From 47a634ae23c896497fc98087cc40f9f10337f9a3 Mon Sep 17 00:00:00 2001
From: Matthew Bauer
Date: Sat, 3 Nov 2018 13:55:50 -0500
Subject: [PATCH] make-derivation: enable pie hardening with musl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes #49071 On ld.gold, we produce broken executables when linking with the Musl libc. This appears to be a known bug when using ld.gold and Musl. This thread describes the workaround as enabling PIE when using ld.gold and Musl: https://www.openwall.com/lists/musl/2015/05/01/5 By default we don’t enable PIE to avoid breaking things. But in the Musl case we are breaking things by not enabling PIE. So this adds a special case for defaultHardeningFlags which keeps the pie hardening for everything. Any packages that break with PIE can add the pie flag to disableHardeningFlags array (a no-op for now on anything but Musl).
---
 pkgs/stdenv/generic/make-derivation.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index e06faed30a1ea..6c0c94487dee1 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -93,7 +93,9 @@ rec {
 ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
 runtimeSensativeIfFixedOutput = fixedOutputDrv -> !noNonNativeDeps;
 supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
- defaultHardeningFlags = lib.remove "pie" supportedHardeningFlags;
+ defaultHardeningFlags = if stdenv.targetPlatform.isMusl
+ then supportedHardeningFlags
+ else lib.remove "pie" supportedHardeningFlags;
 enabledHardeningOptions =
 if builtins.elem "all" hardeningDisable
 then []
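Review bot: The new guard on `defaultHardeningFlags` tests `stdenv.targetPlatform.isMusl`, but for an ordinary derivation the binaries that get linked run on the host platform, and targetPlatform only differs from it for compilers and toolchains, so the ld.gold/musl link failure this works around is most likely keyed on `stdenv.hostPlatform.isMusl`; as written, a non-compiler package cross-built for a musl host would miss the workaround, while a glibc-hosted compiler that merely targets musl would get PIE it does not need. Since the rationale currently lives only in the commit message, I would also put it next to the condition, e.g. `# ld.gold links broken executables against musl unless PIE is enabled (see the openwall musl thread linked in the commit)`, so nobody later "simplifies" the branch away. The message also refers to a `disableHardeningFlags` array while the visible attribute is `hardeningDisable`; the opt-out path should name the real attribute. The enclosing `rec { ... }` set starts and ends outside the hunk.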