mkDerivation, bintools-wrapper: move defaultHardeningFlags determination to bintools-wrapper

this makes it a lot easier to create a modified stdenv with a
different set of defaultHardeningFlags and as a bonus allows us
to inject the correct defaultHardeningFlags into toolchain wrapper
scripts, reducing repetition.

while most hardening flags are arguably more of a compiler thing,
it works better to put them in bintools-wrapper because cc-wrapper
can easily refer to bintools but not vice-versa.

mkDerivation can still easily refer to either when it is constructed.

this also switches fortran-hook.sh to use the same defaults for
NIX_HARDENING_ENABLE as for C. previously the NIX_HARDENING_ENABLE
defaults were apparently used to avoid passing problematic flags
to a fortran compiler, but this falls apart as soon as mkDerivation
sets its own NIX_HARDENING_ENABLE. cc.hardeningUnsupportedFlags
is a more appropriate mechanism for this, as it actively filters
such flags out of the wrapper's invocation, so switch to using that
instead.

this is still an imperfect mechanism because it doesn't handle a
compiler which has both langFortran *and* langC very well - applying
the superset of the two's hardeningUnsupportedFlags to either
compiler's invocation. however this is nothing new - cc-wrapper
already poorly handles a langFortran+langC compiler, applying two
setup hooks that have contradictory options.
This commit is contained in:
Robert Scott 2023-10-02 19:38:56 +01:00
parent 229cde6757
commit 1a5bd697ad
8 changed files with 53 additions and 20 deletions


@ -33,6 +33,28 @@
, useMacosReexportHack ? false , useMacosReexportHack ? false
, wrapGas ? false , wrapGas ? false
# Note: the hardening flags are part of the bintools-wrapper, rather than
# the cc-wrapper, because a few of them are handled by the linker.
, defaultHardeningFlags ? with stdenvNoCC; [
"bindnow"
"format"
"fortify"
"fortify3"
"pic"
"relro"
"stackprotector"
"strictoverflow"
] ++ lib.optional (
# Musl-based platforms will keep "pie", other platforms will not.
# If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
# in the nixpkgs manual to inform users about the defaults.
targetPlatform.libc == "musl"
# Except when:
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
# - static armv7l, where compilation fails.
&& !(hostPlatform.isAarch && hostPlatform.isStatic)
) "pie"
# Darwin code signing support utilities # Darwin code signing support utilities
, postLinkSignHook ? null, signingUtils ? null , postLinkSignHook ? null, signingUtils ? null
}: }:
@ -124,6 +146,8 @@ stdenv.mkDerivation {
(setenv "NIX_LDFLAGS_${suffixSalt}" (concat (getenv "NIX_LDFLAGS_${suffixSalt}") " -L" arg "/lib64")))) (setenv "NIX_LDFLAGS_${suffixSalt}" (concat (getenv "NIX_LDFLAGS_${suffixSalt}") " -L" arg "/lib64"))))
'(${concatStringsSep " " (map (pkg: "\"${pkg}\"") pkgs)})) '(${concatStringsSep " " (map (pkg: "\"${pkg}\"") pkgs)}))
''; '';
inherit defaultHardeningFlags;
}; };
dontBuild = true; dontBuild = true;
@ -380,6 +404,7 @@ stdenv.mkDerivation {
wrapperName = "BINTOOLS_WRAPPER"; wrapperName = "BINTOOLS_WRAPPER";
inherit dynamicLinker targetPrefix suffixSalt coreutils_bin; inherit dynamicLinker targetPrefix suffixSalt coreutils_bin;
inherit bintools_bin libc_bin libc_dev libc_lib; inherit bintools_bin libc_bin libc_dev libc_lib;
default_hardening_flags_str = builtins.toString defaultHardeningFlags;
}; };
meta = meta =
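Review bot: The new default mixes platforms: the musl test at `targetPlatform.libc == "musl"` looks at the wrapper's target, while the exception right below it, `!(hostPlatform.isAarch && hostPlatform.isStatic)`, looks at the wrapper's host. The mkDerivation code this replaces tested `stdenv.hostPlatform` for both, which from mkDerivation's point of view is the platform the produced binaries run on, i.e. this wrapper's target; as far as I can tell a cross bintools-wrapper hosted on a static aarch machine would now drop "pie" for an unrelated target, and one hosted elsewhere would keep it for a static aarch target. If the target is intended, `&& !(targetPlatform.isAarch && targetPlatform.isStatic)` restores the previous semantics; if the host really is meant, a comment saying why would help. It is also worth noting on the parameter that the list ends up in `default_hardening_flags_str` via `builtins.toString`, so entries must be plain, space-free strings.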


@ -65,7 +65,7 @@ do
done done
# If unset, assume the default hardening flags. # If unset, assume the default hardening flags.
: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} : ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"}
export NIX_HARDENING_ENABLE export NIX_HARDENING_ENABLE
# No local scope in sourced file # No local scope in sourced file


@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
fi fi
if (( "${NIX_DEBUG:-0}" >= 1 )); then if (( "${NIX_DEBUG:-0}" >= 1 )); then
declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format)
declare -A hardeningDisableMap=() declare -A hardeningDisableMap=()
# Determine which flags were effectively disabled so we can report below. # Determine which flags were effectively disabled so we can report below.


@ -218,6 +218,8 @@ let
then guess then guess
else null; else null;
defaultHardeningFlags = bintools.defaultHardeningFlags or [];
darwinPlatformForCC = optionalString stdenv.targetPlatform.isDarwin ( darwinPlatformForCC = optionalString stdenv.targetPlatform.isDarwin (
if (targetPlatform.darwinPlatform == "macos" && isGNU) then "macosx" if (targetPlatform.darwinPlatform == "macos" && isGNU) then "macosx"
else targetPlatform.darwinPlatform else targetPlatform.darwinPlatform
@ -271,6 +273,8 @@ stdenv.mkDerivation {
inherit expand-response-params; inherit expand-response-params;
inherit nixSupport; inherit nixSupport;
inherit defaultHardeningFlags;
}; };
dontBuild = true; dontBuild = true;
@ -706,6 +710,7 @@ stdenv.mkDerivation {
inherit suffixSalt coreutils_bin bintools; inherit suffixSalt coreutils_bin bintools;
inherit libc_bin libc_dev libc_lib; inherit libc_bin libc_dev libc_lib;
inherit darwinPlatformForCC darwinMinVersion darwinMinVersionVariable; inherit darwinPlatformForCC darwinMinVersion darwinMinVersionVariable;
default_hardening_flags_str = builtins.toString defaultHardeningFlags;
}; };
meta = meta =
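Review bot: `defaultHardeningFlags = bintools.defaultHardeningFlags or [];` fails open: a bintools that does not carry the attribute (anything not produced by bintools-wrapper) makes `default_hardening_flags_str` empty, so the setup hook's `: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"}` default turns every hardening flag off without any diagnostic. Because the cc-wrapper then always exposes the attribute, mkDerivation's `stdenv.cc.defaultHardeningFlags or (remove "pie" knownHardeningFlags)` fallback in the later hunk never engages for a wrapped compiler, so the two fallbacks disagree and the conservative one is effectively unreachable. Consider mirroring mkDerivation's conservative fallback here instead, or at least surfacing the condition, e.g. `defaultHardeningFlags = lib.warnIf (!(bintools ? defaultHardeningFlags)) "cc-wrapper: bintools exposes no defaultHardeningFlags, hardening defaults are empty" (bintools.defaultHardeningFlags or []);`. A short comment stating which callers the `or []` is meant to cover would also help.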


@ -4,8 +4,7 @@ getTargetRoleWrapper
export FC${role_post}=@named_fc@ export FC${role_post}=@named_fc@
# If unset, assume the default hardening flags. # If unset, assume the default hardening flags.
# These are different for fortran. : ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"}
: ${NIX_HARDENING_ENABLE="stackprotector pic strictoverflow relro bindnow"}
export NIX_HARDENING_ENABLE export NIX_HARDENING_ENABLE
unset -v role_post unset -v role_post
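Review bot: With this hunk the fortran hook relies entirely on the compiler's `hardeningUnsupportedFlags` to strip fortify and format, which in this commit is only populated by gcc's `passthru`; a Fortran frontend wrapped without that attribute now receives the C defaults that the removed `# These are different for fortran.` default deliberately avoided. Whether such a combination exists in the tree I cannot tell from the diff, but a comment at the new default line would make the dependency explicit, e.g. `# Same defaults as C; flags the Fortran compiler cannot take are filtered out via cc.hardeningUnsupportedFlags.`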


@ -111,7 +111,7 @@ export CC${role_post}=@named_cc@
export CXX${role_post}=@named_cxx@ export CXX${role_post}=@named_cxx@
# If unset, assume the default hardening flags. # If unset, assume the default hardening flags.
: ${NIX_HARDENING_ENABLE="fortify fortify3 stackprotector pic strictoverflow format relro bindnow"} : ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"}
export NIX_HARDENING_ENABLE export NIX_HARDENING_ENABLE
# No local scope in sourced file # No local scope in sourced file


@ -406,8 +406,9 @@ lib.pipe ((callFile ./common/builder.nix {}) ({
passthru = { passthru = {
inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD langJava version; inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD langJava version;
isGNU = true; isGNU = true;
} // lib.optionalAttrs (!atLeast12) { hardeningUnsupportedFlags = lib.optional is48 "stackprotector"
hardeningUnsupportedFlags = lib.optionals is48 [ "stackprotector" ] ++ [ "fortify3" ]; ++ lib.optional (!atLeast12) "fortify3"
++ lib.optionals (langFortran) [ "fortify" "format" ];
}; };
enableParallelBuilding = true; enableParallelBuilding = true;
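Review bot: The `langFortran` arm of `hardeningUnsupportedFlags` gives no hint why fortify and format are excluded, and the fortran hook comment that used to carry that knowledge is deleted in this same commit. A one-line comment above `++ lib.optionals (langFortran) [ "fortify" "format" ]`, e.g. `# fortify and format are not applicable to Fortran compilations (adjust to the real reason)`, would keep the rationale discoverable. The parentheses around `langFortran` are also unnecessary next to the two bare conditions above it.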


@ -239,23 +239,26 @@ let
# disabling fortify implies fortify3 should also be disabled # disabling fortify implies fortify3 should also be disabled
then unique (hardeningDisable ++ [ "fortify3" ]) then unique (hardeningDisable ++ [ "fortify3" ])
else hardeningDisable; else hardeningDisable;
supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ]; knownHardeningFlags = [
# Musl-based platforms will keep "pie", other platforms will not. "bindnow"
# If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}` "format"
# in the nixpkgs manual to inform users about the defaults. "fortify"
defaultHardeningFlags = if stdenv.hostPlatform.isMusl && "fortify3"
# Except when: "pic"
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. "pie"
# - static armv7l, where compilation fails. "relro"
!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic) "stackprotector"
then supportedHardeningFlags "strictoverflow"
else remove "pie" supportedHardeningFlags; ];
defaultHardeningFlags = stdenv.cc.defaultHardeningFlags or
# fallback safe-ish set of flags
(remove "pie" knownHardeningFlags);
enabledHardeningOptions = enabledHardeningOptions =
if builtins.elem "all" hardeningDisable' if builtins.elem "all" hardeningDisable'
then [] then []
else subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable); else subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable);
# hardeningDisable additionally supports "all". # hardeningDisable additionally supports "all".
erroneousHardeningFlags = subtractLists supportedHardeningFlags (hardeningEnable ++ remove "all" hardeningDisable); erroneousHardeningFlags = subtractLists knownHardeningFlags (hardeningEnable ++ remove "all" hardeningDisable);
checkDependencyList = checkDependencyList' []; checkDependencyList = checkDependencyList' [];
checkDependencyList' = positions: name: deps: flip imap1 deps (index: dep: checkDependencyList' = positions: name: deps: flip imap1 deps (index: dep:
@ -264,7 +267,7 @@ let
else throw "Dependency is not of a valid type: ${concatMapStrings (ix: "element ${toString ix} of ") ([index] ++ positions)}${name} for ${attrs.name or attrs.pname}"); else throw "Dependency is not of a valid type: ${concatMapStrings (ix: "element ${toString ix} of ") ([index] ++ positions)}${name} for ${attrs.name or attrs.pname}");
in if builtins.length erroneousHardeningFlags != 0 in if builtins.length erroneousHardeningFlags != 0
then abort ("mkDerivation was called with unsupported hardening flags: " + lib.generators.toPretty {} { then abort ("mkDerivation was called with unsupported hardening flags: " + lib.generators.toPretty {} {
inherit erroneousHardeningFlags hardeningDisable hardeningEnable supportedHardeningFlags; inherit erroneousHardeningFlags hardeningDisable hardeningEnable knownHardeningFlags;
}) })
else let else let
doCheck = doCheck'; doCheck = doCheck';
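Review bot: Now that `defaultHardeningFlags` is supplied from outside via `stdenv.cc.defaultHardeningFlags`, nothing checks that its members are in `knownHardeningFlags`; a modified stdenv with a misspelt default would pass straight through `enabledHardeningOptions` into NIX_HARDENING_ENABLE, where the wrappers presumably ignore unknown names, so the flag is silently not applied. The existing validation at `erroneousHardeningFlags` only covers `hardeningEnable` and `hardeningDisable`. Extending it is a one-line change, `erroneousHardeningFlags = subtractLists knownHardeningFlags (hardeningEnable ++ remove "all" hardeningDisable ++ defaultHardeningFlags);`, or, since the abort message speaks of mkDerivation's call, a separate `assert lib.all (f: builtins.elem f knownHardeningFlags) defaultHardeningFlags;` with its own message. The `# fallback safe-ish set of flags` comment could also say when the fallback is actually reached (a cc without the attribute, such as stdenvNoCC), since a wrapped cc always carries one after this commit.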