diff options
Diffstat (limited to 'nixpkgs/pkgs/build-support/bintools-wrapper')
| -rw-r--r-- | nixpkgs/pkgs/build-support/bintools-wrapper/default.nix | 25 | ||||
| -rw-r--r-- | nixpkgs/pkgs/build-support/bintools-wrapper/setup-hook.sh | 2 |
2 files changed, 26 insertions, 1 deletions
diff --git a/nixpkgs/pkgs/build-support/bintools-wrapper/default.nix b/nixpkgs/pkgs/build-support/bintools-wrapper/default.nix index 525b44fe0480..5b185b09a4c5 100644 --- a/nixpkgs/pkgs/build-support/bintools-wrapper/default.nix +++ b/nixpkgs/pkgs/build-support/bintools-wrapper/default.nix @@ -33,6 +33,28 @@ , useMacosReexportHack ? false , wrapGas ? false +# Note: the hardening flags are part of the bintools-wrapper, rather than +# the cc-wrapper, because a few of them are handled by the linker. +, defaultHardeningFlags ? with stdenvNoCC; [ + "bindnow" + "format" + "fortify" + "fortify3" + "pic" + "relro" + "stackprotector" + "strictoverflow" + ] ++ lib.optional ( + # Musl-based platforms will keep "pie", other platforms will not. + # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}` + # in the nixpkgs manual to inform users about the defaults. + targetPlatform.libc == "musl" + # Except when: + # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. + # - static armv7l, where compilation fails. + && !(targetPlatform.isAarch && targetPlatform.isStatic) + ) "pie" + # Darwin code signing support utilities , postLinkSignHook ? null, signingUtils ? null }: @@ -124,6 +146,8 @@ stdenv.mkDerivation { (setenv "NIX_LDFLAGS_${suffixSalt}" (concat (getenv "NIX_LDFLAGS_${suffixSalt}") " -L" arg "/lib64")))) '(${concatStringsSep " " (map (pkg: "\"${pkg}\"") pkgs)})) ''; + + inherit defaultHardeningFlags; }; dontBuild = true; @@ -380,6 +404,7 @@ stdenv.mkDerivation { wrapperName = "BINTOOLS_WRAPPER"; inherit dynamicLinker targetPrefix suffixSalt coreutils_bin; inherit bintools_bin libc_bin libc_dev libc_lib; + default_hardening_flags_str = builtins.toString defaultHardeningFlags; }; meta = diff --git a/nixpkgs/pkgs/build-support/bintools-wrapper/setup-hook.sh b/nixpkgs/pkgs/build-support/bintools-wrapper/setup-hook.sh index 7e9547b96c25..c146cbea80e4 100644 --- a/nixpkgs/pkgs/build-support/bintools-wrapper/setup-hook.sh +++ b/nixpkgs/pkgs/build-support/bintools-wrapper/setup-hook.sh @@ -65,7 +65,7 @@ do done # If unset, assume the default hardening flags. -: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"} +: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"} export NIX_HARDENING_ENABLE # No local scope in sourced file |