diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index ac3d2b69a4a2..488caa44f6ba 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -310,6 +310,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.
+- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
+
 - New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.). The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index e884f8388b58..ef166e2f50c5 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
- declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format zerocallusedregs)
+ declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format trivialautovarinit zerocallusedregs)
 declare -A hardeningDisableMap=()
 # Determine which flags were effectively disabled so we can report below.
@@ -106,6 +106,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
 hardeningCFlagsBefore+=('-fno-strict-overflow')
 fi
 ;;
+ trivialautovarinit)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling trivialautovarinit >&2; fi
+ hardeningCFlagsBefore+=('-ftrivial-auto-var-init=pattern')
+ ;;
 format)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
 hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
diff --git a/pkgs/development/compilers/gcc/default.nix b/pkgs/development/compilers/gcc/default.nix
index 53bc057a5b25..cc3546bed22c 100644
--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@@ -408,7 +408,7 @@ lib.pipe ((callFile ./common/builder.nix {}) ({
 isGNU = true;
 hardeningUnsupportedFlags = lib.optional is48 "stackprotector"
 ++ lib.optional (!atLeast11) "zerocallusedregs"
- ++ lib.optional (!atLeast12) "fortify3"
+ ++ lib.optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]
 ++ lib.optionals (langFortran) [ "fortify" "format" ];
 };
diff --git a/pkgs/development/compilers/llvm/11/llvm/default.nix b/pkgs/development/compilers/llvm/11/llvm/default.nix
index e71d63859a06..5e22d3f4af16 100644
--- a/pkgs/development/compilers/llvm/11/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/11/llvm/default.nix
@@ -212,6 +212,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/12/llvm/default.nix b/pkgs/development/compilers/llvm/12/llvm/default.nix
index 3ac3ee24aec4..d75ce3b3b052 100644
--- a/pkgs/development/compilers/llvm/12/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/12/llvm/default.nix
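Review bot: The new `trivialautovarinit)` branch hard-codes `=pattern` without recording why that mode was chosen over `zero`, which gcc and clang also accept for this option and which is generally the cheaper mode. Pattern fill is the stronger bug-surfacing choice, because a read of an uninitialised local yields a visibly bogus value rather than a plausible zero that can quietly pass as valid, so the choice is defensible but belongs next to the flag so a later change to `=zero` is a deliberate decision rather than a drive-by. Suggest, directly above the `hardeningCFlagsBefore+=` line: `# pattern, not zero: uninitialised reads become visibly bogus instead of quietly looking valid; move to =zero only if the cost is shown to matter`. The enclosing `case` statement begins outside the hunk.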
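Review bot: `hardeningDisable = [ "trivialautovarinit" ];` is added here with no stated reason, whereas the systemd hunk in this same commit links the upstream GCC bug that motivates its opt-out; the same bare disable appears in llvm 12, 13, 14, 15, 16, 9 and git, catch2, gnutls, libnetfilter_conntrack, lttng-ust and coreutils. Without a reason nobody can later tell whether the flag broke the build, failed a test, or only cost performance, and each of those needs a different check before the opt-out can be dropped; gnutls in particular is a TLS implementation where an unexplained opt-out from a memory-initialisation hardening should not be taken on faith. Suggest `hardeningDisable = [ "trivialautovarinit" ]; # FIXME: <reason — build/test failure or issue link>` in each of these, or the multi-line form with a link that the systemd hunk already uses. The enclosing `stdenv.mkDerivation (rec {` attrset begins before the hunk.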
@@ -202,6 +202,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/13/llvm/default.nix b/pkgs/development/compilers/llvm/13/llvm/default.nix
index faebfb6e2bfd..58e742b9b41e 100644
--- a/pkgs/development/compilers/llvm/13/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/13/llvm/default.nix
@@ -164,6 +164,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/14/llvm/default.nix b/pkgs/development/compilers/llvm/14/llvm/default.nix
index ed7d238ddaee..124d07e4bb2b 100644
--- a/pkgs/development/compilers/llvm/14/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/14/llvm/default.nix
@@ -168,6 +168,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/15/llvm/default.nix b/pkgs/development/compilers/llvm/15/llvm/default.nix
index 7f1232d57a18..d7ebcbcf8b76 100644
--- a/pkgs/development/compilers/llvm/15/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/15/llvm/default.nix
@@ -300,6 +300,8 @@ in stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/16/llvm/default.nix b/pkgs/development/compilers/llvm/16/llvm/default.nix
index 661866c1890b..aed9c367d1ad 100644
--- a/pkgs/development/compilers/llvm/16/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/16/llvm/default.nix
@@ -287,6 +287,8 @@ in
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/9/llvm/default.nix b/pkgs/development/compilers/llvm/9/llvm/default.nix
index 7d5e8389eba9..f8f1c67670ec 100644
--- a/pkgs/development/compilers/llvm/9/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/9/llvm/default.nix
@@ -203,6 +203,8 @@ in stdenv.mkDerivation (rec {
 ln -sv $PWD/lib $out
 '';
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/compilers/llvm/git/llvm/default.nix b/pkgs/development/compilers/llvm/git/llvm/default.nix
index b8cef2287806..6dc2b51aaf9a 100644
--- a/pkgs/development/compilers/llvm/git/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/git/llvm/default.nix
@@ -290,6 +290,8 @@ stdenv.mkDerivation (rec {
 # E.g. mesa.drivers use the build-id as a cache key (see #93946):
 LDFLAGS = optionalString (enableSharedLibraries && !stdenv.isDarwin) "-Wl,--build-id=sha1";
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeBuildType = if debugVersion then "Debug" else "Release";
 cmakeFlags = with stdenv; let
diff --git a/pkgs/development/libraries/catch2/3.nix b/pkgs/development/libraries/catch2/3.nix
index aa8bf62059bd..403c4f729b05 100644
--- a/pkgs/development/libraries/catch2/3.nix
+++ b/pkgs/development/libraries/catch2/3.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 cmake
 ];
+ hardeningDisable = [ "trivialautovarinit" ];
+
 cmakeFlags = [
 "-DCATCH_DEVELOPMENT_BUILD=ON"
 "-DCATCH_BUILD_TESTING=${if doCheck then "ON" else "OFF"}"
diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
index 86b22eb7cfd7..3bef1d935564 100644
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -106,6 +106,8 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ hardeningDisable = [ "trivialautovarinit" ];
+
 buildInputs = [ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ]
 ++ lib.optional (withP11-kit) p11-kit
 ++ lib.optional (tpmSupport && stdenv.isLinux) trousers;
diff --git a/pkgs/development/libraries/libnetfilter_conntrack/default.nix b/pkgs/development/libraries/libnetfilter_conntrack/default.nix
index e960c8d1bf48..c424879a8191 100644
--- a/pkgs/development/libraries/libnetfilter_conntrack/default.nix
+++ b/pkgs/development/libraries/libnetfilter_conntrack/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 })
 ];
+ hardeningDisable = [ "trivialautovarinit" ];
+
 buildInputs = [ libmnl ];
 propagatedBuildInputs = [ libnfnetlink ];
 nativeBuildInputs = [ pkg-config ];
diff --git a/pkgs/development/tools/misc/lttng-ust/generic.nix b/pkgs/development/tools/misc/lttng-ust/generic.nix
index 56ad3b19e520..60b133f73144 100644
--- a/pkgs/development/tools/misc/lttng-ust/generic.nix
+++ b/pkgs/development/tools/misc/lttng-ust/generic.nix
@@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
 patchShebangs .
 '';
+ hardeningDisable = [ "trivialautovarinit" ];
+
 configureFlags = [ "--disable-examples" ];
 propagatedBuildInputs = [ liburcu ];
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 064c465bd6e3..c304cb1dc2f8 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -404,6 +404,11 @@ stdenv.mkDerivation (finalAttrs: {
 outputs = [ "out" "dev" ] ++ (lib.optional (!buildLibsOnly) "man");
+ hardeningDisable = [
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523
+ "trivialautovarinit"
+ ];
+
 nativeBuildInputs = [
 pkg-config
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 54a03a56866b..6a53d519045c 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -249,6 +249,7 @@ let
 "relro"
 "stackprotector"
 "strictoverflow"
+ "trivialautovarinit"
 "zerocallusedregs"
 ];
 defaultHardeningFlags =
diff --git a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
index ad2449cfd9ff..6d2490acfa47 100644
--- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
@@ -15,5 +15,5 @@ derivation ({
 langC = true;
 langCC = true;
 isGNU = true;
- hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+ hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)
diff --git a/pkgs/stdenv/linux/bootstrap-tools/default.nix b/pkgs/stdenv/linux/bootstrap-tools/default.nix
index ad2449cfd9ff..6d2490acfa47 100644
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@@ -15,5 +15,5 @@ derivation ({
 langC = true;
 langCC = true;
 isGNU = true;
- hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+ hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)
diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix
index 24e25e584d4b..388dcd428c71 100644
--- a/pkgs/tools/misc/coreutils/default.nix
+++ b/pkgs/tools/misc/coreutils/default.nix
@@ -104,6 +104,8 @@ stdenv.mkDerivation rec {
 # TODO(@Ericson2314): Investigate whether Darwin could benefit too
 ++ optional (isCross && stdenv.hostPlatform.libc != "glibc") libiconv;
+ hardeningDisable = [ "trivialautovarinit" ];
+
 configureFlags = [ "--with-packager=https://nixos.org" ]
 ++ optional (singleBinary != false) ("--enable-single-binary" + optionalString (isString singleBinary) "=${singleBinary}")
diff --git a/pkgs/top-level/stage.nix b/pkgs/top-level/stage.nix
index cbf0f585fe41..079c44ae912b 100644
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@@ -284,6 +284,7 @@ let
 stdenv = super'.withDefaultHardeningFlags (
 super'.stdenv.cc.defaultHardeningFlags ++ [
 "zerocallusedregs"
+ "trivialautovarinit"
 ]
 ) super'.stdenv;
 })