Loading pkgs/build-support/bintools-wrapper/add-hardening.sh +1 −11 Original line number Diff line number Diff line Loading @@ -15,7 +15,7 @@ for flag in @hardening_unsupported_flags@; do done if (( "${NIX_DEBUG:-0}" >= 1 )); then declare -a allHardeningFlags=(pie relro bindnow) declare -a allHardeningFlags=(relro bindnow) declare -A hardeningDisableMap=() # Determine which flags were effectively disabled so we can report below. Loading @@ -36,16 +36,6 @@ fi for flag in "${!hardeningEnableMap[@]}"; do case $flag in pie) if [[ ! (" ${params[*]} " =~ " -shared " \ || " ${params[*]} " =~ " -static " \ || " ${params[*]} " =~ " -r " \ || " ${params[*]} " =~ " -Ur " \ || " ${params[*]} " =~ " -i ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningLDFlags+=('-pie') fi ;; relro) if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi hardeningLDFlags+=('-z' 'relro') Loading pkgs/build-support/bintools-wrapper/default.nix +1 −18 Original line number Diff line number Diff line Loading @@ -55,24 +55,7 @@ "stackprotector" "strictoverflow" "zerocallusedregs" ] ++ lib.optional ( with stdenvNoCC; lib.any (x: x) [ # OpenBSD static linking requires PIE (with targetPlatform; isOpenBSD && isStatic) (lib.all (x: x) [ # Musl-based platforms will keep "pie", other platforms will not. # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}` # in the nixpkgs manual to inform users about the defaults. (targetPlatform.libc == "musl") # Except when: # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. # - static armv7l, where compilation fails. (!(targetPlatform.isAarch && targetPlatform.isStatic)) ]) ] ) "pie", ], }: assert propagateDoc -> bintools ? man; Loading pkgs/build-support/cc-wrapper/add-hardening.sh +1 −10 Original line number Diff line number Diff line Loading 
@@ -52,7 +52,7 @@ fi if (( "${NIX_DEBUG:-0}" >= 1 )); then declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pie pic strictoverflow glibcxxassertions format trivialautovarinit zerocallusedregs) declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pic strictoverflow glibcxxassertions format trivialautovarinit zerocallusedregs) declare -A hardeningDisableMap=() # Determine which flags were effectively disabled so we can report below. Loading Loading @@ -127,15 +127,6 @@ for flag in "${!hardeningEnableMap[@]}"; do if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling nostrictaliasing >&2; fi hardeningCFlagsBefore+=('-fno-strict-aliasing') ;; pie) # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}") if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}") fi ;; pic) if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi hardeningCFlagsBefore+=('-fPIC') Loading pkgs/stdenv/generic/make-derivation.nix +1 −8 Original line number Diff line number Diff line Loading 
@@ -225,14 +225,7 @@ let canExecuteHostOnBuild = buildPlatform.canExecute hostPlatform; defaultHardeningFlags = (if stdenvHasCC then stdenv.cc else { }).defaultHardeningFlags or # fallback safe-ish set of flags ( if isOpenBSD && isStatic then knownHardeningFlags # Need pie, in fact else remove "pie" knownHardeningFlags ); (if stdenvHasCC then stdenv.cc else { }).defaultHardeningFlags or knownHardeningFlags; stdenvHostSuffix = optionalString (hostPlatform != buildPlatform) "-${hostPlatform.config}"; stdenvStaticMarker = optionalString isStatic "-static"; userHook = config.stdenv.userHook or null; Loading pkgs/test/cc-wrapper/hardening.nix +4 −37 Original line number Diff line number Diff line Loading @@ -455,23 +455,8 @@ nameDrvAfterAttrName ( ) ); pieExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic ( checkTestBin (f2exampleWithStdEnv stdenv { hardeningEnable = [ "pie" ]; }) { ignorePie = false; } ); pieExplicitEnabledStructuredAttrs = brokenIf stdenv.hostPlatform.isStatic ( checkTestBin (f2exampleWithStdEnv stdenv { hardeningEnable = [ "pie" ]; __structuredAttrs = true; }) { pieAlwaysEnabled = brokenIf stdenv.hostPlatform.isStatic ( checkTestBin (f2exampleWithStdEnv stdenv { }) { ignorePie = false; } ); Loading Loading @@ -662,17 +647,6 @@ nameDrvAfterAttrName ( ) ); pieExplicitDisabled = brokenIf (stdenv.hostPlatform.isMusl && stdenv.cc.isClang) ( checkTestBin (f2exampleWithStdEnv stdenv { hardeningDisable = [ "pie" ]; }) { ignorePie = false; expectFailure = true; } ); # can't force-disable ("partial"?) relro relROExplicitDisabled = brokenIf true ( checkTestBin Loading Loading @@ -1101,13 +1075,6 @@ nameDrvAfterAttrName ( expectFailure = true; }; allExplicitDisabledPie = brokenIf (stdenv.hostPlatform.isMusl && stdenv.cc.isClang) ( checkTestBin tb { ignorePie = false; expectFailure = true; } ); # can't force-disable ("partial"?) relro allExplicitDisabledRelRO = brokenIf true ( checkTestBin tb { Loading Loading
pkgs/build-support/bintools-wrapper/add-hardening.sh +1 −11 Original line number Diff line number Diff line Loading @@ -15,7 +15,7 @@ for flag in @hardening_unsupported_flags@; do done if (( "${NIX_DEBUG:-0}" >= 1 )); then declare -a allHardeningFlags=(pie relro bindnow) declare -a allHardeningFlags=(relro bindnow) declare -A hardeningDisableMap=() # Determine which flags were effectively disabled so we can report below. Loading @@ -36,16 +36,6 @@ fi for flag in "${!hardeningEnableMap[@]}"; do case $flag in pie) if [[ ! (" ${params[*]} " =~ " -shared " \ || " ${params[*]} " =~ " -static " \ || " ${params[*]} " =~ " -r " \ || " ${params[*]} " =~ " -Ur " \ || " ${params[*]} " =~ " -i ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningLDFlags+=('-pie') fi ;; relro) if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi hardeningLDFlags+=('-z' 'relro') Loading
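Review bot: With the `pie)` arm gone from the case over `${!hardeningEnableMap[@]}` and `pie` dropped from `allHardeningFlags`, a package that still sets `hardeningEnable = [ "pie" ]` or `hardeningDisable = [ "pie" ]` gets no `-pie`, no error and, as far as this hunk shows, no NIX_DEBUG line either; whether the flag is ignored or rejected now depends on a catch-all arm outside the hunk. The same silent drop applies to the matching hunk in pkgs/build-support/cc-wrapper/add-hardening.sh. If PIE is now supplied by the toolchain default, say so where the arm used to be, e.g. before `relro)`: `# "pie" is intentionally not handled here: PIE is the toolchain default and is not toggled by this wrapper.`, and consider keeping a NIX_DEBUG report for a requested "pie" so a stale disable shows up in build logs rather than vanishing. The `for`/`case` block starts and ends outside the hunk.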
pkgs/build-support/bintools-wrapper/default.nix +1 −18 Original line number Diff line number Diff line Loading @@ -55,24 +55,7 @@ "stackprotector" "strictoverflow" "zerocallusedregs" ] ++ lib.optional ( with stdenvNoCC; lib.any (x: x) [ # OpenBSD static linking requires PIE (with targetPlatform; isOpenBSD && isStatic) (lib.all (x: x) [ # Musl-based platforms will keep "pie", other platforms will not. # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}` # in the nixpkgs manual to inform users about the defaults. (targetPlatform.libc == "musl") # Except when: # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. # - static armv7l, where compilation fails. (!(targetPlatform.isAarch && targetPlatform.isStatic)) ]) ] ) "pie", ], }: assert propagateDoc -> bintools ? man; Loading
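Review bot: The removed block carried the instruction to update `{#sec-hardening-in-nixpkgs}` in the manual whenever this default changes, and no documentation change is visible in the file sections of this diff, so the manual's "pie only on musl" statement appears to be left stale. The same block dropped the `isOpenBSD && isStatic` case whose comment says static OpenBSD linking requires PIE; if that requirement is now met by the toolchain default rather than the wrapper, a one-line comment at the end of the list, `# "pie" is deliberately absent: PIE is enabled unconditionally by the toolchain, not by this wrapper.`, would stop the next reader from re-adding it. The `defaultHardeningFlags` list begins before this hunk.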
pkgs/build-support/cc-wrapper/add-hardening.sh +1 −10 Original line number Diff line number Diff line Loading @@ -52,7 +52,7 @@ fi if (( "${NIX_DEBUG:-0}" >= 1 )); then declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pie pic strictoverflow glibcxxassertions format trivialautovarinit zerocallusedregs) declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pic strictoverflow glibcxxassertions format trivialautovarinit zerocallusedregs) declare -A hardeningDisableMap=() # Determine which flags were effectively disabled so we can report below. Loading Loading @@ -127,15 +127,6 @@ for flag in "${!hardeningEnableMap[@]}"; do if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling nostrictaliasing >&2; fi hardeningCFlagsBefore+=('-fno-strict-aliasing') ;; pie) # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}") if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}") fi ;; pic) if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi hardeningCFlagsBefore+=('-fPIC') Loading
pkgs/stdenv/generic/make-derivation.nix +1 −8 Original line number Diff line number Diff line Loading @@ -225,14 +225,7 @@ let canExecuteHostOnBuild = buildPlatform.canExecute hostPlatform; defaultHardeningFlags = (if stdenvHasCC then stdenv.cc else { }).defaultHardeningFlags or # fallback safe-ish set of flags ( if isOpenBSD && isStatic then knownHardeningFlags # Need pie, in fact else remove "pie" knownHardeningFlags ); (if stdenvHasCC then stdenv.cc else { }).defaultHardeningFlags or knownHardeningFlags; stdenvHostSuffix = optionalString (hostPlatform != buildPlatform) "-${hostPlatform.config}"; stdenvStaticMarker = optionalString isStatic "-static"; userHook = config.stdenv.userHook or null; Loading
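Review bot: The fallback now passes `knownHardeningFlags` through unchanged, and this diff does not touch `knownHardeningFlags` (defined above the hunk), so if it still names "pie" the cc-less fallback advertises a flag that neither wrapper handles any more, while removing it there would presumably break evaluation of every package that lists "pie" in `hardeningDisable`. Whichever is intended, state it at the fallback: `# knownHardeningFlags may still contain "pie" for compatibility with existing hardeningEnable/hardeningDisable lists; the wrappers no longer act on it.`. The removed "safe-ish set" wording also explained why the fallback differed from the full list; with the two now equal, a short comment on why that is acceptable for a stdenv without a cc would replace it.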
pkgs/test/cc-wrapper/hardening.nix +4 −37 Original line number Diff line number Diff line Loading @@ -455,23 +455,8 @@ nameDrvAfterAttrName ( ) ); pieExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic ( checkTestBin (f2exampleWithStdEnv stdenv { hardeningEnable = [ "pie" ]; }) { ignorePie = false; } ); pieExplicitEnabledStructuredAttrs = brokenIf stdenv.hostPlatform.isStatic ( checkTestBin (f2exampleWithStdEnv stdenv { hardeningEnable = [ "pie" ]; __structuredAttrs = true; }) { pieAlwaysEnabled = brokenIf stdenv.hostPlatform.isStatic ( checkTestBin (f2exampleWithStdEnv stdenv { }) { ignorePie = false; } ); Loading Loading @@ -662,17 +647,6 @@ nameDrvAfterAttrName ( ) ); pieExplicitDisabled = brokenIf (stdenv.hostPlatform.isMusl && stdenv.cc.isClang) ( checkTestBin (f2exampleWithStdEnv stdenv { hardeningDisable = [ "pie" ]; }) { ignorePie = false; expectFailure = true; } ); # can't force-disable ("partial"?) relro relROExplicitDisabled = brokenIf true ( checkTestBin Loading Loading @@ -1101,13 +1075,6 @@ nameDrvAfterAttrName ( expectFailure = true; }; allExplicitDisabledPie = brokenIf (stdenv.hostPlatform.isMusl && stdenv.cc.isClang) ( checkTestBin tb { ignorePie = false; expectFailure = true; } ); # can't force-disable ("partial"?) relro allExplicitDisabledRelRO = brokenIf true ( checkTestBin tb { Loading
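Review bot: The explicit-disable tests (`pieExplicitDisabled`, `allExplicitDisabledPie`) are deleted rather than inverted, so nothing now checks that a stale `hardeningDisable = [ "pie" ]` neither fails evaluation nor yields a non-PIE binary; `pieExplicitEnabledStructuredAttrs` likewise loses its `__structuredAttrs = true` counterpart, which `pieAlwaysEnabled` does not get. Next to `pieAlwaysEnabled` I would add `pieDisableIgnored = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f2exampleWithStdEnv stdenv { hardeningDisable = [ "pie" ]; }) { ignorePie = false; });` and a copy of `pieAlwaysEnabled` with `__structuredAttrs = true;` in the attribute set. The `brokenIf stdenv.hostPlatform.isStatic` guard also leaves static hosts without any assertion about the new default; a comment stating what static builds are expected to produce would make the intent checkable later.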