From d70006c6d95d581db203492514ea3fc82d61113b Mon Sep 17 00:00:00 2001
From: Orivej Desh <orivej@gmx.fr>
Date: Fri, 1 Sep 2017 00:46:26 +0000
Subject: [PATCH] mkDerivation: fix hardening flags check

- allow "all" in hardeningDisable
- fix busybox flags
- print detailed error message

Discussed at https://github.com/NixOS/nixpkgs/pull/28555#issuecomment-326413032
---
 pkgs/os-specific/linux/busybox/default.nix |  2 +-
 pkgs/stdenv/generic/make-derivation.nix    | 15 +++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index ee897fc37813a1..6c9c43e4e5a9c6 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
     sha256 = "1pv3vs2w4l2wnw5qb0rkbpvjjdd1fwjv87miavqq0r0ynqbfajwx";
   };
 
-  hardeningDisable = [ "format" ] ++ lib.optional enableStatic [ "fortify" ];
+  hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
 
   patches = [ ./busybox-in-store.patch ];
 
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index b9d8b2d31175c7..c2f4f1c7b281e9 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -47,15 +47,14 @@ rec {
     , ... } @ attrs:
 
     # TODO(@Ericson2314): Make this more modular, and not O(n^2).
-    let allHardeningFlags = [
-      "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
-      "bindnow"
-    ];
-    in assert lib.all
-      (flag: lib.elem flag allHardeningFlags)
-      (hardeningEnable ++ hardeningDisable);
-
     let
+      supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+      erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);
+    in if builtins.length erroneousHardeningFlags != 0
+    then abort ("mkDerivation was called with unsupported hardening flags: " + lib.generators.toPretty {} {
+      inherit erroneousHardeningFlags hardeningDisable hardeningEnable supportedHardeningFlags;
+    })
+    else let
       dependencies = map lib.chooseDevOutputs [
         (map (drv: drv.nativeDrv or drv) nativeBuildInputs
            ++ lib.optional separateDebugInfo ../../build-support/setup-hooks/separate-debug-info.sh