From 4a91b3e798c7fb9faa8613e4180d39ac3db42266 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Mon, 16 Oct 2023 18:25:08 +0100
Subject: [PATCH] cc-wrapper: add trivialautovarinit hardening flag support
this equates to -ftrivial-auto-var-init=pattern
clang has removed support for -ftrivial-auto-var-init=zero and are unlikely to re-add it, so use -ftrivial-auto-var-init=pattern on both compilers if only to make behaviour more consistent between the two.
add to pkgsExtraHardening's defaultHardeningFlags.
---
 nixos/doc/manual/release-notes/rl-2405.section.md | 2 ++
 pkgs/build-support/cc-wrapper/add-hardening.sh | 6 +++++-
 pkgs/development/compilers/gcc/default.nix | 2 +-
 pkgs/stdenv/generic/make-derivation.nix | 1 +
 pkgs/stdenv/linux/bootstrap-tools-musl/default.nix | 2 +-
 pkgs/stdenv/linux/bootstrap-tools/default.nix | 2 +-
 pkgs/top-level/stage.nix | 1 +
 7 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index ac3d2b69a4a2..488caa44f6ba 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -310,6 +310,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.
+- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
+
 - New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.). The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index e884f8388b58..ef166e2f50c5 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
- declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format zerocallusedregs)
+ declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format trivialautovarinit zerocallusedregs)
 declare -A hardeningDisableMap=()
 # Determine which flags were effectively disabled so we can report below.
@@ -106,6 +106,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
 hardeningCFlagsBefore+=('-fno-strict-overflow')
 fi
 ;;
+ trivialautovarinit)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling trivialautovarinit >&2; fi
+ hardeningCFlagsBefore+=('-ftrivial-auto-var-init=pattern')
+ ;;
 format)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
 hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
diff --git a/pkgs/development/compilers/gcc/default.nix b/pkgs/development/compilers/gcc/default.nix
index 53bc057a5b25..cc3546bed22c 100644
--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@@ -408,7 +408,7 @@ lib.pipe ((callFile ./common/builder.nix {}) ({
 isGNU = true;
 hardeningUnsupportedFlags = lib.optional is48 "stackprotector"
 ++ lib.optional (!atLeast11) "zerocallusedregs"
- ++ lib.optional (!atLeast12) "fortify3"
+ ++ lib.optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]
 ++ lib.optionals (langFortran) [ "fortify" "format" ];
 };
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 54a03a56866b..6a53d519045c 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -249,6 +249,7 @@ let
 "relro"
 "stackprotector"
 "strictoverflow"
+ "trivialautovarinit"
 "zerocallusedregs"
 ];
 defaultHardeningFlags =
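Review bot: The `allHardeningFlags` array inside the `NIX_DEBUG` block is a second copy of the flag set that this same commit also extends in pkgs/stdenv/generic/make-derivation.nix, and nothing in add-hardening.sh says the two must agree, so the next flag added to one list is likely to be missed in the other and would then presumably be absent from the "effectively disabled" report this array feeds. A one-line comment above the declaration would make the coupling visible: `# Keep in sync with the known hardening flags list in pkgs/stdenv/generic/make-derivation.nix.` The enclosing `if (( "${NIX_DEBUG:-0}" >= 1 ))` block ends outside the hunk.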
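Review bot: The new `trivialautovarinit)` case appends `-ftrivial-auto-var-init=pattern` with no comment, and the flag's name does not tell a reader what the compiler will do: automatic variables are filled with a fixed non-zero byte pattern, not zero, so a read of an uninitialised local becomes deterministic and easier to notice but is still a bug in the source. Because the option goes into `hardeningCFlagsBefore`, a package that passes its own `-ftrivial-auto-var-init=` later on the command line still wins, which matches the neighbouring cases but is worth stating. I'd add above the `hardeningCFlagsBefore+=` line: `# =pattern fills automatic variables with a fixed byte pattern (not zero); it makes uninitialised reads deterministic, not correct.` As far as I recall clang 16 reinstated `=zero` without its opt-in flag, so the comment should give cross-compiler consistency, rather than clang lacking `=zero`, as the reason for choosing `pattern`. The enclosing `case` statement continues outside the hunk.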
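Review bot: `lib.optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]` now gates two flags on one version test without saying why the new one belongs there; GCC gained `-ftrivial-auto-var-init` in GCC 12, so the cut-off is right, but a reader cannot tell that from the line alone. A short trailing comment keeps the gating self-explanatory: `++ lib.optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ] # both need GCC >= 12`. The `hardeningUnsupportedFlags` expression is shown whole, but the enclosing attribute set starts before the hunk.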
diff --git a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
index ad2449cfd9ff..6d2490acfa47 100644
--- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix
@@ -15,5 +15,5 @@ derivation ({
 langC = true;
 langCC = true;
 isGNU = true;
- hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+ hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)
diff --git a/pkgs/stdenv/linux/bootstrap-tools/default.nix b/pkgs/stdenv/linux/bootstrap-tools/default.nix
index ad2449cfd9ff..6d2490acfa47 100644
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@@ -15,5 +15,5 @@ derivation ({
 langC = true;
 langCC = true;
 isGNU = true;
- hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+ hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)
diff --git a/pkgs/top-level/stage.nix b/pkgs/top-level/stage.nix
index cbf0f585fe41..079c44ae912b 100644
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@@ -284,6 +284,7 @@ let
 stdenv = super'.withDefaultHardeningFlags (
 super'.stdenv.cc.defaultHardeningFlags ++ [
 "zerocallusedregs"
+ "trivialautovarinit"
 ]
 ) super'.stdenv;
 })
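Review bot: `[ "fortify3" "zerocallusedregs" "trivialautovarinit" ]` appends the new flag at the end, whereas the list extended in pkgs/stdenv/generic/make-derivation.nix by this same commit keeps its entries alphabetical; the same ordering is used in pkgs/stdenv/linux/bootstrap-tools/default.nix. Keeping these short lists sorted makes a missing or duplicated flag easier to spot when the lists are compared by eye: `hardeningUnsupportedFlags = [ "fortify3" "trivialautovarinit" "zerocallusedregs" ];`. The two bootstrap-tools files carry the same blob ids (`ad2449cfd9ff..6d2490acfa47`), so presumably they are identical copies that must be changed together, as the commit does.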
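Review bot: Adding `"trivialautovarinit"` to pkgsExtraHardening's default flags turns on `-ftrivial-auto-var-init=pattern` for every package built with that stdenv, and the list gives no hint of the trade-off: every automatic variable gets an explicit pattern fill, which costs code size and some runtime, and a program that wrongly relied on zeroed stack memory will now see a non-zero pattern instead of appearing to work. That is the intended hardening effect, but it is the kind of behaviour change that surfaces as a test failure or odd output long after the flag was switched on, so a comment next to the entry would save the search: `# pattern-fills uninitialised automatic variables; reads of them become deterministic, not zero`. Whether an older gcc or clang in this stdenv drops the flag depends on the compiler's unsupported-flags list, which this file does not show. The `withDefaultHardeningFlags` call begins outside the hunk.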