Merge pull request #135619 from r-burns/fpie-musl-fixes
[staging] {cc,binutils}-wrapper: fixes for PIE hardening
commit
16728283c3
|
@ -37,7 +37,11 @@ fi
|
|||
for flag in "${!hardeningEnableMap[@]}"; do
|
||||
case $flag in
|
||||
pie)
|
||||
if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static " || "$*" =~ " -r " || "$*" =~ " -Ur " || "$*" =~ " -i ") ]]; then
|
||||
if [[ ! (" $* " =~ " -shared " \
|
||||
|| " $* " =~ " -static " \
|
||||
|| " $* " =~ " -r " \
|
||||
|| " $* " =~ " -Ur " \
|
||||
|| " $* " =~ " -i ") ]]; then
|
||||
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
|
||||
hardeningLDFlags+=('-pie')
|
||||
fi
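Review bot: The `pie)` branch skips `-pie` silently: when any of the five patterns matches, nothing is logged even with NIX_DEBUG set, so a link that unexpectedly ends up without PIE cannot be spotted from the build log. I would add an `else` arm before the closing `fi` with `if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: skipping LDFlags -pie >&2; fi`. The test on `" $* "` also relies on IFS starting with a space and matches inside a single argument that contains ` -static ` or similar; a comment such as `# padded so the first and last argument match; assumes default IFS` would record that, and the same applies to the `-shared`/`-static` guard in the second hunk. The enclosing `for`/`case` continues outside the hunk.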
|
||||
|
|
|
@ -45,11 +45,12 @@ for flag in "${!hardeningEnableMap[@]}"; do
|
|||
hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
|
||||
;;
|
||||
pie)
|
||||
# NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
|
||||
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
|
||||
hardeningCFlags+=('-fPIE')
|
||||
if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
|
||||
hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
|
||||
if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then
|
||||
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
|
||||
hardeningCFlags+=('-pie')
|
||||
hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
|
||||
fi
|
||||
;;
|
||||
pic)
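Review bot: The `-pie` guard in this `pie)` arm exempts only `-shared` and `-static`, while the linker-side check in the first hunk also exempts `-r`, `-Ur` and `-i`, so a relocatable link driven through the compiler still gets `-pie` prepended. Whether the compiler driver filters that combination is not visible here; if it does not, adding `|| " $* " =~ " -r "` to the condition would keep the two wrappers consistent. Separately, the unchanged debug line prints `enabling LDFlags -pie` although the flag is placed in `hardeningCFlags`; `echo HARDENING: enabling CFlags -pie >&2` would match what the code does. The `case` statement continues outside the hunk.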
|
||||
|
|
|
@ -45,9 +45,7 @@
|
|||
# enableLTO is a subset of the enableOptimizations flag that doesn't harm reproducibility.
|
||||
# enabling LTO on 32bit arch causes downstream packages to fail when linking
|
||||
# enabling LTO on *-darwin causes python3 to fail when linking.
|
||||
# enabling LTO with musl and dynamic linking fails with a linker error although it should
|
||||
# be possible as alpine is doing it: https://github.com/alpinelinux/aports/blob/a8ccb04668c7729e0f0db6c6ff5f25d7519e779b/main/python3/APKBUILD#L82
|
||||
, enableLTO ? stdenv.is64bit && stdenv.isLinux && !(stdenv.hostPlatform.isMusl && !stdenv.hostPlatform.isStatic)
|
||||
, enableLTO ? stdenv.is64bit && stdenv.isLinux
|
||||
, reproducibleBuild ? false
|
||||
, pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
|
||||
}:
|
||||
|
|
|
@ -134,8 +134,6 @@ stdenv.mkDerivation rec {
|
|||
"-DG_DISABLE_CAST_CHECKS"
|
||||
];
|
||||
|
||||
hardeningDisable = [ "pie" ];
|
||||
|
||||
postPatch = ''
|
||||
chmod +x gio/tests/gengiotypefuncs.py
|
||||
patchShebangs gio/tests/gengiotypefuncs.py
|
||||
|
|
|
@ -13,10 +13,6 @@ stdenv.mkDerivation rec {
|
|||
|
||||
nativeBuildInputs = [ autoreconfHook ];
|
||||
|
||||
# This can be removed after >=1.20.0, or if the build suceeds with
|
||||
# pie enabled (default on Musl).
|
||||
hardeningDisable = [ "pie" ];
|
||||
|
||||
# This problem is gone on libiscsi master.
|
||||
NIX_CFLAGS_COMPILE =
|
||||
lib.optional stdenv.hostPlatform.is32bit "-Wno-error=sign-compare";
|
||||
|
|