Merge branch 'hardened-stdenv' into staging

Closes #12895 Amazing work by @globin & @fpletz getting hardened compiler flags by enabled default on the whole package set
author: obadz <obadz-git@obadz.com> 2016-08-22 01:19:35 +0100
committer: obadz <obadz-git@obadz.com> 2016-08-22 01:19:35 +0100
commit: 24a9183f907cec515724484d84b0cf236de2e8d0 (patch)
tree: 67ab37c4de5d8e8f17b78cc8c6680f25edf7d930 /pkgs/tools/networking
parent: ba50fd71700bf796ea2339115733ca5a850015ea (diff)
parent: b092538811a2bd4454ed9b056952c0a10f091076 (diff)
download: nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar
nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.gz
nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.bz2
nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.lz
nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.xz
nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.zst
nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.zip
22 files changed, 48 insertions, 104 deletions
diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix
index 9d2afe752571..f5b5893d5437 100644
--- a/pkgs/tools/networking/chrony/default.nix
+++ b/pkgs/tools/networking/chrony/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap;
   nativeBuildInputs = [ pkgconfig ];
 
+  hardeningEnable = [ "pie" ];
+
   configureFlags = [
     "--chronyvardir=$(out)/var/lib/chrony"
   ];
diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix
index 778cfc3b5ed6..91232b4ffa74 100644
--- a/pkgs/tools/networking/dhcpdump/default.nix
+++ b/pkgs/tools/networking/dhcpdump/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [libpcap perl];
 
+  hardeningDisable = [ "fortify" ];
+
   installPhase = ''
     mkdir -pv $out/bin
     cp dhcpdump $out/bin
diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix
index 6b47e0cae840..14bde9a5fa5b 100644
--- a/pkgs/tools/networking/dnsmasq/default.nix
+++ b/pkgs/tools/networking/dnsmasq/default.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
     "LOCALEDIR=$(out)/share/locale"
   ];
 
+  hardeningEnable = [ "pie" ];
+
   postBuild = optionalString stdenv.isLinux ''
     make -C contrib/lease-tools
   '';
diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix
index 623b42d6fc1b..a9f2419b1368 100644
--- a/pkgs/tools/networking/eggdrop/default.nix
+++ b/pkgs/tools/networking/eggdrop/default.nix
@@ -1,20 +1,19 @@
-{ stdenv, fetchurl, tcl }:
+{ stdenv, fetchFromGitHub, tcl }:
 
 stdenv.mkDerivation rec {
   name = "eggdrop-${version}";
-  version = "1.6.21";
+  version = "1.6.21-nix1";
 
-  src = fetchurl {
-    url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz";
-    sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs";
+  src = fetchFromGitHub {
+    owner = "eggheads";
+    repo = "eggdrop";
+    rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331";
+    sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5";
   };
 
   buildInputs = [ tcl ];
 
-  patches = [
-    # https://github.com/eggheads/eggdrop/issues/123
-    ./b34a33255f56bbd2317c26da12d702796d67ed50.patch
-  ];
+  hardeningDisable = [ "format" ];
 
