diff options
Diffstat (limited to 'pkgs/stdenv')
| -rw-r--r-- | pkgs/stdenv/adapters.nix | 30 | ||||
| -rw-r--r-- | pkgs/stdenv/generic/check-meta.nix | 4 | ||||
| -rw-r--r-- | pkgs/stdenv/generic/make-derivation.nix | 34 | ||||
| -rw-r--r-- | pkgs/stdenv/linux/bootstrap-files/aarch64.nix | 8 | ||||
| -rw-r--r-- | pkgs/stdenv/linux/bootstrap-tools-musl/default.nix | 1 | ||||
| -rw-r--r-- | pkgs/stdenv/linux/bootstrap-tools/default.nix | 1 | ||||
| -rw-r--r-- | pkgs/stdenv/linux/default.nix | 128 | ||||
| -rw-r--r-- | pkgs/stdenv/native/default.nix | 6 |
8 files changed, 139 insertions, 73 deletions
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 42d19a0fad4b9..43fa87d14d880 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix @@ -142,7 +142,7 @@ rec { Example: stdenvNoOptimise = addAttrsToDerivation - { NIX_CFLAGS_COMPILE = "-O0"; } + { env.NIX_CFLAGS_COMPILE = "-O0"; } stdenv; */ addAttrsToDerivation = extraAttrs: stdenv: stdenv.override (old: { @@ -176,7 +176,7 @@ rec { stdenv.override (old: { mkDerivationFromStdenv = extendMkDerivationArgs old (args: { dontStrip = true; - NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + " -ggdb -Og"; + env.NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + " -ggdb -Og"; }); }); @@ -189,6 +189,28 @@ rec { }); }); + useMoldLinker = stdenv: let + bintools = stdenv.cc.bintools.override { + extraBuildCommands = '' + wrap ld.mold ${../build-support/bintools-wrapper/ld-wrapper.sh} ${pkgs.mold}/bin/ld.mold + wrap ld ${../build-support/bintools-wrapper/ld-wrapper.sh} ${pkgs.mold}/bin/ld.mold + ''; + }; + in stdenv.override (old: { + cc = stdenv.cc.override { + inherit bintools; + }; + allowedRequisites = + lib.mapNullable (rs: rs ++ [ bintools pkgs.mold (lib.getLib pkgs.mimalloc) (lib.getLib pkgs.openssl) ]) (stdenv.allowedRequisites or null); + # gcc >12.1.0 supports '-fuse-ld=mold' + # the wrap ld above in bintools supports gcc <12.1.0 and shouldn't harm >12.1.0 + # https://github.com/rui314/mold#how-to-use + } // lib.optionalAttrs (stdenv.cc.isClang || (stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "12")) { + mkDerivationFromStdenv = extendMkDerivationArgs old (args: { + NIX_CFLAGS_LINK = toString (args.NIX_CFLAGS_LINK or "") + " -fuse-ld=mold"; + }); + }); + /* Modify a stdenv so that it builds binaries optimized specifically for the machine they are built on. @@ -197,7 +219,7 @@ rec { impureUseNativeOptimizations = stdenv: stdenv.override (old: { mkDerivationFromStdenv = extendMkDerivationArgs old (args: { - NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + " -march=native"; + env.NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + " -march=native"; NIX_ENFORCE_NO_NATIVE = false; preferLocalBuild = true; @@ -222,7 +244,7 @@ rec { withCFlags = compilerFlags: stdenv: stdenv.override (old: { mkDerivationFromStdenv = extendMkDerivationArgs old (args: { - NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + " ${toString compilerFlags}"; + env.NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + " ${toString compilerFlags}"; }); }); } diff --git a/pkgs/stdenv/generic/check-meta.nix b/pkgs/stdenv/generic/check-meta.nix index 9d99be2a02039..4b0ca649ee94d 100644 --- a/pkgs/stdenv/generic/check-meta.nix +++ b/pkgs/stdenv/generic/check-meta.nix @@ -242,7 +242,7 @@ let remediationMsg = (builtins.getAttr reason remediation) attrs; msg = if inHydra then "Warning while evaluating ${getName attrs}: «${reason}»: ${errormsg}" else "Package ${getName attrs} in ${pos_str meta} ${errormsg}, continuing anyway." - + (if remediationMsg != "" then "\n${remediationMsg}" else ""); + + (lib.optionalString (remediationMsg != "") "\n${remediationMsg}"); isEnabled = lib.findFirst (x: x == reason) null showWarnings; in if isEnabled != null then builtins.trace msg true else true; @@ -322,7 +322,7 @@ let }" else "key 'meta.