Skip to content

cc-wrapper: add support for libcxxhardeningfast & libcxxhardeningextensive hardening flags#442945

Merged
philiptaron merged 2 commits intoNixOS:stagingfrom
risicle:ris-libcxx-hardening
Oct 8, 2025
Merged

cc-wrapper: add support for libcxxhardeningfast & libcxxhardeningextensive hardening flags#442945
philiptaron merged 2 commits intoNixOS:stagingfrom
risicle:ris-libcxx-hardening

Conversation

@risicle
Copy link
Contributor

@risicle risicle commented Sep 14, 2025
edited
Loading

See https://libcxx.llvm.org/Hardening.html

These two flags are mutually exclusive in the same way fortify/fortify3 and strictflexarrays1/strictflexarrays3 are.

As with glibcxxassertions (#414987), we don't yet have a nice mechanism for deferring support decisions to the c++ library in use, so for now at least enabling this hardening flag will cause _LIBCPP_HARDENING_MODE to be defined on all compilers.

Not yet finished: release notes and docs entries, but this is ready for review in its current state.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@risicle risicle requested review from a team September 14, 2025 16:46
@risicle risicle added the 6.topic: stdenv Standard environment label Sep 14, 2025
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Sep 14, 2025
@risicle risicle force-pushed the ris-libcxx-hardening branch 2 times, most recently from 8de8347 to 2b6ab40 Compare September 15, 2025 21:51
@nixpkgs-ci nixpkgs-ci bot added 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation labels Sep 15, 2025
@risicle risicle force-pushed the ris-libcxx-hardening branch from 2b6ab40 to 4d10181 Compare September 15, 2025 22:03
@nixpkgs-ci nixpkgs-ci bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Oct 2, 2025
@risicle risicle force-pushed the ris-libcxx-hardening branch from 4d10181 to 825000a Compare October 4, 2025 11:32
@nixpkgs-ci nixpkgs-ci bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Oct 4, 2025
philiptaron
philiptaron approved these changes Oct 7, 2025
View reviewed changes
Copy link
Contributor

@philiptaron philiptaron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm running the tests. Couple of comments, nothing blocking.

@github-project-automation github-project-automation bot moved this to In Progress in Stdenv Oct 7, 2025
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Oct 7, 2025
@philiptaron
Copy link
Contributor

philiptaron commented Oct 7, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 442945 --package tests.hardeningFlags-clang --package tests.hardeningFlags-gcc --package tests.hardeningFlags
Commit: 825000a165903d3a6ed19f937e7666b8cc6ab357

