diff options
author | obadz <obadz-git@obadz.com> | 2016-08-22 01:19:35 +0100 |
---|---|---|
committer | obadz <obadz-git@obadz.com> | 2016-08-22 01:19:35 +0100 |
commit | 24a9183f907cec515724484d84b0cf236de2e8d0 (patch) | |
tree | 67ab37c4de5d8e8f17b78cc8c6680f25edf7d930 /pkgs/development/interpreters | |
parent | ba50fd71700bf796ea2339115733ca5a850015ea (diff) | |
parent | b092538811a2bd4454ed9b056952c0a10f091076 (diff) | |
download | nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.gz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.bz2 nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.lz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.xz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.zst nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.zip |
Merge branch 'hardened-stdenv' into staging
Closes #12895 Amazing work by @globin & @fpletz getting hardened compiler flags by enabled default on the whole package set
Diffstat (limited to 'pkgs/development/interpreters')
17 files changed, 201 insertions, 23 deletions
diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix index 682978a5ac8d..b7b329ea9560 100644 --- a/pkgs/development/interpreters/clisp/2.44.1.nix +++ b/pkgs/development/interpreters/clisp/2.44.1.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, libsigsegv, gettext, ncurses, readline, libX11 , libXau, libXt, pcre, zlib, libXpm, xproto, libXext, xextproto , libffi, libffcall, coreutils }: - + stdenv.mkDerivation rec { v = "2.44.1"; name = "clisp-${v}"; - + src = fetchurl { url = "mirror://gnu/clisp/release/${v}/${name}.tar.gz"; sha256 = "0rkp6j6rih4s5d9acifh7pi4b9xfgcspif512l269dqy9qgyy4j1"; @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { zlib libXpm xproto libXext xextproto libffi libffcall ]; patches = [ ./bits_ipctypes_to_sys_ipc.patch ]; # from Gentoo - + # First, replace port 9090 (rather low, can be used) # with 64237 (much higher, IANA private area, not # anything rememberable). @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { substituteInPlace modules/bindings/glibc/linux.lisp --replace "(def-c-type __swblk_t)" "" ''; - + configureFlags = '' --with-readline builddir --with-dynamic-ffi @@ -45,6 +45,8 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-O0 ${stdenv.lib.optionalString (!stdenv.is64bit) "-falign-functions=4"}"; + hardeningDisable = [ "format" ]; + # TODO : make mod-check fails doCheck = false; diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix new file mode 100644 index 000000000000..cf4355a38e16 --- /dev/null +++ b/pkgs/development/interpreters/erlang/R14.nix @@ -0,0 +1,65 @@ +{ stdenv, fetchurl, perl, gnum4, ncurses, openssl +, makeWrapper, gnused, gawk }: + +let version = "14B04"; in + +stdenv.mkDerivation { + name = "erlang-" + version; + + src = fetchurl { + url = "http://www.erlang.org/download/otp_src_R${version}.tar.gz"; + sha256 = "0vlvjlg8vzcy6inb4vj00bnj0aarvpchzxwhmi492nv31s8kb6q9"; + }; + + buildInputs = [ perl gnum4 ncurses openssl makeWrapper ]; + + patchPhase = '' sed -i "s@/bin/rm@rm@" lib/odbc/configure erts/configure ''; + + preConfigure = '' + export HOME=$PWD/../ + sed -e s@/bin/pwd@pwd@g -i otp_build + ''; + + configureFlags = "--with-ssl=${openssl}"; + + hardeningDisable = [ "format" ]; + + postInstall = let + manpages = fetchurl { + url = "http://www.erlang.org/download/otp_doc_man_R${version}.tar.gz"; + sha256 = "1nh7l7wilyyaxvlwkjxgm3cq7wpd90sk6vxhgpvg7hwai8g52545"; + }; + in '' + tar xf "${manpages}" -C "$out/lib/erlang" + for i in "$out"/lib/erlang/man/man[0-9]/*.