   preConfigure = ''
     prefix=$out/eggdrop
diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix
index 33d8ee2fd636..13f8cedc673d 100644
--- a/pkgs/tools/networking/iperf/2.nix
+++ b/pkgs/tools/networking/iperf/2.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = "http://sourceforge.net/projects/iperf/"; 
     description = "Tool to measure IP bandwidth using UDP or TCP";
diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix
deleted file mode 100644
index 5d788af1682e..000000000000
--- a/pkgs/tools/networking/lsh/default.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam
-, nettools, lsof, procps }:
-
-stdenv.mkDerivation rec {
-  name = "lsh-2.0.4";
-  src = fetchurl {
-    url = "mirror://gnu/lsh/${name}.tar.gz";
-    sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091";
-  };
-
-  patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ];
-
-  preConfigure = ''
-    # Patch `lsh-make-seed' so that it can gather enough entropy.
-    sed -i "src/lsh-make-seed.c" \
-        -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ;
-            s|/usr/bin/netstat|${nettools}/bin/netstat|g ;
-            s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ;
-            s|/bin/vmstat|${procps}/bin/vmstat|g ;
-            s|/bin/ps|${procps}/bin/sp|g ;
-            s|/usr/bin/w|${procps}/bin/w|g ;
-            s|/usr/bin/df|$(type -P df)|g ;
-            s|/usr/bin/ipcs|$(type -P ipcs)|g ;
-            s|/usr/bin/uptime|$(type -P uptime)|g"
-
-    # Skip the `configure' script that checks whether /dev/ptmx & co. work as
-    # expected, because it relies on impurities (for instance, /dev/pts may
-    # be unavailable in chroots.)
-    export lsh_cv_sys_unix98_ptys=yes
-  '';
-
-  NIX_CFLAGS_COMPILE = "-std=gnu90";
-
-  buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ];
-
-  meta = {
-    description = "GPL'd implementation of the SSH protocol";
-
-    longDescription = ''
-      lsh is a free implementation (in the GNU sense) of the ssh
-      version 2 protocol, currently being standardised by the IETF
-      SECSH working group.
-    '';
-
-    homepage = http://www.lysator.liu.se/~nisse/lsh/;
-    license = stdenv.lib.licenses.gpl2Plus;
-
-    maintainers = [ ];
-    platforms = [ "x86_64-linux" ];
-  };
-}
diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch
deleted file mode 100644
index 9dd81de3fbc1..000000000000
--- a/pkgs/tools/networking/lsh/lshd-no-root-login.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Correctly handle the `--no-root-login' option.
-
---- lsh-2.0.4/src/lshd.c	2006-05-01 13:47:44.000000000 +0200
-+++ lsh-2.0.4/src/lshd.c	2009-09-08 12:20:36.000000000 +0200
-@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str
-       self->allow_root = 1;
-       break;
- 
-+    case OPT_NO_ROOT_LOGIN:
-+      self->allow_root = 0;
-+      break;
-+
-     case OPT_KERBEROS_PASSWD:
-       self->pw_helper = PATH_KERBEROS_HELPER;
-       break;
-
diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch
deleted file mode 100644
index 6a6156855c51..000000000000
--- a/pkgs/tools/networking/lsh/pam-service-name.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Tell `lsh-pam-checkpw', the PAM password helper program, to use a more
-descriptive service name.
-
---- lsh-2.0.4/src/lsh-pam-checkpw.c	2003-02-16 22:30:10.000000000 +0100
-+++ lsh-2.0.4/src/lsh-pam-checkpw.c	2008-11-28 16:16:58.000000000 +0100
-@@ -38,7 +38,7 @@
- #include <security/pam_appl.h>
- 
- #define PWD_MAXLEN 1024
--#define SERVICE_NAME "other"
-+#define SERVICE_NAME "lshd"
- #define TIMEOUT 600 
- 
- static int
diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix
index 4b1633947b09..0ae993db332e 100644
--- a/pkgs/tools/networking/mailutils/default.nix
+++ b/pkgs/tools/networking/mailutils/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./path-to-cat.patch ./no-gets.patch ./scm_c_string.patch ];
 
   configureFlags = [
diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix
index 0f75bd44d69b..7a1eac59eeae 100644
--- a/pkgs/tools/networking/netboot/default.nix
+++ b/pkgs/tools/networking/netboot/default.nix
@@ -9,10 +9,12 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ yacc lzo db4 ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Mini PXE server";
     maintainers = [ maintainers.raskin ];
     platforms = ["x86_64-linux"];
     license = stdenv.lib.licenses.free;
   };
-}
\ No newline at end of file
+}
diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix
index 433a3349702d..4c42771be170 100644
--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ autoreconfHook ];
   buildInputs = [ libcap openssl ];
 
+  hardeningEnable = [ "pie" ];
+
   postInstall = ''
     rm -rf $out/share/doc
   '';
diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix
index d0e8ea4b1d9b..e3e2053e2ce6 100644
--- a/pkgs/tools/networking/openfortivpn/default.nix
+++ b/pkgs/tools/networking/openfortivpn/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }:
+{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }:
 
 with stdenv.lib;
 
@@ -15,13 +15,11 @@ in stdenv.mkDerivation {
     sha256 = "08ycz053wa29ckgr93132hr3vrd84r3bks9q807qanri0n35y256";
   };
 
-  buildInputs = [ openssl automake autoconf ppp ];
+  buildInputs = [ openssl ppp autoreconfHook ];
 
-  preConfigure = ''
-    aclocal
-    autoconf
-    automake --add-missing
+  hardeningDisable = [ "format" ];
 
+  preConfigure = ''
     substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd"
   '';
 
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index dab638301820..8f4c0aa54dfa 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -71,6 +71,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningEnable = [ "pie" ];
+
   postInstall = ''
     # Install ssh-copy-id, it's very useful.
     cp contrib/ssh-copy-id $out/bin/
diff --git a/pkgs/tools/networking/quicktun/default.nix b/pkgs/tools/networking/quicktun/default.nix
index f07cfe4d0724..ed559f5d5c9f 100644
--- a/pkgs/tools/networking/quicktun/default.nix
+++ b/pkgs/tools/networking/quicktun/default.nix
@@ -11,8 +11,6 @@ stdenv.mkDerivation rec {
     sha256 = "0m7gvlgs1mhyw3c8s2dg05j7r7hz8kjpb0sk245m61ir9dmwlf8i";
   };
 