x86_64-linux

❌ 4 packages failed to build:
  • tests.hardeningFlags-clang.allExplicitDisabledPie
  • tests.hardeningFlags-clang.pieExplicitDisabled
  • tests.hardeningFlags.allExplicitDisabledPie
  • tests.hardeningFlags.pieExplicitDisabled
✅ 135 packages built:
  • tests.hardeningFlags-clang.allExplicitDisabledBindNow
  • tests.hardeningFlags-clang.allExplicitDisabledFortify
  • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
  • tests.hardeningFlags-clang.allExplicitDisabledShadowStack
  • tests.hardeningFlags-clang.allExplicitDisabledStackClashProtection
  • tests.hardeningFlags-clang.allExplicitDisabledStackProtector
  • tests.hardeningFlags-clang.bindNowExplicitDisabled
  • tests.hardeningFlags-clang.bindNowExplicitEnabled
  • tests.hardeningFlags-clang.fortify1ExplicitDisabledCmdlineEnabled
  • tests.hardeningFlags-clang.fortify1ExplicitDisabledCmdlineEnabledExecTest
  • tests.hardeningFlags-clang.fortify1ExplicitEnabledCmdlineDisabled
  • tests.hardeningFlags-clang.fortify1ExplicitEnabledCmdlineDisabledNoWarn
  • tests.hardeningFlags-clang.fortify1ExplicitEnabledExecTest
  • tests.hardeningFlags-clang.fortify3EnabledEnvEnablesFortify1
  • tests.hardeningFlags-clang.fortify3EnabledEnvEnablesFortify1ExecTest
  • tests.hardeningFlags-clang.fortify3ExplicitDisabled
  • tests.hardeningFlags-clang.fortify3ExplicitDisabledDoesntDisableFortify
  • tests.hardeningFlags-clang.fortify3StdenvUnsupp
  • tests.hardeningFlags-clang.fortify3StdenvUnsuppDoesntUnsuppFortify1
  • tests.hardeningFlags-clang.fortify3StdenvUnsuppDoesntUnsuppFortify1ExecTest
  • tests.hardeningFlags-clang.fortifyEnabledEnvDoesntEnableFortify3
  • tests.hardeningFlags-clang.fortifyExplicitDisabled
  • tests.hardeningFlags-clang.fortifyExplicitDisabledDisablesFortify3
  • tests.hardeningFlags-clang.fortifyExplicitEnabled
  • tests.hardeningFlags-clang.fortifyExplicitEnabledExecTest
  • tests.hardeningFlags-clang.fortifyStdenvUnsupp
  • tests.hardeningFlags-clang.fortifyStdenvUnsuppUnsupportsFortify3
  • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
  • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
  • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
  • tests.hardeningFlags-clang.pieExplicitEnabled
  • tests.hardeningFlags-clang.pieExplicitEnabledStructuredAttrs
  • tests.hardeningFlags-clang.relROExplicitEnabled
  • tests.hardeningFlags-clang.sfa1EnabledEnvDoesntEnableSfa3
  • tests.hardeningFlags-clang.sfa1StdenvUnsupp
  • tests.hardeningFlags-clang.sfa1StdenvUnsuppUnsupportsSfa3
  • tests.hardeningFlags-clang.sfa1explicitDisabled
  • tests.hardeningFlags-clang.sfa1explicitDisabledDisablesSfa3
  • tests.hardeningFlags-clang.sfa1explicitDisabledDisablesSfa3ExecTest
  • tests.hardeningFlags-clang.sfa1explicitDisabledExecTest
  • tests.hardeningFlags-clang.sfa1explicitEnabled
  • tests.hardeningFlags-clang.sfa1explicitEnabledDoesntProtectDefLen1
  • tests.hardeningFlags-clang.sfa1explicitEnabledDoesntProtectDefLen1ExecTest
  • tests.hardeningFlags-clang.sfa1explicitEnabledExecTest
  • tests.hardeningFlags-clang.sfa3EnabledEnvEnablesSfa1
  • tests.hardeningFlags-clang.sfa3EnabledEnvEnablesSfa1ExecTest
  • tests.hardeningFlags-clang.sfa3StdenvUnsupp
  • tests.hardeningFlags-clang.sfa3StdenvUnsuppDoesntUnsuppSfa1
  • tests.hardeningFlags-clang.sfa3StdenvUnsuppDoesntUnsuppSfa1ExecTest
