hardening: initial cross support

pkgs/build-support/bintools-wrapper/add-flags.sh

@@ -24,10 +24,10 @@ if [ "${NIX_BINTOOLS_WRAPPER_@infixSalt@_TARGET_TARGET:-}" ]; then
 fi
 
 for var in "${var_templates_list[@]}"; do
-    mangleVarList "$var" "${role_infixes[@]}"
+    mangleVarList "$var" ${role_infixes[@]+"${role_infixes[@]}"}
 done
 for var in "${var_templates_bool[@]}"; do
-    mangleVarBool "$var" "${role_infixes[@]}"
+    mangleVarBool "$var" ${role_infixes[@]+"${role_infixes[@]}"}
 done
 
 if [ -e @out@/nix-support/libc-ldflags ]; then

pkgs/build-support/cc-wrapper/add-flags.sh

@@ -10,6 +10,7 @@ var_templates_list=(
     NIX+CXXSTDLIB_COMPILE
     NIX+CXXSTDLIB_LINK
     NIX+GNATFLAGS_COMPILE
+    NIX+HARDENING_ENABLE
 )
 var_templates_bool=(
     NIX+ENFORCE_NO_NATIVE
@@ -31,10 +32,10 @@ fi
 # We need to mangle names for hygiene, but also take parameters/overrides
 # from the environment.
 for var in "${var_templates_list[@]}"; do
-    mangleVarList "$var" "${role_infixes[@]}"
+    mangleVarList "$var" ${role_infixes[@]+"${role_infixes[@]}"}
 done
 for var in "${var_templates_bool[@]}"; do
-    mangleVarBool "$var" "${role_infixes[@]}"
+    mangleVarBool "$var" ${role_infixes[@]+"${role_infixes[@]}"}
 done
 
 # `-B@out@/bin' forces cc to use ld-wrapper.sh when calling ld.

pkgs/build-support/cc-wrapper/add-hardening.sh

@@ -6,7 +6,7 @@ declare -A hardeningEnableMap=()
 # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
 # array expansion also prevents undefined variables from causing trouble with
 # `set -u`.
-for flag in ${NIX_HARDENING_ENABLE-}; do
+for flag in ${NIX_@infixSalt@_HARDENING_ENABLE-}; do
   hardeningEnableMap[$flag]=1
 done
 

pkgs/build-support/cc-wrapper/cc-wrapper.sh

@@ -135,7 +135,8 @@ source @out@/nix-support/add-hardening.sh
 
 # Add the flags for the C compiler proper.
 extraAfter=($NIX_@infixSalt@_CFLAGS_COMPILE)
-extraBefore=("${hardeningCFlags[@]}")
+
+extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"})
 
 if [ "$dontLink" != 1 ]; then