Hardening adds -pie to -shared invocation due to response file #178162

Closed
pwaller opened this issue Jun 18, 2022 · 1 comment · Fixed by #239331
Labels
0.kind: build failure A package fails to build 6.topic: stdenv Standard environment

Comments


pwaller commented Jun 18, 2022

Steps To Reproduce

Steps to reproduce the behavior:

  1. `nix-build` the expression below.
  2. Observe the build failure `ld.lld: error: -shared and -pie may not be used together`.

```nix
{ pkgs ? import <nixpkgs> {} }:

let
  # gcc silently accepts -shared -pie together, lld does not.
  linker = pkgs.wrapBintoolsWith { bintools = pkgs.llvmPackages.lld; };
in

pkgs.stdenv.mkDerivation {
  name = "nixpkgs-hardening-bug";

  src = pkgs.writeText "src.c" "int main(int argc, char* argv[]) { return 0; }";
  NIX_HARDENING_ENABLE="pie";

  unpackPhase = ":";
  buildPhase = ''
    $CC -c -o src.o $src
    bash -x ${linker}/bin/ld.lld @${pkgs.writeText "responsefile" "-shared"} src.o
  '';

}
```

Build log

```text
building
++ gcc -c -o src.o /nix/store/cskqhvkcmclg60r5vh9wf594q52c0qa3-src.c
++ /nix/store/68v7fk0rfjmvizfs0y3sz1abcpz6k0gc-lld-wrapper-14.0.1/bin/ld.lld @/nix/store/w4lrhm8si8cihrqdcr1j1myrimq4irvl-responsefile src.o
ld.lld: error: -shared and -pie may not be used together
```

Additional context

Given `NIX_HARDENING_ENABLE=pie`, the bintools wrapper attempts to pass `-pie` even though `-shared` is specified. The binutils linker accepts this silently, but lld explodes with an error.

The trace (included in the above nix build script) shows that add-hardening inserts this `-pie` flag, even though it's trying not to do so if `-shared` is passed. The reason is that the test is against the params via `$*` [0], rather than the expanded response parameters. In my build setup, clang is using a response file to pass parameters to the linker, so this test fails.

```text
++ for flag in "${!hardeningEnableMap[@]}"
++ case $flag in
++ [[  @/nix/store/w4lrhm8si8cihrqdcr1j1myrimq4irvl-responsefile src.o  =~  -shared  ]]
++ [[  @/nix/store/w4lrhm8si8cihrqdcr1j1myrimq4irvl-responsefile src.o  =~  -static  ]]
++ [[  @/nix/store/w4lrhm8si8cihrqdcr1j1myrimq4irvl-responsefile src.o  =~  -r  ]]
++ [[  @/nix/store/w4lrhm8si8cihrqdcr1j1myrimq4irvl-responsefile src.o  =~  -Ur  ]]
++ [[  @/nix/store/w4lrhm8si8cihrqdcr1j1myrimq4irvl-responsefile src.o  =~  -i  ]]
++ ((  0 >= 1  ))
++ hardeningLDFlags+=('-pie')
```

Here is the relevant bit in `add-hardening.sh`:

```bash
if [[ ! (" $* " =~ " -shared " \
|| " $* " =~ " -static " \
|| " $* " =~ " -r " \
|| " $* " =~ " -Ur " \
|| " $* " =~ " -i ") ]]; then
```

I believe this should be referring to the response-expanded `$params` variable instead.

Notify maintainers

cc @Ericson2314 @matthewbauer

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.18.0, NixOS, 22.05 (Quokka), 22.05.866.1f8d88087a3`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.1`
 - channels(pwaller): `"unstable"`
 - channels(root): `"home-manager-22.05.tar.gz, nixos-22.05"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
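The failure mode above, as an added example that is not part of the original issue and is not nixpkgs' `add-hardening.sh` or its wrapper code: `naive_pie_flags` reproduces the `" $* "` regex check from the report, `expand_response_files` is an assumed stand-in for the wrapper's response-file expansion, and `expanded_pie_flags` makes the same decision over the expanded token list. The response file used for the demo is constructed inline.

```shell
#!/usr/bin/env bash
# Added example (not nixpkgs' add-hardening.sh or its cc/ld wrapper).
# Shows why a regex over "$*" cannot see flags hidden inside an @responsefile,
# and how checking the expanded argument list avoids emitting -pie for a
# -shared link. Function names here are assumed for illustration only.

# Print each linker argument on its own line, replacing every @file argument
# with the whitespace-separated tokens read from that file (recursively, so a
# response file may itself reference another one).
expand_response_files() {
    local arg
    local -a tokens
    for arg in "$@"; do
        if [[ $arg == @* && -r ${arg#@} ]]; then
            # read -d '' consumes the whole file; it returns non-zero at EOF,
            # which is expected here, and the array is still populated.
            read -r -d '' -a tokens < "${arg#@}" || true
            expand_response_files "${tokens[@]}"
        else
            printf '%s\n' "$arg"
        fi
    done
}

# The check as the issue describes it: a regex against "$*", which still
# contains the literal "@/path/responsefile" word rather than its contents.
naive_pie_flags() {
    if [[ ! (" $* " =~ " -shared " \
        || " $* " =~ " -static " \
        || " $* " =~ " -r " \
        || " $* " =~ " -Ur " \
        || " $* " =~ " -i ") ]]; then
        printf '%s\n' "-pie"
    fi
}

# The same decision made over the response-expanded arguments. Each token is
# tested on its own, so no word-boundary regex is needed and a flag that only
# exists inside a response file is still honoured.
expanded_pie_flags() {
    local p
    while IFS= read -r p; do
        case $p in
            -shared|-static|-r|-Ur|-i) return 0 ;;   # do not add -pie
        esac
    done < <(expand_response_files "$@")
    printf '%s\n' "-pie"
}

# Constructed demo input: a response file holding only "-shared", mirroring
# the reproducer in the issue.
demo() {
    local rsp
    rsp=$(mktemp)
    printf -- '-shared\n' > "$rsp"
    echo "naive check   : '$(naive_pie_flags "@$rsp" src.o)'"
    echo "expanded check: '$(expanded_pie_flags "@$rsp" src.o)'"
    rm -f "$rsp"
}
demo
```

With the response file in play, the naive check still emits `-pie` (the combination lld rejects), while the expanded check emits nothing; with `-shared` passed directly on the command line both checks agree.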

pwaller commented Jun 23, 2023

I've posted a PR to address this, help wanted getting it merged: #239331

@vcunat vcunat closed this as completed in e0d2053 Jul 15, 2023
@rrbutani rrbutani added the 6.topic: stdenv Standard environment label May 27, 2024