Merge pull request #242466 from risicle/ris-fortify3-disable-various

disable `fortify3` hardening flag on various packages
NixOS · Jul 12, 2023 · e2622ee · e2622ee
2 parents bc41da4 + bf55980
commit e2622ee
Show file tree

Hide file tree

Showing 13 changed files with 42 additions and 2 deletions.
diff --git a/pkgs/applications/audio/mympd/default.nix b/pkgs/applications/audio/mympd/default.nix
@@ -51,8 +51,12 @@ stdenv.mkDerivation rec {
     # similarly here
     "-DCMAKE_INSTALL_LOCALSTATEDIR=/var/lib/mympd"
   ];
-  # See https://github.com/jcorporation/myMPD/issues/315
-  hardeningDisable = [ "strictoverflow" ];
+  hardeningDisable = [
+    # See https://github.com/jcorporation/myMPD/issues/315
+    "strictoverflow"
+    # causes redefinition of _FORTIFY_SOURCE
+    "fortify3"
+  ];
 
   meta = {
     homepage = "https://jcorporation.github.io/myMPD";

diff --git a/pkgs/applications/networking/nextcloud-client/default.nix b/pkgs/applications/networking/nextcloud-client/default.nix
@@ -87,6 +87,9 @@ mkDerivation rec {
     "-DNO_SHIBBOLETH=1" # allows to compile without qtwebkit
   ];
 
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
   postBuild = ''
     make doc-man
   '';

diff --git a/pkgs/applications/science/misc/root/5.nix b/pkgs/applications/science/misc/root/5.nix
@@ -66,6 +66,9 @@ stdenv.mkDerivation rec {
     })
   ];
 
+  # https://github.com/root-project/root/issues/13216
+  hardeningDisable = [ "fortify3" ];
+
   preConfigure = ''
     # binutils 2.37 fixes
     fixupList=(

diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix
@@ -149,6 +149,9 @@ in
   ++ extraConfigureFlags
   ;
 
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
   # Packages to prefix to the Apptainer/Singularity container runtime default PATH
   # Use overrideAttrs to override
   defaultPathInputs = [

diff --git a/pkgs/development/compilers/intel-graphics-compiler/default.nix b/pkgs/development/compilers/intel-graphics-compiler/default.nix
@@ -86,6 +86,9 @@ stdenv.mkDerivation rec {
     "-DIGC_PREFERRED_LLVM_VERSION=${lib.getVersion llvm}"
   ];
 
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
   meta = with lib; {
     homepage = "https://github.com/intel/intel-graphics-compiler";
     description = "LLVM-based compiler for OpenCL targeting Intel Gen graphics hardware";

diff --git a/pkgs/development/libraries/gvm-libs/default.nix b/pkgs/development/libraries/gvm-libs/default.nix
@@ -60,6 +60,9 @@ stdenv.mkDerivation rec {
     "-DGVM_RUN_DIR=${placeholder "out"}/run/gvm"
   ];
 
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
   meta = with lib; {
     description = "Libraries module for the Greenbone Vulnerability Management Solution";
     homepage = "https://github.com/greenbone/gvm-libs";

diff --git a/pkgs/development/libraries/linbox/default.nix b/pkgs/development/libraries/linbox/default.nix
@@ -52,6 +52,9 @@ stdenv.mkDerivation rec {
     "--enable-sage"
   ];
 
+  # https://github.com/linbox-team/linbox/issues/304
+  hardeningDisable = [ "fortify3" ];
+
   doCheck = true;
 
   enableParallelBuilding = true;

diff --git a/pkgs/misc/beep/default.nix b/pkgs/misc/beep/default.nix
@@ -16,6 +16,9 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "prefix=${placeholder "out"}"];
 
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
   meta = with lib; {
     description = "The advanced PC speaker beeper";
     homepage = "https://github.com/spkr-beep/beep";

diff --git a/pkgs/os-specific/linux/libevdevc/default.nix b/pkgs/os-specific/linux/libevdevc/default.nix
@@ -19,6 +19,9 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "DESTDIR=$(out)" "LIBDIR=/lib" ];
 
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
   meta = with lib; {
     description = "ChromiumOS libevdev. Renamed to avoid conflicts with the standard libevdev found in Linux distros";
     license = licenses.bsd3;

diff --git a/pkgs/servers/mqtt/nanomq/default.nix b/pkgs/servers/mqtt/nanomq/default.nix
@@ -35,6 +35,9 @@ let
     };
 
     nativeBuildInputs = [ cmake ninja flex bison ];
+
+    # https://github.com/nanomq/idl-serial/issues/36
+    hardeningDisable = [ "fortify3" ];
   };
 
 in stdenv.mkDerivation (finalAttrs: {

diff --git a/pkgs/tools/security/hash_extender/default.nix b/pkgs/tools/security/hash_extender/default.nix
@@ -16,6 +16,9 @@ stdenv.mkDerivation {
   doCheck = true;
   checkPhase = "./hash_extender --test";
 
+  # https://github.com/iagox86/hash_extender/issues/26
+  hardeningDisable = [ "fortify3" ];
+
   env.NIX_CFLAGS_COMPILE = "-Wno-error=deprecated-declarations";
 
   installPhase = ''

diff --git a/pkgs/tools/security/yubihsm-shell/default.nix b/pkgs/tools/security/yubihsm-shell/default.nix
@@ -58,6 +58,9 @@ stdenv.mkDerivation rec {
     "-DDISABLE_LTO=ON"
   ];
 
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
   meta = with lib; {
     description = "yubihsm-shell and libyubihsm";
     homepage = "https://github.com/Yubico/yubihsm-shell";

diff --git a/pkgs/tools/system/minijail/default.nix b/pkgs/tools/system/minijail/default.nix
@@ -19,6 +19,9 @@ stdenv.mkDerivation rec {
     patchShebangs platform2_preinstall.sh
   '';
 
+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
   installPhase = ''
     ./platform2_preinstall.sh ${version} $out/include/chromeos