From 95c4a1fe96f2f6f406b805754099cb724aafdf42 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Tue, 28 Feb 2023 18:18:51 +0000
Subject: [PATCH] cc-wrapper: include fortify-headers before libc includes for musl
---
 pkgs/build-support/cc-wrapper/default.nix | 18 ++++++++++++++++++
 pkgs/stdenv/linux/default.nix | 3 +++
 2 files changed, 21 insertions(+)
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 53141cac5dfb..b4104f351cae 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -51,6 +51,8 @@
 # the derivation at which the `-B` and `-L` flags added by `useCcForLibs` will point
 , gccForLibs ? if useCcForLibs then cc else null
+, fortify-headers ? null
+, includeFortifyHeaders ? null
 }:
 with lib;
@@ -65,6 +67,10 @@ let
 stdenv = stdenvNoCC;
 inherit (stdenv) hostPlatform targetPlatform;
+ includeFortifyHeaders' = if includeFortifyHeaders != null
+ then includeFortifyHeaders
+ else targetPlatform.libc == "musl";
+
 # Prefix for binaries. Customarily ends with a dash separator.
 #
 # TODO(@Ericson2314) Make unconditional, or optional but always true by
@@ -165,6 +171,8 @@ let
 stdenv.targetPlatform.darwinMinVersionVariable;
 in
+assert includeFortifyHeaders' -> fortify-headers != null;
+
 # Ensure bintools matches
 assert libc_bin == bintools.libc_bin;
 assert libc_dev == bintools.libc_dev;
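Review bot: The new arguments `fortify-headers` and `includeFortifyHeaders` are added without a comment, unlike the neighbouring `gccForLibs`, and `null` acts as a third "auto" state that only becomes clear from the `includeFortifyHeaders'` binding in the next hunk. A comment above them would make the contract explicit, for example `# null = decide from targetPlatform.libc (enabled for musl); true/false forces it` and `# package providing the fortify wrapper headers; must be non-null when the above resolves to true`. The argument list starts outside the hunk.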
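Review bot: The added `assert includeFortifyHeaders' -> fortify-headers != null;` carries no message, so a musl cc-wrapper built by a caller that does not pass `fortify-headers` stops evaluation with a bare assertion failure. This patch updates two call sites in pkgs/stdenv/linux/default.nix; whether every other caller receives the argument (for instance through callPackage) cannot be seen from here. Since `with lib;` is in scope, `assert assertMsg (includeFortifyHeaders' -> fortify-headers != null) "cc-wrapper: fortify-headers must be set when includeFortifyHeaders is enabled (default on musl)";` would point the user at the fix.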
@@ -414,6 +422,16 @@ stdenv.mkDerivation {
 echo "${libc_lib}" > $out/nix-support/orig-libc
 echo "${libc_dev}" > $out/nix-support/orig-libc-dev
+ ''
+ # fortify-headers is a set of wrapper headers that augment libc
+ # and use #include_next to pass through to libc's true
+ # implementations, so must appear before them in search order.
+ # in theory a correctly placed -idirafter could be used, but in
+ # practice the compiler may have been built with a --with-headers
+ # like option that forces the libc headers before all -idirafter,
+ # hence -isystem here.
+ + optionalString includeFortifyHeaders' ''
+ echo "-isystem ${fortify-headers}/include" >> $out/nix-support/libc-cflags
 '')
 ##
diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix
index 0e483321b935..34fffd36aa6a 100644
--- a/pkgs/stdenv/linux/default.nix
+++ b/pkgs/stdenv/linux/default.nix
@@ -194,6 +194,7 @@ let
 inherit lib;
 inherit (prevStage) coreutils gnugrep;
 stdenvNoCC = prevStage.ccWrapperStdenv;
+ fortify-headers = prevStage.fortify-headers;
 }).overrideAttrs(a: lib.optionalAttrs (prevStage.gcc-unwrapped.passthru.isXgcc or false) {
 # This affects only `xgcc` (the compiler which compiles the final compiler).
 postFixup = (a.postFixup or "") + ''
@@ -568,6 +569,7 @@ in
 inherit lib;
 inherit (self) stdenvNoCC coreutils gnugrep;
 shell = self.bash + "/bin/bash";
+ fortify-headers = self.fortify-headers;
 };
 };
 extraNativeBuildInputs = [
@@ -645,6 +647,7 @@ in
 ++ [ linuxHeaders # propagated from .dev
 binutils gcc gcc.cc gcc.cc.lib gcc.expand-response-params gcc.cc.libgcc glibc.passthru.libgcc
 ]
+ ++ lib.optionals (localSystem.libc == "musl") [ fortify-headers ]
 ++ [ prevStage.updateAutotoolsGnuConfigScriptsHook prevStage.gnu-config ]
 ++ (with gcc-unwrapped.passthru; [
 gmp libmpc mpfr isl
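Review bot: The added comment explains the search order but not when the headers take effect: the fortify-headers wrappers only add checks when `_FORTIFY_SOURCE` is defined and optimisation is enabled, so this `-isystem` line hardens nothing by itself. A further comment line such as `# inert unless _FORTIFY_SOURCE is defined and optimisation is on (see the fortify hardening flag)` would keep readers from assuming musl builds are fortified by the include path alone. The flag is also written for every wrapped compiler whenever `includeFortifyHeaders'` is true; if the wrapper serves compilers or languages where these C headers are untested, a guard or a test build may be worth adding. The enclosing string starts outside the hunk.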