make-derivation: enable pie hardening with musl

Fixes #49071 On ld.gold, we produce broken executables when linking with the Musl libc. This appears to be a known bug when using ld.gold and Musl. This thread describes the workaround as enabling PIE when using ld.gold and Musl: https://www.openwall.com/lists/musl/2015/05/01/5 By default we don’t enable PIE to avoid breaking things. But in the Musl case we are breaking things by not enabling PIE. So this adds a special case for defaultHardeningFlags which keeps the pie hardening for everything. Any packages that break with PIE can add the pie flag to disableHardeningFlags array (a no-op for now on anything but Musl).
2018-11-03 13:55:50 -05:00 · 2018-11-03 13:55:50 -05:00 · 6d531f3541
parent d3cfda14fb
commit 6d531f3541
1 changed files with 3 additions and 1 deletions
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@ -93,7 +93,9 @@ rec {
                                      ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
      runtimeSensativeIfFixedOutput = fixedOutputDrv -> !noNonNativeDeps;
      supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
-      defaultHardeningFlags = lib.remove "pie" supportedHardeningFlags;
+      defaultHardeningFlags = if stdenv.targetPlatform.isMusl
+                              then supportedHardeningFlags
+                              else lib.remove "pie" supportedHardeningFlags;
      enabledHardeningOptions =
        if builtins.elem "all" hardeningDisable
        then []