Skip to content

WIP: rewrite hardening in plain nix#19512

Closed
groxxda wants to merge 7 commits intoNixOS:stagingfrom
groxxda:hardeningInNix
Closed

WIP: rewrite hardening in plain nix#19512
groxxda wants to merge 7 commits intoNixOS:stagingfrom
groxxda:hardeningInNix

Conversation

@groxxda
Copy link
Contributor

@groxxda groxxda commented Oct 13, 2016
edited
Loading

Motivation for this change

Doing it in nix makes it more lazy.

See commit messages for more details

Fixes #18995

This PR is not ready to merge.
I post it to get feedback on the changes.

TODO:

  • Add hardening for other cc derivations
  • Handle pie hardening (probably via .spec file for gcc, sadly unsupported on clang)
  • Make all flag more efficient (see 4bf0576 for details)

CC @fpletz @globin

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • OS X
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@groxxda
stdenv: rewrite hardening from bash to nix
eedf427 
The logic is now done in nix. This adds the benefit that hardening is
now more lazy. Previously a change to add-hardening.sh caused a full
rebuild.
@groxxda
stdenv: add hardeningSupported (only gcc5 for now)
cfb5d1e 
This adds an attribute to the cc derivation that indicates which
hardening flags are supported.

Fixes #18995:
nix-shell -p uses stdenvNoCC to build the environment. Thus
stdenv.cc.cc.hardeningSupported is undefined and no hardening flags are
turned on.
@groxxda
gcc6: add supported hardening flags
4b93591
@groxxda
stdenv: support special 'all' hardening flag
4bf0576 
Since it was supported before, add it here.

The implementation favors readability over performance:
The case hardeningDisable=["all"] is unnecessarily unperformant.
@groxxda
gcc, icl: our bootstrap gcc has supportHardening = [], so no need for…
73f0e91 
… this anymore
@groxxda
Copy link
Contributor Author

groxxda commented Oct 13, 2016

@fpletz can I help with the remaining todos?

@fpletz fpletz added 0.kind: enhancement Add something new or improve an existing system. 9.needs: reporter feedback This issue needs the person who filed it to respond 1.severity: mass-rebuild 9.needs: port to stable A PR needs a backport to the stable release. labels Oct 13, 2016
@fpletz fpletz self-assigned this Oct 13, 2016
@fpletz
Copy link
Member

fpletz commented Oct 13, 2016

Yes, please start if you can. I will have time again to look at these issues at the weekend. Too much dayjob-stuff to do.

@groxxda
Copy link
Contributor Author

groxxda commented Oct 13, 2016

@fpletz can you share your work for spec files somewhere?

@aneeshusa
Copy link
Contributor

aneeshusa commented Oct 14, 2016

I'm a big fan of doing more in Nix (see my cmakeFlags/configureFlags PRs), but since this adds more processing to mkDerivation, I believe this will require #18660 to allow easy overrides of the hardening flags.

@aneeshusa
Copy link
Contributor

aneeshusa commented Oct 14, 2016
edited
Loading

We need to keep supporting "all" for backwards compatibility right now, but a nice interface improvement we can get is also supporting hardeningEnable = true and hardeningDisable = true, instead of using "all" as a sentinel.

Edit: this could also be hardeningEnable = true and hardeningEnable = false, and not supporting a boolean value for hardeningDisable.

@groxxda
Copy link
Contributor Author

groxxda commented Oct 14, 2016

@fpletz I think our best shot to handle pie gracefully is to modify (ld,cc)-wrapper instead of using spec files. Something along [pseudo code]

for flag in flags:
  if flag matches "-?-(static|shared)":
    disable_pie = true
if disable_pie:
  flags.remove("-pie")

just before the debug print..

@spacekitteh
Copy link
Contributor

spacekitteh commented Nov 4, 2016
edited
Loading

Cool. How's this coming?

Also, @grahamc security

@grahamc grahamc added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 5, 2016
@bjornfor
Copy link
Contributor

bjornfor commented Dec 8, 2016

Friendly bump. Are the remaining TODOs blockers?

@copumpkin
Copy link
Member

copumpkin commented May 4, 2017

Any progress here?

@fpletz
Copy link
Member

fpletz commented Aug 15, 2017

Closing in favour of #28029.

@fpletz fpletz closed this Aug 15, 2017
@groxxda groxxda deleted the hardeningInNix branch September 21, 2017 13:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@fpletz fpletz

Labels

0.kind: enhancement Add something new or improve an existing system. 1.severity: security Issues which raise a security issue, or PRs that fix one 9.needs: port to stable A PR needs a backport to the stable release. 9.needs: reporter feedback This issue needs the person who filed it to respond

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@groxxda @fpletz @aneeshusa @spacekitteh @bjornfor @copumpkin @grahamc