-rw-r--r--pkgs/build-support/cc-wrapper/setup-hook.sh2
-rw-r--r--pkgs/development/libraries/libfido2/default.nix3
-rw-r--r--pkgs/stdenv/generic/make-derivation.nix9
3 files changed, 7 insertions, 7 deletions
diff --git a/pkgs/build-support/cc-wrapper/setup-hook.sh b/pkgs/build-support/cc-wrapper/setup-hook.sh
index be01c51a71ffd..9326d76e2a8ff 100644
--- a/pkgs/build-support/cc-wrapper/setup-hook.sh
+++ b/pkgs/build-support/cc-wrapper/setup-hook.sh
@@ -111,7 +111,7 @@ export CC${role_post}=@named_cc@
 export CXX${role_post}=@named_cxx@
 
 # If unset, assume the default hardening flags.
-: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"}
+: ${NIX_HARDENING_ENABLE="fortify fortify3 stackprotector pic strictoverflow format relro bindnow"}
 export NIX_HARDENING_ENABLE
 
 # No local scope in sourced file
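Review bot: The fallback list on the `NIX_HARDENING_ENABLE` line is a second, hand-maintained copy of the default hardening set, while the third file in this commit (make-derivation.nix) derives the same set from `supportedHardeningFlags`; nothing on this line records that the two must agree, so the next flag added to one is likely to be missed in the other. I would extend the comment above it: `# If unset, assume the default hardening flags (keep in sync with defaultHardeningFlags in pkgs/stdenv/generic/make-derivation.nix).` Whether the wrapper treats `fortify` and `fortify3` as mutually exclusive or as cumulative is decided elsewhere in the wrapper and is not visible here, so a one-line pointer to that precedence would also help readers of this default.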
diff --git a/pkgs/development/libraries/libfido2/default.nix b/pkgs/development/libraries/libfido2/default.nix
index 6904177567b16..c14c30c273354 100644
--- a/pkgs/development/libraries/libfido2/default.nix
+++ b/pkgs/development/libraries/libfido2/default.nix
@@ -44,6 +44,9 @@ stdenv.mkDerivation rec {
     "-DUSE_PCSC=1"
   ];
 
+  # causes possible redefinition of _FORTIFY_SOURCE?
+  hardeningDisable = [ "fortify3" ];
+
   meta = with lib; {
     description = ''
       Provides library functionality for FIDO 2.0, including communication with a device over USB.
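Review bot: The comment on the new `hardeningDisable` line records a guess with a question mark rather than the failure that was actually observed, so a later maintainer cannot tell when the override has become unnecessary. I would replace it with the concrete diagnostic and a removal condition, e.g. `# fortify3 disabled: <observed compiler error from the build log>; re-check on the next libfido2 bump`, filling in the placeholder from the failing build. If the cause is that the build passes its own `-D_FORTIFY_SOURCE`, saying so explicitly is what would let someone fix it upstream instead of carrying the opt-out.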
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 7454269159870..0799ca685f50b 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -195,16 +195,13 @@ let
   # Musl-based platforms will keep "pie", other platforms will not.
   # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
   # in the nixpkgs manual to inform users about the defaults.
-  defaultHardeningFlags = let
-    # not ready for this by default
-    supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
-  in if stdenv.hostPlatform.isMusl &&
+  defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
       # Except when:
       #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
       #    - static armv7l, where compilation fails.
       !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
-    then supportedHardeningFlags'
-    else lib.remove "pie" supportedHardeningFlags';
+    then supportedHardeningFlags
+    else lib.remove "pie" supportedHardeningFlags;
   enabledHardeningOptions =
     if builtins.elem "all" hardeningDisable'
     then []
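Review bot: The comment directly above the changed `defaultHardeningFlags` binding says that any change to these defaults must be accompanied by an update to section `{#sec-hardening-in-nixpkgs}` of the nixpkgs manual, and removing the `lib.remove "fortify3"` filter does change them, yet the diffstat lists only the three code files and no manual change. Either the manual update belongs in this commit, or the commit message should say where it lands. The line-15 removal of the `# not ready for this by default` note also drops the only stated rationale for the earlier opt-out; a one-line replacement such as `# fortify3 is now part of the defaults; packages that cannot build with it opt out via hardeningDisable` would keep that history readable next to the binding. The `let` block containing this binding continues outside the hunk.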