  • tests.hardeningFlags-clang.sfa3explicitDisabledDoesntDisableSfa1
  • tests.hardeningFlags-clang.sfa3explicitDisabledDoesntDisableSfa1ExecTest
  • tests.hardeningFlags-clang.sfa3explicitEnabledDoesntProtectCorrectFlex
  • tests.hardeningFlags-clang.sfa3explicitEnabledDoesntProtectCorrectFlexExecTest
  • tests.hardeningFlags-clang.sfa3explicitEnabledProtectsDefLen1
  • tests.hardeningFlags-clang.sfa3explicitEnabledProtectsDefLen1ExecTest
  • tests.hardeningFlags-clang.shadowStackExplicitDisabled
  • tests.hardeningFlags-clang.shadowStackExplicitEnabled
  • tests.hardeningFlags-clang.stackClashProtectionExplicitDisabled
  • tests.hardeningFlags-clang.stackClashProtectionStdenvUnsupp
  • tests.hardeningFlags-clang.stackProtectorExplicitDisabled
  • tests.hardeningFlags-clang.stackProtectorExplicitEnabled
  • tests.hardeningFlags-clang.stackProtectorRedisabledEnv
  • tests.hardeningFlags-clang.stackProtectorReenabledEnv
  • tests.hardeningFlags-clang.stackProtectorReenabledFromAllEnv
  • tests.hardeningFlags-clang.stackProtectorStdenvUnsupp
  • tests.hardeningFlags-clang.stackProtectorUnsupportedEnabledEnv
  • tests.hardeningFlags.allExplicitDisabledBindNow
  • tests.hardeningFlags.allExplicitDisabledFortify
  • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
  • tests.hardeningFlags.allExplicitDisabledShadowStack
  • tests.hardeningFlags.allExplicitDisabledStackClashProtection
  • tests.hardeningFlags.allExplicitDisabledStackProtector
  • tests.hardeningFlags.bindNowExplicitDisabled
  • tests.hardeningFlags.bindNowExplicitEnabled
  • tests.hardeningFlags.fortify1ExplicitDisabledCmdlineEnabled
  • tests.hardeningFlags.fortify1ExplicitDisabledCmdlineEnabledExecTest
  • tests.hardeningFlags.fortify1ExplicitEnabledCmdlineDisabled
  • tests.hardeningFlags.fortify1ExplicitEnabledCmdlineDisabledNoWarn
  • tests.hardeningFlags.fortify1ExplicitEnabledExecTest
  • tests.hardeningFlags.fortify3EnabledEnvEnablesFortify1
  • tests.hardeningFlags.fortify3EnabledEnvEnablesFortify1ExecTest
  • tests.hardeningFlags.fortify3ExplicitDisabled
  • tests.hardeningFlags.fortify3ExplicitDisabledDoesntDisableFortify
  • tests.hardeningFlags.fortify3ExplicitEnabled
  • tests.hardeningFlags.fortify3ExplicitEnabledExecTest
  • tests.hardeningFlags.fortify3StdenvUnsupp
  • tests.hardeningFlags.fortify3StdenvUnsuppDoesntUnsuppFortify1
  • tests.hardeningFlags.fortify3StdenvUnsuppDoesntUnsuppFortify1ExecTest
  • tests.hardeningFlags.fortifyEnabledEnvDoesntEnableFortify3
  • tests.hardeningFlags.fortifyExplicitDisabled
  • tests.hardeningFlags.fortifyExplicitDisabledDisablesFortify3
  • tests.hardeningFlags.fortifyExplicitEnabled
  • tests.hardeningFlags.fortifyExplicitEnabledExecTest
  • tests.hardeningFlags.fortifyStdenvUnsupp
  • tests.hardeningFlags.fortifyStdenvUnsuppUnsupportsFortify3
  • tests.hardeningFlags.glibcxxassertionsExplicitDisabled
  • tests.hardeningFlags.glibcxxassertionsExplicitEnabled
  • tests.hardeningFlags.glibcxxassertionsStdenvUnsupp
  • tests.hardeningFlags.pieExplicitEnabled
  • tests.hardeningFlags.pieExplicitEnabledStructuredAttrs
  • tests.hardeningFlags.relROExplicitEnabled
  • tests.hardeningFlags.sfa1EnabledEnvDoesntEnableSfa3
  • tests.hardeningFlags.sfa1StdenvUnsupp
  • tests.hardeningFlags.sfa1StdenvUnsuppUnsupportsSfa3
  • tests.hardeningFlags.sfa1explicitDisabled
  • tests.hardeningFlags.sfa1explicitDisabledDisablesSfa3
