From 4e9dc46dea0ef8cf15c567fa863796bb23099d0b Mon Sep 17 00:00:00 2001 From: Nathan Hawkins Date: Sat, 24 Oct 2020 22:34:50 +0000 Subject: [PATCH] stdenv: Fix hardening default for pkgsMusl to reenable -pie defaultHardeningFlags is set to enable pie for Musl, but is not actually used because the default is never put into NIX_HARDENING_ENABLE. That still works for cases other than Musl only because NIX_HARDENING_ENABLE is defaulted in the binutils and cc-wrapper setup-hook.sh scripts. --- pkgs/stdenv/generic/make-derivation.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix index 491951e6121..bc5c4701db2 100644 --- a/pkgs/stdenv/generic/make-derivation.nix +++ b/pkgs/stdenv/generic/make-derivation.nix @@ -276,7 +276,7 @@ in rec { in [ "--cross-file=${crossFile}" ] ++ mesonFlags; } // lib.optionalAttrs (attrs.enableParallelBuilding or false) { enableParallelChecking = attrs.enableParallelChecking or true; - } // lib.optionalAttrs (hardeningDisable != [] || hardeningEnable != []) { + } // lib.optionalAttrs (hardeningDisable != [] || hardeningEnable != [] || stdenv.hostPlatform.isMusl) { NIX_HARDENING_ENABLE = enabledHardeningOptions; } // lib.optionalAttrs (stdenv.hostPlatform.isx86_64 && stdenv.hostPlatform ? platform.gcc.arch) { requiredSystemFeatures = attrs.requiredSystemFeatures or [] ++ [ "gccarch-${stdenv.hostPlatform.platform.gcc.arch}" ];