tjh.dev
fork
Configure Feed
Select the types of activity you want to include in your feed.
nixpkgs mirror (for testing)
github.com/NixOS/nixpkgs
nix
fork
Configure Feed
Select the types of activity you want to include in your feed.
Merge pull request #212498 from risicle/ris-fortify3
hardening flags: add `FORTIFY_SOURCE=3` support
authored by
Robert Scott
and committed by
GitHub
0eedcfc3
8997f4a4
+78
-25
+24
-3
pkgs/build-support/cc-wrapper/add-hardening.sh
+24
-3
pkgs/build-support/cc-wrapper/add-hardening.sh
···
12
12
# Remove unsupported flags.
13
13
for flag in @hardening_unsupported_flags@; do
14
14
unset -v "hardeningEnableMap[$flag]"
15
+
# fortify being unsupported implies fortify3 is unsupported
16
+
if [[ "$flag" = 'fortify' ]] ; then
17
+
unset -v "hardeningEnableMap['fortify3']"
18
+
fi
15
19
done
20
+
21
+
# make fortify and fortify3 mutually exclusive
22
+
if [[ -z "${hardeningEnableMap[fortify3]-}" ]]; then
23
+
unset -v "hardeningEnableMap['fortify']"
24
+
fi
16
25
17
26
if (( "${NIX_DEBUG:-0}" >= 1 )); then
18
27
declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
···
45
36
46
37
for flag in "${!hardeningEnableMap[@]}"; do
47
38
case $flag in
48
-
fortify)
49
-
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
39
+
fortify | fortify3)
50
40
# Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
51
41
# set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
52
-
hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE' '-D_FORTIFY_SOURCE=2')
42
+
hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
43
+
case $flag in
44
+
fortify)
45
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
46
+
hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
47
+
;;
48
+
fortify3)
49
+
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
50
+
hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
51
+
;;
52
+
*)
53
+
# Ignore unsupported.
54
+
;;
55
+
esac
53
56
;;
54
57
stackprotector)
55
58
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
+1
pkgs/development/compilers/gcc/10/default.nix
+1
pkgs/development/compilers/gcc/10/default.nix
+1
pkgs/development/compilers/gcc/11/default.nix
+1
pkgs/development/compilers/gcc/11/default.nix
+1
-1
pkgs/development/compilers/gcc/4.8/default.nix
+1
-1
pkgs/development/compilers/gcc/4.8/default.nix
···
297
297
passthru = {
298
298
inherit langC langCC langObjC langObjCpp langFortran langGo version;
299
299
isGNU = true;
300
-
hardeningUnsupportedFlags = [ "stackprotector" ];
300
+
hardeningUnsupportedFlags = [ "stackprotector" "fortify3" ];
301
301
};
302
302
303
303
enableParallelBuilding = true;
+1
pkgs/development/compilers/gcc/4.9/default.nix
+1
pkgs/development/compilers/gcc/4.9/default.nix
+1
pkgs/development/compilers/gcc/6/default.nix
+1
pkgs/development/compilers/gcc/6/default.nix
+1
pkgs/development/compilers/gcc/7/default.nix
+1
pkgs/development/compilers/gcc/7/default.nix
+1
pkgs/development/compilers/gcc/8/default.nix
+1
pkgs/development/compilers/gcc/8/default.nix
+1
pkgs/development/compilers/gcc/9/default.nix
+1
pkgs/development/compilers/gcc/9/default.nix
+2
-1
pkgs/development/compilers/llvm/10/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/10/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/11/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/11/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/12/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/12/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/13/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/13/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/14/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/14/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/5/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/5/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/6/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/6/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/7/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/7/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/8/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/8/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/9/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/9/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/git/clang/default.nix
+2
-1
pkgs/development/compilers/llvm/git/clang/default.nix
+3
pkgs/development/libraries/acl/default.nix
+3
pkgs/development/libraries/acl/default.nix
···
19
19
nativeBuildInputs = [ gettext ];
20
20
buildInputs = [ attr ];
21
21
22
+
# causes failures in coreutils test suite
23
+
hardeningDisable = [ "fortify3" ];
24
+
22
25
# Upstream use C++-style comments in C code. Remove them.
23
26
# This comment breaks compilation if too strict gcc flags are used.
24
27
patchPhase = ''
+1
pkgs/development/libraries/libffi/default.nix
+1
pkgs/development/libraries/libffi/default.nix
+18
-10
pkgs/stdenv/generic/make-derivation.nix
+18
-10
pkgs/stdenv/generic/make-derivation.nix
···
186
186
++ buildInputs ++ propagatedBuildInputs
187
187
++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
188
188
dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
189
-
supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
189
+
190
+
hardeningDisable' = if lib.any (x: x == "fortify") hardeningDisable
191
+
# disabling fortify implies fortify3 should also be disabled
192
+
then lib.unique (hardeningDisable ++ [ "fortify3" ])
193
+
else hardeningDisable;
194
+
supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
190
195
# Musl-based platforms will keep "pie", other platforms will not.
191
196
# If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
192
197
# in the nixpkgs manual to inform users about the defaults.
193
-
defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
194
-
# Except when:
195
-
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
196
-
# - static armv7l, where compilation fails.
197
-
!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
198
-
then supportedHardeningFlags
199
-
else lib.remove "pie" supportedHardeningFlags;
198
+
defaultHardeningFlags = let
199
+
# not ready for this by default
200
+
supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
201
+
in if stdenv.hostPlatform.isMusl &&
202
+
# Except when:
203
+
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
204
+
# - static armv7l, where compilation fails.
205
+
!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
206
+
then supportedHardeningFlags'
207
+
else lib.remove "pie" supportedHardeningFlags';
200
208
enabledHardeningOptions =
201
-
if builtins.elem "all" hardeningDisable
209
+
if builtins.elem "all" hardeningDisable'
202
210
then []
203
-
else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable);
211
+
else lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable);
204
212
# hardeningDisable additionally supports "all".
205
213
erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);
206
214
+1
pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+1
pkgs/stdenv/linux/bootstrap-tools-musl/default.nix