  • tests.hardeningFlags.sfa1explicitDisabledDisablesSfa3ExecTest
  • tests.hardeningFlags.sfa1explicitDisabledExecTest
  • tests.hardeningFlags.sfa1explicitEnabled
  • tests.hardeningFlags.sfa1explicitEnabledDoesntProtectDefLen1
  • tests.hardeningFlags.sfa1explicitEnabledDoesntProtectDefLen1ExecTest
  • tests.hardeningFlags.sfa1explicitEnabledExecTest
  • tests.hardeningFlags.sfa3EnabledEnvEnablesSfa1
  • tests.hardeningFlags.sfa3EnabledEnvEnablesSfa1ExecTest
  • tests.hardeningFlags.sfa3StdenvUnsupp
  • tests.hardeningFlags.sfa3StdenvUnsuppDoesntUnsuppSfa1
  • tests.hardeningFlags.sfa3StdenvUnsuppDoesntUnsuppSfa1ExecTest
  • tests.hardeningFlags.sfa3explicitDisabledDoesntDisableSfa1
  • tests.hardeningFlags.sfa3explicitDisabledDoesntDisableSfa1ExecTest
  • tests.hardeningFlags.sfa3explicitEnabledDoesntProtectCorrectFlex
  • tests.hardeningFlags.sfa3explicitEnabledDoesntProtectCorrectFlexExecTest
  • tests.hardeningFlags.sfa3explicitEnabledProtectsDefLen1
  • tests.hardeningFlags.sfa3explicitEnabledProtectsDefLen1ExecTest
  • tests.hardeningFlags.shadowStackExplicitDisabled
  • tests.hardeningFlags.shadowStackExplicitEnabled
  • tests.hardeningFlags.stackClashProtectionExplicitDisabled
  • tests.hardeningFlags.stackClashProtectionExplicitEnabled
  • tests.hardeningFlags.stackClashProtectionStdenvUnsupp
  • tests.hardeningFlags.stackProtectorExplicitDisabled
  • tests.hardeningFlags.stackProtectorExplicitEnabled
  • tests.hardeningFlags.stackProtectorRedisabledEnv
  • tests.hardeningFlags.stackProtectorReenabledEnv
  • tests.hardeningFlags.stackProtectorReenabledFromAllEnv
  • tests.hardeningFlags.stackProtectorStdenvUnsupp
  • tests.hardeningFlags.stackProtectorUnsupportedEnabledEnv
Error logs: `x86_64-linux`
tests.hardeningFlags-clang.allExplicitDisabledPie 
/nix/store/w87zpnsf6276k5mgwj0xxqxn9am9mvkj-test-bin/bin/test-bin:
 Position Independent Executable: yes
 Stack protected: no, not found! (ignored)
 Fortify Source functions: no, only unprotected functions found! (ignored)
 Read-only relocations: yes
 Immediate binding: no, not found! (ignored)
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found! (ignored)
 Branch Protection: no, not found! (ignored)
ERROR: Expected hardening-check to fail, but it passed!
tests.hardeningFlags-clang.pieExplicitDisabled 
/nix/store/s7amxm64f86k41nvcanzw2rn1flpwcyf-test-bin/bin/test-bin:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found! (ignored)
 Branch Protection: no, not found! (ignored)
ERROR: Expected hardening-check to fail, but it passed!
tests.hardeningFlags.allExplicitDisabledPie 
/nix/store/prf72qwz767swbi77fbm6fbk55aygpai-test-bin/bin/test-bin:
 Position Independent Executable: yes
 Stack protected: no, not found! (ignored)
 Fortify Source functions: no, only unprotected functions found! (ignored)
 Read-only relocations: yes
 Immediate binding: no, not found! (ignored)
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found! (ignored)
 Branch Protection: no, not found! (ignored)
ERROR: Expected hardening-check to fail, but it passed!
tests.hardeningFlags.pieExplicitDisabled 
/nix/store/z18i8h0bshfrswp0bmmfhyypzrxk6v07-test-bin/bin/test-bin:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found! (ignored)
 Branch Protection: no, not found! (ignored)
ERROR: Expected hardening-check to fail, but it passed!

