Commit Graph

179 Commits

Author SHA1 Message Date
Franz Pletz
4150f5e8ba
cc-wrapper: add stackcheck hardening (stack clash)
This fixes the Stack Clash issue rediscovered by Qualys. See
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
for more information on the topic, specifically section III.

We don't have the kernel mitigation available because it is a Grsecurity
feature which we don't support anymore. Other distributions like Gentoo
Hardened and Arch already have `-fstack-check` enabled by default.

See the Gentoo page on Stack Clash for more information on this solution:
https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash

This unfortunately doesn't apply to clang because `-fstack-check` is a
noop there. Note that the GCC implementation also has problems that could
be exploited to circumvent these checks but it is still better than
keeping it disabled.
2017-06-22 00:41:53 +02:00
Orivej Desh
5413bfa8e3 Speed up parsing @args.rsp compiler arguments
Improves upon #25205

https://gist.github.com/pbogdan/9d6986bf931b58a70d75e14eb40ee8a1 parsing time is
reduced from one minute to one second
2017-06-14 18:56:44 +00:00
Jörg Thalheim
e2197465c1
cc-wrapper: externalize default_cxx_stdlib_compile
This value is require to get c++ std include path for libclang based tools (vim plugins in my case).
I currently extract it this with this rather command:

```
eval echo $(nix-instantiate --eval --expr 'with (import <nixpkgs>) {}; clang.default_cxx_stdlib_compile')
```

it did not trigger any recompilation on my system.
2017-06-08 19:50:40 +01:00
Orivej Desh
e9adf383e6 Fix parsing @args.rsp compiler arguments 2017-04-25 13:29:43 +00:00
Tuomas Tynkkynen
7c8a060c09 stdenv: Bringup aarch64 architecture support 2017-01-25 00:01:51 +02:00
John Ericson
09401d44eb cc-wrapper: Remove unneeded crossAttrs 2017-01-24 11:37:56 -05:00
David McFarland
175461e09b cc-wrapper: don't expand $ in response files
This makes the response file handling more consistent with GCC.

For example, a reponse file may contain:

    "-Wl,$ORIGIN"

