authorMatthew Bauer <mjbauer95@gmail.com>2018-11-10 13:49:36 -0600
committerMatthew Bauer <mjbauer95@gmail.com>2018-11-13 07:03:31 -0600
commit76c956be5cecfc73423d767d9243d159d7b83508 (patch)
tree0c74e6fefa7959c7a90b277951d02b780628861f /pkgs
parent08d98b2e3814e5c6b4832f335897d482db6d361d (diff)
treewide: disable pie in more places
Some packages don’t work correctly with pie. Here I disable it for:

- busybox
- linux kernel
- kexectools

I also get rid of the Musl conditional for disabling PIE in GCC and
Binutils. Some day we might want to enable PIE without Musl, and it
will be useful to have these *just* work with our compilers and linkers.
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/development/compilers/gcc/4.8/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.9/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/5/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/6/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/7/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/8/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/snapshot/default.nix2
-rw-r--r--pkgs/development/tools/misc/binutils/default.nix2
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix3
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix2
-rw-r--r--pkgs/os-specific/linux/kexectools/default.nix2
11 files changed, 12 insertions, 11 deletions
diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix
index bcb724fd58c..a7a8011b2e6 100644
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@@ -177,7 +177,7 @@ stdenv.mkDerivation ({
 
   inherit patches;
 
-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];
 
   outputs = [ "out" "lib" "man" "info" ];
   setOutputFlags = false;
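Review bot: The new `hardeningDisable = [ "format" "pie" ];` line drops the `isMusl` condition without recording why PIE must now stay off for glibc targets as well, so a later reader cannot tell whether this covers a known build failure or is precautionary. A one-line comment above it would preserve the intent, e.g. `# PIE is disabled unconditionally (previously only for musl): the gcc binaries themselves are built non-PIE; revisit if "pie" ever joins the default hardening set.` If `pie` is not part of stdenv's default hardening flags, this line only changes anything for builds that opt in via hardeningEnable, which is worth stating explicitly since it silently removes ASLR for the compiler's own executables in that case. The same line is repeated verbatim in gcc/4.9 through gcc/8 in this commit, so whatever wording is chosen should be kept identical across them. The enclosing mkDerivation attribute set starts and ends outside the hunk.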
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index 13ff4165a41..a3ba03f517a 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -185,7 +185,7 @@ stdenv.mkDerivation ({
 
   inherit patches;
 
-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];
 
   outputs = if langJava || langGo then ["out" "man" "info"]
     else [ "out" "lib" "man" "info" ];
diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix
index a30cd6bbda9..95e3d7b8492 100644
--- a/pkgs/development/compilers/gcc/5/default.nix
+++ b/pkgs/development/compilers/gcc/5/default.nix
@@ -178,7 +178,7 @@ stdenv.mkDerivation ({
 
   libc_dev = stdenv.cc.libc_dev;
 
-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];
 
   # This should kill all the stdinc frameworks that gcc and friends like to
   # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
index 372a7065f2d..ff48e485a9a 100644
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@@ -178,7 +178,7 @@ stdenv.mkDerivation ({
 
   libc_dev = stdenv.cc.libc_dev;
 
-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];
 
   # This should kill all the stdinc frameworks that gcc and friends like to
   # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/7/default.nix b/pkgs/development/compilers/gcc/7/default.nix
index 094c26cbf69..9235908f14c 100644
--- a/pkgs/development/compilers/gcc/7/default.nix
+++ b/pkgs/development/compilers/gcc/7/default.nix
@@ -149,7 +149,7 @@ stdenv.mkDerivation ({
 
   libc_dev = stdenv.cc.libc_dev;
 
-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];
 
   # This should kill all the stdinc frameworks that gcc and friends like to
   # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/8/default.nix b/pkgs/development/compilers/gcc/8/default.nix
index 1335666c54c..363694dcf4e 100644
--- a/pkgs/development/compilers/gcc/8/default.nix
+++ b/pkgs/development/compilers/gcc/8/default.nix
@@ -143,7 +143,7 @@ stdenv.mkDerivation ({
 
   libc_dev = stdenv.cc.libc_dev;
 
-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];
 
   # This should kill all the stdinc frameworks that gcc and friends like to
   # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/snapshot/default.nix b/pkgs/development/compilers/gcc/snapshot/default.nix
index c18189cd949..586fb2b44e1 100644
--- a/pkgs/development/compilers/gcc/snapshot/default.nix
+++ b/pkgs/development/compilers/gcc/snapshot/default.nix
@@ -137,7 +137,7 @@ stdenv.mkDerivation ({
 
   libc_dev = stdenv.cc.libc_dev;
 
-  hardeningDisable = [ "format" ];
+  hardeningDisable = [ "format" "pie" ];
 
   postPatch =
     if targetPlatform != hostPlatform || stdenv.cc.libc != null then
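Review bot: Unlike the release-branch gcc files, the old line here was a plain `[ "format" ]` with no musl conditional at all, so this hunk is the first time the snapshot compiler is built with PIE disabled on any target; the commit message does not call that out. A short comment, such as `# Kept in sync with gcc/<version>/default.nix: PIE is disabled for the compiler's own binaries.`, would explain why the snapshot now diverges from its previous behaviour. The surrounding mkDerivation attribute set continues outside the hunk.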
diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix
index 54f9b5e4031..2d2884eda3e 100644
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@@ -97,7 +97,7 @@ stdenv.mkDerivation rec {
     then "-Wno-string-plus-int -Wno-deprecated-declarations"
     else "-static-libgcc";
 
-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];
 
   # TODO(@Ericson2314): Always pass "--target" and always targetPrefix.
   configurePlatforms = [ "build" "host" ] ++ stdenv.lib.optional (stdenv.targetPlatform != stdenv.hostPlatform) "target";
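Review bot: The new `hardeningDisable = [ "format" "pie" ];` line makes ld, as and the other binutils executables non-PIE for every target, not just musl, but nothing in the file says why; the adjacent NIX_CFLAGS_COMPILE logic a few lines up is commented, and this line deserves the same. Something like `# PIE is disabled unconditionally (was musl-only) so binutils builds the same way regardless of libc; see the matching line in gcc/*/default.nix.` would tie the two changes together. If `pie` is not in the default hardening set this is currently a no-op, but once it is enabled the linker and assembler lose ASLR of their main image, which is a deliberate trade-off worth naming. The enclosing mkDerivation rec body starts and ends outside the hunk.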
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 71ad6203e32..5f4efe943ca 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -42,7 +42,8 @@ stdenv.mkDerivation rec {
     sha256 = "1dzg45vgy2w1xcd3p6h8d76ykhabbvk1h0lf8yb24ikrwlv8cr4p";
   };
 
-  hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
+  hardeningDisable = [ "format" "pie" ]
+    ++ lib.optionals enableStatic [ "fortify" ];
 
   patches = [
     ./busybox-in-store.patch
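Review bot: PIE is now disabled for both the static and the dynamic busybox build, whereas `fortify` on the next line is only disabled when `enableStatic` is set; the commit message says busybox "doesn't work correctly with pie" but does not say whether that holds for the dynamic build too. If the breakage is only the static case (static linking plus PIE needs static-pie support the toolchain may not have), scoping it the same way keeps ASLR for the dynamic multi-call binary: `hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" "pie" ];`. If the dynamic build genuinely fails as well, a comment stating the observed failure would let the disable be lifted later once it is fixed. The surrounding mkDerivation rec body continues outside the hunk.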
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 1d280647c5a..0ce6ed769a3 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -269,7 +269,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.platform kernelPatches
       ++ optionals stdenv.lib.inNixShell [ pkgconfig ncurses ]
       ;
 
-  hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ];
+  hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ];
 
   # Absolute paths for compilers avoid any PATH-clobbering issues.
   makeFlags = commonMakeFlags ++ [
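Review bot: The hardeningDisable list now switches off six stdenv hardening flags (`bindnow format fortify stackprotector pic pie`) with no comment explaining why any of them is incompatible with the kernel build. Adding "pie" next to the already-disabled "pic" is internally consistent, but a single line such as `# The kernel build manages its own code-model, relocation and stack-protector flags; stdenv's hardening wrappers would conflict with them.` would document the whole list rather than just this addition, assuming that is the actual reason. The enclosing mkDerivation attribute set starts and ends outside the hunk.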
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 069bd17c483..b78286a902b 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
     sha256 = "1ac20jws8iys9w6dpn4q3hihyx73zkabdwv3gcb779cxfrmq2k2h";
   };
 
-  hardeningDisable = [ "format" "pic" "relro" ];
+  hardeningDisable = [ "format" "pic" "relro" "pie" ];
 
   configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" ];
   nativeBuildInputs = [ buildPackages.stdenv.cc ];
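Review bot: "pie" joins "pic" and "relro" in hardeningDisable, but none of the three disables is explained in the file, so a reader cannot tell whether PIE breaks the build or whether a specific component of kexec-tools needs a fixed layout. A comment above the line, e.g. `# kexec-tools builds freestanding code with its own relocation model, so position-independent/relro hardening is disabled; presumably PIE fails the same way.`, would record the rationale, with the last clause hedged since the commit message gives no concrete failure. The surrounding mkDerivation rec body continues outside the hunk.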