${k}' is unrecognized; expected one of: \n [${lib.concatMapStringsSep ", " (x: "'${x}'") (lib.attrNames metaTypes)}]"; - checkMeta = meta: if config.checkMeta then lib.remove null (lib.mapAttrsToList checkMetaAttr meta) else []; + checkMeta = meta: lib.optionals config.checkMeta (lib.remove null (lib.mapAttrsToList checkMetaAttr meta)); checkOutputsToInstall = attrs: let expectedOutputs = attrs.meta.outputsToInstall or []; diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix index c18e70212f985..d9672f62e3d31 100644 --- a/pkgs/stdenv/generic/make-derivation.nix +++ b/pkgs/stdenv/generic/make-derivation.nix @@ -186,21 +186,29 @@ let ++ buildInputs ++ propagatedBuildInputs ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0; dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC; - supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ]; + + hardeningDisable' = if lib.any (x: x == "fortify") hardeningDisable + # disabling fortify implies fortify3 should also be disabled + then lib.unique (hardeningDisable ++ [ "fortify3" ]) + else hardeningDisable; + supportedHardeningFlags = [ "fortify" "fortify3" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ]; # Musl-based platforms will keep "pie", other platforms will not. # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}` # in the nixpkgs manual to inform users about the defaults. - defaultHardeningFlags = if stdenv.hostPlatform.isMusl && - # Except when: - # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. - # - static armv7l, where compilation fails. - !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic) - then supportedHardeningFlags - else lib.remove "pie" supportedHardeningFlags; + defaultHardeningFlags = let + # not ready for this by default + supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags; + in if stdenv.hostPlatform.isMusl && + # Except when: + # - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries. + # - static armv7l, where compilation fails. + !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic) + then supportedHardeningFlags' + else lib.remove "pie" supportedHardeningFlags'; enabledHardeningOptions = - if builtins.elem "all" hardeningDisable + if builtins.elem "all" hardeningDisable' then [] - else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable); + else lib.subtractLists hardeningDisable' (defaultHardeningFlags ++ hardeningEnable); # hardeningDisable additionally supports "all". erroneousHardeningFlags = lib.subtractLists supportedHardeningFlags (hardeningEnable ++ lib.remove "all" hardeningDisable); @@ -570,6 +578,12 @@ lib.extendDerivation # them as runtime dependencies (since Nix greps for store paths # through $out to find them) args = [ "-c" "export > $out" ]; + + # inputDerivation produces the inputs; not the outputs, so any + # restrictions on what used to be the outputs don't serve a purpose + # anymore. + disallowedReferences = [ ]; + disallowedRequisites = [ ]; }); inherit meta passthru overrideAttrs; diff --git a/pkgs/stdenv/linux/bootstrap-files/aarch64.nix b/pkgs/stdenv/linux/bootstrap-files/aarch64.nix index aa81cbd84af31..6719e7ca30722 100644 --- a/pkgs/stdenv/linux/bootstrap-files/aarch64.nix +++ b/pkgs/stdenv/linux/bootstrap-files/aarch64.nix @@ -1,11 +1,11 @@ { busybox = import <nix/fetchurl.nix> { - url = "http://tarballs.nixos.org/stdenv-linux/aarch64/c7c997a0662bf88264db52cbc41e67884eb7a1ff/busybox"; - sha256 = "sha256-4EN2vLvXUkelZZR2eKaAQA5kCEuHNvRZN6dcohxVY+c="; + url = "http://tarballs.nixos.org/stdenv-linux/aarch64/21ec906463ea8f11abf3f9091ddd4c3276516e58/busybox"; executable = true; + hash = "sha256-0MuIeQlBUaeisqoFSu8y+8oB6K4ZG5Lhq8RcS9JqkFQ="; }; bootstrapTools = import <nix/fetchurl.nix> { - url = "http://tarballs.nixos.org/stdenv-linux/aarch64/c7c997a0662bf88264db52cbc41e67884eb7a1ff/bootstrap-tools.tar.xz"; - sha256 = "sha256-AjOvmaW8JFVZaBSRUMKufr9kJozg/tsZr7PvUEBQyi4="; + url = "http://tarballs.nixos.org/stdenv-linux/aarch64/21ec906463ea8f11abf3f9091ddd4c3276516e58/bootstrap-tools.tar.xz"; + hash = "sha256-aJvtsWeuQHbb14BGZ2EiOKzjQn46h3x3duuPEawG0eE="; }; } diff --git a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix index d690f40267217..569f0c6f31e2f 100644 --- a/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix +++ b/pkgs/stdenv/linux/bootstrap-tools-musl/default.nix @@ -15,4 +15,5 @@ derivation ({ langC = true; langCC = true; isGNU = true; + hardeningUnsupportedFlags = [ "fortify3" ]; } // extraAttrs) diff --git a/pkgs/stdenv/linux/bootstrap-tools/default.nix b/pkgs/stdenv/linux/bootstrap-tools/default.nix index d690f40267217..569f0c6f31e2f 100644 --- a/pkgs/stdenv/linux/bootstrap-tools/default.nix +++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix @@ -15,4 +15,5 @@ derivation ({ langC = true; langCC = true; isGNU = true; + hardeningUnsupportedFlags = [ "fortify3" ]; } // extraAttrs) diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix index 5c7dfcceec644..18a593b058dfb 100644 --- a/pkgs/stdenv/linux/default.nix +++ b/pkgs/stdenv/linux/default.nix @@ -100,12 +100,20 @@ assert crossSystem == localSystem; let inherit (localSystem) system; + isFromNixpkgs = pkg: !(isFromBootstrapFiles pkg); + isFromBootstrapFiles = + pkg: pkg.passthru.isFromBootstrapFiles or false; + isBuiltByNixpkgsCompiler = + pkg: isFromNixpkgs pkg && isFromNixpkgs pkg.stdenv.cc.cc; + isBuiltByBootstrapFilesCompiler = + pkg: isFromNixpkgs pkg && isFromBootstrapFiles pkg.stdenv.cc.cc; + commonPreHook = '' export NIX_ENFORCE_PURITY="''${NIX_ENFORCE_PURITY-1}" export NIX_ENFORCE_NO_NATIVE="''${NIX_ENFORCE_NO_NATIVE-1}" - ${if system == "x86_64-linux" then "NIX_LIB64_IN_SELF_RPATH=1" else ""} - ${if system == "mipsel-linux" then "NIX_LIB32_IN_SELF_RPATH=1" else ""} + ${lib.optionalString (system == "x86_64-linux") "NIX_LIB64_IN_SELF_RPATH=1"} + ${lib.optionalString (system == "mipsel-linux") "NIX_LIB32_IN_SELF_RPATH=1"} ''; @@ -117,16 +125,14 @@ let # Download and unpack the bootstrap tools (coreutils, GCC, Glibc, ...). - bootstrapTools = import (if localSystem.libc == "musl" then ./bootstrap-tools-musl else ./bootstrap-tools) { + bootstrapTools = (import (if localSystem.libc == "musl" then ./bootstrap-tools-musl else ./bootstrap-tools) { inherit system bootstrapFiles; - extraAttrs = lib.optionalAttrs - config.contentAddressedByDefault - { - __contentAddressed = true; - outputHashAlgo = "sha256"; - outputHashMode = "recursive"; - }; - }; + extraAttrs = lib.optionalAttrs config.contentAddressedByDefault { + __contentAddressed = true; + outputHashAlgo = "sha256"; + outputHashMode = "recursive"; + }; + }) // { passthru.isFromBootstrapFiles = true; }; getLibc = stage: stage.