authorFranz Pletz <fpletz@fnordicwalking.de>2016-02-26 18:38:15 +0100
committerFranz Pletz <fpletz@fnordicwalking.de>2016-03-05 18:55:26 +0100
commitaff1f4ab948b921ceaf2b81610f2f82454302b4b (patch)
tree6e51e90a41409d56cfa084b9ca64921f2611fafc /pkgs/os-specific
parenta2e449e43e82e258b94c723d92a5e9af641967e7 (diff)
Use general hardening flag toggle lists
The following parameters are now available: * hardeningDisable To disable specific hardening flags * hardeningEnable To enable specific hardening flags Only the cc-wrapper supports this right now, but these may be reused by other wrappers, builders or setup hooks. cc-wrapper supports the following flags: * fortify * stackprotector * pie (disabled by default) * pic * strictoverflow * format * relro * bindnow
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r--pkgs/os-specific/linux/acpi-call/default.nix2
-rw-r--r--pkgs/os-specific/linux/batman-adv/default.nix2
-rw-r--r--pkgs/os-specific/linux/bbswitch/default.nix2
-rw-r--r--pkgs/os-specific/linux/blcr/default.nix2
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix2
-rw-r--r--pkgs/os-specific/linux/criu/default.nix3
-rw-r--r--pkgs/os-specific/linux/dietlibc/default.nix3
-rw-r--r--pkgs/os-specific/linux/disk-indicator/default.nix3
-rw-r--r--pkgs/os-specific/linux/facetimehd/default.nix2
-rw-r--r--pkgs/os-specific/linux/gogoclient/default.nix2
-rw-r--r--pkgs/os-specific/linux/ifenslave/default.nix2
-rw-r--r--pkgs/os-specific/linux/jool/default.nix2
-rw-r--r--pkgs/os-specific/linux/kernel-headers/3.18.nix2
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix6
-rw-r--r--pkgs/os-specific/linux/kexectools/default.nix2
-rw-r--r--pkgs/os-specific/linux/klibc/default.nix3
-rw-r--r--pkgs/os-specific/linux/lttng-modules/default.nix2
-rw-r--r--pkgs/os-specific/linux/multipath-tools/default.nix2
-rw-r--r--pkgs/os-specific/linux/netatop/default.nix2
-rw-r--r--pkgs/os-specific/linux/numad/default.nix2
-rw-r--r--pkgs/os-specific/linux/paxctl/default.nix2
-rw-r--r--pkgs/os-specific/linux/phc-intel/default.nix2
-rw-r--r--pkgs/os-specific/linux/rtl8812au/default.nix2
-rw-r--r--pkgs/os-specific/linux/setools/default.nix2
-rw-r--r--pkgs/os-specific/linux/spl/default.nix2
-rw-r--r--pkgs/os-specific/linux/sysdig/default.nix2
-rw-r--r--pkgs/os-specific/linux/syslinux/default.nix3
-rw-r--r--pkgs/os-specific/linux/tp_smapi/default.nix2
-rw-r--r--pkgs/os-specific/linux/v4l2loopback/default.nix3
-rw-r--r--pkgs/os-specific/linux/v86d/default.nix2
-rw-r--r--pkgs/os-specific/linux/xf86-video-nested/default.nix2
-rw-r--r--pkgs/os-specific/linux/zfs/default.nix2
32 files changed, 35 insertions, 39 deletions
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 05a5549fae2..65223a32bad 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
};
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
preBuild = ''
sed -e 's/break/true/' -i examples/turn_off_gpu.sh
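Review bot: Nothing beside `hardeningDisable = [ "pic" ];` records why position-independent code is switched off for this package, and the removed `hardening_pic = false;` carried no reason either. The same bare opt-out recurs in other hunks of this commit, for example batman-adv, bbswitch, blcr, facetimehd, jool and zfs for `pic`, criu, dietlibc and v86d for `stackprotector`, and disk-indicator and xf86-video-nested for `fortify`. Each entry removes a compiler mitigation from the built artefact, so a one-line reason lets a later reader tell a required exception from a leftover, e.g. `# kernel module: cannot be built with -fPIC` if that is the cause here, which the hunk does not show. The enclosing `stdenv.mkDerivation` starts and ends outside the hunk.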
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix
index 41c4f48ddb8..aabd36f945f 100644
--- a/pkgs/os-specific/linux/batman-adv/default.nix
+++ b/pkgs/os-specific/linux/batman-adv/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz";
};
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
preBuild = ''
makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix
index 2c91bfbd10f..67b843fac4d 100644
--- a/pkgs/os-specific/linux/bbswitch/default.nix
+++ b/pkgs/os-specific/linux/bbswitch/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation {
sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m";
}) ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
preBuild = ''
substituteInPlace Makefile \
diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix
index 78a576234ac..c2e3fa4b9e1 100644
--- a/pkgs/os-specific/linux/blcr/default.nix
+++ b/pkgs/os-specific/linux/blcr/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation {
buildInputs = [ perl makeWrapper ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
preConfigure = ''
configureFlagsArray=(
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index cc3cfe2465d..2785a57ac8a 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patches = [ ./busybox-in-store.patch ];
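Review bot: `hardeningDisable = [ "format" ];` keeps the format-string check off for the whole busybox build instead of fixing the call sites that trip it, and gogoclient, ifenslave, kexectools, multipath-tools, numad and setools do the same. If the `format` flag is the compile-time `-Wformat -Werror=format-security` diagnostic, as the name suggests, disabling it does not weaken the binary by itself but it does stop the build from reporting non-literal format strings in upstream code. This derivation already has a `patches` list, so the failing sites could be patched there; until then a marker such as `# TODO: patch the format-security failures and drop "format"` would keep the exception from becoming permanent.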
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index aacdfc496ee..6567e478636 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -23,7 +23,8 @@ stdenv.mkDerivation rec {
configurePhase = "make config PREFIX=$out";
makeFlags = "PREFIX=$(out)";
- hardening_stackprotector = false;
+
+ hardeningDisable = [ "stackprotector" ];
installPhase = ''
mkdir -p $out/etc/logrotate.d
diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix
index 09d7651c249..7a2d94100fa 100644
--- a/pkgs/os-specific/linux/dietlibc/default.nix
+++ b/pkgs/os-specific/linux/dietlibc/default.nix
@@ -12,7 +12,8 @@ stdenv.mkDerivation {
inherit glibc;
kernelHeaders = glibc.linuxHeaders;
- hardening_stackprotector = false;
+
+ hardeningDisable = [ "stackprotector" ];
patches = [
diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix
index 8eba742ebfb..4c2d0c88576 100644
--- a/pkgs/os-specific/linux/disk-indicator/default.nix
+++ b/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -19,7 +19,8 @@ stdenv.mkDerivation {
buildPhase = "make -f makefile";
NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
- hardening_fortify = false;
+
+ hardeningDisable = [ "fortify" ];
installPhase = ''
mkdir -p "$out/bin"
diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix
index 48494bd6b18..b25a65b2ab4 100644
--- a/pkgs/os-specific/linux/facetimehd/default.nix
+++ b/pkgs/os-specific/linux/facetimehd/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
export INSTALL_MOD_PATH="$out"
'';
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
makeFlags = [
"KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index 93c334b9593..e86c751331b 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
makeFlags = ["target=linux"];
installFlags = ["installdir=$(out)"];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
buildInputs = [openssl];
diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix
index a5cd2411819..b9390d1d589 100644
--- a/pkgs/os-specific/linux/ifenslave/default.nix
+++ b/pkgs/os-specific/linux/ifenslave/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
cp -a ifenslave $out/bin
'';
- hardening_format = false;
+ hardeningDisable = [ "format" ];
meta = {
description = "Utility for enslaving networking interfaces under a bond";
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index 7c956e3c244..79094ebb3e3 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
src = sourceAttrs.src;
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
prePatch = ''
sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix
index be54d7a4e6a..22650747ba2 100644
--- a/pkgs/os-specific/linux/kernel-headers/3.18.nix
+++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix
@@ -35,7 +35,7 @@ stdenv.mkDerivation {
buildInputs = [perl];
# FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
extraIncludeDirs =
if cross != null then
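Review bot: The `# FIXME needs gcc 4.9 in bootstrap tools` comment above `hardeningDisable = [ "stackprotector" ];` names a removal condition but nothing that makes the opt-out expire, and the paxctl hunk carries the identical pair. Once the bootstrap compiler is new enough the entry will stay unless someone remembers it. The comment could say what to check and where it is tracked, e.g. `# FIXME: drop once bootstrap tools ship gcc >= 4.9 (see <tracking issue placeholder>)`.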
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 5a22b5e2432..85a4b98982a 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -225,16 +225,12 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null)
(ubootChooser stdenv.platform.uboot);
- hardening_format = false;
- hardening_fortify = false;
- hardening_stackprotector = false;
+ hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ];
makeFlags = commonMakeFlags ++ [
"ARCH=${stdenv.platform.kernelArch}"
];
- hardening_pic = false;
-
karch = stdenv.platform.kernelArch;
crossAttrs = let cp = stdenv.cross.platform; in
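Review bot: The merged list `[ "format" "fortify" "stackprotector" "pic" ]` is the only multi-entry list in this commit that is not sorted; klibc, syslinux and v4l2loopback all list their flags alphabetically. `hardeningDisable = [ "format" "fortify" "pic" "stackprotector" ];` would match them and keep later diffs of this list easy to read. This file appears to build the kernel itself, so a short comment saying that the kernel build chooses its own stack-protector and PIC settings (if that is the reason, which the hunk does not state) would keep readers from taking four disabled flags for an unhardened kernel. The `stdenv.mkDerivation` call continues outside the hunk.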
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 98593ea85a9..d1a2fabf814 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
buildInputs = [ zlib ];
diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix
index b05b0dc4463..ffa381d0f29 100644
--- a/pkgs/os-specific/linux/klibc/default.nix
+++ b/pkgs/os-specific/linux/klibc/default.nix
@@ -21,8 +21,7 @@ stdenv.mkDerivation {
nativeBuildInputs = [ perl ];
- hardening_format = false;
- hardening_stackprotector = false;
+ hardeningDisable = [ "format" "stackprotector" ];
makeFlags = commonMakeFlags ++ [
"KLIBCARCH=${stdenv.platform.kernelArch}"
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix
index f6a5e30afa0..0bcc6dd5143 100644
--- a/pkgs/os-specific/linux/lttng-modules/default.nix
+++ b/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx";
};
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
preConfigure = ''
export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix
index 8aee4b73fdd..409eb31e14f 100644
--- a/pkgs/os-specific/linux/multipath-tools/default.nix
+++ b/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
postPatch = ''
sed -i -re '
diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix
index e95cd4e133c..35781dc7f95 100644
--- a/pkgs/os-specific/linux/netatop/default.nix
+++ b/pkgs/os-specific/linux/netatop/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation {
buildInputs = [ zlib ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
preConfigure = ''
patchShebangs mkversion
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index 959de19ead2..7310e7e36ad 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patches = [
./numad-linker-flags.patch
diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix
index 50aa77104c2..7ef98eb2353 100644
--- a/pkgs/os-specific/linux/paxctl/default.nix
+++ b/pkgs/os-specific/linux/paxctl/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
];
# FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
setupHook = ./setup-hook.sh;
diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix
index 56ff6c473b4..56c12e9a4f0 100644
--- a/pkgs/os-specific/linux/phc-intel/default.nix
+++ b/pkgs/os-specific/linux/phc-intel/default.nix
@@ -21,7 +21,7 @@ in stdenv.mkDerivation rec {
buildInputs = [ which ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
makeFlags = with kernel; [
"DESTDIR=$(out)"
diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix
index 5a03df98346..102b935be29 100644
--- a/pkgs/os-specific/linux/rtl8812au/default.nix
+++ b/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj";
};
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
patchPhase = ''
substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index 6e8d9d3cf7a..5f539b9a97e 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
"--with-tcl=${tcl}/lib"
];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
NIX_CFLAGS_COMPILE = "-fstack-protector-all";
NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib";
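Review bot: `NIX_CFLAGS_COMPILE = "-fstack-protector-all";` directly below the new `hardeningDisable = [ "format" ];` now overlaps with the wrapper's own `stackprotector` flag, which the commit message lists without marking it as disabled by default. Which of the two stack-protector options takes effect depends on the order in which the wrapper emits them, and that is not visible in this hunk. A comment stating whether the manual flag is still wanted, e.g. `# keep -all on purpose; do not rely on the wrapper's stackprotector flag` if that is the intent, or dropping the manual flag if it is not, would remove the ambiguity.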
diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix
index 67e2f16848b..3fbfa4fdc53 100644
--- a/pkgs/os-specific/linux/spl/default.nix
+++ b/pkgs/os-specific/linux/spl/default.nix
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
buildInputs = [ autoconf automake libtool ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
preConfigure = ''
./autogen.sh
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index 00f9a66f0cd..358f7d38efa 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl
];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
cmakeFlags = [
"-DUSE_BUNDLED_DEPS=OFF"
diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix
index 3ace0f5c5ed..a68ab9c478c 100644
--- a/pkgs/os-specific/linux/syslinux/default.nix
+++ b/pkgs/os-specific/linux/syslinux/default.nix
@@ -16,8 +16,7 @@ stdenv.mkDerivation rec {
buildInputs = [ libuuid makeWrapper ];
enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
- hardening_stackprotector = false;
- hardening_pic = false;
+ hardeningDisable = [ "pic" "stackprotector" ];
preBuild = ''
substituteInPlace Makefile --replace /bin/pwd $(type -P pwd)
diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix
index 116a0344450..dceb777ad72 100644
--- a/pkgs/os-specific/linux/tp_smapi/default.nix
+++ b/pkgs/os-specific/linux/tp_smapi/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666";
};
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
makeFlags = [
"KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix
index 8b44f3388d3..376a407d993 100644
--- a/pkgs/os-specific/linux/v4l2loopback/default.nix
+++ b/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -9,8 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568";
};
- hardening_pic = false;
- hardening_format = false;
+ hardeningDisable = [ "format" "pic" ];
preBuild = ''
substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix
index 17255aa1283..073a6ded998 100644
--- a/pkgs/os-specific/linux/v86d/default.nix
+++ b/pkgs/os-specific/linux/v86d/default.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
configureFlags = [ "--with-klibc" "--with-x86emu" ];
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
makeFlags = [
"KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix
index 96f353a64da..8b712553be9 100644
--- a/pkgs/os-specific/linux/xf86-video-nested/default.nix
+++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
pkgconfig renderproto utilmacros xorgserver
];
- hardening_fortify = false;
+ hardeningDisable = [ "fortify" ];
CFLAGS = "-I${pixman}/include/pixman-1";
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index 0a61bdcea85..c49f393dd16 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
# for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work
NIX_CFLAGS_LINK = "-lgcc_s";
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
preConfigure = ''
substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs"