tobias/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-11-09 16:18:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

doc: drop pie flag from sec-hardening-in-nixpkgs

Browse source
This commit is contained in:
Luna Nova 2025-09-14 12:56:03 -07:00
parent 0b3b48fb5f
commit 834e9652c3
No known key found for this signature in database
2 changed files with 2 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
doc/redirects.json
View file

@ -1190,7 +1190,8 @@
"index.html#sec-purity-in-nixpkgs"
],
"sec-hardening-in-nixpkgs": [
"index.html#sec-hardening-in-nixpkgs"
"index.html#sec-hardening-in-nixpkgs",
"index.html#pie"
],
"sec-hardening-flags-enabled-by-default": [
"index.html#sec-hardening-flags-enabled-by-default"
@ -1225,9 +1226,6 @@
"sec-hardening-flags-disabled-by-default": [
"index.html#sec-hardening-flags-disabled-by-default"
],
"pie": [
"index.html#pie"
],
"shadowstack": [
"index.html#shadowstack"
],

13
doc/stdenv/stdenv.chapter.md
View file

@ -1631,19 +1631,6 @@ The following flags are disabled by default and should be enabled with `hardenin
This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.
#### `pie` {#pie}
This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for
- `musl`-based package builds, except on Aarch64 and Aarch32, where there are issues.
- Statically-linked for OpenBSD builds, where it appears to be required to get a working binary.
Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the `pic` flag, so they gain ASLR automatically, but binary .text regions need to be build with `pie` to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.
Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
#### `strictflexarrays1` {#strictflexarrays1}
This flag adds the `-fstrict-flex-arrays=1` compiler option, which reduces the cases the compiler treats as "flexible arrays" to those declared with length `[1]`, `[0]` or (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.