Merge pull request #182281 from helsinki-systems/feat/glibc-sec

glibc: improve configure options
2022-07-27 22:09:44 +01:00 · 2022-07-27 22:09:44 +01:00 · 5de6b3ecd7
commit 5de6b3ecd7
parent cfca7fe857 1487fabf60
1 changed files with 4 additions and 1 deletions
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@ -157,7 +157,7 @@ stdenv.mkDerivation ({
    [ "-C"
      "--enable-add-ons"
      "--sysconfdir=/etc"
-      "--enable-stackguard-randomization"
+      "--enable-stack-protector=strong"
      "--enable-bind-now"
      (lib.withFeatureAs withLinuxHeaders "headers" "${linuxHeaders}/include")
      (lib.enableFeature profilingLibraries "profile")
@ -167,6 +167,9 @@ stdenv.mkDerivation ({
      # and on aarch64 with binutils 2.30 or later.
      # https://sourceware.org/glibc/wiki/PortStatus
      "--enable-static-pie"
+    ] ++ lib.optionals stdenv.hostPlatform.isx86 [
+      # Enable Intel Control-flow Enforcement Technology (CET) support
+      "--enable-cet"
    ] ++ lib.optionals withLinuxHeaders [
      "--enable-kernel=3.2.0" # can't get below with glibc >= 2.26
    ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [