From 4a91b3e798c7fb9faa8613e4180d39ac3db42266 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Mon, 16 Oct 2023 18:25:08 +0100
Subject: [PATCH 1/8] cc-wrapper: add trivialautovarinit hardening flag support

this equates to -ftrivial-auto-var-init=pattern

clang has removed support for -ftrivial-auto-var-init=zero and are unlikely to re-add it, so use -ftrivial-auto-var-init=pattern on both compilers if only to make behaviour more consistent between the two.

add to pkgsExtraHardening's defaultHardeningFlags.
---
 nixos/doc/manual/release-notes/rl-2405.section.md | 2 ++
 pkgs/build-support/cc-wrapper/add-hardening.sh | 6 +++++-
 pkgs/development/compilers/gcc/default.nix | 2 +-
 pkgs/stdenv/generic/make-derivation.nix | 1 +
 pkgs/stdenv/linux/bootstrap-tools-musl/default.nix | 2 +-
 pkgs/stdenv/linux/bootstrap-tools/default.nix | 2 +-
 pkgs/top-level/stage.nix | 1 +
 7 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index ac3d2b69a4a2..488caa44f6ba 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -310,6 +310,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.
+- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
+
 - New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.). The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index e884f8388b58..ef166e2f50c5 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
- declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format zerocallusedregs)
+ declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format trivialautovarinit zerocallusedregs)
 declare -A hardeningDisableMap=()
 # Determine which flags were effectively disabled so we can report below.
@@ -106,6 +106,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
 hardeningCFlagsBefore+=('-fno-strict-overflow')
 fi
 ;;
+ trivialautovarinit)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling trivialautovarinit >&2; fi
+ hardeningCFlagsBefore+=('-ftrivial-auto-var-init=pattern')
+ ;;
 format)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
 hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
diff --git a/pkgs/development/compilers/gcc/default.nix b/pkgs/development/compilers/gcc/default.nix
index 53bc057a5b25..cc3546bed22c 100644
--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@@ -408,7 +408,7 @@ lib.pipe ((callFile ./common/builder.nix {}) ({
 isGNU = true;
 hardeningUnsupportedFlags = lib.optional is48 "stackprotector"
 ++ lib.optional (!atLeast11) "zerocallusedregs"
- ++ lib.optional (!atLeast12) "fortify3"
+ ++ lib.optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]
 ++ lib.optionals (langFortran) [ "fortify" "format" ];
 };
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 54a03a56866b..6a53d519045c 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -249,6 +249,7 @@ let
 "relro"
 "stackprotector"
 "strictoverflow"
+ "trivialautovarinit"
 "zerocallusedregs"
 ];
 defaultHardeningFlags =
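Review bot: The new `trivialautovarinit)` case pins `-ftrivial-auto-var-init=pattern` on the strength of the commit message's claim that clang dropped `=zero`, which as far as I know is no longer true — clang 16 and later accept `-ftrivial-auto-var-init=zero` without the old `-enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang` opt-in, so both compilers could use `zero` if that is the intent. The two modes serve different purposes: `pattern` is meant to make uninitialized reads fail loudly (a bug-finding aid), while `zero` is meant to make them benign (null pointers, zero lengths), which is the more common choice for a distribution-wide hardening default. Please re-check current clang behaviour and record the rationale in a comment above the case, e.g. `# =pattern rather than =zero: uninitialized reads fail loudly instead of being silently zeroed; revisit if =zero is preferred for production hardening`. The enclosing `case "$flag" in … esac` starts and ends outside the hunk.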
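Review bot: `knownHardeningFlags` gains `trivialautovarinit`, but nothing in the eight patches touches the stdenv manual (presumably `doc/stdenv/stdenv.chapter.md`), which is where the other names in this list are described for users of `hardeningDisable`/`hardeningEnable`; the release note added in patch 1 is not where someone reading the manual will look. Suggest a manual entry next to `zerocallusedregs` stating the compiler option it maps to, that it is not in the default set (only in `pkgsExtraHardening`), and that GCC before 12 does not support it. The enclosing `let` block starts and ends outside the hunk.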
diff --git a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
index ad2449cfd9ff..6d2490acfa47 100644
--- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
@@ -15,5 +15,5 @@ derivation ({
 langC = true;
 langCC = true;
 isGNU = true;
- hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+ hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)
diff --git a/pkgs/stdenv/linux/bootstrap-tools/default.nix b/pkgs/stdenv/linux/bootstrap-tools/default.nix
index ad2449cfd9ff..6d2490acfa47 100644
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@@ -15,5 +15,5 @@ derivation ({
 langC = true;
 langCC = true;
 isGNU = true;
- hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+ hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)
diff --git a/pkgs/top-level/stage.nix b/pkgs/top-level/stage.nix
index cbf0f585fe41..079c44ae912b 100644
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@@ -284,6 +284,7 @@ let
 stdenv = super'.withDefaultHardeningFlags (
 super'.stdenv.cc.defaultHardeningFlags ++ [
 "zerocallusedregs"
+ "trivialautovarinit"
 ]
 ) super'.stdenv;
 })
From 5ddeaeb1feef96f49833a0a927d4fe4434a42409 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Mon, 16 Oct 2023 20:43:56 +0100
Subject: [PATCH 2/8] llvmPackages_*.llvm: disable trivialautovarinit hardening flag
---
 pkgs/development/compilers/llvm/11/llvm/default.nix | 2 ++
 pkgs/development/compilers/llvm/12/llvm/default.nix | 2 ++
 pkgs/development/compilers/llvm/13/llvm/default.nix | 2 ++
 pkgs/development/compilers/llvm/14/llvm/default.nix | 2 ++
 pkgs/development/compilers/llvm/15/llvm/default.nix | 2 ++
 pkgs/development/compilers/llvm/16/llvm/default.nix | 2 ++
 pkgs/development/compilers/llvm/9/llvm/default.nix | 2 ++
 pkgs/development/compilers/llvm/git/llvm/default.nix | 2 ++
 8 files changed, 16 insertions(+)

diff --git a/pkgs/development/compilers/llvm/11/llvm/default.nix b/pkgs/development/compilers/llvm/11/llvm/default.nix
index e71d63859a06..5e22d3f4af16 100644
--- a/pkgs/development/compilers/llvm/11/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/11/llvm/default.nix
@@ -212,6 +212,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/12/llvm/default.nix b/pkgs/development/compilers/llvm/12/llvm/default.nix
index 3ac3ee24aec4..d75ce3b3b052 100644
--- a/pkgs/development/compilers/llvm/12/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/12/llvm/default.nix
@@ -202,6 +202,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
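Review bot: `hardeningDisable = [ "trivialautovarinit" ];` is added with no comment saying why, unlike the systemd change later in the series, so a maintainer cannot tell whether this is a build break, a failing test or a compile-time cost, nor when the exception can be dropped; the same bare line is repeated for every LLVM version in this patch. Add a one-line reason above it, e.g. `# -ftrivial-auto-var-init=pattern: <build failure | test failure | perf> — see <issue>`. The patch's diffstat also covers llvm 9, 11–16 and git but neither 10 nor 17; if those package sets exist in the tree they presumably need the same treatment or a note on why not. The `rec { … }` attribute set starts and ends outside the hunk.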
diff --git a/pkgs/development/compilers/llvm/13/llvm/default.nix b/pkgs/development/compilers/llvm/13/llvm/default.nix
index faebfb6e2bfd..58e742b9b41e 100644
--- a/pkgs/development/compilers/llvm/13/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/13/llvm/default.nix
@@ -164,6 +164,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/14/llvm/default.nix b/pkgs/development/compilers/llvm/14/llvm/default.nix
index ed7d238ddaee..124d07e4bb2b 100644
--- a/pkgs/development/compilers/llvm/14/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/14/llvm/default.nix
@@ -168,6 +168,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/15/llvm/default.nix b/pkgs/development/compilers/llvm/15/llvm/default.nix
index 7f1232d57a18..d7ebcbcf8b76 100644
--- a/pkgs/development/compilers/llvm/15/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/15/llvm/default.nix
@@ -300,6 +300,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/16/llvm/default.nix b/pkgs/development/compilers/llvm/16/llvm/default.nix
index 661866c1890b..aed9c367d1ad 100644
--- a/pkgs/development/compilers/llvm/16/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/16/llvm/default.nix
@@ -287,6 +287,8 @@ in
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/9/llvm/default.nix b/pkgs/development/compilers/llvm/9/llvm/default.nix
index 7d5e8389eba9..f8f1c67670ec 100644
--- a/pkgs/development/compilers/llvm/9/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/9/llvm/default.nix
@@ -203,6 +203,8 @@ in stdenv.mkDerivation (rec {
 ln -sv $PWD/lib $out
 '';
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/git/llvm/default.nix b/pkgs/development/compilers/llvm/git/llvm/default.nix
index b8cef2287806..6dc2b51aaf9a 100644
--- a/pkgs/development/compilers/llvm/git/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/git/llvm/default.nix
@@ -290,6 +290,8 @@ stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
From ccf0e19d55beea941c4b4274e6a6f5ae26aaec2d Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 21 Jan 2024 15:58:44 +0000
Subject: [PATCH 3/8] catch2_3: disable trivialautovarinit hardening flag
---
 pkgs/development/libraries/catch2/3.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/catch2/3.nix b/pkgs/development/libraries/catch2/3.nix
index aa8bf62059bd..403c4f729b05 100644
--- a/pkgs/development/libraries/catch2/3.nix
+++ b/pkgs/development/libraries/catch2/3.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 cmake
 ];
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeFlags = [
 "-DCATCH_DEVELOPMENT_BUILD=ON"
 "-DCATCH_BUILD_TESTING=${if doCheck then "ON" else "OFF"}"
From 2b673eef6fe3c7844563d92099d7a1ac2c0e65b1 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 21 Jan 2024 15:58:59 +0000
Subject: [PATCH 4/8] gnutls: disable trivialautovarinit hardening flag
---
 pkgs/development/libraries/gnutls/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
index b8c95653e366..478221f0a990 100644
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -80,6 +80,8 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ hardeningDisable = [ "trivialautovarinit" ];
+
 buildInputs = [ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ]
 ++ lib.optional (withP11-kit) p11-kit
 ++ lib.optional (tpmSupport && stdenv.isLinux) trousers;
From f63d2dfb562ea05507c1e3cf1bc498762dd4d656 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 21 Jan 2024 15:59:28 +0000
Subject: [PATCH 5/8] libnetfilter_conntrack: disable trivialautovarinit hardening flag
---
 pkgs/development/libraries/libnetfilter_conntrack/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/development/libraries/libnetfilter_conntrack/default.nix b/pkgs/development/libraries/libnetfilter_conntrack/default.nix
index e960c8d1bf48..c424879a8191 100644
--- a/pkgs/development/libraries/libnetfilter_conntrack/default.nix
+++ b/pkgs/development/libraries/libnetfilter_conntrack/default.nix
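Review bot: Disabling stack-variable initialisation for a TLS library is a security-relevant exception, and `hardeningDisable = [ "trivialautovarinit" ];` records no reason for it; gnutls is exactly the kind of package where uninitialized automatic storage may hold key material or parsed record data, so the trigger (build error, self-test failure or performance) should be stated. Please add a comment with the cause and a reference, e.g. `# trivialautovarinit: <reason>, see <issue>`, and if the problem is confined to one test or translation unit, consider fixing it there rather than dropping the flag for the whole library. The `rec { … }` attribute set starts and ends outside the hunk.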
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 })
 ];
+ hardeningDisable = [ "trivialautovarinit" ];
+
 buildInputs = [ libmnl ];
 propagatedBuildInputs = [ libnfnetlink ];
 nativeBuildInputs = [ pkg-config ];
From 4123c6c93f5349072bedf91b8ee4dd2a9a368986 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 21 Jan 2024 15:59:55 +0000
Subject: [PATCH 6/8] lttng-ust: disable trivialautovarinit hardening flag
---
 pkgs/development/tools/misc/lttng-ust/generic.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/development/tools/misc/lttng-ust/generic.nix b/pkgs/development/tools/misc/lttng-ust/generic.nix
index 56ad3b19e520..60b133f73144 100644
--- a/pkgs/development/tools/misc/lttng-ust/generic.nix
+++ b/pkgs/development/tools/misc/lttng-ust/generic.nix
@@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
 patchShebangs .
 '';
+ hardeningDisable = [ "trivialautovarinit" ];
+
 configureFlags = [ "--disable-examples" ];
 propagatedBuildInputs = [ liburcu ];
From 12970b96ed55cf36a0d3f8cb49b7ea621077f43d Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 21 Jan 2024 16:00:35 +0000
Subject: [PATCH 7/8] systemd: disable trivialautovarinit hardening flag to avoid a reported performance regression
---
 pkgs/os-specific/linux/systemd/default.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 064c465bd6e3..c304cb1dc2f8 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -404,6 +404,11 @@ stdenv.mkDerivation (finalAttrs: {
 outputs = [ "out" "dev" ] ++ (lib.optional (!buildLibsOnly) "man");
+ hardeningDisable = [
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523
+ "trivialautovarinit"
+ ];
+
 nativeBuildInputs = [
 pkg-config
From 1cae11c0fc716d0a2ae83b6916e90fa538714308 Mon Sep 17 00:00:00 2001
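Review bot: The comment explains the disable with a GCC bugzilla link, but the attribute as written also drops the flag when systemd is built with clang (e.g. `pkgsLLVM`), where a GCC codegen regression does not apply. Since `lib` is already in scope on the `outputs` line above, the exception can be limited to the affected compiler by changing the first added line to `hardeningDisable = lib.optionals stdenv.cc.isGNU [` and keeping the bugzilla comment inside the list — assuming the regression really is GCC-only, which the tracker suggests but the commit message does not say. It would also help to note in the comment which GCC versions are affected so the exception can be removed once the fix lands. The `finalAttrs: { … }` set starts and ends outside the hunk.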
From: Robert Scott
Date: Sun, 21 Jan 2024 16:00:54 +0000
Subject: [PATCH 8/8] coreutils: disable trivialautovarinit hardening flag
---
 pkgs/tools/misc/coreutils/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix
index 24e25e584d4b..388dcd428c71 100644
--- a/pkgs/tools/misc/coreutils/default.nix
+++ b/pkgs/tools/misc/coreutils/default.nix
@@ -104,6 +104,8 @@ stdenv.mkDerivation rec {
 # TODO(@Ericson2314): Investigate whether Darwin could benefit too
 ++ optional (isCross && stdenv.hostPlatform.libc != "glibc") libiconv;
+ hardeningDisable = [ "trivialautovarinit" ];
+
 configureFlags = [ "--with-packager=https://nixos.org" ]
 ++ optional (singleBinary != false) ("--enable-single-binary" + optionalString (isString singleBinary) "=${singleBinary}")
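Review bot: Like most of the per-package patches in this series, `hardeningDisable = [ "trivialautovarinit" ];` lands without a reason, and coreutils is in essentially every closure, so whether this is a measured slowdown or a test-suite failure matters to anyone deciding whether to keep carrying the exception. Add a comment naming the cause and a reference, e.g. `# trivialautovarinit: <reason>, see <issue>`, so it can be revisited when the cause is fixed. The `rec { … }` attribute set starts and ends outside the hunk.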