From 547ffcb0428121c5968f97581f7c6155af23f416 Mon Sep 17 00:00:00 2001 From: Tristan Ross Date: Thu, 15 Aug 2024 21:54:52 -0700 Subject: [PATCH] cc-wrapper: disable incompatible hardening options in cpu bit size cross --- .../build-support/cc-wrapper/add-hardening.sh | 33 ++++++++++++++++--- pkgs/build-support/cc-wrapper/default.nix | 27 ++++++++++++--- 2 files changed, 52 insertions(+), 8 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index 4440d99ccabaf..1c798ee25efef 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -2,13 +2,38 @@ declare -a hardeningCFlagsAfter=() declare -a hardeningCFlagsBefore=() declare -A hardeningEnableMap=() +declare -a hardeningUnsupportedFlags=(@hardening_unsupported_flags@) # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The # array expansion also prevents undefined variables from causing trouble with # `set -u`. -for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do - hardeningEnableMap["$flag"]=1 -done +if (( @isClang@ )); then + declare target=@defaultTarget@ + declare target32=@target32@ + declare target64=@target64@ + + for p in "${params[@]}"; do + case "$p" in + --target=*) target=${p#--target=*} ;; + esac + done + + if [[ $(echo "\${target%*-${target#*-}}") == $(echo "\${target32%*-${target32#*-}}") ]]; then + hardeningUnsupportedFlags=(@hardening_unsupported_flags32@) + for flag in ${NIX_HARDENING_ENABLE_@target32@-}; do + hardeningEnableMap["$flag"]=1 + done + elif [[ $(echo "\${target%*-${target#*-}}") == $(echo "\${target64%*-${target64#*-}}") ]]; then + hardeningUnsupportedFlags=(@hardening_unsupported_flags64@) + for flag in ${NIX_HARDENING_ENABLE_@target64@-}; do + hardeningEnableMap["$flag"]=1 + done + fi +else + for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do + hardeningEnableMap["$flag"]=1 + done +fi # fortify3 implies fortify enablement - make explicit before # we filter unsupported flags because unsupporting fortify3 @@ -18,7 +43,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then fi # Remove unsupported flags. -for flag in @hardening_unsupported_flags@; do +for flag in "${hardeningUnsupportedFlags[@]}"; do unset -v "hardeningEnableMap[$flag]" # fortify being unsupported implies fortify3 is unsupported if [[ "$flag" = 'fortify' ]] ; then diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 34b23acc80e34..4471f867e36bd 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -115,8 +115,13 @@ let # without interfering. For the moment, it is defined as the target triple, # adjusted to be a valid bash identifier. This should be considered an # unstable implementation detail, however. - suffixSalt = replaceStrings ["-" "."] ["_" "_"] targetPlatform.config - + lib.optionalString (targetPlatform.isDarwin && targetPlatform.isStatic) "_static"; + + mkSuffixSalt = platform: replaceStrings ["-" "."] ["_" "_"] platform.config + + lib.optionalString (platform.isDarwin && platform.isStatic) "_static"; + + suffixSalt = mkSuffixSalt targetPlatform; + suffixSalt32 = if (lib.systems.as32bit targetPlatform != null) then mkSuffixSalt (lib.systems.as32bit targetPlatform) else suffixSalt; + suffixSalt64 = if (lib.systems.as64bit targetPlatform != null) then mkSuffixSalt (lib.systems.as64bit targetPlatform) else suffixSalt; useGccForLibs = useCcForLibs && libcxx == null @@ -280,6 +285,14 @@ let then cc.hardeningUnsupportedFlagsByTargetPlatform targetPlatform else (cc.hardeningUnsupportedFlags or []); + ccHardeningUnsupportedFlags32 = if cc ? hardeningUnsupportedFlagsByTargetPlatform + then cc.hardeningUnsupportedFlagsByTargetPlatform (if (lib.systems.as32bit targetPlatform != null) then lib.systems.as32bit targetPlatform else targetPlatform) + else (cc.hardeningUnsupportedFlags or []); + + ccHardeningUnsupportedFlags64 = if cc ? hardeningUnsupportedFlagsByTargetPlatform + then cc.hardeningUnsupportedFlagsByTargetPlatform (if (lib.systems.as64bit targetPlatform != null) then lib.systems.as64bit targetPlatform else targetPlatform) + else (cc.hardeningUnsupportedFlags or []); + darwinPlatformForCC = optionalString targetPlatform.isDarwin ( if (targetPlatform.darwinPlatform == "macos" && isGNU) then "macosx" else targetPlatform.darwinPlatform @@ -316,7 +329,7 @@ stdenvNoCC.mkDerivation { inherit isArocc; passthru = { - inherit targetPrefix suffixSalt; + inherit targetPrefix suffixSalt suffixSalt32 suffixSalt64; # "cc" is the generic name for a C compiler, but there is no one for package # providing the linker and related tools. The two we use now are GNU # Binutils, and Apple's "cctools"; "bintools" as an attempt to find an @@ -651,6 +664,8 @@ stdenvNoCC.mkDerivation { ## + '' export hardening_unsupported_flags="${concatStringsSep " " ccHardeningUnsupportedFlags}" + export hardening_unsupported_flags32="${concatStringsSep " " ccHardeningUnsupportedFlags32}" + export hardening_unsupported_flags64="${concatStringsSep " " ccHardeningUnsupportedFlags64}" '' # For clang, this is handled in add-clang-cc-cflags-before.sh @@ -704,6 +719,10 @@ stdenvNoCC.mkDerivation { substituteInPlace "$flags" --replace $'\n' ' ' done + export defaultTarget=${targetPlatform.config} + export target32=${if (lib.systems.as32bit targetPlatform != null) then (lib.systems.as32bit targetPlatform).config else targetPlatform.config} + export target64=${if (lib.systems.as64bit targetPlatform != null) then (lib.systems.as64bit targetPlatform).config else targetPlatform.config} + substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh substituteAll ${../wrapper-common/utils.bash} $out/nix-support/utils.bash @@ -747,7 +766,7 @@ stdenvNoCC.mkDerivation { # if the native impure bootstrap is gotten rid of this can become `inherit cc;` again. cc = optionalString (!nativeTools) cc; wrapperName = "CC_WRAPPER"; - inherit suffixSalt coreutils_bin bintools; + inherit suffixSalt suffixSalt32 suffixSalt64 coreutils_bin bintools; inherit libc_bin libc_dev libc_lib; inherit darwinPlatformForCC darwinMinVersion darwinMinVersionVariable; default_hardening_flags_str = builtins.toString defaultHardeningFlags;