nixos/security/wrappers: don't force PIE hardening #259509
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes
PIE causes problems with static binaries on ARM (see 76552e9). It is enabled by default on other platforms anyway when musl is used, so we don't need to specify it manually.
Without this PR, the wrapper fails to build on
armv7l-linux
:Additionally, on
armv6l-linux
, you get a dynamically linked binary that segfaults, rather than a statically linked one. I have confirmed that this PR fixes both of these issues.Things done
sandbox = true
set innix.conf
? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)