{cc-wrapper,bintools-wrapper}: drop pie hardening flag

We expect compilers to enable PIE by default via --enable-default-pie or similar.
2025-09-12 17:33:36 -07:00
parent 10a4dec731
commit 0b3b48fb5f
5 changed files with 8 additions and 84 deletions
@@ -15,7 +15,7 @@ for flag in @hardening_unsupported_flags@; do
 done

 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(pie relro bindnow)
+  declare -a allHardeningFlags=(relro bindnow)
  declare -A hardeningDisableMap=()

  # Determine which flags were effectively disabled so we can report below.
@@ -36,16 +36,6 @@ fi

 for flag in "${!hardeningEnableMap[@]}"; do
  case $flag in
-    pie)
-      if [[ ! (" ${params[*]} " =~ " -shared " \
-            || " ${params[*]} " =~ " -static " \
-            || " ${params[*]} " =~ " -r " \
-            || " ${params[*]} " =~ " -Ur " \
-            || " ${params[*]} " =~ " -i ") ]]; then
-        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-        hardeningLDFlags+=('-pie')
-      fi
-      ;;
    relro)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling relro >&2; fi
      hardeningLDFlags+=('-z' 'relro')
@@ -55,24 +55,7 @@
    "stackprotector"
    "strictoverflow"
    "zerocallusedregs"
-  ]
-  ++ lib.optional (
-    with stdenvNoCC;
-    lib.any (x: x) [
-      # OpenBSD static linking requires PIE
-      (with targetPlatform; isOpenBSD && isStatic)
-      (lib.all (x: x) [
-        # Musl-based platforms will keep "pie", other platforms will not.
-        # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
-        # in the nixpkgs manual to inform users about the defaults.
-        (targetPlatform.libc == "musl")
-        # Except when:
-        #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
-        #    - static armv7l, where compilation fails.
-        (!(targetPlatform.isAarch && targetPlatform.isStatic))
-      ])
-    ]
-  ) "pie",
+  ],
 }:

 assert propagateDoc -> bintools ? man;
@@ -52,7 +52,7 @@ fi


 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pie pic strictoverflow glibcxxassertions format trivialautovarinit zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pic strictoverflow glibcxxassertions format trivialautovarinit zerocallusedregs)
  declare -A hardeningDisableMap=()

  # Determine which flags were effectively disabled so we can report below.
@@ -127,15 +127,6 @@ for flag in "${!hardeningEnableMap[@]}"; do
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling nostrictaliasing >&2; fi
      hardeningCFlagsBefore+=('-fno-strict-aliasing')
      ;;
-    pie)
-      # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
-      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-      hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}")
-      if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then
-        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-        hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}")
-      fi
-      ;;
    pic)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
      hardeningCFlagsBefore+=('-fPIC')
@@ -225,14 +225,7 @@ let

  canExecuteHostOnBuild = buildPlatform.canExecute hostPlatform;
  defaultHardeningFlags =
-    (if stdenvHasCC then stdenv.cc else { }).defaultHardeningFlags or
-    # fallback safe-ish set of flags
-    (
-      if isOpenBSD && isStatic then
-        knownHardeningFlags # Need pie, in fact
-      else
-        remove "pie" knownHardeningFlags
-    );
+    (if stdenvHasCC then stdenv.cc else { }).defaultHardeningFlags or knownHardeningFlags;
  stdenvHostSuffix = optionalString (hostPlatform != buildPlatform) "-${hostPlatform.config}";
  stdenvStaticMarker = optionalString isStatic "-static";
  userHook = config.stdenv.userHook or null;
@@ -455,25 +455,10 @@ nameDrvAfterAttrName (
      )
    );

-    pieExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic (
-      checkTestBin
-        (f2exampleWithStdEnv stdenv {
-          hardeningEnable = [ "pie" ];
-        })
-        {
-          ignorePie = false;
-        }
-    );
-
-    pieExplicitEnabledStructuredAttrs = brokenIf stdenv.hostPlatform.isStatic (
-      checkTestBin
-        (f2exampleWithStdEnv stdenv {
-          hardeningEnable = [ "pie" ];
-          __structuredAttrs = true;
-        })
-        {
-          ignorePie = false;
-        }
+    pieAlwaysEnabled = brokenIf stdenv.hostPlatform.isStatic (
+      checkTestBin (f2exampleWithStdEnv stdenv { }) {
+        ignorePie = false;
+      }
    );

    relROExplicitEnabled =
@@ -662,17 +647,6 @@ nameDrvAfterAttrName (
      )
    );

-    pieExplicitDisabled = brokenIf (stdenv.hostPlatform.isMusl && stdenv.cc.isClang) (
-      checkTestBin
-        (f2exampleWithStdEnv stdenv {
-          hardeningDisable = [ "pie" ];
-        })
-        {
-          ignorePie = false;
-          expectFailure = true;
-        }
-    );
-
    # can't force-disable ("partial"?) relro
    relROExplicitDisabled = brokenIf true (
      checkTestBin
@@ -1101,13 +1075,6 @@ nameDrvAfterAttrName (
        expectFailure = true;
      };

-      allExplicitDisabledPie = brokenIf (stdenv.hostPlatform.isMusl && stdenv.cc.isClang) (
-        checkTestBin tb {
-          ignorePie = false;
-          expectFailure = true;
-        }
-      );
-
      # can't force-disable ("partial"?) relro
      allExplicitDisabledRelRO = brokenIf true (
        checkTestBin tb {