-  CFLAGS = "-fPIE -fPIC -pie -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now";
-
   buildInputs = [ libsodium ];
 
   phases = [ "unpackPhase" "buildPhase" "installPhase" ];
diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix
index 42d4a8177563..1c8ef67a7830 100644
--- a/pkgs/tools/networking/radvd/default.nix
+++ b/pkgs/tools/networking/radvd/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libdaemon bison flex check ];
 
+  hardeningEnable = [ "pie" ];
+
   meta = with stdenv.lib; {
     homepage = http://www.litech.org/radvd/;
     description = "IPv6 Router Advertisement Daemon";
diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix
index f9eff5b12d55..19cdb884bd1a 100644
--- a/pkgs/tools/networking/socat/default.nix
+++ b/pkgs/tools/networking/socat/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ];
 
+  hardeningEnable = [ "pie" ];
+
   meta = {
     description = "A utility for bidirectional data transfer between two independent data channels";
     homepage = http://www.dest-unreach.org/socat/;
diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix
index 2f12aaa7ee23..114247682c7a 100644
--- a/pkgs/tools/networking/stunnel/default.nix
+++ b/pkgs/tools/networking/stunnel/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name    = "stunnel-${version}";
-  version = "5.29";
+  version = "5.31";
 
   src = fetchurl {
     url    = "http://www.stunnel.org/downloads/${name}.tar.gz";
-    sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423";
+    sha256 = "1dz0p85ha78vxc2hjhrkr4xf8w3q8r177bqdrgm26v6wncdbfim7";
   };
 
   buildInputs = [ openssl ];
diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix
index 9827b62c6c4a..3a5117653c83 100644
--- a/pkgs/tools/networking/telnet/default.nix
+++ b/pkgs/tools/networking/telnet/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
     sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ncurses];
 
   meta = {
diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix
index d10e645dc874..1c8829a07b27 100644
--- a/pkgs/tools/networking/trickle/default.nix
+++ b/pkgs/tools/networking/trickle/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx";
   };
 
-  buildInputs = [libevent];
+  buildInputs = [ libevent ];
 
   preConfigure = ''
     sed -i 's|libevent.a|libevent.so|' configure
@@ -22,6 +22,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--with-libevent";
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Lightweight userspace bandwidth shaper";
     license = stdenv.lib.licenses.bsd3;
diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix
index 9d4ae5d671ac..c2c707fbc77a 100644
--- a/pkgs/tools/networking/uwimap/default.nix
+++ b/pkgs/tools/networking/uwimap/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation {
     # -fPIC is required to compile php with imap on x86_64 systems
     + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC";
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ openssl ]
     ++ stdenv.lib.optional (!stdenv.isDarwin) pam;
 
diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix
index 88ee459f8168..3a3709a9df00 100644
--- a/pkgs/tools/networking/vde2/default.nix
+++ b/pkgs/tools/networking/vde2/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ openssl libpcap python ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://vde.sourceforge.net/;
     description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network";
diff --git a/pkgs/tools/networking/vlan/default.nix b/pkgs/tools/networking/vlan/default.nix
index 9c9376550dfb..41ece0537ab4 100644
--- a/pkgs/tools/networking/vlan/default.nix
+++ b/pkgs/tools/networking/vlan/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1jjc5f26hj7bk8nkjxsa8znfxcf8pgry2ipnwmj2fr6ky0dhm3rv";
   };
 
+  hardeningDisable = [ "format" ];
+
   preBuild =
     ''
       # Ouch, the tarball contains pre-compiled binaries.
@@ -18,12 +20,12 @@ stdenv.mkDerivation rec {
     ''
       mkdir -p $out/sbin
       cp vconfig $out/sbin/
-      
+
       mkdir -p $out/share/man/man8
       cp vconfig.8 $out/share/man/man8/
     '';
 
-  meta = { 
+  meta = {
     description = "User mode programs to enable VLANs on Ethernet devices";
     platforms = stdenv.lib.platforms.linux;
   };
author	obadz <obadz-git@obadz.com>	2016-08-22 01:19:35 +0100
committer	obadz <obadz-git@obadz.com>	2016-08-22 01:19:35 +0100
commit	24a9183f907cec515724484d84b0cf236de2e8d0 (patch)
tree	67ab37c4de5d8e8f17b78cc8c6680f25edf7d930 /pkgs/tools/networking
parent	ba50fd71700bf796ea2339115733ca5a850015ea (diff)
parent	b092538811a2bd4454ed9b056952c0a10f091076 (diff)
download	nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.gz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.bz2 nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.lz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.xz nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.tar.zst nixlib-24a9183f907cec515724484d84b0cf236de2e8d0.zip