From 954e9903adc837c201a7bd70eede50d874aadbf6 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Wed, 23 Dec 2015 02:59:47 +0100 Subject: Use a hardened stdenv by default --- pkgs/applications/audio/cdparanoia/default.nix | 2 ++ pkgs/applications/audio/mpg321/default.nix | 2 ++ pkgs/applications/networking/browsers/w3m/default.nix | 2 ++ .../version-management/git-and-tools/git/default.nix | 2 ++ pkgs/applications/virtualization/xen/generic.nix | 2 ++ pkgs/desktops/gnome-2/platform/libgnomecups/default.nix | 2 ++ pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix | 6 ++++-- pkgs/development/compilers/dev86/default.nix | 2 ++ pkgs/development/compilers/gcc/4.5/default.nix | 2 ++ pkgs/development/compilers/gcc/4.9/default.nix | 2 ++ pkgs/development/compilers/go/1.4.nix | 2 ++ pkgs/development/compilers/go/1.5.nix | 2 ++ .../development/haskell-modules/configuration-common.nix | 6 +++++- pkgs/development/libraries/CoinMP/default.nix | 2 ++ pkgs/development/libraries/audio/libbs2b/default.nix | 2 ++ pkgs/development/libraries/fribidi/default.nix | 4 +++- pkgs/development/libraries/gd/default.nix | 6 ++++-- pkgs/development/libraries/gettext/default.nix | 2 ++ pkgs/development/libraries/giflib/libungif.nix | 2 ++ pkgs/development/libraries/glibc/common.nix | 4 ++++ pkgs/development/libraries/glibc/default.nix | 2 ++ pkgs/development/libraries/gnu-efi/default.nix | 2 ++ pkgs/development/libraries/libgphoto2/default.nix | 2 ++ pkgs/development/libraries/libvisual/default.nix | 2 ++ pkgs/development/libraries/pupnp/default.nix | 2 ++ pkgs/development/libraries/speechd/default.nix | 2 ++ pkgs/development/tools/misc/elfutils/default.nix | 2 ++ pkgs/os-specific/linux/acpi-call/default.nix | 4 +++- pkgs/os-specific/linux/busybox/default.nix | 2 ++ pkgs/os-specific/linux/gogoclient/default.nix | 2 ++ pkgs/os-specific/linux/jool/default.nix | 2 ++ pkgs/os-specific/linux/kernel/manual-config.nix | 6 ++++++ pkgs/os-specific/linux/kexectools/default.nix | 2 ++ pkgs/os-specific/linux/numad/default.nix | 2 ++ pkgs/servers/gpm/default.nix | 2 ++ 
pkgs/shells/dash/default.nix | 2 ++ pkgs/stdenv/adapters.nix | 16 ++++++++++++++++ pkgs/tools/admin/tightvnc/default.nix | 2 ++ pkgs/tools/archivers/sharutils/default.nix | 2 ++ pkgs/tools/archivers/unzip/default.nix | 2 ++ pkgs/tools/archivers/zip/default.nix | 2 ++ pkgs/tools/cd-dvd/cdrkit/default.nix | 2 ++ pkgs/tools/graphics/graphviz/default.nix | 2 ++ pkgs/tools/graphics/transfig/default.nix | 2 ++ pkgs/tools/misc/expect/default.nix | 2 ++ pkgs/tools/misc/grub/2.0x.nix | 2 ++ pkgs/tools/misc/gummiboot/default.nix | 2 ++ pkgs/tools/networking/iperf/2.nix | 2 ++ pkgs/tools/networking/vde2/default.nix | 2 ++ pkgs/tools/typesetting/tex/texlive-new/bin.nix | 2 ++ pkgs/top-level/all-packages.nix | 4 ++-- 51 files changed, 131 insertions(+), 9 deletions(-) (limited to 'pkgs') diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix index 1658d9c7449..c19b261016d 100644 --- a/pkgs/applications/audio/cdparanoia/default.nix +++ b/pkgs/applications/audio/cdparanoia/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80"; }; + noHardening_format = true; + preConfigure = "unset CC"; patches = stdenv.lib.optionals stdenv.isDarwin [ diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix index 489831dc464..e833784ee76 100644 --- a/pkgs/applications/audio/mpg321/default.nix +++ b/pkgs/applications/audio/mpg321/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"; }; + noHardening_format = true; + configureFlags = [ ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no")) ]; diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index 076b3faf11f..d849b10daee 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix 
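Review bot: `noHardening_format = true;` is added without a comment saying which build error it works around, and the same holds for every other `noHardening_*` line in this commit (mpg321, w3m, git and the rest, through texlive); an opt-out with no recorded reason is rarely revisited, so each should carry something like `# fails with -Werror=format-security; revisit when upstream fixes its format strings`. Where the entire set is switched off with `noHardening_all` (xen, gcc 4.5, go 1.4/1.5, glibc, gnu-efi, pupnp, graphviz, grub, gummiboot), the finer attributes used in kernel/manual-config.nix would keep the unaffected protections on, and several of those packages (xen tools, pupnp, grub) sit at trust boundaries, so the reason all protections must go is worth stating. The same applies to unzip, where the opt-out lands right next to its CVE patches. The enclosing mkDerivation attribute set starts and ends outside the hunk.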
@@ -50,6 +50,8 @@ stdenv.mkDerivation rec { ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ''; + noHardening_format = true; + configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 49ecce0456b..a5df0dbe08e 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation { sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs"; }; + noHardening_format = true; + patches = [ ./docbook2texi.patch ./symlinks-in-bin.patch diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 6774675266c..c742ffb5002 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -75,6 +75,8 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; + noHardening_all = true; + patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; postPatch = '' diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix index 2aa47d799c9..ec7b9ff8a8b 100644 --- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71"; }; + noHardening_format = true; + patches = [ ./glib.patch ./cups_1.6.patch ]; buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ]; 
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix index 6aab400c60a..5044dbabd2f 100644 --- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix @@ -2,12 +2,14 @@ stdenv.mkDerivation { name = "libgtkhtml-2.11.1"; - + src = fetchurl { url = mirror://gnome/sources/libgtkhtml/2.11/libgtkhtml-2.11.1.tar.bz2; sha256 = "0msajafd42545dxzyr5zqka990cjrxw2yz09ajv4zs8m1w6pm9rw"; }; - + buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; + + noHardening_format = true; } diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index f37dae80830..b8083c9ed6b 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; + noHardening_format = true; + makeFlags = "PREFIX=$(out)"; # Awful hackery to get dev86 to compile with recent gcc/binutils. diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 6cde7aba92a..4f1b017302a 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,6 +134,8 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; + noHardening_all = true; + patches = [ ] ++ optional (cross != null) ../libstdc++-target.patch diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index add9b30fb62..c7d63099be1 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -218,6 +218,8 @@ stdenv.mkDerivation ({ inherit patches; + noHardening_format = true; + postPatch = if (stdenv.isGNU || (libcCross != null # e.g., building `gcc.crossDrv' 
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index d2500169744..fdfc9d45646 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; + noHardening_all = true; + # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. preUnpack = '' diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 54c8cf219d5..26ffabced6a 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { Security Foundation ]; + noHardening_all = true; + # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. preUnpack = '' diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 1f746802c7b..1982ca21802 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -44,7 +44,11 @@ self: super: { options_1_2 = dontCheck super.options_1_2; options = dontCheck super.options; statistics = dontCheck super.statistics; - c2hs = if pkgs.stdenv.isDarwin then dontCheck super.c2hs else super.c2hs; + c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: { + noHardening_format = true; + doCheck = false; + }); + in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_; # The package doesn't compile with ruby 1.9, which is our default at the moment. hruby = super.hruby.override { ruby = pkgs.ruby_2_1; }; diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix index e819078f786..bdd380fd4b8 100644 
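Review bot: `noHardening_format = true` set through `pkgs.stdenv.lib.overrideDerivation` probably never reaches `useHardenFlags`: the adapter reads `args.noHardening_format` at `stdenv.mkDerivation` time, whereas `overrideDerivation` (as implemented in nixpkgs lib) re-invokes the `derivation` primitive with attributes that have already been computed, so `NIX_CFLAGS_COMPILE` still carries `-Werror=format-security` and the new attribute only becomes an unused environment variable. If c2hs really fails on format-security, either pass the opt-out through the Haskell generic builder's own `stdenv.mkDerivation` call or counter the flag directly in this override, e.g. `NIX_CFLAGS_COMPILE = toString (drv.NIX_CFLAGS_COMPILE or "") + " -Wno-error=format-security";`, and confirm with `nix-store -q --binding NIX_CFLAGS_COMPILE` on the resulting .drv. The library form of `overrideDerivation` may also drop the `.override` attribute that `dontCheck`/`overrideCabal` rely on, which would make the `isDarwin` branch fail to evaluate — `super.c2hs.overrideDerivation` (the method form) avoids that, and with `doCheck = false` already set the Darwin special case looks redundant anyway. The `self: super: { … }` overlay continues outside the hunk.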
--- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; + noHardening_format = true; + meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; description = "COIN-OR lightweight API for COIN-OR libraries CLP, CBC, and CGL"; diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index e43a5acb6bd..e9a13b6ff87 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; + noHardening_format = true; + meta = { homepage = "http://bs2b.sourceforge.net/"; description = "Bauer stereophonic-to-binaural DSP library"; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 23795e9633e..5d0e451c54c 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix @@ -3,12 +3,14 @@ stdenv.mkDerivation rec { name = "fribidi-${version}"; version = "0.19.6"; - + src = fetchurl { url = "http://fribidi.org/download/${name}.tar.bz2"; sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; + noHardening_format = true; + meta = with stdenv.lib; { homepage = http://fribidi.org/; description = "GNU implementation of the Unicode Bidirectional Algorithm (bidi)"; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index 7c3c53626b5..5ca1de273b4 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix 
@@ -2,16 +2,18 @@ stdenv.mkDerivation { name = "gd-2.0.35"; - + src = fetchurl { url = http://www.libgd.org/releases/gd-2.0.35.tar.bz2; sha256 = "1y80lcmb8qbzf0a28841zxhq9ndfapmh2fsrqfd9lalxfj8288mz"; }; - + buildInputs = [zlib libpng freetype]; propagatedBuildInputs = [libjpeg fontconfig]; # urgh + noHardening_format = true; + configureFlags = "--without-x"; meta = { diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index 3d7cfc0ca31..cbdb448723a 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation (rec { outputs = [ "out" "doc" ]; + noHardening_format = true; + LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; configureFlags = [ "--disable-csharp" "--with-xz" ] diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix index f3302f8f333..45384b825c1 100644 --- a/pkgs/development/libraries/giflib/libungif.nix +++ b/pkgs/development/libraries/giflib/libungif.nix @@ -6,5 +6,7 @@ stdenv.mkDerivation { url = mirror://sourceforge/giflib/libungif-4.1.4.tar.gz; md5 = "efdfcf8e32e35740288a8c5625a70ccb"; }; + + noHardening_format = true; } diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 26d2f2454b4..6e9aa497f77 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -213,6 +213,10 @@ stdenv.mkDerivation ({ preBuild = "unset NIX_DONT_SET_RPATH"; } +// stdenv.lib.optionalAttrs (name == "glibc-locales") { + noHardening_stackprotector = true; +} + // stdenv.lib.optionalAttrs (hurdHeaders != null) { # Work around the fact that the configure snippet that looks for # does not honor `--with-headers=$sysheaders' and that 
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 08eaf555e02..a2ecedbe7e9 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -25,6 +25,8 @@ in builder = ./builder.sh; + noHardening_all = true; + # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new # store path than that determined when built (as a source for the diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index e674aae2b58..e6209ad93f6 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65"; }; + noHardening_all = true; + buildInputs = [ pciutils ]; makeFlags = [ diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index e25cdb61d86..3df793df73f 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; + noHardening_format = true; + meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; description = "A library for accessing digital cameras"; diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index dc2f0338b48..a2c9c52937e 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix 
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; + noHardening_format = true; + meta = { description = "An abstraction library for audio visualisations"; homepage = "http://sourceforge.net/projects/libvisual/"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index c5e26c1dfad..267b434da52 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; + noHardening_all = true; + meta = { description = "libupnp, an open source UPnP development kit for Linux"; diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix index 5104532ea91..cbd731aef68 100644 --- a/pkgs/development/libraries/speechd/default.nix +++ b/pkgs/development/libraries/speechd/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ dotconf glib pkgconfig ]; + noHardening_format = true; + meta = { description = "Common interface to speech synthesis"; diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix index 0a62859d207..a412d7e537c 100644 --- a/pkgs/development/tools/misc/elfutils/default.nix +++ b/pkgs/development/tools/misc/elfutils/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./glibc-2.21.patch ]; + noHardening_format = true; + # We need bzip2 in NativeInputs because otherwise we can't unpack the src, # as the host-bzip2 will be in the path. nativeBuildInputs = [ m4 bison flex gettext bzip2 ]; diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix index 289b54f1b54..1187bf10d14 100644 --- a/pkgs/os-specific/linux/acpi-call/default.nix +++ b/pkgs/os-specific/linux/acpi-call/default.nix 
@@ -8,7 +8,9 @@ stdenv.mkDerivation { rev = "ac67445bc75ec4fcf46ceb195fb84d74ad350d51"; sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; }; - + + noHardening_pic = true; + preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index fa6591701a6..86551f4eecb 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -33,6 +33,8 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; }; + noHardening_format = true; + patches = [ ./busybox-in-store.patch ]; configurePhase = '' diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix index a627a8cbcc9..38762a5f1fe 100644 --- a/pkgs/os-specific/linux/gogoclient/default.nix +++ b/pkgs/os-specific/linux/gogoclient/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"]; + noHardening_format = true; + buildInputs = [openssl]; preFixup = '' diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index fdb2f041a65..f5e76c0df50 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { src = sourceAttrs.src; + noHardening_pic = true; + prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile ''; diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 4a826ff7ae3..8c537d67551 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix 
@@ -224,10 +224,16 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); + noHardening_format = true; + noHardening_fortify = true; + noHardening_stackprotector = true; + makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ]; + noHardening_pic = true; + karch = stdenv.platform.kernelArch; crossAttrs = let cp = stdenv.cross.platform; in diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index 2199524154d..5255b331bb1 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di"; }; + noHardening_format = true; + buildInputs = [ zlib ]; meta = with stdenv.lib; { diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix index 2e88e2c794e..fa7e5110de9 100644 --- a/pkgs/os-specific/linux/numad/default.nix +++ b/pkgs/os-specific/linux/numad/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; }; + noHardening_format = true; + patches = [ ./numad-linker-flags.patch ]; diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix index a9fac485f90..c496ff3fdbb 100644 --- a/pkgs/servers/gpm/default.nix +++ b/pkgs/servers/gpm/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; buildInputs = [ ncurses ]; + noHardening_format = true; + preConfigure = '' ./autogen.sh ''; diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix index d3104439e57..ab49613a39c 100644 --- a/pkgs/shells/dash/default.nix +++ b/pkgs/shells/dash/default.nix 
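Review bot: `noHardening_pic = true;` is added on its own after `makeFlags`, separated from the three related opt-outs (`noHardening_format`, `noHardening_fortify`, `noHardening_stackprotector`) a few lines above, and none of the four says why; grouping them together with one comment, e.g. `# the kernel build manages these flags itself via Kconfig; injecting them breaks the build` (if that is the reason), lets a reader see the kernel's hardening posture at a glance instead of scanning the whole attribute set. If the kernel's Makefiles really do override CFLAGS, the flags still injected here (`-fno-strict-overflow`, `-z relro`, the format warnings) may not be taking effect either — worth verifying, in which case `noHardening_all` would describe the situation more honestly. The `stdenv.mkDerivation ((drvAttrs …) // { … })` expression starts and ends outside the hunk.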
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
   };
 
+  noHardening_format = true;
+
   meta = {
     homepage = http://gondor.apana.org.au/~herbert/dash/;
     description = "A POSIX-compliant implementation of /bin/sh that aims to be as small as possible";
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 836dedf1cb1..58e1c157b93 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -236,6 +236,22 @@ rec {
       });
     };
 
+  useHardenFlags = stdenv: stdenv //
+    { mkDerivation = args: stdenv.mkDerivation (args // {
+        NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
+          + stdenv.lib.optionalString (!(args.noHardening_all or false)) (
+            stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2"
+          + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all"
+          + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie"
+          + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC"
+          + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro"
+          + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now"
+          + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow"
+          + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security"
+          );
+      });
+    };
+
   dropCxx = drv: drv.override {
     stdenv = if pkgs.stdenv.isDarwin
       then pkgs.allStdenvs.stdenvDarwinNaked
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 22b8a607fd3..1e562ee3ecf 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
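Review bot: The `noHardening_pie` and `noHardening_bindnow` conditions are inverted relative to the other eight — `(args.noHardening_pie or false) && true` is true only when a package sets `noHardening_pie = true`, so an attribute named as an opt-out actually opts in to `-fPIE -pie` and `-z now`, and since no package in this commit sets either, those two flags are never emitted (the `&& true` is a no-op as well). Separately, `-pie`, `-z relro` and `-z now` are linker options; from `NIX_CFLAGS_COMPILE` they reach the linker only when the link step goes through the compiler driver, so `NIX_LDFLAGS` is the more reliable place for them. Finally, `noHardening_format` removes `-Wformat -Wformat-security` along with the `-Werror=`, so the many packages opted out in this commit lose the diagnostic entirely rather than just the build failure; keeping the warnings unconditional and making only `-Werror=format-security` optional preserves visibility. The rewrite below does all three (renaming the two opt-in attributes to `hardening_pie`/`hardening_bindnow`, which nothing in this commit uses); the surrounding `rec { … }` of adapters.nix continues outside the hunk.
```nix
  useHardenFlags = stdenv: stdenv //
    { mkDerivation = args: with stdenv.lib;
      let
        off = flag: args.${"noHardening_" + flag} or false;   # per-package opt-out
        on  = flag: args.${"hardening_" + flag} or false;     # opt-in, for pie/bindnow
        all = off "all";
        # compile-time flags (NIX_CFLAGS_COMPILE is picked up by cc-wrapper)
        cflags = optionalString (!all) (
            optionalString (!off "fortify") " -O2 -D_FORTIFY_SOURCE=2"
          + optionalString (!off "stackprotector") " -fstack-protector-all"
          + optionalString (on "pie") " -fPIE"
          + optionalString (!off "pic") " -fPIC"
          + optionalString (!off "strictoverflow") " -fno-strict-overflow"
          # keep the diagnostic even for packages that cannot build with -Werror
          + " -Wformat -Wformat-security"
          + optionalString (!off "format") " -Werror=format-security");
        # link-time flags go through ld-wrapper, so they also apply to direct ld calls
        ldflags = optionalString (!all) (
            optionalString (on "pie") " -pie"
          + optionalString (!off "relro") " -z relro"
          + optionalString (on "bindnow") " -z now");
      in stdenv.mkDerivation (args // {
        NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + cflags;
        NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") + ldflags;
      });
    };
```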
@@ -13,6 +13,8 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; + noHardening_format = true; + buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index e806a962eab..5d60c449173 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; + noHardening_format = true; + preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the # gnulib in sharutils is updated. diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index b5d03bc18b2..dcc51320bbd 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; + noHardening_format = true; + patches = [ ./CVE-2014-8139.diff ./CVE-2014-8140.diff diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 431ed354d21..f9349937b8f 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; + noHardening_format = true; + makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; installFlags = "prefix=$(out) INSTALL=cp"; diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index bcf9ec2c0cc..5fcccbee02c 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix 
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; + noHardening_format = true; + # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 5635e3a69ff..090af09fca0 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; + noHardening_all = true; + patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index f540029cbc7..bcbbe71b897 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; + noHardening_format = true; + patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; prefixPatch1 = diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index a50717d5399..4efa9461232 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; + noHardening_format = true; + patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure ''; diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index 8e52adc7699..abe690ca0e4 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -52,6 +52,8 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; + noHardening_all = true; + preConfigure = '' for i in "tests/util/"*.in do 
diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index 9d9b7700c90..e831bbdab6f 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; + noHardening_all = true; + # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ "--with-efi-includedir=${gnu-efi}/include" diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 33d8ee2fd63..6d9fe64f169 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; + noHardening_format = true; + meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; description = "Tool to measure IP bandwidth using UDP or TCP"; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index 72a31262e26..4aecc41aa3d 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; + noHardening_format = true; + meta = { homepage = http://vde.sourceforge.net/; description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network"; diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 431f3926a13..37c19319ef7 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,6 +64,8 @@ core = stdenv.mkDerivation rec { perl ]; + noHardening_format = true; + preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ libs/{mpfr,pixman,poppler,potrace,xpdf,zlib,zziplib} 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index c8dc32920e2..0e658228f2f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -214,12 +214,12 @@ let allPackages = args: import ./all-packages.nix ({ inherit config system; } // args); }; - defaultStdenv = allStdenvs.stdenv // { inherit platform; }; + defaultStdenv = stdenvAdapters.useHardenFlags (allStdenvs.stdenv // { inherit platform; }); stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal); stdenv = - if bootStdenv != null then (bootStdenv // {inherit platform;}) else + if bootStdenv != null then (stdenvAdapters.useHardenFlags bootStdenv // {inherit platform;}) else if crossSystem != null then stdenvCross else -- cgit 1.4.1
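Review bot: The two call sites wrap the stdenv differently — `useHardenFlags (allStdenvs.stdenv // { inherit platform; })` for `defaultStdenv` versus `useHardenFlags bootStdenv // {inherit platform;}` in the `bootStdenv` branch; both evaluate to the same thing, since the adapter only replaces `mkDerivation` and `// {inherit platform;}` does not touch it, but the mismatch reads as deliberate, so `if bootStdenv != null then stdenvAdapters.useHardenFlags (bootStdenv // { inherit platform; }) else` would be clearer. A second point deserves a comment here: anything applied after this adapter that rebuilds the stdenv or its `mkDerivation` (`stdenvCross` via `makeStdenvCross` on the line below, `overrideCC`, `stdenv.override`) keeps the hardened flags only if it delegates to the wrapped `mkDerivation`, and whether that holds cannot be seen in this hunk — a derivation built with an overridden compiler silently losing every hardening flag would be easy to miss. The `let` block continues outside the hunk.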