lol

mkDerivation: add support for fortify3 hardening flag

+18 -10
+18 -10
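--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -178,21 +178,29 @@
 ++ buildInputs ++ propagatedBuildInputs
 ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
 dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
-supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+
+hardeningDisable' = if lib.any (x: x == "fortify") hardeningDisable
+# disabling fortify implies fortify3 should also be disabled
+then lib.unique (hardeningDisable ++ [ "fortify3" ])
+else hardeningDisable;
+supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
 # Musl-based platforms will keep "pie", other platforms will not.
 # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
 # in the nixpkgs manual to inform users about the defaults.
-defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
-# Except when:
-# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
-# - static armv7l, where compilation fails.
-!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
-then supportedHardeningFlags
-else lib.remove "pie" supportedHardeningFlags;
+defaultHardeningFlags = let
+# not ready for this by default
+supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
+in if stdenv.hostPlatform.isMusl &&
+# Except when:
+# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
+# - static armv7l, where compilation fails.
+!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
+then supportedHardeningFlags'
+else lib.remove "pie" supportedHardeningFlags';
 enabledHardeningOptions =
-if builtins.elem "all" hardeningDisable
+if builtins.elem "all" hardeningDisable'
 then []
-else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable);
+else lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable);
 # hardeningDisable additionally supports "all".
 erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);
 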
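Review bot: The new `hardeningDisable'` binding silently overrides an explicit `hardeningEnable = [ "fortify3" ]` whenever "fortify" is also disabled, because the implied "fortify3" entry is subtracted from `defaultHardeningFlags ++ hardeningEnable` without any report through `erroneousHardeningFlags`; that is defensible (fortify3 presumably builds on fortify), but a maintainer reading the enabled set will not expect the stronger check to vanish, so the comment should say so, e.g. `# disabling fortify implies fortify3 should also be disabled, even if it was explicitly enabled via hardeningEnable`. The membership test `lib.any (x: x == "fortify") hardeningDisable` is also inconsistent with `builtins.elem "all" hardeningDisable'` a few lines below; `builtins.elem "fortify" hardeningDisable` reads the same and matches the file's existing style. The `# not ready for this by default` comment inside `defaultHardeningFlags` gives no reason a future reader can verify; naming the blocker (toolchain or libc support, if that is what it is) would make it clear when it is safe to promote "fortify3" to a default, and the manual section `{#sec-hardening-in-nixpkgs}` referenced two lines above should then list it as supported-but-off. The enclosing attribute set these bindings belong to starts before and ends after this hunk.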