stdenv/generic/make-derivation.nix: always set NIX_HARDENING_ENABLE

[LunNova]

See #205031, #252310 (comment)

Without this change setting either of hardeningDisable or hardeningEnable is required to activate the default set of hardening flags, making logic elsewhere in nixpkgs (primarily in build-support scripts) more complicated as it has to have its own defaults if this variable is unset. Except on musl which sets it unconditionally.

With this change the default hardening flags are applied even if neither hardening option is set, and other scripts can be simplified.

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[LunNova]

@ofborg build stdenv.cc

[chivay]

LGTM, I've successfully built

• firefox
• chromium
• openssh
• sway
• qemu

on an x86_64-linux and everything seems to work.

[risicle]

This almost certainly will cause problems with fortran, have addressed some of them in #259070

[risicle]

The security label is a "severity" label to mark vulnerabilities that need priority action, not as a general subject classifier.

[chivay]

If I'm not mistaken, the original problem seems to be described here: #27218

Fortran complains if we attempt to use either "format" or "fortify" hardening. However, it seems to be taken care of, at least partially by 78028df

So if the toolchain supports Fortran, add-hardening.sh will drop those flags. Thus, setting NIX_HARDENING_ENABLE shouldn't break anything (?).
Maybe we should add fortify to Fortran's unsupported flags just to be safe?

EDIT: Oh, it seems it is already handled in #259070 🙏
https://github.com/NixOS/nixpkgs/blob/76f7703d8a7fac6a4002f8f48c86b60160d7edad/pkgs/development/compilers/gcc/default.nix#L416

[LunNova]

Marked as a draft again so it doesn't get merged until #259070 is merged, if we still think this change is good after that PR.

[risicle]

FWIW I'm not pushing to get #259070 merged before 23.11 - too close to the release.

[LunNova]

@risicle still worth making a change here or should I close this?

[risicle]

There's probably some value in this if only for uniformity.

I'd love to know why the musl exception was needed in the first place.