@philiptaron
Copy link
Contributor

philiptaron commented Oct 7, 2025

Four PIE tests (see the nixpkgs-review) fail. The logs are there. Could you take a look?

@nixpkgs-ci nixpkgs-ci bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Oct 7, 2025
@risicle
Copy link
Contributor Author

risicle commented Oct 7, 2025

I suspect those broke when pie got enabled at the toolchain level. Anyway, looks like you've just merged the pie flag's removal ;)

@risicle risicle force-pushed the ris-libcxx-hardening branch 2 times, most recently from e58826f to b20ee00 Compare October 7, 2025 21:39
@nixpkgs-ci nixpkgs-ci bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Oct 7, 2025
@philiptaron
Copy link
Contributor

philiptaron commented Oct 7, 2025

I suspect those broke when pie got enabled at the toolchain level. Anyway, looks like you've just merged the pie flag's removal ;)

Yes, it's those failures that made me look more information... and voila, they disappear in a poof of excellence.

philiptaron
philiptaron reviewed Oct 7, 2025
View reviewed changes
Copy link
Contributor

@philiptaron philiptaron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more removal from the release notes then I move to merge.

risicle added 2 commits October 8, 2025 18:53
@risicle
cc-wrapper: add support for libcxxhardeningfast/extensive hardening f…
2a45fd1 
…lags

as with glibcxxassertions, we don't yet have a nice mechanism
for deferring support decisions to the c++ library in use, so
for now at least enabling this hardening flag will cause
_LIBCPP_HARDENING_MODE to be defined on all compilers
@risicle
ld64: disable libcxxhardeningfast hardening flag
422942c 
ld built with this fails to link glib's gio on x86_64 darwin
@risicle risicle force-pushed the ris-libcxx-hardening branch from b20ee00 to 422942c Compare October 8, 2025 17:54
@philiptaron philiptaron merged commit 7394364 into NixOS:staging Oct 8, 2025
27 of 31 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Stdenv Oct 8, 2025
@booxter booxter mentioned this pull request Oct 23, 2025
Closed
3 tasks
@DDoSolitary DDoSolitary mentioned this pull request Nov 19, 2025
Open
13 tasks
DDoSolitary added a commit to DDoSolitary/nixpkgs that referenced this pull request Nov 19, 2025
@DDoSolitary
zig: disable libcxx hardening flags
a55e7e1 
The libcxxhardeningfast and libcxxhardeingextensive hardening flags
introduced by NixOS#442945 add _LIBCPP_HARDENING_MODE definitions to compiler
invocations, but zig already sets it automatically. This causes macro
re-definition warnings (or errors if -Werror is enabled) when compiling
C++ projects with zigStdenv.
@collares collares mentioned this pull request Nov 22, 2025
Draft
13 tasks
@risicle risicle mentioned this pull request Feb 14, 2026
Open
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@philiptaron philiptaron philiptaron approved these changes

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314

@emilazy emilazy Awaiting requested review from emilazy

@reckenrode reckenrode Awaiting requested review from reckenrode

@Artturin Artturin Awaiting requested review from Artturin

@RossComputerGuy RossComputerGuy Awaiting requested review from RossComputerGuy

@toonn toonn Awaiting requested review from toonn

@lovesegfault lovesegfault Awaiting requested review from lovesegfault

@azahi azahi Awaiting requested review from azahi

@hsjobeki hsjobeki Awaiting requested review from hsjobeki

@GetPsyched GetPsyched Awaiting requested review from GetPsyched

@fricklerhandwerk fricklerhandwerk Awaiting requested review from fricklerhandwerk

Assignees

No one assigned

Labels

6.topic: stdenv Standard environment 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

Stdenv
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@risicle @philiptaron