${localSystem.libc}; @@ -186,7 +192,7 @@ let }; in - + assert bootstrapTools.passthru.isFromBootstrapFiles or false; # sanity check [ ({}: { @@ -200,9 +206,6 @@ in # Build a dummy stdenv with no GCC or working fetchurl. This is # because we need a stdenv to build the GCC wrapper and fetchurl. - # - # resulting stage0 stdenv: - # - coreutils, binutils, glibc, gcc: from bootstrapFiles (prevStage: stageFun prevStage { name = "bootstrap-stage0"; @@ -230,6 +233,7 @@ in '' + lib.optionalString (localSystem.libc == "musl") '' ln -s ${bootstrapTools}/include-libc $out/include ''; + passthru.isFromBootstrapFiles = true; }; gcc-unwrapped = bootstrapTools; binutils = import ../../build-support/bintools-wrapper { @@ -258,10 +262,14 @@ in # If we ever need to use a package from more than one stage back, we # simply re-export those packages in the middle stage(s) using the # overrides attribute and the inherit syntax. - # - # resulting stage1 stdenv: - # - coreutils, binutils, glibc, gcc: from bootstrapFiles - (prevStage: stageFun prevStage { + (prevStage: + # previous stage0 stdenv: + assert isFromBootstrapFiles prevStage.binutils.bintools; + assert isFromBootstrapFiles prevStage."${localSystem.libc}"; + assert isFromBootstrapFiles prevStage.gcc-unwrapped; + assert isFromBootstrapFiles prevStage.coreutils; + assert isFromBootstrapFiles prevStage.gnugrep; + stageFun prevStage { name = "bootstrap-stage1"; # Rebuild binutils to use from stage2 onwards. @@ -288,10 +296,14 @@ in # 2nd stdenv that contains our own rebuilt binutils and is used for # compiling our own Glibc. # - # resulting stage2 stdenv: - # - coreutils, glibc, gcc: from bootstrapFiles - # - binutils: from nixpkgs, built by bootstrapFiles toolchain - (prevStage: stageFun prevStage { + (prevStage: + # previous stage1 stdenv: + assert isBuiltByBootstrapFilesCompiler prevStage.binutils-unwrapped; + assert isFromBootstrapFiles prevStage."${localSystem.libc}"; + assert isFromBootstrapFiles prevStage.gcc-unwrapped; + assert isFromBootstrapFiles prevStage.coreutils; + assert isFromBootstrapFiles prevStage.gnugrep; + stageFun prevStage { name = "bootstrap-stage2"; overrides = self: super: { @@ -334,6 +346,7 @@ in bintools = self.stdenvNoCC.mkDerivation { pname = prevStage.bintools.bintools.pname + "-patchelfed-ld"; inherit (prevStage.bintools.bintools) version; + passthru = { inherit (prevStage.bintools.passthru) isFromBootstrapFiles; }; enableParallelBuilding = true; dontUnpack = true; dontBuild = true; @@ -360,11 +373,14 @@ in # Construct a third stdenv identical to the 2nd, except that this # one uses the rebuilt Glibc from stage2. It still uses the recent # binutils and rest of the bootstrap tools, including GCC. - # - # resulting stage3 stdenv: - # - coreutils, gcc: from bootstrapFiles - # - glibc, binutils: from nixpkgs, built by bootstrapFiles toolchain - (prevStage: stageFun prevStage { + (prevStage: + # previous stage2 stdenv: + assert isBuiltByBootstrapFilesCompiler prevStage.binutils-unwrapped; + assert isBuiltByBootstrapFilesCompiler prevStage.${localSystem.libc}; + assert isFromBootstrapFiles prevStage.gcc-unwrapped; + assert isFromBootstrapFiles prevStage.coreutils; + assert isFromBootstrapFiles prevStage.gnugrep; + stageFun prevStage { name = "bootstrap-stage3"; overrides = self: super: rec { @@ -401,17 +417,21 @@ in # Construct a fourth stdenv that uses the new GCC. But coreutils is # still from the bootstrap tools. # - # resulting stage4 stdenv: - # - coreutils: from bootstrapFiles - # - glibc, binutils: from nixpkgs, built by bootstrapFiles toolchain - # - gcc: from nixpkgs, built by bootstrapFiles toolchain. Can assume - # it has almost no code from bootstrapTools as gcc bootstraps - # internally. The only exceptions are crt files from glibc - # built by bootstrapTools used to link executables and libraries, - # and the bootstrapTools-built, statically-linked - # lib{mpfr,mpc,gmp,isl}.a which are linked into the final gcc - # (see commit cfde88976ba4cddd01b1bb28b40afd12ea93a11d). - (prevStage: stageFun prevStage { + (prevStage: + # previous stage3 stdenv: + assert isBuiltByBootstrapFilesCompiler prevStage.binutils-unwrapped; + assert isBuiltByBootstrapFilesCompiler prevStage.