From 76c956be5cecfc73423d767d9243d159d7b83508 Mon Sep 17 00:00:00 2001
From: Matthew Bauer
Date: Sat, 10 Nov 2018 13:49:36 -0600
Subject: [PATCH] treewide: disable pie in more places
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some packages don’t work correctly with pie. Here I disable it for:

- busybox
- linux kernel
- kexectools

I also get rid of the Musl conditional for disabling pie in GCC and Binutils. Some day we might want to enable PIE without Musl and it will be useful to have the *just* work with our compiler and linkers.
---
 pkgs/development/compilers/gcc/4.8/default.nix | 2 +-
 pkgs/development/compilers/gcc/4.9/default.nix | 2 +-
 pkgs/development/compilers/gcc/5/default.nix | 2 +-
 pkgs/development/compilers/gcc/6/default.nix | 2 +-
 pkgs/development/compilers/gcc/7/default.nix | 2 +-
 pkgs/development/compilers/gcc/8/default.nix | 2 +-
 pkgs/development/compilers/gcc/snapshot/default.nix | 2 +-
 pkgs/development/tools/misc/binutils/default.nix | 2 +-
 pkgs/os-specific/linux/busybox/default.nix | 3 ++-
 pkgs/os-specific/linux/kernel/manual-config.nix | 2 +-
 pkgs/os-specific/linux/kexectools/default.nix | 2 +-
 11 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix
index bcb724fd58c..a7a8011b2e6 100644
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@@ -177,7 +177,7 @@ stdenv.mkDerivation ({
 inherit patches;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 outputs = [ "out" "lib" "man" "info" ];
 setOutputFlags = false;
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index 13ff4165a41..a3ba03f517a 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
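Review bot: The new `hardeningDisable = [ "format" "pie" ];` opts gcc out of PIE on every target, where the removed expression did so only when `stdenv.targetPlatform.isMusl`, and neither the file nor the commit message records what breaks on non-musl targets, so a later attempt to turn the "pie" hardening flag on by default cannot tell whether this exclusion is still needed. A one-line comment above the attribute would preserve that, e.g. `# "pie" is disabled for all targets, not only musl: <reason or issue reference>`. The same applies to the gcc/4.9, gcc/5, gcc/6, gcc/7, gcc/8 and binutils hunks; the gcc/snapshot hunk differs in that it had no musl conditional before and gains the exclusion outright, so it deserves the same comment. The enclosing `stdenv.mkDerivation` attribute set starts and ends outside the hunk.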
@@ -185,7 +185,7 @@ stdenv.mkDerivation ({
 inherit patches;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 outputs = if langJava || langGo then ["out" "man" "info"] else [ "out" "lib" "man" "info" ];
diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix
index a30cd6bbda9..95e3d7b8492 100644
--- a/pkgs/development/compilers/gcc/5/default.nix
+++ b/pkgs/development/compilers/gcc/5/default.nix
@@ -178,7 +178,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # This should kill all the stdinc frameworks that gcc and friends like to
 # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
index 372a7065f2d..ff48e485a9a 100644
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@@ -178,7 +178,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # This should kill all the stdinc frameworks that gcc and friends like to
 # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/7/default.nix b/pkgs/development/compilers/gcc/7/default.nix
index 094c26cbf69..9235908f14c 100644
--- a/pkgs/development/compilers/gcc/7/default.nix
+++ b/pkgs/development/compilers/gcc/7/default.nix
@@ -149,7 +149,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # This should kill all the stdinc frameworks that gcc and friends like to
 # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/8/default.nix b/pkgs/development/compilers/gcc/8/default.nix
index 1335666c54c..363694dcf4e 100644
--- a/pkgs/development/compilers/gcc/8/default.nix
+++ b/pkgs/development/compilers/gcc/8/default.nix
@@ -143,7 +143,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # This should kill all the stdinc frameworks that gcc and friends like to
 # insert into default search paths.
diff --git a/pkgs/development/compilers/gcc/snapshot/default.nix b/pkgs/development/compilers/gcc/snapshot/default.nix
index c18189cd949..586fb2b44e1 100644
--- a/pkgs/development/compilers/gcc/snapshot/default.nix
+++ b/pkgs/development/compilers/gcc/snapshot/default.nix
@@ -137,7 +137,7 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
- hardeningDisable = [ "format" ];
+ hardeningDisable = [ "format" "pie" ];
 postPatch = if targetPlatform != hostPlatform || stdenv.cc.libc != null then
diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix
index 54f9b5e4031..2d2884eda3e 100644
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@@ -97,7 +97,7 @@ stdenv.mkDerivation rec {
 then "-Wno-string-plus-int -Wno-deprecated-declarations"
 else "-static-libgcc";
- hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+ hardeningDisable = [ "format" "pie" ];
 # TODO(@Ericson2314): Always pass "--target" and always targetPrefix.
 configurePlatforms = [ "build" "host" ] ++ stdenv.lib.optional (stdenv.targetPlatform != stdenv.hostPlatform) "target";
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 71ad6203e32..5f4efe943ca 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -42,7 +42,8 @@ stdenv.mkDerivation rec {
 sha256 = "1dzg45vgy2w1xcd3p6h8d76ykhabbvk1h0lf8yb24ikrwlv8cr4p";
 };
- hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
+ hardeningDisable = [ "format" "pie" ]
+ ++ lib.optionals enableStatic [ "fortify" ];
 patches = [
 ./busybox-in-store.patch
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 1d280647c5a..0ce6ed769a3 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -269,7 +269,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.platform kernelPatches
 ++ optionals stdenv.lib.inNixShell [ pkgconfig ncurses ]
 ;
- hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ];
+ hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ];
 # Absolute paths for compilers avoid any PATH-clobbering issues.
 makeFlags = commonMakeFlags ++ [
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 069bd17c483..b78286a902b 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 sha256 = "1ac20jws8iys9w6dpn4q3hihyx73zkabdwv3gcb779cxfrmq2k2h";
 };
- hardeningDisable = [ "format" "pic" "relro" ];
+ hardeningDisable = [ "format" "pic" "relro" "pie" ];
 configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" ];
 nativeBuildInputs = [ buildPackages.stdenv.cc ];
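Review bot: Dropping "pie" from every busybox build, not only the static one, gives up executable-image randomization for a dynamically linked busybox as well, and the commit message says only that the package does not work correctly with PIE without naming the configuration that fails. If the breakage is confined to the static build, scoping it the way "fortify" already is keeps the hardening for the dynamic case: `hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" "pie" ];`. If the failure is not static-specific, a comment above the attribute stating what fails, e.g. `# "pie" disabled: <failing configuration or issue reference>`, lets the exclusion be revisited once the toolchain handles it. The enclosing `stdenv.mkDerivation rec` set starts and ends outside the hunk.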