Skip to content

stdenv/generic/make-derivation.nix: always set NIX_HARDENING_ENABLE#206490

Closed
LunNova wants to merge 1 commit intoNixOS:stagingfrom
LunNova:lunnova/aslr
Closed

stdenv/generic/make-derivation.nix: always set NIX_HARDENING_ENABLE#206490
LunNova wants to merge 1 commit intoNixOS:stagingfrom
LunNova:lunnova/aslr

Conversation

@LunNova
Copy link
Member

@LunNova LunNova commented Dec 17, 2022
edited
Loading

See #205031, #252310 (comment)

Without this change setting either of hardeningDisable or hardeningEnable is required to activate the default set of hardening flags, making logic elsewhere in nixpkgs (primarily in build-support scripts) more complicated as it has to have its own defaults if this variable is unset. Except on musl which sets it unconditionally.

With this change the default hardening flags are applied even if neither hardening option is set, and other scripts can be simplified.

Description of changes
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added the 6.topic: stdenv Standard environment label Dec 17, 2022
@ofborg ofborg bot added 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Dec 17, 2022
@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 18, 2023
@LunNova LunNova mentioned this pull request Oct 10, 2023
Closed
12 tasks
@zzywysm

This comment was marked as resolved.

Sign in to view
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 12, 2023
@github-actions github-actions bot added the 6.topic: python Python is a high-level, general-purpose programming language. label Oct 12, 2023
@LunNova

This comment was marked as duplicate.

Sign in to view
@LunNova
stdenv/generic/make-derivation.nix: set NIX_HARDENING_ENABLE even if …
4545d75 
…no custom hardeningDisable/hardeningEnable attr
@github-actions github-actions bot removed the 6.topic: python Python is a high-level, general-purpose programming language. label Oct 12, 2023
@LunNova
Copy link
Member Author

LunNova commented Oct 12, 2023

@ofborg build stdenv.cc

@LunNova LunNova requested a review from chivay October 12, 2023 21:08
@LunNova LunNova marked this pull request as ready for review October 12, 2023 21:16
@LunNova LunNova requested a review from Ericson2314 as a code owner October 12, 2023 21:16
@LunNova LunNova requested review from a user and infinisil October 12, 2023 21:16
@zzywysm zzywysm mentioned this pull request Oct 12, 2023
Closed
12 tasks
@LunNova LunNova mentioned this pull request Oct 12, 2023
Closed
6 tasks
@Atemu Atemu added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 13, 2023
chivay
chivay approved these changes Oct 18, 2023
View reviewed changes
Copy link
Member

@chivay chivay left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I've successfully built

  • firefox
  • chromium
  • openssh
  • sway
  • qemu

on an x86_64-linux and everything seems to work.

@risicle
Copy link
Contributor

risicle commented Oct 18, 2023

This almost certainly will cause problems with fortran, have addressed some of them in #259070

@risicle risicle removed the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 18, 2023
@risicle
Copy link
Contributor

risicle commented Oct 18, 2023

The security label is a "severity" label to mark vulnerabilities that need priority action, not as a general subject classifier.

@chivay
Copy link
Member

chivay commented Oct 19, 2023
edited
Loading

If I'm not mistaken, the original problem seems to be described here: #27218

Fortran complains if we attempt to use either "format" or "fortify" hardening. However, it seems to be taken care of, at least partially by 78028df

So if the toolchain supports Fortran, add-hardening.sh will drop those flags. Thus, setting NIX_HARDENING_ENABLE shouldn't break anything (?).
Maybe we should add fortify to Fortran's unsupported flags just to be safe?

EDIT: Oh, it seems it is already handled in #259070 🙏
https://github.com/NixOS/nixpkgs/blob/76f7703d8a7fac6a4002f8f48c86b60160d7edad/pkgs/development/compilers/gcc/default.nix#L416

@LunNova LunNova marked this pull request as draft October 19, 2023 04:01
@LunNova
Copy link
Member Author

LunNova commented Oct 19, 2023

Marked as a draft again so it doesn't get merged until #259070 is merged, if we still think this change is good after that PR.

@risicle
Copy link
Contributor

risicle commented Oct 19, 2023

FWIW I'm not pushing to get #259070 merged before 23.11 - too close to the release.

@LunNova
Copy link
Member Author

LunNova commented Feb 25, 2024

@risicle still worth making a change here or should I close this?

@risicle
Copy link
Contributor

risicle commented Feb 25, 2024

There's probably some value in this if only for uniformity.

I'd love to know why the musl exception was needed in the first place.

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one person. label Mar 9, 2024
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Mar 20, 2024
@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 4, 2024
@LunNova LunNova closed this Oct 8, 2024
@LunNova LunNova deleted the lunnova/aslr branch September 22, 2025 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314

@infinisil infinisil Awaiting requested review from infinisil

@K900 K900 Awaiting requested review from K900

@risicle risicle Awaiting requested review from risicle

@vcunat vcunat Awaiting requested review from vcunat

@Artturin Artturin Awaiting requested review from Artturin

1 more reviewer

@chivay chivay chivay approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

2.status: merge conflict This PR has merge conflicts with the target branch 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: stdenv Standard environment 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@LunNova @zzywysm @risicle @chivay @wegank @Atemu