diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index b23fda1fed756..3a7513a9f0137 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -12,8 +12,17 @@ done
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
   unset -v "hardeningEnableMap[$flag]"
+  # fortify being unsupported implies fortify3 is unsupported
+  if [[ "$flag" = 'fortify' ]] ; then
+    unset -v "hardeningEnableMap['fortify3']"
+  fi
 done
 
+# make fortify and fortify3 mutually exclusive
+if [[ -z "${hardeningEnableMap[fortify3]-}" ]]; then
+  unset -v "hardeningEnableMap['fortify']"
+fi
+
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
   declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
   declare -A hardeningDisableMap=()
@@ -36,11 +45,23 @@ fi
 
 for flag in "${!hardeningEnableMap[@]}"; do
   case $flag in
-    fortify)
-      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+    fortify | fortify3)
       # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
       # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE' '-D_FORTIFY_SOURCE=2')
+      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+      case $flag in
+        fortify)
+          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+          hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+          ;;
+        fortify3)
+          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
+          hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+          ;;
+        *)
+          # Ignore unsupported.
+          ;;
+      esac
       ;;
     stackprotector)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
diff --git a/pkgs/development/compilers/gcc/10/default.nix b/pkgs/development/compilers/gcc/10/default.nix
index 1a0a6e4b0d0ec..7bee124d797f3 100644
--- a/pkgs/development/compilers/gcc/10/default.nix
+++ b/pkgs/development/compilers/gcc/10/default.nix
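Review bot: The mutual-exclusion guard added in the first hunk is inverted: `-z` is true when `hardeningEnableMap[fortify3]` is unset, so `fortify` is removed precisely when `fortify3` was *not* requested, and because the make-derivation.nix hunk keeps `fortify3` out of the default flags this would silently strip fortify from every ordinary build. The test should read `if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then`, which drops `fortify` only when `fortify3` is actually enabled. The `allHardeningFlags` list on the NIX_DEBUG context line below was also not extended with `fortify3`, so the debug listing presumably built from it will never mention the new flag.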
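Review bot: The inner `*)` arm with `# Ignore unsupported.` in the second hunk is unreachable, since the enclosing arm `fortify | fortify3)` admits only those two values; either drop it or reword the comment to say it exists only to keep the nested `case` exhaustive, e.g. `# unreachable: outer arm only matches fortify and fortify3`. The loop over `hardeningEnableMap` continues past the end of the hunk.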
@@ -269,6 +269,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/11/default.nix b/pkgs/development/compilers/gcc/11/default.nix
index 20da9a97aa5c3..024cd3e7f8307 100644
--- a/pkgs/development/compilers/gcc/11/default.nix
+++ b/pkgs/development/compilers/gcc/11/default.nix
@@ -275,6 +275,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix
index 810706ed0f3dc..b3a16b18bced7 100644
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@@ -283,7 +283,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langGo version;
     isGNU = true;
-    hardeningUnsupportedFlags = [ "stackprotector" ];
+    hardeningUnsupportedFlags = [ "stackprotector" "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index e25af867e5374..ba2dadb05e949 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -303,6 +303,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langGo version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
index fcb667b2413f3..42969b28605fa 100644
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@@ -321,6 +321,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langAda langGo version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/7/default.nix b/pkgs/development/compilers/gcc/7/default.nix
index bb6a6b66a20f0..9118adaab0067 100644
--- a/pkgs/development/compilers/gcc/7/default.nix
+++ b/pkgs/development/compilers/gcc/7/default.nix
@@ -276,6 +276,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langGo version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/8/default.nix b/pkgs/development/compilers/gcc/8/default.nix
index d4cd1f5aadc95..2ea7a51b64d41 100644
--- a/pkgs/development/compilers/gcc/8/default.nix
+++ b/pkgs/development/compilers/gcc/8/default.nix
@@ -253,6 +253,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langFortran langGo version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/gcc/9/default.nix b/pkgs/development/compilers/gcc/9/default.nix
index 248a92a2965a0..9c9fdd35b29db 100644
--- a/pkgs/development/compilers/gcc/9/default.nix
+++ b/pkgs/development/compilers/gcc/9/default.nix
@@ -267,6 +267,7 @@ stdenv.mkDerivation ({
   passthru = {
     inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
     isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/llvm/10/clang/default.nix b/pkgs/development/compilers/llvm/10/clang/default.nix
index 0f3c943b527ea..37292e0405201 100644
--- a/pkgs/development/compilers/llvm/10/clang/default.nix
+++ b/pkgs/development/compilers/llvm/10/clang/default.nix
@@ -91,8 +91,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/11/clang/default.nix b/pkgs/development/compilers/llvm/11/clang/default.nix
index fa8080c998fb8..9108392129d72 100644
--- a/pkgs/development/compilers/llvm/11/clang/default.nix
+++ b/pkgs/development/compilers/llvm/11/clang/default.nix
@@ -96,8 +96,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/12/clang/default.nix b/pkgs/development/compilers/llvm/12/clang/default.nix
index ed99f4fe7bc90..5fa4f2e920c72 100644
--- a/pkgs/development/compilers/llvm/12/clang/default.nix
+++ b/pkgs/development/compilers/llvm/12/clang/default.nix
@@ -90,8 +90,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/13/clang/default.nix b/pkgs/development/compilers/llvm/13/clang/default.nix
index 056a1b7e0f0db..bc09187c33acb 100644
--- a/pkgs/development/compilers/llvm/13/clang/default.nix
+++ b/pkgs/development/compilers/llvm/13/clang/default.nix
@@ -84,8 +84,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/14/clang/default.nix b/pkgs/development/compilers/llvm/14/clang/default.nix
index 55d879fb76e4c..b4cadbe8ca380 100644
--- a/pkgs/development/compilers/llvm/14/clang/default.nix
+++ b/pkgs/development/compilers/llvm/14/clang/default.nix
@@ -87,8 +87,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/5/clang/default.nix b/pkgs/development/compilers/llvm/5/clang/default.nix
index 57d6fe6ae7f88..5cccbc44cb4a2 100644
--- a/pkgs/development/compilers/llvm/5/clang/default.nix
+++ b/pkgs/development/compilers/llvm/5/clang/default.nix
@@ -84,8 +84,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/6/clang/default.nix b/pkgs/development/compilers/llvm/6/clang/default.nix
index 1b37efe3f08ee..104baeafd10eb 100644
--- a/pkgs/development/compilers/llvm/6/clang/default.nix
+++ b/pkgs/development/compilers/llvm/6/clang/default.nix
@@ -84,8 +84,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/7/clang/default.nix b/pkgs/development/compilers/llvm/7/clang/default.nix
index d146e5b5f8156..5c40ba1439600 100644
--- a/pkgs/development/compilers/llvm/7/clang/default.nix
+++ b/pkgs/development/compilers/llvm/7/clang/default.nix
@@ -96,8 +96,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/8/clang/default.nix b/pkgs/development/compilers/llvm/8/clang/default.nix
index bc2ed03eed90a..e00bc1c319ae0 100644
--- a/pkgs/development/compilers/llvm/8/clang/default.nix
+++ b/pkgs/development/compilers/llvm/8/clang/default.nix
@@ -102,8 +102,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/9/clang/default.nix b/pkgs/development/compilers/llvm/9/clang/default.nix
index 7819676e33a8b..fa9cabf367110 100644
--- a/pkgs/development/compilers/llvm/9/clang/default.nix
+++ b/pkgs/development/compilers/llvm/9/clang/default.nix
@@ -97,8 +97,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/compilers/llvm/git/clang/default.nix b/pkgs/development/compilers/llvm/git/clang/default.nix
index 8f2663b7e896c..35d196b4b6e3b 100644
--- a/pkgs/development/compilers/llvm/git/clang/default.nix
+++ b/pkgs/development/compilers/llvm/git/clang/default.nix
@@ -88,8 +88,9 @@ let
   '';
 
   passthru = {
-    isClang = true;
     inherit libllvm;
+    isClang = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
   };
 
   meta = llvm_meta // {
diff --git a/pkgs/development/libraries/acl/default.nix b/pkgs/development/libraries/acl/default.nix
index 1ac577e19cdb8..5b31ba3a1c850 100644
--- a/pkgs/development/libraries/acl/default.nix
+++ b/pkgs/development/libraries/acl/default.nix
@@ -19,6 +19,9 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ gettext ];
   buildInputs = [ attr ];
 
+  # causes failures in coreutils test suite
+  hardeningDisable = [ "fortify3" ];
+
   # Upstream use C++-style comments in C code. Remove them.
   # This comment breaks compilation if too strict gcc flags are used.
   patchPhase = ''
diff --git a/pkgs/development/libraries/libffi/default.nix b/pkgs/development/libraries/libffi/default.nix
index 2031f175eab86..681f9cbfb2297 100644
--- a/pkgs/development/libraries/libffi/default.nix
+++ b/pkgs/development/libraries/libffi/default.nix
@@ -44,6 +44,7 @@ stdenv.mkDerivation rec {
 
   preCheck = ''
     # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
+    NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify3/}
     NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
   '';
 
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 517cfc03aea5f..0e37fb6625547 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
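Review bot: The order of the two substitutions in libffi's `preCheck` is load-bearing but undocumented: `${NIX_HARDENING_ENABLE/fortify/}` run first would turn `fortify3` into a stray `3`, which is why the new `fortify3` line has to precede the existing one. A one-line comment such as `# strip fortify3 before fortify, otherwise removing "fortify" from "fortify3" leaves a dangling "3"` would keep a later edit from reordering them. Note also that `${var/pat/}` removes only the first occurrence, which is fine as long as each flag appears at most once in NIX_HARDENING_ENABLE.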
@@ -178,21 +178,29 @@ let
       ++ buildInputs ++ propagatedBuildInputs ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
   dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
 
-  supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+
+  hardeningDisable' = if lib.any (x: x == "fortify") hardeningDisable
+    # disabling fortify implies fortify3 should also be disabled
+    then lib.unique (hardeningDisable ++ [ "fortify3" ])
+    else hardeningDisable;
+  supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
   # Musl-based platforms will keep "pie", other platforms will not.
   # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
   # in the nixpkgs manual to inform users about the defaults.
-  defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
-    # Except when:
-    # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
-    # - static armv7l, where compilation fails.
-    !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
-    then supportedHardeningFlags
-    else lib.remove "pie" supportedHardeningFlags;
+  defaultHardeningFlags = let
+    # not ready for this by default
+    supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
+  in if stdenv.hostPlatform.isMusl &&
+    # Except when:
+    # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
+    # - static armv7l, where compilation fails.
+    !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
+    then supportedHardeningFlags'
+    else lib.remove "pie" supportedHardeningFlags';
   enabledHardeningOptions =
-    if builtins.elem "all" hardeningDisable
+    if builtins.elem "all" hardeningDisable'
     then []
-    else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable);
+    else lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable);
   # hardeningDisable additionally supports "all".
   erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);
diff --git a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
index d690f40267217..569f0c6f31e2f 100644
--- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
@@ -15,4 +15,5 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
+  hardeningUnsupportedFlags = [ "fortify3" ];
 } // extraAttrs)
diff --git a/pkgs/stdenv/linux/bootstrap-tools/default.nix b/pkgs/stdenv/linux/bootstrap-tools/default.nix
index d690f40267217..569f0c6f31e2f 100644
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@@ -15,4 +15,5 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
+  hardeningUnsupportedFlags = [ "fortify3" ];
 } // extraAttrs)
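Review bot: `lib.any (x: x == "fortify") hardeningDisable` in the make-derivation.nix hunk is a roundabout spelling of `lib.elem "fortify" hardeningDisable`, and `enabledHardeningOptions` a few lines below already uses `builtins.elem`; using the same form keeps the block consistent and reads as the membership test it is. The comment `# not ready for this by default` above `supportedHardeningFlags'` does not say what is missing; naming the reason (which toolchain or libc support it is waiting on) would tell the next maintainer when the default can be lifted. The existing comment above `defaultHardeningFlags` asks for manual section `{#sec-hardening-in-nixpkgs}` to be updated whenever this changes, and no manual change is visible in this diff — if it was not done elsewhere, `fortify3` and the rule that `hardeningDisable = [ "fortify" ]` also disables it should be documented there.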