
[staging] {cc,binutils}-wrapper: fixes for PIE hardening #135619

Merged: 5 commits merged into NixOS:staging from fpie-musl-fixes on Sep 24, 2021

Conversation

r-burns
Contributor

@r-burns r-burns commented Aug 25, 2021

Fixes a number of packages which were broken on musl (where PIE hardening is currently enabled). For example:

  • pkgsMusl.python3
  • pkgsMusl.bulletml
  • pkgsMusl.proot
  • pkgsMusl.libfsm
  • pkgsMusl.libiscsi
  • pkgsMusl.nsjail
  • pkgsMusl.pv
Motivation for this change

Fixes #124476

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes (or backporting 21.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@r-burns r-burns requested a review from Ericson2314 as a code owner August 25, 2021 03:15
@r-burns r-burns changed the title {cc,binutils}-wrapper: fixes for PIE hardening [staging] {cc,binutils}-wrapper: fixes for PIE hardening Aug 25, 2021
nomeata added a commit to dfinity/motoko that referenced this pull request Aug 25, 2021
in #2532 we added a patch related to static building of ocaml packages,
submitted to nixpkgs as NixOS/nixpkgs#124498,
but it was never merged upstream.

Supposedly a patch from NixOS/nixpkgs#135619
fixes it as well (and maybe more properly). So let’s try that!
@r-burns
Contributor Author

r-burns commented Sep 4, 2021

cc @TredwellGit since it looks like you're running into some of these issues in #104091

@ofborg ofborg bot requested a review from misuzu September 4, 2021 21:54
@r-burns r-burns mentioned this pull request Sep 17, 2021
@r-burns r-burns requested a review from FRidh as a code owner September 17, 2021 02:54
@ofborg ofborg bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Sep 17, 2021
@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Sep 17, 2021
fixes:
pkgsMusl.bulletml
pkgsMusl.proot
pkgsMusl.python3

Debian explains this issue well in the dpkg-buildflags manpage:

-fPIE
    Can be linked into any program, but not a shared library (recommended).
-fPIC
    Can be linked into any program and shared library.

On projects that build both programs and shared libraries you might need to
make sure that when building the shared libraries -fPIC is always passed last
(so that it overrides any previous -PIE) to compilation flags such as CFLAGS.

(from https://manpages.debian.org/bullseye/dpkg-dev/dpkg-buildflags.1.en.html#hardening)

fixes e.g.:
pkgsMusl.libfsm
pkgsMusl.libiscsi
pkgsMusl.nsjail
pkgsMusl.pv

match strings have whitespace on either side, which wasn't
matching leading/trailing arguments previously

This is no longer needed with the previous PIE hardening fixes.

This reverts commit 78d20f2.
This is no longer needed with the previous PIE hardening fixes.

This reverts commit 74e0aaa.
This is no longer needed with the previous PIE hardening fixes.

This reverts commit 2784f1b.
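For the two wrapper fixes the commits above describe (putting -fPIE before the caller's flags so a later -fPIC overrides it, and padding the match strings so a flag at the start or end of the command line is found), here is an added illustration in POSIX sh. It is not nixpkgs' cc-wrapper code; the has_flag, pie_hardening_flags and wrap_cc names and the single-string argument interface are simplifications of my own.

```shell
# Added illustration, not nixpkgs' add-hardening.sh. Arguments are passed as
# one space-separated string, which is a simplification of a real wrapper
# that works on "$@".

# Whole-argument match. Padding both the argument list and the pattern with
# spaces means a flag is found even when it is the first or last argument.
has_flag() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# The pre-fix form, kept for comparison: without padding the list, a flag at
# either end of the command line has no surrounding spaces and is missed.
has_flag_broken() {
  case "$1" in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# Print the hardening flags to prepend for a given argument string.
pie_hardening_flags() {
  flags_=""
  # Code-generation flag: add -fPIE unless the caller opts out. It is placed
  # before the caller's flags, so a later -fPIC/-fpic overrides it for
  # shared-library objects, as the dpkg-buildflags manpage recommends.
  if ! has_flag "$1" -fno-pie && ! has_flag "$1" -nopie; then
    flags_="-fPIE"
  fi
  # Link flag: -pie only applies when producing an executable, so skip it
  # for shared libraries, static links, relocatable output, compile-only
  # invocations and explicit opt-outs.
  if ! has_flag "$1" -shared && ! has_flag "$1" -static && ! has_flag "$1" -r \
     && ! has_flag "$1" -c && ! has_flag "$1" -no-pie && ! has_flag "$1" -nopie; then
    flags_="${flags_:+$flags_ }-pie"
  fi
  printf '%s' "$flags_"
}

# Build the final command line: hardening flags first, caller's flags last.
wrap_cc() {
  hard_=$(pie_hardening_flags "$1")
  printf '%s' "${hard_:+$hard_ }$1"
}

# Demo: a shared-library link keeps -fPIC after -fPIE and gets no -pie.
wrap_cc '-shared -fPIC foo.o -o libfoo.so'
echo
```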
@r-burns r-burns merged commit 1672828 into NixOS:staging Sep 24, 2021
@r-burns r-burns deleted the fpie-musl-fixes branch September 24, 2021 00:55