stdenv: Fix regression on ARM+static when enabling hardening (#115363)
4e9dc46dea re-enabled hardening for Musl, which is good. Though static builds for ARM fail in various ways:
- cross armv7l static does not build
- cross aarch64 static produces segfaulting dynamically linked binaries
- native aarch64 static also produces segfaulting dynamically linked binaries

It seems that for native x86_64-linux, static builds are fine though. This works around the issue by removing PIE from the hardening flags, keeping all other hardening flags. This is an improvement (I think) from before 4e9dc46d.

Fixes #114953
parent
924b214e05
commit
76552e95cc
@ -106,7 +106,12 @@ in rec {
|
||||
++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
|
||||
dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || (stdenv.noCC or false);
|
||||
supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
|
||||
defaultHardeningFlags = if stdenv.hostPlatform.isMusl
|
||||
# Musl-based platforms will keep "pie", other platforms will not.
|
||||
defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
|
||||
# Except when:
|
||||
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
|
||||
# - static armv7l, where compilation fails.
|
||||
!((stdenv.hostPlatform.isAarch64 || stdenv.hostPlatform.isAarch32) && stdenv.hostPlatform.isStatic)
|
||||
then supportedHardeningFlags
|
||||
else lib.remove "pie" supportedHardeningFlags;
|
||||
enabledHardeningOptions =
|
||||
|
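Review bot: The new exception `!((stdenv.hostPlatform.isAarch64 || stdenv.hostPlatform.isAarch32) && stdenv.hostPlatform.isStatic)` removes "pie" for every static ARM Musl target, while the comments name only aarch64 and armv7l; `isAarch32` presumably also matches other 32-bit ARM variants that were not reported as failing, so confirm that the wider scope is intended. Without PIE the main executable is mapped at a fixed address, so these builds lose address-space randomisation for their own image while keeping the other flags, and nothing in the code tells a maintainer when the workaround can go away. I would add a tracking comment above the condition, for example `# TODO: re-enable "pie" for static ARM once the segfault/build failure is fixed, see #114953`, and state in the first comment that the exception trades PIE for a working build. The enclosing `rec` attribute set starts and ends outside this hunk.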