# Set of hardening feature names requested for this build. Keys are the
# flag names; the value (always 1) is irrelevant, only key presence is
# tested further down.
declare -A hardeningEnableMap=()
# Linker flags selected by the per-flag logic further down; appended to
# with '+=' as each enabled feature is processed.
declare -a hardeningLDFlags=()
5 # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
6 # array expansion also prevents undefined variables from causing trouble with
# Deliberately left unquoted: NIX_HARDENING_ENABLE_@suffixSalt@ is a
# whitespace-separated list supplied by Nix, so word-splitting is the
# intended parser. The '-' default expands to nothing when the variable is
# unset, so 'set -u' does not abort here.
for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do
  # Record membership only; the stored value is never read.
  hardeningEnableMap["$flag"]=1
done
# Strip every flag this toolchain cannot honour. The list is substituted
# by Nix at build time; removing a key that was never enabled is a no-op,
# so the result is exactly the requested flags minus the unsupported ones.
for flag in @hardening_unsupported_flags@; do
  unset -v "hardeningEnableMap[$flag]"
done
17 if (( "${NIX_DEBUG:-0}" >= 1 )); then
18 declare -a allHardeningFlags
=(pie relro bindnow
)
19 declare -A hardeningDisableMap
=()
21 # Determine which flags were effectively disabled so we can report below.
22 for flag
in "${allHardeningFlags[@]}"; do
23 if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
24 hardeningDisableMap
[$flag]=1
28 printf 'HARDENING: disabled flags:' >&2
29 (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
32 if (( "${#hardeningEnableMap[@]}" )); then
33 echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
37 for flag
in "${!hardeningEnableMap[@]}"; do
40 if [[ ! (" ${params[*]} " =~
" -shared " \
41 ||
" ${params[*]} " =~
" -static " \
42 ||
" ${params[*]} " =~
" -r " \
43 ||
" ${params[*]} " =~
" -Ur " \
44 ||
" ${params[*]} " =~
" -i ") ]]; then
45 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING
: enabling LDFlags
-pie >&2; fi
46 hardeningLDFlags
+=('-pie')
50 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING
: enabling relro
>&2; fi
51 hardeningLDFlags
+=('-z' 'relro')
54 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING
: enabling bindnow
>&2; fi
55 hardeningLDFlags
+=('-z' 'now')
58 # Ignore unsupported. Checked in Nix that at least *some*
59 # tool supports each flag.