From 1a5bd697adecf27385b69352485baa52a6e02fe9 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Mon, 2 Oct 2023 19:38:56 +0100 Subject: [PATCH] mkDerivation, bintools-wrapper: move defaultHardeningFlags determination to bintools-wrapper this makes it a lot easier to create a modified stdenv with a different set of defaultHardeningFlags and as a bonus allows us to inject the correct defaultHardeningFlags into toolchain wrapper scripts, reducing repetition. while most hardening flags are arguably more of a compiler thing, it works better to put them in bintools-wrapper because cc-wrapper can easily refer to bintools but not vice-versa. mkDerivation can still easily refer to either when it is constructed. this also switches fortran-hook.sh to use the same defaults for NIX_HARDENING_ENABLE as for C. previously NIX_HARDENING_ENABLE defaults were apparently used to avoid passing problematic flags to a fortran compiler, but this falls apart as soon as mkDerivation sets its own NIX_HARDENING_ENABLE - cc.hardeningUnsupportedFlags is a more appropriate mechanism for this as it actively filters out flags from being used by the wrapper, so switch to using that instead. this is still an imperfect mechanism because it doesn't handle a compiler which has both langFortran *and* langC very well - applying the superset of the two's hardeningUnsupportedFlags to either compiler's invocation. however this is nothing new - cc-wrapper already poorly handles a langFortran+langC compiler, applying two setup hooks that have contradictory options. --- .../bintools-wrapper/default.nix | 25 ++++++++++++++++ .../bintools-wrapper/setup-hook.sh | 2 +- .../build-support/cc-wrapper/add-hardening.sh | 2 +- pkgs/build-support/cc-wrapper/default.nix | 5 ++++ pkgs/build-support/cc-wrapper/fortran-hook.sh | 3 +- pkgs/build-support/cc-wrapper/setup-hook.sh | 2 +- pkgs/development/compilers/gcc/default.nix | 5 ++-- pkgs/stdenv/generic/make-derivation.nix | 29 ++++++++++--------- 8 files changed, 53 insertions(+), 20 deletions(-) diff --git a/pkgs/build-support/bintools-wrapper/default.nix b/pkgs/build-support/bintools-wrapper/default.nix index 525b44fe0480..31be230a67ad 100644 --- a/pkgs/build-support/bintools-wrapper/default.nix +++ b/pkgs/build-support/bintools-wrapper/default.nix @@ -33,6 +33,28 @@ , useMacosReexportHack ? false , wrapGas ? false +# Note: the hardening flags are part of the bintools-wrapper, rather than +# the cc-wrapper, because a few of them are handled by the linker. +, defaultHardeningFlags ? with stdenvNoCC; [ + "bindnow" + "format" + "fortify" + "fortify3" + "pic" + "relro" + "stackprotector" + "strictoverflow" + ] ++ lib.optional ( + # Musl-based platforms will keep "pie", other platforms will not. + # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}` + # in the nixpkgs manual to inform users about the defaults. + targetPlatform.libc == "musl" + # Except when: + # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. + # - static armv7l, where compilation fails. + && !(hostPlatform.isAarch && hostPlatform.isStatic) + ) "pie" + # Darwin code signing support utilities , postLinkSignHook ? null, signingUtils ? null }: @@ -124,6 +146,8 @@ stdenv.mkDerivation { (setenv "NIX_LDFLAGS_${suffixSalt}" (concat (getenv "NIX_LDFLAGS_${suffixSalt}") " -L" arg "/lib64")))) '(${concatStringsSep " " (map (pkg: "\"${pkg}\"") pkgs)})) ''; + + inherit defaultHardeningFlags; }; dontBuild = true; @@ -380,6 +404,7 @@ stdenv.mkDerivation { wrapperName = "BINTOOLS_WRAPPER"; inherit dynamicLinker targetPrefix suffixSalt coreutils_bin; inherit bintools_bin libc_bin libc_dev libc_lib; + default_hardening_flags_str = builtins.toString defaultHardeningFlags; }; meta = diff --git a/pkgs/build-support/bintools-wrapper/setup-hook.sh b/pkgs/build-support/bintools-wrapper/setup-hook.sh index 7e9547b96c25..c146cbea80e4 100644 --- a/pkgs/build-support/bintools-wrapper/setup-hook.sh +++ b/pkgs/build-support/bintools-wrapper/setup-hook.sh @@ -65,7 +65,7 @@ do done # If unset, assume the default hardening flags. -: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} +: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"} export NIX_HARDENING_ENABLE # No local scope in sourced file diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index 8cd63e460951..2eae278da160 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then fi if (( "${NIX_DEBUG:-0}" >= 1 )); then - declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format) + declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format) declare -A hardeningDisableMap=() # Determine which flags were effectively disabled so we can report below. diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 539c29a0a774..56075a032971 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -218,6 +218,8 @@ let then guess else null; + defaultHardeningFlags = bintools.defaultHardeningFlags or []; + darwinPlatformForCC = optionalString stdenv.targetPlatform.isDarwin ( if (targetPlatform.darwinPlatform == "macos" && isGNU) then "macosx" else targetPlatform.darwinPlatform @@ -271,6 +273,8 @@ stdenv.mkDerivation { inherit expand-response-params; inherit nixSupport; + + inherit defaultHardeningFlags; }; dontBuild = true; @@ -706,6 +710,7 @@ stdenv.mkDerivation { inherit suffixSalt coreutils_bin bintools; inherit libc_bin libc_dev libc_lib; inherit darwinPlatformForCC darwinMinVersion darwinMinVersionVariable; + default_hardening_flags_str = builtins.toString defaultHardeningFlags; }; meta = diff --git a/pkgs/build-support/cc-wrapper/fortran-hook.sh b/pkgs/build-support/cc-wrapper/fortran-hook.sh index d72f314c01ce..02da7fd0dc34 100644 --- a/pkgs/build-support/cc-wrapper/fortran-hook.sh +++ b/pkgs/build-support/cc-wrapper/fortran-hook.sh @@ -4,8 +4,7 @@ getTargetRoleWrapper export FC${role_post}=@named_fc@ # If unset, assume the default hardening flags. -# These are different for fortran. -: ${NIX_HARDENING_ENABLE="stackprotector pic strictoverflow relro bindnow"} +: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"} export NIX_HARDENING_ENABLE unset -v role_post diff --git a/pkgs/build-support/cc-wrapper/setup-hook.sh b/pkgs/build-support/cc-wrapper/setup-hook.sh index 9326d76e2a8f..33a2b62a49b0 100644 --- a/pkgs/build-support/cc-wrapper/setup-hook.sh +++ b/pkgs/build-support/cc-wrapper/setup-hook.sh @@ -111,7 +111,7 @@ export CC${role_post}=@named_cc@ export CXX${role_post}=@named_cxx@ # If unset, assume the default hardening flags. -: ${NIX_HARDENING_ENABLE="fortify fortify3 stackprotector pic strictoverflow format relro bindnow"} +: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"} export NIX_HARDENING_ENABLE # No local scope in sourced file diff --git a/pkgs/development/compilers/gcc/default.nix b/pkgs/development/compilers/gcc/default.nix index eef6faf26424..e0ca04a13878 100644 --- a/pkgs/development/compilers/gcc/default.nix +++ b/pkgs/development/compilers/gcc/default.nix @@ -406,8 +406,9 @@ lib.pipe ((callFile ./common/builder.nix {}) ({ passthru = { inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD langJava version; isGNU = true; - } // lib.optionalAttrs (!atLeast12) { - hardeningUnsupportedFlags = lib.optionals is48 [ "stackprotector" ] ++ [ "fortify3" ]; + hardeningUnsupportedFlags = lib.optional is48 "stackprotector" + ++ lib.optional (!atLeast12) "fortify3" + ++ lib.optionals (langFortran) [ "fortify" "format" ]; }; enableParallelBuilding = true; diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix index faa83507893f..78e3f87daabe 100644 --- a/pkgs/stdenv/generic/make-derivation.nix +++ b/pkgs/stdenv/generic/make-derivation.nix @@ -239,23 +239,26 @@ let # disabling fortify implies fortify3 should also be disabled then unique (hardeningDisable ++ [ "fortify3" ]) else hardeningDisable; - supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ]; - # Musl-based platforms will keep "pie", other platforms will not. - # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}` - # in the nixpkgs manual to inform users about the defaults. - defaultHardeningFlags = if stdenv.hostPlatform.isMusl && - # Except when: - # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. - # - static armv7l, where compilation fails. - !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic) - then supportedHardeningFlags - else remove "pie" supportedHardeningFlags; + knownHardeningFlags = [ + "bindnow" + "format" + "fortify" + "fortify3" + "pic" + "pie" + "relro" + "stackprotector" + "strictoverflow" + ]; + defaultHardeningFlags = stdenv.cc.defaultHardeningFlags or + # fallback safe-ish set of flags + (remove "pie" knownHardeningFlags); enabledHardeningOptions = if builtins.elem "all" hardeningDisable' then [] else subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable); # hardeningDisable additionally supports "all". - erroneousHardeningFlags = subtractLists supportedHardeningFlags (hardeningEnable ++ remove "all" hardeningDisable); + erroneousHardeningFlags = subtractLists knownHardeningFlags (hardeningEnable ++ remove "all" hardeningDisable); checkDependencyList = checkDependencyList' []; checkDependencyList' = positions: name: deps: flip imap1 deps (index: dep: @@ -264,7 +267,7 @@ let else throw "Dependency is not of a valid type: ${concatMapStrings (ix: "element ${toString ix} of ") ([index] ++ positions)}${name} for ${attrs.name or attrs.pname}"); in if builtins.length erroneousHardeningFlags != 0 then abort ("mkDerivation was called with unsupported hardening flags: " + lib.generators.toPretty {} { - inherit erroneousHardeningFlags hardeningDisable hardeningEnable supportedHardeningFlags; + inherit erroneousHardeningFlags hardeningDisable hardeningEnable knownHardeningFlags; }) else let doCheck = doCheck';