Merge pull request #212498 from risicle/ris-fortify3

hardening flags: add `FORTIFY_SOURCE=3` support
2023-02-16 21:19:30 +00:00 · 2023-02-16 21:19:30 +00:00 · 0eedcfc3f4
parent 8997f4a4db 4e49c5d2e3
commit 0eedcfc3f4
25 changed files with 78 additions and 25 deletions
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -12,8 +12,17 @@ done
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
  unset -v "hardeningEnableMap[$flag]"
+  # fortify being unsupported implies fortify3 is unsupported
+  if [[ "$flag" = 'fortify' ]] ; then
+    unset -v "hardeningEnableMap['fortify3']"
+  fi
 done

+# make fortify and fortify3 mutually exclusive
+if [[ -z "${hardeningEnableMap[fortify3]-}" ]]; then
+  unset -v "hardeningEnableMap['fortify']"
+fi
+
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
  declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
  declare -A hardeningDisableMap=()
@ -36,11 +45,23 @@ fi

 for flag in "${!hardeningEnableMap[@]}"; do
  case $flag in
-    fortify)
-      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+    fortify | fortify3)
      # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
      # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE' '-D_FORTIFY_SOURCE=2')
+      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+      case $flag in
+        fortify)
+          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
+          hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+        ;;
+        fortify3)
+          if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
+          hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+        ;;
+        *)
+          # Ignore unsupported.
+          ;;
+      esac
      ;;
    stackprotector)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
--- a/pkgs/development/compilers/gcc/10/default.nix
+++ b/pkgs/development/compilers/gcc/10/default.nix
@ -271,6 +271,7 @@ stdenv.mkDerivation ({
  passthru = {
    inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
    isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
  };

  enableParallelBuilding = true;
--- a/pkgs/development/compilers/gcc/11/default.nix
+++ b/pkgs/development/compilers/gcc/11/default.nix
@ -280,6 +280,7 @@ stdenv.mkDerivation ({
  passthru = {
    inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
    isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
  };

  enableParallelBuilding = true;
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@ -297,7 +297,7 @@ stdenv.mkDerivation ({
  passthru = {
    inherit langC langCC langObjC langObjCpp langFortran langGo version;
    isGNU = true;
-    hardeningUnsupportedFlags = [ "stackprotector" ];
+    hardeningUnsupportedFlags = [ "stackprotector" "fortify3" ];
  };

  enableParallelBuilding = true;
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@ -317,6 +317,7 @@ stdenv.mkDerivation ({
  passthru = {
    inherit langC langCC langObjC langObjCpp langFortran langGo version;
    isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
  };

  enableParallelBuilding = true;
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@ -338,6 +338,7 @@ stdenv.mkDerivation ({
  passthru = {
    inherit langC langCC langObjC langObjCpp langFortran langAda langGo version;
    isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
  };

  enableParallelBuilding = true;
--- a/pkgs/development/compilers/gcc/7/default.nix
+++ b/pkgs/development/compilers/gcc/7/default.nix
@ -278,6 +278,7 @@ stdenv.mkDerivation ({
  passthru = {
    inherit langC langCC langObjC langObjCpp langFortran langGo version;
    isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
  };

  enableParallelBuilding = true;
--- a/pkgs/development/compilers/gcc/8/default.nix
+++ b/pkgs/development/compilers/gcc/8/default.nix
@ -254,6 +254,7 @@ stdenv.mkDerivation ({
  passthru = {
    inherit langC langCC langObjC langObjCpp langFortran langGo version;
    isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
  };

  enableParallelBuilding = true;
--- a/pkgs/development/compilers/gcc/9/default.nix
+++ b/pkgs/development/compilers/gcc/9/default.nix
@ -268,6 +268,7 @@ stdenv.mkDerivation ({
  passthru = {
    inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD version;
    isGNU = true;
+    hardeningUnsupportedFlags = [ "fortify3" ];
  };

  enableParallelBuilding = true;
--- a/pkgs/development/compilers/llvm/10/clang/default.nix
+++ b/pkgs/development/compilers/llvm/10/clang/default.nix
@ -91,8 +91,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/11/clang/default.nix
+++ b/pkgs/development/compilers/llvm/11/clang/default.nix
@ -96,8 +96,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/12/clang/default.nix
+++ b/pkgs/development/compilers/llvm/12/clang/default.nix
@ -90,8 +90,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/13/clang/default.nix
+++ b/pkgs/development/compilers/llvm/13/clang/default.nix
@ -84,8 +84,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/14/clang/default.nix
+++ b/pkgs/development/compilers/llvm/14/clang/default.nix
@ -87,8 +87,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/5/clang/default.nix
+++ b/pkgs/development/compilers/llvm/5/clang/default.nix
@ -84,8 +84,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/6/clang/default.nix
+++ b/pkgs/development/compilers/llvm/6/clang/default.nix
@ -84,8 +84,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/7/clang/default.nix
+++ b/pkgs/development/compilers/llvm/7/clang/default.nix
@ -96,8 +96,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/8/clang/default.nix
+++ b/pkgs/development/compilers/llvm/8/clang/default.nix
@ -102,8 +102,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/9/clang/default.nix
+++ b/pkgs/development/compilers/llvm/9/clang/default.nix
@ -97,8 +97,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/compilers/llvm/git/clang/default.nix
+++ b/pkgs/development/compilers/llvm/git/clang/default.nix
@ -88,8 +88,9 @@ let
    '';

    passthru = {
-      isClang = true;
      inherit libllvm;
+      isClang = true;
+      hardeningUnsupportedFlags = [ "fortify3" ];
    };

    meta = llvm_meta // {
--- a/pkgs/development/libraries/acl/default.nix
+++ b/pkgs/development/libraries/acl/default.nix
@ -19,6 +19,9 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ gettext ];
  buildInputs = [ attr ];

+  # causes failures in coreutils test suite
+  hardeningDisable = [ "fortify3" ];
+
  # Upstream use C++-style comments in C code. Remove them.
  # This comment breaks compilation if too strict gcc flags are used.
  patchPhase = ''
--- a/pkgs/development/libraries/libffi/default.nix
+++ b/pkgs/development/libraries/libffi/default.nix
@ -44,6 +44,7 @@ stdenv.mkDerivation rec {

  preCheck = ''
    # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
+    NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify3/}
    NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
  '';

--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@ -186,21 +186,29 @@ let
                                  ++ buildInputs ++ propagatedBuildInputs
                                  ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
  dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
-  supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+
+  hardeningDisable' = if lib.any (x: x == "fortify") hardeningDisable
+    # disabling fortify implies fortify3 should also be disabled
+    then lib.unique (hardeningDisable ++ [ "fortify3" ])
+    else hardeningDisable;
+  supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
  # Musl-based platforms will keep "pie", other platforms will not.
  # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
  # in the nixpkgs manual to inform users about the defaults.
-  defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
-                            # Except when:
-                            #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
-                            #    - static armv7l, where compilation fails.
-                            !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
-                          then supportedHardeningFlags
-                          else lib.remove "pie" supportedHardeningFlags;
+  defaultHardeningFlags = let
+    # not ready for this by default
+    supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
+  in if stdenv.hostPlatform.isMusl &&
+      # Except when:
+      #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
+      #    - static armv7l, where compilation fails.
+      !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
+    then supportedHardeningFlags'
+    else lib.remove "pie" supportedHardeningFlags';
  enabledHardeningOptions =
-    if builtins.elem "all" hardeningDisable
+    if builtins.elem "all" hardeningDisable'
    then []
-    else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable);
+    else lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable);
  # hardeningDisable additionally supports "all".
  erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable);

--- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
@ -15,4 +15,5 @@ derivation ({
  langC = true;
  langCC = true;
  isGNU = true;
+  hardeningUnsupportedFlags = [ "fortify3" ];
 } // extraAttrs)
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@ -15,4 +15,5 @@ derivation ({
  langC = true;
  langCC = true;
  isGNU = true;
+  hardeningUnsupportedFlags = [ "fortify3" ];
 } // extraAttrs)