From ad9d37f1127b58b321f999fcf6bd6aa839868d2a Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Wed, 5 Jun 2024 23:08:07 +0100 Subject: [PATCH 1/4] doc/stdenv: hardening flags: add note on conditional support for some flags (cherry picked from commit a8062e526cb6448373b95028c4f91800ba108662) --- doc/stdenv/stdenv.chapter.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md index f3cdb1f2dc0c..368e7be93825 100644 --- a/doc/stdenv/stdenv.chapter.md +++ b/doc/stdenv/stdenv.chapter.md @@ -1558,6 +1558,8 @@ Both parameters take a list of flags as strings. The special `"all"` flag can be For more in-depth information on these hardening flags and hardening in general, refer to the [Debian Wiki](https://wiki.debian.org/Hardening), [Ubuntu Wiki](https://wiki.ubuntu.com/Security/Features), [Gentoo Wiki](https://wiki.gentoo.org/wiki/Project:Hardened), and the [Arch Wiki](https://wiki.archlinux.org/title/Security). +Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don't support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the `NIX_DEBUG` environment variable can be used. + ### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default} The following flags are enabled by default and might require disabling with `hardeningDisable` if the program to package is incompatible. From 083ccd97bedc1fb27710b80afb03f48c5f8ea91f Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Wed, 5 Jun 2024 23:08:47 +0100 Subject: [PATCH 2/4] doc/stdenv: hardening flags: add section on fortify3 (cherry picked from commit 65cc6d3cf151552de1a5ed2868daea3c8e4aa5bc) --- doc/stdenv/stdenv.chapter.md | 10 ++++++++++ 1 file changed, 10 insertions(+) 
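Review bot: the new note in the hunk at line 1558 says `NIX_DEBUG` "can be used" but never says how or what to look for; tell the reader which value to set and where the output appears, e.g. "set `NIX_DEBUG=1` in the build environment and the compiler wrapper prints, per invocation, which hardening flags it enabled and which were disabled". The "silently ignore" sentence would also benefit from spelling out the consequence: a flag listed in `hardeningEnable` may be a no-op on a given compiler/arch/libc combination, so a package should not be treated as hardened merely because the flag was requested; the `NIX_DEBUG` output is the way to confirm it actually took effect.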
diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md index 368e7be93825..a331ceb689ec 100644 --- a/doc/stdenv/stdenv.chapter.md +++ b/doc/stdenv/stdenv.chapter.md @@ -1609,6 +1609,16 @@ installwatch.c:3751:5: error: conflicting types for '__open_2' fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments ``` +Disabling `fortify` implies disablement of `fortify3` + +#### `fortify3` {#fortify3} + +Adds the `-O2 -D_FORTIFY_SOURCE=3` compiler options. This expands the cases that can be protected by fortify-checks to include some situations with dynamic-length buffers whose length can be inferred at runtime using compiler hints. + +Enabling this flag implies enablement of `fortify`. Disabling this flag does not imply disablement of `fortify`. + +This flag can sometimes conflict with a build-system's own attempts at enabling fortify support and result in errors complaining about `redefinition of _FORTIFY_SOURCE`. + #### `pic` {#pic} Adds the `-fPIC` compiler options. This options adds support for position independent code in shared libraries and thus making ASLR possible. From c9278a568c958643ed9b1d2649ae1ca37217c8b4 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Wed, 5 Jun 2024 23:09:12 +0100 Subject: [PATCH 3/4] doc/stdenv: hardening flags: add section on zerocallusedregs (cherry picked from commit 39f39b5568c34b2b40681cdb021c04cd6ae3bbef) --- doc/stdenv/stdenv.chapter.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md index a331ceb689ec..93ddeff7d016 100644 --- a/doc/stdenv/stdenv.chapter.md +++ b/doc/stdenv/stdenv.chapter.md 
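Review bot: "Disabling `fortify` implies disablement of `fortify3`" is missing its trailing period and sits as a bare line at the end of the `fortify` section; attach it to the surrounding prose or give it a full sentence. In the `fortify3` section, "compiler hints" is vague: the mechanism that `_FORTIFY_SOURCE=3` adds is `__builtin_dynamic_object_size`, which lets the check cover buffers whose size is only known at runtime (for example one sized by a `malloc` argument), so name it. The `redefinition of _FORTIFY_SOURCE` paragraph states the symptom but not the remedy; add that the usual fix is `hardeningDisable = [ "fortify3" ]` (or stopping the build system from defining `_FORTIFY_SOURCE` itself), matching the `hardeningDisable` guidance the `fortify` section already gives. Finally, inserting the section between `fortify` and `pic` places it under "Hardening flags enabled by default" while the text itself never says whether `fortify3` is on by default; state it explicitly so the placement and the wrapper's defaults cannot drift apart unnoticed.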
@@ -1667,6 +1667,10 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option. If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`. +#### `zerocallusedregs` {#zerocallusedregs} + +Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call. + [^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation. [^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`. [^footnote-stdenv-propagated-dependencies]: Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency. From 7992a461e44a507ec5ecaef18709e5671ba2b842 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Wed, 5 Jun 2024 23:09:30 +0100 Subject: [PATCH 4/4] doc/stdenv: hardening flags: add section on trivialautovarinit (cherry picked from commit 062f1fa52a8aaf303889bda44c57b4fdba2911b1) --- doc/stdenv/stdenv.chapter.md | 6 ++++++ 1 file changed, 6 insertions(+) 
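Review bot: the description of `-fzero-call-used-regs=used-gpr` in the hunk at line 1667 is inaccurate: `used-gpr` zeroes only the call-used general-purpose registers that the function actually used, whereas "the general-purpose registers that an architecture's calling convention considers call-used" describes the `all-gpr` variant. Suggest "zeroes, on return, those call-used general-purpose registers the function itself wrote to". A one-line caveat is also worth adding: the zeroing happens only in code compiled with the flag, so hand-written assembly and libraries built without it still leave register contents behind, which matters for the ROP-gadget and data-leakage claims. As with `fortify3`, the section does not say whether the flag is enabled by default; since this lands after `pie` at the end of the flag list, readers will infer the default from the parent heading, so state it.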
diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md index 93ddeff7d016..f2bc7f71de38 100644 --- a/doc/stdenv/stdenv.chapter.md +++ b/doc/stdenv/stdenv.chapter.md 
@@ -1671,6 +1671,12 @@ If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`. Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call. +#### `trivialautovarinit` {#trivialautovarinit} + +Adds the `-ftrivial-auto-var-init=pattern` compiler option. This causes "trivially-initializable" uninitialized stack variables to be forcibly initialized with a nonzero value that is likely to cause a crash (and therefore be noticed). Uninitialized variables generally take on their values based on fragments of previous program state, and attackers can carefully manipulate that state to craft malicious initial values for these variables. + +Use of this flag is controversial as it can prevent tools that detect uninitialized variable use (such as valgrind) from operating correctly. + [^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation. [^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`. [^footnote-stdenv-propagated-dependencies]: Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency.
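Review bot: "a nonzero value that is likely to cause a crash" overstates what `-ftrivial-auto-var-init=pattern` does: the fill pattern is chosen so that misusing the value as a pointer faults and misusing it as a size or index is conspicuous, but an uninitialized `int` simply receives a deterministic garbage value, not a crash. Reword to "a fixed, non-zero bit pattern chosen so that misuse (especially dereferencing it as a pointer) is likely to fault and be noticed". The Valgrind sentence has the mechanism backwards: the tools keep working, but because the variables are now initialized at the binary level the uninitialized-read bugs no longer exist for Valgrind (or MemorySanitizer) to report, so the flag masks such bugs rather than preventing the tools "from operating correctly"; say that, and capitalize Valgrind. It would also help packagers to note that "stack variables" here means automatic variables without an explicit initializer, since that is what "trivially-initializable" is standing in for.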