Merge branch 'hardened-stdenv' into staging

Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags
enabled by default on the whole package set
obadz 2016-08-22 01:19:35 +01:00
commit 24a9183f90
468 changed files with 1777 additions and 1453 deletions

View File

@ -632,7 +632,7 @@ Given a `default.nix`:
src = ./.; }
Running `nix-shell` with no arguments should give you
the environment in which the package would be build with
the environment in which the package would be built with
`nix-build`.
Shortcut to setup environments with C headers/libraries and python packages:

View File

@ -1360,6 +1360,209 @@ in the default system locations.</para>
</section>
<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
<para>There are flags available to harden packages at compile or link-time.
These can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
<varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
</para>
<para>The following flags are enabled by default and might require disabling
if the program to package is incompatible.
</para>
<variablelist>
<varlistentry>
<term><varname>format</varname></term>
<listitem><para>Adds the <option>-Wformat -Wformat-security
-Werror=format-security</option> compiler options. At present,
this warns about calls to <varname>printf</varname> and
<varname>scanf</varname> functions where the format string is
not a string literal and there are no format arguments, as in
<literal>printf(foo);</literal>. This may be a security hole
if the format string came from untrusted input and contains
<literal>%n</literal>.</para>
<para>This needs to be turned off or fixed for errors similar to:</para>
<programlisting>
/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
printf(help_message);
^
cc1plus: some warnings being treated as errors
</programlisting></listitem>
</varlistentry>
<varlistentry>
<term><varname>stackprotector</varname></term>
<listitem>
<para>Adds the <option>-fstack-protector-strong
--param ssp-buffer-size=4</option>
compiler options. This adds safety checks against stack overwrites
rendering many potential code injection attacks into aborting situations.
In the best case this turns code injection vulnerabilities into denial
of service or into non-issues (depending on the application).</para>
<para>This needs to be turned off or fixed for errors similar to:</para>
<programlisting>
bin/blib.a(bios_console.o): In function `bios_handle_cup':
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
</programlisting></listitem>
</varlistentry>
<varlistentry>
<term><varname>fortify</varname></term>
<listitem>
<para>Adds the <option>-O2 -D_FORTIFY_SOURCE=2</option> compiler
options. During code generation the compiler knows a great deal of
information about buffer sizes (where possible), and attempts to replace
insecure unlimited length buffer function calls with length-limited ones.
This is especially useful for old, crufty code. Additionally, format
strings in writable memory that contain '%n' are blocked. If an application
depends on such a format string, it will need to be worked around.
</para>
<para>Addtionally, some warnings are enabled which might trigger build
failures if compiler warnings are treated as errors in the package build.
In this case, set <option>NIX_CFLAGS_COMPILE</option> to
<option>-Wno-error=warning-type</option>.</para>
<para>This needs to be turned off or fixed for errors similar to:</para>
<programlisting>
malloc.c:404:15: error: return type is an incomplete type
malloc.c:410:19: error: storage size of 'ms' isn't known
</programlisting>
<programlisting>
strdup.h:22:1: error: expected identifier or '(' before '__extension__'
</programlisting>
<programlisting>
strsep.c:65:23: error: register name not specified for 'delim'
</programlisting>
<programlisting>
installwatch.c:3751:5: error: conflicting types for '__open_2'
</programlisting>
<programlisting>
fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>pic</varname></term>
<listitem>
<para>Adds the <option>-fPIC</option> compiler options. This options adds
support for position independant code in shared libraries and thus making
ASLR possible.</para>
<para>Most notably, the Linux kernel, kernel modules and other code
not running in an operating system environment like boot loaders won't
build with PIC enabled. The compiler will is most cases complain that
PIC is not supported for a specific build.
</para>
<para>This needs to be turned off or fixed for assembler errors similar to:</para>
<programlisting>
ccbLfRgg.s: Assembler messages:
ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>strictoverflow</varname></term>
<listitem>
<para>Signed integer overflow is undefined behaviour according to the C
standard. If it happens, it is an error in the program as it should check
for overflow before it can happen, not afterwards. GCC provides built-in
functions to perform arithmetic with overflow checking, which are correct
and faster than any custom implementation. As a workaround, the option
<option>-fno-strict-overflow</option> makes gcc behave as if signed
integer overflows were defined.
</para>
<para>This flag should not trigger any build or runtime errors.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>relro</varname></term>
<listitem>
<para>Adds the <option>-z relro</option> linker option. During program
load, several ELF memory sections need to be written to by the linker,
but can be turned read-only before turning over control to the program.
This prevents some GOT (and .dtors) overwrite attacks, but at least the
part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
</para>
<para>This flag can break dynamic shared object loading. For instance, the
module systems of Xorg and OpenCV are incompatible with this flag. In almost
all cases the <varname>bindnow</varname> flag must also be disabled and
incompatible programs typically fail with similar errors at runtime.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>bindnow</varname></term>
<listitem>
<para>Adds the <option>-z bindnow</option> linker option. During program
load, all dynamic symbols are resolved, allowing for the complete GOT to
be marked read-only (due to <varname>relro</varname>). This prevents GOT
overwrite attacks. For very large applications, this can incur some
performance loss during initial load while symbols are resolved, but this
shouldn't be an issue for daemons.
</para>
<para>This flag can break dynamic shared object loading. For instance, the
module systems of Xorg and PHP are incompatible with this flag. Programs
incompatible with this flag often fail at runtime due to missing symbols,
like:</para>
<programlisting>
intel_drv.so: undefined symbol: vgaHWFreeHWRec
</programlisting>
</listitem>
</varlistentry>
</variablelist>
<para>The following flags are disabled by default and should be enabled
for packages that take untrusted input, like network services.
</para>
<variablelist>
<varlistentry>
<term><varname>pie</varname></term>
<listitem>
<para>Adds the <option>-fPIE</option> compiler and <option>-pie</option>
linker options. Position Independent Executables are needed to take
advantage of Address Space Layout Randomization, supported by modern
kernel versions. While ASLR can already be enforced for data areas in
the stack and heap (brk and mmap), the code areas must be compiled as
position-independent. Shared libraries already do this with the
<varname>pic</varname> flag, so they gain ASLR automatically, but binary
.text regions need to be build with <varname>pie</varname> to gain ASLR.
When this happens, ROP attacks are much harder since there are no static
locations to bounce off of during a memory corruption attack.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>For more in-depth information on these hardening flags and hardening in
general, refer to the
<link xlink:href="https://wiki.debian.org/Hardening">Debian Wiki</link>,
<link xlink:href="https://wiki.ubuntu.com/Security/Features">Ubuntu Wiki</link>,
<link xlink:href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Wiki</link>,
and the <link xlink:href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">
Arch Wiki</link>.
</para>
</section>
</chapter>
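Review bot: several typos in the new section should be fixed before merge: `Addtionally` in the `fortify` entry, `position independant code` and `This options adds` in the `pic` entry, `The compiler will is most cases complain` in the same entry (should read `will in most cases`), and `need to be build with pie` in the `pie` entry (`built`). On substance, two points. In the `stackprotector` entry, `--param ssp-buffer-size=4` only sets the array-size threshold used by plain `-fstack-protector`; with `-fstack-protector-strong` every function that has a local array or takes the address of a local is instrumented regardless of size, so the prose should not suggest the param changes what gets protected. In the `fortify` entry, `_FORTIFY_SOURCE` is only effective when the compiler optimizes, and glibc emits a `_FORTIFY_SOURCE requires compiling with optimization` warning otherwise (an error under `-Werror`); it would help to say that the accompanying `-O2` is what makes the define effective and that a package whose own `-O0` ends up later on the command line may hit exactly that failure. Finally, the `relro` entry notes that `.got.plt` stays writable; stating there that `bindnow` is what closes that gap (as the `bindnow` entry already implies) would help readers who are deciding which of the two to disable.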

View File

@ -9,8 +9,7 @@ with lib;
default = false;
description =
'' When enabled, GNU software is chosen by default whenever a there is
a choice between GNU and non-GNU software (e.g., GNU lsh
vs. OpenSSH).
a choice between GNU and non-GNU software.
'';
};
};
@ -33,11 +32,6 @@ with lib;
boot.loader.grub.enable = !pkgs.stdenv.isArm;
boot.loader.grub.version = 2;
# GNU lsh.
services.openssh.enable = false;
services.lshd.enable = true;
programs.ssh.startAgent = false;
# TODO: GNU dico.
# TODO: GNU Inetutils' inetd.
# TODO: GNU Pies.
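Review bot: dropping `services.lshd.enable = true;` together with `services.openssh.enable = false;` leaves the GNU profile with no SSH daemon at all, so a host built from this profile silently loses remote login after the upgrade. If that is intended, the commit message or a release note should say so and point users at `services.openssh.enable = true;`.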

View File

@ -404,7 +404,6 @@
./services/networking/softether.nix
./services/networking/spiped.nix
./services/networking/sslh.nix
./services/networking/ssh/lshd.nix
./services/networking/ssh/sshd.nix
./services/networking/strongswan.nix
./services/networking/supplicant.nix
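Review bot: removing `./services/networking/ssh/lshd.nix` from the module list means any existing configuration that still sets `services.lshd.*` now fails evaluation with an undefined-option error. Consider registering `services.lshd` as a removed option in `rename.nix` (via `mkRemovedOptionModule`) so affected users get a message pointing them at `services.openssh` instead.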

View File

@ -1,176 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (pkgs) lsh;
cfg = config.services.lshd;
in
{
###### interface
options = {
services.lshd = {
enable = mkOption {
default = false;
description = ''
Whether to enable the GNU lshd SSH2 daemon, which allows
secure remote login.
'';
};
portNumber = mkOption {
default = 22;
description = ''
The port on which to listen for connections.
'';
};
interfaces = mkOption {
default = [];
description = ''
List of network interfaces where listening for connections.
When providing the empty list, `[]', lshd listens on all
network interfaces.
'';
example = [ "localhost" "1.2.3.4:443" ];
};
hostKey = mkOption {
default = "/etc/lsh/host-key";
description = ''
Path to the server's private key. Note that this key must
have been created, e.g., using "lsh-keygen --server |
lsh-writekey --server", so that you can run lshd.
'';
};
syslog = mkOption {
default = true;
description = ''Whether to enable syslog output.'';
};
passwordAuthentication = mkOption {
default = true;
description = ''Whether to enable password authentication.'';
};
publicKeyAuthentication = mkOption {
default = true;
description = ''Whether to enable public key authentication.'';
};
rootLogin = mkOption {
default = false;
description = ''Whether to enable remote root login.'';
};
loginShell = mkOption {
default = null;
description = ''
If non-null, override the default login shell with the
specified value.
'';
example = "/nix/store/xyz-bash-10.0/bin/bash10";
};
srpKeyExchange = mkOption {
default = false;
description = ''
Whether to enable SRP key exchange and user authentication.
'';
};
tcpForwarding = mkOption {
default = true;
description = ''Whether to enable TCP/IP forwarding.'';
};
x11Forwarding = mkOption {
default = true;
description = ''Whether to enable X11 forwarding.'';
};
subsystems = mkOption {
description = ''
List of subsystem-path pairs, where the head of the pair
denotes the subsystem name, and the tail denotes the path to
an executable implementing it.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];
systemd.services.lshd = {
description = "GNU lshd SSH2 daemon";
after = [ "network-interfaces.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
LD_LIBRARY_PATH = config.system.nssModules.path;
};
preStart = ''
test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh
test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh
if ! test -f /var/spool/lsh/yarrow-seed-file
then
# XXX: It would be nice to provide feedback to the
# user when this fails, so that they can retry it
# manually.
${lsh}/bin/lsh-make-seed --sloppy \
-o /var/spool/lsh/yarrow-seed-file
fi
if ! test -f "${cfg.hostKey}"
then
${lsh}/bin/lsh-keygen --server | \
${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}"
fi
'';
script = with cfg; ''
${lsh}/sbin/lshd --daemonic \
--password-helper="${lsh}/sbin/lsh-pam-checkpw" \
-p ${toString portNumber} \
${if interfaces == [] then ""
else (concatStrings (map (i: "--interface=\"${i}\"")
interfaces))} \
-h "${hostKey}" \
${if !syslog then "--no-syslog" else ""} \
${if passwordAuthentication then "--password" else "--no-password" } \
${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \
${if rootLogin then "--root-login" else "--no-root-login" } \
${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \
${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \
${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \
${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \
--subsystems=${concatStringsSep ","
(map (pair: (head pair) + "=" +
(head (tail pair)))
subsystems)}
'';
};
security.pam.services.lshd = {};
};
}
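Review bot: the rationale for deleting the whole `lshd` module is not stated anywhere in this change; every other package touched by the branch gets a `hardeningDisable` entry rather than removal. If `lsh` no longer builds under the hardened stdenv, or is unmaintained upstream, please say so in the commit message so the removal is traceable. Note also that the deletion drops the `security.pam.services.lshd = {};` registration and the generated `/etc/lsh/host-key` handling with it, so hosts that relied on this module will present a new host key once they move to OpenSSH.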

View File

@ -341,7 +341,7 @@ in
default = false;
type = types.bool;
description = ''
Whether GRUB should be build against libzfs.
Whether GRUB should be built against libzfs.
ZFS support is only available for GRUB v2.
This option is ignored for GRUB v1.
'';
@ -351,7 +351,7 @@ in
default = false;
type = types.bool;
description = ''
Whether GRUB should be build with EFI support.
Whether GRUB should be built with EFI support.
EFI support is only available for GRUB v2.
This option is ignored for GRUB v1.
'';

View File

@ -8,6 +8,7 @@ import ./make-test.nix ({ pkgs, ... }: {
kdev = config.boot.kernelPackages.kernel.dev;
kver = config.boot.kernelPackages.kernel.modDirVersion;
ksrc = "${kdev}/lib/modules/${kver}/build";
hardeningDisable = [ "pic" ];
} ''
echo "obj-m += $name.o" > Makefile
echo "$source" > "$name.c"

View File

@ -2,6 +2,7 @@
stdenv.mkDerivation {
name = "aacgain-1.9.0";
src = fetchFromGitHub {
owner = "mulx";
repo = "aacgain";
@ -9,6 +10,8 @@ stdenv.mkDerivation {
sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
};
hardeningDisable = [ "format" ];
configurePhase = ''
cd mp4v2
./configure
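Review bot: `hardeningDisable = [ "format" ];` silences `-Werror=format-security` for the whole package instead of fixing the offending call. The documentation added in this branch describes the error as something to be turned off or fixed; where the culprit is a single `printf(msg)` with a non-literal format string, a one-line patch to `printf("%s", msg)` (or `fputs`) keeps the check active for the rest of the code base. At minimum, a comment naming the file that triggers the error would make re-enabling it later much easier. The same applies to the many identical `hardeningDisable = [ "format" ];` additions further down.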

View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
};
hardeningDisable = [ "format" ];
preConfigure = "unset CC";
patches = stdenv.lib.optionals stdenv.isDarwin [

View File

@ -16,6 +16,8 @@ stdenv.mkDerivation {
enableParallelBuilding = true;
hardeningDisable = [ "format" ];
src = fetchurl {
url = mirror://sourceforge/csound/Csound6.04.tar.gz;
sha256 = "1030w38lxdwjz1irr32m9cl0paqmgr02lab2m7f7j1yihwxj1w0g";

View File

@ -19,6 +19,8 @@ stdenv.mkDerivation {
patches = [ ./am_path_sdl.patch ./xml.patch ];
hardeningDisable = [ "format" ];
meta = {
description = "A live looping instrument with JACK and MIDI support";
longDescription = ''

View File

@ -13,6 +13,8 @@ stdenv.mkDerivation {
buildInputs = [ mpd_clientlib dbus_glib audacious gtk gsl libaudclient ];
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "Generates playlists such that each song sounds good following the previous song";
homepage = http://gjay.sourceforge.net/;

View File

@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
cp jack_capture $out/bin/
'';
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "A program for recording soundfiles with jack";
homepage = http://archive.notam02.no/arkiv/src;

View File

@ -8,6 +8,8 @@ stdenv.mkDerivation {
sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
};
hardeningDisable = [ "format" ];
buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
configureFlags = "--disable-jack";

View File

@ -21,6 +21,8 @@ stdenv.mkDerivation {
sourceRoot=".";
hardeningDisable = [ "format" ];
buildPhase = "./cc";
installPhase = ''
mkdir -p "$out"/{bin,share/doc/mi2ly}

View File

@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
buildInputs = [ ncurses pkgconfig gtk ];
hardeningDisable = [ "format" ];
configurePhase =
'' sed -i Makefile \
-e "s|^prefix=.*$|prefix=$out|g ;

View File

@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
install -Dv mp3val "$out/bin/mp3val"
'';
hardeningDisable = [ "fortify" ];
meta = {
description = "A tool for validating and repairing MPEG audio streams";
longDescription = ''
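Review bot: mp3val exists to parse and repair possibly malformed MPEG audio streams, which is exactly the untrusted-input case for which the documentation in this branch recommends keeping `fortify` on. If the build failure is one of the incomplete-type or conflicting-prototype errors listed in the docs, a small source patch is preferable to dropping the runtime bounds checks; either way, please add a comment recording the error that motivated `hardeningDisable = [ "fortify" ];`.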

View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
};
hardeningDisable = [ "format" ];
configureFlags = [
("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
];

View File

@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
sha256 = "067f4li48qfhz2barj70zpf2d2mlii12npx07jx9xjkkgz84z4c9";
};
hardeningDisable = [ "relro" "bindnow" ];
makeFlags = [
"PREFIX=$(out)"
];
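Review bot: `hardeningDisable = [ "relro" "bindnow" ];` disables both load-time protections with no explanation. Per the new documentation these only need to go when the program's own module loader breaks (symbols it expects to resolve lazily, or a GOT it writes after load); please record which runtime failure was observed so the pair can be reconsidered once upstream addresses it.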

View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
buildInputs = [ puredata ];
hardeningDisable = [ "format" ];
patchPhase = ''
for file in `grep -r -l g_canvas.h`
do

View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
buildInputs = [ puredata ];
hardeningDisable = [ "format" ];
patchPhase = ''
for i in ${puredata}/include/pd/*; do
ln -s $i .

View File

@ -14,7 +14,9 @@ stdenv.mkDerivation rec {
sha256 = "12jqba3jsdrk20ib9wc2wiivki88ypcd4mkzgsri9siywbbz9w8x";
};
buildInputs = [puredata ];
buildInputs = [ puredata ];
hardeningDisable = [ "format" ];
patchPhase = ''
for D in net osc

View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
};
hardeningDisable = [ "format" ];
buildInputs = [ qt4 alsaLib libjack2 ];
meta = with stdenv.lib; {

View File

@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
};
hardeningDisable = [ "format" ];
patches = [ ./fltk-path.patch ];
buildInputs = [ alsaLib alsaUtils fltk libjack2 libXft libXpm libjpeg

View File

@ -1,5 +1,5 @@
{ stdenv, fetchurl, fetchgit, ftgl, freefont_ttf, libjack2, mesa_glu, pkgconfig
, libltc, libsndfile, libsamplerate
, libltc, libsndfile, libsamplerate, xz
, lv2, mesa, gtk2, cairo, pango, fftwFloat, zita-convolver }:
stdenv.mkDerivation rec {
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
sha256 = "1ald0c5xbfkdq6g5xwyy8wmbi636m3k3gqrq16kbh46g0kld1as9";
};
buildInputs = [ mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig zita-convolver];
buildInputs = [ xz mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig zita-convolver];
makeFlags = [ "PREFIX=$(out)" "FONTFILE=${freefont_ttf}/share/fonts/truetype/FreeSansBold.ttf" "LIBZITACONVOLVER=${zita-convolver}/include/zita-convolver.h" ];
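Review bot: adding `xz` to both the argument list and `buildInputs` is unrelated to the hardening flags this branch is about. If the package now needs liblzma to build under the hardened stdenv, explain why in the commit message; otherwise this belongs in its own commit.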

View File

@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
nativeBuildInputs = [ cmake pkgconfig ];
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "High quality software synthesizer";
homepage = http://zynaddsubfx.sourceforge.net;

View File

@ -1,19 +1,23 @@
{ stdenv, lib, fetchurl, ncurses }:
{ stdenv, fetchurl, ncurses }:
stdenv.mkDerivation rec {
name = "bviplus-${version}";
version = "0.9.4";
src = fetchurl {
url = "mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz";
sha256 = "10x6fbn8v6i0y0m40ja30pwpyqksnn8k2vqd290vxxlvlhzah4zb";
};
buildInputs = [
ncurses
];
makeFlags = "PREFIX=$(out)";
buildFlags = [ "CFLAGS=-fgnu89-inline" ];
meta = with lib; {
meta = with stdenv.lib; {
description = "Ncurses based hex editor with a vim-like interface";
homepage = http://bviplus.sourceforge.net;
license = licenses.gpl3;
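Review bot: `buildFlags = [ "CFLAGS=-fgnu89-inline" ];` passes CFLAGS on the make command line, which replaces the Makefile's own CFLAGS rather than appending to them; please check that nothing the Makefile set there (include paths, defines) is lost. The hardening flags themselves are unaffected, since the cc wrapper injects them independently of CFLAGS. The `lib` to `stdenv.lib` argument change in the same hunk is unrelated churn and would be cleaner as a separate commit.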

View File

@ -56,6 +56,8 @@ stdenv.mkDerivation rec {
propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ];
hardeningDisable = [ "format" ];
configureFlags =
(if stdenv.isDarwin
then [ "--with-ns" "--disable-ns-self-contained" ]

View File

@ -3,13 +3,18 @@
stdenv.mkDerivation rec {
name = "ht-${version}";
version = "2.1.0";
src = fetchurl {
url = "mirror://sourceforge/project/hte/ht-source/ht-${version}.tar.bz2";
sha256 = "0w2xnw3z9ws9qrdpb80q55h6ynhh3aziixcfn45x91bzrbifix9i";
};
buildInputs = [
ncurses
];
hardeningDisable = [ "format" ];
meta = with lib; {
description = "File editor/viewer/analyzer for executables";
homepage = "http://hte.sourceforge.net";

View File

@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
buildInputs = [ intltool pkgconfig gtk ];
hardeningDisable = [ "format" ];
configureFlags = [
"--enable-chooser"
];

View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "1v8y8vwj3kn91crsddqkz843y6csgw7wkjnd3zdcb4bcrf1pjrsk";
};
hardeningDisable = [ "format" ];
buildInputs = [ xlibsWrapper motif libXpm ];
buildFlags = if stdenv.isLinux then "linux" else

View File

@ -99,6 +99,9 @@ let
"-DLUA_PRG=${luaPackages.lua}/bin/lua"
];
# triggers on buffer overflow bug while running tests
hardeningDisable = [ "fortify" ];
preConfigure = ''
substituteInPlace runtime/autoload/man.vim \
--replace /usr/bin/man ${man}/bin/man
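Review bot: the comment `# triggers on buffer overflow bug while running tests` says `fortify` is being disabled because the test suite trips a real buffer-overflow check. Turning the check off hides a genuine memory-safety bug in the shipped binary, not just in the tests; prefer carrying the upstream fix as a patch or skipping only the failing test, and link the upstream issue in the comment so the disable can be reverted when it is resolved.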

View File

@ -192,6 +192,8 @@ composableDerivation {
dontStrip = 1;
hardeningDisable = [ "fortify" ];
meta = with stdenv.lib; {
description = "The most popular clone of the VI editor";
homepage = http://www.vim.org;
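Review bot: `hardeningDisable = [ "fortify" ];` is added here without a comment. Because `_FORTIFY_SOURCE` failures are usually either a real overflow or a glibc header incompatibility, a one-line note on which it was (compile error versus runtime abort) is needed to judge whether this should stay disabled or be fixed with a patch.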

View File

@ -30,6 +30,8 @@ stdenv.mkDerivation rec {
"--enable-nls"
];
hardeningDisable = [ "fortify" ];
postInstall = ''
ln -s $out/bin/vim $out/bin/vi
mkdir -p $out/share/vim

View File

@ -18,14 +18,14 @@ stdenv.mkDerivation rec {
libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
];
hardeningDisable = [ "format" ];
patches = [ ./install.patch ];
nativeBuildInputs = [ cmake pkgconfig ];
NIX_LDFLAGS = "-llcms -ljpeg -lX11";
# NIX_CFLAGS_COMPILE = "-I.";
meta = {
homepage = http://www.cinepaint.org/;
license = stdenv.lib.licenses.free;

View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ cmake ];
hardeningDisable = [ "format" ];
meta = {
description = "Fontmatrix is a free/libre font explorer for Linux, Windows and Mac";
homepage = http://fontmatrix.be/;

View File

@ -11,8 +11,7 @@ stdenv.mkDerivation rec {
sha256 = "1sz2n7jbmg3g97bs613xxjpzqbsl5rvpg6v7g3x3ycyd35r8vsfp";
};
# It built code to be put in a shared object without -fPIC
NIX_CFLAGS_COMPILE = "-fPIC";
hardeningDisable = [ "format" ];
prePatch = ''
sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl

View File

@ -15,6 +15,8 @@ stdenv.mkDerivation {
buildInputs = [pkgconfig gtk libpng];
hardeningDisable = [ "format" ];
meta = {
description = "A fast image viewer";
homepage = http://gqview.sourceforge.net;

View File

@ -25,6 +25,6 @@ stdenv.mkDerivation rec {
homepage = http://www.kipi-plugins.org;
inherit (kdelibs.meta) platforms;
maintainers = with stdenv.lib.maintainers; [ viric urkud ];
broken = true; # it should be build from digikam sources, perhaps together
broken = true; # it should be built from digikam sources, perhaps together
};
}

View File

@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
patches = [ ./include-unistd.diff ];
hardeningDisable = [ "format" ];
buildPhase = ''
mkdir -p "$out/include"
export NIX_LDFLAGS="-rpath $out/opt/meshlab $NIX_LDFLAGS"

View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
nativeBuildInputs = [ qmake4Hook ];
hardeningDisable = [ "format" ];
preConfigure = ''
export CPATH="${ilmbase}/include/OpenEXR:$CPATH"
'';

View File

@ -38,6 +38,8 @@ stdenv.mkDerivation rec {
buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
hardeningDisable = [ "format" ];
preConfigure = ''
./autogen.sh
substituteInPlace "configure" \

View File

@ -16,6 +16,8 @@ stdenv.mkDerivation {
nativeBuildInputs = [ imake makeWrapper ];
hardeningDisable = [ "format" ];
NIX_CFLAGS_COMPILE = "-I${libXpm.dev}/include/X11";
patches =

View File

@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
buildInputs = [ SDL SDL_image pkgconfig libjpeg libpng libtiff ];
hardeningDisable = [ "format" ];
makeFlags = [
"BACKEND=SDL"
];

View File

@ -46,6 +46,8 @@ stdenv.mkDerivation rec {
--set INFERNO_ROOT "$out/share/inferno"
'';
hardeningDisable = [ "fortify" ];
meta = {
description = "A compact distributed operating system for building cross-platform distributed systems";
homepage = "http://inferno-os.org/";

View File

@ -1,11 +1,17 @@
{ stdenv, fetchurl, fetchpatch, pkgconfig, gtk, poppler }:
stdenv.mkDerivation rec {
name = "epdfview-0.1.8";
src = fetchurl {
url = "http://trac.emma-soft.com/epdfview/chrome/site/releases/${name}.tar.bz2";
sha256 = "1w7qybh8ssl4dffi5qfajq8mndw7ipsd92vkim03nywxgjp4i1ll";
};
buildInputs = [ pkgconfig gtk poppler ];
hardeningDisable = [ "format" ];
patches = [ (fetchpatch {
name = "epdfview-0.1.8-glib2-headers.patch";
url = "https://projects.archlinux.org/svntogit/community.git/plain/trunk/epdfview-0.1.8-glib2-headers.patch?h=packages/epdfview&id=40ba115c860bdec31d03a30fa594a7ec2864d634";
@ -17,6 +23,7 @@ stdenv.mkDerivation rec {
sha256 = "07yvgvai2bvbr5fa1mv6lg7nqr0qyryjn1xyjlh8nidg9k9vv001";
})
];
meta = {
homepage = http://trac.emma-soft.com/epdfview/;
description = "A lightweight PDF document viewer using Poppler and GTK+";

View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE];
hardeningDisable = [ "format" ];
# Makefiles are patched to fix references to `/usr/X11R6' and to add
# `-lX11' to make sure libX11's store path is in the RPATH.
patchPhase = ''

View File

@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
libid3tag ncurses libtool ];
hardeningDisable = [ "format" ];
meta = {
description = "GTK+-based audio CD player/ripper";
homepage = "http://nostatic.org/grip";

View File

@ -31,6 +31,8 @@ in stdenv.mkDerivation rec {
openjpeg freetype jbig2dec djvulibre openssl ];
NIX_LDFLAGS = "-lX11 -lXext";
hardeningDisable = [ "format" ];
k2_pa = ./k2pdfopt.patch;
tess_pa = ./tesseract.patch;

View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
owner = "yuejia";
};
hardeningDisable = [ "format" ];
preConfigure = ''
sed -i 's#/usr/bin/##g' Makefile
sed -i "s#-lclang#-L$(clang --print-search-dirs |

View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
};
hardeningDisable = [ "format" ];
# 'cvs' is only for the autogen
buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa
libXmu freeglut python gettext quesoglc gd postgresql cmake qt4 SDL_ttf fribidi ];

View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
};
hardeningDisable = [ "format" ];
buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];
unpackPhase = ''

View File

@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
};
hardeningDisable = [ "format" ];
patches = ( if stdenv.isDarwin
then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]
else [ ./sdcv.cpp.patch ] );

View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
};
hardeningDisable = [ "format" ];
#
# I know this is ugly, but the Makefile does strange things in this package,
# so we have to:

View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "1x4qp6wpszscbbs4czkfvskm7qjglvxm813nqv281bpy4y1hhvgs";
};
hardeningDisable = [ "format" ];
buildInputs = [ pkgconfig qt4 qmake4Hook ];
meta = with stdenv.lib; {

View File

@ -10,6 +10,8 @@ stdenv.mkDerivation {
buildInputs = [tcl tk xlibsWrapper makeWrapper];
hardeningDisable = [ "format" ];
patchPhase = ''
sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c
'';

View File

@ -25,6 +25,8 @@ stdenv.mkDerivation {
# Debian uses '-fpermissive' to bypass some errors on char* constantness.
CXXFLAGS = "-O2 -fpermissive";
hardeningDisable = [ "format" ];
configureFlags = "--enable-a4-paper";
postInstall = stdenv.lib.optionalString (base14Fonts != null) ''

View File

@ -11,9 +11,9 @@ stdenv.mkDerivation rec {
buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
installPhase = ''
make PREFIX=/ DESTDIR=$out install
'';
hardeningDisable = [ "format" ];
installFlags = "PREFIX=/ DESTDIR=$(out)";
preFixup = ''
wrapProgram "$out/bin/vimprobable2" \

View File

@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
'';
hardeningDisable = [ "format" ];
configureFlags = "--with-ssl=${openssl.dev} --with-gc=${boehmgc.dev}"
+ optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
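Review bot: for a browser like w3m, a `printf`-family call whose format string is not a literal is worth inspecting rather than silencing. `-Werror=format-security` is only a compile-time diagnostic, so `hardeningDisable = [ "format" ];` changes nothing about the generated code; if the non-literal string can be influenced by fetched content, the underlying bug remains. Please note the offending call site in a comment or patch it to `printf("%s", ...)`.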

View File

@ -19,6 +19,8 @@ stdenv.mkDerivation {
dontDisableStatic = true;
hardeningDisable = [ "format" ];
configureFlags = "--with-ncurses=${ncurses.dev}";
preConfigure = stdenv.lib.optionalString enablePlugin ''

View File

@ -27,6 +27,8 @@ stdenv.mkDerivation rec {
qmakeFlags="$qmakeFlags INSTALL_PREFIX=$out"
'';
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "An XMPP client fully composed of plugins";
maintainers = [ maintainers.raskin ];

View File

@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
--localstatedir=$out/var --sbindir=$out/bin
'';
hardeningDisable = [ "format" ];
meta = {
description = "A console-based network monitoring utility (fork of iptraf)";
longDescription = ''

View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "12n059j9iihhpf6spmlaspqzxz3wqan6kkpnhmlj08jdijpnk84m";
};
hardeningDisable = [ "format" ];
patchPhase = ''
sed -i -e 's,#include <linux/if_tr.h>,#include <netinet/if_tr.h>,' src/*
'';

View File

@ -30,10 +30,7 @@ in stdenv.mkDerivation {
}
];
postPatch = ''
'';
configureFlags = [ "--disable-pie" ];
NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";
buildInputs = [ bison flex autoconf automake openssl ];

View File

@ -1,36 +1,37 @@
{stdenv, fetchurl, ncurses, tcl, openssl, pam, pkgconfig, gettext, kerberos
, openldap
}:
let
s =
rec {
version = "2.00";
baseName = "alpine";
in
stdenv.mkDerivation {
name = "${baseName}-${version}";
src = fetchurl {
url = "ftp://ftp.cac.washington.edu/alpine/alpine-${version}.tar.bz2";
sha256 = "19m2w21dqn55rhxbh5lr9qarc2fqa9wmpj204jx7a0zrb90bhpf8";
baseName = "alpine";
name = "${baseName}-${version}";
};
buildInputs = [
ncurses tcl openssl pam kerberos openldap
];
in
stdenv.mkDerivation {
inherit (s) name version;
inherit buildInputs;
src = fetchurl {
inherit (s) url sha256;
};
hardeningDisable = [ "format" "fortify" ];
configureFlags = [
"--with-ssl-include-dir=${openssl.dev}/include/openssl"
"--with-tcl-lib=${tcl.libPrefix}"
"--with-passfile=.pine-passfile"
];
preConfigure = ''
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
'';
meta = {
inherit (s) version;
description = ''Console mail reader'';
description = "Console mail reader";
license = stdenv.lib.licenses.asl20;
maintainers = [stdenv.lib.maintainers.raskin];
platforms = stdenv.lib.platforms.linux;
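Review bot: `hardeningDisable = [ "format" "fortify" ];` turns off fortification for a mail client that talks IMAP and SMTP over the network (note the `openssl`, `kerberos` and `openldap` inputs), which the new documentation singles out as the case where these checks matter most. Please record the specific build error in a comment; if it is one of the header-level incompatibilities listed in the docs, a patch is preferable to disabling `fortify` for the whole package. The restructuring into `s = rec { ... }` is fine but unrelated to the hardening change.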

View File

@ -2,34 +2,35 @@
, openldap
}:
let
s =
rec {
baseName = "re-alpine";
version = "2.03";
in
stdenv.mkDerivation {
name = "${baseName}-${version}";
inherit version;
src = fetchurl {
url = "mirror://sourceforge/re-alpine/re-alpine-${version}.tar.bz2";
sha256 = "11xspzbk9cwmklmcw6rxsan7j71ysd4m9c7qldlc59ck595k5nbh";
baseName = "re-alpine";
name = "${baseName}-${version}";
};
buildInputs = [
ncurses tcl openssl pam kerberos openldap
];
in
stdenv.mkDerivation {
inherit (s) name version;
inherit buildInputs;
src = fetchurl {
inherit (s) url sha256;
};
hardeningDisable = [ "format" ];
configureFlags = [
"--with-ssl-include-dir=${openssl.dev}/include/openssl"
"--with-tcl-lib=${tcl.libPrefix}"
];
preConfigure = ''
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
'';
meta = {
inherit (s) version;
description = ''Console mail reader'';
description = "Console mail reader";
license = stdenv.lib.licenses.asl20;
maintainers = [stdenv.lib.maintainers.raskin];
platforms = stdenv.lib.platforms.linux;
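Review bot: `hardeningDisable = [ "format" ];` is the only functional addition in this hunk, yet the hunk rewrites the whole `let s = rec { ... }` structure into `stdenv.mkDerivation rec {`; since alpine got the identical restructuring in the previous file, consider landing the refactor of both derivations as a separate commit so the hardening series stays a sequence of one-line opt-outs. Note also that re-alpine keeps `"fortify"` enabled while alpine disables it; if that is deliberate, a comment on the alpine side saying why is enough.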

View File

@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
configurePhase = "makeFlags=PREFIX=$out";
hardeningDisable = [ "format" ];
postInstall = ''
sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl
sed -i -e 's|/usr/bin/perl|${perl}/bin/perl|' $out/lib/ssvnc/util/ss_vncviewer
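Review bot: `hardeningDisable = [ "format" ];` turns off `-Werror=format-security` for the whole package, but that error is normally raised by a single call of the form `printf(msg)` and is fixed by `printf("%s", msg)`; a small patch in `patches = [ ... ]` would keep the check active for the rest of the code base. If the disable stays, add a comment naming the file and line that fails so the opt-out can be dropped once upstream fixes it.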

View File

@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8";
};
cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ];
hardeningDisable = [ "format" ];
buildInputs = [ cmake qt4 libxml2 libxslt ];

View File

@ -5,6 +5,8 @@ stdenv.mkDerivation rec {
name = "drgeo-${version}";
version = "1.1.0";
hardeningDisable = [ "format" ];
src = fetchurl {
url = "mirror://sourceforge/ofset/${name}.tar.gz";
sha256 = "05i2czgzhpzi80xxghinvkyqx4ym0gm9f38fz53idjhigiivp4wc";

View File

@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6";
};
hardeningDisable = [ "format" ];
preConfigure = ''
substituteInPlace Makefile \
--replace "CC=gcc" ""

View File

@ -17,6 +17,9 @@ stdenv.mkDerivation {
src = fetchurl {
inherit (s) url sha256;
};
hardeningDisable = [ "format" ];
buildPhase = ''
find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g"
find . -name Makefile | xargs sed -i -e "s@/bin/mv@$(type -P mv)@g"
@ -32,11 +35,13 @@ stdenv.mkDerivation {
make -C source/formed realclean
make -C source/formed formed
'';
installPhase = ''
mkdir -p "$out"/{bin,share/otter}
cp bin/* source/formed/formed "$out/bin/"
cp -r examples examples-mace2 documents README* Legal Changelog Contents index.html "$out/share/otter/"
'';
meta = {
inherit (s) version;
description = "A reliable first-order theorem prover";

View File

@ -8,7 +8,7 @@ stdenv.mkDerivation {
sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
};
phases = "unpackPhase patchPhase buildPhase installPhase";
hardeningDisable = [ "format" ];
patchPhase = ''
RM=$(type -tp rm)
@ -23,6 +23,8 @@ stdenv.mkDerivation {
buildFlags = "all";
checkPhase = "make test1";
installPhase = ''
mkdir -p $out/bin
cp bin/* $out/bin

View File

@ -12,6 +12,8 @@ stdenv.mkDerivation {
enableParallelBuilding = true;
hardeningDisable = [ "format" ];
buildInputs = [ zlib bzip2 ];
# FIXME: move share/coin/Data to a separate output?

View File

@ -5,6 +5,8 @@ stdenv.mkDerivation {
version = "4-beta";
buildInputs = [unzip gcc48];
hardeningDisable = [ "stackprotector" ];
src = fetchurl {
url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip";
sha256 = "09brijnqabhgfjlj5wny0bqm5dwqcfkp1x5wif6yzdmqh080jybj";
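Review bot: `hardeningDisable = [ "stackprotector" ];` sits directly under `buildInputs = [unzip gcc48];`, and the new add-hardening.sh passes `-fstack-protector-strong`, which GCC only accepts from 4.9 onwards; if that is the reason for the opt-out, say so in a comment (`# gcc48 lacks -fstack-protector-strong`) so the line can be removed together with the pinned compiler. The `homepage` fix in the second hunk (adding the `http://` scheme) is unrelated but welcome.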
@ -30,7 +32,7 @@ stdenv.mkDerivation {
around datasets arising from point samples, images, distance
matrices and so forth.
'';
homepage = "www.sas.upenn.edu/~vnanda/perseus/index.html";
homepage = "http://www.sas.upenn.edu/~vnanda/perseus/index.html";
license = stdenv.lib.licenses.gpl3;
maintainers = with stdenv.lib.maintainers; [erikryb];
platforms = stdenv.lib.platforms.linux;

View File

@ -1,4 +1,5 @@
{ stdenv, fetchurl, intltool, autoreconfHook, pkgconfig, libqalculate, gtk3, wrapGAppsHook }:
stdenv.mkDerivation rec {
name = "qalculate-gtk-${version}";
version = "0.9.8";
@ -8,6 +9,8 @@ stdenv.mkDerivation rec {
sha256 = "15ci0p7jlikk2rira6ykgrmcdvgpxzprpqmkdxx6hsg4pvzrj54s";
};
hardeningDisable = [ "format" ];
nativeBuildInputs = [ intltool pkgconfig autoreconfHook wrapGAppsHook ];
buildInputs = [ libqalculate gtk3 ];

View File

@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
find . -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';'
'';
hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector";
postInstall = ''
rm -rf "$out/LIB"
cp -r Singular/LIB "$out"
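Review bot: `hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector";` is the right granularity, disabling only on the platform that fails instead of everywhere, and shows that `hardeningDisable` accepts an arbitrary list expression; the other opt-outs in this series could follow the same pattern where the failure is platform-specific. A comment with the i686-specific error would help whoever revisits it.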

View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78";
};
hardeningDisable = [ "format" ];
# Perl is only for the documentation
nativeBuildInputs = [ perl ];

View File

@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
sha256 = "0lk4vydpq5bi52m81h327gvzdzybf8kkak7yjwmpj6kg1jn9blaz";
};
hardeningDisable = [ "fortify" ];
enableParallelBuilding = true;
buildInputs = [

View File

@ -10,6 +10,8 @@ stdenv.mkDerivation {
patches = [ ./getcwd-chroot.patch ];
hardeningDisable = [ "format" ];
preConfigure = ''
# Apply the Debian patches.
for p in "debian/patches/"*; do

View File

@ -22,6 +22,8 @@ stdenv.mkDerivation {
sha256 = "0qzs681a64k3shh5p0rg41l1z16fbk5sj0xga45k34hp1hsp654z";
};
hardeningDisable = [ "format" ];
patches = [
./docbook2texi.patch
./symlinks-in-bin.patch

View File

@ -3,20 +3,13 @@
stdenv.mkDerivation rec {
name = "qgit-2.5";
meta =
{
license = stdenv.lib.licenses.gpl2;
homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
description = "Graphical front-end to Git";
inherit (qt4.meta) platforms;
};
src = fetchurl
{
src = fetchurl {
url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz";
sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499";
};
hardeningDisable = [ "format" ];
buildInputs = [ qt4 libXext libX11 ];
nativeBuildInputs = [ qmake4Hook ];
@ -24,4 +17,11 @@ stdenv.mkDerivation rec {
installPhase = ''
install -s -D -m 755 bin/qgit "$out/bin/qgit"
'';
meta = {
license = stdenv.lib.licenses.gpl2;
homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
description = "Graphical front-end to Git";
inherit (qt4.meta) platforms;
};
}
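Review bot: moving the `meta = { ... }` block from the top of the derivation to the bottom and reflowing `src = fetchurl {` are pure reordering with no functional effect, and they dominate both hunks of this file; the only behavioural change is `hardeningDisable = [ "format" ];`. Splitting the reorder into its own commit keeps `git blame` on the hardening line meaningful.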

View File

@ -11,6 +11,8 @@ in stdenv.mkDerivation rec {
sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0";
};
hardeningDisable = [ "format" ];
# taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports
# needed to separate run-time and build-time directories
patches = [
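Review bot: `hardeningDisable = [ "format" ];` on a Rails application is surprising, since the Ruby code itself is never compiled; the only thing the wrapper can affect here is a native gem extension built during the derivation. A comment naming which extension trips `-Werror=format-security` would show that the opt-out is still needed when the bundled gems are updated.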
@ -18,6 +20,7 @@ in stdenv.mkDerivation rec {
./2004_FHS_plugins_assets.patch
./2003_externalize_session_config.patch
];
postPatch = ''
substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins')" "ENV['RAILS_PLUGINS']"
substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins', id.to_s, 'db', 'migrate')" "File.join(ENV['RAILS_PLUGINS'], id.to_s, 'db', 'migrate')"

View File

@ -43,6 +43,8 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
hardeningDisable = [ "bindnow" "relro" ];
postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub";
meta = {
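Review bot: `hardeningDisable = [ "bindnow" "relro" ];` is the only place in this series that turns off link-time rather than compile-time hardening, and it leaves the GOT writable at runtime, which is a larger posture change than a disabled warning; unlike `format`, these two rarely break a build, so the failure is more likely a runtime one (for example plugin loading that depends on lazy binding). Please document the observed failure in a comment and, if only one of the two is needed, drop the other (partial RELRO works without `-z now`).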

View File

@ -67,14 +67,11 @@ stdenv.mkDerivation {
pkgconfig perl perlXMLParser libavc1394 libiec61883 intltool libXv gettext libX11 glib cairo ffmpeg libv4l ]; # TODOoptional packages
configureFlags = "--enable-local-ffmpeg=no";
#preConfigure = "
# grep 11 env-vars
# ex
#";
hardeningDisable = [ "format" ];
patches = [ ./kino-1.3.4-v4l1.patch ./kino-1.3.4-libav-0.7.patch ./kino-1.3.4-libav-0.8.patch ]; #./kino-1.3.4-libavcodec-pkg-config.patch ];
postInstall = "
rpath=`patchelf --print-rpath \$out/bin/kino`;
for i in $\buildInputs; do
@ -86,7 +83,6 @@ stdenv.mkDerivation {
done
";
meta = {
description = "Non-linear DV editor for GNU/Linux";
homepage = http://www.kinodv.org/;

View File

@ -41,6 +41,8 @@ stdenv.mkDerivation rec {
doCheck = true;
hardeningDisable = [ "format" ];
patches = [ ./subtitleeditor-0.52.1-build-fix.patch ];
preConfigure = ''

View File

@ -17,6 +17,8 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" {
# TODO: properly include openssl for secureBoot
buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ];
hardeningDisable = [ "stackprotector" "pic" "fortify" ];
unpackPhase = ''
for file in \
"${edk2.src}"/{UefiCpuPkg,MdeModulePkg,IntelFrameworkModulePkg,PcAtChipsetPkg,FatBinPkg,EdkShellBinPkg,MdePkg,ShellPkg,OptionRomPkg,IntelFrameworkPkg};
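Review bot: `hardeningDisable = [ "stackprotector" "pic" "fortify" ];` is expected for freestanding firmware: there is no libc to provide `__stack_chk_fail` or the fortified `__*_chk` functions, and the EDK II build controls its own code model, so `-fstack-protector-strong`, `-fPIC` and `-D_FORTIFY_SOURCE=2` cannot apply. A one-line comment saying "freestanding firmware, no libc" would distinguish this from the application-level opt-outs elsewhere in the series, and the same comment fits the seabios and qboot hunks, which disable the same set for the same reason.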

View File

@ -146,6 +146,8 @@ stdenv.mkDerivation rec {
NIX_CFLAGS_COMPILE="-I${gtk.dev}/include/gtk-2.0/ -I${libtool}/include/";
NIX_LDFLAGS="-L${libtool.lib}/lib";
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "An open-source IA-32 (x86) PC emulator";
longDescription = ''

View File

@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
buildInputs = [ iasl flex bison ];
hardeningDisable = [ "fortify" ];
buildPhase = ''
export LEX=${flex}/bin/flex
make -C util/cbfstool

View File

@ -14,6 +14,8 @@ stdenv.mkDerivation {
cp bios.bin* $out/.
'';
hardeningDisable = [ "stackprotector" "pic" ];
meta = {
description = "A simple x86 firmware for booting Linux";
homepage = https://github.com/bonzini/qboot;

View File

@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
buildInputs = [ iasl python ];
hardeningDisable = [ "pic" "stackprotector" "fortify" ];
configurePhase = ''
# build SeaBIOS for CSM
cat > .config << EOF

View File

@ -74,6 +74,8 @@ in stdenv.mkDerivation {
++ optional pythonBindings python
++ optional pulseSupport libpulseaudio;
hardeningDisable = [ "fortify" "pic" "stackprotector" ];
prePatch = ''
set -x
MODULES_BUILD_DIR=`echo ${kernel.dev}/lib/modules/*/build`
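Review bot: `hardeningDisable = [ "fortify" "pic" "stackprotector" ];` is applied to the whole derivation, but the context (`MODULES_BUILD_DIR=...${kernel.dev}/lib/modules/*/build`) shows the reason is the out-of-tree kernel module build, which must follow the kernel's own KBUILD flags; the userspace parts built in the same derivation (the `python` and `libpulseaudio` consumers above) could keep all three. Worth a comment stating the kernel-module reason, and a follow-up consideration of splitting the module build so the opt-out does not cover the userspace binaries.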

View File

@ -17,6 +17,8 @@ stdenv.mkDerivation {
KERN_DIR = "${kernel.dev}/lib/modules/*/build";
hardeningDisable = [ "pic" ];
buildInputs = [ patchelf cdrkit makeWrapper dbus ];
installPhase = ''

View File

@ -48,6 +48,8 @@ stdenv.mkDerivation {
pythonPath = [ pythonPackages.curses ];
hardeningDisable = [ "stackprotector" "fortify" "pic" ];
patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
postPatch = ''

View File

@ -3,12 +3,16 @@
stdenv.mkDerivation rec {
name = "stalonetray-${version}";
version = "0.8.1";
src = fetchurl {
url = "mirror://sourceforge/stalonetray/${name}.tar.bz2";
sha256 = "1wp8pnlv34w7xizj1vivnc3fkwqq4qgb9dbrsg15598iw85gi8ll";
};
buildInputs = [ libX11 xproto ];
hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "Stand alone tray";
maintainers = with maintainers; [ raskin ];

View File

@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
buildInputs = [ cairo gdk_pixbuf libconfig pango pkgconfig xcbutilwm ];
hardeningDisable = [ "format" ];
postPatch = ''
substituteInPlace ./Makefile --replace "\$(shell git describe)" "${version}"
'';

View File

@ -0,0 +1,61 @@
hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
hardeningFlags+=("${hardeningEnable[@]}")
hardeningCFlags=()
hardeningLDFlags=()
hardeningDisable=${hardeningDisable:-""}
if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then
hardeningDisable+=" bindnow relro"
fi
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
if [[ ! $hardeningDisable == "all" ]]; then
if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
for flag in "${hardeningFlags[@]}"
do
if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then
case $flag in
fortify)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
;;
stackprotector)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4')
;;
pie)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
hardeningCFlags+=('-fPIE')
if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
hardeningLDFlags+=('-pie')
fi
;;
pic)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
hardeningCFlags+=('-fPIC')
;;
strictoverflow)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
hardeningCFlags+=('-fno-strict-overflow')
;;
format)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
;;
relro)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
hardeningLDFlags+=('-z relro')
;;
bindnow)
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi
hardeningLDFlags+=('-z now')
;;
*)
echo "Hardening flag unknown: $flag" >&2
;;
esac
fi
done
fi
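Review bot: `hardeningFlags+=("${hardeningEnable[@]}")` on the second line expands `hardeningEnable` as a bash array, but `hardeningDisable=${hardeningDisable:-""}` four lines below treats its sibling as a plain string, and both reach the wrapper as environment variables, i.e. strings: `hardeningEnable = [ "pie" ]` happens to work because the whole value is one flag, but `[ "pie" "bindnow" ]` arrives as the single element `pie bindnow` and falls into the `*)` branch as `Hardening flag unknown: pie bindnow`. Word-split it explicitly (`hardeningFlags+=($hardeningEnable)`). Three further points in the same hunk: `[[ ! "${hardeningDisable}" =~ "$flag" ]]` is a quoted, therefore literal, substring match, so a misspelled entry in `hardeningDisable` silently disables nothing and nothing reports it; validating each entry against the known flag names would catch that. In the `pie` branch, `"$*" =~ " -shared "` needs a space on both sides, so `-shared` as the first or last argument is not detected and `-pie` gets added to a shared-library link; an unquoted pattern such as `(^| )-shared( |$)` fixes it. Finally, `hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')` injects an optimisation level that will override whatever `-O` the package itself passes if these flags land after the package's own arguments; consider only adding `-O2` when no `-O` option is already present, since `_FORTIFY_SOURCE` needs some optimisation but not necessarily that level. Minor: the `$LD -z` probe at the top runs a linker process for every compiler invocation; caching the result in the wrapper's environment would avoid that.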

View File

@ -70,7 +70,6 @@ if [ "$nonFlagArgs" = 0 ]; then
dontLink=1
fi
# Optionally filter out paths not refering to the store.
if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
rest=()
@ -117,16 +116,18 @@ if [[ "$isCpp" = 1 ]]; then
NIX_CFLAGS_LINK="$NIX_CFLAGS_LINK $NIX_CXXSTDLIB_LINK"
fi
# Add the flags for the C compiler proper.
extraAfter=($NIX_CFLAGS_COMPILE)
extraBefore=()
LD=@ldPath@/ld
source @out@/nix-support/add-hardening.sh
# Add the flags for the C compiler proper.
extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
extraBefore=()
if [ "$dontLink" != 1 ]; then
# Add the flags that should only be passed to the compiler when
# linking.
extraAfter+=($NIX_CFLAGS_LINK)
extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
# Add the flags that should be passed to the linker (and prevent
# `ld-wrapper' from adding NIX_LDFLAGS again).
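Review bot: `extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})` and `extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})` rely on unquoted expansion to split the array elements `'--param ssp-buffer-size=4'` and `'-z relro'`, which add-hardening.sh stores as single elements containing a space, into two words each; that works today, but anyone who later quotes the expansion (`"${hardeningCFlags[@]}"`) will hand the compiler a single argument `--param ssp-buffer-size=4` and get a confusing error. Storing them as separate elements (`'--param' 'ssp-buffer-size=4'`, `'-z' 'relro'`) removes the dependency on word splitting. Also note that `LD=@ldPath@/ld` is set here purely so the sourced script's `$LD -z` probe works; a comment on that line saying so would save the next reader a search.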

View File

@ -238,6 +238,7 @@ stdenv.mkDerivation {
rm $out/nix-support/setup-hook.tmp
substituteAll ${./add-flags} $out/nix-support/add-flags.sh
cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
cp -p ${./utils.sh} $out/nix-support/utils.sh
''
+ extraBuildCommands;
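Review bot: `cp -p ${./add-hardening} $out/nix-support/add-hardening.sh` copies the script verbatim rather than running it through `substituteAll` like `add-flags` on the previous line; that is fine as long as add-hardening.sh contains no `@var@` placeholders, but the script does depend on the caller having set `LD` before sourcing it, and nothing in the installed file says so. A header comment in add-hardening.sh documenting the `LD` and `hardeningEnable`/`hardeningDisable` inputs would make the contract explicit.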

View File

@ -47,8 +47,10 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
params=("${rest[@]}")
fi
LD=@prog@
source @out@/nix-support/add-hardening.sh
extra=()
extra=(${hardeningLDFlags[@]})
extraBefore=()
if [ -z "$NIX_LDFLAGS_SET" ]; then
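Review bot: `source @out@/nix-support/add-hardening.sh` here in addition to cc-wrapper means that for a normal link through the compiler driver the `-z relro`, `-z now` and `-pie` flags are emitted twice: once from cc-wrapper's `extraAfter`, forwarded by gcc to ld, and once more from `extra=(${hardeningLDFlags[@]})` in this hunk. ld tolerates the duplicates, so this is noise rather than a bug, but the `pie` branch inspects `"$*"` and sees gcc's arguments in one pass and ld's in the other, so the two runs can reach different conclusions about `-shared`; either dedupe by having cc-wrapper skip `hardeningLDFlags` when the linker is going to be wrapped anyway, or document that the second application is intended to cover direct `ld` invocations.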
@ -56,7 +58,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then
extraBefore+=($NIX_LDFLAGS_BEFORE)
fi
extra+=($NIX_LDFLAGS_AFTER)
extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
# Add all used dynamic libraries to the rpath.
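Review bot: `extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)` references `NIX_LDFLAGS_HARDEN`, which nothing in this patch sets: add-hardening.sh only populates `hardeningCFlags` and `hardeningLDFlags`, and the previous hunk already puts `hardeningLDFlags` into `extra`. Either this is a leftover from an earlier iteration and should be dropped, or it is an intentional escape hatch for derivations to pass extra linker hardening, in which case it needs a comment and a mention in the documentation section added by this series.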

View File

@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
};
hardeningDisable = [ "format" ];
patches = [ ./glib.patch ./cups_1.6.patch ];
buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ];

Some files were not shown because too many files have changed in this diff