Merge #224822: hardening flags: enable fortify3 by default

...into staging

pkgs/build-support/cc-wrapper/setup-hook.sh

@@ -111,7 +111,7 @@ export CC${role_post}=@named_cc@
 export CXX${role_post}=@named_cxx@
 
 # If unset, assume the default hardening flags.
-: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"}
+: ${NIX_HARDENING_ENABLE="fortify fortify3 stackprotector pic strictoverflow format relro bindnow"}
 export NIX_HARDENING_ENABLE
 
 # No local scope in sourced file

pkgs/development/libraries/libfido2/default.nix

@@ -44,6 +44,9 @@ stdenv.mkDerivation rec {
     "-DUSE_PCSC=1"
   ];
 
+  # causes possible redefinition of _FORTIFY_SOURCE?
+  hardeningDisable = [ "fortify3" ];
+
   meta = with lib; {
     description = ''
       Provides library functionality for FIDO 2.0, including communication with a device over USB.

pkgs/stdenv/generic/make-derivation.nix

@@ -195,16 +195,13 @@ let
   # Musl-based platforms will keep "pie", other platforms will not.
   # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
   # in the nixpkgs manual to inform users about the defaults.
-  defaultHardeningFlags = let
-    # not ready for this by default
-    supportedHardeningFlags' = lib.remove "fortify3" supportedHardeningFlags;
-  in if stdenv.hostPlatform.isMusl &&
+  defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
       # Except when:
       #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
       #    - static armv7l, where compilation fails.
       !(stdenv.hostPlatform.isAarch && stdenv.hostPlatform.isStatic)
-    then supportedHardeningFlags'
-    else lib.remove "pie" supportedHardeningFlags';
+    then supportedHardeningFlags
+    else lib.remove "pie" supportedHardeningFlags;
   enabledHardeningOptions =
     if builtins.elem "all" hardeningDisable'
     then []