GCC will treat this as a double quoted string and not expand the
variable reference.  Previously, cc-wrapper would expand the variable
in the same was as if the string was provided on the command line.
2016-11-19 20:21:32 -04:00
Shea Levy
225602d9f2 Merge branch 'response-files' of git://github.com/corngood/nixpkgs into staging 2016-10-31 10:07:30 -04:00
David McFarland
1ad1edbb32 cc-wrapper: expand response files
Fixes #11762
2016-10-31 01:12:07 -03:00
David McFarland
2b6659e13e cc-wrapper: fix detection of unsupported linker flags on cygwin 2016-10-18 17:52:20 -03:00
Shea Levy
eca0f17ad2 nix-buffer support improvements.
Use inherit-local, add per-package elisp hooks.
2016-10-07 10:31:37 -04:00
Markus Hauck
aafbd40577 Replace hard coded /bin/bash occurrences 2016-10-04 20:15:37 +02:00
Franz Pletz
c0fa26ef3b Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-08-24 11:01:53 +02:00
Franz Pletz
8576aea57c cc-wrapper: fix detection of unsupported linker flags 2016-08-24 10:59:52 +02:00
Franz Pletz
3c06e5f6f7 cc-wrapper: check ld hardening capabilities in stdenv 2016-08-23 18:13:31 +02:00
Robin Gloster
07604ad631 add-hardening.sh: fix quotation 2016-08-23 15:27:51 +00:00
Robin Gloster
335d0097cf cc-wrapper: add-{flags,hardening} -> add-{flags,hardening}.sh 2016-08-23 15:27:51 +00:00
Nikolay Amiantov
24f695ffaa cc-wrapper: handle -nostdinc{++,} 2016-08-17 13:19:46 +03:00
Robin Gloster
5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
Tuomas Tynkkynen
a06a405d0b cross GCC: Fix some paths to libc headers (after multiple outputs)
It's not completely clear to me why the path to libc headers is set
differently when cross building...
2016-06-11 04:15:17 +03:00
Franz Pletz
f8d481754c
Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-05-18 17:10:02 +02:00
Vladimír Čunát
2cbb7bf9d1 cc-wrapper: add -B flag with cc.lib
This fixes `gcc --print-file-name=libstdc++.so`
and thus it should fix #14967.
2016-05-04 14:23:54 +02:00
Nikolay Amiantov
5ff40ddedf add get* helper functions and mass-replace manual outputs search with them 2016-04-25 13:24:39 +03:00
Robin Gloster
d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Robin Gloster
3e68106afd Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-07 21:52:26 +00:00
Vladimír Čunát
d1df28f8e5 Merge 'staging' into closure-size
This is mainly to get the update of bootstrap tools.
Otherwise there were mysterious segfaults:
https://github.com/NixOS/nixpkgs/pull/7701#issuecomment-203389817
2016-04-07 14:40:51 +02:00
Tomasz Kontusz
6c9ce23c00 cc-wrapper: Fix a typo in param parsing (close #14401) 2016-04-02 20:51:48 +02:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Robin Gloster
f60c9df0ba Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-28 15:16:29 +00:00
Nikolay Amiantov
119c287c71 cc-wrapper: use Bash arrays properly 2016-03-24 21:13:11 +03:00
Nikolay Amiantov
0c6db0ca48 cc-wrapper: add option to skip flags for native optimizations 2016-03-24 20:16:17 +03:00
Nikolay Amiantov
87607af7a1 cc-wrapper: add C++-specific paths if -x c++ is passed 2016-03-14 06:58:18 +03:00
Robin Gloster
a9b942c061 cc-wrapper: treat hardeningDisable as string
This fixes passing the env variable to the ld-wrapper through the gcc
call. Wtf?!
2016-03-14 00:26:52 +00:00
Tristan Helmich
1a5acdb695 cc-wrapper: Add additional NIX_DEBUG statements 2016-03-11 14:02:07 +01:00
Tristan Helmich
7e2e0dfe7a cc-wrapper: Use stderr for NIX_DEBUG output
Otherwise configure scripts might break when looking for the path to ld
2016-03-10 15:47:55 +01:00
Franz Pletz
514a478e61 cc-wrapper: Fix if syntax 2016-03-09 10:08:07 +01:00
Robin Gloster
9a5b070b45 hardening: debug with NIX_DEBUG 2016-03-08 20:51:35 +00:00
Vladimír Čunát
09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Franz Pletz
baee91ec60 cc-wrapper: Check if ld supports -z, fixes darwin 2016-03-07 21:40:20 +01:00
Franz Pletz
b2b499e6c4 cc-wrapper: Increase number of functions for stackprotector 2016-03-07 01:30:40 +01:00
Franz Pletz
ab1092875a cc-wrapper: Disable pie for linking static libs 2016-03-07 01:30:39 +01:00
Franz Pletz
63f60b6a13 cc-wrapper: Disable pie when linking shared libraries 2016-03-07 01:30:39 +01:00
Franz Pletz
05a02c53a0 cc-wrapper: -pie is a ldflag 2016-03-06 00:14:55 +01:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Eelco Dolstra
d5bb6a1f9c glibc: Enable separate debug symbols
The importance of glibc makes it worthwhile to provide debug
symbols. However, this revealed an issue with separateDebugInfo: it
was indiscriminately adding --build-id to all ld invocations, while in
fact it should only do that for final links. Glibc also uses non-final
("relocatable") links, leading to subsequent failure to apply a build
ID ("Cannot create .note.gnu.build-id section, --build-id
ignored"). So now ld-wrapper.sh only passes --build-id for final
links.
2016-02-28 02:57:37 +01:00
Eelco Dolstra
2040a9ac57 stdenv-linux: Ensure binutils comes before bootstrapTools in $PATH
Otherwise, when building glibc and other packages, the "strip" from
bootstrapTools is used, which doesn't recognise some tags produced by
the newer "ld" from binutils.
2016-02-28 01:13:15 +01:00
Vladimír Čunát
96cbdc70f2 cc-wrapper: fix #10574: old gcc -> cc fallout
The part with gcc-wrapper-old changes is rather unimportant,
as it's almost unused but I still tested that the sole user `gnat` builds.
2016-02-05 14:05:14 +01:00
Vladimír Čunát
f89a136fd5 cc-wrapper: fixup branch interactions
c0599fdd61 and changes on closure-size didn't go well together.
2016-02-03 16:57:41 +01:00
Vladimír Čunát
ae74c356d9 Merge recent 'staging' into closure-size
Let's get rid of those merge conflicts.
2016-02-03 16:57:19 +01:00
Vladimír Čunát
a33fcc8731 cc-wrapper: attempt to fix on darwin
This fixes evaluation at least. I'm unable to test this myself and noone steps up;
https://github.com/NixOS/nixpkgs/pull/7701#issuecomment-174448705
however, Hydra's macs are idling so let's employ them for that.
2016-01-28 06:59:36 +01:00
Vladimír Čunát
8f48a9756b cc-wrapper: quote when saving $PATH 2016-01-25 09:54:10 +01:00
Anthony Cowley
d96893647d cc-wrapper: fix on darwin
The ld-wrapper.sh script calls `readlink` in some circumstances. We need
to ensure that this is the `readlink` from the `coreutils` package so
that flag support is as expected.

This is accomplished by explicitly setting PATH at the top of each shell
script.

Without doing this, the following happens with a trivial `main.c`:

```
nix-env -f "<nixpkgs>" -iA pkgs.clang
$ clang main.c -L /nix/../nix/store/2ankvagznq062x1gifpxwkk7fp3xwy63-xnu-2422.115.4/Library -o a.out
readlink: illegal option -- f
usage: readlink [-n] [file ...]
```

The key element is the `..` in the path supplied to the linker via a
`-L` flag. With this patch, the above invocation works correctly on
darwin, whose native `/usr/bin/readlink` does not support the `-f` flag.

The explicit path also ensures that the `grep` called by `cc-wrapper.sh`
is the one from Nix.

Fixes #6447
2016-01-19 17:47:11 -05:00
Vladimír Čunát
716aac2519 Merge branch 'staging' into closure-size 2016-01-19 09:55:31 +01:00
Eelco Dolstra
2b5ed58099 cc-wrapper: Don't mess with __DATE__ and __TIME__
This is handled by $SOURCE_DATE_EPOCH now.
2016-01-05 17:21:48 +01:00
Vladimír Čunát
e22d26bedb cc-wrapper: small changes, mostly just cosmetic ones 2016-01-02 11:14:09 +01:00
Luca Bruno
5b0352a6a4 Merge branch 'master' into closure-size 2015-12-11 18:31:00 +01:00
Danny Wilson
f17dea3b3d Fix compilation of GCC 4.9 on SmartOS.
Fix ld-solaris-wrapper never calling ld (since gcc->cc-wrapper refactor).
2015-11-16 17:20:16 +01:00
Vladimír Čunát
efcad4c910 gcc5: split $doc into $man and $info
... because cc-wrapper is meant to propagate man pages into user envs,
and info pages are rather large.

