diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index aa8eb720486cf2..34358e04194a5b 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -43,6 +43,7 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
  hardeningCFlags+=('-fPIE')
  if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
  if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
+ hardeningCFlags+=('-pie')
  hardeningLDFlags+=('-pie')
  fi
  ;;
@@ -67,7 +68,8 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
  hardeningLDFlags+=('-z' 'now')
  ;;
  *)
- echo "Hardening flag unknown: $flag" >&2
+ # Ignore unsupported. Checked in Nix that at least *some*
+ # tool supports each flag.
  ;;
  esac
 fi
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 1c654ea4756787..6099535600c73d 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -138,7 +138,7 @@ if [ "$dontLink" != 1 ]; then
 
  # Add the flags that should only be passed to the compiler when
  # linking.
- extraAfter+=($NIX_@infixSalt@_CFLAGS_LINK "${hardeningLDFlags[@]}")
+ extraAfter+=($NIX_@infixSalt@_CFLAGS_LINK)
 
  # Add the flags that should be passed to the linker (and prevent
  # `ld-wrapper' from adding NIX_@infixSalt@_LDFLAGS again).
diff --git a/pkgs/os-specific/linux/devmem2/default.nix b/pkgs/os-specific/linux/devmem2/default.nix
index 4cee9678a9b60b..969197c2dc9d1d 100644
--- a/pkgs/os-specific/linux/devmem2/default.nix
+++ b/pkgs/os-specific/linux/devmem2/default.nix
@@ -8,8 +8,9 @@ stdenv.mkDerivation rec {
  sha256 = "14f1k7v6i1yaxg4xcaaf5i4aqn0yabba857zjnbg9wiymy82qf7c";
  };
 
+ hardeningDisable = [ "format" ]; # fix compile error
+
  buildCommand = ''
- export hardeningDisable=format # fix compile error
  cc "$src" -o devmem2
  install -D devmem2 "$out/bin/devmem2"
  '';
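Review bot: The guard that the new `hardeningCFlags+=('-pie')` line sits under matches `" -shared "` and `" -static "` against `"$*"`, which carries no leading or trailing space, so a `-shared` or `-static` that is the first or last argument goes undetected and `-pie` now lands in both the compiler and the linker flag sets for that link, which depending on the toolchain yields a linker error or a wrongly linked shared object. Padding the haystack fixes the match: `if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then`. The NIX_DEBUG line above the added one still reports `enabling LDFlags -pie`; since the flag is now also a compiler flag, `echo HARDENING: enabling CFlags/LDFlags -pie >&2` would keep the log honest. The enclosing `case` arm and `if` begin outside the hunk.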
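Review bot: Replacing the `Hardening flag unknown` warning with a bare comment means a flag this wrapper does not implement is dropped with no trace at all, so the build fails open — it reports success while a requested mitigation was never applied. The Nix-side check the new comment points to only validates spelling against a fixed list in a different file; it cannot tell whether this particular wrapper honours a flag, and nothing here records that it was skipped. Keep at least a debug-gated message in the `*)` arm: `if [[ -n "${NIX_DEBUG:-}" ]]; then echo "HARDENING: flag $flag not supported by this wrapper, ignored" >&2; fi`. The `case` and the surrounding `if` begin outside the hunk.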
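Review bot: With `"${hardeningLDFlags[@]}"` removed from `extraAfter`, nothing in this hunk shows where the `-z relro`, `-z now` and linker-side `-pie` collected by add-hardening.sh are now emitted for a cc-driven link; presumably ld-wrapper sources the same script and appends them itself, but if it does not, RELRO and BIND_NOW are silently lost and no visible check would notice. The comment above the changed line should state the new contract, e.g. `# Hardening link flags (relro, bindnow, pie) are now added by ld-wrapper, not here.` It is worth confirming on a binary built after this change that `readelf -l` still shows a `GNU_RELRO` segment and `readelf -d` a `BIND_NOW` entry. The enclosing `if [ "$dontLink" != 1 ]` block continues outside the hunk.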
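Review bot: `# fix compile error` on the new `hardeningDisable = [ "format" ];` line does not say which check fails, so a later maintainer cannot tell whether the exemption is still needed or what it costs. In nixpkgs the `format` group presumably corresponds to the `-Wformat -Wformat-security -Werror=format-security` set, and the usual trigger is a `printf`-family call with a non-literal format string; for a tool that writes to `/dev/mem`, patching that one call is preferable to switching the checks off for the whole build. If that is the error, record it instead of the vague note: `hardeningDisable = [ "format" ]; # TODO: upstream printf uses a non-literal format string and trips -Werror=format-security; patch the call instead`. The cause is inferred from the flag name here, so confirm it against the actual compiler output before wording the comment.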
diff --git a/pkgs/os-specific/linux/firmware/fwupdate/default.nix b/pkgs/os-specific/linux/firmware/fwupdate/default.nix
index 3fc7af916368c1..b1cbed1090878c 100644
--- a/pkgs/os-specific/linux/firmware/fwupdate/default.nix
+++ b/pkgs/os-specific/linux/firmware/fwupdate/default.nix
@@ -17,7 +17,7 @@ let version = "8"; in
  buildInputs = [ gnu-efi libsmbios popt pkgconfig gettext ];
  propagatedBuildInputs = [ efivar ];
  # TODO: Just apply the disable to the efi subdir
- hardeningDisable = "all";
+ hardeningDisable = [ "all" ];
  patchPhase = ''
  sed -i 's|/usr/include/smbios_c/token.h|smbios_c/token.h|' \
  linux/libfwup.c
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 2fbaa76c6a4329..b9d8b2d31175c7 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -41,7 +41,20 @@ rec {
  , __propagatedImpureHostDeps ? []
  , sandboxProfile ? ""
  , propagatedSandboxProfile ? ""
+
+ , hardeningEnable ? []
+ , hardeningDisable ? []
  , ... } @ attrs:
+
+ # TODO(@Ericson2314): Make this more modular, and not O(n^2).
+ let allHardeningFlags = [
+ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
+ "bindnow"
+ ];
+ in assert lib.all
+ (flag: lib.elem flag allHardeningFlags)
+ (hardeningEnable ++ hardeningDisable);
+
  let dependencies = map lib.chooseDevOutputs [
  (map (drv: drv.nativeDrv or drv) nativeBuildInputs
diff --git a/pkgs/tools/networking/envoy/default.nix b/pkgs/tools/networking/envoy/default.nix
index 79a24ea1f8dd0b..f5362d173e7d45 100644
--- a/pkgs/tools/networking/envoy/default.nix
+++ b/pkgs/tools/networking/envoy/default.nix
@@ -233,7 +233,7 @@ stdenv.mkDerivation rec {
 
  patches = [ ./nixos.patch ];
 
- hardeningDisable = "all";
+ hardeningDisable = [ "all" ];
  dontPatchELF = true;
  dontStrip = true;
 
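Review bot: The new `assert lib.all (flag: lib.elem flag allHardeningFlags) (hardeningEnable ++ hardeningDisable)` rejects `"all"`, which is absent from `allHardeningFlags`, yet the fwupdate and envoy hunks of this same commit set `hardeningDisable = [ "all" ]` and add-hardening.sh's `hardeningDisableMap[all]` treats it as a valid value, so those derivations fail to evaluate as written. Strip it before the membership check while still refusing it in `hardeningEnable`: `(hardeningEnable ++ lib.remove "all" hardeningDisable);`. A string value such as the pre-commit `hardeningDisable = "all"` makes `++` fail with a generic type error that never mentions hardening; an `assert lib.isList hardeningEnable && lib.isList hardeningDisable;` ahead of the membership check gives the package author a usable message. `mkDerivation`'s argument pattern and body begin and end outside the hunk.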