nixpkgs/pkgs/development/libraries/glibc/default.nix
Emily 8a837af302
Merge pull request #326819 from risicle/ris-shadowstack
cc-wrapper: add support for `shadowstack` hardening flag
2024-07-28 19:07:52 +01:00

186 lines
7.5 KiB
Nix

{ lib, stdenv, callPackage
, withLinuxHeaders ? true
, profilingLibraries ? false
, withGd ? false
, enableCET ? if stdenv.hostPlatform.isx86_64 then "permissive" else false
, enableCETRuntimeDefault ? false
, pkgsBuildBuild
, libgcc
}:
let
gdCflags = [
"-Wno-error=stringop-truncation"
"-Wno-error=missing-attributes"
"-Wno-error=array-bounds"
];
in
(callPackage ./common.nix { inherit stdenv; } {
inherit withLinuxHeaders withGd profilingLibraries enableCET enableCETRuntimeDefault;
pname = "glibc" + lib.optionalString withGd "-gd" + lib.optionalString (stdenv.cc.isGNU && libgcc==null) "-nolibgcc";
}).overrideAttrs(previousAttrs: {
# Note:
# Things you write here override, and do not add to,
# the values in `common.nix`.
# (For example, if you define `patches = [...]` here, it will
# override the patches in `common.nix` -- so instead you should
# write `patches = (previousAttrs.patches or []) ++ [ ... ]`.
NIX_NO_SELF_RPATH = true;
postConfigure = ''
# Hack: get rid of the `-static' flag set by the bootstrap stdenv.
# This has to be done *after* `configure' because it builds some
# test binaries.
export NIX_CFLAGS_LINK=
export NIX_LDFLAGS_BEFORE=
export NIX_DONT_SET_RPATH=1
unset CFLAGS
# Apparently --bindir is not respected.
makeFlagsArray+=("bindir=$bin/bin" "sbindir=$bin/sbin" "rootsbindir=$bin/sbin")
'';
# The pie, stackprotector and fortify hardening flags are autodetected by
# glibc and enabled by default if supported. Setting it for every gcc
# invocation does not work.
hardeningDisable = [ "fortify" "pie" "stackprotector" ];
env = (previousAttrs.env or { }) // {
NIX_CFLAGS_COMPILE = (previousAttrs.env.NIX_CFLAGS_COMPILE or "") + lib.concatStringsSep " "
(builtins.concatLists [
(lib.optionals withGd gdCflags)
# Fix -Werror build failure when building glibc with musl with GCC >= 8, see:
# https://github.com/NixOS/nixpkgs/pull/68244#issuecomment-544307798
(lib.optional stdenv.hostPlatform.isMusl "-Wno-error=attribute-alias")
(lib.optionals ((stdenv.hostPlatform != stdenv.buildPlatform) || stdenv.hostPlatform.isMusl) [
# Ignore "error: '__EI___errno_location' specifies less restrictive attributes than its target '__errno_location'"
# New warning as of GCC 9
# Same for musl: https://github.com/NixOS/nixpkgs/issues/78805
"-Wno-error=missing-attributes"
])
(lib.optionals (stdenv.hostPlatform.isPower64) [
# Do not complain about the Processor Specific ABI (i.e. the
# choice to use IEEE-standard `long double`). We pass this
# flag in order to mute a `-Werror=psabi` passed by glibc;
# hopefully future glibc releases will not pass that flag.
"-Wno-error=psabi"
])
]);
};
