Use general hardening flag toggle lists

The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow

pkgs/applications/audio/QmidiNet/default.nix

@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   buildInputs = [ qt4 alsaLib libjack2 ];
 

pkgs/applications/audio/aacgain/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation {
     sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configurePhase = ''
     cd mp4v2

pkgs/applications/audio/cdparanoia/default.nix

@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   preConfigure = "unset CC";
 

pkgs/applications/audio/csound/default.nix

@@ -16,7 +16,7 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   src = fetchurl {
     url = mirror://sourceforge/csound/Csound6.04.tar.gz;

pkgs/applications/audio/freewheeling/default.nix

@@ -19,7 +19,7 @@ stdenv.mkDerivation {
 
   patches = [ ./am_path_sdl.patch ./xml.patch ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   meta = {
     description = "A live looping instrument with JACK and MIDI support";

pkgs/applications/audio/jack-capture/default.nix

@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     cp jack_capture $out/bin/
   '';
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   meta = with stdenv.lib; {
     description = "A program for recording soundfiles with jack";

pkgs/applications/audio/lingot/default.nix

@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
 

pkgs/applications/audio/mi2ly/default.nix

@@ -21,7 +21,7 @@ stdenv.mkDerivation {
 
   sourceRoot=".";
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   buildPhase = "./cc";
   installPhase = ''

pkgs/applications/audio/mp3info/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ncurses pkgconfig gtk ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configurePhase =
     '' sed -i Makefile \

pkgs/applications/audio/mp3val/default.nix

@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     install -Dv mp3val "$out/bin/mp3val"
   '';
 
-  hardening_fortify = false;
+  hardeningDisable = [ "fortify" ];
 
   meta = {
     description = "A tool for validating and repairing MPEG audio streams";

pkgs/applications/audio/mpg321/default.nix

@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configureFlags = [
     ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))

pkgs/applications/audio/musescore/default.nix

@@ -13,8 +13,7 @@ stdenv.mkDerivation rec {
     sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw";
   };
 
-  hardening_bindnow = false;
-  hardening_relro = false;
+  hardeningDisable = [ "relro" "bindnow" ];
 
   makeFlags = [
     "PREFIX=$(out)"

pkgs/applications/audio/pd-plugins/cyclone/default.nix

@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   patchPhase = ''
     for file in `grep -r -l g_canvas.h`

pkgs/applications/audio/pd-plugins/maxlib/default.nix

@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   patchPhase = ''
     for i in ${puredata}/include/pd/*; do

pkgs/applications/audio/pd-plugins/mrpeach/default.nix

@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   patchPhase = ''
     for D in net osc

pkgs/applications/audio/rakarrack/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation  rec {
     sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   patches = [ ./fltk-path.patch ];
 

pkgs/applications/audio/zynaddsubfx/default.nix

@@ -14,7 +14,7 @@ stdenv.mkDerivation  rec {
   buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
   nativeBuildInputs = [ cmake pkgconfig ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   meta = with stdenv.lib; {
     description = "High quality software synthesizer";

pkgs/applications/editors/ht/default.nix

@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     ncurses
   ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   meta = with lib; {
     description = "File editor/viewer/analyzer for executables";

pkgs/applications/editors/leafpad/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ intltool pkgconfig gtk ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configureFlags = [
     "--enable-chooser"

pkgs/applications/graphics/cinepaint/default.nix

@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
   ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   patches = [ ./install.patch ];
 

pkgs/applications/graphics/giv/default.nix

@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   prePatch = ''
     sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl

pkgs/applications/graphics/gqview/default.nix

@@ -15,7 +15,7 @@ stdenv.mkDerivation {
 
   buildInputs = [pkgconfig gtk libpng];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   meta = {
     description = "A fast image viewer";

pkgs/applications/graphics/meshlab/default.nix

@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
 
   patches = [ ./include-unistd.diff ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   buildPhase = ''
     mkdir -p "$out/include"

pkgs/applications/graphics/qtpfsgui/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configurePhase = ''
     export CPATH="${ilmbase}/include/OpenEXR:$CPATH"

pkgs/applications/graphics/tesseract/default.nix

@@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   preConfigure = ''
       ./autogen.sh

pkgs/applications/graphics/xfig/default.nix

@@ -16,7 +16,7 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ imake makeWrapper ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11";
 

pkgs/applications/inferno/default.nix

@@ -46,7 +46,7 @@ stdenv.mkDerivation rec {
       --set INFERNO_ROOT "$out/share/inferno"
   '';
 
