cc-wrapper: add support for shadowstack hardening flag

This commit is contained in:
Robert Scott 2024-07-11 23:11:13 +01:00
parent c68739f4f0
commit b207b6ef74
9 changed files with 23 additions and 1 deletions


@ -242,6 +242,8 @@
- Nemo is now built with gtk-layer-shell support, note that for now it will be expected to see nemo-desktop
listed as a regular entry in Cinnamon Wayland session's window list applet.
- The `shadowstack` hardening flag has been added, though disabled by default.
- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
should be changed to using *runner authentication tokens* by configuring


@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
fi
if (( "${NIX_DEBUG:-0}" >= 1 )); then
declare -a allHardeningFlags=(fortify fortify3 stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)
declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)
declare -A hardeningDisableMap=()
# Determine which flags were effectively disabled so we can report below.
@ -75,6 +75,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
;;
esac
;;
shadowstack)
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling shadowstack >&2; fi
hardeningCFlagsBefore+=('-fcf-protection=return')
;;
stackprotector)
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
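Review bot: `-fcf-protection=return` in the new `shadowstack)` arm only makes the compiler emit shadow-stack-compatible code plus the GNU property note on each object; GNU ld marks the final binary as SHSTK-capable only when every linked object, including the CRT files and libc, carries that note, and actual enforcement further depends on the kernel and glibc enabling CET at run time, so on its own the flag can be inert. A comment on the arm would stop the next reader from assuming the flag is sufficient, e.g. `# Emits the SHSTK property note; only effective when every linked object carries it and the runtime enables CET.` The enclosing `for`/`case` over `hardeningEnableMap` begins and ends outside the hunk.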


@ -430,6 +430,12 @@ pipe ((callFile ./common/builder.nix {}) ({
) "stackclashprotection"
++ optional (!atLeast11) "zerocallusedregs"
++ optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]
++ optional (!(
atLeast8
&& targetPlatform.isLinux
&& targetPlatform.isx86_64
&& targetPlatform.libc == "glibc"
)) "shadowstack"
++ optionals (langFortran) [ "fortify" "format" ];
};
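Review bot: The GCC gate on the `shadowstack` entry requires `targetPlatform.libc == "glibc"`, but the clang gate in the LLVM hunk (`release_version` at least 7, Linux, x86_64) has no libc check, so the two toolchains disagree about whether the flag is supported on non-glibc targets such as musl; unless that is deliberate, the clang condition should carry the same `targetPlatform.libc == "glibc"` clause (or this one should drop it), with a comment saying why. Separately, if I recall correctly GCC 8.x rejects `-fcf-protection` unless `-mshstk`/`-mcet` is also passed and only GCC 9 dropped that requirement, so `atLeast8` is worth confirming against a GCC 8 build before it is relied on. The list this entry belongs to starts before the hunk.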


@ -138,6 +138,11 @@ let
isClang = true;
hardeningUnsupportedFlagsByTargetPlatform = targetPlatform:
[ "fortify3" ]
++ lib.optional (
(lib.versionOlder release_version "7")
|| !targetPlatform.isLinux
|| !targetPlatform.isx86_64
) "shadowstack"
++ lib.optional (
(lib.versionOlder release_version "11")
|| (targetPlatform.isAarch64 && (lib.versionOlder release_version "18.1"))


@ -416,6 +416,7 @@ in
isFromBootstrapFiles = true;
hardeningUnsupportedFlags = [
"fortify3"
"shadowstack"
"stackclashprotection"
"zerocallusedregs"
];


@ -115,6 +115,7 @@ let
"format"
"fortify"
"fortify3"
"shadowstack"
"pic"
"pie"
"relro"
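Review bot: The inserted `"shadowstack"` breaks the alphabetical order the surrounding list keeps (`"format"`, `"fortify"`, `"fortify3"`, `"pic"`, `"pie"`, `"relro"`); placing it after `"relro"` keeps the list sorted, which is how the other three unsupported-flag lists in this commit are kept. The list's opening and closing brackets lie outside the hunk.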


@ -17,6 +17,7 @@ derivation ({
isGNU = true;
hardeningUnsupportedFlags = [
"fortify3"
"shadowstack"
"stackclashprotection"
"trivialautovarinit"
"zerocallusedregs"


@ -17,6 +17,7 @@ derivation ({
isGNU = true;
hardeningUnsupportedFlags = [
"fortify3"
"shadowstack"
"stackclashprotection"
"trivialautovarinit"
"zerocallusedregs"


@ -292,6 +292,7 @@ let
pkgsExtraHardening = super';
stdenv = super'.withDefaultHardeningFlags (
super'.stdenv.cc.defaultHardeningFlags ++ [
"shadowstack"
"stackclashprotection"
"trivialautovarinit"
]
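Review bot: Adding `"shadowstack"` to the `pkgsExtraHardening` flag list requests the flag for every package built through that overlay, but a binary is only marked SHSTK-capable when every object linked into it, including the CRT files and libc it was built against, carries the property note; unless the stdenv behind `pkgsExtraHardening` is itself rebuilt with the flag, its outputs will presumably link against an unmarked libc and gain no enforcement. A short comment stating that expectation would help, e.g. `# shadowstack: effective only if the whole link (libc, crt, deps) carries the SHSTK note`. The surrounding attribute set starts and ends outside the hunk.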