mkDerivation: add support for fortify3 hardening flag

Robert Scott 2023-01-21 12:37:24 +00:00
parent a9a713c9ac
commit 3d453e2aee


@ -178,21 +178,29 @@ let
++ buildInputs ++ propagatedBuildInputs ++ buildInputs ++ propagatedBuildInputs
++ depsTargetTarget ++ depsTargetTargetPropagated) == 0; ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC; dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
hardeningDisable' = if lib.any (x: x == "fortify") hardeningDisable
# disabling fortify implies fortify3 should also be disabled
then lib.unique (hardeningDisable ++ [ "fortify3" ])
else hardeningDisable;
supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
# Musl-based platforms will keep "pie", other platforms will not. # Musl-based platforms will keep "pie", other platforms will not.
# If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}` # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
# in the nixpkgs manual to inform users about the defaults. # in the nixpkgs manual to inform users about the defaults.
defaultHardeningFlags = if stdenv.hostPlatform.isMusl && defaultHardeningFlags = let
# Except when: # not ready for this by default
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
# - static armv7l, where compilation fails. in if stdenv.hostPlatform.isMusl &&
!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic) # Except when:
then supportedHardeningFlags # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
else lib.remove "pie" supportedHardeningFlags; # - static armv7l, where compilation fails.
!(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
then supportedHardeningFlags'
else lib.remove "pie" supportedHardeningFlags';
enabledHardeningOptions = enabledHardeningOptions =
if builtins.elem "all" hardeningDisable if builtins.elem "all" hardeningDisable'
then [] then []
else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable); else lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable);
# hardeningDisable additionally supports "all". # hardeningDisable additionally supports "all".
erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable); erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);