treewide: enable security hardening flags #104091
base: master
Conversation
Work in progress.
Wonder if issues are caused by this: https://gitlab.haskell.org/ghc/ghc/-/merge_requests/4287
I've quite possibly missed conversation on this elsewhere, but if not, I think it would be good to test with haskell.packages.ghc901.hscolour, as the Haskell commit can be easily applied as a patch to 9.0, i.e. I think this would be OK. But the first round of compiling hscolour would be in the bootstrap, using an 8.10.2 binary compiled for Debian/Ubuntu, so it would probably need to be compiled without PIE in that phase. I'm not really sure what it working in 9.0+patch would mean for the 8.X versions that are the current default, as haskell.org seems to only have marked it for 9; also, I'm not optimistic about what will happen with aarch64, as it seems quite a bit more sensitive to relocation problems. But some version(s) on some platform(s) would be a great start.
Thanks for responding.
You did not.
That is the problem. I am unsure how to disable it because
Booting the stage1 of the real GHC is probably going to need these settings for GHC itself not to fail as a PIE with the binary libraries(?), but before that, when the bootstrap GHC is setting up its bootPkgs (and then after the real GHC is built and is building its package set), I think you need to override the haskell-modules side, which should go from make-package-set.nix to generic-builder.
Upon further investigation, I have determined that GHC's support for PIC and PIE is bad. I have it working with PIE totally disabled for Haskell; will push later with additional security hardening enabled.
See also #101666 (comment)
Hydra x86_64 Linux seems available, so I pushed an update. Would prefer if we could let this build with very low priority rather than cancelling it, because otherwise it is difficult to work on.
@vcunat, please add "i686-linux" to supportedSystems for https://hydra.nixos.org/jobset/nixpkgs/hardening-flags#tabs-configuration.
I set up the default value, as i686 isn't (fully) supported anymore. Anyway, there's probably some evaluation problem, but on a quick look I can't see what it is.
https://blog.fpmurphy.com/2008/06/position-independent-executables.html

> PIE is an address space randomization technique that compiles & links executables to be position independent, i.e. machine instruction code that executes properly regardless of where in memory it actually resides. When combined with a kernel that can recognize it is loading a PIE binary, the kernel loads it into a random address instead of the traditional fixed address locations.

https://fedoraproject.org/wiki/Security_Features_Matrix#Address_Space_Layout_Randomization_.28ASLR.29

> This makes memory addresses harder to predict when an attacker is attempting a memory-corruption exploit.
> To make ASLR effective all segments must be randomized. Leaving the text segment loading address non-randomized reduces the protection provided by the ASLR since the attackers can use ret2text attacks. The loading address of the text segment in a binary can be randomized by building the binary as PIE (Position Independent Executable).

https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description

> Copy relocations support in GCC 5 and binutils 2.26 makes the performance [decrease] on x86_64 of PIE literally zero for many programs.
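The practical question behind a PR like this is whether a given build output actually came out as a PIE. The loader decides that from the ELF header: a PIE is an `ET_DYN` object that also carries a `PT_INTERP` program header, whereas a classic executable is `ET_EXEC` and a plain shared library is `ET_DYN` without an interpreter. The following checker is an added example written for this discussion, not code from the PR or from nixpkgs; it parses the ELF header and program headers directly (no `readelf` or `file` needed) and is exercised on three minimal ELF64 images constructed inline so it runs offline.

```python
"""Classify an ELF image as PIE executable, non-PIE executable or shared
object by reading e_type and looking for a PT_INTERP program header.
Added example for the PIE discussion above; sample images are constructed,
not taken from any real build."""
import struct
import sys

# ELF constants (from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP, PT_PHDR = 1, 3, 6


def classify_elf(data: bytes) -> str:
    """Return one of 'non-PIE executable', 'PIE executable', 'shared object'."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1 = 32-bit, 2 = 64-bit; 1 = LE, 2 = BE
    end = "<" if ei_data == 1 else ">"
    # Fields after e_ident up to e_phnum: e_type, e_machine, e_version, e_entry,
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    fmt = end + ("HHIQQQIHHH" if ei_class == 2 else "HHIIIIIHHH")
    hdr = struct.unpack_from(fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]

    # p_type is the first 4-byte field of a program header in both ELF32 and ELF64
    has_interp = any(
        struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum)
    )

    if e_type == ET_EXEC:
        return "non-PIE executable"
    if e_type == ET_DYN:
        return "PIE executable" if has_interp else "shared object"
    return f"other (e_type={e_type})"


def classify_file(path: str) -> str:
    """Convenience wrapper for real files, e.g. ./result/bin/<name>."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed minimal little-endian x86_64 ELF64 image: header + program headers.
    Only the fields the classifier inspects are meaningful."""
    phoff, phnum = 64, len(phdr_types)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0x1000, phoff, 0, 0, 64, 56, phnum, 64, 0, 0,
    )
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 1) for t in phdr_types
    )
    return ehdr + phdrs


# Constructed samples (labelled as such): what gcc -pie, gcc -no-pie and gcc -shared produce
SAMPLE_PIE = build_elf64(ET_DYN, [PT_PHDR, PT_INTERP, PT_LOAD])
SAMPLE_NON_PIE = build_elf64(ET_EXEC, [PT_PHDR, PT_INTERP, PT_LOAD])
SAMPLE_SHLIB = build_elf64(ET_DYN, [PT_LOAD])


def main(argv):
    if len(argv) > 1:
        for path in argv[1:]:
            print(f"{path}: {classify_file(path)}")
    else:
        for name, image in [("pie", SAMPLE_PIE), ("non-pie", SAMPLE_NON_PIE), ("shlib", SAMPLE_SHLIB)]:
            print(f"{name}: {classify_elf(image)}")


if __name__ == "__main__":
    main(sys.argv)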
i686 works without issue.
OK, they were quite free now so I added them, i.e. now it's as full as the default nixpkgs/trunk jobset. At some point it would be nice to separate the common (stdenv) changes from the package changes, I think, for better visibility.
With this PR static-pie will also work: #123989
If this gets revived at some point (I hope it does!) be sure to take a second look at any packages which needed hardening disabled; many should be fixed by #135619.
Oh, I just realized I could revive this myself since the Hydra job is still active; I'd just have to push to this branch. Would that be all right with you? Don't want to step on any toes.
I am working on rebasing and writing documentation for this, but I have been hesitant to push because I do not want to overload Hydra given the work for 21.11.
Since several days ago there's also the caveat that cancelling whole evaluations doesn't work (and restarting individual jobs doesn't work).
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
Motivation for this change
https://blog.fpmurphy.com/2008/06/position-independent-executables.html
https://fedoraproject.org/wiki/Security_Features_Matrix#Address_Space_Layout_Randomization_.28ASLR.29
https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description