# glibc needs to `dlopen()` `libgcc_s.so` but does not link
# against it. Furthermore, glibc doesn't use the ordinary
# `dlopen()` call to do this; instead it uses one which ignores
# most paths:
#
# https://sourceware.org/legacy-ml/libc-help/2013-11/msg00026.html
#
# In order to get it to not ignore `libgcc_s.so`, we have to add its path to
# `user-defined-trusted-dirs`:
#
# https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/Makefile;h=b509b3eada1fb77bf81e2a0ca5740b94ad185764#l1355
#
# Conveniently, this will also inform Nix of the fact that glibc depends on
# gcc.libgcc, since the path will be embedded in the resulting binary.
#
makeFlags =
(previousAttrs.makeFlags or [])
++ lib.optionals (libgcc != null) [
"user-defined-trusted-dirs=${libgcc}/lib"
];
postInstall = previousAttrs.postInstall + (if stdenv.buildPlatform.canExecute stdenv.hostPlatform then ''
echo SUPPORTED-LOCALES=C.UTF-8/UTF-8 > ../glibc-2*/localedata/SUPPORTED
make -j''${NIX_BUILD_CORES:-1} localedata/install-locales
'' else lib.optionalString stdenv.buildPlatform.isLinux
# This is based on http://www.linuxfromscratch.org/lfs/view/development/chapter06/glibc.html
# Instead of using their patch to build a build-native localedef,
# we simply use the one from pkgsBuildBuild.
#
# Note that we can't use pkgsBuildHost (aka buildPackages) here, because
# that will cause an eval-time infinite recursion: "buildPackages.glibc
# depended on buildPackages.libgcc, which, since it's GCC, depends on the
# target's bintools, which depend on the target's glibc, which, again,
# depends on buildPackages.glibc, causing an infinute recursion when
# evaluating buildPackages.glibc when glibc hasn't come from stdenv
# (e.g. on musl)." https://github.com/NixOS/nixpkgs/pull/259964
''
pushd ../glibc-2*/localedata
export I18NPATH=$PWD GCONV_PATH=$PWD/../iconvdata
mkdir -p $NIX_BUILD_TOP/${pkgsBuildBuild.glibc}/lib/locale
${lib.getBin pkgsBuildBuild.glibc}/bin/localedef \
--alias-file=../intl/locale.alias \
-i locales/C \
-f charmaps/UTF-8 \
--prefix $NIX_BUILD_TOP \
${if stdenv.hostPlatform.parsed.cpu.significantByte.name == "littleEndian" then
"--little-endian"
else
"--big-endian"} \
C.UTF-8
cp -r $NIX_BUILD_TOP/${pkgsBuildBuild.glibc}/lib/locale $out/lib
popd
'') + ''
test -f $out/etc/ld.so.cache && rm $out/etc/ld.so.cache
if test -n "$linuxHeaders"; then
# Include the Linux kernel headers in Glibc, except the `scsi'
# subdirectory, which Glibc provides itself.
(cd $dev/include && \
ln -sv $(ls -d $linuxHeaders/include/* | grep -v scsi\$) .)
fi
# Fix for NIXOS-54 (ldd not working on x86_64). Make a symlink
# "lib64" to "lib".
if test -n "$is64bit"; then
ln -s lib $out/lib64
fi
# Get rid of more unnecessary stuff.
rm -rf $out/var $bin/bin/sln
# Backwards-compatibility to fix e.g.
# "configure: error: Pthreads are required to build libgomp" during `gcc`-build
# because it's not actually needed anymore to link against `pthreads` since
# it's now part of `libc.so.6` itself, but the gcc build breaks if
# this doesn't work.
ln -sf $out/lib/libpthread.so.0 $out/lib/libpthread.so
ln -sf $out/lib/librt.so.1 $out/lib/librt.so
ln -sf $out/lib/libdl.so.2 $out/lib/libdl.so
test -f $out/lib/libutil.so.1 && ln -sf $out/lib/libutil.so.1 $out/lib/libutil.so
touch $out/lib/libpthread.a
# Put libraries for static linking in a separate output. Note
# that libc_nonshared.a and libpthread_nonshared.a are required
# for dynamically-linked applications.
mkdir -p $static/lib
mv $out/lib/*.a $static/lib
mv $static/lib/lib*_nonshared.a $out/lib
# If libutil.so.1 is missing, libutil.a is required.
test -f $out/lib/libutil.so.1 || mv $static/lib/libutil.a $out/lib
# Some of *.a files are linker scripts where moving broke the paths.
sed "/^GROUP/s|$out/lib/lib|$static/lib/lib|g" \
-i "$static"/lib/*.a
# Work around a Nix bug: hard links across outputs cause a build failure.
cp $bin/bin/getconf $bin/bin/getconf_
mv $bin/bin/getconf_ $bin/bin/getconf
'';
separateDebugInfo = true;
passthru =
(previousAttrs.passthru or {})
// lib.optionalAttrs (libgcc != null) {
inherit libgcc;
};
meta = (previousAttrs.meta or {}) // { description = "GNU C Library"; };
})