-  hardening_fortify = false;
+  hardeningDisable = [ "fortify" ];
 
   meta = {
     description = "A compact distributed operating system for building cross-platform distributed systems";

pkgs/applications/misc/epdfview/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig gtk poppler ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   patches = [ (fetchpatch {
                 name = "epdfview-0.1.8-glib2-headers.patch";

pkgs/applications/misc/gkrellm/default.nix

@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   # Makefiles are patched to fix references to `/usr/X11R6' and to add
   # `-lX11' to make sure libX11's store path is in the RPATH.

pkgs/applications/misc/grip/default.nix

@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
     libid3tag ncurses libtool ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   meta = {
     description = "GTK+-based audio CD player/ripper";

pkgs/applications/misc/k2pdfopt/default.nix

@@ -31,7 +31,7 @@ in stdenv.mkDerivation rec {
                     openjpeg freetype jbig2dec djvulibre openssl ];
   NIX_LDFLAGS = "-lX11 -lXext";
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   k2_pa = ./k2pdfopt.patch;
   tess_pa = ./tesseract.patch;

pkgs/applications/misc/navit/default.nix

@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   # 'cvs' is only for the autogen
   buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa

pkgs/applications/misc/posterazor/default.nix

@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];
 

pkgs/applications/misc/sdcv/default.nix

@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   patches = ( if stdenv.isDarwin
               then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]

pkgs/applications/misc/tasknc/default.nix

@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
   };
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   #
   # I know this is ugly, but the Makefile does strange things in this package,

pkgs/applications/misc/vym/default.nix

@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig qt4 ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configurePhase = ''
     qmake PREFIX="$out"

pkgs/applications/misc/wordnet/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation {
 
   buildInputs = [tcl tk xlibsWrapper makeWrapper];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   patchPhase = ''
     sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c

pkgs/applications/networking/browsers/vimprobable2/default.nix

@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   installFlags = "PREFIX=/ DESTDIR=$(out)";
 

pkgs/applications/networking/browsers/w3m/default.nix

@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
     ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
   '';
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
     + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";

pkgs/applications/networking/instant-messengers/silc-client/default.nix

@@ -19,7 +19,7 @@ stdenv.mkDerivation {
 
   dontDisableStatic = true;
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configureFlags = "--with-ncurses=${ncurses}";
 

pkgs/applications/networking/instant-messengers/vacuum/default.nix

@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
 
   configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro";
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   buildInputs = [
     qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz

pkgs/applications/networking/iptraf-ng/default.nix

@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
                 --localstatedir=$out/var --sbindir=$out/bin
   '';
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   meta = {
     description = "A console-based network monitoring utility (fork of iptraf)";

pkgs/applications/networking/mailreaders/alpine/default.nix

@@ -18,8 +18,7 @@ stdenv.mkDerivation {
     ncurses tcl openssl pam kerberos openldap
   ];
 
-  hardening_format = false;
-  hardening_fortify = false;
+  hardeningDisable = [ "format" "fortify" ];
 
   configureFlags = [
     "--with-ssl-include-dir=${openssl}/include/openssl"

pkgs/applications/networking/mailreaders/realpine/default.nix

@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     ncurses tcl openssl pam kerberos openldap
   ];
 
-  hardening_format = false;
+  hardeningDisable = [ "format" ];
 
   configureFlags = [
     "--with-ssl-include-dir=${openssl}/include/openssl"