
nixos/security/wrappers: don't force PIE hardening #259509

Merged: 1 commit merged into NixOS:master from the security-wrapper-pie branch, Oct 10, 2023

Conversation

lopsided98
Contributor

Description of changes

PIE causes problems with static binaries on ARM (see 76552e9). It is enabled by default on other platforms anyway when musl is used, so we don't need to specify it manually.

Without this PR, the wrapper fails to build on armv7l-linux:

/nix/store/4lxj7pm6qa6fznja0bwk4c68rd90k6gn-armv7l-unknown-linux-musleabihf-binutils-2.40/bin/armv7l-unknown-linux-musleabihf-ld: /nix/store/cppxlcnd0anv12l2dy79cgpc2qwq3lyq-armv7l-unknown-linux-musleabihf-stage-final-gcc-12.3.0/lib/gcc/armv7l-unknown-linux-musleabihf/12.3.0/crtbeginT.o: relocation R_ARM_MOVW_ABS_NC against `a local symbol' can not be used when making a shared object; recompile with -fPIC
/nix/store/cppxlcnd0anv12l2dy79cgpc2qwq3lyq-armv7l-unknown-linux-musleabihf-stage-final-gcc-12.3.0/lib/gcc/armv7l-unknown-linux-musleabihf/12.3.0/crtbeginT.o:(.fini_array+0x0): dangerous relocation: unsupported relocation
/nix/store/cppxlcnd0anv12l2dy79cgpc2qwq3lyq-armv7l-unknown-linux-musleabihf-stage-final-gcc-12.3.0/lib/gcc/armv7l-unknown-linux-musleabihf/12.3.0/crtbeginT.o:(.init_array+0x0): dangerous relocation: unsupported relocation
collect2: error: ld returned 1 exit status

Additionally, on armv6l-linux, you get a dynamically linked binary that segfaults, rather than a statically linked one. I have confirmed that this PR fixes both of these issues.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
    • armv7l-linux (cross)
    • armv6l-linux (cross)
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

PIE causes problems with static binaries on ARM (see 76552e9). It is
enabled by default on other platforms anyway when musl is used, so we
don't need to specify it manually.
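The description above turns on two properties of the built wrapper binary: whether it is statically linked and whether it is a PIE. The check below is an added example, not code from this PR or from nixpkgs; it classifies an ELF image from its header and program headers alone (no binutils needed), which is enough to tell a static non-PIE wrapper from the dynamically linked PIE the armv6l build produced. The three sample images are constructed inline as stand-ins for real wrapper binaries; `check_wrapper_file` is a hypothetical helper for running the same check on a real file.

```python
"""Classify an ELF executable as static / static-pie / dynamic / dynamic-pie.

Added example (not part of the nixpkgs PR).  Reads only the ELF header and
program header table.  The sample images at the bottom are constructed test
data, not real compiler output.
"""
import struct
from pathlib import Path

ET_EXEC, ET_DYN = 2, 3          # e_type values
PT_DYNAMIC, PT_INTERP = 2, 3    # p_type values
EM_ARM, EM_X86_64 = 40, 62      # e_machine values


def classify_elf(data: bytes) -> dict:
    """Classify ELF bytes.  Assumes the input is an executable: ET_DYN is read
    as "PIE", which is how the linker emits -pie and -static-pie executables
    (shared libraries are ET_DYN too, so do not feed this a .so)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elfclass, endian = data[4], ("<" if data[5] == 1 else ">")
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    if elfclass == 1:    # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    elif elfclass == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        raise ValueError(f"unknown EI_CLASS {elfclass}")

    # PT_INTERP names the dynamic loader: present => dynamically linked.
    # PT_DYNAMIC without PT_INTERP is what a static-pie executable looks like.
    ptypes = {struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)}
    dynamic = PT_INTERP in ptypes
    pie = e_type == ET_DYN
    linkage = ("dynamic" if dynamic else "static") + ("-pie" if pie else "")
    return {"class": 32 if elfclass == 1 else 64, "machine": e_machine,
            "pie": pie, "dynamic": dynamic,
            "has_dynamic_section": PT_DYNAMIC in ptypes, "linkage": linkage}


def wrapper_is_static(data: bytes) -> bool:
    """True when the image has no PT_INTERP, i.e. it needs no dynamic loader."""
    return not classify_elf(data)["dynamic"]


def check_wrapper_file(path: str) -> dict:
    """Hypothetical helper: classify a real binary on disk (e.g. a built wrapper)."""
    return classify_elf(Path(path).read_bytes())


def build_sample_elf(elfclass: int, e_type: int, e_machine: int, phdr_types: list) -> bytes:
    """Construct a minimal little-endian ELF image whose program header table
    holds one entry per requested p_type.  Constructed test data only."""
    ident = b"\x7fELF" + bytes([elfclass, 1, 1]) + b"\x00" * 9   # 16-byte e_ident
    if elfclass == 1:
        ehsize, phentsize = 52, 32
        hdr = struct.pack("<HHIIIIIHHHHHH", e_type, e_machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(phdr_types), 40, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 4)
                         for t in phdr_types)
    else:
        ehsize, phentsize = 64, 56
        hdr = struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(phdr_types), 64, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 8)
                         for t in phdr_types)
    return ident + hdr + phdrs


# Constructed stand-ins for the outcomes the PR description talks about.
ARM_STATIC = build_sample_elf(1, ET_EXEC, EM_ARM, [])                           # intended wrapper
ARM_DYNAMIC_PIE = build_sample_elf(1, ET_DYN, EM_ARM, [PT_INTERP, PT_DYNAMIC])  # broken armv6l result
X86_64_STATIC_PIE = build_sample_elf(2, ET_DYN, EM_X86_64, [PT_DYNAMIC])        # static-pie executable

if __name__ == "__main__":
    import sys
    for name, img in [("arm static", ARM_STATIC), ("arm dynamic-pie", ARM_DYNAMIC_PIE),
                      ("x86_64 static-pie", X86_64_STATIC_PIE)]:
        print(f"{name:20} -> {classify_elf(img)['linkage']}")
    for path in sys.argv[1:]:   # optional: classify real files named on the command line
        print(f"{path}: {check_wrapper_file(path)['linkage']}")
```

Run with no arguments to see the three constructed samples classified; pass paths to built wrapper binaries to check real output. A wrapper that reports `dynamic` or `dynamic-pie` is the failure mode described for armv6l, regardless of whether it happens to run.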
@delroth
Contributor

delroth commented Oct 7, 2023

@ofborg test wrappers sudo

@yu-re-ka yu-re-ka merged commit b6876d5 into NixOS:master Oct 10, 2023
26 checks passed
@lopsided98 lopsided98 deleted the security-wrapper-pie branch October 11, 2023 01:18