Comparing changes

base repository: NixOS/nixpkgs
base: d3cfda14fb63
head repository: NixOS/nixpkgs
compare: 6d531f354155
  • 1 commit
  • 1 file changed
  • 1 contributor

Commits on Nov 7, 2018

  1. make-derivation: enable pie hardening with musl

    Fixes #49071
    
    On ld.gold, we produce broken executables when linking with the Musl
    libc. This appears to be a known bug when using ld.gold and Musl. This
    thread describes the workaround as enabling PIE when using ld.gold and
    Musl:
    
    https://www.openwall.com/lists/musl/2015/05/01/5
    
    By default we don’t enable PIE to avoid breaking things. But in the
    Musl case we are breaking things by not enabling PIE. So this adds a
    special case for defaultHardeningFlags which keeps the pie hardening
    for everything. Any packages that break with PIE can add the pie flag
    to disableHardeningFlags array (a no-op for now on anything but Musl).
    matthewbauer authored and globin committed Nov 7, 2018
    6d531f3
Showing with 3 additions and 1 deletion.
  1. +3 −1 pkgs/stdenv/generic/make-derivation.nix
4 changes: 3 additions & 1 deletion pkgs/stdenv/generic/make-derivation.nix
@@ -93,7 +93,9 @@ rec {
++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
runtimeSensativeIfFixedOutput = fixedOutputDrv -> !noNonNativeDeps;
supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
defaultHardeningFlags = lib.remove "pie" supportedHardeningFlags;
defaultHardeningFlags = if stdenv.targetPlatform.isMusl
then supportedHardeningFlags
else lib.remove "pie" supportedHardeningFlags;
enabledHardeningOptions =
if builtins.elem "all" hardeningDisable
then []
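
Review bot: The new `if stdenv.targetPlatform.isMusl` branch of `defaultHardeningFlags` carries no comment explaining why musl keeps `pie`, and the condition is broader than the rationale in the commit message. That rationale is broken executables when linking with ld.gold against musl, yet the test turns PIE on for every musl target whichever linker is in use. Please add a short comment above the `if` that points at #49071 and the musl mailing-list thread, and say whether applying it to all musl targets is intended. The opt-out visible in the context lines is `hardeningDisable`, not `disableHardeningFlags` as the commit message calls it, so the comment should name `hardeningDisable` as the place where a package that breaks with PIE lists "pie".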