[0-9]; do + prefix="''${i%/*}" + ensureDir "$out/share/man/''${prefix##*/}" + ln -s "$i" "$out/share/man/''${prefix##*/}/''${i##*/}erl" + done + ''; + + # Some erlang bin/ scripts run sed and awk + postFixup = '' + wrapProgram $out/lib/erlang/bin/erl --prefix PATH ":" "${gnused}/bin/" + wrapProgram $out/lib/erlang/bin/start_erl --prefix PATH ":" "${gnused}/bin/:${gawk}/bin" + ''; + + setupHook = ./setup-hook.sh; + + meta = { + homepage = "http://www.erlang.org/"; + description = "Programming language used for massively scalable soft real-time systems"; + + longDescription = '' + Erlang is a programming language used to build massively scalable + soft real-time systems with requirements on high availability. + Some of its uses are in telecoms, banking, e-commerce, computer + telephony and instant messaging. Erlang's runtime system has + built-in support for concurrency, distribution and fault + tolerance. + ''; + + platforms = stdenv.lib.platforms.linux; + maintainers = [ stdenv.lib.maintainers.simons ]; + }; +} diff --git a/pkgs/development/interpreters/lua-4/default.nix b/pkgs/development/interpreters/lua-4/default.nix index 2d216389bd7c..d6f385f5b503 100644 --- a/pkgs/development/interpreters/lua-4/default.nix +++ b/pkgs/development/interpreters/lua-4/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildFlags = "all so sobin"; installFlags = "INSTALL_ROOT=$$out"; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + meta = { homepage = "http://www.lua.org"; description = "Powerful, fast, lightweight, embeddable scripting language"; diff --git a/pkgs/development/interpreters/lua-5/sec.nix b/pkgs/development/interpreters/lua-5/sec.nix index a4d14f7e9d70..478f65fd8284 100644 --- a/pkgs/development/interpreters/lua-5/sec.nix +++ b/pkgs/development/interpreters/lua-5/sec.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ lua5 openssl ]; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + preBuild = '' makeFlagsArray=( linux diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix index 63cf85bc506b..dcfdc11c7a9e 100644 --- a/pkgs/development/interpreters/lush/default.nix +++ b/pkgs/development/interpreters/lush/default.nix @@ -1,32 +1,29 @@ {stdenv, fetchurl, libX11, xproto, indent, readline, gsl, freeglut, mesa, SDL , blas, binutils, intltool, gettext, zlib}: -let - s = # Generated upstream information - rec { - baseName="lush"; - version="2.0.1"; - name="${baseName}-${version}"; - hash="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k"; + +stdenv.mkDerivation rec { + baseName = "lush"; + version = "2.0.1"; + name = "${baseName}-${version}"; + + src = fetchurl { url="mirror://sourceforge/project/lush/lush2/lush-2.0.1.tar.gz"; sha256="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k"; }; + buildInputs = [ libX11 xproto indent readline gsl freeglut mesa SDL blas binutils intltool gettext zlib ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardeningDisable = [ "pic" ]; + NIX_LDFLAGS=" -lz "; + meta = { - inherit (s) version; - description = ''Lisp Universal SHell''; + description = "Lisp Universal SHell"; license = stdenv.lib.licenses.gpl2Plus ; - maintainers = [stdenv.lib.maintainers.raskin]; + maintainers = [ stdenv.lib.maintainers.raskin ]; platforms = stdenv.lib.platforms.linux; }; } diff --git a/pkgs/development/interpreters/maude/default.nix b/pkgs/development/interpreters/maude/default.nix index 737ded6e1bbc..4493b2c7b852 100644 --- a/pkgs/development/interpreters/maude/default.nix +++ b/pkgs/development/interpreters/maude/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [flex bison ncurses buddy tecla gmpxx libsigsegv makeWrapper]; + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' configureFlagsArray=( --datadir=$out/share/maude diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix index 99860c304685..04d6c706b46c 100644 --- a/pkgs/development/interpreters/perl/default.nix +++ b/pkgs/development/interpreters/perl/default.nix @@ -68,6 +68,9 @@ let enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' configureFlags="$configureFlags -Dprefix=$out -Dman1dir=$out/share/man/man1 -Dman3dir=$out/share/man/man3" diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix index 3188d9424416..2841a70ddcf1 100644 --- a/pkgs/development/interpreters/php/default.nix +++ b/pkgs/development/interpreters/php/default.nix @@ -257,6 +257,8 @@ let calendarSupport = config.php.calendar or true; }; + hardeningDisable = [ "bindnow" ]; + configurePhase = '' # Don't record the configure flags since this causes unnecessary # runtime dependencies. diff --git a/pkgs/development/interpreters/ruby/default.nix b/pkgs/development/interpreters/ruby/default.nix index 8db9dd4eaf9a..446013faafdc 100644 --- a/pkgs/development/interpreters/ruby/default.nix +++ b/pkgs/development/interpreters/ruby/default.nix @@ -22,6 +22,7 @@ let then version else versionNoPatch; tag = "v" + stdenv.lib.replaceChars ["." "p" "-"] ["_" "_" ""] fullVersionName; + isRuby20 = majorVersion == "2" && minorVersion == "0"; isRuby21 = majorVersion == "2" && minorVersion == "1"; baseruby = self.override { useRailsExpress = false; }; self = lib.makeOverridable ( @@ -81,6 +82,8 @@ let enableParallelBuilding = true; + hardeningDisable = lib.optional isRuby20 [ "format" ]; + patches = [ ./gem_hook.patch ] ++ (import ./patchsets.nix { diff --git a/pkgs/development/interpreters/ruby/patchsets.nix b/pkgs/development/interpreters/ruby/patchsets.nix index 0e81db4e047f..bf848aba5825 100644 --- a/pkgs/development/interpreters/ruby/patchsets.nix +++ b/pkgs/development/interpreters/ruby/patchsets.nix @@ -3,6 +3,7 @@ rec { "1.9.3" = [ ./ssl_v3.patch + ./rand-egd.patch ./ruby19-parallel-install.patch ./bitperfect-rdoc.patch ] ++ ops useRailsExpress [ @@ -28,6 +29,7 @@ rec { ]; "2.0.0" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/02-railsexpress-gc.patch" @@ -36,6 +38,7 @@ rec { ]; "2.1.7" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.1.7/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.1.7/railsexpress/02-improve-gc-stats.patch" @@ -49,6 +52,7 @@ rec { ]; "2.2.3" = [ ./ssl_v3.patch + ./ruby22-rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.2.3/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.2.3/railsexpress/02-improve-gc-stats.patch" diff --git a/pkgs/development/interpreters/ruby/rand-egd.patch b/pkgs/development/interpreters/ruby/rand-egd.patch new file mode 100644 index 000000000000..e4f6452000c2 --- /dev/null +++ b/pkgs/development/interpreters/ruby/rand-egd.patch @@ -0,0 +1,42 @@ +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index e272cba..3a1fa71 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -87,6 +87,7 @@ + have_func("PEM_def_callback") + have_func("PKCS5_PBKDF2_HMAC") + have_func("PKCS5_PBKDF2_HMAC_SHA1") ++have_func("RAND_egd") + have_func("X509V3_set_nconf") + have_func("X509V3_EXT_nconf_nid") + have_func("X509_CRL_add0_revoked") +diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c +index 29cbf8c..27466fe 100644 +--- a/ext/openssl/ossl_rand.c ++++ b/ext/openssl/ossl_rand.c +@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len) + return str; + } + ++#ifdef HAVE_RAND_EGD + /* + * call-seq: + * egd(filename) -> true +@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len) + } + return Qtrue; + } ++#endif /* HAVE_RAND_EGD */ + + /* + * call-seq: +@@ -219,7 +221,9 @@ Init_ossl_rand(void) + DEFMETH(mRandom, "write_random_file", ossl_rand_write_file, 1); + DEFMETH(mRandom, "random_bytes", ossl_rand_bytes, 1); + DEFMETH(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1); ++#ifdef HAVE_RAND_EGD + DEFMETH(mRandom, "egd", ossl_rand_egd, 1); + DEFMETH(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); ++#endif /* HAVE_RAND_EGD */ + DEFMETH(mRandom, "status?", ossl_rand_status, 0) + } diff --git a/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch new file mode 100644 index 000000000000..ebf2bf56fcfa --- /dev/null +++ b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch @@ -0,0 +1,42 @@ +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index e272cba..3a1fa71 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -87,6 +87,7 @@ + have_func("PEM_def_callback") + have_func("PKCS5_PBKDF2_HMAC") + have_func("PKCS5_PBKDF2_HMAC_SHA1") ++have_func("RAND_egd") + have_func("X509V3_set_nconf") + have_func("X509V3_EXT_nconf_nid") + have_func("X509_CRL_add0_revoked") +diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c +index 29cbf8c..27466fe 100644 +--- a/ext/openssl/ossl_rand.c ++++ b/ext/openssl/ossl_rand.c +@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len) + return str; + } + ++#ifdef HAVE_RAND_EGD + /* + * call-seq: + * egd(filename) -> true +@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len) + } + return Qtrue; + } ++#endif /* HAVE_RAND_EGD */ + + /* + * call-seq: +@@ -219,8 +221,10 @@ Init_ossl_rand(void) + rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1); + rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1); + rb_define_module_function(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1); ++#ifdef HAVE_RAND_EGD + rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1); + rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); ++#endif /* HAVE_RAND_EGD */ + rb_define_module_function(mRandom, "status?", ossl_rand_status, 0); + } diff --git a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix index 46dedb36de96..41d37d3e39a0 100644 --- a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix +++ b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix @@ -13,9 +13,11 @@ stdenv.mkDerivation rec { postUnpack = "sourceRoot=\${sourceRoot}/src"; + hardeningDisable = [ "format" ]; + makefileExtra = ./Makefile.extra; makefile = "Makefile.ref"; - + patchPhase = '' cat ${makefileExtra} >> ${makefile} diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index 21ba0b8cba48..1fe4b90b2b80 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix @@ -8,6 +8,9 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; + hardeningDisable = [ "format" ] + ++ stdenv.lib.optional stdenv.isi686 "stackprotector"; + buildInputs = [ readline ]; postUnpack = "sourceRoot=\${sourceRoot}/src"; diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix index 20690cbd4772..dcb1f8e7062e 100644 --- a/pkgs/development/interpreters/supercollider/default.nix +++ b/pkgs/development/interpreters/supercollider/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { sha256 = "1mybxcnl7flliz74kdfnvh18v5dwd9zbdsw2kc7wpl4idcly1n0s"; }; + hardeningDisable = [ "stackprotector" ]; + cmakeFlags = '' -DSC_WII=OFF -DSC_EL=${if useSCEL then "ON" else "OFF"} @@ -26,7 +28,7 @@ stdenv.mkDerivation rec { buildInputs = [ gcc libjack2 libsndfile fftw curl libXt qt55.qtwebkit qt55.qttools readline ] - ++ optional useSCEL emacs; + ++ optional useSCEL emacs; meta = { description = "Programming language for real time audio synthesis"; diff --git a/pkgs/development/interpreters/unicon-lang/default.nix b/pkgs/development/interpreters/unicon-lang/default.nix index 7487aa633131..a6dfec49b2a2 100644 --- a/pkgs/development/interpreters/unicon-lang/default.nix +++ b/pkgs/development/interpreters/unicon-lang/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { }; buildInputs = [ libX11 libXt unzip ]; + hardeningDisable = [ "fortify" ]; + sourceRoot = "."; configurePhase = '' diff --git a/pkgs/development/interpreters/wasm/default.nix b/pkgs/development/interpreters/wasm/default.nix index 56eebbf89a2e..9a30ae7d8a85 100644 --- a/pkgs/development/interpreters/wasm/default.nix +++ b/pkgs/development/interpreters/wasm/default.nix @@ -17,6 +17,9 @@ let buildInputs = [ cmake clang python ]; buildPhase = "make clang-debug-no-tests"; + + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/bin cp out/clang/Debug/no-tests/sexpr-wasm $out/bin |