authorRobert Scott <code@humanleg.org.uk>2023-02-16 21:19:30 +0000
committerGitHub <noreply@github.com>2023-02-16 21:19:30 +0000
commit0eedcfc3f4570ae3df43116d5d1e3f586fc36f7d (patch)
tree07ff452e2aa56b17ce1c3d971c2e0dee4c374d03 /pkgs
parent8997f4a4db9b9e9dc68a5fdb0ae9d23cfd0d85b1 (diff)
parent4e49c5d2e3550e072a34aa2c761cb7beb82e1309 (diff)
Merge pull request #212498 from risicle/ris-fortify3
hardening flags: add `FORTIFY_SOURCE=3` support
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/build-support/cc-wrapper/add-hardening.sh27
-rw-r--r--pkgs/development/compilers/gcc/10/default.nix1
-rw-r--r--pkgs/development/compilers/gcc/11/default.nix1
-rw-r--r--pkgs/development/compilers/gcc/4.8/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.9/default.nix1
-rw-r--r--pkgs/development/compilers/gcc/6/default.nix1
-rw-r--r--pkgs/development/compilers/gcc/7/default.nix1
-rw-r--r--pkgs/development/compilers/gcc/8/default.nix1
-rw-r--r--pkgs/development/compilers/gcc/9/default.nix1
-rw-r--r--pkgs/development/compilers/llvm/10/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/11/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/12/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/13/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/14/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/5/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/6/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/7/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/8/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/9/clang/default.nix3
-rw-r--r--pkgs/development/compilers/llvm/git/clang/default.nix3
-rw-r--r--pkgs/development/libraries/acl/default.nix3
-rw-r--r--pkgs/development/libraries/libffi/default.nix1
-rw-r--r--pkgs/stdenv/generic/make-derivation.nix28
-rw-r--r--pkgs/stdenv/linux/bootstrap-tools-musl/default.nix1
-rw-r--r--pkgs/stdenv/linux/bootstrap-tools/default.nix1
25 files changed, 78 insertions, 25 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index b23fda1fed7..3a7513a9f01 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -12,8 +12,17 @@ done
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
   unset -v "hardeningEnableMap[$flag]"
+  # fortify being unsupported implies fortify3 is unsupported
+  if [[ "$flag" = 'fortify' ]] ; then
+    unset -v "hardeningEnableMap['fortify3']"
+  fi
 done
 
+# make fortify and fortify3 mutually exclusive
+if [[ -z "${hardeningEnableMap[fortify3]-}" ]]; then
+  unset -v "hardeningEnableMap['fortify']"
+fi
+
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
   declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
   declare -A hardeningDisableMap=()
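Review bot: The new mutual-exclusion check `if [[ -z "${hardeningEnableMap[fortify3]-}" ]]; then` is inverted: `-z` is true when fortify3 is absent from the map, so `fortify` is unset precisely when fortify3 is not enabled — which is the default for every build — while the case the comment describes (both enabled) leaves both keys in place. The test should read `if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then` so that fortify is only dropped when fortify3 supersedes it; as written this silently turns off the default fortify hardening. The `NIX_DEBUG` list on the context line that follows, `allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)`, also has no `fortify3` entry, so debug output will never report fortify3 as disabled; add it there.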
@@ -36,11 +45,23 @@ fi
 
 for flag in "${!hardeningEnableMap[@]}"; do
   case $flag in
-    fortify)
-      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+    fortify | fortify3)
       # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
       # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE' '-D_FORTIFY_SOURCE=2')
+      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+      case $flag in
+        fortify)
+          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+          hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+        ;;
+        fortify3)
+          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
+          hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+        ;;
+        *)
+          # Ignore unsupported.
+          ;;
+      esac
       ;;
     stackprotector)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
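Review bot: The inner `*)` arm with `# Ignore unsupported.` is unreachable, because the outer pattern `fortify | fortify3)` already restricts `$flag` to those two values; drop the arm or reword the comment so it does not suggest an unsupported-flag path exists here. This arm also relies on fortify and fortify3 never both surviving in `hardeningEnableMap`: if they do, `-O2 -U_FORTIFY_SOURCE` is appended twice and both `-D_FORTIFY_SOURCE=2` and `-D_FORTIFY_SOURCE=3` are emitted in associative-array iteration order, so the fortify level actually in effect is not predictable. The enclosing `for flag in "${!hardeningEnableMap[@]}"` loop continues outside the hunk.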
diff --git a/pkgs/development/compilers/gcc/10/default.nix b/pkgs/development/compilers/gcc/10/default.nix
index 4df0872688b..f470cb120de 100644
--- a/pkgs/development/compilers/gcc/10/default.nix
+++ b/pkgs/development/compilers/gcc/10/default.nix
@@ -271,6 +271,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
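Review bot: The attribute `hardeningUnsupportedFlags = [ "fortify3" ];` is added without any comment here and repeated verbatim in the gcc 4.8, 4.9, 6, 7, 8, 9, 11 expressions, the llvm 5–14 and git clang expressions and both bootstrap-tools derivations below, so a reader of any one file has no idea why this compiler is excluded or where the flag is consumed. A one-line comment on the attribute would help, e.g. `# _FORTIFY_SOURCE=3 is not supported by this compiler; consumed by cc-wrapper/add-hardening.sh`. Since the list is identical everywhere, a compiler version added later that also lacks support will silently get fortify3 unless the maintainer remembers this attribute; consider noting that in the gcc/clang common files.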
diff --git a/pkgs/development/compilers/gcc/11/default.nix b/pkgs/development/compilers/gcc/11/default.nix
index 4b91e059830..3ae54fc3b91 100644
--- a/pkgs/development/compilers/gcc/11/default.nix
+++ b/pkgs/development/compilers/gcc/11/default.nix
@@ -280,6 +280,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix
index 7e6d4eb1223..99c8ef399b5 100644
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@@ -297,7 +297,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langGo version;
     isGNU = true;
-    hardeningUnsupportedFlags = [ "stackprotector" ];
+    hardeningUnsupportedFlags = [ "stackprotector" "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index 4ea63d7c12e..d966b75d377 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -317,6 +317,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langGo version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
index 7e5e2c6b10b..953f931fa81 100644
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@@ -338,6 +338,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langAda langGo version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/7/default.nix b/pkgs/development/compilers/gcc/7/default.nix
index 75366c5b04d..7a326b8d73c 100644
--- a/pkgs/development/compilers/gcc/7/default.nix
+++ b/pkgs/development/compilers/gcc/7/default.nix
@@ -278,6 +278,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langGo version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/8/default.nix b/pkgs/development/compilers/gcc/8/default.nix
index e0b1a1e24ad..a929663dca2 100644
--- a/pkgs/development/compilers/gcc/8/default.nix
+++ b/pkgs/development/compilers/gcc/8/default.nix
@@ -254,6 +254,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langGo version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/9/default.nix b/pkgs/development/compilers/gcc/9/default.nix
index bcfd1c7dd38..6da17fb0945 100644
--- a/pkgs/development/compilers/gcc/9/default.nix
+++ b/pkgs/development/compilers/gcc/9/default.nix
@@ -268,6 +268,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/llvm/10/clang/default.nix b/pkgs/development/compilers/llvm/10/clang/default.nix
index 0f3c943b527..37292e04052 100644
--- a/pkgs/development/compilers/llvm/10/clang/default.nix
+++ b/pkgs/development/compilers/llvm/10/clang/default.nix
@@ -91,8 +91,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/11/clang/default.nix b/pkgs/development/compilers/llvm/11/clang/default.nix
index fa8080c998f..9108392129d 100644
--- a/pkgs/development/compilers/llvm/11/clang/default.nix
+++ b/pkgs/development/compilers/llvm/11/clang/default.nix
@@ -96,8 +96,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/12/clang/default.nix b/pkgs/development/compilers/llvm/12/clang/default.nix
index ed99f4fe7bc..5fa4f2e920c 100644
--- a/pkgs/development/compilers/llvm/12/clang/default.nix
+++ b/pkgs/development/compilers/llvm/12/clang/default.nix
@@ -90,8 +90,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/13/clang/default.nix b/pkgs/development/compilers/llvm/13/clang/default.nix
index 056a1b7e0f0..bc09187c33a 100644
--- a/pkgs/development/compilers/llvm/13/clang/default.nix
+++ b/pkgs/development/compilers/llvm/13/clang/default.nix
@@ -84,8 +84,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/14/clang/default.nix b/pkgs/development/compilers/llvm/14/clang/default.nix
index 55d879fb76e..b4cadbe8ca3 100644
--- a/pkgs/development/compilers/llvm/14/clang/default.nix
+++ b/pkgs/development/compilers/llvm/14/clang/default.nix
@@ -87,8 +87,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/5/clang/default.nix b/pkgs/development/compilers/llvm/5/clang/default.nix
index 57d6fe6ae7f..5cccbc44cb4 100644
--- a/pkgs/development/compilers/llvm/5/clang/default.nix
+++ b/pkgs/development/compilers/llvm/5/clang/default.nix
@@ -84,8 +84,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/6/clang/default.nix b/pkgs/development/compilers/llvm/6/clang/default.nix
index 1b37efe3f08..104baeafd10 100644
--- a/pkgs/development/compilers/llvm/6/clang/default.nix
+++ b/pkgs/development/compilers/llvm/6/clang/default.nix
@@ -84,8 +84,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/7/clang/default.nix b/pkgs/development/compilers/llvm/7/clang/default.nix
index d146e5b5f81..5c40ba14396 100644
--- a/pkgs/development/compilers/llvm/7/clang/default.nix
+++ b/pkgs/development/compilers/llvm/7/clang/default.nix
@@ -96,8 +96,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/8/clang/default.nix b/pkgs/development/compilers/llvm/8/clang/default.nix
index bc2ed03eed9..e00bc1c319a 100644
--- a/pkgs/development/compilers/llvm/8/clang/default.nix
+++ b/pkgs/development/compilers/llvm/8/clang/default.nix
@@ -102,8 +102,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/9/clang/default.nix b/pkgs/development/compilers/llvm/9/clang/default.nix
index 7819676e33a..fa9cabf3671 100644
--- a/pkgs/development/compilers/llvm/9/clang/default.nix
+++ b/pkgs/development/compilers/llvm/9/clang/default.nix
@@ -97,8 +97,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/git/clang/default.nix b/pkgs/development/compilers/llvm/git/clang/default.nix
index 8f2663b7e89..35d196b4b6e 100644
--- a/pkgs/development/compilers/llvm/git/clang/default.nix
+++ b/pkgs/development/compilers/llvm/git/clang/default.nix
@@ -88,8 +88,9 @@ let
     '';
 
     passthru = {
-      isClang = true;
       inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
     };
 
     meta = llvm_meta // {
diff --git a/pkgs/development/libraries/acl/default.nix b/pkgs/development/libraries/acl/default.nix
index 1ac577e19cd..5b31ba3a1c8 100644
--- a/pkgs/development/libraries/acl/default.nix
+++ b/pkgs/development/libraries/acl/default.nix
@@ -19,6 +19,9 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ gettext ];
   buildInputs = [ attr ];
 
+  # causes failures in coreutils test suite
+  hardeningDisable = [ "fortify3" ];
+
   # Upstream use C++-style comments in C code. Remove them.
   # This comment breaks compilation if too strict gcc flags are used.
   patchPhase = ''
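Review bot: The comment `# causes failures in coreutils test suite` on the new `hardeningDisable = [ "fortify3" ];` does not say how building acl with fortify3 surfaces in coreutils' tests or where the failure was observed, so nobody can tell when it is safe to remove the exception. Expand it along the lines of `# libacl built with fortify3 makes the coreutils test suite fail (see <ISSUE-LINK placeholder>); drop once the root cause is fixed`.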
diff --git a/pkgs/development/libraries/libffi/default.nix b/pkgs/development/libraries/libffi/default.nix
index 2031f175eab..681f9cbfb22 100644
--- a/pkgs/development/libraries/libffi/default.nix
+++ b/pkgs/development/libraries/libffi/default.nix
@@ -44,6 +44,7 @@ stdenv.mkDerivation rec {
 
   preCheck = ''
     # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
+    NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify3/}
     NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
   '';
 
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 6bf319d0730..d9672f62e3d 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -186,21 +186,29 @@ let
                                   ++ buildInputs ++ propagatedBuildInputs
                                   ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
   dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
-  supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+
+  hardeningDisable' = if lib.any (x: x == "fortify") hardeningDisable
+    # disabling fortify implies fortify3 should also be disabled
+    then lib.unique (hardeningDisable ++ [ "fortify3" ])
+    else hardeningDisable;
+  supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
   # Musl-based platforms will keep "pie", other platforms will not.
   # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
   # in the nixpkgs manual to inform users about the defaults.
-  defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
-                            # Except when:
-                            #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
-                            #    - static armv7l, where compilation fails.
-                            !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
-                          then supportedHardeningFlags
-                          else lib.remove "pie" supportedHardeningFlags;
+  defaultHardeningFlags = let
+    # not ready for this by default
+    supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
+  in if stdenv.hostPlatform.isMusl &&
+      # Except when:
+      #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
+      #    - static armv7l, where compilation fails.
+      !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
+    then supportedHardeningFlags'
+    else lib.remove "pie" supportedHardeningFlags';
   enabledHardeningOptions =
-    if builtins.elem "all" hardeningDisable
+    if builtins.elem "all" hardeningDisable'
     then []
-    else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable);
+    else lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable);
   # hardeningDisable additionally supports "all".
   erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);
 
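Review bot: `hardeningDisable'` makes disabling fortify imply disabling fortify3, but there is no mirror rule for enabling: `hardeningEnable = [ "fortify3" ]` on a platform whose `defaultHardeningFlags` already contain `fortify` yields an `enabledHardeningOptions` list holding both, and the conflict is resolved only later in cc-wrapper's add-hardening.sh. Resolving it here would keep the policy in one place and make the derivation's `NIX_HARDENING_ENABLE` self-describing, e.g. in the `else` branch: `else let opts = lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable); in if builtins.elem "fortify3" opts then lib.remove "fortify" opts else opts;`. The comment `# not ready for this by default` would also serve readers better if it said what blocks it, e.g. `# fortify3 is opt-in: several supported compilers list it in hardeningUnsupportedFlags and some packages disable it for test failures; enable per package via hardeningEnable`.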
diff --git a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
index d690f402672..569f0c6f31e 100644
--- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
@@ -15,4 +15,5 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
+  hardeningUnsupportedFlags = [ "fortify3" ];
 } // extraAttrs)
diff --git a/pkgs/stdenv/linux/bootstrap-tools/default.nix b/pkgs/stdenv/linux/bootstrap-tools/default.nix
index d690f402672..569f0c6f31e 100644
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@@ -15,4 +15,5 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
+  hardeningUnsupportedFlags = [ "fortify3" ];
 } // extraAttrs)