go: position independent executables by default

Followup to setting --enable-default-pie for our gcc, we teach go to build PIE by default when supported.
2025-09-14 10:52:42 -07:00
parent 97a43a6db4
commit 08aadbf8d4
4 changed files with 37 additions and 7 deletions
--- a/pkgs/build-support/go/module.nix
+++ b/pkgs/build-support/go/module.nix
@@ -269,13 +269,6 @@ lib.extendMkDerivation {
            }
          ''
          + ''
-
-            # currently pie is only enabled by default in pkgsMusl
-            # this will respect the `hardening{Disable,Enable}` flags if set
-            if [[ $NIX_HARDENING_ENABLE =~ "pie" ]]; then
-              export GOFLAGS="-buildmode=pie $GOFLAGS"
-            fi
-
            runHook postConfigure
          ''
        );
--- a/pkgs/development/compilers/go/1.24.nix
+++ b/pkgs/development/compilers/go/1.24.nix
@@ -65,6 +65,7 @@ stdenv.mkDerivation (finalAttrs: {
    ./remove-tools-1.11.patch
    ./go_no_vendor_checks-1.23.patch
    ./go-env-go_ldso.patch
+    ./go-default-pie.patch
  ];

  inherit (stdenv.targetPlatform.go) GOOS GOARCH GOARM;
--- a/pkgs/development/compilers/go/1.25.nix
+++ b/pkgs/development/compilers/go/1.25.nix
@@ -10,8 +10,12 @@
  buildPackages,
  pkgsBuildTarget,
  targetPackages,
+  # for testing
  testers,
+  runCommand,
+  bintools,
  skopeo,
+  clickhouse-backup,
  buildGo125Module,
 }:

@@ -19,6 +23,7 @@ let
  goBootstrap = buildPackages.callPackage ./bootstrap122.nix { };

  skopeoTest = skopeo.override { buildGoModule = buildGo125Module; };
+  clickhouse-backupTest = clickhouse-backup.override { buildGoModule = buildGo125Module; };

  # We need a target compiler which is still runnable at build time,
  # to handle the cross-building case where build != host == target
@@ -70,6 +75,7 @@ stdenv.mkDerivation (finalAttrs: {
    ./remove-tools-1.11.patch
    ./go_no_vendor_checks-1.23.patch
    ./go-env-go_ldso.patch
+    ./go-default-pie.patch
  ];

  inherit (stdenv.targetPlatform.go) GOOS GOARCH GOARM;
@@ -179,6 +185,23 @@ stdenv.mkDerivation (finalAttrs: {
        command = "go version";
        version = "go${finalAttrs.version}";
      };
+      # Picked clickhouse-backup as a package that sets CGO_ENABLED=0
+      # Running and outputting the right version proves a working ELF interpreter was picked
+      clickhouse-backup = testers.testVersion { package = clickhouse-backupTest; };
+      clickhouse-backup-is-pie = runCommand "has-pie" { meta.broken = stdenv.hostPlatform.isStatic; } ''
+        ${lib.optionalString (!isCross) ''
+          if ${lib.getExe' bintools "readelf"} -p .comment ${lib.getExe clickhouse-backup} | grep -Fq "GCC: (GNU)"; then
+            echo "${lib.getExe clickhouse-backup} has a GCC .comment, but it should have used the internal go linker"
+            exit 1
+          fi
+        ''}
+        if ${lib.getExe' bintools "readelf"} -h ${lib.getExe clickhouse-backup} | grep -q "Type:.*DYN"; then
+          touch $out
+        else
+          echo "ERROR: clickhouse-backup is NOT PIE"
+          exit 1
+        fi
+      '';
    };
  };

--- a/pkgs/development/compilers/go/go-default-pie.patch
+++ b/pkgs/development/compilers/go/go-default-pie.patch
@@ -0,0 +1,13 @@
+diff --git a/src/internal/platform/supported.go b/src/internal/platform/supported.go
+index f9706a6988..abac42d550 100644
+--- a/src/internal/platform/supported.go
+++ b/src/internal/platform/supported.go
+@@ -249,7 +253,7 @@ func DefaultPIE(goos, goarch string, isRace bool) bool {
+ 	case "darwin":
+ 		return true
+ 	}
+-	return false
+	return BuildModeSupported("gc", "pie", goos, goarch)
+ }
+ 
+ // ExecutableHasDWARF reports whether the linked executable includes DWARF