cc-wrapper: include fortify-headers before libc includes for musl

2023-02-28 18:18:51 +00:00 · 2023-02-28 18:18:51 +00:00 · 95c4a1fe96
commit 95c4a1fe96
parent 842726c6dc
2 changed files with 21 additions and 0 deletions
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@ -51,6 +51,8 @@

 # the derivation at which the `-B` and `-L` flags added by `useCcForLibs` will point
 , gccForLibs ? if useCcForLibs then cc else null
+, fortify-headers ? null
+, includeFortifyHeaders ? null
 }:

 with lib;
@ -65,6 +67,10 @@ let
  stdenv = stdenvNoCC;
  inherit (stdenv) hostPlatform targetPlatform;

+  includeFortifyHeaders' = if includeFortifyHeaders != null
+    then includeFortifyHeaders
+    else targetPlatform.libc == "musl";
+
  # Prefix for binaries. Customarily ends with a dash separator.
  #
  # TODO(@Ericson2314) Make unconditional, or optional but always true by
@ -165,6 +171,8 @@ let
    stdenv.targetPlatform.darwinMinVersionVariable;
 in

+assert includeFortifyHeaders' -> fortify-headers != null;
+
 # Ensure bintools matches
 assert libc_bin == bintools.libc_bin;
 assert libc_dev == bintools.libc_dev;
@ -414,6 +422,16 @@ stdenv.mkDerivation {

      echo "${libc_lib}" > $out/nix-support/orig-libc
      echo "${libc_dev}" > $out/nix-support/orig-libc-dev
+    ''
+    # fortify-headers is a set of wrapper headers that augment libc
+    # and use #include_next to pass through to libc's true
+    # implementations, so must appear before them in search order.
+    # in theory a correctly placed -idirafter could be used, but in
+    # practice the compiler may have been built with a --with-headers
+    # like option that forces the libc headers before all -idirafter,
+    # hence -isystem here.
+    + optionalString includeFortifyHeaders' ''
+      echo "-isystem ${fortify-headers}/include" >> $out/nix-support/libc-cflags
    '')

    ##
--- a/pkgs/stdenv/linux/default.nix
+++ b/pkgs/stdenv/linux/default.nix
@ -194,6 +194,7 @@ let
          inherit lib;
          inherit (prevStage) coreutils gnugrep;
          stdenvNoCC = prevStage.ccWrapperStdenv;
+          fortify-headers = prevStage.fortify-headers;
        }).overrideAttrs(a: lib.optionalAttrs (prevStage.gcc-unwrapped.passthru.isXgcc or false) {
          # This affects only `xgcc` (the compiler which compiles the final compiler).
          postFixup = (a.postFixup or "") + ''
@ -568,6 +569,7 @@ in
        inherit lib;
        inherit (self) stdenvNoCC coreutils gnugrep;
        shell = self.bash + "/bin/bash";
+        fortify-headers = self.fortify-headers;
      };
    };
    extraNativeBuildInputs = [
@ -645,6 +647,7 @@ in
        ++  [ linuxHeaders # propagated from .dev
            binutils gcc gcc.cc gcc.cc.lib gcc.expand-response-params gcc.cc.libgcc glibc.passthru.libgcc
          ]
+        ++ lib.optionals (localSystem.libc == "musl") [ fortify-headers ]
        ++ [ prevStage.updateAutotoolsGnuConfigScriptsHook prevStage.gnu-config ]
        ++ (with gcc-unwrapped.passthru; [
          gmp libmpc mpfr isl