nixpkgs/pkgs/test
Maximilian Bosch aaeeef5b6c
stdenv: fix custom hardening settings when using __structuredAttrs = true;
Replaces / Closes #353131

A while ago `postgresql` switched to using structured attrs[1]. In the
PR it was reported that this made postgresql notably slower when
importing SQL dumps[2].

After a bit of debugging it turned out that the hardening was entirely
missing and the following combination of settings was the culprit:

    hardeningEnable = [ "pie" ];
    __structuredAttrs = true;

I.e. the combination of custom hardening settings and structured attrs.

What happened here is that internally the default and enabled hardening
flags get written into `NIX_HARDENING_ENABLE`. However, the value is a list
and the setting is not in the `env` section. This means that in the
structured-attrs case we get something like

    declare -ax NIX_HARDENING_ENABLE=([0]="bindnow" [1]="format" [2]="fortify" [3]="fortify3" [4]="pic" [5]="relro" [6]="stackprotector" [7]="strictoverflow" [8]="zerocallusedregs" [9]="pie")

i.e. an actual array rather than a string with all hardening flags being
space-separated which is what the hardening code of the cc-wrapper
expects[3].

This only happens if `hardeningEnable` or `hardeningDisable` are
explicitly set by a derivation: if none of those are set,
`NIX_HARDENING_ENABLE` won't be set by `stdenv.mkDerivation` and the
default hardening flags are configured by the setup hook of the
cc-wrapper[4].

In other words, this _only_ applies to derivations that have both custom
hardening settings _and_ `__structuredAttrs = true;`.

All values of `NIX_HARDENING_ENABLE` are well-known, so we don't have to
worry about escaping issues. Just forcing it to a string by
concatenating the list every time solves the issue without additional
issues like eval errors when inheriting `env` from a structuredAttrs
derivation[5]. The price we're paying is a full rebuild.

[1] https://github.com/NixOS/nixpkgs/pull/294504
[2] https://github.com/NixOS/nixpkgs/pull/294504#issuecomment-2451482522
[3] cf3e5d3744/pkgs/build-support/cc-wrapper/add-hardening.sh (L9)
[4] cf3e5d3744/pkgs/build-support/cc-wrapper/setup-hook.sh (L114)
[5] 1e84a7fb95
2024-11-02 22:30:01 +01:00
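The array-versus-string difference the commit describes, as an added bash demonstration (not nixpkgs code): a hypothetical child-process consumer standing in for the wrapped compiler counts the flags it can see, once with NIX_HARDENING_ENABLE exported as an array and once as a concatenated string, plus two helpers for the in-process expansion trap. The flag list and all function names are constructed for the example.

```shell
# Added demonstration (not nixpkgs code): how a bash array differs from the
# space-separated string the hardening code expects.

# Hypothetical consumer in a child process (stands in for the wrapped
# compiler): word-splits NIX_HARDENING_ENABLE from its environment and
# reports how many hardening flags it can see.
flags_seen_by_child() {
  bash -c 'set -- ${NIX_HARDENING_ENABLE-}; echo "$#"'
}

# Case 1: the list arrives as a real bash array. Bash does not export
# arrays into a child's environment, so the child sees no flags at all.
flags_with_array() {
  (
    declare -ax NIX_HARDENING_ENABLE=([0]="bindnow" [1]="format" [2]="pie")  # constructed
    flags_seen_by_child
  )
}

# Case 2: the list concatenated into one string (the fix) is exported like
# any scalar, and the child sees every flag.
flags_with_string() {
  (
    export NIX_HARDENING_ENABLE="bindnow format pie"  # constructed
    flags_seen_by_child
  )
}

# In-process trap: "$arr" on an array expands to element 0 only, so a
# consumer in the same shell would silently keep just the first flag ...
first_flag_only() {
  local -a flags=(bindnow format pie)  # constructed
  echo "$flags"
}

# ... whereas "${arr[*]}" joins all elements with spaces, which is the
# string form the consumer expects.
joined_flags() {
  local -a flags=(bindnow format pie)  # constructed
  echo "${flags[*]}"
}
```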
auto-patchelf-hook auto-patchelf: fix test for hook 2024-09-11 19:29:39 +02:00
build-environment-info tests.build-environment-info: add more information 2024-10-29 19:42:46 +00:00
buildFHSEnv
cc-wrapper stdenv: fix custom hardening settings when using __structuredAttrs = true; 2024-11-02 22:30:01 +01:00
check-by-name nixpkgs-vet: update CI, docs, and release to 0.1.4 2024-09-03 13:53:25 -07:00
checkpointBuild
coq
cross tests.cross.sanity: Add GHC to catch regressions 2024-09-08 23:50:05 +02:00
cuda tests.cuda.cudaPackages: remove __attrsFailEvaluation since the attrset evaluates 2024-07-17 11:49:13 -07:00
cue
dhall treewide: remove unused lib (and other) arguments 2024-07-26 11:18:09 +02:00
dotnet tests.dotnet: add test for supported nugetDeps values 2024-09-06 16:47:36 -03:00
haskell tests.haskell.cabalSdist: Prevent rebuilds when Nix files change 2024-08-25 04:59:11 +02:00
hooks
install-shell-files installShellFiles: migrate tests to tests subdirectory 2024-08-28 18:51:06 -03:00
ld-library-path
make-binary-wrapper treewide: replace stdenv.is with stdenv.hostPlatform.is 2024-09-25 00:04:37 +03:00
make-hardcode-gsettings-patch
make-wrapper
nixos-functions tests.nixos-functions: don’t omit derivations on non‐Linux 2024-10-29 19:42:46 +00:00
php
release treewide: replace stdenv.is with stdenv.hostPlatform.is 2024-09-25 00:04:37 +03:00
replace-vars replaceVars: init 2024-08-07 07:27:50 -07:00
simple
stdenv Merge branch 'master' into staging-next 2024-09-25 06:05:01 +03:00
stdenv-inputs treewide: replace stdenv.is with stdenv.hostPlatform.is 2024-09-25 00:04:37 +03:00
substitute
systemd pkgs/test: fix silent failures when using runTests 2024-06-04 02:45:36 +02:00
texlive treewide: replace stdenv.is with stdenv.hostPlatform.is 2024-09-25 00:04:37 +03:00
top-level
vim treewide: remove unused lib (and other) arguments 2024-07-26 11:18:09 +02:00
config.nix
default.nix tests/srcOnly: init (#347548) 2024-11-01 09:13:09 -07:00
kernel.nix tests.kernel-config: remove 'with lib;' 2024-08-16 16:09:03 +02:00
overriding.nix buildGoModule: fix overrideAttrs overriding 2024-08-11 13:38:11 +08:00