WIP - fix sa vs hardening

Alternative to NixOS#353131
Ma27 · Nov 2, 2024 · c84bb84 · c84bb84
1 parent d32fe41
commit c84bb84
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -6,9 +6,15 @@ declare -A hardeningEnableMap=()
 # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
 # array expansion also prevents undefined variables from causing trouble with
 # `set -u`.
-for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do
-  hardeningEnableMap["$flag"]=1
-done
+if [[ -z "${__structuredAttrs-}" ]]; then
+  for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do
+    hardeningEnableMap["$flag"]=1
+  done
+else
+  for flag in "${NIX_HARDENING_ENABLE_@suffixSalt@[@]}"; do
+    hardeningEnableMap["$flag"]=1
+  done
+fi
 
 # fortify3 implies fortify enablement - make explicit before
 # we filter unsupported flags because unsupporting fortify3

diff --git a/pkgs/test/cc-wrapper/hardening.nix b/pkgs/test/cc-wrapper/hardening.nix
@@ -178,6 +178,13 @@ in nameDrvAfterAttrName ({
     ignorePie = false;
   });
 
+  pieExplicitEnabledStructuredAttrs = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "pie" ];
+    __structuredAttrs = true;
+  }) {
+    ignorePie = false;
+  });
+
   relROExplicitEnabled = checkTestBin (f2exampleWithStdEnv stdenv {
     hardeningEnable = [ "relro" ];
   }) {