cc-wrapper: add support for pacret hardening flag on aarch64
parent
cc7b011fe1
commit
48bde3a189
@ -265,6 +265,8 @@
|
||||
|
||||
- The `stackclashprotection` hardening flag has been added, though disabled by default.
|
||||
|
||||
- The `pacret` hardening flag has been added, though disabled by default.
|
||||
|
||||
- `cargoSha256` in `rustPlatform.buildRustPackage` has been deprecated in favor
|
||||
of `cargoHash` which supports SRI hashes. See
|
||||
[buildRustPackage: Compiling Rust applications with Cargo](https://nixos.org/manual/nixpkgs/unstable/#compiling-rust-applications-with-cargo)
|
||||
|
@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
|
||||
fi
|
||||
|
||||
if (( "${NIX_DEBUG:-0}" >= 1 )); then
|
||||
declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)
|
||||
declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
|
||||
declare -A hardeningDisableMap=()
|
||||
|
||||
# Determine which flags were effectively disabled so we can report below.
|
||||
@ -79,6 +79,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
|
||||
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling shadowstack >&2; fi
|
||||
hardeningCFlagsBefore+=('-fcf-protection=return')
|
||||
;;
|
||||
pacret)
|
||||
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pacret >&2; fi
|
||||
hardeningCFlagsBefore+=('-mbranch-protection=pac-ret')
|
||||
;;
|
||||
stackprotector)
|
||||
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
|
||||
hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
|
||||
|
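Review bot: The new `pacret)` arm appends `-mbranch-protection=pac-ret` with no comment on why it is safe to do so unconditionally in this script, which checks neither the target architecture nor the compiler version; from the rest of the commit that gating appears to live in the compilers' `hardeningUnsupportedFlags` lists. A one-line comment above the arm, `# pac-ret: sign/authenticate return addresses; aarch64-only, other targets list pacret in hardeningUnsupportedFlags`, would spare the next reader a search. As I understand it the PAC instructions this emits sit in the HINT space and behave as NOPs on cores without PAC, which is worth stating because the flag name reads like a hard hardware requirement. The enclosing `case` and `for flag` loop start outside the hunk.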
@ -437,6 +437,7 @@ pipe ((callFile ./common/builder.nix {}) ({
|
||||
&& targetPlatform.isx86_64
|
||||
&& targetPlatform.libc == "glibc"
|
||||
)) "shadowstack"
|
||||
++ optional (!(atLeast9 && targetPlatform.isLinux && targetPlatform.isAarch64)) "pacret"
|
||||
++ optionals (langFortran) [ "fortify" "format" ];
|
||||
};
|
||||
|
||||
|
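Review bot: The added `++ optional (!(atLeast9 && targetPlatform.isLinux && targetPlatform.isAarch64)) "pacret"` gives no reason for the `atLeast9` floor, whereas the neighbouring shadowstack entry at least explains itself through its `libc == "glibc"` term. `-mbranch-protection=` arrived in GCC 9 for AArch64, so the floor looks right; a comment such as `# -mbranch-protection= is GCC >= 9 only; unlike shadowstack, pac-ret needs no libc support` would record that. Whether the `isLinux` restriction is required is not visible here, and if it was copied from shadowstack's CET requirement it may be stricter than pac-ret needs, so a short note on the reason would help. The `hardeningUnsupportedFlags` expression this appends to starts outside the hunk.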
@ -143,6 +143,11 @@ let
|
||||
|| !targetPlatform.isLinux
|
||||
|| !targetPlatform.isx86_64
|
||||
) "shadowstack"
|
||||
++ lib.optional (
|
||||
(lib.versionOlder release_version "8")
|
||||
|| !targetPlatform.isAarch64
|
||||
|| !targetPlatform.isLinux
|
||||
) "pacret"
|
||||
++ lib.optional (
|
||||
(lib.versionOlder release_version "11")
|
||||
|| (targetPlatform.isAarch64 && (lib.versionOlder release_version "18.1"))
|
||||
|
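Review bot: The version floor in the new `pacret` entry, `(lib.versionOlder release_version "8")`, looks one release too low: as far as I recall clang gained `-mbranch-protection=` in release 9, with clang 8 only offering the older `-msign-return-address=`, so a clang 8 wrapper with pacret enabled may pass a flag the driver rejects — please confirm against the clang history before keeping `"8"`. The GCC entry in this commit uses `atLeast9`, so `"9"` would also make the two floors read consistently. Whichever value stays, a comment beside it such as `# -mbranch-protection= needs clang >= <version>` would document the choice. The `hardeningUnsupportedFlags` list this appends to starts outside the hunk.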
@ -116,6 +116,7 @@ let
|
||||
"fortify"
|
||||
"fortify3"
|
||||
"shadowstack"
|
||||
"pacret"
|
||||
"pic"
|
||||
"pie"
|
||||
"relro"
|
||||
|
@ -18,6 +18,7 @@ derivation ({
|
||||
hardeningUnsupportedFlags = [
|
||||
"fortify3"
|
||||
"shadowstack"
|
||||
"pacret"
|
||||
"stackclashprotection"
|
||||
"trivialautovarinit"
|
||||
"zerocallusedregs"
|
||||
|
@ -323,6 +323,7 @@ let
|
||||
stdenv = super'.withDefaultHardeningFlags (
|
||||
super'.stdenv.cc.defaultHardeningFlags ++ [
|
||||
"shadowstack"
|
||||
"pacret"
|
||||
"stackclashprotection"
|
||||
"trivialautovarinit"
|
||||
]
|
||||
|