${localSystem.libc}; + assert isBuiltByBootstrapFilesCompiler prevStage.gcc-unwrapped; + assert isFromBootstrapFiles prevStage.coreutils; + assert isFromBootstrapFiles prevStage.gnugrep; + # Can assume prevStage.gcc-unwrapped has almost no code from + # bootstrapTools as gcc bootstraps internally. The only + # exceptions are crt files from glibc built bybootstrapTools + # used to link executables and libraries, and the + # bootstrapTools-built, statically-linked + # lib{mpfr,mpc,gmp,isl}.a which are linked into the final gcc + # (see commit cfde88976ba4cddd01b1bb28b40afd12ea93a11d). + stageFun prevStage { name = "bootstrap-stage4"; overrides = self: super: { @@ -468,17 +488,15 @@ in # dependency (`nix-store -qR') on bootstrapTools or the first # binutils built. # - # resulting stage5 (final) stdenv: - # - coreutils, binutils: from nixpkgs, built by nixpkgs toolchain - # - glibc: from nixpkgs, built by bootstrapFiles toolchain - # - gcc: from nixpkgs, built by bootstrapFiles toolchain. Can assume - # it has almost no code from bootstrapTools as gcc bootstraps - # internally. The only exceptions are crt files from glibc - # built by bootstrapTools used to link executables and libraries, - # and the bootstrapTools-built, statically-linked - # lib{mpfr,mpc,gmp,isl}.a which are linked into the final gcc - # (see commit cfde88976ba4cddd01b1bb28b40afd12ea93a11d). - (prevStage: { + (prevStage: + # previous stage4 stdenv; see stage3 comment regarding gcc, + # which applies here as well. + assert isBuiltByNixpkgsCompiler prevStage.binutils-unwrapped; + assert isBuiltByBootstrapFilesCompiler prevStage.${localSystem.libc}; + assert isBuiltByBootstrapFilesCompiler prevStage.gcc-unwrapped; + assert isBuiltByNixpkgsCompiler prevStage.coreutils; + assert isBuiltByNixpkgsCompiler prevStage.gnugrep; + { inherit config overlays; stdenv = import ../generic rec { name = "stdenv-linux"; @@ -554,4 +572,14 @@ in }; }) + # This "no-op" stage is just a place to put the assertions about stage5. + (prevStage: + # previous stage5 stdenv; see stage3 comment regarding gcc, + # which applies here as well. + assert isBuiltByNixpkgsCompiler prevStage.binutils-unwrapped; + assert isBuiltByBootstrapFilesCompiler prevStage.${localSystem.libc}; + assert isBuiltByBootstrapFilesCompiler prevStage.gcc-unwrapped; + assert isBuiltByNixpkgsCompiler prevStage.coreutils; + assert isBuiltByNixpkgsCompiler prevStage.gnugrep; + { inherit (prevStage) config overlays stdenv; }) ] diff --git a/pkgs/stdenv/native/default.nix b/pkgs/stdenv/native/default.nix index 87862b84bc1b2..bae4ff2c93b26 100644 --- a/pkgs/stdenv/native/default.nix +++ b/pkgs/stdenv/native/default.nix @@ -12,9 +12,9 @@ let else "/bin/bash"; path = - (if system == "i686-solaris" then [ "/usr/gnu" ] else []) ++ - (if system == "i686-netbsd" then [ "/usr/pkg" ] else []) ++ - (if system == "x86_64-solaris" then [ "/opt/local/gnu" ] else []) ++ + (lib.optionals (system == "i686-solaris") [ "/usr/gnu" ]) ++ + (lib.optionals (system == "i686-netbsd") [ "/usr/pkg" ]) ++ + (lib.optionals (system == "x86_64-solaris") [ "/opt/local/gnu" ]) ++ ["/" "/usr" "/usr/local"]; prehookBase = '' |