diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
deleted file mode 100644
index b98833b3513b5..0000000000000
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ /dev/null
@@ -1,59 +0,0 @@
-hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
-hardeningFlags+=("${hardeningEnable[@]}")
-hardeningCFlags=()
-hardeningLDFlags=()
-hardeningDisable=${hardeningDisable:-""}
-
-hardeningDisable+=" @hardening_unsupported_flags@"
-
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
-
-if [[ ! $hardeningDisable =~ "all" ]]; then
- if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
- for flag in "${hardeningFlags[@]}"
- do
- if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then
- case $flag in
- fortify)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
- hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
- ;;
- stackprotector)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
- hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4')
- ;;
- pie)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
- hardeningCFlags+=('-fPIE')
- if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
- hardeningLDFlags+=('-pie')
- fi
- ;;
- pic)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
- hardeningCFlags+=('-fPIC')
- ;;
- strictoverflow)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
- hardeningCFlags+=('-fno-strict-overflow')
- ;;
- format)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
- hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
- ;;
- relro)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
- hardeningLDFlags+=('-z' 'relro')
- ;;
- bindnow)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi
- hardeningLDFlags+=('-z' 'now')
- ;;
- *)
- echo "Hardening flag unknown: $flag" >&2
- ;;
- esac
- fi
- done
-fi
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 03f068d8298eb..44be6fc47ba48 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -117,7 +117,6 @@ if [[ "$isCpp" = 1 ]]; then
 fi
 LD=@ldPath@/ld
-source @out@/nix-support/add-hardening.sh
 # Add the flags for the C compiler proper.
 extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 8a9bd3ecb4d56..21c7006343b3b 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -260,7 +260,6 @@ stdenv.mkDerivation {
 fi
 substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
- substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
 cp -p ${./utils.sh} $out/nix-support/utils.sh
 '' + extraBuildCommands;
diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
index 44d9a047936a5..8b8fcc95a842b 100644
--- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@@ -48,7 +48,6 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
 fi
 LD=@prog@
-source @out@/nix-support/add-hardening.sh
 extra=(${hardeningLDFlags[@]})
 extraBefore=()
diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix
index 3d75c0e76daaf..8164a2bd6ad95 100644
--- a/pkgs/development/compilers/gcc/5/default.nix
+++ b/pkgs/development/compilers/gcc/5/default.nix
@@ -220,8 +220,7 @@ stdenv.mkDerivation ({
 inherit sha256;
 };
- # FIXME stackprotector needs gcc 4.9 in bootstrap tools
- hardeningDisable = [ "stackprotector" "format" ];
+ hardeningDisable = [ "format" ];
 inherit patches;
@@ -508,8 +507,10 @@ stdenv.mkDerivation ({
 ] else null;
- passthru =
- { inherit langC langCC langObjC langObjCpp langAda langFortran langVhdl langGo version; isGNU = true; };
+ passthru = {
+ inherit langC langCC langObjC langObjCpp langAda langFortran langVhdl langGo version; isGNU = true;
+ hardeningSupported = [ "fortify" "stackprotector" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+ };
 inherit enableParallelBuilding enableMultilib;
diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
index acddc9081be05..9b4d4b37c7377 100644
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
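Review bot: The FIXME that explained why `stackprotector` was disabled disappears together with the disable, and nothing in the hunk records what changed to make `-fstack-protector-strong` acceptable during the gcc bootstrap (the removed note tied it to gcc 4.9 in the bootstrap tools). A short comment on the remaining line would keep that history, e.g. `# stackprotector no longer needs to be disabled for bootstrap — see <commit or issue>`, and `format` staying disabled deserves its own one-line reason. The same FIXME is dropped from isl/0.14.1.nix in a later hunk, so one explanation in the commit message would cover both.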
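Review bot: `hardeningSupported` does not list `pie`, so with the new hardening.nix a package that asks for `hardeningEnable = [ "pie" ]` silently gets neither `-fPIE` nor `-pie`: the module keeps only names present in this list, which makes the `pie` entry in its flag map unreachable for gcc 5 and, with the identical list in the gcc/6 hunk, for gcc 6 as well. Before this commit the wrapper honoured `pie` from `hardeningEnable` and only withheld `-pie` when the command line contained `-shared` or `-static`, a per-invocation condition a static flag list cannot express. If leaving it out is intentional, say so on the list, e.g. `# pie omitted: -pie must not reach -shared/-static links, which needs per-invocation handling in the wrapper`; otherwise `pie` needs an entry here plus that check in ld-wrapper.sh.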
@@ -506,8 +506,10 @@ stdenv.mkDerivation ({
 ] else null;
- passthru =
- { inherit langC langCC langObjC langObjCpp langAda langFortran langVhdl langGo version; isGNU = true; };
+ passthru = {
+ inherit langC langCC langObjC langObjCpp langAda langFortran langVhdl langGo version; isGNU = true;
+ hardeningSupported = [ "fortify" "stackprotector" "pic" "strictoverflow" "format" "relro" "bindnow" ];
+ };
 inherit enableParallelBuilding enableMultilib;
diff --git a/pkgs/development/libraries/isl/0.14.1.nix b/pkgs/development/libraries/isl/0.14.1.nix
index 77ba20cbb2003..8196dec283ac4 100644
--- a/pkgs/development/libraries/isl/0.14.1.nix
+++ b/pkgs/development/libraries/isl/0.14.1.nix
@@ -12,9 +12,6 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
- # FIXME needs gcc 4.9 in bootstrap tools
- hardeningDisable = [ "stackprotector" ];
-
 meta = {
 homepage = http://www.kotnet.org/~skimo/isl/;
 license = stdenv.lib.licenses.lgpl21;
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 372fd3cfa5268..fe32b9db07bd5 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -114,6 +114,8 @@ let
 , __propagatedImpureHostDeps ? []
 , sandboxProfile ? ""
 , propagatedSandboxProfile ? ""
+ , hardeningEnable ? [ "all" ]
+ , hardeningDisable ? [ ]
 , ... } @ attrs:
 let
 pos' =
@@ -185,6 +187,7 @@ let
 (removeAttrs attrs
 ["meta" "passthru" "crossAttrs" "pos"
 "__impureHostDeps" "__propagatedImpureHostDeps"
+ "hardeningEnable" "hardeningDisable"
 "sandboxProfile" "propagatedSandboxProfile"])
 // (let
 computedSandboxProfile =
@@ -203,6 +206,11 @@ let
 system = result.system;
 userHook = config.stdenv.userHook or null;
 __ignoreNulls = true;
+ inherit (import ./hardening.nix {
+ inherit lib;
+ inherit hardeningEnable hardeningDisable;
+ hardeningSupported = result.cc.cc.hardeningSupported or [];
+ }) hardeningCFlags hardeningLDFlags;
 # Inputs built by the cross compiler.
 buildInputs = if crossConfig != null then buildInputs' else [];
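Review bot: `hardeningSupported = result.cc.cc.hardeningSupported or [];` turns a compiler that does not declare the attribute into a compiler with no hardening at all: with the new default `hardeningEnable ? [ "all" ]` the module's enabled set is exactly `hardeningSupported`, so every package built with such a cc receives empty `hardeningCFlags`/`hardeningLDFlags`, and in this commit only gcc 5 and gcc 6 declare the attribute. Until now the wrapper script applied its default list to any compiler and only subtracted `@hardening_unsupported_flags@`, so for every other toolchain (which ones exist here is not visible in the hunk) fortify, stack protector, relro and bindnow are dropped without any message. Make the fallback visible, e.g. `hardeningSupported = result.cc.cc.hardeningSupported or (builtins.trace "stdenv: cc declares no hardeningSupported, hardening disabled" []);`, or have cc-wrapper supply the attribute for every compiler it wraps so the gap is caught at evaluation time rather than discovered in a shipped binary. The enclosing attribute set continues outside the hunk.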
diff --git a/pkgs/stdenv/generic/hardening.nix b/pkgs/stdenv/generic/hardening.nix
new file mode 100644
index 0000000000000..f2fbfb79349db
--- /dev/null
+++ b/pkgs/stdenv/generic/hardening.nix
@@ -0,0 +1,52 @@
+{ lib
+# toolchain supported flags
+, hardeningSupported
+# package level flags
+, hardeningEnable, hardeningDisable
+}:
+let
+inherit (builtins) filter map elem;
+inherit (lib) getAttr concatMap flip attrNames;
+
+# mapping from nixpkgs hardening flags to their compiler / linker meanings
+hardeningFlagMap = {
+ bindnow = {
+ LD = [ "-z" "now" ];
+ };
+ format = {
+ C = [ "-Wformat" "-Wformat-security" "-Werror=format-security" ];
+ };
+ fortify = {
+ C = [ "-O2" "-D_FORTIFY_SOURCE=2" ];
+ };
+ pie = {
+ C = [ "-fPIE" ];
+ LD = [ "-pie" ];
+ };
+ pic = {
+ C = [ "-fPIC" ];
+ };
+ relro = {
+ LD = [ "-z" "relro" ];
+ };
+ stackprotector = {
+ C = [ "-fstack-protector-strong" "--param ssp-buffer-size=4" ];
+ };
+ strictoverflow = {
+ C = [ "-fno-strict-overflow" ];
+ };
+};
+
+enabledFlags =
+ if elem "all" hardeningDisable then []
+ else filter (x: ! elem x hardeningDisable) (
+ if elem "all" hardeningEnable then hardeningSupported
+ else filter (flip elem hardeningSupported) hardeningEnable
+ );
+
+enabledFlagsMap = map (flip getAttr hardeningFlagMap) enabledFlags;
+
+in {
+ hardeningCFlags = concatMap (x: x.C or []) enabledFlagsMap;
+ hardeningLDFlags = concatMap (x: x.LD or []) enabledFlagsMap;
+}
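Review bot: Names that are not in `hardeningFlagMap` are never reported: a misspelled entry in `hardeningEnable` is dropped by `filter (flip elem hardeningSupported)` and a misspelled entry in `hardeningDisable` matches nothing, so in both cases the package ends up with a different hardening set than its author wrote, silently — the wrapper script this replaces at least printed `Hardening flag unknown`. A name in `hardeningSupported` that is missing from the map does fail, but through `getAttr` with a bare "attribute missing" error that does not say which list it came from. `attrNames` is imported from lib and never used, which looks like a validation step that did not get written; the check below makes all three lists fail loudly on an unknown name. Failing at evaluation time is the right trade-off here, because a package that believes it enabled a mitigation and did not is the worse outcome.
```nix
# every name a toolchain or package refers to must be one we can translate;
# "all" is the only non-flag word accepted in the enable/disable lists
knownFlags = attrNames hardeningFlagMap;
unknownFlags = filter (x: x != "all" && ! elem x knownFlags)
  (hardeningSupported ++ hardeningEnable ++ hardeningDisable);

enabledFlags =
  if unknownFlags != [] then
    throw "hardening: unknown flags ${toString unknownFlags}; known: ${toString knownFlags}"
  else if elem "all" hardeningDisable then []
  # … unchanged: remaining enable/disable filtering …
```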