From 44e6fb29cbfd8fd774613e058ca3d289d25c5648 Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Sun, 7 Mar 2021 15:34:38 -0500 Subject: [PATCH] stdenv: Fix regression on ARM+static when enabling hardening 4e9dc46dea0ef8cf15c567fa863796bb23099d0b re-enabled hardening for Musl, which is good. Though static builds for ARM fail in various ways - cross armv7l static does not build - cross aarch64 static produces segfaulting dynamically linked binaries - native aarch64 static also produces segfaulting dynamically linked binaries It seems that for native x86_64-linux, static builds are fine though. This works around the issue by removing PIE from the hardening flags, keeping all other hardening flags. This is an improvement (I think) from before 4e9dc46d. Fixes #114953
---
 pkgs/stdenv/generic/make-derivation.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 13a7a03d6a8b8..483d44ed8e0ca 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -106,7 +106,12 @@ in rec {
 ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
 dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || (stdenv.noCC or false);
 supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
- defaultHardeningFlags = if stdenv.hostPlatform.isMusl
+ # Musl-based platforms will keep "pie", other platforms will not.
+ defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
+ # Except when:
+ # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
+ # - static armv7l, where compilation fails.
+ !((stdenv.hostPlatform.isAarch64 || stdenv.hostPlatform.isAarch32) && stdenv.hostPlatform.isStatic)
 then supportedHardeningFlags
 else lib.remove "pie" supportedHardeningFlags;
 enabledHardeningOptions =
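Review bot: The exception added to `defaultHardeningFlags` removes `pie` by default for every static musl build on `isAarch64` or `isAarch32`, yet the comments name only aarch64 and armv7l and give no pointer to the tracking issue, so nothing in the file says when the workaround can be lifted. Static ARM binaries built this way are presumably linked non-PIE and load at a fixed address, which weakens ASLR relative to the other musl targets; that trade-off belongs next to the condition. I would add `# Workaround for #114953: static ARM builds lose PIE (fixed load address); remove once static-pie works on these platforms.` above the negated clause, and confirm whether the other `isAarch32` CPUs besides armv7l are meant to be covered. The leading comment `# Musl-based platforms will keep "pie", other platforms will not.` would also read more clearly with the exception folded into it rather than split across the expression. The enclosing `rec { … }` starts and ends outside the hunk.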