pyrox.dev / nixpkgs
lol
fork atom

cc-wrapper: add support for shadowstack hardening flag

Robert Scott b207b6ef c68739f4

options
unified split
Changed files
+23 -1
nixos
doc
manual
release-notes
rl-2411.section.md
pkgs
build-support
cc-wrapper
add-hardening.sh
development
compilers
gcc
default.nix
llvm
common
clang
default.nix
stdenv
darwin
default.nix
generic
make-derivation.nix
linux
bootstrap-tools
default.nix
bootstrap-tools-musl
default.nix
top-level
stage.nix
+2
nixos/doc/manual/release-notes/rl-2411.section.md 
···

       
242

       
242

       
 

       
  - Nemo is now built with gtk-layer-shell support, note that for now it will be expected to see nemo-desktop


     

       
243

       
243

       
 

       
    listed as a regular entry in Cinnamon Wayland session's window list applet.


     

       
244

       
244

       
 

       



     

       

       
245

       
+

       
- The `shadowstack` hardening flag has been added, though disabled by default.


     

       

       
246

       
+

       



     

       
245

       
247

       
 

       
- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)


     

       
246

       
248

       
 

       
  in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners


     

       
247

       
249

       
 

       
  should be changed to using *runner authentication tokens* by configuring
+5 -1
pkgs/build-support/cc-wrapper/add-hardening.sh 
···

       
32

       
32

       
 

       
fi


     

       
33

       
33

       
 

       



     

       
34

       
34

       
 

       
if (( "${NIX_DEBUG:-0}" >= 1 )); then


     

       
35

       

       
-

       
  declare -a allHardeningFlags=(fortify fortify3 stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)


     

       

       
35

       
+

       
  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)


     

       
36

       
36

       
 

       
  declare -A hardeningDisableMap=()


     

       
37

       
37

       
 

       



     

       
38

       
38

       
 

       
  # Determine which flags were effectively disabled so we can report below.


     
···

       
74

       
74

       
 

       
          # Ignore unsupported.


     

       
75

       
75

       
 

       
          ;;


     

       
76

       
76

       
 

       
      esac


     

       

       
77

       
+

       
      ;;


     

       

       
78

       
+

       
    shadowstack)


     

       

       
79

       
+

       
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling shadowstack >&2; fi


     

       

       
80

       
+

       
      hardeningCFlagsBefore+=('-fcf-protection=return')


     

       
77

       
81

       
 

       
      ;;


     

       
78

       
82

       
 

       
    stackprotector)


     

       
79

       
83

       
 

       
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
+6
pkgs/development/compilers/gcc/default.nix 
···

       
430

       
430

       
 

       
      ) "stackclashprotection"


     

       
431

       
431

       
 

       
      ++ optional (!atLeast11) "zerocallusedregs"


     

       
432

       
432

       
 

       
      ++ optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]


     

       

       
433

       
+

       
      ++ optional (!(


     

       

       
434

       
+

       
        atLeast8


     

       

       
435

       
+

       
        && targetPlatform.isLinux


     

       

       
436

       
+

       
        && targetPlatform.isx86_64


     

       

       
437

       
+

       
        && targetPlatform.libc == "glibc"


     

       

       
438

       
+

       
      )) "shadowstack"


     

       
433

       
439

       
 

       
      ++ optionals (langFortran) [ "fortify" "format" ];


     

       
434

       
440

       
 

       
  };


     

       
435

       
441
+5
pkgs/development/compilers/llvm/common/clang/default.nix 
···

       
139

       
139

       
 

       
      hardeningUnsupportedFlagsByTargetPlatform = targetPlatform:


     

       
140

       
140

       
 

       
        [ "fortify3" ]


     

       
141

       
141

       
 

       
        ++ lib.optional (


     

       

       
142

       
+

       
          (lib.versionOlder release_version "7")


     

       

       
143

       
+

       
          || !targetPlatform.isLinux


     

       

       
144

       
+

       
          || !targetPlatform.isx86_64


     

       

       
145

       
+

       
        ) "shadowstack"


     

       

       
146

       
+

       
        ++ lib.optional (


     

       
142

       
147

       
 

       
          (lib.versionOlder release_version "11")


     

       
143

       
148

       
 

       
          || (targetPlatform.isAarch64 && (lib.versionOlder release_version "18.1"))


     

       
144

       
149

       
 

       
          || (targetPlatform.isFreeBSD && (lib.versionOlder release_version "15"))
+1
pkgs/stdenv/darwin/default.nix 
···

       
416

       
416

       
 

       
                isFromBootstrapFiles = true;


     

       
417

       
417

       
 

       
                hardeningUnsupportedFlags = [


     

       
418

       
418

       
 

       
                  "fortify3"


     

       

       
419

       
+

       
                  "shadowstack"


     

       
419

       
420

       
 

       
                  "stackclashprotection"


     

       
420

       
421

       
 

       
                  "zerocallusedregs"


     

       
421

       
422

       
 

       
                ];
+1
pkgs/stdenv/generic/make-derivation.nix 
···

       
115

       
115

       
 

       
    "format"


     

       
116

       
116

       
 

       
    "fortify"


     

       
117

       
117

       
 

       
    "fortify3"


     

       

       
118

       
+

       
    "shadowstack"


     

       
118

       
119

       
 

       
    "pic"


     

       
119

       
120

       
 

       
    "pie"


     

       
120

       
121

       
 

       
    "relro"
+1
pkgs/stdenv/linux/bootstrap-tools-musl/default.nix 
···

       
17

       
17

       
 

       
  isGNU = true;


     

       
18

       
18

       
 

       
  hardeningUnsupportedFlags = [


     

       
19

       
19

       
 

       
    "fortify3"


     

       

       
20

       
+

       
    "shadowstack"


     

       
20

       
21

       
 

       
    "stackclashprotection"


     

       
21

       
22

       
 

       
    "trivialautovarinit"


     

       
22

       
23

       
 

       
    "zerocallusedregs"
+1
pkgs/stdenv/linux/bootstrap-tools/default.nix 
···

       
17

       
17

       
 

       
  isGNU = true;


     

       
18

       
18

       
 

       
  hardeningUnsupportedFlags = [


     

       
19

       
19

       
 

       
    "fortify3"


     

       

       
20

       
+

       
    "shadowstack"


     

       
20

       
21

       
 

       
    "stackclashprotection"


     

       
21

       
22

       
 

       
    "trivialautovarinit"


     

       
22

       
23

       
 

       
    "zerocallusedregs"
+1
pkgs/top-level/stage.nix 
···

       
292

       
292

       
 

       
          pkgsExtraHardening = super';


     

       
293

       
293

       
 

       
          stdenv = super'.withDefaultHardeningFlags (


     

       
294

       
294

       
 

       
            super'.stdenv.cc.defaultHardeningFlags ++ [


     

       

       
295

       
+

       
              "shadowstack"


     

       
295

       
296

       
 

       
              "stackclashprotection"


     

       
296

       
297

       
 

       
              "trivialautovarinit"


     

       
297

       
298

       
 

       
            ]