qemu: re-enable stack protection

[alyssais]

Motivation for this change

5e25995 ("qemu: 2.6.1 -> 2.7.0") added this, because the QEMU
build failed without it. That's no longer the case, so we can bring
back stack protection.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[Mindavi]

Result of nixpkgs-review pr 112881 run on x86_64-linux 1

5 packages marked as broken and skipped:

• linuxPackages-libre.virtualbox
• linuxPackages_hardkernel_4_14.virtualbox
• linuxPackages_hardkernel_latest.virtualbox
• linuxPackages_latest-libre.virtualbox
• multibootusb

1 package blacklisted:

• tests.nixos-functions.nixosTest-test

23 packages failed to build:

• aqemu
• linuxPackages.virtualbox (linuxPackages_5_4.virtualbox)
• linuxPackages_4_14.virtualbox
• linuxPackages_4_19.virtualbox
• linuxPackages_4_4.virtualbox
• linuxPackages_4_9.virtualbox
• linuxPackages_5_10.virtualbox
• linuxPackages_hardened.virtualbox
• linuxPackages_latest.virtualbox
• linuxPackages_latest_hardened.virtualbox
• linuxPackages_latest_xen_dom0.virtualbox
• linuxPackages_latest_xen_dom0_hardened.virtualbox
• linuxPackages_lqx.virtualbox
• linuxPackages_testing_bcachefs.virtualbox
• linuxPackages_xen_dom0.virtualbox
• linuxPackages_xen_dom0_hardened.virtualbox
• linuxPackages_zen.virtualbox
• qemu_xen (qemu_xen_4_10)
• qemu_xen-light (qemu_xen_4_10-light)
• virtualbox
• virtualboxHardened
• virtualboxHeadless
• virtualboxWithExtpack

20 packages built:

• alpine-make-vm-image
• cloud-init
• cloud-utils
• cot (python38Packages.cot)
• libguestfs
• open-watcom-bin
• out-of-tree
• python37Packages.cot
• python37Packages.guestfs
• python38Packages.guestfs
• python39Packages.cot
• python39Packages.guestfs
• qemu
• qemu-utils
• qemu_full
• qemu_kvm
• qemu_test
• qtemu
• solo5
• vagrant

Some notes:

• Xen appears to be broken: xen fails to build on unstable #108479
• Not sure about virtualbox, I can't seem to find anything in the issue tracker
• Cot test fails due to DeprecationWarning, unrelated
• aqemu build error -> seems unrelated

Excerpt from the virtualboxHeadless build log:

The failing command:
$(QUIET)$(REDIRECT) -wo $@ -- $(SED) -f $< $(filter %.h,$^)
kmk: *** Deleting file '/build/VirtualBox-6.1.18/out/linux.amd64/release/obj/Runtime/errmsgdata.h'
kBuild: Generating /build/VirtualBox-6.1.18/out/linux.amd64/release/obj/Runtime/errmsgdata.h
kmk: *** [/build/VirtualBox-6.1.18/src/VBox/Runtime/Makefile.kmk:3663: /build/VirtualBox-6.1.18/out/linux.amd64/release/obj/Runtime/errmsgdata.h] Segmentation fault

Excerpt from the aqemu build log (seems like a missing include):

/build/source/src/docopt/docopt_value.h:267:16: error: 'runtime_error' is not a member of 'std'
  267 |     throw std::runtime_error( str + " contains non-numeric characters.");
      |                ^~~~~~~~~~~~~
In file included from /build/source/src/docopt/docopt.cpp:9:
/build/source/src/docopt/docopt.h: At global scope:
/build/source/src/docopt/docopt.h:21:50: error: expected class-name before '{' token
   21 |  struct DocoptLanguageError : std::runtime_error { using runtime_error::runtime_error; };
      |                                                  ^
/build/source/src/docopt/docopt.h:21:58: error: 'runtime_error' has not been declared
   21 |  struct DocoptLanguageError : std::runtime_error { using runtime_error::runtime_error; };
      |                                                          ^~~~~~~~~~~~~
/build/source/src/docopt/docopt.h:24:50: error: expected class-name before '{' token
   24 |  struct DocoptArgumentError : std::runtime_error { using runtime_error::runtime_error; };

Building with merge gives the same results.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/476

[Mic92]

Just some random vm test
@GrahamcOfBorg test ferm

[Mic92]

@r-burns any regressions on powerpc in this regard?

[Mic92]

Looks good so far.

[r-burns]

Thanks for the ping - no issues on my end. Built qemu on x86_64-linux and booted a minimal PowerNV VM to login prompt 👍

[Mic92]

Result of nixpkgs-review pr 112881 run on x86_64-linux 1

6 packages marked as broken and skipped:

• aqemu
• linuxPackages-libre.virtualbox
• linuxPackages_hardkernel_4_14.virtualbox
• linuxPackages_hardkernel_latest.virtualbox
• linuxPackages_latest-libre.virtualbox
• multibootusb

1 package blacklisted:

• tests.nixos-functions.nixosTest-test

2 packages failed to build:

• qemu_xen (qemu_xen_4_10)
• qemu_xen-light (qemu_xen_4_10-light)

40 packages built:

• alpine-make-vm-image
• cloud-init
• cloud-utils
• cot (python38Packages.cot)
• libguestfs
• linuxPackages.virtualbox (linuxPackages_5_4.virtualbox)
• linuxPackages_4_14.virtualbox
• linuxPackages_4_19.virtualbox
• linuxPackages_4_4.virtualbox
• linuxPackages_4_9.virtualbox
• linuxPackages_5_10.virtualbox
• linuxPackages_hardened.virtualbox
• linuxPackages_latest.virtualbox
• linuxPackages_latest_hardened.virtualbox
• linuxPackages_latest_xen_dom0.virtualbox
• linuxPackages_latest_xen_dom0_hardened.virtualbox
• linuxPackages_lqx.virtualbox
• linuxPackages_testing_bcachefs.virtualbox
• linuxPackages_xen_dom0.virtualbox
• linuxPackages_xen_dom0_hardened.virtualbox
• linuxPackages_zen.virtualbox
• open-watcom-bin
• out-of-tree
• python37Packages.cot
• python37Packages.guestfs
• python38Packages.guestfs
• python39Packages.cot
• python39Packages.guestfs
• qemu
• qemu-utils
• qemu_full
• qemu_kvm
• qemu_test
• qtemu
• solo5
• vagrant
• virtualbox
• virtualboxHardened
• virtualboxHeadless
• virtualboxWithExtpack