public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mkDerivation, cc-wrapper: Check hardening flag validity in Nix

Browse Source 
This becomes necessary if more wrappers besides cc-wrapper start
supporting hardening flags. Also good to make the warning into an
error.

Also ensure interface is being used right: Not as a string, not just in
bash.
This commit is contained in:
John Ericson 2017-08-28 14:56:08 -04:00 committed by Robin Gloster
parent 822a8d0148
commit 97a48835b7
5 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkgs/build-support/cc-wrapper/add-hardening.sh
View File

@ -68,7 +68,8 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
hardeningLDFlags+=('-z' 'now') hardeningLDFlags+=('-z' 'now')
;; ;;
*) *)
echo "Hardening flag unknown: $flag" >&2 # Ignore unsupported. Checked in Nix that at least *some*
# tool supports each flag.
;; ;;
esac esac
fi fi

3
pkgs/os-specific/linux/devmem2/default.nix
View File

@ -8,8 +8,9 @@ stdenv.mkDerivation rec {
sha256 = "14f1k7v6i1yaxg4xcaaf5i4aqn0yabba857zjnbg9wiymy82qf7c"; sha256 = "14f1k7v6i1yaxg4xcaaf5i4aqn0yabba857zjnbg9wiymy82qf7c";
}; };
hardeningDisable = [ "format" ]; # fix compile error
buildCommand = '' buildCommand = ''
export hardeningDisable=format # fix compile error
cc "$src" -o devmem2 cc "$src" -o devmem2
install -D devmem2 "$out/bin/devmem2" install -D devmem2 "$out/bin/devmem2"
''; '';

2
pkgs/os-specific/linux/firmware/fwupdate/default.nix
View File

@ -17,7 +17,7 @@ let version = "8"; in
buildInputs = [ gnu-efi libsmbios popt pkgconfig gettext ]; buildInputs = [ gnu-efi libsmbios popt pkgconfig gettext ];
propagatedBuildInputs = [ efivar ]; propagatedBuildInputs = [ efivar ];
# TODO: Just apply the disable to the efi subdir # TODO: Just apply the disable to the efi subdir
hardeningDisable = "all"; hardeningDisable = [ "all" ];
patchPhase = '' patchPhase = ''
sed -i 's|/usr/include/smbios_c/token.h|smbios_c/token.h|' \ sed -i 's|/usr/include/smbios_c/token.h|smbios_c/token.h|' \
linux/libfwup.c linux/libfwup.c

13
pkgs/stdenv/generic/make-derivation.nix
View File

@ -41,7 +41,20 @@ rec {
, __propagatedImpureHostDeps ? [] , __propagatedImpureHostDeps ? []
, sandboxProfile ? "" , sandboxProfile ? ""
, propagatedSandboxProfile ? "" , propagatedSandboxProfile ? ""
, hardeningEnable ? []
, hardeningDisable ? []
, ... } @ attrs: , ... } @ attrs:
# TODO(@Ericson2314): Make this more modular, and not O(n^2).
let allHardeningFlags = [
"fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
"bindnow"
];
in assert lib.all
(flag: lib.elem flag allHardeningFlags)
(hardeningEnable ++ hardeningDisable);
let let
dependencies = map lib.chooseDevOutputs [ dependencies = map lib.chooseDevOutputs [
(map (drv: drv.nativeDrv or drv) nativeBuildInputs (map (drv: drv.nativeDrv or drv) nativeBuildInputs

2
pkgs/tools/networking/envoy/default.nix
View File

@ -233,7 +233,7 @@ stdenv.mkDerivation rec {
patches = [ ./nixos.patch ]; patches = [ ./nixos.patch ];
hardeningDisable = "all"; hardeningDisable = [ "all" ];
dontPatchELF = true; dontPatchELF = true;
dontStrip = true; dontStrip = true;