From bd8258a389bf6337b0440cd06006e2e6e7fe097b Mon Sep 17 00:00:00 2001
From: Ryan Burns
Date: Tue, 24 Aug 2021 00:21:04 -0700
Subject: [PATCH 1/5] cc-wrapper: ensure PIE flags precede PIC flags
fixes: pkgsMusl.bulletml pkgsMusl.proot pkgsMusl.python3 Debian explains this issue well in the dpkg-buildflags manpage: -fPIE Can be linked into any program, but not a shared library (recommended). -fPIC Can be linked into any program and shared library. On projects that build both programs and shared libraries you might need to make sure that when building the shared libraries -fPIC is always passed last (so that it overrides any previous -PIE) to compilation flags such as CFLAGS. (from https://manpages.debian.org/bullseye/dpkg-dev/dpkg-buildflags.1.en.html#hardening)
---
pkgs/build-support/cc-wrapper/add-hardening.sh | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 8e2fe6c407ea..dc530bf943d2 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -45,11 +45,12 @@ for flag in "${!hardeningEnableMap[@]}"; do hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4') ;; pie) + # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi - hardeningCFlags+=('-fPIE') + hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}") if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi - hardeningCFlags+=('-pie') + hardeningCFlags=('-pie' "${hardeningCFlags[@]}") fi ;; pic)
From 37d089c1af9c62ca9549fb1eb1c3706f018e626e Mon Sep 17 00:00:00 2001
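Review bot: The new `# NB` comment says why `+=` is avoided but not why prepending is sufficient: the enclosing loop iterates `"${!hardeningEnableMap[@]}"`, and bash does not define the key order of an associative array, so the `pie` arm may run before or after the `pic` arm. Prepending `-fPIE` and `-pie` yields the required order in both cases only if the `pic` arm keeps appending, so that invariant belongs in the comment, e.g. `# NB: prepend rather than +=: key order of hardeningEnableMap is unspecified, so -fPIE must end up before -fPIC whether pic) ran first or not (pic) appends)`. The body of the `pic)` arm is outside the hunk, so its use of `+=` is inferred from the `stackprotector` context line above. The `-pie` prepend also places a link-time flag ahead of `-fPIE` in hardeningCFlags, which is harmless but worth a word in the same comment.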
From: Ryan Burns
Date: Mon, 20 Sep 2021 17:24:04 -0700
Subject: [PATCH 2/5] {cc,binutils}-wrapper: match leading/trailing arguments
fixes e.g.: pkgsMusl.libfsm pkgsMusl.libiscsi pkgsMusl.nsjail pkgsMusl.pv match strings have whitespace on either side, which wasn't matching leading/trailing arguments previously
---
pkgs/build-support/bintools-wrapper/add-hardening.sh | 6 +++++-
pkgs/build-support/cc-wrapper/add-hardening.sh | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh
index 4d289a334b77..0a2b2509a826 100644
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@@ -37,7 +37,11 @@ fi for flag in "${!hardeningEnableMap[@]}"; do case $flag in pie) - if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static " || "$*" =~ " -r " || "$*" =~ " -Ur " || "$*" =~ " -i ") ]]; then + if [[ ! (" $* " =~ " -shared " \ || " $* " =~ " -static " \ || " $* " =~ " -r " \ || " $* " =~ " -Ur " \ || " $* " =~ " -i ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningLDFlags+=('-pie') fi
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index dc530bf943d2..e5d296f6c9c5 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
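Review bot: Padding `$*` with spaces fixes the first and last argument, but the test is still a substring match on the joined argument string, so any other spelling of a shared or relocatable link is not seen and `-pie` is still appended: GNU ld's `-Bshareable` synonym for `-shared`, and any options supplied through an `@file` response file, fall through the `if [[ ! (" $* " =~ ...` check. The cc-wrapper hunk of this patch has the same shape (`" $* " =~ " -shared "` / `" -static "`), and the gcc driver also accepts `@file`, so the same gap applies there. If that is an accepted limitation, say so next to the condition, e.g. `# only these exact spellings are recognised; ld synonyms (-Bshareable) and @response-file contents are not inspected`, so the next reader does not take the list as exhaustive. The `case` and `for` enclosing this arm begin outside the hunk.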
@@ -48,7 +48,7 @@ for flag in "${!hardeningEnableMap[@]}"; do # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}") - if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then + if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningCFlags=('-pie' "${hardeningCFlags[@]}") fi
From 882acbd0af5433b2bbda3d4f692660bcb22d6a2c Mon Sep 17 00:00:00 2001
From: Ryan Burns
Date: Sat, 4 Sep 2021 13:26:53 -0700
Subject: [PATCH 3/5] Revert "pkgsMusl.libiscsi: fix build"
This is no longer needed with the previous PIE hardening fixes. This reverts commit 78d20f22007a9e615c8bf1a7bf12afea518e1d39.
---
pkgs/development/libraries/libiscsi/default.nix | 4 ----
1 file changed, 4 deletions(-)
diff --git a/pkgs/development/libraries/libiscsi/default.nix b/pkgs/development/libraries/libiscsi/default.nix
index 6dd23d219d95..3cc2e0eee8c3 100644
--- a/pkgs/development/libraries/libiscsi/default.nix
+++ b/pkgs/development/libraries/libiscsi/default.nix
@@ -13,10 +13,6 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; - # This can be removed after >=1.20.0, or if the build suceeds with - # pie enabled (default on Musl). - hardeningDisable = [ "pie" ]; - # This problem is gone on libiscsi master. NIX_CFLAGS_COMPILE = lib.optional stdenv.hostPlatform.is32bit "-Wno-error=sign-compare";
From 436f960f2ac3f27e896c651a01c5c2c10a8557b7 Mon Sep 17 00:00:00 2001
From: Ryan Burns
Date: Thu, 16 Sep 2021 17:58:32 -0700
Subject: [PATCH 4/5] Revert "glib: fix musl build"
This is no longer needed with the previous PIE hardening fixes. This reverts commit 74e0aaaa30c1751450cddf055a5eb4ca64d7e33b.
---
pkgs/development/libraries/glib/default.nix | 2 --
1 file changed, 2 deletions(-)
diff --git a/pkgs/development/libraries/glib/default.nix b/pkgs/development/libraries/glib/default.nix
index 3c8fe4d569fa..772b913f6748 100644
--- a/pkgs/development/libraries/glib/default.nix
+++ b/pkgs/development/libraries/glib/default.nix
@@ -134,8 +134,6 @@ stdenv.mkDerivation rec { "-DG_DISABLE_CAST_CHECKS" ]; - hardeningDisable = [ "pie" ]; - postPatch = '' chmod +x gio/tests/gengiotypefuncs.py patchShebangs gio/tests/gengiotypefuncs.py
From a41b83c0ffb765d52f78730082566f6e56620412 Mon Sep 17 00:00:00 2001
From: Ryan Burns
Date: Thu, 16 Sep 2021 18:53:00 -0700
Subject: [PATCH 5/5] Revert "pkgsMusl.python*: disable LTO"
This is no longer needed with the previous PIE hardening fixes. This reverts commit 2784f1bd6908b37ed0d686778f347e63692c0f84.
---
pkgs/development/interpreters/python/cpython/default.nix | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix
index abfff8009afe..8e340dd3b146 100644
--- a/pkgs/development/interpreters/python/cpython/default.nix
+++ b/pkgs/development/interpreters/python/cpython/default.nix
@@ -45,9 +45,7 @@ # enableLTO is a subset of the enableOptimizations flag that doesn't harm reproducibility. # enabling LTO on 32bit arch causes downstream packages to fail when linking # enabling LTO on *-darwin causes python3 to fail when linking. -# enabling LTO with musl and dynamic linking fails with a linker error although it should -# be possible as alpine is doing it: https://github.com/alpinelinux/aports/blob/a8ccb04668c7729e0f0db6c6ff5f25d7519e779b/main/python3/APKBUILD#L82 -, enableLTO ? stdenv.is64bit && stdenv.isLinux && !(stdenv.hostPlatform.isMusl && !stdenv.hostPlatform.isStatic) +, enableLTO ? stdenv.is64bit && stdenv.isLinux , reproducibleBuild ? false , pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}" }: