Merge pull request #282638 from risicle/ris-trivialautovarinit

cc-wrapper: add `trivialautovarinit` hardening flag support
2024-02-24 20:23:31 +00:00 · 2024-02-24 20:23:31 +00:00 · 259fabc9ee
commit 259fabc9ee
parent 35aa42e19a 1cae11c0fc
21 changed files with 43 additions and 4 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -310,6 +310,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

 - A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.

+- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
+
 - New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
  The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.

--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi

 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format trivialautovarinit zerocallusedregs)
  declare -A hardeningDisableMap=()

  # Determine which flags were effectively disabled so we can report below.
@ -106,6 +106,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
        hardeningCFlagsBefore+=('-fno-strict-overflow')
      fi
      ;;
+    trivialautovarinit)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling trivialautovarinit >&2; fi
+      hardeningCFlagsBefore+=('-ftrivial-auto-var-init=pattern')
+      ;;
    format)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
      hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@ -408,7 +408,7 @@ lib.pipe ((callFile ./common/builder.nix {}) ({
    isGNU = true;
    hardeningUnsupportedFlags = lib.optional is48 "stackprotector"
      ++ lib.optional (!atLeast11) "zerocallusedregs"
-      ++ lib.optional (!atLeast12) "fortify3"
+      ++ lib.optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]
      ++ lib.optionals (langFortran) [ "fortify" "format" ];
  };

--- a/pkgs/development/compilers/llvm/11/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/11/llvm/default.nix
@ -212,6 +212,8 @@ in stdenv.mkDerivation (rec {
  # E.g. mesa.drivers use the build-id as a cache key (see #93946):
  LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeBuildType = if debugVersion then "Debug" else "Release";

  cmakeFlags = with stdenv; let
--- a/pkgs/development/compilers/llvm/12/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/12/llvm/default.nix
@ -202,6 +202,8 @@ in stdenv.mkDerivation (rec {
  # E.g. mesa.drivers use the build-id as a cache key (see #93946):
  LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeBuildType = if debugVersion then "Debug" else "Release";

  cmakeFlags = with stdenv; let
--- a/pkgs/development/compilers/llvm/13/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/13/llvm/default.nix
@ -164,6 +164,8 @@ in stdenv.mkDerivation (rec {
  # E.g. mesa.drivers use the build-id as a cache key (see #93946):
  LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeBuildType = if debugVersion then "Debug" else "Release";

  cmakeFlags = with stdenv; let
--- a/pkgs/development/compilers/llvm/14/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/14/llvm/default.nix
@ -168,6 +168,8 @@ in stdenv.mkDerivation (rec {
  # E.g. mesa.drivers use the build-id as a cache key (see #93946):
  LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeBuildType = if debugVersion then "Debug" else "Release";

  cmakeFlags = with stdenv; let
--- a/pkgs/development/compilers/llvm/15/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/15/llvm/default.nix
@ -300,6 +300,8 @@ in stdenv.mkDerivation (rec {
  # E.g. mesa.drivers use the build-id as a cache key (see #93946):
  LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeBuildType = if debugVersion then "Debug" else "Release";

  cmakeFlags = with stdenv; let
--- a/pkgs/development/compilers/llvm/16/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/16/llvm/default.nix
@ -287,6 +287,8 @@ in
  # E.g. mesa.drivers use the build-id as a cache key (see #93946):
  LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeBuildType = if debugVersion then "Debug" else "Release";

  cmakeFlags = with stdenv; let
--- a/pkgs/development/compilers/llvm/9/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/9/llvm/default.nix
@ -203,6 +203,8 @@ in stdenv.mkDerivation (rec {
    ln -sv $PWD/lib $out
  '';

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeBuildType = if debugVersion then "Debug" else "Release";

  cmakeFlags = with stdenv; let
--- a/pkgs/development/compilers/llvm/git/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/git/llvm/default.nix
@ -290,6 +290,8 @@ stdenv.mkDerivation (rec {
  # E.g. mesa.drivers use the build-id as a cache key (see #93946):
  LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeBuildType = if debugVersion then "Debug" else "Release";

  cmakeFlags = with stdenv; let
--- a/pkgs/development/libraries/catch2/3.nix
+++ b/pkgs/development/libraries/catch2/3.nix
@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
    cmake
  ];

+  hardeningDisable = [ "trivialautovarinit" ];
+
  cmakeFlags = [
    "-DCATCH_DEVELOPMENT_BUILD=ON"
    "-DCATCH_BUILD_TESTING=${if doCheck then "ON" else "OFF"}"
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@ -106,6 +106,8 @@ stdenv.mkDerivation rec {

  enableParallelBuilding = true;

+  hardeningDisable = [ "trivialautovarinit" ];
+
  buildInputs = [ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ]
    ++ lib.optional (withP11-kit) p11-kit
    ++ lib.optional (tpmSupport && stdenv.isLinux) trousers;
--- a/pkgs/development/libraries/libnetfilter_conntrack/default.nix
+++ b/pkgs/development/libraries/libnetfilter_conntrack/default.nix
@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
    })
  ];

+  hardeningDisable = [ "trivialautovarinit" ];
+
  buildInputs = [ libmnl ];
  propagatedBuildInputs = [ libnfnetlink ];
  nativeBuildInputs = [ pkg-config ];
--- a/pkgs/development/tools/misc/lttng-ust/generic.nix
+++ b/pkgs/development/tools/misc/lttng-ust/generic.nix
@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
    patchShebangs .
  '';

+  hardeningDisable = [ "trivialautovarinit" ];
+
  configureFlags = [ "--disable-examples" ];

  propagatedBuildInputs = [ liburcu ];
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@ -404,6 +404,11 @@ stdenv.mkDerivation (finalAttrs: {

  outputs = [ "out" "dev" ] ++ (lib.optional (!buildLibsOnly) "man");

+  hardeningDisable = [
+    # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523
+    "trivialautovarinit"
+  ];
+
  nativeBuildInputs =
    [
      pkg-config
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@ -249,6 +249,7 @@ let
    "relro"
    "stackprotector"
    "strictoverflow"
+    "trivialautovarinit"
    "zerocallusedregs"
  ];
  defaultHardeningFlags =
--- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
@ -15,5 +15,5 @@ derivation ({
  langC = true;
  langCC = true;
  isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@ -15,5 +15,5 @@ derivation ({
  langC = true;
  langCC = true;
  isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)
--- a/pkgs/tools/misc/coreutils/default.nix
+++ b/pkgs/tools/misc/coreutils/default.nix
@ -104,6 +104,8 @@ stdenv.mkDerivation rec {
    # TODO(@Ericson2314): Investigate whether Darwin could benefit too
    ++ optional (isCross && stdenv.hostPlatform.libc != "glibc") libiconv;

+  hardeningDisable = [ "trivialautovarinit" ];
+
  configureFlags = [ "--with-packager=https://nixos.org" ]
    ++ optional (singleBinary != false)
      ("--enable-single-binary" + optionalString (isString singleBinary) "=${singleBinary}")
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@ -284,6 +284,7 @@ let
          stdenv = super'.withDefaultHardeningFlags (
            super'.stdenv.cc.defaultHardeningFlags ++ [
              "zerocallusedregs"
+              "trivialautovarinit"
            ]
          ) super'.stdenv;
        })