nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-04-14 13:19:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #212498 from risicle/ris-fortify3

Browse Source 
hardening flags: add `FORTIFY_SOURCE=3` support
This commit is contained in:
Robert Scott 2023-02-16 21:19:30 +00:00 committed by GitHub
commit 0eedcfc3f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 78 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
pkgs/build-support/cc-wrapper/add-hardening.sh
View File

@ -12,8 +12,17 @@ done
# Remove unsupported flags.
for flag in @hardening_unsupported_flags@; do
unset -v "hardeningEnableMap[$flag]"
# fortify being unsupported implies fortify3 is unsupported
if [[ "$flag" = 'fortify' ]] ; then
unset -v "hardeningEnableMap['fortify3']"
fi
done
# make fortify and fortify3 mutually exclusive
if [[ -z "${hardeningEnableMap[fortify3]-}" ]]; then
unset -v "hardeningEnableMap['fortify']"
fi
if (( "${NIX_DEBUG:-0}" >= 1 )); then
declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
declare -A hardeningDisableMap=()
@ -36,11 +45,23 @@ fi
for flag in "${!hardeningEnableMap[@]}"; do
case $flag in
fortify)
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
fortify | fortify3)
# Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
# set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE' '-D_FORTIFY_SOURCE=2')
hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
case $flag in
fortify)
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
;;
fortify3)
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
;;
*)
# Ignore unsupported.
;;
esac
;;
stackprotector)
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi

1
pkgs/development/compilers/gcc/10/default.nix
View File

@ -271,6 +271,7 @@ stdenv.mkDerivation ({
passthru = {
inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
enableParallelBuilding = true;

1
pkgs/development/compilers/gcc/11/default.nix
View File

@ -280,6 +280,7 @@ stdenv.mkDerivation ({
passthru = {
inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
enableParallelBuilding = true;

2
pkgs/development/compilers/gcc/4.8/default.nix
View File

@ -297,7 +297,7 @@ stdenv.mkDerivation ({
passthru = {
inherit langC langCC langObjC langObjCpp langFortran langGo version;
isGNU = true;
hardeningUnsupportedFlags = [ "stackprotector" ];
hardeningUnsupportedFlags = [ "stackprotector" "fortify3" ];
};
enableParallelBuilding = true;

1
pkgs/development/compilers/gcc/4.9/default.nix
View File

@ -317,6 +317,7 @@ stdenv.mkDerivation ({
passthru = {
inherit langC langCC langObjC langObjCpp langFortran langGo version;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
enableParallelBuilding = true;

1
pkgs/development/compilers/gcc/6/default.nix
View File

@ -338,6 +338,7 @@ stdenv.mkDerivation ({
passthru = {
inherit langC langCC langObjC langObjCpp langFortran langAda langGo version;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
enableParallelBuilding = true;

1
pkgs/development/compilers/gcc/7/default.nix
View File

@ -278,6 +278,7 @@ stdenv.mkDerivation ({
passthru = {
inherit langC langCC langObjC langObjCpp langFortran langGo version;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
enableParallelBuilding = true;

1
pkgs/development/compilers/gcc/8/default.nix
View File

@ -254,6 +254,7 @@ stdenv.mkDerivation ({
passthru = {
inherit langC langCC langObjC langObjCpp langFortran langGo version;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
enableParallelBuilding = true;

1
pkgs/development/compilers/gcc/9/default.nix
View File

@ -268,6 +268,7 @@ stdenv.mkDerivation ({
passthru = {
inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
enableParallelBuilding = true;

3
pkgs/development/compilers/llvm/10/clang/default.nix
View File

@ -91,8 +91,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/11/clang/default.nix
View File

@ -96,8 +96,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/12/clang/default.nix
View File

@ -90,8 +90,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/13/clang/default.nix
View File

@ -84,8 +84,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/14/clang/default.nix
View File

@ -87,8 +87,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/5/clang/default.nix
View File

@ -84,8 +84,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/6/clang/default.nix
View File

@ -84,8 +84,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/7/clang/default.nix
View File

@ -96,8 +96,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/8/clang/default.nix
View File

@ -102,8 +102,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/9/clang/default.nix
View File

@ -97,8 +97,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/compilers/llvm/git/clang/default.nix
View File

@ -88,8 +88,9 @@ let
'';
passthru = {
isClang = true;
inherit libllvm;
isClang = true;
hardeningUnsupportedFlags = [ "fortify3" ];
};
meta = llvm_meta // {

3
pkgs/development/libraries/acl/default.nix
View File

@ -19,6 +19,9 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ gettext ];
buildInputs = [ attr ];
# causes failures in coreutils test suite
hardeningDisable = [ "fortify3" ];
# Upstream use C++-style comments in C code. Remove them.
# This comment breaks compilation if too strict gcc flags are used.
patchPhase = ''

1
pkgs/development/libraries/libffi/default.nix
View File

@ -44,6 +44,7 @@ stdenv.mkDerivation rec {
preCheck = ''
# The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify3/}
NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
'';

28
pkgs/stdenv/generic/make-derivation.nix
View File

@ -186,21 +186,29 @@ let
++ buildInputs ++ propagatedBuildInputs
++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
hardeningDisable' = if lib.any (x: x == "fortify") hardeningDisable
# disabling fortify implies fortify3 should also be disabled
then lib.unique (hardeningDisable ++ [ "fortify3" ])
else hardeningDisable;
supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
# Musl-based platforms will keep "pie", other platforms will not.
# If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
# in the nixpkgs manual to inform users about the defaults.
defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
# Except when:
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
# - static armv7l, where compilation fails.
!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
then supportedHardeningFlags
else lib.remove "pie" supportedHardeningFlags;
defaultHardeningFlags = let
# not ready for this by default
supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
in if stdenv.hostPlatform.isMusl &&
# Except when:
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
# - static armv7l, where compilation fails.
!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
then supportedHardeningFlags'
else lib.remove "pie" supportedHardeningFlags';
enabledHardeningOptions =
if builtins.elem "all" hardeningDisable
if builtins.elem "all" hardeningDisable'
then []
else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable);
else lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable);
# hardeningDisable additionally supports "all".
erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);

1
pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
View File

@ -15,4 +15,5 @@ derivation ({
langC = true;
langCC = true;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
} // extraAttrs)

1
pkgs/stdenv/linux/bootstrap-tools/default.nix
View File

@ -15,4 +15,5 @@ derivation ({
langC = true;
langCC = true;
isGNU = true;
hardeningUnsupportedFlags = [ "fortify3" ];
} // extraAttrs)