Also replace the duplicate g++ and gcc man1 pages by a symlink.
2015-10-28 10:15:55 +01:00
Vladimír Čunát
55d129609d cc-wrapper: correct ccLDFlags with multiple outputs
Note: -B argument seems more like for gcc's main output,
though it's used in a bit strange way here.
(Upstream default is /usr/lib/gcc/ which we don't move.)
2015-10-28 10:15:54 +01:00
Vladimír Čunát
cd7a78d7e4 cc-wrapper: fix typo ignoring flags; fixes #10574 2015-10-28 10:15:54 +01:00
Vladimír Čunát
5227fb1dd5 Merge commit staging+systemd into closure-size
Many non-conflict problems weren't (fully) resolved in this commit yet.
2015-10-03 13:33:37 +02:00
Jude Taylor
80e09678f7 darwin: use system dyld
see https://github.com/NixOS/nixpkgs/issues/9432
2015-08-25 11:12:09 -07:00
Jude Taylor
ef95107ddc make isClang work the way a user might expect 2015-08-12 11:27:54 -07:00
Vladimír Čunát
615f64dcbe gcc_multi: disable the hook moving lib64 to lib
This was preventing wine from build, and we typically don't want it
anyway in multilib builds. /cc #8706.
2015-07-20 13:43:52 +02:00
Eelco Dolstra
553abf71ba Merge remote-tracking branch 'origin/staging' into gcc-4.9
Conflicts:
	pkgs/build-support/cc-wrapper/default.nix
	pkgs/development/libraries/wayland/default.nix
	pkgs/development/tools/build-managers/cmake/default.nix
	pkgs/top-level/all-packages.nix
2015-06-01 20:08:43 +02:00
Eelco Dolstra
6671bb8be4 Remove gccStdInc
This reverts d927da8dae. Having a copy
of gcc-wrapper/setup-hook.sh is bad for maintainability - it had
already started to diverge. Also, gccStdInc gave a nix-env conflict
with the standard gcc. And it wasn't actually used in Nixpkgs.

Instead, if you really need to change "-isystem" to "-I", you can now
set ccIncludeFlag to "-I".
2015-05-13 18:17:25 +02:00
Eric Seidel
395829686d add is{GNU,Clang} attrs to cc-wrapper.
These will be more pleasant to use than the existing

    (cc.cc.isClang or false)

nonsense we currently do.
2015-05-11 14:39:36 -07:00
Vladimír Čunát
d484c392aa stdenv multiple-outputs: change propagation rules
Now development stuff is propagated from the first output,
and userEnvPkgs from the one with binaries.

Also don't move *.la files (yet). It causes problems, and they're small.
2015-04-18 19:30:28 +02:00
Vladimír Čunát
bf414c9d4f Merge 'staging' into closure-size
- there were many easy merge conflicts
- cc-wrapper needed nontrivial changes

Many other problems might've been created by interaction of the branches,
but stdenv and a few other packages build fine now.
2015-04-18 11:22:20 +02:00
Alexander V. Nikolaev
3311513df6 Rename ccgo back to gccgo
I believe this is result of typo, introduced in 48f63c2f.
2015-03-27 12:45:32 +02:00
Shea Levy
f91dea4c0b cc-wrapper: Set default system include flags for non-gcc c++ on Linux
Without this, clang can't find libstdc++. This needs to happen in the wrapper
so that the libc++ setup hook can still override it
2015-03-06 19:04:43 +00:00
Dan Peebles
7bea6aafae Some cc-wrapper changes to better support darwin and clang:
- Add a conditional flag for the c++ std lib
- Build binaries that get linked by our own dyld (someday)
- Automatically add framework directories in the setup hook
2015-02-08 21:15:22 -05:00
Eric Seidel
6f7632a7bd update libcxx[abi] to 3.5 2015-02-03 14:02:59 -08:00
Shea Levy
aea1254f96 cc-wrapper merge fixes 2015-02-02 21:30:05 -05:00
Shea Levy
c45372f038 Merge commit 'cfb29ab882323d379aba20a95020c7c24f883eae'
Partial staging merge, including cc-wrapper fixes

Conflicts:
	pkgs/applications/audio/spotify/default.nix
	pkgs/build-support/cc-wrapper/default.nix
	pkgs/development/compilers/cryptol/1.8.x.nix
2015-02-02 21:14:28 -05:00
Shea Levy
9bccb95a82 cc-wrapper: Fix for cross-compiling
Fixes #5949

Suggested by @ambrop72
2015-01-25 23:29:06 -05:00
Shea Levy
f326b7995c Remove libc++ stuff from cc-wrapper
This is now part of the libc++ setup hook
2015-01-16 11:30:51 -05:00
Shea Levy
7dc57a389e cc-wrapper: Set CC/CXX more specifically if possible 2015-01-16 10:50:53 -05:00
Eric Seidel
48f63c2f2e rename gcc-wrapper to cc-wrapper.
also makes cc-wrapper compatible with clang in the darwin fork.
2015-01-14 20:26:56 -08:00