Merge pull request #135619 from r-burns/fpie-musl-fixes

[staging] {cc,binutils}-wrapper: fixes for PIE hardening
2021-09-23 17:55:08 -07:00 · 2021-09-23 17:55:08 -07:00 · 16728283c3
parent da64747b37 a41b83c0ff
commit 16728283c3
5 changed files with 10 additions and 13 deletions
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@ -37,7 +37,11 @@ fi
 for flag in "${!hardeningEnableMap[@]}"; do
  case $flag in
    pie)
-      if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static " || "$*" =~ " -r " || "$*" =~ " -Ur " || "$*" =~ " -i ") ]]; then
+      if [[ ! (" $* " =~ " -shared " \
+            || " $* " =~ " -static " \
+            || " $* " =~ " -r " \
+            || " $* " =~ " -Ur " \
+            || " $* " =~ " -i ") ]]; then
        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
        hardeningLDFlags+=('-pie')
      fi
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -45,11 +45,12 @@ for flag in "${!hardeningEnableMap[@]}"; do
      hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
      ;;
    pie)
+      # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-      hardeningCFlags+=('-fPIE')
-      if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+      hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+      if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then
        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-        hardeningCFlags+=('-pie')
+        hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
      fi
      ;;
    pic)
--- a/pkgs/development/interpreters/python/cpython/default.nix
+++ b/pkgs/development/interpreters/python/cpython/default.nix
@ -45,9 +45,7 @@
 # enableLTO is a subset of the enableOptimizations flag that doesn't harm reproducibility.
 # enabling LTO on 32bit arch causes downstream packages to fail when linking
 # enabling LTO on *-darwin causes python3 to fail when linking.
-# enabling LTO with musl and dynamic linking fails with a linker error although it should
-# be possible as alpine is doing it: https://github.com/alpinelinux/aports/blob/a8ccb04668c7729e0f0db6c6ff5f25d7519e779b/main/python3/APKBUILD#L82
-, enableLTO ? stdenv.is64bit && stdenv.isLinux && !(stdenv.hostPlatform.isMusl && !stdenv.hostPlatform.isStatic)
+, enableLTO ? stdenv.is64bit && stdenv.isLinux
 , reproducibleBuild ? false
 , pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
 }:
--- a/pkgs/development/libraries/glib/default.nix
+++ b/pkgs/development/libraries/glib/default.nix
@ -134,8 +134,6 @@ stdenv.mkDerivation rec {
    "-DG_DISABLE_CAST_CHECKS"
  ];

-  hardeningDisable = [ "pie" ];
-
  postPatch = ''
    chmod +x gio/tests/gengiotypefuncs.py
    patchShebangs gio/tests/gengiotypefuncs.py
--- a/pkgs/development/libraries/libiscsi/default.nix
+++ b/pkgs/development/libraries/libiscsi/default.nix
@ -13,10 +13,6 @@ stdenv.mkDerivation rec {

  nativeBuildInputs = [ autoreconfHook ];

-  # This can be removed after >=1.20.0, or if the build suceeds with
-  # pie enabled (default on Musl).
-  hardeningDisable = [ "pie" ];
-
  # This problem is gone on libiscsi master.
  NIX_CFLAGS_COMPILE =
    lib.optional stdenv.hostPlatform.is32bit "-Wno-error=sign-compare";