diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix
index bcb724fd58c..a7a8011b2e6 100644
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@@ -177,7 +177,7 @@ stdenv.mkDerivation ({
 inherit patches;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 outputs = [ "out" "lib" "man" "info" ];
 setOutputFlags = false;
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index 13ff4165a41..a3ba03f517a 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -185,7 +185,7 @@ stdenv.mkDerivation ({
 inherit patches;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 outputs = if langJava || langGo then ["out" "man" "info"] else [ "out" "lib" "man" "info" ];
diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix
index a30cd6bbda9..95e3d7b8492 100644
--- a/pkgs/development/compilers/gcc/5/default.nix
+++ b/pkgs/development/compilers/gcc/5/default.nix
@@ -178,7 +178,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # This should kill all the stdinc frameworks that gcc and friends like to
 # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
index 372a7065f2d..ff48e485a9a 100644
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@@ -178,7 +178,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # This should kill all the stdinc frameworks that gcc and friends like to
 # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/7/default.nix b/pkgs/development/compilers/gcc/7/default.nix
index 094c26cbf69..9235908f14c 100644
--- a/pkgs/development/compilers/gcc/7/default.nix
+++ b/pkgs/development/compilers/gcc/7/default.nix
@@ -149,7 +149,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # This should kill all the stdinc frameworks that gcc and friends like to
 # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/8/default.nix b/pkgs/development/compilers/gcc/8/default.nix
index 1335666c54c..363694dcf4e 100644
--- a/pkgs/development/compilers/gcc/8/default.nix
+++ b/pkgs/development/compilers/gcc/8/default.nix
@@ -143,7 +143,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # This should kill all the stdinc frameworks that gcc and friends like to
 # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/snapshot/default.nix b/pkgs/development/compilers/gcc/snapshot/default.nix
index c18189cd949..586fb2b44e1 100644
--- a/pkgs/development/compilers/gcc/snapshot/default.nix
+++ b/pkgs/development/compilers/gcc/snapshot/default.nix
@@ -137,7 +137,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ];
+ hardeningDisable = [ "format" "pie" ];
 postPatch = if targetPlatform != hostPlatform || stdenv.cc.libc != null then
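Review bot: The new `hardeningDisable = [ "format" "pie" ];` line in the gcc 6, 7, 8 and snapshot hunks (the same line appears in the gcc 4.8, 4.9 and 5 hunks above and in the binutils hunk below) widens the PIE opt-out from musl targets to every platform without recording why. PIE is what lets ASLR randomise the base address of the main executable, so an unconditional opt-out should carry a comment a later maintainer can act on, for example `# "pie" is off on all platforms: (placeholder: build failure and issue reference); re-enable once fixed`. The snapshot hunk differs from the others in that it had no musl condition before, so the comment there should say whether the reason is the same. The enclosing `stdenv.mkDerivation` call starts and ends outside each hunk, so whether a reason is given elsewhere in these files is not visible here.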
diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix
index 54f9b5e4031..2d2884eda3e 100644
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@@ -97,7 +97,7 @@ stdenv.mkDerivation rec {
 then "-Wno-string-plus-int -Wno-deprecated-declarations" else "-static-libgcc";
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # TODO(@Ericson2314): Always pass "--target" and always targetPrefix.
 configurePlatforms = [ "build" "host" ] ++ stdenv.lib.optional (stdenv.targetPlatform != stdenv.hostPlatform) "target";
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 71ad6203e32..5f4efe943ca 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -42,7 +42,8 @@ stdenv.mkDerivation rec {
 sha256 = "1dzg45vgy2w1xcd3p6h8d76ykhabbvk1h0lf8yb24ikrwlv8cr4p";
 };
- hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
+ hardeningDisable = [ "format" "pie" ]
+ ++ lib.optionals enableStatic [ "fortify" ];
 patches = [ ./busybox-in-store.patch
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 1d280647c5a..0ce6ed769a3 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -269,7 +269,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.platform kernelPatches
 ++ optionals stdenv.lib.inNixShell [ pkgconfig ncurses ] ;
- hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ];
+ hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ];
 # Absolute paths for compilers avoid any PATH-clobbering issues.
 makeFlags = commonMakeFlags ++ [
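Review bot: In the busybox hunk `"pie"` is added to the unconditional part of `hardeningDisable`, so the dynamically linked build also loses a position-independent main executable, while `"fortify"` on the following line stays scoped to `enableStatic`. busybox supplies shells and network applets and is often the whole userland of an initrd or a small image, so of the packages in this commit it is where losing executable-base ASLR costs the most. If only the static build fails to link with PIE (the hunk does not show which build fails), scope the opt-out the same way: `hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" "pie" ];`. Otherwise add a comment naming the failure so the opt-out can be removed later. The `mkDerivation` body continues outside the hunk.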
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 069bd17c483..b78286a902b 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 sha256 = "1ac20jws8iys9w6dpn4q3hihyx73zkabdwv3gcb779cxfrmq2k2h";
 };
- hardeningDisable = [ "format" "pic" "relro" ];
+ hardeningDisable = [ "format" "pic" "relro" "pie" ];
 configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" ];
 nativeBuildInputs = [ buildPackages.stdenv.cc ];
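Review bot: The disabled list is now `[ "format" "pic" "relro" "pie" ]`, with no comment saying which part of the build needs each flag off. `hardeningDisable` is set for the whole derivation, so the `kexec` binary, which is normally run with root privileges, is presumably built without RELRO and PIE too, even if only one freestanding object requires that (an assumption; the hunk does not show the build). A one-line comment such as `# "pic", "relro", "pie": needed by (placeholder: component and reference)` would make each opt-out reviewable. The derivation body continues outside the hunk.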