; then
- role_infixes+=(_TARGET_)
-fi
+accumulateRoles
# We need to mangle names for hygiene, but also take parameters/overrides
# from the environment.
for var in "${var_templates_list[@]}"; do
- mangleVarList "$var" "${role_infixes[@]}"
+ mangleVarList "$var" ${role_infixes[@]+"${role_infixes[@]}"}
done
for var in "${var_templates_bool[@]}"; do
- mangleVarBool "$var" "${role_infixes[@]}"
+ mangleVarBool "$var" ${role_infixes[@]+"${role_infixes[@]}"}
done
# `-B@out@/bin' forces cc to use ld-wrapper.sh when calling ld.
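Review bot: The call to `accumulateRoles` has no comment saying where it is defined or that it is expected to populate `role_infixes`; the explanatory comment that sat above the removed inline code was dropped with it. I would add something like `# accumulateRoles (from utils.bash) fills role_infixes with the roles this wrapper serves.` after confirming that against the helper, which is not part of this diff. The `${role_infixes[@]+"${role_infixes[@]}"}` expansions on the two loop bodies also deserve a short note such as `# Expands to nothing for an empty array; older bash trips set -u on a plain "${arr[@]}".`, because the idiom is easy to "simplify" back into the form that fails.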
@@ -51,10 +39,6 @@ if [ -e @out@/nix-support/cc-cflags ]; then
NIX_@infixSalt@_CFLAGS_COMPILE="$(< @out@/nix-support/cc-cflags) $NIX_@infixSalt@_CFLAGS_COMPILE"
fi
-if [ -e @out@/nix-support/gnat-cflags ]; then
- NIX_@infixSalt@_GNATFLAGS_COMPILE="$(< @out@/nix-support/gnat-cflags) $NIX_@infixSalt@_GNATFLAGS_COMPILE"
-fi
-
if [ -e @out@/nix-support/cc-ldflags ]; then
NIX_@infixSalt@_LDFLAGS+=" $(< @out@/nix-support/cc-ldflags)"
fi
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index a35ff3cb426..fc40fe7408b 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,67 +1,72 @@
-hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
-# Intentionally word-split in case 'hardeningEnable' is defined in
-# Nix. Also, our bootstrap tools version of bash is old enough that
-# undefined arrays trip `set -u`.
-if [[ -v hardeningEnable[@] ]]; then
- hardeningFlags+=(${hardeningEnable[@]})
-fi
-hardeningCFlags=()
+declare -a hardeningCFlags=()
+
+declare -A hardeningEnableMap=()
-declare -A hardeningDisableMap
+# Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
+# array expansion also prevents undefined variables from causing trouble with
+# `set -u`.
+for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do
+ hardeningEnableMap["$flag"]=1
+done
-# Intentionally word-split in case 'hardeningDisable' is defined in Nix.
-for flag in ${hardeningDisable[@]:-IGNORED_KEY} @hardening_unsupported_flags@
-do
- hardeningDisableMap[$flag]=1
+# Remove unsupported flags.
+for flag in @hardening_unsupported_flags@; do
+ unset -v "hardeningEnableMap[$flag]"
done
if (( "${NIX_DEBUG:-0}" >= 1 )); then
+ declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
+ declare -A hardeningDisableMap=()
+
+ # Determine which flags were effectively disabled so we can report below.
+ for flag in "${allHardeningFlags[@]}"; do
+ if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
+ hardeningDisableMap["$flag"]=1
+ fi
+ done
+
printf 'HARDENING: disabled flags:' >&2
(( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
echo >&2
-fi
-if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
- if (( "${NIX_DEBUG:-0}" >= 1 )); then
+ if (( "${#hardeningEnableMap[@]}" )); then
echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
fi
- for flag in "${hardeningFlags[@]}"
- do
- if [[ -z "${hardeningDisableMap[$flag]:-}" ]]; then
- case $flag in
- fortify)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
- hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
- ;;
- stackprotector)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
- hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
- ;;
- pie)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
- hardeningCFlags+=('-fPIE')
- if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
- hardeningCFlags+=('-pie')
- fi
- ;;
- pic)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
- hardeningCFlags+=('-fPIC')
- ;;
- strictoverflow)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
- hardeningCFlags+=('-fno-strict-overflow')
- ;;
- format)
- if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
- hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
- ;;
- *)
- # Ignore unsupported. Checked in Nix that at least *some*
- # tool supports each flag.
- ;;
- esac
- fi
- done
fi
+
+for flag in "${!hardeningEnableMap[@]}"; do
+ case $flag in
+ fortify)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+ hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
+ ;;
+ stackprotector)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
+ hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
+ ;;
+ pie)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
+ hardeningCFlags+=('-fPIE')
+ if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
+ hardeningCFlags+=('-pie')
+ fi
+ ;;
+ pic)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
+ hardeningCFlags+=('-fPIC')
+ ;;
+ strictoverflow)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
+ hardeningCFlags+=('-fno-strict-overflow')
+ ;;
+ format)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
+ hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+ ;;
+ *)
+ # Ignore unsupported. Checked in Nix that at least *some*
+ # tool supports each flag.
+ ;;
+ esac
+done
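Review bot: An unset or empty `NIX_@infixSalt@_HARDENING_ENABLE` now silently disables every hardening flag: `hardeningEnableMap` stays empty and the final `for flag in "${!hardeningEnableMap[@]}"` loop adds nothing, whereas the removed code started from a built-in `hardeningFlags` list. The default list is set only in setup-hook.sh, so a compiler invocation whose environment never ran that hook would presumably build without fortify or stackprotector and report it only when `NIX_DEBUG` is at least 1. I would record this next to the first loop, e.g. `# An unset or empty value disables all hardening; the default list is set in setup-hook.sh.` The existing comment's "array expansion" wording is stale as well, since the line uses a plain `${VAR-}` expansion, and the debug message about the "all" flag no longer matches any `all` handling in this file.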
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index c2e6c140635..1b43d7cc211 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -15,7 +15,7 @@ if [[ -n "@coreutils_bin@" && -n "@gnugrep_bin@" ]]; then
PATH="@coreutils_bin@/bin:@gnugrep_bin@/bin"
fi
-source @out@/nix-support/utils.sh
+source @out@/nix-support/utils.bash
# Flirting with a layer violation here.
if [ -z "${NIX_BINTOOLS_WRAPPER_@infixSalt@_FLAGS_SET:-}" ]; then
@@ -134,8 +134,8 @@ fi
source @out@/nix-support/add-hardening.sh
# Add the flags for the C compiler proper.
-extraAfter=($NIX_@infixSalt@_CFLAGS_COMPILE "${hardeningCFlags[@]}")
-extraBefore=()
+extraAfter=($NIX_@infixSalt@_CFLAGS_COMPILE)
+extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"})
if [ "$dontLink" != 1 ]; then
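Review bot: Moving `hardeningCFlags` from `extraAfter` to `extraBefore` changes which side wins a conflict, and nothing in the file says so. Assuming `extraBefore` is placed ahead of the caller's arguments when the compiler is exec'd (that happens outside this hunk), a later `-fno-stack-protector`, `-O0` or `-U_FORTIFY_SOURCE` from the package or from `NIX_@infixSalt@_CFLAGS_COMPILE` now overrides the hardening flags instead of being overridden by them. If that is the intent, state it at the assignment, e.g. `# Hardening flags go first so that explicit flags from the package can override them.` The `if [ "$dontLink" != 1 ]` block continues past the end of the hunk.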
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 7cd02c4b24c..7a18993d607 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -5,24 +5,22 @@
# script that sets up the right environment variables so that the
# compiler and the linker just "work".
-{ name ? "", stdenvNoCC, nativeTools, noLibc ? false, nativeLibc, nativePrefix ? ""
+{ name ? ""
+, stdenvNoCC, nativeTools, propagateDoc ? !nativeTools, noLibc ? false, nativeLibc, nativePrefix ? ""
, cc ? null, libc ? null, bintools, coreutils ? null, shell ? stdenvNoCC.shell
-, zlib ? null, extraPackages ? [], extraBuildCommands ? ""
+, extraPackages ? [], extraBuildCommands ? ""
, isGNU ? false, isClang ? cc.isClang or false, gnugrep ? null
, buildPackages ? {}
}:
with stdenvNoCC.lib;
-assert nativeTools -> nativePrefix != "";
+assert nativeTools -> !propagateDoc && nativePrefix != "";
assert !nativeTools ->
cc != null && coreutils != null && gnugrep != null;
assert !(nativeLibc && noLibc);
assert (noLibc || nativeLibc) == (libc == null);
-# For ghdl (the vhdl language provider to gcc) we need zlib in the wrapper.
-assert cc.langVhdl or false -> zlib != null;
-
let
stdenv = stdenvNoCC;
inherit (stdenv) hostPlatform targetPlatform;
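Review bot: The new `propagateDoc` argument is undocumented, and its assertion `assert nativeTools -> !propagateDoc && nativePrefix != "";` relies on operator precedence that is easy to misread. I would add a comment such as `# propagateDoc: create "man"/"info" outputs that propagate cc's documentation; must be false with nativeTools.` and write the assertion as `assert nativeTools -> (!propagateDoc && nativePrefix != "");`. Removing `zlib` from an argument set without `...` will also make any caller that still passes it fail at evaluation; the callers are not in this diff, so this should be checked.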
@@ -73,7 +71,7 @@ assert nativePrefix == bintools.nativePrefix;
stdenv.mkDerivation {
name = targetPrefix
- + (if name != "" then name else "${ccName}-wrapper")
+ + (if name != "" then name else stdenv.lib.removePrefix targetPrefix "${ccName}-wrapper")
+ (stdenv.lib.optionalString (cc != null && ccVersion != "") "-${ccVersion}");
preferLocalBuild = true;
@@ -84,7 +82,7 @@ stdenv.mkDerivation {
inherit targetPrefix infixSalt;
- outputs = [ "out" "man" ];
+ outputs = [ "out" ] ++ optionals propagateDoc [ "man" "info" ];
passthru = {
# "cc" is the generic name for a C compiler, but there is no one for package
@@ -115,7 +113,7 @@ stdenv.mkDerivation {
''
set -u
- mkdir -p $out/bin $out/nix-support $man/nix-support
+ mkdir -p $out/bin $out/nix-support
wrap() {
local dst="$1"
@@ -188,24 +186,18 @@ stdenv.mkDerivation {
+ optionalString cc.langGo or false ''
wrap ${targetPrefix}gccgo ${./cc-wrapper.sh} $ccPath/${targetPrefix}gccgo
- ''
-
- + optionalString cc.langAda or false ''
- wrap ${targetPrefix}gnatgcc ${./cc-wrapper.sh} $ccPath/${targetPrefix}gnatgcc
- wrap ${targetPrefix}gnatmake ${./gnat-wrapper.sh} $ccPath/${targetPrefix}gnatmake
- wrap ${targetPrefix}gnatbind ${./gnat-wrapper.sh} $ccPath/${targetPrefix}gnatbind
- wrap ${targetPrefix}gnatlink ${./gnatlink-wrapper.sh} $ccPath/${targetPrefix}gnatlink
- ''
-
- + optionalString cc.langVhdl or false ''
- ln -s $ccPath/${targetPrefix}ghdl $out/bin/${targetPrefix}ghdl
'';
strictDeps = true;
propagatedBuildInputs = [ bintools ];
depsTargetTargetPropagated = extraPackages;
- setupHook = ./setup-hook.sh;
+ wrapperName = "CC_WRAPPER";
+
+ setupHooks = [
+ ../setup-hooks/role.bash
+ ./setup-hook.sh
+ ];
postFixup =
''
@@ -247,7 +239,6 @@ stdenv.mkDerivation {
''
+ optionalString (!nativeTools) ''
-
##
## Initial CFLAGS
##
@@ -263,33 +254,21 @@ stdenv.mkDerivation {
ccLDFlags+=" -L${cc_solib}/lib"
ccCFlags+=" -B${cc_solib}/lib"
- ${optionalString cc.langVhdl or false ''
- ccLDFlags+=" -L${zlib.out}/lib"
- ''}
-
- # Find the gcc libraries path (may work only without multilib).
- ${optionalString cc.langAda or false ''
- basePath=`echo ${cc_solib}/lib/*/*/*`
- ccCFlags+=" -B$basePath -I$basePath/adainclude"
- gnatCFlags="-aI$basePath/adainclude -aO$basePath/adalib"
- echo "$gnatCFlags" > $out/nix-support/gnat-cflags
- ''}
-
echo "$ccLDFlags" > $out/nix-support/cc-ldflags
echo "$ccCFlags" > $out/nix-support/cc-cflags
+ ''
+ + optionalString propagateDoc ''
##
- ## User env support
+ ## Man page and info support
##
- # Propagate the wrapped cc so that if you install the wrapper,
- # you get tools like gcov, the manpages, etc. as well (including
- # for binutils and Glibc).
+ mkdir -p $man/nix-support $info/nix-support
printWords ${cc.man or ""} > $man/nix-support/propagated-user-env-packages
+ printWords ${cc.info or ""} > $info/nix-support/propagated-user-env-packages
''
+ ''
-
##
## Hardening support
##
@@ -304,18 +283,18 @@ stdenv.mkDerivation {
+ ''
substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
- substituteAll ${./utils.sh} $out/nix-support/utils.sh
+ substituteAll ${../wrapper-common/utils.bash} $out/nix-support/utils.bash
##
## Extra custom steps
##
-
''
+
+ extraBuildCommands;
inherit expand-response-params;
- # for substitution in utils.sh
+ # for substitution in utils.bash
expandResponseParams = "${expand-response-params}/bin/expand-response-params";
meta =
diff --git a/pkgs/build-support/cc-wrapper/gnat-wrapper.sh b/pkgs/build-support/cc-wrapper/gnat-wrapper.sh
deleted file mode 100644
index a86c9fe4ada..00000000000
--- a/pkgs/build-support/cc-wrapper/gnat-wrapper.sh
+++ /dev/null
@@ -1,122 +0,0 @@
-#! @shell@
-set -eu -o pipefail +o posix
-shopt -s nullglob
-
-if (( "${NIX_DEBUG:-0}" >= 7 )); then
- set -x
-fi
-
-# N.B. Gnat is not used during bootstrapping, so we don't need to
-# worry about the old bash empty array `set -u` workarounds.
-
-path_backup="$PATH"
-
-# phase separation makes this look useless
-# shellcheck disable=SC2157
-if [ -n "@coreutils_bin@" ]; then
- PATH="@coreutils_bin@/bin"
-fi
-
-source @out@/nix-support/utils.sh
-
-if [ -z "${NIX_@infixSalt@_GNAT_WRAPPER_FLAGS_SET:-}" ]; then
- source @out@/nix-support/add-flags.sh
-fi
-
-
-# Figure out if linker flags should be passed. GCC prints annoying
-# warnings when they are not needed.
-dontLink=0
-nonFlagArgs=0
-
-for i in "$@"; do
- if [ "$i" = -c ]; then
- dontLink=1
- elif [ "$i" = -M ]; then
- dontLink=1
- elif [ "${i:0:1}" != - ]; then
- nonFlagArgs=1
- fi
-done
-
-# If we pass a flag like -Wl, then gcc will call the linker unless it
-# can figure out that it has to do something else (e.g., because of a
-# "-c" flag). So if no non-flag arguments are given, don't pass any
-# linker flags. This catches cases like "gcc" (should just print
-# "gcc: no input files") and "gcc -v" (should print the version).
-if [ "$nonFlagArgs" = 0 ]; then
- dontLink=1
-fi
-
-
-# Optionally filter out paths not refering to the store.
-params=("$@")
-if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "$NIX_STORE" ]]; then
- rest=()
- for p in "${params[@]}"; do
- if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
- skip "${p:2}"
- elif [ "${p:0:3}" = -I/ ] && badPath "${p:2}"; then
- skip "${p:2}"
- elif [ "${p:0:4}" = -aI/ ] && badPath "${p:3}"; then
- skip "${p:2}"
- elif [ "${p:0:4}" = -aO/ ] && badPath "${p:3}"; then
- skip "${p:2}"
- else
- rest+=("$p")
- fi
- done
- params=("${rest[@]}")
-fi
-
-
-# Clear march/mtune=native -- they bring impurity.
-if [ "$NIX_@infixSalt@_ENFORCE_NO_NATIVE" = 1 ]; then
- rest=()
- for p in "${params[@]}"; do
- if [[ "$p" = -m*=native ]]; then
- skip "$p"
- else
- rest+=("$p")
- fi
- done
- params=("${rest[@]}")
-fi
-
-
-# Add the flags for the GNAT compiler proper.
-extraAfter=($NIX_@infixSalt@_GNATFLAGS_COMPILE)
-extraBefore=()
-
-if [ "$(basename "$0")x" = "gnatmakex" ]; then
- extraBefore=("--GNATBIND=@out@/bin/gnatbind" "--GNATLINK=@out@/bin/gnatlink ")
-fi
-
-#if [ "$dontLink" != 1 ]; then
-# # Add the flags that should be passed to the linker (and prevent
-# # `ld-wrapper' from adding NIX_@infixSalt@_LDFLAGS again).
-# for i in $NIX_@infixSalt@_LDFLAGS_BEFORE; do
-# extraBefore+=("-largs" "$i")
-# done
-# for i in $NIX_@infixSalt@_LDFLAGS; do
-# if [ "${i:0:3}" = -L/ ]; then
-# extraAfter+=("$i")
-# else
-# extraAfter+=("-largs" "$i")
-# fi
-# done
-# export NIX_@infixSalt@_LDFLAGS_SET=1
-#fi
-
-# Optionally print debug info.
-if (( "${NIX_DEBUG:-0}" >= 1 )); then
- echo "extra flags before to @prog@:" >&2
- printf " %q\n" "${extraBefore[@]}" >&2
- echo "original flags to @prog@:" >&2
- printf " %q\n" "${params[@]}" >&2
- echo "extra flags after to @prog@:" >&2
- printf " %q\n" "${extraAfter[@]}" >&2
-fi
-
-PATH="$path_backup"
-exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"
diff --git a/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh b/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh
deleted file mode 100644
index 0944d74e431..00000000000
--- a/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#! @shell@
-set -eu -o pipefail +o posix
-shopt -s nullglob
-
-if (( "${NIX_DEBUG:-0}" >= 7 )); then
- set -x
-fi
-
-# N.B. Gnat is not used during bootstrapping, so we don't need to
-# worry about the old bash empty array `set -u` workarounds.
-
-# Add the flags for the GNAT compiler proper.
-extraAfter=("--GCC=@out@/bin/gcc")
-extraBefore=()
-
-## Add the flags that should be passed to the linker (and prevent
-## `ld-wrapper' from adding NIX_@infixSalt@_LDFLAGS again).
-#for i in $NIX_@infixSalt@_LDFLAGS_BEFORE; do
-# extraBefore+=("-largs" "$i")
-#done
-#for i in $NIX_@infixSalt@_LDFLAGS; do
-# if [ "${i:0:3}" = -L/ ]; then
-# extraAfter+=("$i")
-# else
-# extraAfter+=("-largs" "$i")
-# fi
-#done
-#export NIX_@infixSalt@_LDFLAGS_SET=1
-
-# Optionally print debug info.
-if (( "${NIX_DEBUG:-0}" >= 1 )); then
- echo "extra flags before to @prog@:" >&2
- printf " %q\n" "${extraBefore[@]}" >&2
- echo "original flags to @prog@:" >&2
- printf " %q\n" "$@" >&2
- echo "extra flags after to @prog@:" >&2
- printf " %q\n" "${extraAfter[@]}" >&2
-fi
-
-exec @prog@ "${extraBefore[@]}" "$@" "${extraAfter[@]}"
diff --git a/pkgs/build-support/cc-wrapper/setup-hook.sh b/pkgs/build-support/cc-wrapper/setup-hook.sh
index 6e635486078..9dacacc1f36 100644
--- a/pkgs/build-support/cc-wrapper/setup-hook.sh
+++ b/pkgs/build-support/cc-wrapper/setup-hook.sh
@@ -66,55 +66,22 @@ set -u
# over no state, and there's no @-substitutions within, so any redefined
# function is guaranteed to be exactly the same.
ccWrapper_addCVars () {
- # The `depHostOffset` describes how the host platform of the dependencies
- # are slid relative to the depending package. It is brought into scope of
- # the environment hook defined as the role of the dependency being applied.
- case $depHostOffset in
- -1) local role='BUILD_' ;;
- 0) local role='' ;;
- 1) local role='TARGET_' ;;
- *) echo "cc-wrapper: Error: Cannot be used with $depHostOffset-offset deps" >2;
- return 1 ;;
- esac
+ # See ../setup-hooks/role.bash
+ local role_post role_pre
+ getTargetRoleEnvHook
if [[ -d "$1/include" ]]; then
- export NIX_${role}CFLAGS_COMPILE+=" ${ccIncludeFlag:--isystem} $1/include"
+ export NIX_${role_pre}CFLAGS_COMPILE+=" ${ccIncludeFlag:--isystem} $1/include"
fi
if [[ -d "$1/Library/Frameworks" ]]; then
- export NIX_${role}CFLAGS_COMPILE+=" -F$1/Library/Frameworks"
+ export NIX_${role_pre}CFLAGS_COMPILE+=" -F$1/Library/Frameworks"
fi
}
-# Since the same cc-wrapper derivation can be depend on in multiple ways, we
-# need to accumulate *each* role (i.e. target platform relative the depending
-# derivation) in which the cc-wrapper derivation is used.
-# `NIX_CC_WRAPPER_@infixSalt@_TARGET_*` tracks this (needs to be an exported env
-# var so can't use fancier data structures).
-#
-# We also need to worry about what role is being added on *this* invocation of
-# setup-hook, which `role` tracks.
-case $targetOffset in
- -1)
- export NIX_CC_WRAPPER_@infixSalt@_TARGET_BUILD=1
- role_pre='BUILD_'
- role_post='_FOR_BUILD'
- ;;
- 0)
- export NIX_CC_WRAPPER_@infixSalt@_TARGET_HOST=1
- role_pre=''
- role_post=''
- ;;
- 1)
- export NIX_CC_WRAPPER_@infixSalt@_TARGET_TARGET=1
- role_pre='TARGET_'
- role_post='_FOR_TARGET'
- ;;
- *)
- echo "cc-wrapper: used as improper sort of dependency" >2;
- return 1
- ;;
-esac
+# See ../setup-hooks/role.bash
+getTargetRole
+getTargetRoleWrapper
# We use the `targetOffset` to choose the right env hook to accumulate the right
# sort of deps (those with that offset).
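Review bot: The return status of `getTargetRoleEnvHook` in `ccWrapper_addCVars`, and of the top-level `getTargetRole` and `getTargetRoleWrapper` calls, is not checked, whereas both removed `case` statements ended in `return 1` for an unsupported offset. If the helpers in ../setup-hooks/role.bash signal that case by returning non-zero (their bodies are not in this diff), the function would carry on with an empty `role_pre` and append the include flags to the host-role `NIX_CFLAGS_COMPILE`. `getTargetRoleEnvHook || return` and `getTargetRole || return` would keep the old behaviour. `role_post` is declared local but never read in this function, presumably because the helper assigns both names; a comment saying so would help.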
@@ -147,6 +114,10 @@ export ${role_pre}CXX=@named_cxx@
export CC${role_post}=@named_cc@
export CXX${role_post}=@named_cxx@
+# If unset, assume the default hardening flags.
+: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"}
+export NIX_HARDENING_ENABLE
+
# No local scope in sourced file
unset -v role_pre role_post
set +u
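Review bot: The default is exported under the unprefixed name `NIX_HARDENING_ENABLE`, while the exports just above it in this hunk are keyed by `role_pre` and `role_post`. If add-flags.sh mangles this variable per role like the other `NIX+…` lists (the list entry is not visible in this diff), a wrapper used only in the build or target role would read `NIX_BUILD_HARDENING_ENABLE` or `NIX_TARGET_HARDENING_ENABLE`, find it unset, and apply no hardening. Please confirm which roles the default covers and document it here. Separately, the unquoted `: ${…}` expansion is subject to word splitting and globbing; `: "${NIX_HARDENING_ENABLE=fortify stackprotector pic strictoverflow format relro bindnow}"` avoids that.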
diff --git a/pkgs/build-support/cc-wrapper/utils.sh b/pkgs/build-support/cc-wrapper/utils.sh
deleted file mode 100644
index 4b2b1380918..00000000000
--- a/pkgs/build-support/cc-wrapper/utils.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-mangleVarList() {
- local var="$1"
- shift
- local -a role_infixes=("$@")
-
- local outputVar="${var/+/_@infixSalt@_}"
- declare -gx ${outputVar}+=''
- # For each role we serve, we accumulate the input parameters into our own
- # cc-wrapper-derivation-specific environment variables.
- for infix in "${role_infixes[@]}"; do
- local inputVar="${var/+/${infix}}"
- if [ -v "$inputVar" ]; then
- export ${outputVar}+="${!outputVar:+ }${!inputVar}"
- fi
- done
-}
-
-mangleVarBool() {
- local var="$1"
- shift
- local -a role_infixes=("$@")
-
- local outputVar="${var/+/_@infixSalt@_}"
- declare -gxi ${outputVar}+=0
- for infix in "${role_infixes[@]}"; do
- local inputVar="${var/+/${infix}}"
- if [ -v "$inputVar" ]; then
- let "${outputVar} |= ${!inputVar}"
- fi
- done
-}
-
-skip () {
- if (( "${NIX_DEBUG:-0}" >= 1 )); then
- echo "skipping impure path $1" >&2
- fi
-}
-
-
-# Checks whether a path is impure. E.g., `/lib/foo.so' is impure, but
-# `/nix/store/.../lib/foo.so' isn't.
-badPath() {
- local p=$1
-
- # Relative paths are okay (since they're presumably relative to
- # the temporary build directory).
- if [ "${p:0:1}" != / ]; then return 1; fi
-
- # Otherwise, the path should refer to the store or some temporary
- # directory (including the build directory).
- test \
- "$p" != "/dev/null" -a \
- "${p:0:${#NIX_STORE}}" != "$NIX_STORE" -a \
- "${p:0:4}" != "/tmp" -a \
- "${p:0:${#NIX_BUILD_TOP}}" != "$NIX_BUILD_TOP"
-}
-
-expandResponseParams() {
- declare -ga params=("$@")
- local arg
- for arg in "$@"; do
- if [[ "$arg" == @* ]]; then
- # phase separation makes this look useless
- # shellcheck disable=SC2157
- if [ -x "@expandResponseParams@" ]; then
- # params is used by caller
- #shellcheck disable=SC2034
- readarray -d '' params < <("@expandResponseParams@" "$@")
- return 0
- else
- echo "Response files aren't supported during bootstrapping" >&2
- return 1
- fi
- fi
- done
-}